[nsp-sec] rustock C&C - ACK for AS3909 & AS209

Smith, Donald Donald.Smith at qwest.com
Tue Feb 3 15:15:28 EST 2009


So what are those rustock boxes doing?
Mostly sending out smtp packets:)
count port
26775 25
7136 80
1736 53
1330 0
1265 443
 611 5190
 378 44386
 356 5192

5190 and 5192 appear to be related to aol im.
44386 is only in use by one of our rustock-infected customers; HOWEVER, it appears to be doing a lot of uploading via that port.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   
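The count/port tally above is the usual quick triage over flow data for hosts already known to talk to the C&C. As an added example that is not from this thread, the Python below assumes a constructed, simplified flow-record format (timestamp, source, destination, destination port, bytes out), reproduces that tally, and then flags any source pushing a large volume to a port outside the well-known set, which is the pattern behind the 44386 observation.

```python
# Added example, not from the nsp-security thread. Assumes a constructed,
# simplified flow-record format: timestamp src_ip dst_ip dst_port bytes_out
from collections import Counter, defaultdict

# Constructed sample records for three hypothetical infected hosts.
SAMPLE_FLOWS = """\
2009-02-03T12:00:01 10.0.0.5 192.0.2.10 25 1200
2009-02-03T12:00:02 10.0.0.5 192.0.2.11 25 1300
2009-02-03T12:00:03 10.0.0.5 192.0.2.12 80 500
2009-02-03T12:00:04 10.0.0.6 192.0.2.13 25 900
2009-02-03T12:00:05 10.0.0.6 192.0.2.14 53 80
2009-02-03T12:00:06 10.0.0.7 192.0.2.15 44386 950000
2009-02-03T12:00:07 10.0.0.7 192.0.2.15 44386 870000
2009-02-03T12:00:08 10.0.0.7 192.0.2.16 25 1100
"""

# Ports the thread accounts for (smtp, dns, http, https, AOL IM).
WELL_KNOWN = {25, 53, 80, 443, 5190, 5192}

def parse_flows(text):
    """Parse records into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows

def port_counts(flows):
    """Connections per destination port, like the count/port table in the mail."""
    return Counter(f[3] for f in flows)

def unusual_uploaders(flows, threshold=1_000_000):
    """(src, port, bytes) for sources pushing > threshold bytes to a port not in WELL_KNOWN."""
    per_src_port = defaultdict(int)
    for _, src, _, port, nbytes in flows:
        if port not in WELL_KNOWN:
            per_src_port[(src, port)] += nbytes
    return sorted((src, port, b) for (src, port), b in per_src_port.items()
                  if b > threshold)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for port, n in port_counts(flows).most_common():
        print(f"{n:>6} {port}")
    for src, port, b in unusual_uploaders(flows):
        print(f"{src} sent {b} bytes to port {port}")
```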

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Hicks, Howard
> Sent: Tuesday, February 03, 2009 12:11 PM
> To: 'Beasley, Jason'; 'nsp-security at puck.nether.net'
> Subject: Re: [nsp-sec] rustock C&C - ACK for AS3909 & AS209
> 
> ----------- nsp-security Confidential --------
> 
> 
> 
> 
> Howard E. Hicks
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Beasley, Jason
> Sent: Tuesday, February 03, 2009 12:19 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] rustock C&C
> 
> ----------- nsp-security Confidential --------
> 
> 
> Suresh over at Outblaze has identified what he believes to be 
> an rustock C&C existing at 69.10.44.210.  From what I can 
> tell, it appears he is correct.  I've compiled a listing of 
> sources communicating to this server.  Please check the 
> following list for your ASN:
> http://drakul.nsc.xo.net/asns.txt
> And then the full listing here for the hosts:
> https://asn.cymru.com/nsp-sec/upload/1233681381.whois.txt
> Timestamps are included.
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security community. Confidentiality is essential for 
> effective Internet security counter-measures.
> _______________________________________________
> 
> 
> 

