[nsp-sec] Multiple DDoS attacks
Smith, Donald
Donald.Smith at qwest.com
Tue Jul 7 13:37:54 EDT 2009
Can I assume these are the UA's and other HTTP header info you're seeing? I got these via strings on the dll file;)
Notice the accept-language is : ko.
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: ko
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: %s
%sHost: %s
Connection: Keep-Alive
POST %s HTTP/1.1
Accept: */*
Accept-Language: ko
Referer: http://%s/
charset: utf-8
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: %s
Host: %s
Content-Length: 0
Connection: Keep-Alive
Cache-Control: %s
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; MAXTHON 2.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Dave Mitchell
> Sent: Tuesday, July 07, 2009 10:35 AM
> To: Tim Wilde
> Cc: NSP nsp-security
> Subject: Re: [nsp-sec] Multiple DDoS attacks
>
> ----------- nsp-security Confidential --------
>
>
This is great. It helped us verify which UA's are indeed part of this
malware. We suspected it was the ones I posted earlier, but this
confirms it.
-dave
On Tue, Jul 07, 2009 at 12:12:56PM -0400, Tim Wilde wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 7/7/2009 12:04 PM, Tim Wilde wrote:
> > I believe the attachment is being stripped by puck because it's password
> > protected. If you send it directly to me I can put it up in the NSP-SEC
> > section of our web site and post the URL so anyone who is interested
> > here can download it.
>
> Matt sent me the file from YoungBaek, and I've uploaded it here:
>
> https://www.cymru.com/nsp-sec/Owned/perfvwr-2009-07-07.zip
>
> Download at your own risk/enjoyment! :)
>
> Regards,
> Tim
>
> - --
> Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
> twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iD8DBQFKU3QIluRbRini9tgRAttaAJ9fAU5/mwCw7uCN1srRuK/ekieElQCfRghC
> YphXxn9subIrtrHdRMK4J5k=
> =7WqM
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
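The header templates and User-Agent strings Donald pulled out of the DLL are a usable detection signature, but only in combination: "Accept-Language: ko" on its own is just a Korean browser, and each UA string is a real product string. What separates the bot from a browser is the fixed template around the substituted UA: the same "Accept-Language: ko" and "UA-CPU: x86" regardless of which UA was picked (including the en-US Firefox one, which never sends UA-CPU), the non-standard "charset: utf-8" request header and "Content-Length: 0" in the POST template, "Referer: http://<Host>/", and the exact header order. The following scorer is an added example written for this thread (not code from the list, from Team Cymru, or from the malware); it assumes you have raw request heads (from a pcap or a full-header access log), and the three sample requests and the threshold value are constructed for illustration.

```python
"""Score raw HTTP request heads against the GET/POST header templates and
the five User-Agent strings recovered from the DDoS DLL (see thread).
Added example, not part of the original posts; sample requests below are
constructed, the threshold is an assumption to tune against real traffic."""

# Byte-exact Accept list from the GET template.
GET_ACCEPT = ("image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
              "application/x-shockwave-flash, application/vnd.ms-excel, "
              "application/vnd.ms-powerpoint, application/msword, "
              "application/x-ms-application, application/x-ms-xbap, "
              "application/vnd.ms-xpsdocument, application/xaml+xml, */*")

UA_IE7 = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 2.0.50727; "
          ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)")
UA_FIREFOX = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) "
              "Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)")
BOT_USER_AGENTS = frozenset({
    UA_IE7,
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
    UA_FIREFOX,
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; MAXTHON 2.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)",
})

# Header order in each template. The GET template has "%sHost:", i.e. the
# bot may splice extra headers in before Host, so order is a subsequence check.
GET_ORDER = ("accept", "accept-language", "ua-cpu", "accept-encoding",
             "user-agent", "host", "connection")
POST_ORDER = ("accept", "accept-language", "referer", "charset", "content-type",
              "accept-encoding", "user-agent", "host", "content-length",
              "connection", "cache-control")
FLAG_THRESHOLD = 4  # assumption: tune against your own traffic


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, ordered headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def is_subsequence(order, names):
    """True if every name in `order` appears in `names` in that relative order."""
    it = iter(names)
    return all(want in it for want in order)  # `in` consumes the iterator


def score_request(raw):
    """Return (score, reasons): one reason per template feature the request matches."""
    method, _target, headers = parse_request(raw)
    h = dict(headers)
    names = [name for name, _ in headers]
    ua = h.get("user-agent", "")
    reasons = []
    if ua in BOT_USER_AGENTS:
        reasons.append("User-Agent is one of the five UA strings in the DLL")
    if h.get("accept-language") == "ko":
        reasons.append("Accept-Language: ko (fixed in both templates)")
        if "en-US" in ua:
            reasons.append("Accept-Language ko from a UA that claims an en-US build")
    if method == "GET":
        if h.get("accept") == GET_ACCEPT:
            reasons.append("Accept list byte-identical to the GET template")
        if h.get("ua-cpu") == "x86":
            reasons.append("UA-CPU: x86 (fixed in the GET template)")
            if "MSIE" not in ua:
                reasons.append("UA-CPU is an IE-only header but the UA is not IE")
        if is_subsequence(GET_ORDER, names):
            reasons.append("header order matches the GET template")
    elif method == "POST":
        if h.get("charset") == "utf-8":
            reasons.append("non-standard 'charset: utf-8' request header from the POST template")
        if h.get("content-length") == "0" and \
                h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            reasons.append("form-encoded POST with Content-Length: 0")
        host = h.get("host")
        if host and h.get("referer") == "http://%s/" % host:
            reasons.append("Referer is http://<Host>/ exactly as templated")
        if is_subsequence(POST_ORDER, names):
            reasons.append("header order matches the POST template")
    return len(reasons), reasons


def is_bot_request(raw):
    return score_request(raw)[0] >= FLAG_THRESHOLD


def build_request(request_line, headers):
    """Serialise an ordered header list to a raw head (used for constructed samples)."""
    return "\r\n".join([request_line] + ["%s: %s" % kv for kv in headers] + ["", ""]).encode("latin-1")


# Constructed samples: a GET and a POST filled in from the templates, and a
# Korean Firefox 3 user whose only overlap with the templates is the language.
BOT_GET = build_request("GET /index.html HTTP/1.1", [
    ("Accept", GET_ACCEPT), ("Accept-Language", "ko"), ("UA-CPU", "x86"),
    ("Accept-Encoding", "gzip, deflate"), ("User-Agent", UA_FIREFOX),
    ("Host", "www.example.com"), ("Connection", "Keep-Alive")])
BOT_POST = build_request("POST /board/list.php HTTP/1.1", [
    ("Accept", "*/*"), ("Accept-Language", "ko"), ("Referer", "http://www.example.com/"),
    ("charset", "utf-8"), ("Content-Type", "application/x-www-form-urlencoded; charset=utf-8"),
    ("Accept-Encoding", "gzip, deflate"), ("User-Agent", UA_IE7), ("Host", "www.example.com"),
    ("Content-Length", "0"), ("Connection", "Keep-Alive"), ("Cache-Control", "no-cache")])
KOREAN_FIREFOX_GET = build_request("GET / HTTP/1.1", [
    ("Host", "www.example.com"),
    ("User-Agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; ko; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11"),
    ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
    ("Accept-Language", "ko"), ("Accept-Encoding", "gzip,deflate"), ("Connection", "keep-alive")])

if __name__ == "__main__":
    for label, req in (("bot GET", BOT_GET), ("bot POST", BOT_POST), ("Korean Firefox", KOREAN_FIREFOX_GET)):
        score, reasons = score_request(req)
        print(label, score, is_bot_request(req), reasons)
```

The scorer deliberately does not key on Accept-Encoding or Connection: Keep-Alive, which every IE7/XP client sends, and it requires the full head rather than a default access-log line, since Accept-Language, UA-CPU and the bogus charset header are not in common log format. Run it over captured requests from the attack window and adjust FLAG_THRESHOLD until legitimate Korean traffic stops scoring.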