[nsp-sec] ACK 3561 - 41,000+ likely Bifrose infections
Smith, Donald
Donald.Smith at qwest.com
Thu Jun 4 16:44:41 EDT 2009
Paul and team, in an effort to validate this, I did a netflow report.
I see some 39115 to 1971 traffic. 1971 is one of the check-in ports listed for Bifrose in the Symantec write-up, so I believe I have verified at least some of the IPs in your report.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-101214-5358-99&tabid=2
220.227.66.11 was the IP address listening on 1971.
I didn't see any tcp 81 traffic or 1999 (from the Wikipedia article on Bifrose).
http://en.wikipedia.org/wiki/Bifrost_(trojan_horse)
Is there anything else I can look for?
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Paul Dokas
> Sent: Monday, June 01, 2009 12:32 PM
> To: NSP-SEC
> Subject: [nsp-sec] 41,000+ likely Bifrose infections
>
> ----------- nsp-security Confidential --------
>
> One of our users complained last Friday about an inbound DoS attack
> against one of their web servers (https://128.101.65.204/). Looking over the
> logs, we found that tons of hosts from all over the world were hitting the
> HTTPS front page, but not trying to log in at all. Thanks to RobT and his
> remarkable malware database, he was able to tell me that there are variants
> of Bifrose that are using this site to check for Internet connectivity.
>
> I pulled our flows for midnight -> 4am June 01 local time (GMT-5) and found
> the following list of 41,000+ IPs. I suspect that there is a good chance
> that all of these hosts have some form of malware on them.
>
> https://asn.cymru.com/nsp-sec/upload/1243876952.whois.txt
>
> Like I said, the times are all GMT-5 (Central US). The number after the
> timestamp is the count of flows seen over that time period.
>
>
> Paul
> --
> Paul Dokas dokas at oitsec.umn.edu
> ======================================================================
> Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security
> counter-measures.
> _______________________________________________
>
>
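As an added illustration of the netflow cross-check Donald describes (example code, not from the thread or either author): it takes the list of suspected IPs from a report plus a set of flow records and keeps only the suspects that have TCP flows to the check-in ports named in the thread (1971 from the Symantec write-up, 81 and 1999 from the Wikipedia article), then lists which destination hosts were answering on those ports. The flow-record layout and every address below are constructed for the example, not real Qwest data.

```python
import ipaddress
from collections import defaultdict

# Check-in ports named in the thread; 220.227.66.11 listening on 1971 was the
# corroborating observation in Donald's reply.
BIFROSE_PORTS = {1971, 81, 1999}

# Constructed records in a simple "src dst proto sport dport flows" layout
# (not real netflow output): two suspects hit a 1971 listener, one talks only
# HTTPS, one sends UDP, and one non-suspect also hits the listener.
SAMPLE_FLOWS = """\
192.0.2.10 203.0.113.5 tcp 39115 1971 12
192.0.2.10 203.0.113.5 tcp 39116 1971 5
192.0.2.11 203.0.113.5 tcp 40211 1971 3
192.0.2.12 198.51.100.7 tcp 51000 443 40
192.0.2.13 203.0.113.6 udp 5000 1999 2
198.51.100.9 203.0.113.5 tcp 33333 1971 1
this line is malformed and is skipped
"""


def parse_flows(text):
    """Yield (src, dst, proto, sport, dport, count); skip unparsable lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        src, dst, proto, sport, dport, count = parts
        try:
            yield (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                   proto.lower(), int(sport), int(dport), int(count))
        except ValueError:
            continue


def corroborate(suspects, flow_text, ports=BIFROSE_PORTS):
    """Map each suspect with TCP flows to a check-in port to
    {(dst, dport): total_flows}; suspects with no such flows are omitted."""
    suspects = set(suspects)
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, _sport, dport, count in parse_flows(flow_text):
        if src in suspects and proto == "tcp" and dport in ports:
            hits[src][(dst, dport)] += count
    return {ip: dict(d) for ip, d in hits.items()}


def checkin_servers(hits):
    """Map each check-in port to the set of destination IPs seen listening."""
    servers = defaultdict(set)
    for per_dst in hits.values():
        for dst, dport in per_dst:
            servers[dport].add(dst)
    return dict(servers)
```

Suspects with no flows to the listed ports simply drop out, which mirrors the thread's "at least some of the IPs" outcome rather than claiming every reported host is confirmed.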