[nsp-sec] Mebroot/Torpig (AS 13618, 15083, 23498)

Krista Hickey Krista.Hickey at cogeco.com
Fri Mar 13 11:28:40 EDT 2009


Hi Tom

I'm directly responsible for 7992 so will take care of that immediately.
23498 is a new acquisition so it's technically Cogeco but is run as an
independent entity and I know little to nothing about them yet despite
many screams for assistance. If you're ok with me sharing the info with
my management (I will remove nsp references), I will forcefully escalate
this time.

Krista
7992

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Tom Fischer
> Sent: Friday, March 13, 2009 11:19 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Mebroot/Torpig (AS 13618, 15083, 23498)
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I need help to nuke the following Mebroot/Torpig hosts:
> 
> Mebroot:
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz A 74.213.179.112
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns1.dns-diy.net
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns2.dns-diy.net
> 
> AS      | IP               | AS Name
> 23498   | 74.213.179.112   | CDSI - Cogeco Data Services Inc.
> PEER_AS | IP               | AS Name
> 852     | 74.213.179.112   | ASN852 - Telus Advanced Communications
> 7992    | 74.213.179.112   | COGECOWAVE - Cogeco Cable
> 19752   | 74.213.179.112   | HYDROONETELECOM - Hydro One Telecom Inc.
> 
> Torpig:
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns1.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns2.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:29 mvhgqram.biz A 69.59.26.51
> 
> AS      | IP               | AS Name
> 13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet
> PEER_AS | IP               | AS Name
> 3356    | 69.59.26.51      | LEVEL3 Level 3 Communications
> 4323    | 69.59.26.51      | TWTC - tw telecom holdings, inc.
> 7018    | 69.59.26.51      | ATT-INTERNET4 - AT&T WorldNet Services
> 
> Torpig drop:
> 200.35.150.100
> AS      | IP               | AS Name
> 15083   | 200.35.150.100   | INFOLINK-MIA-US - Infolink Information Services Inc.
> PEER_AS | IP               | AS Name
> 3549    | 200.35.150.100   | GBLX Global Crossing Ltd.
> 
> --
> Tom Fischer
> BFK edv-consulting GmbH                  tel: +49 721 962 01-1
> Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
