[nsp-sec] fake av on AS48841, AS36351, AS13237, AS39823, AS174, AS29073, AS24940

Rob Thomas robt at cymru.com
Wed Jun 10 12:36:02 EDT 2009


Hi, Niels.

Thanks for the heads-up!

> 91.212.65.125

Also watch out for:

      timestamp      |           dns_name           |      ip
--------------------- ------------------------------ ---------------
 2009-05-06 07:04:02 | advanedpromalwarescanner.com | 91.212.65.125
 2009-05-03 19:21:05 | brabusautomoto.cn            | 91.212.65.125
 2009-05-05 23:51:52 | updatescentralsystem.com     | 91.212.65.125
 2009-05-01 00:28:00 | worldofwarcry.cn             | 91.212.65.125

We have 17 samples in our malware menagerie that point to 91.212.65.125.

      timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
 2009-05-02 03:34:09 | 030d184153ab2cd85c3e0882994c8c5755f552d5 | 737bfe375706997e1b4a80f55996cb66 | 91.212.65.125 |       80 |        6 |
 2009-05-11 19:00:24 | 04cda717224045f4ba3d5624d19d91d7b17cd9ab | ece6f0f183c84d4f8a908ebfb2ff1629 | 91.212.65.125 |       80 |        6 |
 2009-06-03 20:22:13 | 183c5334e825e94406e8e1b0935bf39dc96214c3 | ec2fb023ebf7832d0cdc3ea608aaeaeb | 91.212.65.125 |       80 |        6 |
 2009-05-13 18:51:59 | 376a9ba0d1d7768649f429b1697278cf6ca8a931 | 8468e3d0fef59c6c14d8206a5ec4929f | 91.212.65.125 |       80 |        6 |
 2009-05-23 03:19:29 | 3836c3fcc6fabacf4c021ca7495ce687f52847a9 | 867da937330d28b92f1caae0ba1b7ad4 | 91.212.65.125 |       80 |        6 |
 2009-05-01 23:50:01 | 383d701f31778b904927c6bd92c25b80a51e7961 | 780f1a5ce863f2f248bd3814a1ff7f60 | 91.212.65.125 |       80 |        6 |
 2009-05-11 19:52:19 | 582fc1f815f02250c339caedf8b87c41583e1695 | 448dca5a3533484821a8c6d6d87b1fcb | 91.212.65.125 |       80 |        6 |
 2009-04-30 11:23:22 | 58603600288de211963a9bf3dc27f54e323f5a79 | 5998824b543b76f2acd41fcf3aee8747 | 91.212.65.125 |       80 |        6 |
 2009-05-23 23:19:22 | 596546292407d59e1a2b926e2d75d75d5f187e9c | ad6b584d84c68b90d7542f62c849efd7 | 91.212.65.125 |       80 |        6 |
 2009-04-29 18:28:07 | 7896f165dcefcbef9361f4cf2c7e3b7895719cbf | 4f5528113d8cf4bf0ecbbad654b876ca | 91.212.65.125 |       80 |        6 |
 2009-05-21 15:45:48 | 7c07942995f1d2fe0d45492545f8d79ba252c4a7 | 8902ba63cca13934f61d8eadaebaa5b2 | 91.212.65.125 |       80 |        6 |
 2009-05-01 08:59:24 | adf778ce5b898078fc65dc7eb7f442325d420abe | 6089b2df213209e947e1eec48647ac27 | 91.212.65.125 |       80 |        6 |
 2009-05-07 21:20:43 | ae151a679f907216f42042d484fc8009658c4465 | c95d953478713b233c031d2106304592 | 91.212.65.125 |       80 |        6 |
 2009-05-29 03:28:36 | ce317220eb45311e9cd83903db109471f38ee803 | 010a18a828a1e1c7a5744bfc6e89873b | 91.212.65.125 |       80 |        6 |
 2009-05-22 01:19:37 | e00d5c7f0b4406a280e84ad36d872a1a15298803 | a226ebb0ee7f88abaefc190353405eb3 | 91.212.65.125 |       80 |        6 |
 2009-06-04 14:20:46 | edcc919e08c57ff60612086a14128ec55e1171ac | 1ba81e8e72528a78a096ff710c403c2d | 91.212.65.125 |       80 |        6 |
 2009-05-22 19:05:40 | ff7ebfc5ad7091874130172d2bf67802da85c750 | f38d392a41f94946202b4b6237c1932b | 91.212.65.125 |       80 |        6 |

> 69.4.230.204

It appears 69.4.230.204 has been hosting malware since at least
2009-05-26 06:09:23 UTC.

> 83.133.115.9

Also watch out for:

      timestamp      |           dns_name           |      ip
--------------------- ------------------------------ --------------
 2009-05-01 01:35:26 | fastsecurityupdateserver.com | 83.133.115.9

We have 47 samples in our malware menagerie that point to 83.133.115.9.

      timestamp      |                   sha1                   |               md5                |    dst_ip    | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
 2009-05-25 21:33:16 | 06d95521ca21129b25a462107f13d2ddb9aebd85 | 3f5813f6d9d4c65434603bee50a7147d | 83.133.115.9 |       80 |        6 |
 2009-05-26 06:45:26 | 06f0ea419b70589784968acb407ab5664f22f8f0 | 257486a3dc11b845b24e34590e6fec4b | 83.133.115.9 |       80 |        6 |
 2009-05-25 20:25:15 | 08f614ac03a752bb9f29ff9f7907247438c4f3e3 | 80dc88613c37dd809f3200d1b5b32030 | 83.133.115.9 |       80 |        6 |
 2009-06-01 10:20:41 | 0aade00fa992f2aec0f1fbb4712e25a0cb6fd0c1 | 38c87650fea23fa6a3fad5380f20a0aa | 83.133.115.9 |       80 |        6 |
 2009-06-02 07:24:19 | 0f22c42e9e74505abccca0ce89e9b13d8b634147 | fa620ca09480ce88f5ba2ce8e1bd7293 | 83.133.115.9 |       80 |        6 |
 2009-05-25 20:25:31 | 1c91883c7d1ed09a8733cefc70f607c4123b1565 | db42d353b65e7462d3cf20d1f2e1b2ef | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:24:14 | 20a46505c563ab607e08b6b58a620c567d894a1c | 624b882d03f792b47236194bb2dd0d53 | 83.133.115.9 |       80 |        6 |
 2009-05-27 09:21:00 | 217b9ec557e34a7a38f8601cbc9050e35ff9541f | c13bfe6e107f1df54cd4f660386c04a4 | 83.133.115.9 |       80 |        6 |
 2009-05-24 14:07:33 | 2704c13ae5b806fcf5648baf2075fe4afd70cc2d | fb2661826e3081e191b670b556272834 | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:20:54 | 2a62188333d1401b42d7c93fb6197d7d97e1e8c5 | 97df3929facd2df8284a878fe3ac4d21 | 83.133.115.9 |       80 |        6 |
 2009-05-25 12:08:54 | 31257141905fd90473822c8ef0aac405dfdd0798 | e56f4ba40dc37cbdfc4995ead015ae6e | 83.133.115.9 |       80 |        6 |
 2009-05-25 20:24:39 | 317e343842f079aa2160d15cb28548cdd6fe2ac3 | 91329422ba36820a165d21450fb9c64d | 83.133.115.9 |       80 |        6 |
 2009-05-24 13:37:09 | 34114246ae3d07f44b68a89079575e7b9c1e5ad6 | 75d14e9d44a893b32e050fd5cc366015 | 83.133.115.9 |       80 |        6 |
 2009-05-27 09:21:49 | 519ee2fdcb03102183ff26bd713b3792c4f0f1be | a8ff760de34904caa59ae0fa1d9dec4b | 83.133.115.9 |       80 |        6 |
 2009-05-24 13:42:15 | 53e67b37aa8e5a25e02b9d6b42eb9f81ee798a7c | f00f9fbb6f466fe58633de4cbfa38ecc | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:33:19 | 56a1760240d0918ef4c17c95692b51fb78df426f | 6a7441ced283de46205a466cb912f4a6 | 83.133.115.9 |       80 |        6 |
 2009-05-26 01:24:50 | 5e5174da69ba3e25ab28199f9582d7b3ef66b5b2 | 86014c3ec714d277da7987d98d9c3f1c | 83.133.115.9 |       80 |        6 |
 2009-06-01 07:26:28 | 6493ab0b010af15ca4ec1de28ab6e44c39d08e9f | 174aeabf02c485165921484ed398462c | 83.133.115.9 |       80 |        6 |
 2009-05-25 20:25:11 | 6550eae2b1819ca270ee035be57d3236e36a58cc | a6cfee0cfa3f5a5042f7e4f9ba72935b | 83.133.115.9 |       80 |        6 |
 2009-06-01 18:12:50 | 668c422fe741aa99a4fae99fd8f259d6aad95901 | 854141bd6f57d7532b3cda9a58f1d606 | 83.133.115.9 |       80 |        6 |
 2009-05-25 19:39:30 | 6edaaae1acf949dc91152542777a03e85dad0279 | fbdb1ecc48348c195d7a94a81066e91e | 83.133.115.9 |       80 |        6 |
 2009-05-25 23:29:56 | 703a79190ca4307eb2079b23f3b745b0fa9522dd | 550f239feb9eec890ba53b843cd03999 | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:24:01 | 79d7499fdb4b6609611d020d312f56244dca4f68 | 59fedb6bf317b7117ae7dc2c04f515ac | 83.133.115.9 |       80 |        6 |
 2009-05-22 05:20:33 | 7fc117cd56aa353fd67aaa627caf65919e7c665b | 1bc4a4f2cef5d5d410dbc00a7548faf5 | 83.133.115.9 |       80 |        6 |
 2009-05-27 03:26:41 | 8304680fbaf2ce5b7d4ce0b4def63b23747347b4 | 51290e700d8d421ac80ebb47ffdfa5fb | 83.133.115.9 |       80 |        6 |
 2009-05-25 19:39:53 | 882842668c0f9a3b5462e7ee06374c0d4c11c6f0 | 74bca36b3b47b9f6f945a8e7e5f1d920 | 83.133.115.9 |       80 |        6 |
 2009-05-24 13:38:38 | 8ca4d5cfdb150adf3ab045cc27540c3cee06ce5b | 6a1d6b54b7c10266eff6e5f76548d738 | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:21:16 | 8e9ccd2247788435ee449a917c25c1055bbd25af | e4616c7fe7b0f490931e3e37b73ecaaa | 83.133.115.9 |       80 |        6 |
 2009-05-24 13:49:23 | 9816b67dec97bf8df6bc28a7c5d2c8a6a6f57584 | eb7b376489089cdf85fdcfcfef12c6a1 | 83.133.115.9 |       80 |        6 |
 2009-06-04 21:20:56 | a1880d67d66e0635689335b1a0a54ea25cafd136 | e2034eb83cce60bd75da98968fbb6873 | 83.133.115.9 |       80 |        6 |
 2009-06-02 08:28:07 | a2e84b6feeb7ca2aad78c655886a2644d67756b5 | 42803d626ae8f70ea702016e760301cf | 83.133.115.9 |       80 |        6 |
 2009-05-24 06:58:51 | a718593b6beba94a96d50b855af5a75b1009f9b3 | 350d85b707069176e21f2ad33613d014 | 83.133.115.9 |       80 |        6 |
 2009-05-25 11:03:42 | ac267fca4bf5a7deeb58456d2301c582a2e729c2 | f5efa77ddc74c5a143d71dc3c3316ca9 | 83.133.115.9 |       80 |        6 |
 2009-05-27 08:27:50 | b37eaa56a84847758b8b712c07f42e8923df2744 | e8622123bbe4e87c8f665035dd203579 | 83.133.115.9 |       80 |        6 |
 2009-05-23 11:14:45 | b7c9d9d93fafcdfdd077287590d940c159cc9eeb | b49819c6cb3e1b712792b6b57ac347b0 | 83.133.115.9 |       80 |        6 |
 2009-05-24 13:59:01 | bb46b5f05952f21d56bd5aedab2c3d272d1bc750 | 1f8e5df86c6612780d4c1e9fabf5637a | 83.133.115.9 |       80 |        6 |
 2009-05-30 21:22:03 | bfdef8cc6d20fd8198580d6234a694688c7a431f | 9c9ccc9da8b1389314f1b29d177e59cd | 83.133.115.9 |       80 |        6 |
 2009-05-24 14:11:28 | ca9d1405b419e6bb06675e90b00dc007f3a777d1 | be1813ac513bb11e027dce796db07c02 | 83.133.115.9 |       80 |        6 |
 2009-05-28 18:32:47 | ccb46665775820b1da57835c47388d633b3f167a | bcf7eff6a1536ff5ae632acac8fec449 | 83.133.115.9 |       80 |        6 |
 2009-05-25 01:44:44 | d04bea5e1cf9e9caa3daa9a8087bfaa3e207cbf7 | ddfef32eb4a6b46267888ee3d86d6dab | 83.133.115.9 |       80 |        6 |
 2009-05-25 22:20:50 | d9feac067cf4bb07617df73a72ef57056b863e2e | 818999e2cd5bc812c5383f25d9f9d8ac | 83.133.115.9 |       80 |        6 |
 2009-05-25 20:24:18 | dbe8ab156f103d51e1ec4ec9c5f81f75edab4479 | c9293d1c00e129b48f3bf051545bb3a6 | 83.133.115.9 |       80 |        6 |
 2009-06-01 17:48:05 | e2731ee1e66c50b4044b5b3ea8c369487d9ec7b9 | 0b5fbdaeee3640a2735c7421bafd62d7 | 83.133.115.9 |       80 |        6 |
 2009-05-25 21:23:58 | e5d673cbcc42eca76ac79a6d6ac962145dab1db4 | 0179ceb3242d9f979d7002e57d7b3399 | 83.133.115.9 |       80 |        6 |
 2009-05-27 08:28:06 | eafcc2d695e1acae2066af64d074844859448779 | 9985be887018e29d1e68fafbb4215c1c | 83.133.115.9 |       80 |        6 |
 2009-05-25 22:23:04 | f1b5fb54d0f12ee2a6154c54ac0ce7931f549ee0 | ad97127312cf9bbaeab00e06746f55cc | 83.133.115.9 |       80 |        6 |
 2009-05-23 20:02:49 | f4c0b0a17fbb4b6f59d04bb93d57176680c98501 | 1885cf03a264614955720da39c1cfeb1 | 83.133.115.9 |       80 |        6 |

> 92.62.98.19

We've got bupkes on this IP.

> 38.99.170.9

Looks like this one has been hosting malware since at least 2009-05-14
16:23:45 UTC.

> 93.174.93.34

Also watch out for:

      timestamp      |           dns_name            |      ip
--------------------- ------------------------------- --------------
 2009-05-01 05:14:29 | 1bestprotectionscanner.com    | 93.174.93.34
 2009-04-04 23:55:46 | 1spywareonlinescanner.com     | 93.174.93.34

Another candidate might be caricare.net.

We have one sample in our malware menagerie that points to 93.174.93.34.

      timestamp      |                   sha1                   |               md5                |    dst_ip    | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- -------------- ---------- ---------- ------
 2009-05-27 17:25:26 | 232284fea709e65a9e7f51df1ee8d0ec4b106ef3 | 665103dd252245a48f6063b5668d8356 | 93.174.93.34 |       80 |        6 |

The malware hosting appears to date back to at least 2009-05-01 02:53:10
UTC.

> 78.47.132.216

We see this one go live more recently, with downloads beginning on or
about 2009-06-06 17:48:09 UTC.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
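The post shares its indicators as psql-style tables pasted into mail. As an added example (not Team Cymru's code or tooling, and not part of the original message), the script below parses tables in that `col | col` layout into an indicator set and runs the set over DNS resolver log lines, matching query names on label boundaries and also flagging answers that resolve to a listed hosting IP. The table excerpts repeat domains and IPs quoted in the post; the log lines and their `name=`/`answer=` format are constructed for this example and are not from any real resolver.

```python
"""Turn pasted psql-style indicator tables into a lookup set and scan DNS logs.

Added example; not Team Cymru's code. The table excerpts repeat values from
the post above; the resolver log format and the log lines are constructed.
"""
import re

# Constructed excerpt of the passive-DNS table from the post (same layout).
PDNS_TABLE = """\
      timestamp      |           dns_name           |      ip
--------------------- ------------------------------ ---------------
 2009-05-06 07:04:02 | advanedpromalwarescanner.com | 91.212.65.125
 2009-05-03 19:21:05 | brabusautomoto.cn            | 91.212.65.125
 2009-05-05 23:51:52 | updatescentralsystem.com     | 91.212.65.125
 2009-05-01 01:35:26 | fastsecurityupdateserver.com | 83.133.115.9
"""

# Constructed excerpt of the sample table (two rows from the post, one per line).
SAMPLE_TABLE = """\
      timestamp      |                   sha1                   |               md5                |    dst_ip     | dst_port | protocol | size
--------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
 2009-05-02 03:34:09 | 030d184153ab2cd85c3e0882994c8c5755f552d5 | 737bfe375706997e1b4a80f55996cb66 | 91.212.65.125 |       80 |        6 |
 2009-05-25 21:33:16 | 06d95521ca21129b25a462107f13d2ddb9aebd85 | 3f5813f6d9d4c65434603bee50a7147d | 83.133.115.9  |       80 |        6 |
"""


def parse_psql_table(text):
    """Parse psql-style output: a header row, a dashed separator, then data rows.
    Returns one dict per data row, keyed by the stripped header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        if set(ln.strip()) <= set("-+ "):
            continue  # separator line
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) < len(header):
            continue  # a wrapped fragment, not a whole row
        rows.append(dict(zip(header, cells)))
    return rows


def build_indicators(pdns_rows, sample_rows):
    """Collect domains and IPs. IPs are taken from both tables so that a domain
    not yet on the list is still caught when it resolves to a known hosting IP."""
    domains = {r["dns_name"].lower().rstrip(".") for r in pdns_rows}
    ips = {r["ip"] for r in pdns_rows} | {r["dst_ip"] for r in sample_rows}
    return domains, ips


def matching_domain(name, domains):
    """Return the indicator that `name` equals or is a subdomain of, else None.
    Matching on label boundaries avoids false hits such as notbrabusautomoto.cn."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Hypothetical resolver log format: "... name=<qname> answer=<ip>".
LOG_RE = re.compile(r"name=(?P<name>\S+)(?:\s+answer=(?P<answer>\S+))?")


def scan_dns_logs(lines, domains, ips):
    """Return (line_no, kind, indicator) for every log line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        d = matching_domain(m.group("name"), domains)
        if d:
            hits.append((n, "domain", d))
        elif m.group("answer") in ips:
            hits.append((n, "ip", m.group("answer")))
    return hits


# Constructed log lines; 192.0.2.x are RFC 5737 documentation addresses.
LOG_LINES = [
    "2009-06-10T12:00:01Z client=10.1.2.3 name=brabusautomoto.cn answer=91.212.65.125",
    "2009-06-10T12:00:02Z client=10.1.2.4 name=www.example.com answer=192.0.2.10",
    "2009-06-10T12:00:03Z client=10.1.2.5 name=cdn.updatescentralsystem.com answer=192.0.2.11",
    "2009-06-10T12:00:04Z client=10.1.2.6 name=notbrabusautomoto.cn answer=192.0.2.12",
    "2009-06-10T12:00:05Z client=10.1.2.7 name=fresh-host.example answer=91.212.65.125",
]


def run():
    """Build the indicator set from both tables and scan the constructed logs."""
    domains, ips = build_indicators(parse_psql_table(PDNS_TABLE),
                                    parse_psql_table(SAMPLE_TABLE))
    return scan_dns_logs(LOG_LINES, domains, ips)


if __name__ == "__main__":
    for n, kind, indicator in run():
        print(f"line {n}: {kind} indicator {indicator}")
```

Line 5 is the case worth noting: the query name is not on the list, but the answer is one of the hosting IPs, so keeping the `dst_ip` column from the sample table as an indicator catches it; a domain-only blocklist would not.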