[nsp-sec] ACK RE: Mebroot/Torpig (AS 13618, 15083, 23498)
Gassen, Derek
Derek.Gassen at twtelecom.com
Fri Mar 13 12:14:45 EDT 2009
ACK 4323. Sent to abuse.
Derek Gassen
Security Engineering
tw telecom inc.
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tom Fischer
Sent: Friday, March 13, 2009 9:19 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Mebroot/Torpig (AS 13618, 15083, 23498)
----------- nsp-security Confidential --------
Hi,
I need help to nuke the following Mebroot/Torpig hosts:
Mebroot:
2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz A 74.213.179.112
2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns1.dns-diy.net
2009-03-10 09:02:27 2009-03-13 15:16:07 igukxcdu.biz NS ns2.dns-diy.net
AS | IP | AS Name
23498 | 74.213.179.112 | CDSI - Cogeco Data Services Inc.
PEER_AS | IP | AS Name
852 | 74.213.179.112 | ASN852 - Telus Advanced Communications
7992 | 74.213.179.112 | COGECOWAVE - Cogeco Cable
19752 | 74.213.179.112 | HYDROONETELECOM - Hydro One Telecom Inc.
Torpig:
2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns1.dns-diy.net
2009-03-09 08:27:26 2009-03-13 15:14:28 mvhgqram.biz NS ns2.dns-diy.net
2009-03-09 08:27:26 2009-03-13 15:14:29 mvhgqram.biz A 69.59.26.51
AS | IP | AS Name
13618 | 69.59.26.51 | CARONET-ASN - Carolina Internet
PEER_AS | IP | AS Name
3356 | 69.59.26.51 | LEVEL3 Level 3 Communications
4323 | 69.59.26.51 | TWTC - tw telecom holdings, inc.
7018 | 69.59.26.51 | ATT-INTERNET4 - AT&T WorldNet Services
Torpig drop:
200.35.150.100
AS | IP | AS Name
15083 | 200.35.150.100 | INFOLINK-MIA-US - Infolink Information Services Inc.
PEER_AS | IP | AS Name
3549 | 200.35.150.100 | GBLX Global Crossing Ltd.
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
---
The content contained in this electronic message is not intended to constitute
formation of a contract binding tw telecom. tw telecom will be contractually
bound only upon execution, by an authorized officer, of a contract including
agreed terms and conditions or by express application of its tariffs. This message
is intended only for the use of the individual or entity to which it is addressed. If
the reader of this message is not the intended recipient, or the employee or agent
responsible for delivering the message to the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this message is strictly
prohibited. If you have received this communication in error, please notify us
immediately by replying to the sender of this E-Mail or by telephone.