[nsp-sec] [SPAM] Mebroot/Torpig null route (AS 3356, 3549, 4323, 10297, 10796)
Stephen Gill
gillsr at cymru.com
Sat Feb 21 11:49:54 EST 2009
Added these in to ddos-rs for 1 week. If we need them to stay longer let us
know.
-- steve
On 2/21/09 2:11 AM, "Tom Fischer" <tfischer at bfk.de> wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> any chance to enforce a null route of the following Mebroot/Torpig
> c&c IP addresses?
> That's necessary to get additional data from the Mebroot/Torpig sinkhole
> which is based on connections to the fallback domains.
>
> 173.45.68.170 (dhxbksiw.com) is the primary Mebroot c&c server
>
> AS | IP | AS Name
> 10297 | 173.45.68.170 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
>
> PEER_AS | IP | AS Name
> 3356 | 173.45.68.170 | LEVEL3 Level 3 Communications
> 3549 | 173.45.68.170 | GBLX Global Crossing Ltd.
> 4323 | 173.45.68.170 | TWTC - tw telecom holdings, inc.
>
>
> 207.182.141.42 (lvaffbef.com) is the primary Torpig c&c server
>
> AS | IP | AS Name
> 10297 | 207.182.141.42 | COLUMBUSNAP - The Columbus Network Access Point, Inc.
>
> PEER_AS | IP | AS Name
> 3356 | 207.182.141.42 | LEVEL3 Level 3 Communications
> 3549 | 207.182.141.42 | GBLX Global Crossing Ltd.
> 10796 | 207.182.141.42 | SCRR-10796 - Road Runner HoldCo LLC
>
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
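The request above is a routine one for an operator: take the "AS | IP | AS Name" lookup output, turn each C&C host into a /32 discard route, and make sure the route carries a removal date so a one-week blackhole does not become permanent. The script below is an added example written for this page; it is not code from the nsp-security thread, from Team Cymru, or from either poster. The two IPs and their origin/peer ASNs are copied from the thread; the vendor command templates, the "protected prefix" allowlist, the comment tag format and the 7-day default are assumptions about how one operator might do this, not anything the thread states.

```python
"""Turn Team Cymru-style AS/IP lookup output into time-limited null-route config.

Added example for this page, not code from the nsp-security thread. The IPs and
ASNs are those quoted in the thread; vendor templates, PROTECTED and the expiry
tag are assumptions.
"""
import ipaddress
from datetime import date, timedelta

# Constructed sample input: the two lookup tables quoted in Tom Fischer's mail.
CYMRU_OUTPUT = """\
AS | IP | AS Name
10297 | 173.45.68.170 | COLUMBUSNAP - The Columbus Network Access Point, Inc.

PEER_AS | IP | AS Name
3356 | 173.45.68.170 | LEVEL3 Level 3 Communications
3549 | 173.45.68.170 | GBLX Global Crossing Ltd.
4323 | 173.45.68.170 | TWTC - tw telecom holdings, inc.

AS | IP | AS Name
10297 | 207.182.141.42 | COLUMBUSNAP - The Columbus Network Access Point, Inc.

PEER_AS | IP | AS Name
3356 | 207.182.141.42 | LEVEL3 Level 3 Communications
3549 | 207.182.141.42 | GBLX Global Crossing Ltd.
10796 | 207.182.141.42 | SCRR-10796 - Road Runner HoldCo LLC
"""

# Hypothetical: prefixes this operator must never blackhole (own infrastructure).
PROTECTED = [ipaddress.ip_network("198.51.100.0/24")]

# Hypothetical per-vendor templates for a host discard route and a comment line.
TEMPLATES = {
    "ios":   "ip route {ip} 255.255.255.255 Null0 name {tag}",
    "junos": "set routing-options static route {ip}/32 discard",
    "linux": "ip route add blackhole {ip}/32",
}
COMMENT = {"ios": "!", "junos": "#", "linux": "#"}


def parse_cymru(text):
    """Return {ip: {"origin": set(ASN), "peers": set(ASN)}}.

    A header row ("AS | IP | AS Name" or "PEER_AS | IP | AS Name") decides
    whether the data rows that follow are origin ASNs or upstream peer ASNs.
    """
    targets = {}
    column = None
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.strip().split("|")]
        if fields[0] in ("AS", "PEER_AS"):
            column = "origin" if fields[0] == "AS" else "peers"
            continue
        if column is None or len(fields) < 3 or not fields[0].isdigit():
            continue  # blank line or junk
        entry = targets.setdefault(fields[1], {"origin": set(), "peers": set()})
        entry[column].add(int(fields[0]))
    return targets


def check_target(ip):
    """Refuse anything that must not become a blackhole: non-IPv4, non-global
    (RFC 1918, loopback, multicast, ...) or inside a protected prefix."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip}: only IPv4 /32 blackholes are handled here")
    if not addr.is_global:
        raise ValueError(f"{ip}: not a global unicast address")
    for net in PROTECTED:
        if addr in net:
            raise ValueError(f"{ip}: inside protected prefix {net}")
    return addr


def null_route_config(targets, vendor, added, days=7):
    """One discard route per C&C IP, preceded by a comment naming the origin and
    upstream ASNs and the date the route is due for removal."""
    expires = added + timedelta(days=days)
    tag = f"cc-sinkhole-exp-{expires.isoformat()}"
    lines = []
    for ip in sorted(targets, key=ipaddress.ip_address):
        addr = check_target(ip)
        origin = " ".join(f"AS{a}" for a in sorted(targets[ip]["origin"]))
        peers = " ".join(f"AS{a}" for a in sorted(targets[ip]["peers"]))
        lines.append(f"{COMMENT[vendor]} {addr} origin {origin} via {peers}; remove after {expires}")
        lines.append(TEMPLATES[vendor].format(ip=addr, tag=tag))
    return lines


def config_for_thread(vendor="ios"):
    """Config for the two hosts in the thread, dated 2009-02-21 for one week."""
    return null_route_config(parse_cymru(CYMRU_OUTPUT), vendor, date(2009, 2, 21))


if __name__ == "__main__":
    print("\n".join(config_for_thread("ios")))
```

The expiry tag is the part worth keeping even if the templates are changed: a /32 discard route installed at a transit provider silently stays in place until someone removes it, so the route should carry the date on which it was promised to be reviewed. The `check_target` step is the other caveat, since a mistyped octet in a blackhole request is indistinguishable from a valid one at the router.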