[nsp-sec] [Suspected Spam] ACK 15659 - RE: 41,000+ likely Bifrose infections

Odd Stoltenberg ods at nextgentel.com
Mon Jun 1 19:53:02 EDT 2009


Forwarded to our abuse dept...

Thanks...

Regards OddS

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Paul Dokas
> Sent: Monday, June 01, 2009 7:32 PM
> To: NSP-SEC
> Subject: [Suspected Spam][nsp-sec] 41,000+ likely Bifrose infections
> 
> ----------- nsp-security Confidential --------
> 
> One of our users complained last Friday about an inbound DoS attack against
> one of their web servers (https://128.101.65.204/).  Looking over the logs,
> we found that tons of hosts from all over the world were hitting the HTTPS
> front page, but not trying to log in at all.  Thanks to RobT and his remarkable
> malware database, he was able to tell me that there are variants of Bifrose
> that are using this site to check for Internet connectivity.
> 
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
> the following list of 41,000+ IPs.  I suspect that there is a good chance that
> all of these hosts have some form of malware on them.
> 
>   https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
> 
> Like I said, the times are all GMT-5 (Central US).  The number after the
> timestamp is the count of flows seen over that time period.
> 
> 
> Paul
> --
> Paul Dokas                                     dokas at oitsec.umn.edu
> ======================================================================
> Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
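The triage Paul describes (clients that repeatedly fetch the HTTPS front page inside a fixed window but never touch the login form) can be reproduced from ordinary web server access logs. The script below is an added example for this archive page, not code from Paul, RobT or the nsp-security list: the log lines are constructed in combined log format using documentation IP ranges, "/login" is an assumed login path, and the midnight-to-4am GMT-5 window is taken from the post. Clients that ever hit the login path are dropped even if that hit falls outside the window, so a genuine user who logged in later is not reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log (Apache/nginx combined format). The IPs are
# from RFC 5737 documentation ranges and are not real infected hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jun/2009:00:12:41 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2009:00:42:41 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Jun/2009:01:12:42 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.55 - - [01/Jun/2009:02:03:09 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Jun/2009:02:15:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jun/2009:02:15:04 -0500] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"
192.0.2.10 - - [01/Jun/2009:02:15:05 -0500] "GET /home HTTP/1.1" 200 8800 "https://example.test/" "Mozilla/5.0"
203.0.113.200 - - [01/Jun/2009:05:30:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

# Window from the post: midnight -> 4am, June 01 2009, local time GMT-5.
CENTRAL = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2009, 6, 1, 0, 0, tzinfo=CENTRAL)
WINDOW_END = WINDOW_START + timedelta(hours=4)

# Assumed login endpoint(s); adjust to the application being investigated.
LOGIN_PATHS = ("/login",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, aware datetime, method, path) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def front_page_only(log_text, window_start=WINDOW_START, window_end=WINDOW_END,
                    login_paths=LOGIN_PATHS):
    """Map ip -> (first_seen, hit_count) for clients that GET "/" inside the
    window and never request a login path anywhere in the log."""
    hits = defaultdict(int)
    first_seen = {}
    logged_in = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        # Any login attempt, at any time, marks the client as a real user.
        if path.split("?", 1)[0] in login_paths:
            logged_in.add(ip)
            continue
        if not (window_start <= ts < window_end):
            continue
        if method == "GET" and path == "/":
            hits[ip] += 1
            first_seen.setdefault(ip, ts)  # log lines are in time order
    return {ip: (first_seen[ip], n) for ip, n in hits.items() if ip not in logged_in}


def report(suspects):
    """One line per IP in the layout the post describes: timestamp, count, IP,
    most active client first."""
    rows = sorted(suspects.items(), key=lambda kv: (-kv[1][1], kv[0]))
    return [f"{ts.strftime('%Y-%m-%d %H:%M:%S %z')} {n:>6} {ip}"
            for ip, (ts, n) in rows]


if __name__ == "__main__":
    for row in report(front_page_only(SAMPLE_LOG)):
        print(row)
```

On the constructed input this reports 198.51.100.7 (three front-page hits, no login) and 203.0.113.55 (one hit), drops 192.0.2.10 because it posted to /login, and ignores 203.0.113.200 because its request falls outside the window. A real list would still need the ASN/whois enrichment Paul obtained from Team Cymru before it is useful to abuse desks.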
