[nsp-sec] Mebroot/Torpig (AS 13618, 8001, 23498)
Tom Fischer
tfischer at bfk.de
Fri Mar 27 06:19:15 EDT 2009
Hi,
please help to nuke/null-route the following Mebroot/Torpig C&C servers:
Mebroot:
76.76.18.79
-----------
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com A 76.76.18.79
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns1.everydns.net
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns2.everydns.net
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns3.everydns.net
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns4.everydns.net
AS | IP | AS Name
13618 | 76.76.18.79 | CARONET-ASN - Carolina Internet
PEER_AS | IP | AS Name
3356 | 76.76.18.79 | LEVEL3 Level 3 Communications
4323 | 76.76.18.79 | TWTC - tw telecom holdings, inc.
7018 | 76.76.18.79 | ATT-INTERNET4 - AT&T WorldNet Services
Torpig:
66.246.252.207
--------------
2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns010.d.register.com
2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns013.a.register.com
2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns046.c.register.com
2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns082.b.register.com
2009-03-27 00:10:37 2009-03-27 09:12:00 tvjn8ram.com A 66.246.252.207
AS | IP | AS Name
8001 | 66.246.252.207 | NET-ACCESS-CORP - Net Access Corporation
PEER_AS | IP | AS Name
174 | 66.246.252.207 | COGENT Cogent/PSI
1299 | 66.246.252.207 | TELIANET TeliaNet Global Network
2516 | 66.246.252.207 | KDDI KDDI CORPORATION
3356 | 66.246.252.207 | LEVEL3 Level 3 Communications
3491 | 66.246.252.207 | BTN-ASN - Beyond The Network America, Inc.
3561 | 66.246.252.207 | SAVVIS - Savvis
4565 | 66.246.252.207 | MEGAPATH2-US - MegaPath Networks Inc.
6762 | 66.246.252.207 | SEABONE-NET Telecom Italia Sparkle
10310 | 66.246.252.207 | YAHOO-1 - Yahoo!
74.213.179.173
--------------
AS | IP | AS Name
23498 | 74.213.179.173 | CDSI - Cogeco Data Services Inc.
PEER_AS | IP | AS Name
852 | 74.213.179.173 | ASN852 - Telus Advanced Communications
7992 | 74.213.179.173 | COGECOWAVE - Cogeco Cable
19752 | 74.213.179.173 | HYDROONETELECOM - Hydro One Telecom Inc.
These are not sinkhole systems (see attached communication excerpt).
@cymru: please add these IPs to the ddos-rs
--Mebroot communication excerpt--
POST / HTTP/1.1
Host: sffhbeks.com
Content-Length: 108
Connection: close
.z....
.i\..aZ....O}.
.7.....DJ.._$C..P.=q..o>...(,...1......[$r...qh.........<^......].x.P....2...V`.......
HTTP/1.1 200 OK
Server: nginx/0.5.33
Date: Thu, 26 Mar 2009 16:45:10 GMT
Content-Type: text/html
X-Powered-By: PHP/5.2.6
Content-Length: 44
Connection: close
.z... `.iFq....T=4H..D./..1......AsP.....]..
--end of excerpt--
--Torpig communication excerpt--
POST /6BA7FCB57B7F79A7/FXFi5GEVJVegFBAw5H+HEVQxVaQ1JzERRBETclNKVRNVkQehoCHV0yGUEBBD6qcBVEFCVGWhUddkkQCwVUpCFHWRBhCwRMRXRFEUBeR+ZsExdSOUVVCgRtXBVFXVGtIk5UXXVRVgUUZEQbR1FCqSAHE HTTP/1.0
Host: tvjn8ram.com
Content-Length: 0
Connection: close
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Server: nginx/0.5.35
Date: Fri, 27 Mar 2009 09:02:10 GMT
Content-Type: text/html
X-Powered-By: PHP/5.2.5
Connection: close
okn
--end of excerpt--
--Torpig trigger communication excerpt--
GET /7FCB57B3701FF5CA41B36B17760/FXFi5GEVJVegFBRB43eAYFQmJSRFMHERRBEXA1RCUmJVkQehoCFh5gRFUWF20/CgIGQGALBEoEJANeAUN1NllSVFA HTTP/1.1
Host: 74.213.179.173
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 27 Mar 2009 08:53:06 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Content-Length: 589
Content-Type: text/html; charset=windows-1251
Connection: close
oka
--end of communication excerpt--
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
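The request above asks operators to null-route the three origin-AS addresses. As an added example (not part of the original post and not BFK's own tooling), the following Python script parses the passive-DNS lines and the AS / PEER_AS tables in the format shown in the message, keeps only the origin-AS addresses (the PEER_AS rows are the upstream transit networks for each IP and must not be blackholed), rejects anything that is not a globally routable IPv4 address, and emits Cisco IOS and Linux host blackhole statements. The sample input is copied from the tables in the post; the function and class names are the example's own.

```python
"""Turn the passive-DNS lines and AS / PEER_AS tables of a takedown request
into null-route statements.

Added example for illustration; it is not part of the original post and not
BFK's tooling.  Input format is the Team-Cymru-style "AS | IP | AS Name" table
and the "first-seen last-seen name type value" passive-DNS lines shown above.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Sample input copied from the tables in the post (one of each kind of line).
SAMPLE = """\
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com A 76.76.18.79
2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns1.everydns.net
AS | IP | AS Name
13618 | 76.76.18.79 | CARONET-ASN - Carolina Internet
PEER_AS | IP | AS Name
3356 | 76.76.18.79 | LEVEL3 Level 3 Communications
2009-03-27 00:10:37 2009-03-27 09:12:00 tvjn8ram.com A 66.246.252.207
AS | IP | AS Name
8001 | 66.246.252.207 | NET-ACCESS-CORP - Net Access Corporation
PEER_AS | IP | AS Name
174 | 66.246.252.207 | COGENT Cogent/PSI
AS | IP | AS Name
23498 | 74.213.179.173 | CDSI - Cogeco Data Services Inc.
PEER_AS | IP | AS Name
852 | 74.213.179.173 | ASN852 - Telus Advanced Communications
"""

# passive-DNS A record: first-seen, last-seen, name, "A", address
PDNS_A = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d +\d{4}-\d\d-\d\d \d\d:\d\d:\d\d +(\S+) +A +(\S+)$"
)
# table data row: "<asn> | <ip> | <as name>"
TABLE_ROW = re.compile(r"^(\d+)\s*\|\s*(\S+)\s*\|\s*(.*\S)\s*$")


@dataclass
class Request:
    origins: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ip -> (origin ASN, AS name)
    peers: Dict[str, Set[str]] = field(default_factory=dict)           # ip -> upstream ASNs
    a_records: Dict[str, str] = field(default_factory=dict)            # domain -> ip (passive DNS)


def parse_request(text: str) -> Request:
    """Parse the tables; an 'AS' header starts an origin block, 'PEER_AS' a peer block."""
    req = Request()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("PEER_AS"):
            section = "peer"
            continue
        if line.startswith("AS "):
            section = "origin"
            continue
        m = PDNS_A.match(line)
        if m:
            req.a_records[m.group(1)] = m.group(2)
            continue
        m = TABLE_ROW.match(line)
        if m and section is not None:
            asn, ip, name = m.groups()
            if section == "origin":
                req.origins[ip] = (asn, name)
            else:  # transit for the IP, not the host itself: never blackhole these
                req.peers.setdefault(ip, set()).add(asn)
    return req


def select_targets(req: Request) -> Tuple[List[str], Dict[str, str]]:
    """Origin-AS IPs that are globally routable IPv4; the rest come back with a reason."""
    targets: List[str] = []
    rejected: Dict[str, str] = {}
    for ip in req.origins:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected[ip] = "not an IP address"
            continue
        if addr.version != 4:
            rejected[ip] = "IPv6 not handled by this example"
        elif not addr.is_global:
            rejected[ip] = "not globally routable (private/reserved)"
        else:
            targets.append(ip)
    return sorted(targets, key=ipaddress.ip_address), rejected


def render_null_routes(targets: List[str], style: str = "ios") -> List[str]:
    """Emit host routes to a discard destination in Cisco IOS or Linux syntax."""
    if style == "ios":
        return [f"ip route {ip} 255.255.255.255 Null0" for ip in targets]
    if style == "linux":
        return [f"ip route add blackhole {ip}/32" for ip in targets]
    raise ValueError(f"unknown style: {style!r}")


def domains_for(req: Request, ip: str) -> List[str]:
    """Domains whose passive-DNS A record points at ip (empty if the bot contacts it by IP)."""
    return sorted(d for d, a in req.a_records.items() if a == ip)


if __name__ == "__main__":
    req = parse_request(SAMPLE)
    targets, rejected = select_targets(req)
    for ip in targets:
        asn, name = req.origins[ip]
        names = ", ".join(domains_for(req, ip)) or "(none, contacted by IP)"
        print(f"# AS{asn} {name}; domains: {names}")
    for line in render_null_routes(targets):
        print(line)
    for ip, why in rejected.items():
        print(f"# skipped {ip}: {why}")
```

Only the rows under an "AS | IP | AS Name" header become routes; the PEER_AS rows are kept separately so the output can list who to contact upstream without ever generating a blackhole for a transit provider's address. The third target has no passive-DNS record, matching the trigger excerpt in which the bot connects to 74.213.179.173 by IP.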
More information about the nsp-security mailing list