[nsp-sec] 41,000+ likely Bifrose infections - ACK many

Zane Jarvis zane at auscert.org.au
Tue Jun 2 21:27:48 EDT 2009


Sanitised and forwarded reports for the following AU ASNs.

703
1239
2764
4739
4802
4804
7496
7545
7575
9443
9543
9738
9747
9822
10143
10223
17536
17561
18201
23719
23721
24243
24300
24436
38055
38307
38484
38858

Thanks,
Zane.


---
Zane Jarvis, Computer Security Analyst   | Hotline: +61 7 3365 4417
AusCERT, Australia's national CERT       | Fax:     +61 7 3365 7031
The University of Queensland             | WWW:     www.auscert.org.au
QLD 4072 Australia                       | Email:   auscert at auscert.org.au

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Paul Dokas
> Sent: Tuesday, 2 June 2009 3:32 AM
> To: NSP-SEC
> Subject: [nsp-sec] 41,000+ likely Bifrose infections
> 
> ----------- nsp-security Confidential --------
> 
> One of our users complained last Friday about an inbound DoS attack
> against one of their web servers (https://128.101.65.204/).  Looking
> over the logs, we found that tons of hosts from all over the world were
> hitting the HTTPS front page, but not trying to log in at all.  Thanks
> to RobT and his remarkable malware database, he was able to tell me
> that there are variants of Bifrose that are using this site to check
> for Internet connectivity.
> 
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and
> found the following list of 41,000+ IPs.  I suspect that there is a
> good chance that all of these hosts have some form of malware on them.
> 
>   https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
> 
> Like I said, the times are all GMT-5 (Central US).  The number after
> the timestamp is the count of flows seen over that time period.
> 
> 
> Paul
> --
> Paul Dokas                                     dokas at oitsec.umn.edu
> ======================================================================
> Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
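The workflow the quoted message describes (pull the flows that hit the connectivity-check host during a local-time window, count flows per source, then cut the list into one sanitised report per origin ASN so each network only sees its own addresses) is shown below as an added example. It is not code from Paul Dokas, AusCERT or the nsp-security list. The target IP and the GMT-5 window are the ones in the message; the flow-record layout, the flows themselves and the prefix-to-ASN table (documentation ASNs 64496-64498, RFC 5398) are constructed for illustration. In the original, the ASN mapping came from Team Cymru's whois service; the small prefix table here stands in for that lookup.

```python
"""List hosts contacting a known malware connectivity-check host from flow
records, then split the result into per-ASN reports.

Added example for this thread; not code from the original poster or AusCERT.
The flow layout, the sample flows and the ASN table are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Connectivity-check target named in the original message.
TARGET_IP = "128.101.65.204"
TARGET_PORT = 443

# Report times are GMT-5 (Central US), as in the original message.
LOCAL_TZ = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2009, 6, 1, 0, 0, tzinfo=LOCAL_TZ)   # midnight local
WINDOW_END = datetime(2009, 6, 1, 4, 0, tzinfo=LOCAL_TZ)     # 4am local

# Constructed flow records: "<UTC start>,<src>,<dst>,<dst port>,<proto>".
# A real source would be nfdump/SiLK output reduced to these fields.
# 05:00Z-09:00Z is the local 00:00-04:00 window; the last three lines are
# out of window, wrong port and wrong destination respectively.
SAMPLE_FLOWS = """\
2009-06-01T05:02:11Z,203.0.113.10,128.101.65.204,443,tcp
2009-06-01T05:17:40Z,203.0.113.10,128.101.65.204,443,tcp
2009-06-01T06:44:03Z,198.51.100.7,128.101.65.204,443,tcp
2009-06-01T07:59:59Z,192.0.2.55,128.101.65.204,443,tcp
2009-06-01T09:30:00Z,192.0.2.55,128.101.65.204,443,tcp
2009-06-01T05:10:00Z,203.0.113.10,128.101.65.204,80,tcp
2009-06-01T05:12:00Z,203.0.113.99,128.101.65.1,443,tcp
"""

# Constructed prefix table standing in for the Cymru whois lookup.
# Sorted longest prefix first so lookup_asn() does longest-prefix match.
PREFIX_TO_ASN = sorted([
    (ipaddress.ip_network("203.0.113.0/24"), 64496, "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), 64497, "US"),
    (ipaddress.ip_network("192.0.2.0/24"), 64498, "AU"),
], key=lambda row: row[0].prefixlen, reverse=True)


def count_checkins(flow_text, window_start_local, window_end_local):
    """Return {src_ip: flow_count} for flows to the target inside the window.

    The window is given in local time and compared against UTC timestamps
    after conversion, so a GMT-5 window is applied correctly.
    """
    start_utc = window_start_local.astimezone(timezone.utc)
    end_utc = window_end_local.astimezone(timezone.utc)
    counts = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = line.split(",")
        if dst != TARGET_IP or int(dport) != TARGET_PORT:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (start_utc <= when < end_utc):
            continue
        counts[src] += 1
    return dict(counts)


def lookup_asn(ip):
    """Longest-prefix match of ip against the constructed table."""
    addr = ipaddress.ip_address(ip)
    for net, asn, country in PREFIX_TO_ASN:
        if addr in net:
            return asn, country
    return None, None


def split_by_asn(counts, country=None):
    """Group {ip: count} by origin ASN; optionally keep only one country."""
    reports = defaultdict(list)
    for ip, n in sorted(counts.items()):
        asn, cc = lookup_asn(ip)
        if asn is None or (country and cc != country):
            continue
        reports[asn].append((ip, n))
    return dict(reports)


def render_report(asn, entries, window_start_local, window_end_local):
    """One sanitised text report per ASN: only that ASN's own IPs appear.

    Each line carries the window start and the flow count for the window,
    matching the "timestamp, then count" layout the original poster used.
    """
    lines = [f"AS{asn}: hosts contacting {TARGET_IP}:{TARGET_PORT}, "
             f"{window_start_local:%Y-%m-%d %H:%M} -> {window_end_local:%H:%M} (GMT-5)"]
    for ip, n in entries:
        lines.append(f"{window_start_local:%Y-%m-%d %H:%M}  {ip:<15} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    counts = count_checkins(SAMPLE_FLOWS, WINDOW_START, WINDOW_END)
    for asn, entries in split_by_asn(counts, country="AU").items():
        print(render_report(asn, entries, WINDOW_START, WINDOW_END))
        print()
```

Flows alone cannot tell a Bifrose check-in from a legitimate visitor; the original poster corroborated with the web server logs (front-page hits with no login attempt), and any recipient of a per-ASN report should expect the same caveat before treating every listed host as infected.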
