[nsp-sec] 41,000+ likely Bifrose infections
Paul Dokas
dokas at oitsec.umn.edu
Mon Jun 1 13:31:50 EDT 2009
One of our users complained last Friday about an inbound DoS attack against
one of their web servers (https://128.101.65.204/). Looking over the logs,
we found that tons of hosts from all over the world were hitting the HTTPS
front page, but not trying to log in at all. Thanks to RobT and his remarkable
malware database, he was able to tell me that there are variants of Bifrose
that are using this site to check for Internet connectivity.

I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
the following list of 41,000+ IPs. I suspect that there is a good chance that
all of these hosts have some form of malware on them.

https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt

Like I said, the times are all GMT-5 (Central US). The number after the
timestamp is the count of flows seen over that time period.
Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
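The triage heuristic described in the post (clients that fetch the HTTPS front page but never attempt a login) can be run over a web server's access log to produce a candidate list of infected sources. The following is an added example, not code from the original post; it assumes Apache combined log format, a front page of "/" and constructed sample lines with documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2009:00:01:12 -0500] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Jun/2009:00:03:40 -0500] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2009:00:02:05 -0500] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
203.0.113.55 - - [01/Jun/2009:00:05:19 -0500] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.55 - - [01/Jun/2009:00:05:31 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.55 - - [01/Jun/2009:00:05:33 -0500] "GET /home HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def front_page_only_sources(log_text, front_page="/"):
    """Return {ip: hit_count} for clients whose only requests were for the
    front page. A real visitor moves on (login, other pages); a connectivity
    check, as the post describes for Bifrose variants, never does."""
    paths = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess
        ip = m.group("ip")
        paths[ip].add(m.group("path"))
        hits[ip] += 1
    # Keep only clients that touched nothing but the front page.
    return {ip: hits[ip] for ip, seen in paths.items() if seen == {front_page}}


if __name__ == "__main__":
    for ip, count in sorted(front_page_only_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{count}")
```

The hit count per source plays the same role as the per-timestamp flow count in the posted list; a source with many such hits and no other activity is a stronger candidate than a one-off.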