[nsp-sec] ACK 3561 - 41,000+ likely Bifrose infections

Buchanan, Mark Mark.Buchanan at savvis.net
Thu Jun 4 15:22:33 EDT 2009


ACK for 3561

-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Paul Dokas
Sent: Monday, June 01, 2009 12:32 PM
To: NSP-SEC
Subject: [nsp-sec] 41,000+ likely Bifrose infections

----------- nsp-security Confidential --------

One of our users complained last Friday about an inbound DoS attack
against one of their web servers (https://128.101.65.204/).  Looking
over the logs, we found that tons of hosts from all over the world were
hitting the HTTPS front page, but not trying to login at all.  Thanks to
RobT and his remarkable malware database, he was able to tell me that
there are variants of Bifrose that are using this site to check for
Internet connectivity.

I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and
found the following list of 41,000+ IPs.  I suspect that there is a good
chance that all of these hosts have some form of malware on them.

  https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt

Like I said, the times are all GMT-5 (Central US).  The number after the
timestamp is the count of flows seen over that time period.


Paul
-- 
Paul Dokas                                     dokas at oitsec.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________

This message contains information which may be confidential and/or privileged. Unless you are the intended recipient (or authorized to receive for the intended recipient), you may not read, use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message and any attachment(s) thereto without retaining any copies.
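The triage Paul describes above (pull flows for a fixed local-time window, keep only those toward the connectivity-check target on HTTPS, and emit one line per source with a timestamp and a flow count) is easy to reproduce against any flow export. The script below is an added example and is not code from the original thread or from the nsp-security list; the target address 128.101.65.204 and the midnight-to-4am GMT-5 window on 2009-06-01 are taken from the post, while the CSV flow format, the sample records and the function names are constructed for the example. Sources that never reached 443/tcp on the target, or that only appear outside the window, are excluded, as are records that fail to parse.

```python
"""Aggregate per-source flow counts toward a malware connectivity-check target.

Added example, not from the original post.  The flow format is a
constructed, simplified CSV: start_time,src_ip,dst_ip,dst_port,proto.
The target 128.101.65.204 and the midnight -> 4am GMT-5 window on
2009-06-01 come from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

CENTRAL = timezone(timedelta(hours=-5))  # GMT-5, as stated in the post
TARGET = ipaddress.ip_address("128.101.65.204")  # from the post
TARGET_PORT = 443                                # HTTPS front page
WINDOW_START = datetime(2009, 6, 1, 0, 0, tzinfo=CENTRAL)
WINDOW_END = datetime(2009, 6, 1, 4, 0, tzinfo=CENTRAL)

# Constructed sample flow records (documentation-range source addresses).
SAMPLE_FLOWS = """\
2009-06-01 00:03:11,203.0.113.10,128.101.65.204,443,tcp
2009-06-01 00:03:12,203.0.113.10,128.101.65.204,443,tcp
2009-06-01 01:17:45,198.51.100.7,128.101.65.204,443,tcp
2009-06-01 02:40:02,203.0.113.10,128.101.65.204,443,tcp
2009-06-01 02:41:30,192.0.2.55,128.101.65.204,80,tcp
2009-06-01 03:59:59,198.51.100.7,128.101.65.204,443,tcp
2009-06-01 04:00:01,198.51.100.9,128.101.65.204,443,tcp
2009-06-01 01:00:00,192.0.2.200,128.101.65.1,443,tcp
not,a,valid,line
"""


def parse_flow(line):
    """Return (start_time, src, dst, dport) or None for an unparsable line."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=CENTRAL)
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        dport = int(parts[3])
    except ValueError:
        return None
    return ts, src, dst, dport


def suspect_sources(flow_text, target=TARGET, port=TARGET_PORT,
                    start=WINDOW_START, end=WINDOW_END):
    """Map each source that reached target:port inside [start, end)
    to (first_seen, flow_count); everything else is dropped."""
    first_seen = {}
    counts = defaultdict(int)
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed records rather than abort the run
        ts, src, dst, dport = rec
        if dst != target or dport != port:
            continue
        if not (start <= ts < end):
            continue
        counts[src] += 1
        if src not in first_seen or ts < first_seen[src]:
            first_seen[src] = ts
    return {str(src): (first_seen[src], counts[src]) for src in counts}


def format_report(result):
    """One line per source: first-seen timestamp, flow count, source IP,
    busiest sources first (the layout the post describes)."""
    rows = sorted(result.items(), key=lambda kv: (-kv[1][1], kv[0]))
    return [f"{first.strftime('%Y-%m-%d %H:%M:%S')} {count} {src}"
            for src, (first, count) in rows]


if __name__ == "__main__":
    for row in format_report(suspect_sources(SAMPLE_FLOWS)):
        print(row)
```

On the sample above only 203.0.113.10 (3 flows) and 198.51.100.7 (2 flows) survive: the port-80 hit, the flow one second past 04:00, and the flow to a different host are all filtered out. Before acting on such a list it is worth joining it against the web server's own access log, since the post's distinguishing signal was front-page hits with no login attempt, which flow data alone cannot show.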


