[nsp-sec] irc bot controller on as 10929 as3356, 4436, 5769, 6453, 14572
Marc Kneppers
Marc.Kneppers at TELUS.COM
Mon Feb 23 17:00:55 EST 2009
Hi
Just a quick note, since I don't think Videotron is online. I've been in contact with them (Videotron) about this. Their abuse desk will be attempting to contact them shortly so we may get some traction.
Thx
-
Marc
TELUS
852
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Smith, Donald
> Sent: Monday, February 23, 2009 11:35 AM
> To: 'nsp-security NSP'
> Subject: [nsp-sec] irc bot controller on as 10929 as3356,
> 4436, 5769, 6453, 14572
>
> ----------- nsp-security Confidential --------
>
> This has been around for a while. Attempts to notify
> netelligent appear to be going to the bit bucket.
> Could level3, nlayer, videotron or globeinternet put a little
> pressure on them to shut down the bot controller identified below?
> Thanks.
>
>
> $ whois -h whois.cymru.com 209.44.119.210
> AS | IP | AS Name
> 10929 | 209.44.119.210 | NETELLIGENT - Netelligent Hosting Services Inc.
>
> $ whois -h whois.cymru.com 209.44.97.57
> AS | IP | AS Name
> 10929 | 209.44.97.57 | NETELLIGENT - Netelligent Hosting Services Inc.
>
> $ whois -h whois.cymru.com 209.44.119.210
> AS | IP | AS Name
> 10929 | 209.44.119.210 | NETELLIGENT - Netelligent Hosting Services Inc.
>
>
> $ whois -h upstream-whois.cymru.com 209.44.119.210
> PEER_AS | IP | AS Name
> 3356 | 209.44.119.210 | LEVEL3 Level 3 Communications
> 4436 | 209.44.119.210 | AS-NLAYER - nLayer Communications, Inc.
> 5769 | 209.44.119.210 | VIDEOTRON - Videotron Telecom Ltee
> 6453 | 209.44.119.210 | GLOBEINTERNET TATA Communications
>
>
> >> The C&C is contacted via dns lookup as follows. It runs a fairly standard
> >> IRC based C&C on 80/tcp.
> >>
> >> $ host www.baldmanpower.net
> >> www.baldmanpower.net has address 209.44.97.57
> >> www.baldmanpower.net has address 209.44.118.105
> >> www.baldmanpower.net has address 209.44.119.210
>
>
> The exe is located here.
> In as 14572 (suavemente) space.
> >> http://66.11.114.38/~gamegone/test.exe
>
>
> Virustotal results here:
> http://www.virustotal.com/analisis/0750f7289e20ef62b171f4d1efd2f0c6
>
> Some engines identify it as sdbot others as rbot.
>
>
>
>
> H8Hz
> Donald.Smith at qwest.com gcia
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>