[nsp-sec] KR DDoS C2 points

Nicholas Ianelli ni at centergate.net
Fri Aug 28 17:05:45 EDT 2009



Team,

Attached are the hosts still acting in a Command and Control (C2)
capacity for the KR DDoS malware (affected AS' and IP data are under my
signature block).

The malware in question does a number of things, including obtain
compromised host data. If you are able to, I would really appreciate it
if you could reach out to your customers and have them provide you the
following set of files:

netlmgr.exe (C:\Windows\System32)
ntdll.ini (C:\Windows\System32)
perfa093.dat (C:\Windows\System32)

Everything under the following directory:
C:\windows\system32\acrobat\

If you or your customers need help, please let me know and I will make
myself available. All it takes is one or two people to get files and we
may be able to locate some of the folks behind this.

The hosts in the attached files are listening on one of the following ports:

80/TCP
53/TCP
8080/TCP
443/TCP

Full details can be located in:

20090824:
https://asn.cymru.com/nsp-sec/upload/1251490448.whois.txt

20090827:
https://asn.cymru.com/nsp-sec/upload/1251490495.whois.txt

20090828:
https://asn.cymru.com/nsp-sec/upload/1251490564.whois.txt

--
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
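The collection the post asks for, as an added example that is not part of the original message or of any tooling the author describes: a PowerShell script a customer could run on a suspected host to copy the three named files and everything under System32\acrobat\, record SHA256 hashes and timestamps in a manifest, and note any process listening on the ports the post lists. The output folder is an assumption, as is the requirement of PowerShell 4+ (Get-FileHash) and Windows 8+ (Get-NetTCPConnection).

```powershell
# Added example (not from the original post): gather the artifacts requested
# for the KR DDoS C2 investigation and hash them before handing them over.
# $OutDir is an assumed location; change it to suit the host.
param([string]$OutDir = "C:\ir\krddos-collect")

$sys32 = Join-Path $env:SystemRoot 'System32'
$targets = @(
    (Join-Path $sys32 'netlmgr.exe'),
    (Join-Path $sys32 'ntdll.ini'),
    (Join-Path $sys32 'perfa093.dat')
)
# Everything under System32\acrobat\, as the post requests
$acro = Join-Path $sys32 'acrobat'
if (Test-Path -LiteralPath $acro) {
    $targets += Get-ChildItem -LiteralPath $acro -Recurse -File | ForEach-Object FullName
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = foreach ($p in $targets) {
    if (-not (Test-Path -LiteralPath $p)) {
        # Record absence too; a missing file is itself useful to the responder
        [pscustomobject]@{ Path=$p; Present=$false; SHA256=$null; Size=$null; LastWriteUtc=$null }
        continue
    }
    $f = Get-Item -LiteralPath $p -Force
    # Copy with a .bin suffix so the sample is not accidentally executed; hash the original
    Copy-Item -LiteralPath $p -Destination (Join-Path $OutDir ($f.Name + '.bin')) -Force
    [pscustomobject]@{
        Path         = $p
        Present      = $true
        SHA256       = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Size         = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
    }
}
$manifest | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation

# The post says the C2 hosts listen on 80, 53, 8080 or 443/TCP; record any local listener there
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 80, 53, 8080, 443 } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } } |
    Export-Csv -Path (Join-Path $OutDir 'listeners.csv') -NoTypeInformation

$manifest | Format-Table -AutoSize
```

Run it elevated so System32 and the process paths are readable, then send the output folder to the operator who requested the files.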
