[nsp-sec] Korean DDoS update - List confidential - C2 updates - 2009.07.31
Nicholas Ianelli
ni at centergate.net
Fri Jul 31 13:43:05 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team,
My apologies, I should have waited to process today's list before
sending out the below. What's odd is that there were a number of updates
today (usually only 1, 3 so far).
As already stated:
There is active LE investigation on this from multiple agencies around
the globe. I would ask that you just not take these down but make an
effort to preserve any data that you can and work with your respective
LE agency to get them the info (and have them get you the paperwork you
need). If I can be of any assistance here, please do not hesitate to
contact me.
It would be great if LE were able to acquire a number of these machines,
for those that may not have LE investigations, feel free to pass my
number (in my signature line) to your customers. I am more than happy to
assist in reviewing their machine, pulling off the malware and assisting
in cleanup.
577 | 207.236.47.20 | BACOM - Bell Canada
1239 | 207.43.68.89 | SPRINTLINK - Sprint
1659 | 210.240.57.139 | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
2516 | 113.151.77.147 | KDDI KDDI CORPORATION
4134 | 222.215.0.199 | CHINANET-BACKBONE No.31,Jin-rong Street
4565 | 155.229.78.81 | MEGAPATH2-US - MegaPath Networks Inc.
4837 | 61.139.142.52 | CHINA169-BACKBONE CNCGROUP China169 Backbone
6327 | 24.76.88.38 | SHAW - Shaw Communications Inc.
6983 | 66.0.117.230 | ITCDELTA - ITC^Deltacom
8048 | 190.73.3.154 | CANTV Servicios, Venezuela
10993 | 206.72.76.235 | AERIONET-INC - Aerioconnect
12322 | 88.174.166.150 | PROXAD AS for Proxad/Free ISP
13583 | 216.230.7.183 | ACCESS-TECH - Access Technology, Inc.
16727 | 69.171.205.192 | PRIVATE-CABLE - Private Cable Co. LLC
17488 | 125.99.123.181 | HATHWAY-NET-AP Hathway IP Over Cable Internet
17621 | 112.64.16.131 | CNCGROUP-SH China Unicom Shanghai network
19429 | 201.245.71.54 | ETB - Colombia
20115 | 24.181.13.217 | CHARTER-NET-HKY-NC - Charter Communications
20115 | 66.191.18.193 | CHARTER-NET-HKY-NC - Charter Communications
20214 | 75.145.228.148 | COMCAST-20214 - Comcast Cable Communications Holdings, Inc
22080 | 200.112.143.228 | Broadbandtech S. A.
31416 | 217.145.247.138 | APPTEC-NETWORK App-Tec_s Network - AS
32098 | 66.208.118.14 | TRANSTELCO-INC - Transtelco Inc
39015 | 87.237.199.108 | MENA Mena Broadband AS
61.139.142.52:80
155.229.78.81:80
201.245.71.54:80
205.98.194:80
75.145.228.148:80
217.145.247.138:80
66.191.18.193:80
24.76.88.38:80
206.72.76.235:443
207.43.68.89:80
69.171.205.192:80
125.99.123.181:53
190.73.3.154:80
200.112.143.228:443
66.208.118.14:80
113.151.77.147:80
112.64.16.131:443
24.181.13.217:80
201.245.71.54:80
222.215.0.199:21
69.171.205.192:80
125.99.123.181:53
190.73.3.154:80
210.240.57.139:80
216.230.7.183:53
66.0.117.230:80
207.236.47.20:80
87.237.199.108:80
88.174.166.150:80
222.215.0.199:21
Cheers,
Nick
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
> Team,
>
> As Rodney has already noted, here are the IP's I've seen being utilized
> by the Korean DDoS malware as their new C2 hosts. A spot check reveals
> that a number of these are your run of the mill compromised host.
>
> There is active LE investigation on this from multiple agencies around
> the globe. I would ask that you just not take these down but make an
> effort to preserve any data that you can and work with your respective
> LE agency to get them the info (and have them get you the paperwork you
> need). If I can be of any assistance here, please do not hesitate to
> contact me.
>
> It would be great if LE were able to acquire a number of these machines,
> for those that may not have LE investigations, feel free to pass my
> number (in my signature line) to your customers. I am more than happy to
> assist in reviewing their machine, pulling off the malware and assisting
> in cleanup.
>
> 1239 | 207.43.68.89 | SPRINTLINK - Sprint
> 1785 | 169.130.155.95 | AS-PAETEC-NET - PaeTec Communications, Inc.
> 2529 | 194.70.241.202 | DEMON-INTERNET Demon Internet
> 3269 | 94.81.163.26 | ASN-IBSNAZ TELECOM ITALIA
> 3462 | 122.124.106.180 | HINET Data Communication Business Group
> 3462 | 60.251.45.88 | HINET Data Communication Business Group
> 3505 | 166.82.112.120 | WINDSTREAM - Windstream Communications Inc
> 3741 | 196.211.97.37 | IS
> 3786 | 112.216.240.243 | LGDACOM LG DACOM Corporation
> 4134 | 122.243.81.131 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 203.88.213.144 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 58.210.234.137 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 58.210.234.137 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4134 | 58.210.234.154 | CHINANET-BACKBONE No.31,Jin-rong Street
> 4837 | 123.153.119.80 | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 4837 | 220.250.12.157 | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 4837 | 61.139.142.52 | CHINA169-BACKBONE CNCGROUP China169 Backbone
> 5650 | 74.41.226.162 | FRONTIER-FRTR - Frontier Communications of America, Inc.
> 6327 | 24.108.248.23 | SHAW - Shaw Communications Inc.
> 6327 | 24.76.88.38 | SHAW - Shaw Communications Inc.
> 6400 | 201.229.187.1 | Compañía Dominicana de Teléfonos, C. por A. - CODETEL
> 6478 | 173.19.142.58 | ATT-INTERNET3 - AT&T WorldNet Services
> 7303 | 190.138.60.254 | Telecom Argentina S.A.
> 9121 | 88.247.20.210 | TTNET TTnet Autonomous System
> 9695 | 121.54.160.103 | KITINET-AS KT Solutions Coprporation
> 9916 | 163.19.186.237 | NCTU-TW National Chiao Tung University,
> 10993 | 206.72.76.235 | AERIONET-INC - Aerioconnect
> 11060 | 74.219.99.71 | NEO-RR-COM - Road Runner HoldCo LLC
> 11290 | 24.49.242.134 | RAPIDUS - COGECO Cable Canada Inc.
> 11666 | 76.75.92.169 | NEXICOM-CA - Nexicom Inc.
> 16342 | 217.113.234.233 | Toya, TV cable company located in PL (town Lodz).
> 17379 | 201.12.92.148 | Intelig Telecomunica Ltda
> 18566 | 72.244.141.204 | COVAD - Covad Communications Co.
> 20115 | 66.191.18.193 | CHARTER-NET-HKY-NC - Charter Communications
> 20214 | 75.145.228.148 | COMCAST-20214 - Comcast Cable Communications Holdings, Inc
> 27672 | 200.95.230.30 | Tele Cable Centro Occidente S.A. de C.V.
> 29079 | 217.25.56.8 | IRNA-AS IRAN News Agency.
> 31416 | 217.145.247.138 | APPTEC-NETWORK App-Tec_s Network - AS
> 33650 | 173.10.102.77 | COMCAST-33650 - Comcast Cable Communications, Inc.
> 35125 | 212.3.132.56 | SMOLENSK-AS Smolensk branch of the JSC _CenterTelecom_
> 38890 | 121.54.160.103 | CITS-KITINET-AS-PH Internet Service Provider /IDC
>
> IP:Port
>
> 112.216.240.243:443
> 121.54.160.103:53
> 122.124.106.180:443
> 122.243.81.131:443
> 123.153.119.80:443
> 163.19.186.237:80
> 166.82.112.120:80
> 169.130.155.95:80
> 173.10.102.77:80
> 173.19.142.58:80
> 190.138.60.254:80
> 194.70.241.202:53
> 196.211.97.37:443
> 200.95.230.30:53
> 201.12.92.148:80
> 201.229.187.1:80
> 203.88.213.144:443
> 206.72.76.235:443
> 207.43.68.89:80
> 212.3.132.56:443
> 217.113.234.233:80
> 217.145.247.138:80
> 217.25.56.8:80
> 220.250.12.157:443
> 24.108.248.23:80
> 24.49.242.134:80
> 24.76.88.38:80
> 58.210.234.137:443
> 58.210.234.137:443
> 58.210.234.154:443
> 60.251.45.88:443
> 61.139.142.52:80
> 66.191.18.193:80
> 72.244.141.204:80
> 74.219.99.71:80
> 74.41.226.162:80
> 75.145.228.148:80
> 76.75.92.169:80
> 88.247.20.210:80
> 94.81.163.26:443
>
>
> Rodney Joffe wrote:
>
>> So while it appeared that the botnet was down, and we missed recovering
>> data from the original 3 C&C IP addresses, looks like we're back in the
>> game.
>
>> We've passed the recent data back to the LE folks who are working this,
>> and we wanted to give you all the data so you can join the project ;-)
>
>> However, please do NOT disturb the systems that may show up in your
>> networks without coordinating with the LE people. They're working on
>> official processes. Some of you in the US may already have been "ping'd"
>> by them. If you *do* have a C&C system in your network, please contact
>> Nick or me, and we'll put you in touch with the Fed LE lead on this, as
>> he would like to hear from you asap.
>
> Cheers,
> Nick
>
--
Nicholas Ianelli: NeuStar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkpzLSkACgkQi10dJIBjZIAFKACePnSy1tIj9YVuCWLI3pWvlAo2
CU0AoKC3XM09/oismWRdcjzyxuohFLJz
=ATkE
-----END PGP SIGNATURE-----
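The lists above are in the usual nsp-sec shape: an "ASN | IP | AS name" block (line-wrapped where the AS name is long) followed by a bare "IP:port" block that repeats some entries and, in one case, carries a truncated address (205.98.194:80). A practitioner checking their own network against the list wants a parser that tolerates the wrapping, collapses duplicates, reports (rather than guesses at) entries that are not valid address:port pairs, and then matches flow records against the result with the port taken into account. The following Python is an added example written for this page, not code from the mail or from the list's authors; the indicator lines are a subset copied from the lists above, while the flow-record format and the flow lines are constructed for the example.

```python
"""Match flow records against a C2 indicator list in the nsp-sec format
(ASN | IP | AS name, then IP:port).  Added example; the key=value flow
record format and the flow lines below are constructed, not real data."""
import ipaddress
import re

# Subset of the indicator lines quoted from the mail above, including one
# line-wrapped AS name and the truncated "205.98.194:80" entry as it appears.
ASN_TEXT = """\
577 | 207.236.47.20 | BACOM - Bell Canada
1659 | 210.240.57.139 | ERX-TANET-ASN1 Tiawan Academic Network
(TANet) Information Center
4837 | 61.139.142.52 | CHINA169-BACKBONE CNCGROUP China169 Backbone
17488 | 125.99.123.181 | HATHWAY-NET-AP Hathway IP Over Cable Internet
19429 | 201.245.71.54 | ETB - Colombia
"""

IPPORT_TEXT = """\
61.139.142.52:80
201.245.71.54:80
205.98.194:80
125.99.123.181:53
201.245.71.54:80
210.240.57.139:80
207.236.47.20:80
"""

# Constructed flow records (not from the mail): one exact C2 hit, one DNS-port
# hit, one contact with a C2 IP on a port the list does not name, one benign.
FLOW_LINES = [
    "2009-07-31 13:40:05 src=10.1.2.3 dst=61.139.142.52 proto=6 sport=49152 dport=80",
    "2009-07-31 13:40:09 src=10.1.2.3 dst=125.99.123.181 proto=17 sport=51000 dport=53",
    "2009-07-31 13:41:00 src=10.1.2.7 dst=61.139.142.52 proto=6 sport=49800 dport=443",
    "2009-07-31 13:41:30 src=10.1.2.9 dst=8.8.8.8 proto=17 sport=53001 dport=53",
]

ASN_LINE = re.compile(r"^\s*(\d+)\s*\|\s*([\d.]+)\s*\|\s*(.*)$")
FLOW_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_asn_lines(text):
    """Return {ip: (asn, as_name)}.  A line that does not fit the '|' layout
    is treated as the continuation of the previous (line-wrapped) AS name."""
    result, last_ip = {}, None
    for raw in text.splitlines():
        m = ASN_LINE.match(raw)
        if m:
            asn, ip, name = m.groups()
            result[ip] = (int(asn), name.strip())
            last_ip = ip
        elif raw.strip() and last_ip:
            asn, name = result[last_ip]
            result[last_ip] = (asn, name + " " + raw.strip())
    return result


def parse_ipport_lines(text):
    """Return (set of (ip, port) indicators, list of rejected lines).
    Duplicates collapse into the set; anything that is not a valid IPv4
    address:port pair (e.g. a truncated address) is reported, not guessed."""
    indicators, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ip, sep, port = line.rpartition(":")
        try:
            ipaddress.IPv4Address(ip)          # raises ValueError on "205.98.194"
            port_num = int(port)
            if not sep or not 0 < port_num < 65536:
                raise ValueError(line)
        except ValueError:
            rejected.append(line)
            continue
        indicators.add((ip, port_num))
    return indicators, rejected


def parse_flow(line):
    """Parse one constructed key=value flow record into a dict."""
    return dict(FLOW_FIELD.findall(line))


def match_flows(flow_lines, indicators, asn_info):
    """Return one hit per flow whose destination is a listed C2 IP.  'exact'
    is True when the destination port is the one listed for that IP; a
    contact on another port is still reported so it can be reviewed."""
    c2_ips = {ip for ip, _ in indicators}
    hits = []
    for line in flow_lines:
        f = parse_flow(line)
        dst, dport = f.get("dst"), int(f.get("dport", 0))
        if dst not in c2_ips:
            continue
        asn, name = asn_info.get(dst, (None, "unknown"))
        hits.append({"src": f["src"], "dst": dst, "dport": dport,
                     "exact": (dst, dport) in indicators,
                     "asn": asn, "as_name": name})
    return hits


if __name__ == "__main__":
    ind, rej = parse_ipport_lines(IPPORT_TEXT)
    print("unparseable indicator lines:", rej)
    for h in match_flows(FLOW_LINES, ind, parse_asn_lines(ASN_TEXT)):
        print(h)
```

Reporting the port mismatch separately rather than dropping it matters here: the same host can be listed on 80 in one update and 443 or 53 in the next, and given the request above to preserve rather than block, an operator wants every contact with a listed host surfaced, with the exact-port hits called out for the LE hand-off.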