[nsp-sec] ACK W32.Waledac IPs

Philip Taylor Philip.Taylor at rci.rogers.com
Thu Jan 8 10:14:54 EST 2009


Thanks, forwarded IPs to our abuse desk guy. 

Phillip Taylor
AS812

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Gabriel
Iovino
Sent: Wednesday, January 07, 2009 7:37 PM
To: NSP nsp-security
Subject: [nsp-sec] W32.Waledac IPs

----------- nsp-security Confidential --------

Greetings,

All of these IPs should be offering up the W32.Waledac Worm or at the
very least hosting "card.exe" over http. I say *should* as I
programmatically verified these from larger data sets.

Each IP I spot checked was offering up card.exe (e.g. http://<ip
address>/card.exe) at the timestamp given.

All time stamps EST (-0500)

Regards,

Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
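The notification above arrives as Team Cymru bulk-whois lines (ASN | IP | timestamp | AS name, EST per the post), and what each recipient does with it is pull out the rows for their own AS and hand them to the abuse desk. The parser below is an added example, not code from the list or from REN-ISAC: it handles the line-wrapped AS names the archive shows, normalises the EST timestamps to UTC, and filters by ASN; the IPs and timestamps in SAMPLE are constructed from RFC 5737 documentation ranges.

```python
"""Parse Team Cymru bulk-whois style records (ASN | IP | timestamp | AS name)
and select the rows one abuse desk has to act on. Added example; sample data
below is constructed, not taken from the notification."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
import re

EST = timezone(timedelta(hours=-5))  # the post states all timestamps are EST (-0500)

@dataclass(frozen=True)
class Hit:
    asn: int
    ip: str
    seen: datetime   # timezone-aware, converted to UTC
    as_name: str

LINE_RE = re.compile(
    r"^(\d+)\s*\|\s*([\d.]+)\s*\|\s*(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s*\|\s*(.*)$")

def parse_bulk(text: str) -> list[Hit]:
    """Parse pipe-delimited records; skip the 'Bulk mode' header line and
    re-join AS names that a mail client wrapped onto a continuation line."""
    hits: list[Hit] = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()          # drop quote markers from a reply
        if not line or line.startswith("Bulk mode"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            if hits and "|" not in line:           # wrapped tail of the previous AS name
                last = hits.pop()
                hits.append(Hit(last.asn, last.ip, last.seen,
                                f"{last.as_name} {line}".strip()))
            continue
        asn, ip, ts, name = m.groups()
        ip_address(ip)                             # ValueError on a malformed address
        seen = (datetime.strptime(ts, "%Y-%m-%d-%H:%M:%S")
                .replace(tzinfo=EST).astimezone(timezone.utc))
        hits.append(Hit(int(asn), ip, seen, name.strip()))
    return hits

def hits_for_asn(text: str, asn: int) -> list[Hit]:
    """Rows belonging to one AS, oldest sighting first, for the abuse desk."""
    return sorted((h for h in parse_bulk(text) if h.asn == asn), key=lambda h: h.seen)

SAMPLE = """\
> Bulk mode; whois.cymru.com [2009-01-08 00:21:16 +0000]
> 812     | 192.0.2.10      | 2009-01-07-19:07:51 | EXAMPLE-CABLE -
Example Cable Communications Inc.
> 812     | 192.0.2.20      | 2009-01-07-18:38:49 | EXAMPLE-CABLE -
Example Cable Communications Inc.
> 64496   | 198.51.100.5    | 2009-01-07-18:42:01 | EXAMPLE-NET Example Network
"""
```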