[nsp-sec] Fast flux or Botnet - Facebook Phish | malware - ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc

Nicholas Ianelli ni at cert.org
Wed Mar 11 16:58:55 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I have a facebook contact. Are you guys cool with me passing the info
over (minus the nsp-sec stuff)?

If so, lemme know if you want me to pull your info as well.

nick

Shelton, Steve wrote:
> ----------- nsp-security Confidential --------
> 
> Joel,
> 
> It is related, and evidence seems to point to a root-kit with very
> little or limited detection.
> 
> Reference: http://www.dynamoo.com/blog/
> 
> VBA32 	3.12.10.1 	2009.03.11 	suspected of
> Embedded.Rootkit.Win32.Agent.ex
> 
> http://www.virustotal.com/analisis/b86d98263fc6987f2960ceb738b758c1
> http://www.threatexpert.com/report.aspx?md5=a31cdc595075e6802647bc261350c1bd
> 
> Steve
> 
> -----Original Message-----
> From: Joel Rosenblatt [mailto:joel at columbia.edu] 
> Sent: Wednesday, March 11, 2009 2:12 PM
> To: nsp-security at puck.nether.net
> Cc: Shelton, Steve
> Subject: Re: [nsp-sec] Fast flux or Botnet - Facebook Phish | malware -
> ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc
> 
> Hi,
> 
> Here is a copy of a facebook malware invitation we started receiving ..
> I would not be surprised if it were related:
> 
> Return-Path: <euwr at bouzouk.com>
> Received: from lmtpproxyd (tempeh-eth1.cc.columbia.edu [128.59.33.153])
> 	 by weisswurst.cc.columbia.edu (Cyrus v2.3.13) with LMTPA;
> 	 Wed, 11 Mar 2009 11:58:18 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from tempeh.cc.columbia.edu ([unix socket])
> 	 by mail.columbia.edu (Cyrus v2.3.13) with LMTPA;
> 	 Wed, 11 Mar 2009 11:58:18 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from gorgonzola.cc.columbia.edu (gorgonzola.cc.columbia.edu
> [128.59.28.174])
> 	by tempeh.cc.columbia.edu (8.13.1/8.13.1) with ESMTP id
> n2BFwIMt021566;
> 	Wed, 11 Mar 2009 11:58:18 -0400
> Received: from [123.97.194.128] ([123.97.194.128])
> 	by gorgonzola.cc.columbia.edu (8.14.3/8.14.1) with ESMTP id
> n2BFw7Fx006255;
> 	Wed, 11 Mar 2009 11:58:16 -0400 (EDT)
> Received: from [123.97.194.128] by mail.bouzouk.com; Wed, 11 Mar 2009
> 23:58:16 +0800
> Date: 	Wed, 11 Mar 2009 23:58:16 +0800
> From: "Facebook Mail" <messageserver45 at facebook.com>
> X-Mailer: The Bat! (v2.00.6) Business
> Reply-To: euwr at bouzouk.com
> X-Priority: 3 (Normal)
> Message-ID: <083691248.81117996959512 at bouzouk.com>
> To: copyright-reports at columbia.edu
> Subject: FaceBook message: Magnificent Girls extremely dancing  (Last
> rated by Lavonne Lugo)
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset=iso-8859-2
> Content-Transfer-Encoding: 7bit
> X-No-Spam-Score: exempt from filtering
> X-Scanned-By: MIMEDefang 2.65 on 128.59.28.174
> 
> Messages from Your Friends on Facebook, March 11, 2009
> 
> You have 1 Personal Message:
> Video title: "Amanda is dancing on Striptease Dance Party, March 10,
> 2009! We're absolutely shocked!".
> 
> 
> Proceed to view full video message:
> 
> http://facebook.shared.referencenumber.personalid-6kpw3vjxm.asp.centredownloadpatch.com/home.htm?/mixed/application=f1o3587jdiimktu
> 
> 
> 
> Message ID: FB-kpy2olo9g7nd4j7
> 2009 Facebook community, Message Center.
> 
> -----------------------------------------------------------------------------------
> 
> 
> Joel Rosenblatt
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> 
> 
> --On Wednesday, March 11, 2009 4:04 PM -0400 "Shelton, Steve"
> <sshelton at Cogentco.com> wrote:
> 
>> ----------- nsp-security Confidential --------
>>
>> All,
>>
>> I just spotted what appears to be a fast flux - botnet serving up
>> Phished | malware sites referencing Facebook.
>>
>> We had a customer with an exploited server that was auth for
>> centredownloadpatch.com and needplaeradobe.com for a short stint. Both
>> domains have numerous A records and very low TTL, so this is likely
>> fast flux or botnet related.
>>
>> Note that ns2.castlebin.com appears to be pointed at a DOD network /32,
>> which is lame delegation, and once I impacted the routing for what was
>> ns1.castlebin.com on our end, 8.12.160.183 took up the slack within a
>> matter of minutes, it seemed.
>>
>> 03/11/09 13:49:19 whois ns1.castlebin.com at whois.internic.net
>>
>> whois -h whois.internic.net ns1.castlebin.com ...
>>
>> Whois Server Version 2.0
>>
>>    Server Name: NS1.CASTLEBIN.COM
>>    IP Address: 8.12.160.183
>>    Registrar: BIZCN.COM, INC.
>>
>>
>> Wed Mar 11 20:38:54 2009
>>
>> centredownloadpatch.com. 202	IN	A	76.122.72.90
>> centredownloadpatch.com. 202	IN	A	66.138.7.3
>> centredownloadpatch.com. 202	IN	A	68.220.37.205
>> centredownloadpatch.com. 202	IN	A	69.234.146.136
>> centredownloadpatch.com. 202	IN	A	75.57.61.217
>>
>> Wed Mar 11 20:47:06 2009
>>
>> needplaeradobe.com.	1800	IN	A	66.138.7.3
>> needplaeradobe.com.	1800	IN	A	69.234.146.136
>> needplaeradobe.com.	1800	IN	A	75.57.61.217
>> needplaeradobe.com.	1800	IN	A	75.118.162.91
>> needplaeradobe.com.	1800	IN	A	76.122.72.90
>>
>>
>> Some current URL[s] I see are:
>>
>>
>> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/home.htm?/permissions/application=5639sgmlqzd4mrb
>>
>> Or
>>
>>
>> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/../Adobe_Player11.exe
>>
>>
>> 6389    | 68.220.37.205    | BELLSOUTH-NET-BLK - BellSouth.net Inc.
>> 7132    | 69.234.146.136   | SBIS-AS - AT&T Internet Services
>> 7132    | 75.57.61.217     | SBIS-AS - AT&T Internet Services
>> 7725    | 76.122.72.90     | CCH-AS7 - Comcast Cable Communications Holdings, Inc
>> 13368   | 66.138.7.3       | JCP - James Cable Partners
>> 29895   | 75.118.162.91    | WOW-INTERNET-COL - WideOpenWest Finance LLC
>> 40935   | 8.12.160.183     | RELYNET - RelyNet Inc.
>>
>> Steve Shelton
>> Network Security Engineer
>> Cogent Communications
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
> 
> 
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkm4Jg8ACgkQi10dJIBjZIA9iACZAVUxTIc5vtX78SCzHfSII+7M
JoYAoKxPUfzqr2ueBIzKaFGgeQTwzDS9
=+XvC
-----END PGP SIGNATURE-----
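The two checks Joel's quoted mail invites a reader to do by eye (walk the Received chain outward from the receiving side to find the host that handed the message in, and compare the From: domain with Return-Path/Reply-To) can be automated. The following is an added example and not code from the thread or from any of its participants. The header text is reconstructed from the headers quoted above with the archive's "at" restored to "@"; the trusted suffix .columbia.edu and the 128.59.0.0/16 network are assumptions drawn from the IPs in those headers, and the function names are this example's own.

```python
"""Locate the ingress hop of a phishing mail and check sender consistency.

Added example, not code from the nsp-security thread. RAW_MAIL is
reconstructed from the headers quoted in the thread; TRUSTED_SUFFIX and
TRUSTED_NETS are assumptions taken from the receiving side's hostnames.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

RAW_MAIL = """\
Return-Path: <euwr@bouzouk.com>
Received: from lmtpproxyd (tempeh-eth1.cc.columbia.edu [128.59.33.153])
\t by weisswurst.cc.columbia.edu (Cyrus v2.3.13) with LMTPA;
\t Wed, 11 Mar 2009 11:58:18 -0400
Received: from tempeh.cc.columbia.edu ([unix socket])
\t by mail.columbia.edu (Cyrus v2.3.13) with LMTPA;
\t Wed, 11 Mar 2009 11:58:18 -0400
Received: from gorgonzola.cc.columbia.edu (gorgonzola.cc.columbia.edu
\t [128.59.28.174])
\tby tempeh.cc.columbia.edu (8.13.1/8.13.1) with ESMTP id n2BFwIMt021566;
\tWed, 11 Mar 2009 11:58:18 -0400
Received: from [123.97.194.128] ([123.97.194.128])
\tby gorgonzola.cc.columbia.edu (8.14.3/8.14.1) with ESMTP id n2BFw7Fx006255;
\tWed, 11 Mar 2009 11:58:16 -0400 (EDT)
Received: from [123.97.194.128] by mail.bouzouk.com; Wed, 11 Mar 2009
\t23:58:16 +0800
Date: Wed, 11 Mar 2009 23:58:16 +0800
From: "Facebook Mail" <messageserver45@facebook.com>
Reply-To: euwr@bouzouk.com
Message-ID: <083691248.81117996959512@bouzouk.com>

Messages from Your Friends on Facebook, March 11, 2009
"""

# Assumptions: hosts under this suffix / in this network are our own relays.
TRUSTED_SUFFIX = ".columbia.edu"
TRUSTED_NETS = [ipaddress.ip_network("128.59.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the 'from' host, the 'by' host and
    the bracketed connecting IP recorded by the receiving relay."""
    value = " ".join(value.split())          # undo header folding
    m_from = re.match(r"from\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    from_clause = value[:m_by.start()] if m_by else value
    m_ip = IP_RE.search(from_clause)
    return {
        "from": m_from.group(1).strip("[]") if m_from else "",
        "by": m_by.group(1).rstrip(";") if m_by else "",
        "ip": m_ip.group(1) if m_ip else None,
    }


def is_trusted(hop):
    """A hop originates inside our mail system by hostname or by address."""
    if hop["from"].endswith(TRUSTED_SUFFIX):
        return True
    if hop["ip"]:
        addr = ipaddress.ip_address(hop["ip"])
        return any(addr in net for net in TRUSTED_NETS)
    return False


def origin_ip(msg):
    """Walk Received headers top-down (newest first) and return the IP of
    the first hop where an untrusted host handed the mail to one of ours.
    Hops below that were written by the sender and cannot be trusted."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop["by"].endswith(TRUSTED_SUFFIX) and not is_trusted(hop):
            return hop["ip"]
    return None


def sender_domains(msg):
    """Compare the displayed From: domain with where replies really go."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    others = {}
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if value:
            others[header] = parseaddr(value)[1].rpartition("@")[2].lower()
    return {"from": from_dom, "others": others,
            "mismatch": any(d != from_dom for d in others.values())}


def analyse(raw):
    msg = email.message_from_string(raw)
    return {"origin_ip": origin_ip(msg), "sender": sender_domains(msg)}


if __name__ == "__main__":
    print(analyse(RAW_MAIL))
```

Only the hop written by your own relay is evidence of where the connection came from; the bottom Received line here claims mail.bouzouk.com but was supplied by the sender and is ignored by design.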
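The indicators Steve uses in the quoted message to call the two domains fast flux (numerous A records, low TTL, addresses scattered across unrelated residential ASNs, and two domains sharing an address pool) can be checked mechanically against resolver output. This is an added example and not code from the thread: the dig lines and the IP-to-ASN table are copied from Steve's message, the thresholds are this example's assumptions, and the example.com control record is constructed using a documentation address.

```python
"""Fast-flux indicators over DNS answer sets.

Added example, not code from the nsp-security thread. DIG_OUTPUT and
ASN_OF are copied from the thread (plus one constructed control record);
the thresholds are assumptions.
"""
import ipaddress
from collections import namedtuple

ARecord = namedtuple("ARecord", "name ttl ip")

# Answer sets as quoted in the thread (Wed Mar 11 2009), plus one
# constructed benign control record on a documentation address.
DIG_OUTPUT = """\
centredownloadpatch.com. 202   IN  A  76.122.72.90
centredownloadpatch.com. 202   IN  A  66.138.7.3
centredownloadpatch.com. 202   IN  A  68.220.37.205
centredownloadpatch.com. 202   IN  A  69.234.146.136
centredownloadpatch.com. 202   IN  A  75.57.61.217
needplaeradobe.com.      1800  IN  A  66.138.7.3
needplaeradobe.com.      1800  IN  A  69.234.146.136
needplaeradobe.com.      1800  IN  A  75.57.61.217
needplaeradobe.com.      1800  IN  A  75.118.162.91
needplaeradobe.com.      1800  IN  A  76.122.72.90
example.com.             86400 IN  A  192.0.2.1
"""

# Origin AS per address as listed in the thread: (AS number, AS name).
ASN_OF = {
    "68.220.37.205": (6389, "BELLSOUTH-NET-BLK"),
    "69.234.146.136": (7132, "SBIS-AS"),
    "75.57.61.217": (7132, "SBIS-AS"),
    "76.122.72.90": (7725, "CCH-AS7"),
    "66.138.7.3": (13368, "JCP"),
    "75.118.162.91": (29895, "WOW-INTERNET-COL"),
    "8.12.160.183": (40935, "RELYNET"),
}

# Assumed thresholds for this example; tune against your own resolver data.
MIN_ADDRESSES = 5   # a flux domain advertises a handful of hosts at once
MAX_TTL = 1800      # seconds; short TTLs let the pool rotate quickly
MIN_ASNS = 3        # compromised hosts sit in many unrelated access networks


def parse_zone_line(line):
    """Parse one dig-style line: 'name TTL IN A ip' (tabs or spaces)."""
    name, ttl, klass, rtype, ip = line.split()
    if klass != "IN" or rtype != "A":
        raise ValueError("not an A record: %r" % line)
    ipaddress.ip_address(ip)  # rejects malformed addresses early
    return ARecord(name, int(ttl), ip)


def flux_report(records, asn_of):
    """Group records by owner name and flag the three flux indicators."""
    by_name = {}
    for rec in records:
        by_name.setdefault(rec.name, []).append(rec)
    report = {}
    for name, recs in by_name.items():
        ips = sorted({r.ip for r in recs})
        asns = {asn_of[ip][0] for ip in ips if ip in asn_of}
        min_ttl = min(r.ttl for r in recs)
        indicators = []
        if len(ips) >= MIN_ADDRESSES:
            indicators.append("many A records")
        if min_ttl <= MAX_TTL:
            indicators.append("low TTL")
        if len(asns) >= MIN_ASNS:
            indicators.append("spread across ASNs")
        report[name] = {
            "addresses": len(ips),
            "asns": sorted(asns),
            "min_ttl": min_ttl,
            "indicators": indicators,
            "suspect": len(indicators) == 3,   # all three present
        }
    return report


def shared_addresses(records, name_a, name_b):
    """Addresses two names have in common; a shared pool links flux domains."""
    pool = lambda n: {r.ip for r in records if r.name == n}
    return sorted(pool(name_a) & pool(name_b))


RECORDS = [parse_zone_line(l) for l in DIG_OUTPUT.splitlines() if l.strip()]

if __name__ == "__main__":
    for name, info in flux_report(RECORDS, ASN_OF).items():
        print(name, info)
    print("shared:", shared_addresses(RECORDS, "centredownloadpatch.com.",
                                      "needplaeradobe.com."))
```

A low TTL or a large answer set on its own is also how content delivery networks behave, which is why the report only marks a name suspect when all three indicators coincide and why the ASN column matters: a CDN's addresses belong to one operator, whereas the pool above is spread across five consumer access networks.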


