[nsp-sec] hints about DDoS against 88.80.216.114 (abuse.ch) ?
Thomas Hungenberg
th.lab at hungenberg.net
Mon Jun 29 13:42:59 EDT 2009
Rob Thomas wrote:
> It appears the second one is tied to 88.80.216.114.
>
> stamp | qname | class | type | rdata
> --------------------- ---------------------- ------- ------ ---------------
> 2009-05-29 06:10:05 | alpha.abuse.ch | IN | A | 88.80.216.114
> 2009-05-20 14:09:25 | crew.abnc-portal.com | IN | A | 88.80.216.114
> 2009-06-22 20:15:39 | www.abuse.ch | IN | A | 88.80.216.114
>
> The dx5.biz URL spits out: http://crew.abnc-portal.com/tpmgs.exe.
crew.abnc-portal.com previously pointed to another IP and hosted
malware as well as malicious JavaScript which was referenced from
compromised websites.
For an unknown reason, the DNS record for crew.abnc-portal.com was
changed to 88.80.216.114 in mid April.
This way the attackers supplied us with kind of a sinkhole for the
trojan downloader infected clients. :)
> The tpmgs.exe file comes back as one byte "very short file (no magic),"
Yes, this is just an empty file.
> Is your constituent aware of the crew.abnc-portal.com DNS RR and the
> tpmgs.exe file?
Yes, see message "Clients infected with trojan dropper trying to download
Zbot malware" posted to nsp-sec on 2009-04-30.
The recent DDoS targeting 88.80.216.114 was a SYN flood attack with 2500+
unique source IPs.
- Thomas
CERT-Bund Incident Response & Anti-Malware Team
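The pivot described in this thread (which names a passive-DNS table shows resolving to an IP, and when a name's A record changed), as an added example that is not part of the original post. It parses the same "stamp | qname | class | type | rdata" layout quoted above; the 192.0.2.77 row is constructed to stand in for the earlier, unnamed IP.

```python
from datetime import datetime

# Constructed sample in the "stamp | qname | class | type | rdata" layout of the
# passive-DNS excerpt quoted in the thread. The 88.80.216.114 rows are the ones
# quoted there; the 192.0.2.77 row (a documentation address) is made up to stand
# in for the earlier, unnamed IP the thread says crew.abnc-portal.com pointed to.
PDNS_TABLE = """\
stamp | qname | class | type | rdata
--------------------- ---------------------- ------- ------ ---------------
2009-03-02 11:00:00 | crew.abnc-portal.com | IN | A | 192.0.2.77
2009-05-29 06:10:05 | alpha.abuse.ch | IN | A | 88.80.216.114
2009-05-20 14:09:25 | crew.abnc-portal.com | IN | A | 88.80.216.114
2009-06-22 20:15:39 | www.abuse.ch | IN | A | 88.80.216.114
"""

FIELDS = ("stamp", "qname", "class", "type", "rdata")


def parse_pdns(text):
    """Parse the pipe-delimited table into a list of dicts, oldest first."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(FIELDS) or cells[0] == "stamp":
            continue  # header line, dashed separator row, or blank line
        rec = dict(zip(FIELDS, cells))
        rec["stamp"] = datetime.strptime(rec["stamp"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return sorted(records, key=lambda r: r["stamp"])


def names_for_ip(records, ip):
    """Pivot on an IP: which names were seen resolving to it, and when."""
    return [(r["qname"], r["stamp"]) for r in records
            if r["type"] == "A" and r["rdata"] == ip]


def rdata_changes(records, qname):
    """Timeline of a name's A record, keeping only the points where it changed."""
    history = []
    for r in records:
        if r["qname"] == qname and r["type"] == "A":
            if not history or history[-1][1] != r["rdata"]:
                history.append((r["stamp"], r["rdata"]))
    return history


if __name__ == "__main__":
    recs = parse_pdns(PDNS_TABLE)
    for name, seen in names_for_ip(recs, "88.80.216.114"):
        print(f"{seen}  {name}")
    for when, ip in rdata_changes(recs, "crew.abnc-portal.com"):
        print(f"crew.abnc-portal.com -> {ip} (first seen {when})")
```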