[nsp-sec] identity theft c&c (AS 9394, 6453, 9304, 10026)

Tom Fischer tfischer at bfk.de
Mon Apr 27 09:11:03 EDT 2009


Hi,

any chance to enforce a null route / termination of 61.235.117.71

current malware: hxxp://newcounters.cn/IT02/nds.exe
av-detection: http://www.virustotal.com/analisis/dd7acea5728e004b8bc688801691c744
c&c: hxxp://newcounters.cn/IT02/get.php - just looks suspended for an
invalid communication - example of a valid communication (with 102 ok response):
hxxp://newcounters.cn/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSJ

DNS history:
first seen (UTC)    last seen (UTC)     hostname               type  IP
2009-04-21 13:24:12 2009-04-21 13:24:12 www.rnstatistics.org A 61.235.117.71
2009-04-21 13:18:05 2009-04-21 14:39:09 mail.rnstatistics.org A 61.235.117.71
2008-12-20 01:19:39 2009-04-21 17:26:00 rnstatistics.org A 61.235.117.71
2009-04-21 20:36:44 2009-04-22 11:51:30 itrcounter.net A 61.235.117.71
2009-04-22 20:12:06 2009-04-27 12:12:02 mail.newcounters.cn A 61.235.117.71
2009-04-22 19:44:47 2009-04-27 12:58:25 newcounters.cn A 61.235.117.71

AS      | IP               | AS Name
9394    | 61.235.117.71    | CRNET CHINA RAILWAY Internet(CRNET)
PEER_AS | IP               | AS Name
6453    | 61.235.117.71    | GLOBEINTERNET TATA Communications
9304    | 61.235.117.71    | HUTCHISON-AS-AP Hutchison Global Communications
10026   | 61.235.117.71    | ANC Asia Netcom Corporation

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
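As an added example (not part of the original post), the indicators above can be turned into a small proxy-log check: any client that fetched the dropper path or sent the `get.php?type=slg&id=...` beacon to one of the listed hostnames or the IP is flagged as likely infected, while plain contact with the infrastructure is reported separately. The log format (timestamp, client, method, URL, status) and the log lines themselves are constructed for the example; the hostnames, IP, paths and query parameters are taken from the report.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# Indicators from the report above (URLs were defanged as hxxp in the post).
CC_IP = "61.235.117.71"
CC_HOSTS = {
    "newcounters.cn", "mail.newcounters.cn", "itrcounter.net",
    "rnstatistics.org", "mail.rnstatistics.org", "www.rnstatistics.org",
}
DROPPER_PATH = "/IT02/nds.exe"
CC_PATH = "/IT02/get.php"

# Constructed sample log lines in a hypothetical "ts client method url status" format.
SAMPLE_LOG = """\
1240829410.123 10.0.0.5 GET http://www.example.com/index.html 200
1240829411.456 10.0.0.7 GET http://newcounters.cn/IT02/nds.exe 200
1240829412.789 10.0.0.7 GET http://newcounters.cn/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSJ 200
1240829413.000 10.0.0.9 GET http://61.235.117.71/IT02/get.php?type=slg&id=ABCDEF 200
1240829414.000 10.0.0.9 GET http://newcounters.cn/IT02/get.php 200
1240829415.000 10.0.0.11 POST http://rnstatistics.org/ 200
"""


def classify(url):
    """Return a verdict for one URL, or None if it does not touch the listed infrastructure."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host not in CC_HOSTS and host != CC_IP:
        return None
    if u.path == DROPPER_PATH:
        return "dropper-download"
    if u.path == CC_PATH:
        q = parse_qs(u.query)
        # The post's valid beacon carries type=slg and a bot id.
        if q.get("type") == ["slg"] and q.get("id"):
            return "cc-beacon"
        return "cc-contact"  # get.php without the expected parameters
    return "infra-contact"  # any other request to the listed hosts / IP


def scan(log_text):
    """Yield (client, verdict, url) for every log line that hits the indicators."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _method, url, _status = parts[:5]
        verdict = classify(url)
        if verdict is not None:
            hits.append((client, verdict, url))
    return hits


def likely_infected(hits):
    """Clients that downloaded the dropper or sent a well-formed beacon."""
    return sorted(
        {c for c, v, _ in hits if v in ("dropper-download", "cc-beacon")},
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, verdict, url in found:
        print(f"{client:10} {verdict:17} {url}")
    print("likely infected:", ", ".join(likely_infected(found)))
```

Matching on hostname and path rather than on the full URL means the check still fires when the bot id changes, and matching on the IP catches clients that reach the server directly once the domain is suspended.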