[nsp-sec] Compromised hosts with Mebroot
Beasley, Jason
jason.beasley at xo.com
Mon Feb 23 15:24:11 EST 2009
ACK 2828 for both lists.
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Florian Weimer
Sent: Friday, February 20, 2009 10:24 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Compromised hosts with Mebroot
----------- nsp-security Confidential --------
The following is a list of hosts which have very likely been infected
with Mebroot, based on POST requests to certain Mebroot-specific
domains. Mebroot is a rootkit which installs itself in the Master
Boot Record (MBR) and is used to transparently inject a Torpig DLL
into the host system shortly after boot.
A companion list for Torpig-related domains will be posted shortly.
The data was obtained after a concerted effort from various parties.
Usually guidelines apply (sanitize before you share). We can provide
more details for individual requests we saw (Via and Host header
fields).
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________