[nsp-sec] Mebroot/Torpig null route (AS 3356, 3549, 4323, 10297, 10796)
Tom Fischer
tfischer at bfk.de
Sat Feb 21 04:11:07 EST 2009
Hi,
any chance to enforce a null route of the following Mebroot/Torpig
c&c IP addresses?
That's necessary to get additional data from the Mebroot/Torpig sinkhole
which is based on connections to the fallback domains.
173.45.68.170 (dhxbksiw.com) is the primary Mebroot c&c server
AS | IP | AS Name
10297 | 173.45.68.170 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
PEER_AS | IP | AS Name
3356 | 173.45.68.170 | LEVEL3 Level 3 Communications
3549 | 173.45.68.170 | GBLX Global Crossing Ltd.
4323 | 173.45.68.170 | TWTC - tw telecom holdings, inc.
207.182.141.42 (lvaffbef.com) is the primary Torpig c&c server
AS | IP | AS Name
10297 | 207.182.141.42 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
PEER_AS | IP | AS Name
3356 | 207.182.141.42 | LEVEL3 Level 3 Communications
3549 | 207.182.141.42 | GBLX Global Crossing Ltd.
10796 | 207.182.141.42 | SCRR-10796 - Road Runner HoldCo LLC
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
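One way an operator could turn the Cymru-style whois lines quoted above into host-level null routes, added here as an example that is not part of Tom Fischer's post (it assumes a Linux host with iproute2; the apply step is a hypothetical helper, off by default):

```shell
#!/bin/sh
# Parse "AS | IP | AS Name" rows (Team Cymru whois format) into blackhole routes.
# Input below is the lookup output quoted in the post; header rows are skipped.
CYMRU_OUTPUT='AS | IP | AS Name
10297 | 173.45.68.170 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
PEER_AS | IP | AS Name
3356 | 173.45.68.170 | LEVEL3 Level 3 Communications
3549 | 173.45.68.170 | GBLX Global Crossing Ltd.
4323 | 173.45.68.170 | TWTC - tw telecom holdings, inc.
AS | IP | AS Name
10297 | 207.182.141.42 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
PEER_AS | IP | AS Name
3356 | 207.182.141.42 | LEVEL3 Level 3 Communications
3549 | 207.182.141.42 | GBLX Global Crossing Ltd.
10796 | 207.182.141.42 | SCRR-10796 - Road Runner HoldCo LLC'

# Print each distinct IPv4 address from the second column, in first-seen order.
# Rows whose second field is not a dotted quad (the "IP" header) are dropped.
extract_ips() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 2 {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$2]++) print $2
        }'
}

# Emit one iproute2 blackhole route per /32; nothing is applied here.
blackhole_routes() {
    extract_ips "$1" | while read -r ip; do
        printf 'ip route add blackhole %s/32\n' "$ip"
    done
}

# Hypothetical helper: only runs the generated commands when APPLY=1 (needs root).
apply_routes() {
    if [ "${APPLY:-0}" = 1 ]; then
        blackhole_routes "$1" | sh
    else
        blackhole_routes "$1"
    fi
}

apply_routes "$CYMRU_OUTPUT"
```

Peer-AS rows repeat each address, so deduplication keeps the route list to the two C&C hosts; on a router the same list would be translated into that platform's static-route syntax.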