[nsp-sec] Korean DDoS update - List confidential

YoungBaek Kim ybkim at krcert.or.kr
Thu Jul 30 22:04:43 EDT 2009


Thank you for your report.
It's very helpful to us, KrCERT.

----- Original Message ----- 
From: "Rodney Joffe" <rjoffe at centergate.com>
To: "NSP-SEC List" <nsp-security at puck.nether.net>
Sent: Friday, July 31, 2009 12:54 AM
Subject: [nsp-sec] Korean DDoS update - List confidential


> ----------- nsp-security Confidential --------
> 
>


> Cross-posted for obvious reasons as well (we really need to reduce the  
> number of campfires we all sit around ;-))
> 
> As if we don't have enough fun going on this week :-)
> 
> This comes to you from our own Nick Ianelli. He has been persistently  
> looking at the KR DDoS from all angles, including recovering files  
> from a botted system's disk image, and on the weekend, with help from  
> a friend "in Pittsburgh" he stumbled on an encrypted binary that  
> appeared to have an additional set of C&C IP addresses in it. He  
> watched some of his systems, and lo and behold, the suckers are  
> actually updating every 24 hours with mostly new C&C IP addresses.  
> Like clockwork. He then validated that some of these C2 systems are in  
> fact live and active and responding :-).
> 
> So while it appeared that the botnet was down, and we missed  
> recovering data from the original 3 C&C IP addresses, looks like we're  
> back in the game.
> 
> We've passed the recent data back to the LE folks who are working  
> this, and we wanted to give you all the data so you can join the  
> project ;-)
> 
> However, please do NOT disturb the systems that may show up in your  
> networks without coordinating with the LE people. They're working on  
> official processes. Some of you in the US may already have been  
> "ping'd" by them. If you *do* have a C&C system in your network,  
> please contact Nick or me, and we'll put you in touch with the Fed LE  
> lead on this, as he would like to hear from you asap.
> 
> There is too much blurb, so I am attaching a pdf of the company report  
> Nick prepared. You should be able to cut and paste from it in case you  
> want to copy hashes, IP addresses etc. Let Nick know if you insist on  
> having it in plain text.
> 
> Nick rocks!
> 
> Regards
> Rodney
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
