[nsp-sec] irc bot controller on as 10929 as3356, 4436, 5769, 6453, 14572

Smith, Donald Donald.Smith at qwest.com
Mon Feb 23 13:34:49 EST 2009


This has been around for a while. Attempts to notify netelligent appear to be going to the bit bucket.
Could level3, nlayer, videotron or globeinternet put a little pressure on them to shut down the bot controller identified below?
Thanks.


$ whois -h whois.cymru.com 209.44.119.210
AS      | IP               | AS Name
10929   | 209.44.119.210   | NETELLIGENT - Netelligent Hosting Services Inc.

$ whois -h whois.cymru.com 209.44.97.57
AS      | IP               | AS Name
10929   | 209.44.97.57     | NETELLIGENT - Netelligent Hosting Services Inc.


$ whois -h upstream-whois.cymru.com 209.44.119.210
PEER_AS | IP               | AS Name
3356    | 209.44.119.210   | LEVEL3 Level 3 Communications
4436    | 209.44.119.210   | AS-NLAYER - nLayer Communications, Inc.
5769    | 209.44.119.210   | VIDEOTRON - Videotron Telecom Ltee
6453    | 209.44.119.210   | GLOBEINTERNET TATA Communications


>> The C&C is contacted via dns lookup as follows.  It runs a fairly standard
>> IRC based C&C on 80/tcp.
>>
>> $ host www.baldmanpower.net
>> www.baldmanpower.net has address 209.44.97.57
>> www.baldmanpower.net has address 209.44.118.105
>> www.baldmanpower.net has address 209.44.119.210


The exe is located here.
In as 14572 (suavemente) space.
>> http://66.11.114.38/~gamegone/test.exe


Virustotal results here:
http://www.virustotal.com/analisis/0750f7289e20ef62b171f4d1efd2f0c6

Some engines identify it as sdbot others as rbot.

H8Hz
Donald.Smith at qwest.com gcia
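The lookups in the post above map each C&C address to its origin AS and then to that AS's upstream peers, which is the escalation list when the origin network ignores abuse reports. The following is an added example (not code from the post or from Team Cymru) that parses both whois.cymru.com output formats shown above and builds that list; the sample text is constructed from the post's own results, so it runs offline.

```python
from collections import defaultdict

# Constructed sample, copied from the post's origin and upstream lookups.
SAMPLE_ORIGIN = """\
AS      | IP               | AS Name
10929   | 209.44.119.210   | NETELLIGENT - Netelligent Hosting Services Inc.
AS      | IP               | AS Name
10929   | 209.44.97.57     | NETELLIGENT - Netelligent Hosting Services Inc.
"""
SAMPLE_UPSTREAM = """\
PEER_AS | IP               | AS Name
3356    | 209.44.119.210   | LEVEL3 Level 3 Communications
4436    | 209.44.119.210   | AS-NLAYER - nLayer Communications, Inc.
5769    | 209.44.119.210   | VIDEOTRON - Videotron Telecom Ltee
6453    | 209.44.119.210   | GLOBEINTERNET TATA Communications
"""

def bulk_query(ips):
    """Build the batch request whois.cymru.com (port 43) accepts, so a
    whole list of addresses can be resolved over one connection."""
    return "begin\nverbose\n" + "\n".join(ips) + "\nend\n"

def parse_cymru(text):
    """Yield (asn, ip, name) for each data row of either output format;
    the header row ("AS" or "PEER_AS") is skipped."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 3 or not cells[0].isdigit():
            continue
        yield int(cells[0]), cells[1], cells[2]

def escalation_plan(origin_text, upstream_text):
    """Map each origin AS to the IPs it hosts and to the peer ASes that can
    be asked to apply pressure if the origin ignores abuse reports."""
    plan = defaultdict(lambda: {"name": "", "ips": set(), "upstreams": {}})
    for asn, ip, name in parse_cymru(origin_text):
        plan[asn]["name"] = name
        plan[asn]["ips"].add(ip)
    peers = {}  # ip -> {peer_asn: peer_name}
    for asn, ip, name in parse_cymru(upstream_text):
        peers.setdefault(ip, {})[asn] = name
    for entry in plan.values():
        for ip in entry["ips"]:
            entry["upstreams"].update(peers.get(ip, {}))
    return dict(plan)
```

`escalation_plan(SAMPLE_ORIGIN, SAMPLE_UPSTREAM)` yields AS10929 with both C&C addresses and the four peer ASes named in the subject line as escalation contacts.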
