[nsp-sec] W32.Waledac IPs

Gabriel Iovino giovino at ren-isac.net
Wed Jan 7 19:36:43 EST 2009


Greetings,

All of these IPs should be offering up the W32.Waledac Worm or at the
very least hosting "card.exe" over http. I say *should* as I
programmatically verified these from larger data sets.

Each IP I spot checked was offering up card.exe (e.g. http://<ip
address>/card.exe) at the timestamp given.

All timestamps are EST (-0500).

Regards,

Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630