[nsp-sec] Mebroot/Torpig (AS 13618, 15083, 23498)

Chris Calvert Chris.Calvert at telus.com
Fri Mar 13 11:31:35 EDT 2009


If I'd finished my coffee, I would have been a bit more clear before hitting send.

ACK that we received this as a peer AS, not that we do anything with Cogeco's IP (the Mebroot host) in any way.

I'm going to notify our Abuse department just so they are aware, but assume that Krista can whack this mole before I manage to finish the aforementioned coffee ;)

Chris

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tom Fischer
> Sent: Friday, March 13, 2009 9:19 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Mebroot/Torpig (AS 13618, 15083, 23498)
> Importance: High
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> I need help to nuke the following Mebroot/Torpig hosts:
> 
> Mebroot:
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz A 74.213.179.112
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns1.dns-diy.net
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns2.dns-diy.net
> 
> AS      | IP               | AS Name
> 23498   | 74.213.179.112   | CDSI - Cogeco Data Services Inc.
> PEER_AS | IP               | AS Name
> 852     | 74.213.179.112   | ASN852 - Telus Advanced Communications
> 7992    | 74.213.179.112   | COGECOWAVE - Cogeco Cable
> 19752   | 74.213.179.112   | HYDROONETELECOM - Hydro One Telecom Inc.
> 
> Torpig:
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns1.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns2.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:29 mvhgqram.biz A 69.59.26.51
> 
> AS      | IP               | AS Name
> 13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet
> PEER_AS | IP               | AS Name
> 3356    | 69.59.26.51      | LEVEL3 Level 3 Communications
> 4323    | 69.59.26.51      | TWTC - tw telecom holdings, inc.
> 7018    | 69.59.26.51      | ATT-INTERNET4 - AT&T WorldNet Services
> 
> Torpig drop:
> 200.35.150.100
> AS      | IP               | AS Name
> 15083   | 200.35.150.100   | INFOLINK-MIA-US - Infolink Information Services Inc.
> PEER_AS | IP               | AS Name
> 3549    | 200.35.150.100   | GBLX Global Crossing Ltd.
> 
> -- 
> Tom Fischer
> BFK edv-consulting GmbH                  tel: +49 721 962 01-1
> Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
> 

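The quoted notification is a paste of passive-DNS records (first seen, last seen, name, type, value) followed by origin-AS and peer-AS lookup tables for each IP. Below is an added example, not part of the message or of BFK's tooling, that turns such a paste into a per-host triage summary an abuse desk can act on: which AS originates each host (the party that can act), which peers carry it, and which domains point at it. The sample input is constructed from the records quoted above with the mail's wrapped lines rejoined; the regular expressions describe that paste layout and are assumptions, not a documented format.

```python
"""Parse a pasted Mebroot/Torpig notification into a per-IP triage summary.

Added example: the input is constructed from the records quoted in the list
message (quote prefix kept), and the line formats below are assumptions about
that paste layout, not a library or a documented format.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the quoted records, with the wrapped lines rejoined.
SAMPLE = """\
> Mebroot:
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz A 74.213.179.112
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns1.dns-diy.net
> 2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns2.dns-diy.net
>
> AS      | IP               | AS Name
> 23498   | 74.213.179.112   | CDSI - Cogeco Data Services Inc.
> PEER_AS | IP               | AS Name
> 852     | 74.213.179.112   | ASN852 - Telus Advanced Communications
> 7992    | 74.213.179.112   | COGECOWAVE - Cogeco Cable
> 19752   | 74.213.179.112   | HYDROONETELECOM - Hydro One Telecom Inc.
>
> Torpig:
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns1.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns2.dns-diy.net
> 2009-03-09 08:27:26 2009-03-13 15:14:29 mvhgqram.biz A 69.59.26.51
>
> AS      | IP               | AS Name
> 13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet
> PEER_AS | IP               | AS Name
> 3356    | 69.59.26.51      | LEVEL3 Level 3 Communications
> 4323    | 69.59.26.51      | TWTC - tw telecom holdings, inc.
> 7018    | 69.59.26.51      | ATT-INTERNET4 - AT&T WorldNet Services
>
> Torpig drop:
> 200.35.150.100
> AS      | IP               | AS Name
> 15083   | 200.35.150.100   | INFOLINK-MIA-US - Infolink Information Services Inc.
> PEER_AS | IP               | AS Name
> 3549    | 200.35.150.100   | GBLX Global Crossing Ltd.
"""

# Assumed layout of the paste: a "Role:" heading, passive-DNS lines,
# then an origin-AS table and a peer-AS table keyed by IP.
SECTION = re.compile(r"^([A-Za-z][\w ]*):$")
PDNS = re.compile(
    r"^(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<last>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<name>\S+) (?P<rtype>A|NS) (?P<value>\S+)$"
)
TABLE_HEADER = re.compile(r"^(?P<kind>AS|PEER_AS)\s*\|")
TABLE_ROW = re.compile(r"^(?P<asn>\d+)\s*\|\s*(?P<ip>[\d.]+)\s*\|\s*(?P<name>.+?)\s*$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Host:
    ip: str
    role: str                       # section heading, e.g. "Mebroot", "Torpig drop"
    domains: set = field(default_factory=set)
    origin_as: Optional[int] = None  # AS that announces the prefix: who can act
    origin_name: str = ""
    peers: list = field(default_factory=list)  # (asn, name) of upstreams


def parse_report(text):
    """Return (hosts keyed by IP, nameservers keyed by domain)."""
    hosts, nameservers = {}, {}
    role, table = "", None

    def host(ip):
        return hosts.setdefault(ip, Host(ip=ip, role=role))

    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()   # drop the mail quote prefix
        if not line:
            continue
        if m := SECTION.match(line):
            role, table = m.group(1), None
        elif m := PDNS.match(line):
            if m["rtype"] == "A":
                host(m["value"]).domains.add(m["name"])
            else:
                nameservers.setdefault(m["name"], set()).add(m["value"])
        elif m := TABLE_HEADER.match(line):
            table = m["kind"]
        elif m := TABLE_ROW.match(line):
            h = host(m["ip"])
            if table == "AS":
                h.origin_as, h.origin_name = int(m["asn"]), m["name"]
            else:
                h.peers.append((int(m["asn"]), m["name"]))
        elif BARE_IP.match(line):       # bare IP under a heading (the drop host)
            host(line)
    return hosts, nameservers


def origin_asns(hosts):
    """AS numbers that announce the listed hosts: the ones to notify."""
    return sorted({h.origin_as for h in hosts.values() if h.origin_as is not None})


def triage_lines(hosts):
    """One ticket line per host: role, IP, domains, origin AS, carrying peers."""
    out = []
    for h in sorted(hosts.values(), key=lambda h: h.ip):
        peers = ", ".join(f"AS{a}" for a, _ in h.peers)
        names = ", ".join(sorted(h.domains)) or "-"
        out.append(f"{h.role}: {h.ip} ({names}) origin AS{h.origin_as} "
                   f"{h.origin_name}; peers: {peers}")
    return out


if __name__ == "__main__":
    hosts, ns = parse_report(SAMPLE)
    print("notify:", origin_asns(hosts))
    print("\n".join(triage_lines(hosts)))
```

The origin ASNs recovered from the paste are exactly the three in the subject line, which is the check a recipient wants before deciding, as Chris does above, whether they are the origin or merely a peer for a given host; peer entries are listed only so a transit provider knows the report concerns a customer route, not its own address space.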