[nsp-sec] Stumbled upon some malware | domain x8f.ru - numerous A'records

Shelton, Steve sshelton at Cogentco.com
Fri Jul 31 14:14:40 EDT 2009


Guys,

Sorry to reply to myself, but I found some more payload sites - nginx
servers also on port 8080.  It also appears that France / French-based
networks are a focal point.  Could France be the new exploit /
cybercrime hub?

A lot of the domains pointing to these prefixes seem to trace back to domains
that initially translated to 94.247.3.0/24 and 94.247.2.0/24 for a while,
then bounced around quite a bit, ending up on 95.129.144.0/23 (AS48856 |
Ventrex).  The domains were dead for a while, then apparently popped up in
.FR under a new guise, it would appear, sometime recently.

80.248.208.205:8080/cache/readme.pdf
89.171.115.10:8080/cache/readme.pdf
91.121.174.19:8080/cache/readme.pdf

80.248.208.205
89.171.115.10
91.121.174.19

Bulk mode; whois.cymru.com [2009-07-31 16:57:03 +0000]

12968   | 89.171.115.10    | CDP Crowley Data Poland, sp. z o.o.
16276   | 91.121.174.19    | OVH OVH
35830   | 80.248.208.205   | SIVIT-AS SIVIT Network - http://www.sivit.net/

Bulk mode; peer-whois.cymru.com [2009-07-31 16:57:03 +0000]

174     | 80.248.208.205   | COGENT Cogent/PSI
2516    | 91.121.174.19    | KDDI KDDI CORPORATION
3356    | 89.171.115.10    | LEVEL3 Level 3 Communications
3549    | 91.121.174.19    | GBLX Global Crossing Ltd.
4565    | 91.121.174.19    | MEGAPATH2-US - MegaPath Networks Inc.
6453    | 80.248.208.205   | GLOBEINTERNET TATA Communications
6453    | 89.171.115.10    | GLOBEINTERNET TATA Communications
6453    | 91.121.174.19    | GLOBEINTERNET TATA Communications
8218    | 80.248.208.205   | NEO-ASN AS Confederation of Neotelecoms, euNetworks AG and Upstreamnet gmbh
10310   | 89.171.115.10    | YAHOO-1 - Yahoo!
10310   | 91.121.174.19    | YAHOO-1 - Yahoo!
15830   | 80.248.208.205   | TELECITY-LON TELECITYGROUP UK

Steve Shelton
Network Security Engineer
Cogent Communications

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Shelton, Steve
Sent: Friday, July 31, 2009 9:12 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Stumbled upon some malware | domain x8f.ru - numerous A'records

----------- nsp-security Confidential --------

Team,

While looking into the activities of 80.93.90.88/32, I found that the
following servers were also facilitating the very same exploit, as well
as what appears to be 100 percent widespread nefarious activity.  Please
note that all of the /32s were found to have nginx servers operating on port
8080.

Note: While researching, I also found references to Cutwail, Rustock and
Gumblar.

hxxp://80.93.90.88:8080/cache/readme.pdf [Server: nginx]
hxxp://91.121.146.101:8080/cache/readme.pdf [Server: nginx]
hxxp://91.121.167.41:8080/cache/readme.pdf [Server: nginx]
hxxp://94.76.235.32:8080/cache/readme.pdf [Server: nginx]
hxxp://213.251.176.169:8080/cache/readme.pdf [Server: nginx]

http://wepawet.iseclab.org/view.php?hash=865a53b592bc0853282c081f052fad42&t=1249050293&type=js

Non-authoritative answer:
 Name:	x8f.ru
 Address: 80.93.90.88
 Name:	x8f.ru
 Address: 91.121.146.101
 Name:	x8f.ru
 Address: 91.121.167.41
 Name:	x8f.ru
 Address: 94.76.235.32
 Name:	x8f.ru
 Address: 213.251.176.169


Bulk mode; whois.cymru.com [2009-07-31 15:01:35 +0000]

16276   | 213.251.176.169  | OVH OVH
16276   | 91.121.146.101   | OVH OVH
16276   | 91.121.167.41    | OVH OVH
21409   | 80.93.90.88      | IKOULA IKOULA European Backbone AS
29550   | 94.76.235.32     | EUROCONNEX-AS Blueconnex Networks Ltd


Bulk mode; peer-whois.cymru.com [2009-07-31 15:01:35 +0000]
174     | 80.93.90.88      | COGENT Cogent/PSI
2516    | 213.251.176.169  | KDDI KDDI CORPORATION
2516    | 91.121.146.101   | KDDI KDDI CORPORATION
2516    | 91.121.167.41    | KDDI KDDI CORPORATION
2914    | 94.76.235.32     | NTT-COMMUNICATIONS-2914 - NTT America, Inc.
3257    | 94.76.235.32     | TINET-BACKBONE Tinet SpA
3549    | 213.251.176.169  | GBLX Global Crossing Ltd.
3549    | 91.121.146.101   | GBLX Global Crossing Ltd.
3549    | 91.121.167.41    | GBLX Global Crossing Ltd.
4565    | 213.251.176.169  | MEGAPATH2-US - MegaPath Networks Inc.
4565    | 91.121.146.101   | MEGAPATH2-US - MegaPath Networks Inc.
4565    | 91.121.167.41    | MEGAPATH2-US - MegaPath Networks Inc.
6453    | 213.251.176.169  | GLOBEINTERNET TATA Communications
6453    | 91.121.146.101   | GLOBEINTERNET TATA Communications
6453    | 91.121.167.41    | GLOBEINTERNET TATA Communications
8218    | 80.93.90.88      | NEO-ASN AS Confederation of Neotelecoms, euNetworks AG and Upstreamnet gmbh
8468    | 94.76.235.32     | ENTANET ENTANET International Ltd
10310   | 213.251.176.169  | YAHOO-1 - Yahoo!
10310   | 80.93.90.88      | YAHOO-1 - Yahoo!
10310   | 91.121.146.101   | YAHOO-1 - Yahoo!
10310   | 91.121.167.41    | YAHOO-1 - Yahoo!
10310   | 94.76.235.32     | YAHOO-1 - Yahoo!
21502   | 80.93.90.88      | ASN-NUMERICABLE NUMERICABLE is a cable network operator in France, offering TV,VOICE and Internet services

Steve Shelton
Network Security Engineer
Cogent Communications


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
