[nsp-sec] Korean DDoS update - List confidential

Smith, Donald Donald.Smith at qwest.com
Fri Jul 31 16:13:46 EDT 2009


This one, 94.81.163.26, is doing a LOT of 445 and 139 scanning. It is also looking for 137 and 5900.
Based on that pattern I would guess this is a bot that spreads via SMB and VNC exploitation.
I saw NO 443 traffic towards it (so far).


#    port
 444 445
  45 139
   2 38224
   2 24950
   2 23156
   2 19939
   2 137
   1 5900
   1 51968
   1 40143


This is based on netflow from the 28th and 29th. I am doing additional reports and this pattern could change :)


(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia   

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Nicholas Ianelli
> Sent: Friday, July 31, 2009 7:42 AM
> To: NSP-SEC List
> Subject: Re: [nsp-sec] Korean DDoS update - List confidential
> 
> ----------- nsp-security Confidential --------
> 
> Team,
> 
> As Rodney has already noted, here are the IPs I've seen being utilized
> by the Korean DDoS malware as their new C2 hosts. A spot check reveals
> that a number of these are your run-of-the-mill compromised hosts.
> 
> There is active LE investigation on this from multiple agencies around
> the globe. I would ask that you just not take these down but make an
> effort to preserve any data that you can and work with your respective
> LE agency to get them the info (and have them get you the paperwork you
> need). If I can be of any assistance here, please do not hesitate to
> contact me.
> 
> It would be great if LE were able to acquire a number of these machines.
> For those that may not have LE investigations, feel free to pass my
> number (in my signature line) to your customers. I am more than happy to
> assist in reviewing their machine, pulling off the malware and assisting
> in cleanup.
> 
> 
> Rodney Joffe wrote:
> 
> > So while it appeared that the botnet was down, and we missed recovering
> > data from the original 3 C&C IP addresses, looks like we're back in the
> > game.
> > 
> > We've passed the recent data back to the LE folks who are working this,
> > and we wanted to give you all the data so you can join the project ;-)
> > 
> > However, please do NOT disturb the systems that may show up in your
> > networks without coordinating with the LE people. They're working on
> > official processes. Some of you in the US may already have been "ping'd"
> > by them. If you *do* have a C&C system in your network, please contact
> > Nick or me, and we'll put you in touch with the Fed LE lead on this, as
> > he would like to hear from you asap.
> 
> Cheers,
> Nick
> 
> --
> Nicholas Ianelli: NeuStar, Inc.
> Security Operations
> 
> 46000 Center Oak Plaza Sterling, VA 20166
> +1 571.434.4691 - http://www.neustar.biz
> 
> 
> 

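As an added example, not code from this thread or from any list member, here is how the per-port tally and the "NO 443 traffic towards it" check from the top of the message could be reproduced from flow records. The flow lines are constructed (not real netflow), the host address is the one discussed in the message, and the 0.8 spread-port ratio used to label a host is an assumed cut-off.

```python
from collections import Counter

# Ports the message ties to SMB/NetBIOS and VNC spreading; 443 is this host's port in the quoted C2 list.
SPREAD_PORTS = {445, 139, 137, 5900}
C2_PORT = 443

# Constructed flow records (not real netflow): src,sport,dst,dport,proto, mimicking the tally posted.
SAMPLE_FLOWS = (
    [f"94.81.163.26,{50000 + i},10.0.0.{i},445,tcp" for i in range(1, 45)]
    + [f"94.81.163.26,{51000 + i},10.0.0.{i},139,tcp" for i in range(1, 6)]
    + ["94.81.163.26,52001,10.0.0.7,5900,tcp",
       "94.81.163.26,52002,10.0.0.8,137,udp",
       "94.81.163.26,52003,10.0.0.9,38224,tcp",
       "10.0.0.3,40000,94.81.163.26,22,tcp"]  # one inbound flow, but not on 443
)

def parse_flows(lines):
    """Parse 'src,sport,dst,dport,proto' lines into tuples; skip blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto = line.split(",")
        flows.append((src, int(sport), dst, int(dport), proto))
    return flows

def outbound_port_profile(flows, host):
    """Flows per destination port with `host` as source: the ports the host is scanning."""
    return Counter(dport for src, _, _, dport, _ in flows if src == host)

def inbound_count(flows, host, port):
    """Flows towards `host` on `port`, i.e. would-be bot check-ins to a suspected C2."""
    return sum(1 for _, _, dst, dport, _ in flows if dst == host and dport == port)

def classify(profile, min_flows=10, spread_ratio=0.8):
    """Label 'smb-vnc-spreader' when most outbound flows hit the spread ports (assumed 0.8 cut-off)."""
    total = sum(profile.values())
    if total < min_flows:
        return "insufficient-data"
    spread = sum(n for port, n in profile.items() if port in SPREAD_PORTS)
    return "smb-vnc-spreader" if spread / total >= spread_ratio else "unremarkable"

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    profile = outbound_port_profile(flows, "94.81.163.26")
    print("#    port", *(f"{n:4d} {p}" for p, n in profile.most_common()), sep="\n")
    print(classify(profile), "| inbound 443 flows:", inbound_count(flows, "94.81.163.26", C2_PORT))
```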
