[nsp-sec] Stumbled upon some malware | domain x8f.ru - numerous A'records
Thomas Hungenberg
th.lab at hungenberg.net
Sat Aug 1 03:34:12 EDT 2009
Steve,
these hosts are related to Gumblar-style attacks - see e.g.
<http://garwarner.blogspot.com/2009/06/gumblars-48000-compromised-domains.html>
$ host autobestwestern.cn
premiumnonfat.cn has address 80.248.208.205
premiumnonfat.cn has address 89.171.115.10
premiumnonfat.cn has address 91.121.146.101
premiumnonfat.cn has address 213.246.39.135
premiumnonfat.cn has address 213.251.176.169
Many of the old domains are still active and serving malicious content,
but from what I see the attackers are currently only using the newer
"three character" domains (like x8f.ru) with the injected IFRAMEs.
However, all domains belong to the same fluxing network and resolve
to the same five IPs. If one of these (proxy) nodes is shut down,
it gets replaced by another IP within minutes...
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
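An added example, not code from the thread: the two checks a defender can run over A-record snapshots to confirm what Thomas describes, several domains sitting on one shared pool of proxy nodes, and a taken-down node being swapped for a new address between two lookups. The address sets below are constructed sample data from documentation ranges (the domain names x8f.ru and premiumnonfat.cn come from the thread; the `.example` names are invented).

```python
from itertools import combinations

# Constructed sample data (RFC 5737 documentation ranges), not live lookups:
# two flux domains share one five-node pool; one CDN-like domain touches a
# single pool address and must not be pulled into the cluster by accident.
FLUX_POOL = {"192.0.2.10", "192.0.2.11", "198.51.100.5",
             "198.51.100.6", "203.0.113.9"}
SNAPSHOT_T0 = {
    "x8f.ru": set(FLUX_POOL),
    "premiumnonfat.cn": set(FLUX_POOL),
    "shared-cdn.example": {"203.0.113.9", "203.0.113.201"},
    "unrelated.example": {"203.0.113.200"},
}
# Later snapshot: node 192.0.2.10 was taken down and replaced by 192.0.2.12
# on both flux domains; the other domains did not change.
SNAPSHOT_T1 = dict(SNAPSHOT_T0)
for name in ("x8f.ru", "premiumnonfat.cn"):
    SNAPSHOT_T1[name] = (FLUX_POOL - {"192.0.2.10"}) | {"192.0.2.12"}


def cluster_by_shared_ips(records, min_overlap=2):
    """Group domains whose A-record sets share at least `min_overlap`
    addresses (union-find). Returns sorted clusters of domain names."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path compression
            d = parent[d]
        return d

    for a, b in combinations(records, 2):
        if len(records[a] & records[b]) >= min_overlap:
            parent[find(a)] = find(b)
    clusters = {}
    for d in records:
        clusters.setdefault(find(d), []).append(d)
    return sorted(sorted(c) for c in clusters.values())


def node_churn(before, after):
    """Per domain, report pool nodes that vanished between two snapshots and
    the addresses that replaced them; unchanged domains are omitted."""
    churn = {}
    for d, old in before.items():
        new = after.get(d, set())
        if old != new:
            churn[d] = {"removed": sorted(old - new), "added": sorted(new - old)}
    return churn
```

Lowering `min_overlap` to 1 would wrongly merge `shared-cdn.example` into the flux cluster, so the overlap threshold is the knob to tune against hosting providers whose address space is reused by unrelated sites.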
Shelton, Steve wrote:
> ----------- nsp-security Confidential --------
>
> Guys,
>
> Sorry to reply to myself, but found some more payload sites - nginx
> servers also on port 8080. It also appears that France - French based
> networks are a focal point. Could France be the new Exploit -
> Cybercrime hub?
>
> A lot of the domains pointing to these prefixes seem to trace back to domains
> that initially translated to 94.247.3.0/24 and 94.247.2.0/24 for a while,
> then bounced around quite a bit, ending up on 95.129.144.0/23 AS48856 |
> Ventrex. The domains were dead for a while, then apparently popped up in
> .FR under a guise, it would appear, sometime recently.
>
> 80.248.208.205:8080/cache/readme.pdf
> 89.171.115.10:8080/cache/readme.pdf
> 91.121.174.19:8080/cache/readme.pdf
>
> 80.248.208.205
> 89.171.115.10
> 91.121.174.19
>
> Bulk mode; whois.cymru.com [2009-07-31 16:57:03 +0000]
>
> 12968 | 89.171.115.10 | CDP Crowley Data Poland, sp. z o.o.
> 16276 | 91.121.174.19 | OVH OVH
> 35830 | 80.248.208.205 | SIVIT-AS SIVIT Network -
> http://www.sivit.net/
>
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Shelton,
> Steve
> Sent: Friday, July 31, 2009 9:12 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Stumbled upon some malware | domain x8f.ru - numerous A'records
>
> ----------- nsp-security Confidential --------
>
> Team,
>
> While looking into the activities of 80.93.90.88/32, I found the
> following servers were also facilitating the very same exploit as well
> as what appears to be 100 percent widespread nefarious activity. Please
> note that all /32's were found to have nginx servers operating on port
> 8080.
>
> Note: While researching, I also found references to Cutwail, rustock and
> Gumblar.
>
> hxxp://80.93.90.88:8080/cache/readme.pdf [Server: nginx]
> hxxp://91.121.146.101:8080/cache/readme.pdf [Server: nginx]
> hxxp://91.121.167.41:8080/cache/readme.pdf [Server: nginx]
> hxxp://94.76.235.32:8080/cache/readme.pdf [Server: nginx]
> hxxp://213.251.176.169:8080/cache/readme.pdf [Server: nginx]
>
> http://wepawet.iseclab.org/view.php?hash=865a53b592bc0853282c081f052fad42&t=1249050293&type=js
>
> Non-authoritative answer:
> Name: x8f.ru
> Address: 80.93.90.88
> Name: x8f.ru
> Address: 91.121.146.101
> Name: x8f.ru
> Address: 91.121.167.41
> Name: x8f.ru
> Address: 94.76.235.32
> Name: x8f.ru
> Address: 213.251.176.169
>
>
> Bulk mode; whois.cymru.com [2009-07-31 15:01:35 +0000]
>
> 16276 | 213.251.176.169 | OVH OVH
> 16276 | 91.121.146.101 | OVH OVH
> 16276 | 91.121.167.41 | OVH OVH
> 21409 | 80.93.90.88 | IKOULA IKOULA European Backbone AS
> 29550 | 94.76.235.32 | EUROCONNEX-AS Blueconnex Networks Ltd
>
>
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>