[nsp-sec] fyi: ogard irc c&c
Jose Nazario
jose at arbor.net
Sun Feb 22 16:10:34 EST 2009
thanks, cam.
the first (/red.exe) one looks like a premium dialer to go to
0113598780092974.
the second one looks like a C&C on red.mobinil.biz TCP port 5900.
red.mobinil.biz. 300 IN A 174.34.132.203
red.mobinil.biz. 300 IN A 174.34.156.203
red.mobinil.biz. 300 IN A 174.34.156.216
if it's ok with you, can i ask for the .biz folks to axe that?
TExpert report btw:
http://www.threatexpert.com/report.aspx?md5=2703f20df54be45293d74972d3d63f89
cute: Creates Mutex: We Are HellMakers
matches what our quick analysis internally revealed.
thanks. lemme know if the .biz folks should be asked to axe the name.
--
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
manager of security research arbor networks
v: (734) 821 1427 http://asert.arbor.net/