[nsp-sec] fyi: ogard irc c&c
Rodney Joffe
rjoffe at centergate.com
Sun Feb 22 16:39:36 EST 2009
On Feb 22, 2009, at 2:10 PM, Jose Nazario wrote:
> ----------- nsp-security Confidential --------
>
> thanks, cam.
>
> the first (/red.exe) one looks like a premium dialer to go to
> 0113598780092974.
>
> the second one looks like a C&C on red.mobinil.biz TCP port 5900.
>
> red.mobinil.biz. 300 IN A 174.34.132.203
> red.mobinil.biz. 300 IN A 174.34.156.203
> red.mobinil.biz. 300 IN A 174.34.156.216
>
> if it's ok with you can I ask for the .biz folks to axe that?
Let me know ;-)
>
>
> ThreatExpert report btw: http://www.threatexpert.com/report.aspx?md5=2703f20df54be45293d74972d3d63f89
>
> cute: Creates Mutex: We Are HellMakers
>
> matches what our quick analysis internally revealed.
>
> thanks. lemme know if the .biz folks should be asked to axe the name.
>
> --
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> manager of security research arbor networks
> v: (734) 821 1427 http://asert.arbor.net/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
>
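As an added example (not code from the thread or from either poster), the following Python script turns the indicators quoted above into a defensive check: it parses the three A records exactly as they appear in the message, then scans flow records for connections to those addresses, flagging TCP traffic to port 5900 as probable C&C activity and other traffic to the same addresses for review. The flow-line format and the sample flow lines are constructed for this example; real NetFlow or firewall exports would need their own parser.

```python
import re

# Indicators quoted in the thread: the C&C hostname and port, and the A records as posted.
CC_HOSTNAME = "red.mobinil.biz"
CC_PORT = 5900
A_RECORDS_FROM_THREAD = """\
red.mobinil.biz. 300 IN A 174.34.132.203
red.mobinil.biz. 300 IN A 174.34.156.203
red.mobinil.biz. 300 IN A 174.34.156.216
"""

# Zone-file style resource record: name ttl IN type rdata
RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)$")


def parse_a_records(text):
    """Return the set of IPv4 addresses found in A records of zone-file style text."""
    ips = set()
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m and m["type"] == "A":
            ips.add(m["rdata"])
    return ips


CC_IPS = parse_a_records(A_RECORDS_FROM_THREAD)

# Constructed sample flow lines (hypothetical format and traffic, not real data):
# "<timestamp> <src> -> <dst>:<port> <proto>"
SAMPLE_FLOWS = [
    "2009-02-22T19:05:11Z 10.1.4.22 -> 174.34.156.203:5900 tcp",
    "2009-02-22T19:05:12Z 10.1.4.22 -> 198.51.100.7:443 tcp",
    "2009-02-22T19:06:40Z 10.1.7.9 -> 174.34.132.203:80 tcp",
    "2009-02-22T19:07:02Z 10.1.9.31 -> 174.34.156.216:5900 tcp",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def classify_flow(line):
    """Classify one flow line against the C&C indicators.

    Returns "c2" for TCP traffic to a C&C address on the C&C port,
    "ip-only" for any other traffic to a C&C address (worth a look, weaker signal),
    or None for lines that are unparseable or do not involve the indicators.
    """
    m = FLOW_RE.match(line.strip())
    if not m or m["dst"] not in CC_IPS:
        return None
    if m["proto"].lower() == "tcp" and int(m["port"]) == CC_PORT:
        return "c2"
    return "ip-only"


def find_hits(lines):
    """Return (src, dst, port, verdict) for every flow line that matches an indicator."""
    hits = []
    for line in lines:
        verdict = classify_flow(line)
        if verdict is None:
            continue
        m = FLOW_RE.match(line.strip())
        hits.append((m["src"], m["dst"], int(m["port"]), verdict))
    return hits


if __name__ == "__main__":
    print(f"C&C addresses for {CC_HOSTNAME}: {sorted(CC_IPS)}")
    for src, dst, port, verdict in find_hits(SAMPLE_FLOWS):
        print(f"{verdict:8s} {src} -> {dst}:{port}")
```

Keeping the address list derived from the pasted records, rather than hand-typed, means the same parser can be pointed at fresh passive-DNS output if the name is re-pointed before the registry acts on it; the port check is kept separate from the address check so that a change of C&C port still leaves the weaker "ip-only" signal.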