[nsp-sec] 41,000+ likely Bifrose infections
Taka Mizuguchi
taka at nttv6.jp
Tue Jun 2 13:10:34 EDT 2009
----------- nsp-security Confidential --------
To all NSP-SEC-JP members,
Please check whether any of your ISPs' hosts are listed and take action.
Last Friday a customer complained about an inbound DoS attack against
their web server (https://128.101.65.204/).
Looking at the logs, we could see a large number of hosts from all over
the world accessing the HTTPS front page. However, none of them logged in.
Thanks to RobT and his excellent malware DB. His advice is that this is
probably a modified Bifrose that accesses this site to check for Internet
access.
We pulled the flows from midnight to 4AM GMT on 6/1 and identified the
41,000+ IPs below. I think these are a chance to find hosts on which some
kind of malware is present.
As mentioned above, the times are all GMT-5 (Japan time minus 14 hours).
The number following the timestamp is the count of flows during this
period (0AM-4AM).
-------- Original Message --------
One of our users complained last Friday about an inbound DoS attack
against one of their web servers (https://128.101.65.204/). Looking
over the logs, we found that tons of hosts from all over the world were
hitting the HTTPS front page, but not trying to login at all. Thanks to
RobT and his remarkable malware database, he was able to tell me that
there are variants of Bifrose that are using this site to check for
Internet connectivity.
I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and
found the following list of 41,000+ IPs. I suspect that there is a good
chance that all of these hosts have some form of malware on them.
https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
Like I said, the times are all GMT-5 (Central US). The number after the
timestamp is the count of flows seen over that time period.
--
Taka Mizuguchi
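As an added example (not code from the original post), a small Python helper that parses records in the post's `ASN | IP | timestamp count | AS name` layout, converts the GMT-5 timestamps to UTC and groups hosts per ASN with their flow counts so each ISP can be notified; the embedded records, addresses and AS names are constructed placeholders, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the same "ASN | IP | timestamp count | AS name"
# layout as the list in the post (all values below are made up for the example).
SAMPLE_RECORDS = """\
2497 | 192.0.2.10 | 2009-06-01 01:02:26.305 3 | EXAMPLE-AS-A Example Net A
2497 | 192.0.2.11 | 2009-06-01 00:52:35.291 15 | EXAMPLE-AS-A Example Net A
4713 | 198.51.100.7 | 2009-06-01 00:15:04.994 53 | EXAMPLE-AS-B Example Net B
4716 | 203.0.113.9 | 2009-06-01 02:51:44.613 7 | EXAMPLE-AS-C Example Net C
"""

SOURCE_TZ = timezone(timedelta(hours=-5))  # the post says all times are GMT-5


def parse_record(line):
    """Split one record into (asn, ip, utc_timestamp, flow_count, as_name)."""
    asn, ip, ts_count, as_name = [f.strip() for f in line.split("|")]
    date, clock, count = ts_count.split()
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    utc = local.replace(tzinfo=SOURCE_TZ).astimezone(timezone.utc)
    return int(asn), ip, utc, int(count), as_name


def group_by_asn(text, min_flows=1):
    """Group hosts per ASN, dropping hosts with fewer than min_flows flows,
    and sort each ASN's hosts by flow count so the noisiest come first."""
    groups = defaultdict(lambda: {"name": None, "hosts": [], "total_flows": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        asn, ip, utc, count, as_name = parse_record(line)
        if count < min_flows:
            continue
        g = groups[asn]
        g["name"] = as_name
        g["hosts"].append((ip, utc.isoformat(), count))
        g["total_flows"] += count
    for g in groups.values():
        g["hosts"].sort(key=lambda h: h[2], reverse=True)
    return dict(groups)


if __name__ == "__main__":
    for asn, g in sorted(group_by_asn(SAMPLE_RECORDS).items()):
        print(f"AS{asn} {g['name']}: {len(g['hosts'])} hosts, {g['total_flows']} flows")
        for ip, seen_utc, count in g["hosts"]:
            print(f"  {ip}  seen {seen_utc}  flows={count}")
```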