[nsp-sec] Korean DDoS update - List confidential
Nicholas Ianelli
ni at centergate.net
Fri Jul 31 09:42:20 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team,
As Rodney has already noted, here are the IP's I've seen being utilized
by the Korean DDoS malware as their new C2 hosts. A spot check reveals
that a number of these are your run of the mill compromised host.
There is active LE investigation on this from multiple agencies around
the globe. I would ask that you just not take these down but make an
effort to preserve any data that you can and work with your respective
LE agency to get them the info (and have them get you the paperwork you
need). If I can be of any assistance here, please do not hesitate to
contact me.
It would be great if LE were able to acquire a number of these machines,
for those that may not have LE investigations, feel free to pass my
number (in my signature line) to your customers. I am more than happy to
assist in reviewing their machine, pulling off the malware and assisting
in cleanup.
1239 | 207.43.68.89 | SPRINTLINK - Sprint
1785 | 169.130.155.95 | AS-PAETEC-NET - PaeTec Communications, Inc.
2529 | 194.70.241.202 | DEMON-INTERNET Demon Internet
3269 | 94.81.163.26 | ASN-IBSNAZ TELECOM ITALIA
3462 | 122.124.106.180 | HINET Data Communication Business Group
3462 | 60.251.45.88 | HINET Data Communication Business Group
3505 | 166.82.112.120 | WINDSTREAM - Windstream Communications Inc
3741 | 196.211.97.37 | IS
3786 | 112.216.240.243 | LGDACOM LG DACOM Corporation
4134 | 122.243.81.131 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 203.88.213.144 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.137 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.137 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.154 | CHINANET-BACKBONE No.31,Jin-rong Street
4837 | 123.153.119.80 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 220.250.12.157 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 61.139.142.52 | CHINA169-BACKBONE CNCGROUP China169 Backbone
5650 | 74.41.226.162 | FRONTIER-FRTR - Frontier Communications of America, Inc.
6327 | 24.108.248.23 | SHAW - Shaw Communications Inc.
6327 | 24.76.88.38 | SHAW - Shaw Communications Inc.
6400 | 201.229.187.1 | Compañía Dominicana de Teléfonos, C. por A. - CODETEL
6478 | 173.19.142.58 | ATT-INTERNET3 - AT&T WorldNet Services
7303 | 190.138.60.254 | Telecom Argentina S.A.
9121 | 88.247.20.210 | TTNET TTnet Autonomous System
9695 | 121.54.160.103 | KITINET-AS KT Solutions Coprporation
9916 | 163.19.186.237 | NCTU-TW National Chiao Tung University,
10993 | 206.72.76.235 | AERIONET-INC - Aerioconnect
11060 | 74.219.99.71 | NEO-RR-COM - Road Runner HoldCo LLC
11290 | 24.49.242.134 | RAPIDUS - COGECO Cable Canada Inc.
11666 | 76.75.92.169 | NEXICOM-CA - Nexicom Inc.
16342 | 217.113.234.233 | Toya ,TV cable company located in PL( town Lodz).
17379 | 201.12.92.148 | Intelig Telecomunica Ltda
18566 | 72.244.141.204 | COVAD - Covad Communications Co.
20115 | 66.191.18.193 | CHARTER-NET-HKY-NC - Charter Communications
20214 | 75.145.228.148 | COMCAST-20214 - Comcast Cable Communications Holdings, Inc
27672 | 200.95.230.30 | Tele Cable Centro Occidente S.A. de C.V.
29079 | 217.25.56.8 | IRNA-AS IRAN News Agency.
31416 | 217.145.247.138 | APPTEC-NETWORK App-Tec's Network - AS
33650 | 173.10.102.77 | COMCAST-33650 - Comcast Cable Communications, Inc.
35125 | 212.3.132.56 | SMOLENSK-AS Smolensk branch of the JSC "CenterTelecom"
38890 | 121.54.160.103 | CITS-KITINET-AS-PH Internet Service Provider /IDC
IP:Port
112.216.240.243:443
121.54.160.103:53
122.124.106.180:443
122.243.81.131:443
123.153.119.80:443
163.19.186.237:80
166.82.112.120:80
169.130.155.95:80
173.10.102.77:80
173.19.142.58:80
190.138.60.254:80
194.70.241.202:53
196.211.97.37:443
200.95.230.30:53
201.12.92.148:80
201.229.187.1:80
203.88.213.144:443
206.72.76.235:443
207.43.68.89:80
212.3.132.56:443
217.113.234.233:80
217.145.247.138:80
217.25.56.8:80
220.250.12.157:443
24.108.248.23:80
24.49.242.134:80
24.76.88.38:80
58.210.234.137:443
58.210.234.137:443
58.210.234.154:443
60.251.45.88:443
61.139.142.52:80
66.191.18.193:80
72.244.141.204:80
74.219.99.71:80
74.41.226.162:80
75.145.228.148:80
76.75.92.169:80
88.247.20.210:80
94.81.163.26:443
Rodney Joffe wrote:
> So while it appeared that the botnet was down, and we missed recovering
> data from the original 3 C&C IP addresses, looks like we're back in the
> game.
>
> We've passed the recent data back to the LE folks who are working this,
> and we wanted to give you all the data so you can join the project ;-)
>
> However, please do NOT disturb the systems that may show up in your
> networks without coordinating with the LE people. They're working on
> official processes. Some of you in the US may already have been "ping'd"
> by them. If you *do* have a C&C system in your network, please contact
> Nick or me, and we'll put you in touch with the Fed LE lead on this, as
> he would like to hear from you asap.
Cheers,
Nick
- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkpy9LwACgkQi10dJIBjZIDWgQCcC3iQa1HeXHnkn6zldqdEd/jy
GBAAn3GGr+JLinClwJByfzCL1tSpzzmZ
=Uitp
-----END PGP SIGNATURE-----
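Added example, not part of Nick's message or the list archive: a small Python matcher that takes C2 indicators in the IP:Port form used above and runs them over connection records to find which internal hosts have talked to a C2. The C2 entries are a handful copied from the list in the message; the flow lines and the "ts src:port -> dst:port proto" record format are constructed for the example and do not correspond to any real log source. It distinguishes an exact IP:port match from a destination IP that is listed but contacted on another port, since several of these addresses are ordinary compromised hosts that also carry unrelated traffic, and it reports the internal sources to preserve rather than wipe, which is what the message asks for.

```python
import ipaddress
from collections import defaultdict

# C2 indicators in the IP:Port form used in the message (subset copied from the list above).
C2_TEXT = """\
112.216.240.243:443
121.54.160.103:53
122.124.106.180:443
194.70.241.202:53
207.43.68.89:80
58.210.234.137:443
"""

# Constructed flow records (NOT real traffic): "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
# 192.0.2.10 is a TEST-NET address standing in for a benign destination.
SAMPLE_FLOWS = """\
2009-07-30T14:02:11Z 10.0.5.23:51234 -> 112.216.240.243:443 tcp
2009-07-30T14:02:12Z 10.0.5.23:51235 -> 192.0.2.10:80 tcp
2009-07-30T14:05:40Z 10.0.9.7:40001 -> 121.54.160.103:53 udp
2009-07-30T14:06:02Z 10.0.9.7:40002 -> 121.54.160.103:80 tcp
2009-07-30T14:09:15Z 10.0.1.50:33000 -> 207.43.68.89:80 tcp
this line is malformed and should be skipped
"""


def parse_c2_list(text):
    """Return {ip: set(ports)} from 'ip:port' lines; blank lines and duplicate entries are tolerated."""
    c2 = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed indicator line
        c2[ip].add(int(port))
    return dict(c2)


def parse_flow(line):
    """Parse one constructed flow line; return None when it does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return {"ts": parts[0], "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": parts[4]}
    except ValueError:
        return None


def find_c2_contacts(flow_text, c2):
    """
    Match flows against the indicator set and return (ts, src, dst, dport, confidence).
    'exact'   : destination IP and port both match an indicator (high confidence).
    'ip-only' : destination IP is listed but on a different port; worth a look, since a
                compromised host used as C2 may also serve unrelated traffic.
    """
    hits = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst_ip"] not in c2:
            continue
        confidence = "exact" if flow["dst_port"] in c2[flow["dst_ip"]] else "ip-only"
        hits.append((flow["ts"], flow["src_ip"], flow["dst_ip"], flow["dst_port"], confidence))
    return hits


def infected_hosts(hits):
    """Internal sources with at least one exact C2 contact: machines to preserve for LE, not rebuild."""
    return sorted({src for _, src, _, _, conf in hits if conf == "exact"})


if __name__ == "__main__":
    c2 = parse_c2_list(C2_TEXT)
    hits = find_c2_contacts(SAMPLE_FLOWS, c2)
    for hit in hits:
        print(hit)
    print("hosts to preserve for LE:", infected_hosts(hits))
```

On the constructed flows this yields three exact contacts and one ip-only contact (10.0.9.7 reaching 121.54.160.103 on port 80 rather than the listed 53), so the preserve list is 10.0.1.50, 10.0.5.23 and 10.0.9.7. Replace `SAMPLE_FLOWS` and `parse_flow` with your own flow export and its field layout; the matching logic does not depend on the record format.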