[nsp-sec] Mebroot/Torpig (AS 13618, 8001, 23498)

Tom Fischer tfischer at bfk.de
Mon Mar 30 04:16:30 EDT 2009


Hi,

On Fri, Mar 27, 2009 at 11:19:15AM +0100, Tom Fischer wrote:
> please help to nuke/null route the following Mebroot/Torpig c&c server:

new domain names but same IPs ...

first seen (UTC)    last seen (UTC)
2009-03-26 09:38:43 2009-03-29 20:45:55 sffhbeks.com A 76.76.18.79
2009-03-30 03:38:50 2009-03-30 07:40:37 xxkditct.com A 76.76.18.79

2009-03-27 00:10:37 2009-03-27 17:33:34 tvjn8ram.com A 66.246.252.207
2009-03-28 00:15:39 2009-03-28 14:58:50 avat9ram.com A 66.246.252.207
2009-03-29 00:02:49 2009-03-30 07:41:24 dviwiram.biz A 66.246.252.207

and 74.213.179.173 moved to 74.213.179.177 ...

> Mebroot:
> 
> 76.76.18.79
> -----------
> 
> 2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com A 76.76.18.79  
> 2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns1.everydns.net  
> 2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns2.everydns.net  
> 2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns3.everydns.net  
> 2009-03-26 09:38:43 2009-03-27 08:53:49 sffhbeks.com NS ns4.everydns.net  


> 
> AS      | IP               | AS Name
> 13618   | 76.76.18.79      | CARONET-ASN - Carolina Internet
> 
> PEER_AS | IP               | AS Name
> 3356    | 76.76.18.79      | LEVEL3 Level 3 Communications
> 4323    | 76.76.18.79      | TWTC - tw telecom holdings, inc.
> 7018    | 76.76.18.79      | ATT-INTERNET4 - AT&T WorldNet Services
> 
> 
> Torpig:
> 
> 66.246.252.207
> --------------
> 
> 2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns010.d.register.com  
> 2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns013.a.register.com  
> 2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns046.c.register.com  
> 2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns082.b.register.com  
> 2009-03-27 00:10:37 2009-03-27 09:12:00 tvjn8ram.com A 66.246.252.207 
> 
> AS      | IP               | AS Name
> 8001    | 66.246.252.207   | NET-ACCESS-CORP - Net Access Corporation
> 
> PEER_AS | IP               | AS Name
> 174     | 66.246.252.207   | COGENT Cogent/PSI
> 1299    | 66.246.252.207   | TELIANET TeliaNet Global Network
> 2516    | 66.246.252.207   | KDDI KDDI CORPORATION
> 3356    | 66.246.252.207   | LEVEL3 Level 3 Communications
> 3491    | 66.246.252.207   | BTN-ASN - Beyond The Network America, Inc.
> 3561    | 66.246.252.207   | SAVVIS - Savvis
> 4565    | 66.246.252.207   | MEGAPATH2-US - MegaPath Networks Inc.
> 6762    | 66.246.252.207   | SEABONE-NET Telecom Italia Sparkle
> 10310   | 66.246.252.207   | YAHOO-1 - Yahoo!
> 
> 74.213.179.173
> --------------
> 
> AS      | IP               | AS Name
> 23498   | 74.213.179.173   | CDSI - Cogeco Data Services Inc.
> 
> PEER_AS | IP               | AS Name
> 852     | 74.213.179.173   | ASN852 - Telus Advanced Communications
> 7992    | 74.213.179.173   | COGECOWAVE - Cogeco Cable
> 19752   | 74.213.179.173   | HYDROONETELECOM - Hydro One Telecom Inc.
> 
> 
> These are no sinkhole systems (see attached communication excerpt).
> 
> @cymru: please add these IPs to the ddos-rs
> 
> 
> --Mebroot communication excerpt--
> POST / HTTP/1.1
> Host: sffhbeks.com
> Content-Length: 108
> Connection: close
> .z....
> .i\..aZ....O}.
> .7.....DJ.._$C..P.=q..o>...(,...1......[$r...qh.........<^......].x.P....2...V`.......HTTP/1.1 200 OK
> 
> Server: nginx/0.5.33
> Date: Thu, 26 Mar 2009 16:45:10 GMT
> Content-Type: text/html
> X-Powered-By: PHP/5.2.6
> Content-Length: 44
> Connection: close
> 
> .z... `.iFq....T=4H..D./..1......AsP.....]..
> --end of excerpt--
> 
> --Torpig communication excerpt--
> POST /6BA7FCB57B7F79A7/FXFi5GEVJVegFBAw5H+HEVQxVaQ1JzERRBETclNKVRNVkQehoCHV0yGUEBBD6qcBVEFCVGWhUddkkQCwVUpCFHWRBhCwRMRXRFEUBeR+ZsExdSOUVVCgRtXBVFXVGtIk5UXXVRVgUUZEQbR1FCqSAHE HTTP/1.0
> Host: tvjn8ram.com
> Content-Length: 0
> Connection: close
> Content-Type: application/x-www-form-urlencoded
> 
> HTTP/1.1 200 OK
> Server: nginx/0.5.35
> Date: Fri, 27 Mar 2009 09:02:10 GMT
> Content-Type: text/html
> X-Powered-By: PHP/5.2.5
> Connection: close
> 
> okn
> --end of excerpt--
> 
> --Torpig trigger communication excerpt--
> GET /7FCB57B3701FF5CA41B36B17760/FXFi5GEVJVegFBRB43eAYFQmJSRFMHERRBEXA1RCUmJVkQehoCFh5gRFUWF20/CgIGQGALBEoEJANeAUN1NllSVFA HTTP/1.1
> Host: 74.213.179.173
> Cache-Control: no-cache
> 
> HTTP/1.1 200 OK
> Date: Fri, 27 Mar 2009 08:53:06 GMT
> Server: Apache
> X-Powered-By: PHP/5.1.6
> Content-Length: 589
> Content-Type: text/html; charset=windows-1251
> Connection: close
> 
> oka
> --end of communication excerpt--
> 
> 
> -- 
> Tom Fischer
> BFK edv-consulting GmbH                  tel: +49 721 962 01-1
> Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 
End of Excerpt of Message from Tom Fischer.

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99
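The two things the message relies on, pivoting passive-DNS records by resolved IP (so that "new domain names but same IPs" is visible at a glance) and recognising the request shape of the Torpig beacon and trigger excerpts, as an added example. This is not code from the original post or from the nsp-sec thread; the sample records are copied from the message, and the two path regexes are an assumption generalised only from the two Torpig requests quoted above (a hex directory followed by a base64-like blob), not a published signature.

```python
"""Passive-DNS pivot and Torpig request-shape check.  Added example, not part
of the original post.  Sample data below is copied from the message; the
request regexes are an assumption derived from the two quoted requests."""
import re
from collections import defaultdict
from datetime import datetime

# Passive-DNS layout used in the message:
# "<first seen> <last seen> <name> <rtype> <rdata>"
PDNS_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(\S+)\s+(A|AAAA|NS|CNAME)\s+(\S+)\s*$"
)

SAMPLE_PDNS = """\
first seen (UTC)    last seen (UTC)
2009-03-26 09:38:43 2009-03-29 20:45:55 sffhbeks.com A 76.76.18.79
2009-03-30 03:38:50 2009-03-30 07:40:37 xxkditct.com A 76.76.18.79
2009-03-27 00:10:37 2009-03-27 17:33:34 tvjn8ram.com A 66.246.252.207
2009-03-28 00:15:39 2009-03-28 14:58:50 avat9ram.com A 66.246.252.207
2009-03-29 00:02:49 2009-03-30 07:41:24 dviwiram.biz A 66.246.252.207
2009-03-27 00:10:36 2009-03-27 09:12:00 tvjn8ram.com NS dns010.d.register.com
"""


def parse_pdns(text):
    """Return one dict per well-formed passive-DNS line; headers are skipped."""
    records = []
    for line in text.splitlines():
        m = PDNS_RE.match(line.strip())
        if not m:
            continue
        first, last, name, rtype, rdata = m.groups()
        records.append({
            "first_seen": datetime.strptime(first, "%Y-%m-%d %H:%M:%S"),
            "last_seen": datetime.strptime(last, "%Y-%m-%d %H:%M:%S"),
            "name": name.lower().rstrip("."),
            "rtype": rtype,
            "rdata": rdata.lower().rstrip("."),
        })
    return records


def domains_by_ip(records, min_domains=2):
    """Map each IP to the names that resolved to it, ordered by first sighting.
    Only IPs with at least `min_domains` distinct names are kept, which is
    exactly the 'same IP, rotating hostnames' pattern in the message."""
    first_by_ip = defaultdict(dict)
    for r in records:
        if r["rtype"] != "A":
            continue
        prev = first_by_ip[r["rdata"]].get(r["name"])
        if prev is None or r["first_seen"] < prev:
            first_by_ip[r["rdata"]][r["name"]] = r["first_seen"]
    return {
        ip: [n for n, _ in sorted(names.items(), key=lambda kv: kv[1])]
        for ip, names in first_by_ip.items() if len(names) >= min_domains
    }


# ASSUMPTION: generalised from the two Torpig requests in the excerpts only.
# Beacon:  POST /<16 hex>/<base64-like>  with an empty body.
# Trigger: GET  /<24-32 hex>/<base64-like> with Cache-Control: no-cache.
TORPIG_POST_RE = re.compile(r"^/[0-9A-F]{16}/[A-Za-z0-9+/=]{20,}$")
TORPIG_GET_RE = re.compile(r"^/[0-9A-F]{24,32}/[A-Za-z0-9+/=]{20,}$")

SAMPLE_TORPIG_POST = (
    "POST /6BA7FCB57B7F79A7/FXFi5GEVJVegFBAw5H+HEVQxVaQ1JzERRBETclNKVRNVkQeh"
    "oCHV0yGUEBBD6qcBVEFCVGWhUddkkQCwVUpCFHWRBhCwRMRXRFEUBeR+ZsExdSOUVVCgRtX"
    "BVFXVGtIk5UXXVRVgUUZEQbR1FCqSAHE HTTP/1.0\r\nHost: tvjn8ram.com\r\n"
    "Content-Length: 0\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)
SAMPLE_TORPIG_GET = (
    "GET /7FCB57B3701FF5CA41B36B17760/FXFi5GEVJVegFBRB43eAYFQmJSRFMHERRBEXA1"
    "RCUmJVkQehoCFh5gRFUWF20/CgIGQGALBEoEJANeAUN1NllSVFA HTTP/1.1\r\n"
    "Host: 74.213.179.173\r\nCache-Control: no-cache\r\n\r\n"
)


def classify_request(raw):
    """Classify a raw HTTP request head (request line plus headers, body
    excluded).  Returns 'torpig-beacon', 'torpig-trigger' or None."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    method, path = parts[0].upper(), parts[1]
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    if method == "POST" and TORPIG_POST_RE.match(path) \
            and headers.get("content-length") == "0":
        return "torpig-beacon"
    if method == "GET" and TORPIG_GET_RE.match(path) \
            and headers.get("cache-control", "").lower() == "no-cache":
        return "torpig-trigger"
    return None


if __name__ == "__main__":
    for ip, names in domains_by_ip(parse_pdns(SAMPLE_PDNS)).items():
        print(ip, "->", ", ".join(names))
    print(classify_request(SAMPLE_TORPIG_POST), classify_request(SAMPLE_TORPIG_GET))
```

Run against a proxy log, the path check alone will match a fair amount of legitimate traffic with hex directories and base64 tokens, so the IP/domain pivot is the stronger signal and the request shape is only a reason to look closer; null-routing decisions in the message are driven by the resolved IPs, not by the URL pattern.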
