[nsp-sec] dsl modem worm PYSBOT ATT: IBSNAC telecome italia

Smith, Donald Donald.Smith at qwest.com
Thu Mar 26 19:37:25 EDT 2009


As promised a report on psybot infected client ips. The following ASNs may want to have these modems rebooted, remote management disabled and strong passwords applied.
This is based on a bi-directional netflow query for the following IPs, which are C&Cs on port 5050 for the PYSBOT version we looked at. All of the traffic I saw came from 205.155.1.5 on port 5050, so for some reason I didn't see the botted routers check in; I only see what I believe is a response from that C&C IRC server on 5050. It is possible there are some false positives in this, and I wouldn't mind verification if IBSNAC or someone else can validate it.
The source interface was constant, so I don't think this is spoofed. Times as always GMT:)

ASN list:
3269, 12329, 13184 and 30612.
Bulk mode; whois.cymru.com [2009-03-26 23:24:59 +0000]
3269    | 79.0.211.100     | 0323.04:54:03.590 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.16.147.51     | 0323.05:25:15.662 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.16.98.156     | 0323.02:07:44.366 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.19.199.101    | 0323.03:15:04.082 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.2.201.243     | 0323.03:20:27.502 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.2.242.59      | 0323.04:07:34.302 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.21.6.202      | 0323.05:44:09.845 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.22.1.244      | 0323.03:34:16.290 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.23.31.160     | 0323.02:12:04.186 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.23.65.234     | 0323.04:20:28.122 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.24.146.121    | 0323.06:01:33.905 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.24.36.252     | 0323.01:10:12.622 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.24.74.58      | 0323.03:57:22.258 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.24.90.100     | 0323.03:09:31.146 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.27.23.37      | 0323.01:43:29.198 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.27.241.102    | 0323.02:07:44.566 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.31.133.32     | 0323.05:42:03.353 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.31.244.107    | 0323.04:30:57.874 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.32.50.125     | 0323.01:11:15.478 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.32.63.166     | 0323.05:54:39.541 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.33.103.94     | 0323.03:12:04.042 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.33.235.148    | 0323.05:15:21.990 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.34.3.37       | 0323.04:45:40.118 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.37.189.159    | 0323.05:23:10.114 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.37.53.176     | 0323.02:44:19.146 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.40.150.205    | 0323.03:39:21.506 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.40.241.182    | 0323.02:59:56.478 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.41.142.17     | 0323.05:18:49.390 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.41.168.181    | 0323.05:50:27.737 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.42.241.136    | 0323.02:46:51.430 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.44.27.30      | 0323.02:43:34.166 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.45.242.63     | 0323.06:07:15.457 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.47.2.29       | 0323.04:05:28.270 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.50.253.233    | 0323.06:05:27.421 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.50.3.53       | 0323.02:51:58.422 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.51.189.93     | 0323.05:39:58.381 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.52.122.171    | 0323.04:25:34.990 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.52.123.234    | 0323.03:10:52.306 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.52.51.223     | 0323.06:03:13.389 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.54.253.68     | 0323.01:46:57.974 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.56.255.58     | 0323.01:48:10.542 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.7.14.175      | 0323.01:19:40.186 | ASN-IBSNAZ TELECOM ITALIA
3269    | 79.8.184.185     | 0323.02:35:10.146 | ASN-IBSNAZ TELECOM ITALIA
3269    | 80.116.186.170   | 0323.04:15:57.694 | ASN-IBSNAZ TELECOM ITALIA
3269    | 80.117.215.135   | 0323.02:48:49.318 | ASN-IBSNAZ TELECOM ITALIA
3269    | 80.117.51.89     | 0323.01:04:04.442 | ASN-IBSNAZ TELECOM ITALIA
3269    | 80.183.0.193     | 0323.02:48:22.362 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.105.246.175   | 0323.04:09:48.538 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.106.52.12     | 0323.02:18:22.682 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.107.107.141   | 0323.01:30:09.690 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.48.255.90     | 0323.03:52:51.518 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.48.58.219     | 0323.02:45:39.914 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.49.78.64      | 0323.01:15:28.302 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.49.79.253     | 0323.01:02:51.462 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.51.112.103    | 0323.04:55:52.486 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.51.133.240    | 0323.03:49:42.502 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.51.14.186     | 0323.01:35:25.686 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.51.21.5       | 0323.05:37:51.461 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.52.136.102    | 0323.04:45:21.794 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.52.137.227    | 0323.03:10:52.414 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.52.62.58      | 0323.04:33:49.182 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.53.78.84      | 0323.05:39:57.973 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.54.255.8      | 0323.05:37:52.225 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.55.141.213    | 0323.04:19:43.458 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.55.230.187    | 0323.01:13:22.470 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.55.86.169     | 0323.04:15:40.042 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.56.186.201    | 0323.03:02:28.082 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.56.65.64      | 0323.01:47:42.614 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.56.66.61      | 0323.02:01:31.882 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.56.92.81      | 0323.02:01:58.506 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.1.122      | 0323.00:57:28.633 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.107.110    | 0323.01:00:45.814 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.160.235    | 0323.06:07:15.441 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.169.201    | 0323.01:34:49.174 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.245.134    | 0323.03:40:15.882 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.32.206     | 0323.01:14:24.790 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.57.78.142     | 0323.03:36:21.470 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.58.161.191    | 0323.01:52:23.210 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.59.41.11      | 0323.01:02:51.454 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.59.58.248     | 0323.03:43:25.182 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.60.32.76      | 0323.05:39:58.153 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.60.36.147     | 0323.03:06:39.694 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.60.56.136     | 0323.01:34:22.318 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.61.190.237    | 0323.05:22:06.746 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.89.236.13     | 0323.03:12:57.998 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.91.16.88      | 0323.05:39:58.577 | ASN-IBSNAZ TELECOM ITALIA
3269    | 82.91.48.156     | 0323.01:00:46.778 | ASN-IBSNAZ TELECOM ITALIA
3269    | 85.46.92.98      | 0323.04:52:51.822 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.0.116.148     | 0323.02:37:24.758 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.1.62.139      | 0323.00:59:52.045 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.1.62.244      | 0323.03:57:03.690 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.13.220.131    | 0323.03:43:15.814 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.14.170.120    | 0323.02:59:19.270 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.15.44.132     | 0323.05:12:39.846 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.19.101.21     | 0323.04:10:43.214 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.19.38.180     | 0323.05:27:21.878 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.2.163.95      | 0323.04:55:52.358 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.2.52.5        | 0323.05:18:58.342 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.3.197.181     | 0323.04:49:16.378 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.3.49.48       | 0323.02:40:34.330 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.5.212.1       | 0323.02:41:28.450 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.5.240.141     | 0323.04:39:48.590 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.7.135.254     | 0323.02:07:53.418 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.8.176.28      | 0323.02:26:19.158 | ASN-IBSNAZ TELECOM ITALIA
3269    | 87.8.86.53       | 0323.04:32:46.014 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.36.232.188    | 0323.02:27:21.770 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.42.187.202    | 0323.03:50:27.846 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.44.147.72     | 0323.03:10:51.682 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.44.68.144     | 0323.00:56:33.657 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.61.236.26     | 0323.03:00:40.046 | ASN-IBSNAZ TELECOM ITALIA
3269    | 88.62.176.217    | 0323.01:36:27.894 | ASN-IBSNAZ TELECOM ITALIA
3269    | 94.82.198.234    | 0323.01:28:22.726 | ASN-IBSNAZ TELECOM ITALIA
12429   | 213.200.235.21   | 0323.12:36:49.932 | CYBERNET-CH Swisscom (Schweiz) AG / Autonomous System
13184   | 85.176.185.26    | 0323.13:10:53.857 | HANSENET HanseNet Telekommunikation GmbH
30612   | 66.232.211.109   | 0323.01:11:15.485 | EAGLE-9-AS - Eagle Communications, Inc.

Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
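The two steps behind the table above, the bi-directional netflow selection (either direction of TCP traffic with the C&C address on port 5050) and the whois.cymru.com bulk lookup that maps each client IP to its origin ASN, as an added example that is not part of the original post or of any tool mentioned in it. The flow records and the whois reply are constructed (RFC 5737 addresses, documentation-reserved ASNs 64496/64497, made-up AS names); the CSV column layout is an assumption about an exported flow file. The two messages in this thread give the C&C address as 205.155.1.5 and 207.155.1.5, so the example takes it as a parameter rather than hard-coding one spelling.

```python
"""Pick out hosts that exchanged TCP traffic with a known C&C on its port,
then build and parse a Team Cymru bulk whois (whois.cymru.com, TCP/43) lookup
so the hits can be grouped by origin ASN for notification.
Added example; the flow lines and the whois reply below are constructed."""
from collections import defaultdict
from ipaddress import ip_address

# C&C endpoint as described in the report: IRC-style C&C on TCP/5050.
CNC_IP = "205.155.1.5"
CNC_PORT = 5050

# Constructed flow records. Assumed column layout of an exported flow file:
# ts,proto,src,sport,dst,dport,bytes
FLOWS = """\
2009-03-23 04:54:03,tcp,192.0.2.17,41233,205.155.1.5,5050,612
2009-03-23 04:54:03,tcp,205.155.1.5,5050,192.0.2.17,41233,1984
2009-03-23 05:25:15,tcp,205.155.1.5,5050,198.51.100.9,35802,2201
2009-03-23 05:25:16,tcp,192.0.2.17,41233,205.155.1.5,5050,88
2009-03-23 05:30:00,tcp,192.0.2.200,55001,205.155.1.5,80,540
2009-03-23 05:31:00,udp,203.0.113.4,5050,205.155.1.5,5050,120
2009-03-23 05:32:00,tcp,198.51.100.77,5050,192.0.2.3,5050,90
"""


def parse_flow(line):
    ts, proto, src, sport, dst, dport, nbytes = line.split(",")
    return {"ts": ts, "proto": proto, "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport), "bytes": int(nbytes)}


def suspect_clients(flow_text, cnc_ip=CNC_IP, cnc_port=CNC_PORT):
    """Return {client_ip: first_seen} for hosts that talked TCP with the C&C
    on its port in either direction (the bi-directional query). Port 5050
    between two unrelated hosts, or other ports on the C&C, do not count."""
    cnc = ip_address(cnc_ip)
    seen = {}
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "tcp":
            continue
        if f["dst"] == cnc and f["dport"] == cnc_port:
            client = f["src"]          # client -> C&C (check-in direction)
        elif f["src"] == cnc and f["sport"] == cnc_port:
            client = f["dst"]          # C&C -> client (the response direction)
        else:
            continue
        seen.setdefault(str(client), f["ts"])   # keep the earliest timestamp
    return seen


def bulk_whois_request(ips):
    """Text to send to whois.cymru.com port 43 for a bulk IP -> ASN lookup."""
    return "begin\nverbose\n" + "\n".join(sorted(ips, key=ip_address)) + "\nend\n"


# Constructed reply in the service's verbose layout; ASNs 64496/64497 are
# documentation-reserved and the AS names are made up.
SAMPLE_REPLY = """\
Bulk mode; whois.cymru.com [2009-03-26 23:24:59 +0000]
64496   | 192.0.2.17       | 192.0.2.0/24        | IT | ripencc  | 2007-06-01 | EXAMPLE-A Example ISP A
64497   | 198.51.100.9     | 198.51.100.0/24     | CH | ripencc  | 2006-02-14 | EXAMPLE-B Example ISP B
"""


def parse_bulk_whois(text):
    """Map IP -> (asn, as_name) from a bulk-mode reply; header lines have no '|'."""
    rows = {}
    for line in text.splitlines():
        if "|" not in line:
            continue
        fields = [f.strip() for f in line.split("|")]
        asn, ip, asname = fields[0], fields[1], fields[-1]
        rows[ip] = (int(asn), asname)
    return rows


def report_by_asn(clients, whois_rows):
    """Group suspect IPs by origin ASN, keeping first-seen timestamps, so each
    network can be notified once. Unmapped IPs land under (None, 'UNKNOWN')."""
    out = defaultdict(list)
    for ip, first_seen in clients.items():
        asn, asname = whois_rows.get(ip, (None, "UNKNOWN"))
        out[(asn, asname)].append((ip, first_seen))
    return dict(out)


if __name__ == "__main__":
    hits = suspect_clients(FLOWS)
    print(bulk_whois_request(hits))          # what would be sent to whois.cymru.com
    for (asn, name), entries in report_by_asn(hits, parse_bulk_whois(SAMPLE_REPLY)).items():
        for ip, ts in entries:
            print(f"{asn} | {ip:16} | {ts} | {name}")
```

Only the request text is built here; sending it means opening a TCP connection to whois.cymru.com on port 43, writing the text and reading until the peer closes. Matching on the C&C address plus its port in either direction is what keeps a stray port 5050 flow between two unrelated hosts out of the list, while the first-seen timestamp per client gives the operator a rough check-in time like the column in the table above.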
________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] On Behalf Of Smith, Donald [Donald.Smith at qwest.com]
Sent: Thursday, March 26, 2009 10:30 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] dsl modem worm PYSBOT

----------- nsp-security Confidential --------

This is a diary that was written about a dsl modem worm named PSYBOT.
It is MIPSEL based. They get in via weak passwords and possibly some other exploits. This worm RUNS on the router itself. We have done some testing and got it to run on a mipsel based box.
The site that had the exploit appears to be down. (127.0.0.1)
http//dweb.webhop.net/.bb/udhcpc.env
You can see infected systems in netflow by looking for tcp port 5050 and IP address 207.155.1.5. I will try to get a report out later if people are interested.

http://isc.sans.org/diary.html?storyid=6061

http://android-blog.org/2009/03/25/psyb0t-evolves-targets-unprotected-linux-mipsel-routers/


Donald.Smith at qwest.com
Please cc the handlers to keep them all in the loop.
________________________________
From: Rob Thomas [robt at cymru.com]
Sent: Wednesday, March 25, 2009 5:26 PM
To: Smith, Donald
Cc: nsp-security at puck.nether.net
Subject: Re: [nsp-sec] sites that are preying on the conficker victims withscareware and scams.

Hey, Don.

> $ whois 74.217.128.133
> Internap Network Services Corporation PNAP-SJE-01-2008 (NET-74-217-0-0-1)
>                                   74.217.0.0 - 74.217.255.255
> Netfirms INAP-TOR001-NETFIRMS-23422 (NET-74-217-128-0-1)
>                                   74.217.128.0 - 74.217.129.255

There's also a bit of mIRC script hosted there, which is often a bad sign.

We see a few DNS RRs over the past 30+ days.

      timestamp      |           dns_name           |       ip
---------------------+------------------------------+----------------
 2009-03-11 07:35:20 | dl.pacyrus.com               | 74.217.128.133
 2009-03-11 07:35:16 | forum.pacyrus.com            | 74.217.128.133
 2009-03-09 09:25:07 | marketingimagery.com         | 74.217.128.133
 2009-03-23 13:20:05 | mirctrivia.net               | 74.217.128.133
 2009-03-08 03:28:03 | subs.geekstogo.com           | 74.217.128.133
 2009-03-08 11:50:49 | www.pacyrus.com              | 74.217.128.133
 2009-02-27 22:35:08 | thehousewatch.sslpowered.com | 74.217.128.133
 2009-02-24 07:20:26 | www.fraganciasalpormayor.com | 74.217.128.133

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");



_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________