[nsp-sec] C&C at 91.212.41.252

Huopio Kauto Kauto.Huopio at ficora.fi
Thu Jun 4 03:34:56 EDT 2009


Timothy A Battles <tmbattles at att.com> wrote:

> C&C and malware distribution on 91.212.41.0/24

This is LLC "Gaztransitstroyinfo" - or the "Gas Company"
as some call it.

Ref: 

http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html

I've escalated this to RU-CERT (last week?) and got a strong ACK from
them; they know this and have received numerous other reports on the case.
They have further escalated this to the LE side. Folks,
if you have data on this /24, RU-CERT will be more than
happy to receive and further process the data.
If you need anonymising, I can help.

Good direct contact over there is Mikhail Ganev, ganev at cert.ru. 
Email to info at cert.ru _is_ processed but if you want a reply, Mikhail
is a person whom I've met several times. 

Some have put an "RBN is alive and well" stamp on this /24. But I have
a hard time drawing that connection with the information I've seen so
far, mostly because RBN was involved
in sooooo many malicious activities and they have been around here and
there after they were kicked out. Yes, it definitely looks like malicious
hosting, but to say that the same persons behind RBN are
involved... that's a very difficult thing to prove. And more for
the LE world to make that connection.
RBN was yanked nearly two internet decades (2 years) ago... that's a long
time.

--Kauto

Kauto Huopio - kauto.huopio at ficora.fi
Senior information security adviser
Finnish Communications Regulatory Authority  / CERT-FI
tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi 
