[nsp-sec] identity theft c&c (AS 4134, 9394)
Tom Fischer
tfischer at bfk.de
Tue May 5 02:56:22 EDT 2009
Hi,
On Mon, Apr 27, 2009 at 03:11:03PM +0200, Tom Fischer wrote:
> any chance to enforce a null route / termination of 61.235.117.71
newcounters.cn/61.235.117.71 is still active - another variant connects
to 0083vorit.cn/122.225.36.35.
Any chance to terminate / null route the mentioned systems?
Malware distribution:
hxxp://newcounters.cn/IT02/02.exe
AV-scan: http://www.virustotal.com/analisis/8f039ec44525adf9e4392c4d1195ca38
hxxp://0083vorit.cn/dbv4.exe
AV-scan: http://www.virustotal.com/analisis/d4d366666ce212757d562c9647617354
c&c:
hxxp://newcounters.cn/IT02/get.php
hxxp://0083vorit.cn/IT02/get.php
e.g. hxxp://newcounters.cn/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSJ
AS | IP | AS Name
4134 | 122.225.36.35 | CHINANET-BACKBONE No.31,Jin-rong Street
9394 | 61.235.117.71 | CRNET CHINA RAILWAY Internet(CRNET)
> current malware: hxxp://newcounters.cn/IT02/nds.exe
> av-detection: http://www.virustotal.com/analisis/dd7acea5728e004b8bc688801691c744
> c&c: hxxp://newcounters.cn/IT02/get.php - just looks suspended for an
> invalid communication - example of a valid communication (with 102 ok response)
> hxxp://newcounters.cn/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSJ
>
> DNS history:
> first seen (UTC) last seen (UTC)
> 2009-04-21 13:24:12 2009-04-21 13:24:12 www.rnstatistics.org A 61.235.117.71
> 2009-04-21 13:18:05 2009-04-21 14:39:09 mail.rnstatistics.org A 61.235.117.71
> 2008-12-20 01:19:39 2009-04-21 17:26:00 rnstatistics.org A 61.235.117.71
> 2009-04-21 20:36:44 2009-04-22 11:51:30 itrcounter.net A 61.235.117.71
> 2009-04-22 20:12:06 2009-04-27 12:12:02 mail.newcounters.cn A 61.235.117.71
> 2009-04-22 19:44:47 2009-04-27 12:58:25 newcounters.cn A 61.235.117.71
>
> AS | IP | AS Name
> 9394 | 61.235.117.71 | CRNET CHINA RAILWAY Internet(CRNET)
> PEER_AS | IP | AS Name
> 6453 | 61.235.117.71 | GLOBEINTERNET TATA Communications
> 9304 | 61.235.117.71 | HUTCHISON-AS-AP Hutchison Global Communications
> 10026 | 61.235.117.71 | ANC Asia Netcom Corporation
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99