[nsp-sec] ACK RE: 41,000+ likely Bifrose infections

Matthew.Swaar at us-cert.gov
Mon Jun 1 18:44:31 EDT 2009


ACK 3527 & 29992:

3527    | 165.112.154.47   | 2009-06-01 03:53:10.833 3 | NIH-NET - National Institutes of Health
29992   | 152.133.8.6      | 2009-06-01 00:52:43.798 6 | VA-TMP-CORE - Department of Veterans Affairs

Thanks!

V/R,
Matt Swaar
US-CERT Analyst

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Paul Dokas
Sent: Monday, June 01, 2009 1:32 PM
To: NSP-SEC
Subject: [nsp-sec] 41,000+ likely Bifrose infections

----------- nsp-security Confidential --------

One of our users complained last Friday about an inbound DoS attack
against one of their web servers (https://128.101.65.204/).  Looking
over the logs, we found that tons of hosts from all over the world were
hitting the HTTPS front page, but not trying to login at all.  Thanks to
RobT and his remarkable malware database, he was able to tell me that
there are variants of Bifrose that are using this site to check for
Internet connectivity.

I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and
found the following list of 41,000+ IPs.  I suspect that there is a good
chance that all of these hosts have some form of malware on them.

  https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt

Like I said, the times are all GMT-5 (Central US).  The number after the
timestamp is the count of flows seen over that time period.


Paul
-- 
Paul Dokas                                     dokas at oitsec.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________
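As an added example (not code from the thread, from Paul's flow export, or from the Team Cymru upload), here is a parser for the pipe-delimited rows quoted in the ACK above: `ASN | IP | timestamp flow-count | AS name`, where a long AS name may wrap onto the next line. It unfolds the wrapped names, tags each timestamp with the GMT-5 offset the report states, and pulls out the rows for a set of ASNs an operator is responsible for, which is the triage step the ACK performs by hand. The sample rows other than the two ACKed ones are constructed for the example.

```python
"""Parse an NSP-SEC style infected-host list and select the rows for our ASNs.

Added example, not code from the original thread. Record layout is taken from
the ACK lines quoted above:
    ASN | IP | YYYY-MM-DD HH:MM:SS.fff flow-count | AS name
A long AS name may continue on the following line.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The report says all times are GMT-5 (Central US); attach that offset.
REPORT_TZ = timezone(timedelta(hours=-5))

# Constructed sample: the first two rows mirror the ACKed entries, the
# remaining rows use documentation ASNs/addresses and are made up.
SAMPLE_REPORT = """\
3527    | 165.112.154.47   | 2009-06-01 03:53:10.833 3 | NIH-NET -
National Institutes of Health
29992   | 152.133.8.6      | 2009-06-01 00:52:43.798 6 | VA-TMP-CORE -
Department of Veterans Affairs
64496   | 192.0.2.10       | 2009-06-01 01:10:00.000 12 | EXAMPLE-AS-ONE
64497   | 198.51.100.7     | 2009-06-01 02:05:31.002 1 | EXAMPLE-AS-TWO -
Example Network Two
"""


@dataclass
class FlowRecord:
    asn: int
    ip: ipaddress.IPv4Address
    first_seen: datetime   # timezone-aware, REPORT_TZ
    flows: int             # number of flows seen in the reporting window
    as_name: str


_ROW = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|"
    r"\s*(?P<ip>[0-9.]+)\s*\|"
    r"\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<flows>\d+)\s*\|"
    r"\s*(?P<name>.*?)\s*$"
)


def _parse_ts(text: str) -> datetime:
    """Parse the timestamp with or without a fractional-seconds part."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=REPORT_TZ)


def parse_report(text: str) -> list[FlowRecord]:
    """Turn the report text into records, unfolding wrapped AS names."""
    records: list[FlowRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if m:
            records.append(FlowRecord(
                asn=int(m["asn"]),
                ip=ipaddress.ip_address(m["ip"]),
                first_seen=_parse_ts(m["ts"]),
                flows=int(m["flows"]),
                as_name=m["name"],
            ))
        elif records:
            # Not a row: treat it as the continuation of the previous AS name.
            records[-1].as_name = f"{records[-1].as_name} {line.strip()}".strip()
        else:
            raise ValueError(f"unparseable line before first record: {line!r}")
    return records


def select_for_asns(records: list[FlowRecord], asns) -> list[FlowRecord]:
    """Keep only the rows whose ASN is one we are responsible for."""
    wanted = set(asns)
    return [r for r in records if r.asn in wanted]


def flows_by_asn(records: list[FlowRecord]) -> dict[int, int]:
    """Total flow count per ASN, useful for prioritising notifications."""
    totals: dict[int, int] = {}
    for r in records:
        totals[r.asn] = totals.get(r.asn, 0) + r.flows
    return totals


if __name__ == "__main__":
    ours = select_for_asns(parse_report(SAMPLE_REPORT), {3527, 29992})
    for r in ours:
        print(f"ACK {r.asn}: {r.ip} first seen {r.first_seen.isoformat()} "
              f"({r.flows} flows) - {r.as_name}")
```

On a real report the only change is reading the downloaded text file instead of `SAMPLE_REPORT` and passing the ASNs your team actually owns; rows that neither match the layout nor follow a record raise, so a format change in the upload is noticed rather than silently dropped.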


