[nsp-sec] ACK: Re: Compromised hosts with Mebroot
Steven Matkoski
matkoski at nysernet.org
Mon Feb 23 09:20:33 EST 2009
Ack AS#s: 4190, 11452, 17324, 22990, 27616, 31822, 32360, 33545, 33703
At 11:23 AM 2/20/2009, Florian Weimer wrote:
>----------- nsp-security Confidential --------
>
>The following is a list of hosts which have very likely been infected
>with Mebroot, based on POST requests to certain Mebroot-specific
>domains. Mebroot is a rootkit which installs itself in the Master
>Boot Record (MBR) and is used to transparently inject a Torpig DLL
>into the host system shortly after boot.
>
>A companion list for Torpig-related domains will be posted shortly.
>
>The data was obtained after a concerted effort from various parties.
>Usual guidelines apply (sanitize before you share). We can provide
>more details for individual requests we saw (Via and Host header
>fields).
>
>First column is the AS number. Time stamps are in UTC and refer to
>the last time the IP address was seen so far.
>