[nsp-sec] Korea botnet actually deleting files?

Joel Rosenblatt joel at columbia.edu
Sat Jul 11 18:29:52 EDT 2009


So, this may be a naive view of the world, but since we have been (for some unknown reason) one of the attack targets of this - after staring at the IP ranges doing the attacking, it occurred to us that a possible reason for using the S Korean machines to launch this would be to cause the less resourceful American targets to just blanket block all of South Korea (I will admit it did look very tempting at one point).

This was probably obvious to all of you out there ... but since we did have the discussion internally, I thought I would throw it out there.

Please ignore if irrelevant :-)

Regards,
Joel



--On Saturday, July 11, 2009 5:59 PM -0400 Jose Nazario <jose at arbor.net> wrote:

> ----------- nsp-security Confidential --------
>
> saw it happen in our sandboxes with the flash.gif EXE samples. gzip, delete, poof.
>
> heard reports directly from KRCERT that this was happening in their neck of the woods.
>
> had been advising customers that a few subscribers may be calling in with "i can't boot" issues and this may be related.
>
> -------------------------------------------------------------
> jose nazario, ph.d.     	<jose at arbor.net>
> manager of security research 	arbor networks
> v: (734) 821 1427 	      	http://asert.arbor.net/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel



