[nsp-sec] Fast flux or Botnet - Facebook Phish | malware - ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc
Shelton, Steve
sshelton at Cogentco.com
Wed Mar 11 16:52:44 EDT 2009
Joel,
It is related, and evidence seems to point to a root-kit with very
little or limited detection.
Reference: http://www.dynamoo.com/blog/
VBA32 3.12.10.1 2009.03.11 suspected of
Embedded.Rootkit.Win32.Agent.ex
http://www.virustotal.com/analisis/b86d98263fc6987f2960ceb738b758c1
http://www.threatexpert.com/report.aspx?md5=a31cdc595075e6802647bc261350c1bd
Steve
-----Original Message-----
From: Joel Rosenblatt [mailto:joel at columbia.edu]
Sent: Wednesday, March 11, 2009 2:12 PM
To: nsp-security at puck.nether.net
Cc: Shelton, Steve
Subject: Re: [nsp-sec] Fast flux or Botnet - Facebook Phish | malware -
ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc
Hi,
Here is a copy of a facebook malware invitation we started receiving ..
I would not be surprised if it were related:
Return-Path: <euwr at bouzouk.com>
Received: from lmtpproxyd (tempeh-eth1.cc.columbia.edu [128.59.33.153])
by weisswurst.cc.columbia.edu (Cyrus v2.3.13) with LMTPA;
Wed, 11 Mar 2009 11:58:18 -0400
X-Sieve: CMU Sieve 2.3
Received: from tempeh.cc.columbia.edu ([unix socket])
by mail.columbia.edu (Cyrus v2.3.13) with LMTPA;
Wed, 11 Mar 2009 11:58:18 -0400
X-Sieve: CMU Sieve 2.3
Received: from gorgonzola.cc.columbia.edu (gorgonzola.cc.columbia.edu
[128.59.28.174])
by tempeh.cc.columbia.edu (8.13.1/8.13.1) with ESMTP id
n2BFwIMt021566;
Wed, 11 Mar 2009 11:58:18 -0400
Received: from [123.97.194.128] ([123.97.194.128])
by gorgonzola.cc.columbia.edu (8.14.3/8.14.1) with ESMTP id
n2BFw7Fx006255;
Wed, 11 Mar 2009 11:58:16 -0400 (EDT)
Received: from [123.97.194.128] by mail.bouzouk.com; Wed, 11 Mar 2009
23:58:16 +0800
Date: Wed, 11 Mar 2009 23:58:16 +0800
From: "Facebook Mail" <messageserver45 at facebook.com>
X-Mailer: The Bat! (v2.00.6) Business
Reply-To: euwr at bouzouk.com
X-Priority: 3 (Normal)
Message-ID: <083691248.81117996959512 at bouzouk.com>
To: copyright-reports at columbia.edu
Subject: FaceBook message: Magnificent Girls extremely dancing (Last
rated by Lavonne Lugo)
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-2
Content-Transfer-Encoding: 7bit
X-No-Spam-Score: exempt from filtering
X-Scanned-By: MIMEDefang 2.65 on 128.59.28.174
Messages from Your Friends on Facebook, March 11, 2009
You have 1 Personal Message:
Video title: "Amanda is dancing on Striptease Dance Party, March 10,
2009! We're absolutely shocked!".
Proceed to view full video message:
http://facebook.shared.referencenumber.personalid-6kpw3vjxm.asp.centredownloadpatch.com/home.htm?/mixed/application=f1o3587jdiimktu
Message ID: FB-kpy2olo9g7nd4j7
2009 Facebook community, Message Center.
-----------------------------------------------------------------------------------
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
--On Wednesday, March 11, 2009 4:04 PM -0400 "Shelton, Steve"
<sshelton at Cogentco.com> wrote:
> ----------- nsp-security Confidential --------
>
> All,
>
> I just spotted what appears to be a fast flux - botnet serving up
> Phished | malware sites referencing Facebook.
>
> We had a customer with an exploited server that was auth for
> centredownloadpatch.com and needplaeradobe.com for a short stint. Both
> domains have numerous A' records and very low TTL, so this is likely
> fastflux or botnet related.
>
> Note that ns2.castlebin.com appears to be pointed at a DOD network /32,
> which is lame delegation and once I impacted the routing for what was
> ns1.castlebin.com on our end, 8.12.160.183 took up the slack within a
> matter of minutes it seemed.
>
> 03/11/09 13:49:19 whois ns1.castlebin.com at whois.internic.net
>
> whois -h whois.internic.net ns1.castlebin.com ...
>
> Whois Server Version 2.0
>
> Server Name: NS1.CASTLEBIN.COM
> IP Address: 8.12.160.183
> Registrar: BIZCN.COM, INC.
>
>
> Wed Mar 11 20:38:54 2009
>
> centredownloadpatch.com. 202 IN A 76.122.72.90
> centredownloadpatch.com. 202 IN A 66.138.7.3
> centredownloadpatch.com. 202 IN A 68.220.37.205
> centredownloadpatch.com. 202 IN A 69.234.146.136
> centredownloadpatch.com. 202 IN A 75.57.61.217
>
> Wed Mar 11 20:47:06 2009
>
> needplaeradobe.com. 1800 IN A 66.138.7.3
> needplaeradobe.com. 1800 IN A 69.234.146.136
> needplaeradobe.com. 1800 IN A 75.57.61.217
> needplaeradobe.com. 1800 IN A 75.118.162.91
> needplaeradobe.com. 1800 IN A 76.122.72.90
>
>
> Some current URL[s] I see are:
>
>
> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/home.htm?/permissions/application=5639sgmlqzd4mrb
>
> Or
>
>
> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/../Adobe_Player11.exe
>
>
> 6389 | 68.220.37.205 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
> 7132 | 69.234.146.136 | SBIS-AS - AT&T Internet Services
> 7132 | 75.57.61.217 | SBIS-AS - AT&T Internet Services
> 7725 | 76.122.72.90 | CCH-AS7 - Comcast Cable Communications Holdings, Inc
> 13368 | 66.138.7.3 | JCP - James Cable Partners
> 29895 | 75.118.162.91 | WOW-INTERNET-COL - WideOpenWest Finance LLC
> 40935 | 8.12.160.183 | RELYNET - RelyNet Inc.
>
> Steve Shelton
> Network Security Engineer
> Cogent Communications
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet
> security counter-measures.
> _______________________________________________
>
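The fast-flux indicators Steve describes (many A records, a low TTL, and hosts scattered across several broadband ASNs) can be turned into a simple triage check over dig-style answer lines. This is an added example and not code from the thread; the IP-to-ASN table is constructed from the thread's own origin table (a real tool would query an IP-to-ASN service) and the sample snapshot is constructed from the answers quoted above plus one benign control name.

```python
from collections import defaultdict

# Constructed IP->ASN lookup taken from the origin table in the thread;
# a real tool would query an IP-to-ASN service instead.
IP_TO_ASN = {
    "68.220.37.205": 6389, "69.234.146.136": 7132, "75.57.61.217": 7132,
    "76.122.72.90": 7725, "66.138.7.3": 13368, "75.118.162.91": 29895,
    "8.12.160.183": 40935,
}

def parse_answers(text):
    """Yield (name, ttl, ip) from 'name TTL IN A ip' lines; other lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            yield parts[0].rstrip("."), int(parts[1]), parts[4]

def score(text, min_records=3, max_ttl=3600, min_asns=2):
    """Return {name: report}; a name is suspicious when it has many A records,
    a short TTL and addresses spread across several ASNs (the thread's indicators)."""
    by_name = defaultdict(list)
    for name, ttl, ip in parse_answers(text):
        by_name[name].append((ttl, ip))
    reports = {}
    for name, rrs in by_name.items():
        ips = {ip for _, ip in rrs}
        asns = {IP_TO_ASN[ip] for ip in ips if ip in IP_TO_ASN}
        min_ttl = min(ttl for ttl, _ in rrs)
        reports[name] = {
            "a_records": len(ips), "min_ttl": min_ttl, "distinct_asns": len(asns),
            "suspicious": len(ips) >= min_records and min_ttl <= max_ttl
                          and len(asns) >= min_asns,
        }
    return reports

# Constructed snapshot using the answers quoted in the thread plus one benign control.
SAMPLE = """\
centredownloadpatch.com. 202 IN A 76.122.72.90
centredownloadpatch.com. 202 IN A 66.138.7.3
centredownloadpatch.com. 202 IN A 68.220.37.205
needplaeradobe.com. 1800 IN A 66.138.7.3
needplaeradobe.com. 1800 IN A 69.234.146.136
needplaeradobe.com. 1800 IN A 75.57.61.217
example.net. 86400 IN A 192.0.2.10
"""

if __name__ == "__main__":
    for name, rep in score(SAMPLE).items():
        print(name, rep)
```

The thresholds are deliberately loose starting points; a single snapshot cannot prove flux, so repeat the query over time and watch for the address set churning as well.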