[nsp-sec] Mebroot/Torpig (AS 13618, 23498, 32475)

Janish, Nathan Nathan.Janish at Level3.com
Wed Mar 25 11:16:50 EDT 2009


ACK for 3356.  We have contacts at CarolinaNet and Hydro One Telecom.  I am contacting them regarding resolution/shutdown.

Nathan Janish
Level3 Network Security


-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tom Fischer
Sent: Wednesday, March 25, 2009 4:30 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Mebroot/Torpig (AS 13618, 23498, 32475)

----------- nsp-security Confidential --------

Hi,

please help to nuke/null route the following Mebroot/Torpig hosts:


Mebroot:
--------
bsgigeic.com
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com A 65.60.42.10  
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns1.everydns.net  
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns2.everydns.net  
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns3.everydns.net  
2009-03-23 22:10:32 2009-03-25 10:17:56 bsgigeic.com NS ns4.everydns.net 

AS      | IP               | AS Name
32475   | 65.60.42.10      | SINGLEHOP-INC - SingleHop

PEER_AS | IP               | AS Name
6461    | 65.60.42.10      | MFNX MFN - Metromedia Fiber Network
23352   | 65.60.42.10      | SERVERCENTRAL - Server Central Network


Torpig:
-------
flippibi.com/rikora.com/pinakola.com
2009-03-09 08:27:59 2009-03-25 10:01:00 flippibi.com A 69.59.26.51  
2009-03-09 08:27:38 2009-03-25 10:20:57 rikora.com A 69.59.26.51  
2009-03-09 08:27:48 2009-03-25 10:20:57 pinakola.com A 69.59.26.51  

AS      | IP               | AS Name
13618   | 69.59.26.51      | CARONET-ASN - Carolina Internet

PEER_AS | IP               | AS Name
3356    | 69.59.26.51      | LEVEL3 Level 3 Communications
4323    | 69.59.26.51      | TWTC - tw telecom holdings, inc.
7018    | 69.59.26.51      | ATT-INTERNET4 - AT&T WorldNet Services


nvdhtram.biz
2009-03-24 13:39:21 2009-03-25 10:14:05 nvdhtram.biz A 76.76.22.199  
2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns1.everydns.net  
2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns2.everydns.net  
2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns3.everydns.net  
2009-03-23 08:08:37 2009-03-25 10:23:17 nvdhtram.biz NS ns4.everydns.net  

AS      | IP               | AS Name
13618   | 76.76.22.199     | CARONET-ASN - Carolina Internet

PEER_AS | IP               | AS Name
3356    | 76.76.22.199     | LEVEL3 Level 3 Communications
4323    | 76.76.22.199     | TWTC - tw telecom holdings, inc.
7018    | 76.76.22.199     | ATT-INTERNET4 - AT&T WorldNet Services


74.213.179.173

AS      | IP               | AS Name
23498   | 74.213.179.173   | CDSI - Cogeco Data Services Inc.

PEER_AS | IP               | AS Name
852     | 74.213.179.173   | ASN852 - Telus Advanced Communications
7992    | 74.213.179.173   | COGECOWAVE - Cogeco Cable
19752   | 74.213.179.173   | HYDROONETELECOM - Hydro One Telecom Inc.

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________


