[nsp-sec] Assistance request: BlackEnergy C&C at 59.125.231.252 (AS3462 / HINET)

Huopio Kauto Kauto.Huopio at ficora.fi
Tue Aug 18 06:53:37 EDT 2009


Greetings all

Since Saturday evening, 2009-08-15 12:44:43 UTC to be more
exact, a BlackEnergy botnet has been HTTP GET DDoSing more or
less continuously the following URLs:

www.snai.it (Lottery Italy?)
www.vierklee.com (Bookmaker,Austria)
www.veikkaus.fi (National Lottery Finland)
www.wsex.com (bookmaker)
www.danskespil.dk (National Lottery Denmark)
www.wir-wetten.com (also a bookmaker, Austria?)

The botnet C&C is located according to Shadowserver at

AS      | IP               | AS Name
3462    | 59.125.231.252   | HINET Data Communication Business Group
9680    | 59.125.231.252   | HINETUSA HiNet Service Center in U.S.A

These addresses have been associated with the DNS RRs:

hack-off.ru
hack-off.info

We've understood from various sources that this is some sort of a
DDoS-for-hire outfit, among other dubious things. Seems to be a Zeus
site, too.

The attack activity has been confirmed by Shadowserver to continue at least
as of yesterday afternoon, UTC+3 (Finland) time. We have sent
assistance requests to HINET and TWCERT/CC - no reply back so far.

The situation at the target end is somewhat under control (in the case
of www.veikkaus.fi, with the effect of limiting access
only to domestic IP addresses in Finland).

If you have good working security contacts at HINET,
please please contact me or our team on those.

If you can assist on getting this botnet to stop their activities,
all help is appreciated. 

If you have more background information on the IP address or
the domains in question, National Bureau of
Investigations Finland / Computer Crime Unit would like to hear from
you - superintendent Jussi Hyysalo can be reached at
jussi.hyysalo at poliisi.fi. Feel free to cc: us at CERT-FI
(cert at ficora.fi), tag the Subject line with [FICORA #295210], or
email me directly.

Best regards,

Kauto Huopio

Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority  / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi 