[nsp-sec] Fast flux or Botnet - Facebook Phish | malware - ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc
Joel Rosenblatt
joel at columbia.edu
Wed Mar 11 17:02:50 EDT 2009
Hi,
It's OK with me.
Thanks,
Joel
--On Wednesday, March 11, 2009 4:58 PM -0400 Nicholas Ianelli <ni at cert.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I have a facebook contact. Are you guys cool with me passing the info
> over (minus the nsp-sec stuff)?
>
> If so, lemme know if you want me to pull your info as well.
>
> nick
>
> Shelton, Steve wrote:
>> ----------- nsp-security Confidential --------
>>
>> Joel,
>>
>> It is related, and evidence seems to point to a root-kit with very
>> little or limited detection.
>>
>> Reference: http://www.dynamoo.com/blog/
>>
>> VBA32 3.12.10.1 2009.03.11 suspected of Embedded.Rootkit.Win32.Agent.ex
>>
>> http://www.virustotal.com/analisis/b86d98263fc6987f2960ceb738b758c1
>> http://www.threatexpert.com/report.aspx?md5=a31cdc595075e6802647bc261350c1bd
>>
>> Steve
>>
>> -----Original Message-----
>> From: Joel Rosenblatt [mailto:joel at columbia.edu]
>> Sent: Wednesday, March 11, 2009 2:12 PM
>> To: nsp-security at puck.nether.net
>> Cc: Shelton, Steve
>> Subject: Re: [nsp-sec] Fast flux or Botnet - Facebook Phish | malware -
>> ns1.castlebin.com | 8.12.160.183 - AS40935 RELYNET - RelyNet Inc
>>
>> Hi,
>>
>> Here is a copy of a facebook malware invitation we started receiving ..
>> I would not be surprised if it were related:
>>
>> Return-Path: <euwr at bouzouk.com>
>> Received: from lmtpproxyd (tempeh-eth1.cc.columbia.edu [128.59.33.153])
>> by weisswurst.cc.columbia.edu (Cyrus v2.3.13) with LMTPA;
>> Wed, 11 Mar 2009 11:58:18 -0400
>> X-Sieve: CMU Sieve 2.3
>> Received: from tempeh.cc.columbia.edu ([unix socket])
>> by mail.columbia.edu (Cyrus v2.3.13) with LMTPA;
>> Wed, 11 Mar 2009 11:58:18 -0400
>> X-Sieve: CMU Sieve 2.3
>> Received: from gorgonzola.cc.columbia.edu (gorgonzola.cc.columbia.edu
>> [128.59.28.174])
>> by tempeh.cc.columbia.edu (8.13.1/8.13.1) with ESMTP id
>> n2BFwIMt021566;
>> Wed, 11 Mar 2009 11:58:18 -0400
>> Received: from [123.97.194.128] ([123.97.194.128])
>> by gorgonzola.cc.columbia.edu (8.14.3/8.14.1) with ESMTP id
>> n2BFw7Fx006255;
>> Wed, 11 Mar 2009 11:58:16 -0400 (EDT)
>> Received: from [123.97.194.128] by mail.bouzouk.com; Wed, 11 Mar 2009
>> 23:58:16 +0800
>> Date: Wed, 11 Mar 2009 23:58:16 +0800
>> From: "Facebook Mail" <messageserver45 at facebook.com>
>> X-Mailer: The Bat! (v2.00.6) Business
>> Reply-To: euwr at bouzouk.com
>> X-Priority: 3 (Normal)
>> Message-ID: <083691248.81117996959512 at bouzouk.com>
>> To: copyright-reports at columbia.edu
>> Subject: FaceBook message: Magnificent Girls extremely dancing (Last
>> rated by Lavonne Lugo)
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>> charset=iso-8859-2
>> Content-Transfer-Encoding: 7bit
>> X-No-Spam-Score: exempt from filtering
>> X-Scanned-By: MIMEDefang 2.65 on 128.59.28.174
>>
>> Messages from Your Friends on Facebook, March 11, 2009
>>
>> You have 1 Personal Message:
>> Video title: "Amanda is dancing on Striptease Dance Party, March 10,
>> 2009! We're absolutely shocked!".
>>
>>
>> Proceed to view full video message:
>>
>> http://facebook.shared.referencenumber.personalid-6kpw3vjxm.asp.centredownloadpatch.com/home.htm?/mixed/application=f1o3587jdiimktu
>>
>>
>>
>> Message ID: FB-kpy2olo9g7nd4j7
>> 2009 Facebook community, Message Center.
>>
>> -----------------------------------------------------------------------------------
>>
>>
>> Joel Rosenblatt
>>
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>>
>>
>> --On Wednesday, March 11, 2009 4:04 PM -0400 "Shelton, Steve"
>> <sshelton at Cogentco.com> wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> All,
>>>
>>> I just spotted what appears to be a fast flux - botnet serving up
>>> Phished | malware sites referencing Facebook.
>>>
>>> We had a customer with an exploited server that was auth for
>>> centredownloadpatch.com and needplaeradobe.com for a short stint. Both
>>> domains have numerous A records and very low TTL, so this is likely
>>> fastflux or botnet related.
>>>
>>> Note that ns2.castlebin.com appears to be pointed at a DOD network /32,
>>> which is lame delegation, and once I impacted the routing for what was
>>> ns1.castlebin.com on our end, 8.12.160.183 took up the slack within a
>>> matter of minutes it seemed.
>>>
>>> 03/11/09 13:49:19 whois ns1.castlebin.com at whois.internic.net
>>>
>>> whois -h whois.internic.net ns1.castlebin.com ...
>>>
>>> Whois Server Version 2.0
>>>
>>> Server Name: NS1.CASTLEBIN.COM
>>> IP Address: 8.12.160.183
>>> Registrar: BIZCN.COM, INC.
>>>
>>>
>>> Wed Mar 11 20:38:54 2009
>>>
>>> centredownloadpatch.com. 202 IN A 76.122.72.90
>>> centredownloadpatch.com. 202 IN A 66.138.7.3
>>> centredownloadpatch.com. 202 IN A 68.220.37.205
>>> centredownloadpatch.com. 202 IN A 69.234.146.136
>>> centredownloadpatch.com. 202 IN A 75.57.61.217
>>>
>>> Wed Mar 11 20:47:06 2009
>>>
>>> needplaeradobe.com. 1800 IN A 66.138.7.3
>>> needplaeradobe.com. 1800 IN A 69.234.146.136
>>> needplaeradobe.com. 1800 IN A 75.57.61.217
>>> needplaeradobe.com. 1800 IN A 75.118.162.91
>>> needplaeradobe.com. 1800 IN A 76.122.72.90
>>>
>>>
>>> Some current URL[s] I see are:
>>>
>>>
>>> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/home.htm?/permissions/application=5639sgmlqzd4mrb
>>>
>>> Or
>>>
>>>
>>> hxxp://facebook.shared.cebmainservlet.personalid-o2pirj9c8.logon.centredownloadpatch.com/../Adobe_Player11.exe
>>>
>>>
>>> 6389 | 68.220.37.205 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
>>> 7132 | 69.234.146.136 | SBIS-AS - AT&T Internet Services
>>> 7132 | 75.57.61.217 | SBIS-AS - AT&T Internet Services
>>> 7725 | 76.122.72.90 | CCH-AS7 - Comcast Cable Communications Holdings, Inc
>>> 13368 | 66.138.7.3 | JCP - James Cable Partners
>>> 29895 | 75.118.162.91 | WOW-INTERNET-COL - WideOpenWest Finance LLC
>>> 40935 | 8.12.160.183 | RELYNET - RelyNet Inc.
>>>
>>> Steve Shelton
>>> Network Security Engineer
>>> Cogent Communications
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>>
>>
>>
>>
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkm4Jg8ACgkQi10dJIBjZIA9iACZAVUxTIc5vtX78SCzHfSII+7M
> JoYAoKxPUfzqr2ueBIzKaFGgeQTwzDS9
> =+XvC
> -----END PGP SIGNATURE-----
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
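The "numerous A records and very low TTL" reasoning in Steve Shelton's post, turned into a small scoring script so the indicators can be checked mechanically against the records he quoted. This is an added example for this thread, not code from any of the posters: the A records and the IP-to-ASN table are copied from the thread; the cdn.example.invalid control set (RFC 5737 addresses, AS64496) is constructed to show what the heuristic should not flag; and the thresholds (5 addresses, 3 origin ASNs, 300 s TTL, 3 of 4 indicators) are assumptions for illustration, not values anyone in the thread used.

```python
"""Fast-flux heuristics over A-record snapshots. Added example for the
nsp-security thread; not code posted by any of its participants."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address

# A records quoted in the thread (zone-file style), plus one constructed
# control set in RFC 5737 documentation space that looks like an ordinary
# load-balanced hosting block, to show what the heuristic does NOT flag.
RR_TEXT = """
centredownloadpatch.com. 202 IN A 76.122.72.90
centredownloadpatch.com. 202 IN A 66.138.7.3
centredownloadpatch.com. 202 IN A 68.220.37.205
centredownloadpatch.com. 202 IN A 69.234.146.136
centredownloadpatch.com. 202 IN A 75.57.61.217
needplaeradobe.com. 1800 IN A 66.138.7.3
needplaeradobe.com. 1800 IN A 69.234.146.136
needplaeradobe.com. 1800 IN A 75.57.61.217
needplaeradobe.com. 1800 IN A 75.118.162.91
needplaeradobe.com. 1800 IN A 76.122.72.90
cdn.example.invalid. 60 IN A 203.0.113.10
cdn.example.invalid. 60 IN A 203.0.113.11
cdn.example.invalid. 60 IN A 203.0.113.12
cdn.example.invalid. 60 IN A 203.0.113.13
cdn.example.invalid. 60 IN A 203.0.113.14
"""

# Origin ASN per address. The real entries are the thread's own ASN listing;
# AS64496 (RFC 5398 documentation ASN) is assumed for the constructed control.
IP_TO_ASN = {
    "68.220.37.205": 6389, "69.234.146.136": 7132, "75.57.61.217": 7132,
    "76.122.72.90": 7725, "66.138.7.3": 13368, "75.118.162.91": 29895,
    **{f"203.0.113.{h}": 64496 for h in range(10, 15)},
}

# Thresholds are assumptions for illustration, not values from the thread.
MIN_ADDRS = 5        # "numerous A records"
MIN_ASNS = 3         # addresses scattered across unrelated networks
LOW_TTL = 300        # seconds; 202 s qualifies, 1800 s does not
MIN_INDICATORS = 3   # how many of the four indicators must fire

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>[\d.]+)$")


def parse_a_records(text: str) -> dict[str, list[tuple[int, IPv4Address]]]:
    """Group 'name TTL IN A ip' lines by owner name; reject anything else."""
    grouped: dict[str, list[tuple[int, IPv4Address]]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RR_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable A record: {line!r}")
        name = m["name"].rstrip(".").lower()
        grouped[name].append((int(m["ttl"]), ip_address(m["ip"])))
    return dict(grouped)


@dataclass
class FluxScore:
    name: str
    n_addrs: int
    n_asns: int
    n_unmapped: int            # addresses with no ASN in the lookup table
    min_ttl: int
    indicators: list[str] = field(default_factory=list)
    verdict: str = "inconclusive"


def score_domain(name, records, ip_to_asn=IP_TO_ASN) -> FluxScore:
    """Apply the four indicators to one owner name's A records."""
    addrs = {ip for _, ip in records}
    asns = {ip_to_asn[str(ip)] for ip in addrs if str(ip) in ip_to_asn}
    unmapped = sum(1 for ip in addrs if str(ip) not in ip_to_asn)
    # /16 granularity: compromised home hosts rarely share a block, while a
    # hosting farm's front ends usually do.
    prefixes16 = {int(ip) >> 16 for ip in addrs}
    s = FluxScore(name, len(addrs), len(asns), unmapped,
                  min(ttl for ttl, _ in records))
    if s.n_addrs >= MIN_ADDRS:
        s.indicators.append(f">= {MIN_ADDRS} distinct A records")
    if s.n_asns >= MIN_ASNS:
        s.indicators.append(f">= {MIN_ASNS} origin ASNs")
    if s.n_addrs > 1 and len(prefixes16) == s.n_addrs:
        s.indicators.append("no two addresses share a /16")
    if s.min_ttl <= LOW_TTL:
        s.indicators.append(f"TTL <= {LOW_TTL}s")
    if len(s.indicators) >= MIN_INDICATORS:
        s.verdict = "likely fast-flux"
    return s


def score_all(grouped, ip_to_asn=IP_TO_ASN) -> dict[str, FluxScore]:
    return {n: score_domain(n, rrs, ip_to_asn) for n, rrs in grouped.items()}


if __name__ == "__main__":
    for s in score_all(parse_a_records(RR_TEXT)).values():
        print(f"{s.name:26} {s.verdict:17} ttl={s.min_ttl:<5} "
              f"addrs={s.n_addrs} asns={s.n_asns} :: {'; '.join(s.indicators)}")
```

Run as-is, both thread domains come out "likely fast-flux", but for different reasons: centredownloadpatch.com fires all four indicators, while needplaeradobe.com (TTL 1800) fires only the three that do not depend on TTL, which is why the ASN and /16 spread carry more weight here than the TTL alone. The constructed control set has five addresses and a 60 s TTL, the two signals a load-balanced service also exhibits, and stays "inconclusive" because all of them sit in one ASN and one /16.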