[nsp-sec] Multiple DDoS attacks

Nicholas Ianelli ni at centergate.net
Wed Jul 8 09:28:16 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Agreed. The file mentioned in the xcoolcat link matches (MD5) what
YoungBaek Kim provided:

65ba85102aaec5daf021f9bfb9cddd16 perfvwr.dll (Win-Trojan/Agent.65536.VE)

Which also mentions 50c97bf514643d9e60980985db0908ca wmiconf.dll
(Win-Trojan/Agent.67072.DL) - which is what is highlighted in the TE report.

Based on all the data out there, the only files left needed:

6350758b62484765239057218bd81d9e
e199d5c70745c363b734f499a3e065a9
6e5b00560a3c5bb92dfacb3766d6d7bc
04a3552a78ed2f8dc8dc9a77ee9eb281
4b834eadab00115c65f3563fd1dd299a - nls file - sites being attacked
93322e3614babd2f36131d604fb42905

Other than the TE report, the only thing I was able to come up with on
those IPs are some Passive DNS results:

2004-10-28 07:01:18  2005-03-16 19:49:12  dsl-213-023-243-210.arcor-ip.net            A    213.23.243.210
2004-10-28 07:01:18  2005-09-11 01:57:43  210.243.23.213.in-addr.arpa                 PTR  dsl-213-023-243-210.arcor-ip.net
2008-05-18 21:52:41  2008-05-18 21:52:41  dialbs-213-023-243-210.static.arcor-ip.net  A    213.23.243.210
2008-05-18 21:52:41  2008-05-18 21:52:41  210.243.23.213.in-addr.arpa                 PTR  dialbs-213-023-243-210.static.arcor-ip.net

2005-03-26 17:57:13  2007-05-25 02:25:00  mail.br-automation.co.in                    A    213.33.116.41
2006-10-17 01:35:07  2006-10-17 01:35:14  mail.br-automation.cz                       A    213.33.116.41

213.33.116.41	53 - was sending RSTs back yesterday

Nick

> ------------------------------------------------------------------------
> 
> Anyone gathering intel on?
> 
> Remote Host	Port Number
> 213.33.116.41	53
> 216.199.83.203	80
> 213.23.243.210	443
> 
> http://www.threatexpert.com/report.aspx?md5=0f394734c65d44915060b36a0b1a972d
> 
> The malware in those droppers seems to speak to it and I verified in a
> sandbox.
> 
> -dave
> 
> 
> 
> On Tue, Jul 07, 2009 at 04:02:38PM -0700, Dave Mitchell wrote:
>> Found some more info on a korean blog about targets. Not sure if anyone
>> has seen this. Now if I could only find the infection vector.
>>
>> http://translate.google.com/translate?hl=en&sl=ko&u=http://xcoolcat7.tistory.com/520&ei=_M9TSoT5OouqsgOd9NDhBw&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dperfvwr.dll%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official
>>
>> - www.president.go.kr (Blue House / Cheong Wa Dae)
>> - www.mnd.go.kr (Ministry of National Defense)
>> - www.mofat.go.kr (Ministry of Foreign Affairs and Trade)
>> - www.assembly.go.kr (National Assembly of the Republic of Korea)
>> - www.usfk.mil (US Forces Korea)
>> - blog.naver.com (Naver Blog)
>> - mail.naver.com (Naver Mail)
>> - banking.nonghyup.com (Nonghyup internet banking)
>> - ezbank.shinhan.com (Shinhan Bank internet banking)
>> - ebank.keb.co.kr (Korea Exchange Bank internet banking)
>> - www.hannara.or.kr (Grand National Party)
>> - www.chosun.com (Chosun Ilbo)
>> - www.auction.co.kr (Auction)
>>
>> There are also US sites.
>>
>> - www.whitehouse.gov
>> - www.faa.gov
>> - www.dhs.gov
>> - www.state.gov
>> - www.voanews.com
>> - www.defenselink.mil
>> - www.nyse.com
>> - www.nasdaq.com
>> - finance.yahoo.com
>> - www.usauctionslive.com
>> - www.usbank.com
>> - www.washingtonpost.com
>> - www.ustreas.gov
>>
>> -dave

- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations

46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkpUnvAACgkQi10dJIBjZIDCBACgymUDWLeg65mwib3tpLC23W8O
89IAnjuDqDNzwoqwhBOy7WBQQWmmGons
=iPMK
-----END PGP SIGNATURE-----
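One way to put the indicators in this thread to defensive use, as an added example that is not part of the original post or of any tool mentioned in it: a small Python matcher that takes the dropper MD5s and the C2 host/port pairs quoted above and runs them over a file-hash inventory and an outbound-connection log. Both inputs are constructed here; the connection log format ("ts src:port -> dst:port proto") is an assumption, as are the host names and non-matching hash values.

```python
"""
IoC matcher for the July 2009 DDoS thread (added example, not from the list post).

Indicators (MD5s, C2 endpoints) are the ones quoted in the thread.  The
connection log and the file-hash inventory below are constructed samples so
the script runs offline; real input would come from a firewall/proxy export
and an endpoint-agent hash listing.
"""
import re
from dataclasses import dataclass

# Dropper / component hashes quoted in the thread, with the labels given there.
DROPPER_MD5 = {
    "65ba85102aaec5daf021f9bfb9cddd16": "perfvwr.dll (Win-Trojan/Agent.65536.VE)",
    "50c97bf514643d9e60980985db0908ca": "wmiconf.dll (Win-Trojan/Agent.67072.DL)",
    "0f394734c65d44915060b36a0b1a972d": "sample from the ThreatExpert report link",
    "4b834eadab00115c65f3563fd1dd299a": "nls file - sites being attacked",
    "6350758b62484765239057218bd81d9e": "unnamed sample",
    "e199d5c70745c363b734f499a3e065a9": "unnamed sample",
    "6e5b00560a3c5bb92dfacb3766d6d7bc": "unnamed sample",
    "04a3552a78ed2f8dc8dc9a77ee9eb281": "unnamed sample",
    "93322e3614babd2f36131d604fb42905": "unnamed sample",
}

# Remote host / port pairs from Dave's table.  Port is part of the key so a
# connection to 213.23.243.210:80 is not reported as a C2 hit (only :443 is listed).
C2_ENDPOINTS = {
    ("213.33.116.41", 53),
    ("216.199.83.203", 80),
    ("213.23.243.210", 443),
}

# Constructed connection-log lines (assumed format, not from the thread).
SAMPLE_CONN_LOG = """\
2009-07-08T09:10:01Z 10.0.0.12:51022 -> 213.33.116.41:53 tcp
2009-07-08T09:10:02Z 10.0.0.12:51023 -> 8.8.8.8:53 udp
2009-07-08T09:11:40Z 10.0.0.37:49211 -> 213.23.243.210:443 tcp
2009-07-08T09:12:05Z 10.0.0.37:49212 -> 213.23.243.210:80 tcp
2009-07-08T09:13:30Z 10.0.0.51:40001 -> 216.199.83.203:80 tcp
"""

# Constructed (host, path, md5) inventory; the matching hashes are the
# thread's, the non-matching one and the host names are placeholders.
SAMPLE_FILE_INVENTORY = [
    ("host-a", r"C:\WINDOWS\system32\perfvwr.dll", "65ba85102aaec5daf021f9bfb9cddd16"),
    ("host-a", r"C:\WINDOWS\system32\kernel32.dll", "0000000000000000000000000000dead"),
    ("host-b", r"C:\WINDOWS\system32\wmiconf.dll", "50C97BF514643D9E60980985DB0908CA"),
]

CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class ConnHit:
    ts: str
    src: str
    dst: str
    dport: int


def match_connections(log_text):
    """Return one ConnHit per log line whose destination is a listed C2 host:port."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        key = (m["dst"], int(m["dport"]))
        if key in C2_ENDPOINTS:
            hits.append(ConnHit(m["ts"], m["src"], m["dst"], int(m["dport"])))
    return hits


def match_file_hashes(inventory):
    """Return (host, path, md5, label) for inventory rows whose MD5 is a known dropper."""
    hits = []
    for host, path, md5 in inventory:
        label = DROPPER_MD5.get(md5.lower())  # normalise case before lookup
        if label:
            hits.append((host, path, md5.lower(), label))
    return hits


def infected_hosts(conn_hits, file_hits):
    """Union of hosts seen talking to C2 and hosts carrying a known dropper."""
    return sorted({h.src for h in conn_hits} | {h[0] for h in file_hits})


if __name__ == "__main__":
    conns = match_connections(SAMPLE_CONN_LOG)
    files = match_file_hashes(SAMPLE_FILE_INVENTORY)
    for h in conns:
        print(f"C2 contact  {h.ts} {h.src} -> {h.dst}:{h.dport}")
    for host, path, md5, label in files:
        print(f"dropper     {host} {path} {md5} [{label}]")
    print("hosts to triage:", ", ".join(infected_hosts(conns, files)))
```

Keying C2 matches on (host, port) rather than bare IP is deliberate: two of the three addresses resolve to ordinary-looking mail and DSL names in the passive DNS above, so a bare-IP match would flag legitimate traffic on other ports and bury the real hits.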
