[nsp-sec] 41,000+ likely Bifrose infections
Taka Mizuguchi
taka at nttv6.jp
Tue Jun 2 13:20:33 EDT 2009
Sorry, I should have sent it to Japanese ISPs.
Please ignore.
Taka Mizuguchi wrote, on 09.6.3 2:10 AM:
> ----------- nsp-security Confidential --------
>
> To all NSP-SEC-JP members,
>
> Please check whether any of the hosts belong to your ISP and take action.
>
>
> Last Friday a customer complained about an inbound DoS attack against
> their web server (https://128.101.65.204/).
>
> Looking at the logs, we saw a large number of hosts from all over the
> world accessing the HTTPS front page, but none of them logged in at all.
>
> Thanks to RobT and his excellent Malware DB. His advice is that this is
> probably a modified Bifrose variant that accesses this site to check
> for Internet access.
>
> We pulled the flows from midnight to 4AM on 6/1 GMT and identified the
> 41,000+ IPs below. I think these are a chance to find hosts on which
> some kind of malware is present.
>
>
>
> As mentioned above, all times are GMT-5 (Japan time minus 14 hours).
> The number following the timestamp is the flow count for this period
> (0AM-4AM).
>
>
> -------- Original Message --------
> One of our users complained last Friday about an inbound DoS attack
> against one of their web servers (https://128.101.65.204/). Looking
> over the logs, we found that tons of hosts from all over the world were
> hitting the HTTPS front page, but not trying to login at all. Thanks to
> RobT and his remarkable malware database, he was able to tell me that
> there are variants of Bifrose that are using this site to check for
> Internet connectivity.
>
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and
> found the following list of 41,000+ IPs. I suspect that there is a good
> chance that all of these hosts have some form of malware on them.
>
> https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
>
> Like I said, the times are all GMT-5 (Central US). The number after the
> timestamp is the count of flows seen over that time period.
>
>
>
--
Taka Mizuguchi
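As an added illustration of the triage the quoted message describes (this is not code from the post or its author): filter flow records down to the connectivity-check host on port 443 within the collection window, count flows per source, keep each source's first-seen timestamp, and label it with its ASN, producing the same "asn | ip | timestamp count | org" layout as the list. The flow records and the prefix-to-ASN table are constructed stand-ins using documentation-range addresses; a real run would feed exported flows and a whois/ASN lookup.

```python
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample flow records (documentation-range IPs, not data from the post):
# (source IP, destination IP, destination port, timestamp in the collector's local time)
SAMPLE_FLOWS = [
    ("192.0.2.10",    "128.101.65.204", 443, "2009-06-01 00:07:00.876"),
    ("192.0.2.10",    "128.101.65.204", 443, "2009-06-01 00:09:11.002"),
    ("192.0.2.10",    "128.101.65.204", 443, "2009-06-01 00:11:30.410"),
    ("198.51.100.7",  "128.101.65.204", 443, "2009-06-01 02:09:05.151"),
    ("192.0.2.10",    "203.0.113.5",     80, "2009-06-01 00:08:00.000"),  # other traffic, ignored
    ("203.0.113.77",  "128.101.65.204", 443, "2009-06-01 05:00:00.000"),  # outside the window
]

# Constructed prefix -> (ASN, org name) table standing in for a real whois/ASN lookup.
PREFIX_TO_ASN = {
    "192.0.2.":    (64496, "EXAMPLE-1 Example ISP"),
    "198.51.100.": (64497, "EXAMPLE-2 Example Corp."),
}

def lookup_asn(ip):
    """Prefix match over the constructed table; unknown sources map to (0, 'UNKNOWN')."""
    for prefix, asn_org in PREFIX_TO_ASN.items():
        if ip.startswith(prefix):
            return asn_org
    return (0, "UNKNOWN")

def summarize_checkins(flows, target_ip, start, end, target_port=443):
    """Return one (asn, src_ip, first_seen, flow_count, org) tuple per source host that
    reached target_ip:target_port within [start, end), sorted by ASN then IP."""
    start_ts, end_ts = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    first_seen, counts = {}, defaultdict(int)
    for src, dst, port, ts in flows:
        if dst != target_ip or port != target_port:
            continue  # only the connectivity-check traffic is of interest
        t = datetime.strptime(ts, TS_FMT)
        if not (start_ts <= t < end_ts):
            continue  # keep to the collection window
        counts[src] += 1
        if src not in first_seen or t < first_seen[src]:
            first_seen[src] = t
    rows = []
    for src, n in counts.items():
        asn, org = lookup_asn(src)
        rows.append((asn, src, first_seen[src].strftime(TS_FMT)[:-3], n, org))  # ms precision
    return sorted(rows, key=lambda r: (r[0], r[1]))

def format_report(rows):
    """Render rows in the 'asn | ip | first_seen count | org' layout used in the post."""
    return [f"{asn} | {ip} | {ts} {n} | {org}" for asn, ip, ts, n, org in rows]
```

Sorting by ASN is what lets each ISP pull its own block out of the list; a source that appears with only one or two flows is still worth a look, since the check-in is periodic rather than a flood.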