[nsp-sec] KR DDoS C2 points

Nicholas Ianelli ni at centergate.net
Fri Aug 28 17:57:31 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The one thing that I forgot to add was the timestamp for validation
of this activity:

20090824: 1657 - 1744 GMT
20090827: 1910 - 2000 GMT
20090828: 0630 - 0717 GMT

nick

> 
> Attached are the hosts still acting in a Command and Control (C2)
> capacity for the KR DDoS malware (affected AS' and IP data are under my
> signature block).
> 
> The malware in question does a number of things, including obtaining
> compromised host data. If you are able to, I would really appreciate it
> if you could reach out to your customers and have them provide you the
> following set of files:
> 
> netlmgr.exe (C:\Windows\System32)
> ntdll.ini (C:\Windows\System32)
> perfa093.dat (C:\Windows\System32)
> 
> Everything under the following directory:
> C:\windows\system32\acrobat\
> 
> If you or your customers need help, please let me know and I will make
> myself available. All it takes is one or two people to get files and we
> may be able to locate some of the folks behind this.
> 
> The hosts in the attached files are listening on one of the following ports:
> 
> 80/TCP
> 53/TCP
> 8080/TCP
> 443/TCP
> 
> Full details can be located in:
> 
> 20090824:
> https://asn.cymru.com/nsp-sec/upload/1251490448.whois.txt
> 
> 20090827:
> https://asn.cymru.com/nsp-sec/upload/1251490495.whois.txt
> 
> 20090828:
> https://asn.cymru.com/nsp-sec/upload/1251490564.whois.txt



- --
Nicholas Ianelli: Neustar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkqYUssACgkQi10dJIBjZIBD/ACg3soXLC102yACAXEjdS0stW4k
sY8An2S/Q0AzDDDsFso+ugKP2p1Cp4pS
=gZRK
-----END PGP SIGNATURE-----
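For anyone helping a customer gather the files the post asks for, the following PowerShell script is an added example and not part of the original message or anything Neustar distributed. It collects the three files and the acrobat directory named above, records a SHA256 hash, size and last-write time for each before copying it, and writes a manifest so the responder can verify that nothing changed in transit. It assumes PowerShell 4 or later (for Get-FileHash), administrative rights, and an evidence folder path given by the hypothetical $Destination parameter; the file and directory names come straight from the post.

```powershell
# Added example (not from the original post): collect the artifacts the
# post requests and hash them before copying. Assumes PowerShell 4+ and
# Administrator rights. $Destination is a hypothetical evidence folder.
param(
    [string]$Destination = "C:\IR-Evidence\$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$sys32 = Join-Path $env:SystemRoot "System32"

# Individual files named in the post
$files = @(
    (Join-Path $sys32 "netlmgr.exe"),
    (Join-Path $sys32 "ntdll.ini"),
    (Join-Path $sys32 "perfa093.dat")
)
# Directory named in the post; everything under it is requested
$dir = Join-Path $sys32 "acrobat"

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
# A List lets the function below append without scope gymnastics
$manifest = New-Object System.Collections.Generic.List[object]

function Add-Evidence {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        # Record the absence too; "not present" is useful to the responder
        $manifest.Add([pscustomobject]@{
            Path = $Path; Present = $false; SHA256 = $null; Size = $null; ModifiedUtc = $null
        })
        return
    }
    # Hash and record metadata from the original before touching it
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $manifest.Add([pscustomobject]@{
        Path = $Path; Present = $true; SHA256 = $hash
        Size = $item.Length; ModifiedUtc = $item.LastWriteTimeUtc
    })
    # Keep the original layout relative to %SystemRoot% under the evidence folder
    $relative = $Path.Substring($env:SystemRoot.Length).TrimStart('\')
    $target = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
    Copy-Item -LiteralPath $Path -Destination $target -Force
}

foreach ($f in $files) { Add-Evidence $f }

if (Test-Path -LiteralPath $dir) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File |
        ForEach-Object { Add-Evidence $_.FullName }
} else {
    $manifest.Add([pscustomobject]@{
        Path = $dir; Present = $false; SHA256 = $null; Size = $null; ModifiedUtc = $null
    })
}

$manifest | Export-Csv -LiteralPath (Join-Path $Destination "manifest.csv") -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Hashing before the copy matters: the manifest then describes the files as they sat on the compromised host, and the responder can recompute the hashes on receipt to confirm the archive was not altered or truncated along the way. Zip the evidence folder together with manifest.csv when sending it on.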



More information about the nsp-security mailing list