[nsp-sec] ACK 3561 - 41,000+ likely Bifrose infections
Paul Dokas
dokas at oitsec.umn.edu
Fri Jun 5 09:53:17 EDT 2009
Smith, Donald wrote:
> ----------- nsp-security Confidential --------
>
> Paul, and team, in an effort to validate this I did a netflow report.
> I see some 39115 to 1971 traffic. 1971 is one of the check-in ports listed for bifrose on the Symantec writeup, so I believe I have verified at least some of the IPs in your report.
> http://www.symantec.com/security_response/writeup.jsp?docid=2004-101214-5358-99&tabid=2
>
> 220.227.66.11 was the IP address listening on 1971.
> I didn't see any tcp 81 traffic or 1999 (from the Wikipedia article on bifrose).
> http://en.wikipedia.org/wiki/Bifrost_(trojan_horse)
>
> Is there anything else I can look for?
About the only thing that I can suggest is to look at the analysis of
malware that is abusing the host here and look for other behavior:
http://www.threatexpert.com/reports.aspx?find=128.101.65.204
Spot checking a couple of those I see long lists of IPs and hostnames
being used by these malware samples. Those might be a good place to
start. Given the timing of things here, I suspect that a number of
the hosts on the list that I sent are infected with this:
http://www.threatexpert.com/report.aspx?md5=8c108759a53b3a2f0a708eda70c6702c
This one should be fairly easy to track down thanks to the proxy checks
that use 3460/tcp and 443/tcp shown near the bottom of the page.
Paul
--
Paul Dokas dokas at oitsec.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
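The checks the two posters describe (flows to the Bifrose check-in ports, to the host seen listening on 1971, and the 3460/tcp plus 443/tcp proxy-check pair from the ThreatExpert report) boil down to a small pass over NetFlow records. The script below is an added example, not code from either poster or from the list; the ports and the 220.227.66.11 listener come from the thread, while the CSV layout, the field names and every flow record are constructed for illustration and do not represent real traffic.

```python
"""Flag sources in NetFlow-style records that show Bifrose-like behaviour.

Added example, not from the nsp-security thread. Indicator ports and the
listener address are taken from the thread; the record layout and the sample
flows below are constructed, not captured data.
"""
from collections import defaultdict
import csv
import io

CHECKIN_PORTS = {1971, 81, 1999}      # Bifrose check-in ports named in the thread
KNOWN_LISTENERS = {"220.227.66.11"}   # host observed listening on 1971 in the thread
PROXY_CHECK_PORTS = (3460, 443)       # proxy-check pair from the ThreatExpert report

# Constructed sample flows: ts,src,sport,dst,dport,proto,bytes (not real data).
SAMPLE_FLOWS = """\
2009-06-05T09:40:01,10.0.0.5,49211,220.227.66.11,1971,tcp,1420
2009-06-05T09:40:02,10.0.0.5,49212,198.51.100.7,3460,tcp,200
2009-06-05T09:40:03,10.0.0.5,49213,198.51.100.7,443,tcp,310
2009-06-05T09:41:10,10.0.0.9,51000,192.0.2.44,443,tcp,5000
2009-06-05T09:41:11,10.0.0.9,51001,192.0.2.44,80,tcp,8000
2009-06-05T09:42:00,10.0.0.12,40000,203.0.113.9,1999,tcp,90
2009-06-05T09:42:01,10.0.0.13,40001,203.0.113.9,1971,udp,90
"""

FIELDS = ["ts", "src", "sport", "dst", "dport", "proto", "bytes"]


def parse_flows(text):
    """Parse the constructed CSV layout into a list of dicts with typed ports."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        rec = dict(zip(FIELDS, row))
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        rec["proto"] = rec["proto"].lower()
        flows.append(rec)
    return flows


def score_hosts(flows):
    """Return {src: [reason, ...]} for sources matching the thread's indicators.

    Only TCP is considered, matching what the poster searched for. A lone
    443/tcp flow is ordinary HTTPS and is never flagged; the proxy check is
    only reported when one source hits both 3460 and 443 on the same host.
    """
    reasons = defaultdict(list)
    pair_seen = defaultdict(set)  # (src, dst) -> proxy-check ports hit
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dport"] in CHECKIN_PORTS:
            reasons[f["src"]].append(f"check-in port {f['dport']} -> {f['dst']}")
        if f["dst"] in KNOWN_LISTENERS:
            reasons[f["src"]].append(f"known listener {f['dst']}:{f['dport']}")
        if f["dport"] in PROXY_CHECK_PORTS:
            pair_seen[(f["src"], f["dst"])].add(f["dport"])
    for (src, dst), ports in pair_seen.items():
        if ports == set(PROXY_CHECK_PORTS):
            reasons[src].append(f"proxy-check pair 3460+443 -> {dst}")
    return dict(reasons)


if __name__ == "__main__":
    for src, why in sorted(score_hosts(parse_flows(SAMPLE_FLOWS)).items()):
        print(src)
        for line in why:
            print("   ", line)
```

Run as-is it reports 10.0.0.5 (check-in port, known listener and the proxy-check pair) and 10.0.0.12 (1999/tcp); 10.0.0.9 is left alone despite its 443 traffic, and the UDP flow from 10.0.0.13 is ignored. Against a real export, replace SAMPLE_FLOWS with the collector's output in the same column order, and expect to add the other hostnames and IPs from the ThreatExpert reports to KNOWN_LISTENERS once they have been reviewed.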