[nsp-sec] hints about DDoS against 88.80.216.114 (abuse.ch) ?
Rolf Gartmann
rolf.gartmann at switch.ch
Tue Jun 30 02:34:28 EDT 2009
Hi Rob et al,
thanks for your insights!
As pointed out by Thomas, crew.abnc-portal.com was
already known, a ZeuS dropper deliberately 'going wild'.
So the last attack could be related to the machbot controller a77e1468.biz
mentioned by Jose.
Thanks for digging!
cheers
Rolf
from the fingers of Rob Thomas on 29.6.2009 18:36 Uhr:
> Hi, Rolf.
>
> Sorry to hear about the DDoS!
>
>> does anyone have some intel ( especially C&C server)
>> about a DDoS against abuse.ch (88.80.216.114).
>
> We see two samples in our malware menagerie that reference 88.80.216.114.
>
> timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
> --------------------- ------------------------------------------ ---------------------------------- --------------- ---------- ---------- ------
> 2009-06-24 11:22:00 | 1f7cbaec722fe410490bf899e737f3167e8ca420 | 9d7c42c5fa0c65d66bd60e0cc38b1cc8 | 88.80.216.114 | 80       | 6        | 349
> 2009-05-22 07:02:55 | 22a83810f14ff1f177b868b01fe8489e774fee3f | 3a1bcd7a5019e5be6c316eed654dbbf4 | 88.80.216.114 | 80       | 6        | 348
>
> The most recent one is interesting, and perhaps part of what you've
> endured. It has names such as:
>
> DPTJIOYWFW-690.pms.exe.SVD
> userinit.exe
> 05DEA666.EXE
>
> It performs several HTTP GETs, one of which might impact you.
>
> GET http://dx5.biz/3/gt.php?id=44a2fac4
> USERAGENT ie
>
> GET http://crew.abnc-portal.com/tpmgs.exe
> USERAGENT ie
>
> GET http://business-networks.info/data/images/ftp.exe
> USERAGENT ie
>
> It appears the second one is tied to 88.80.216.114.
>
> stamp               | qname                | class | type | rdata
> --------------------- ---------------------- ------- ------ ---------------
> 2009-05-29 06:10:05 | alpha.abuse.ch       | IN    | A    | 88.80.216.114
> 2009-05-20 14:09:25 | crew.abnc-portal.com | IN    | A    | 88.80.216.114
> 2009-06-22 20:15:39 | www.abuse.ch         | IN    | A    | 88.80.216.114
>
> The dx5.biz URL spits out: http://crew.abnc-portal.com/tpmgs.exe.
>
> The tpmgs.exe file comes back as one byte "very short file (no magic),"
> and the ftp.exe file is error 404.
>
> Is your constituent aware of the crew.abnc-portal.com DNS RR and the
> tpmgs.exe file?
>
> Thanks,
> Rob.
--
SWITCH
Serving Swiss Universities
--------------------------
Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
http://www.switch.ch/cert/
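The correlation Rob describes in the quoted message (passive-DNS records for the attacked address set against the URLs a sandboxed sample fetched) as an added Python example; it is not part of the thread and not code from Rob, Rolf or their organisations. The pipe-separated record layout, the function names and the `own_domain` filter are assumptions; the inline sample data is constructed from the records and URLs quoted above.

```python
"""Correlate passive-DNS records and sandbox HTTP requests against one IP.

Added example, not from the nsp-sec thread. Given a victim address, list the
hostnames that resolved to it, separate the victim's own names from
third-party names parked on the address, and flag which URLs from a
sandbox report point at such a third-party name.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

TARGET_IP = "88.80.216.114"

# Constructed sample: the passive-DNS rows quoted in the thread.
# Assumed layout: stamp | qname | class | type | rdata
PDNS_SAMPLE = """\
2009-05-29 06:10:05 | alpha.abuse.ch | IN | A | 88.80.216.114
2009-05-20 14:09:25 | crew.abnc-portal.com | IN | A | 88.80.216.114
2009-06-22 20:15:39 | www.abuse.ch | IN | A | 88.80.216.114
"""

# Constructed sample: the HTTP GETs from the sandbox report quoted in the thread.
SANDBOX_GETS = [
    "http://dx5.biz/3/gt.php?id=44a2fac4",
    "http://crew.abnc-portal.com/tpmgs.exe",
    "http://business-networks.info/data/images/ftp.exe",
]


def parse_pdns(text):
    """Return {qname: [(first_seen, rtype, rdata), ...]} from pipe-separated rows.

    Header, separator and malformed lines (wrong field count) are skipped.
    """
    index = defaultdict(list)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue
        stamp, qname, _cls, rtype, rdata = fields
        try:
            seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # e.g. the 'stamp' header row
        index[qname.lower()].append((seen, rtype.upper(), rdata))
    return index


def names_for_ip(index, ip):
    """All qnames with an A record pointing at ip -> earliest first-seen time."""
    hits = {}
    for qname, records in index.items():
        for seen, rtype, rdata in records:
            if rtype == "A" and rdata == ip:
                hits[qname] = min(seen, hits.get(qname, seen))
    return hits


def is_own(host, own_domain):
    """True if host is own_domain itself or a subdomain of it (assumed helper)."""
    return host == own_domain or host.endswith("." + own_domain)


def foreign_names_for_ip(index, ip, own_domain):
    """Third-party hostnames resolving to the victim's address.

    These are the interesting ones: a name the victim does not control that
    points at their IP (here a malware distribution host) is what ties the
    sample's traffic to the attacked address.
    """
    return {q: seen for q, seen in names_for_ip(index, ip).items()
            if not is_own(q, own_domain)}


def urls_tied_to_ip(urls, index, ip, own_domain):
    """(url, host, first_seen) for each sandbox URL whose host is a foreign name for ip."""
    foreign = foreign_names_for_ip(index, ip, own_domain)
    tied = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in foreign:
            tied.append((url, host, foreign[host]))
    return tied


if __name__ == "__main__":
    idx = parse_pdns(PDNS_SAMPLE)
    for qname, seen in sorted(names_for_ip(idx, TARGET_IP).items()):
        tag = "own" if is_own(qname, "abuse.ch") else "FOREIGN"
        print(f"{seen:%Y-%m-%d %H:%M:%S}  {qname:<24} {tag}")
    for url, host, seen in urls_tied_to_ip(SANDBOX_GETS, idx, TARGET_IP, "abuse.ch"):
        print(f"sample GET {url} -> {host} first seen {seen:%Y-%m-%d} on {TARGET_IP}")
```

Run as a script it prints the three names with `crew.abnc-portal.com` marked FOREIGN and reports the `tpmgs.exe` URL as the one tied to the address; `dx5.biz` and `business-networks.info` are not flagged because nothing in the passive-DNS sample resolves them to the target. The `own_domain` filter is what turns a list of every name ever seen on the address into the short list worth asking the constituent about.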