[nsp-sec] identity theft c&c (AS 4134, 9394)
Rob Thomas
robt at cymru.com
Tue May 5 14:48:11 EDT 2009
Hey, Tom.
Thanks for the details!
> newcounters.cn/61.235.117.71 is still active - another variant connects
> to 0083vorit.cn/122.225.36.35.
If this helps, and likely you already have these details, we see the
following samples in our malware menagerie pointed to 61.235.117.71.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+---------------+----------+----------+------
2009-04-17 08:06:31 | 0e36481d49afb55e14847a25a5ae2805debaf694 | 7e7640e49f6cc2dd7c073c6b747f4878 | 61.235.117.71 | 80 | 6 |
2009-03-30 17:22:28 | 1c2e7a6c32fc6f37b9ab6a27d4c1d40d3c99cf52 | 814c1de4e9ea8d9acc479ed63e0d895b | 61.235.117.71 | 80 | 6 |
2009-03-04 06:22:03 | 2155da3ee05e53021fd97427c2dbba76b1e9477c | 48498e14469208e761c1838558dbac8a | 61.235.117.71 | 80 | 6 |
2009-04-17 03:27:22 | 23c4e5d0c7102732ead04f7f3736c71c2ac3cc68 | 3e1304a32c3f8c06aa0cffd948d760fb | 61.235.117.71 | 80 | 6 |
2009-04-05 09:22:38 | 38a76c83e07b6bbbfc23aa0ad5ddd7ba4f104aa2 | 47a47386a6ee72503b3afa7a5bffc65a | 61.235.117.71 | 80 | 6 |
2009-04-23 12:21:36 | 468d8f09fe9b8af843769031526b978c1591a84e | 076e1c785ea8665b8986f87c3bf74a0e | 61.235.117.71 | 80 | 6 |
2009-02-03 10:31:22 | 5800c7d654bce667f3a8e931261e62a61c77a7df | 7813daaac5243f16784f5f7e56f1b6c2 | 61.235.117.71 | 80 | 6 |
2009-03-06 07:01:10 | 5ce706d15af344bd75ee830d0d9ae31f0aa04aef | d77ddd32eea3a41a00fe52e73410de48 | 61.235.117.71 | 80 | 6 |
2009-04-17 08:08:30 | 83d3fb4aeb7f1d83fc81fa36cd3fcb12a493f0e9 | 8bb4bf785be8de35b05e58979a1e27d8 | 61.235.117.71 | 80 | 6 |
2009-04-05 05:16:46 | 848e5044fd1488dc319802cd04999f78529cb266 | 1c4dddab4e417f98000898b9485fadfc | 61.235.117.71 | 80 | 6 |
2009-03-16 18:31:12 | 86c7cc432aaf36c57249258f22e401d2599396d6 | 94e0ebe20babf110be1f9cd2d9c295b4 | 61.235.117.71 | 80 | 6 |
2009-04-16 12:23:18 | 8f60582a6110ced7bf1dee7d2761aea1a2f53f1f | d6618085f15cbabf5d078e829292e50e | 61.235.117.71 | 80 | 6 |
2009-04-30 22:21:38 | c801dd70348e5434e4e25d7ca1de1c2364a7ad3a | 65d9c086da9f95ab7b7ac791f19725b0 | 61.235.117.71 | 80 | 6 | 0
2009-03-12 16:25:57 | d3948d6c33be009194513545a110566c2f6bbb97 | 0de37651ab1e4c8d31a202a451d05e73 | 61.235.117.71 | 80 | 6 |
2009-04-17 21:26:28 | dcb6a1485c3caff7d371c75d8dc465148f8b610d | c5b76022e0bc01f9c3478dcff3f0a400 | 61.235.117.71 | 80 | 6 |
2009-03-20 10:24:03 | e37904d129e2e5e047d1e7845df6035afd45ad05 | 64148e5eb525089c448adf0fb59c5257 | 61.235.117.71 | 80 | 6 |
2009-03-20 11:24:07 | e47f5ae73c218784ca44be93b1e9b6fdaf08fd14 | e5e320afaef997875d628c0ef5639762 | 61.235.117.71 | 80 | 6 |
2009-01-23 11:01:10 | f030980da614d6f10a56c7f6697e877aa48b47c6 | a59c9fcf630bac0059b5c8ece24f7c5b | 61.235.117.71 | 80 | 6 |
2009-04-17 10:20:37 | f80b1a66b7bf7c95d0b946aad6aaa3a221c32e9c | 284a019f5bd1e4f64c129870b23aba5e | 61.235.117.71 | 80 | 6 |
> AS | IP | AS Name
> 4134 | 122.225.36.35 | CHINANET-BACKBONE No.31,Jin-rong Street
We see three HTTP C&Cs on 122.225.36.35.
h x x p : / / 0083vorit.cn/IT02/get.php
h x x p : / / www.0083vorit.cn/IT02/get.php
h x x p : / / 1256hrom.cn/IT02/get.php
We see four DNS RRs pointed to 122.225.36.35 this month.
timestamp           | dns_name         | ip
--------------------+------------------+---------------
2009-04-04 23:44:29 | 0083vorit.cn     | 122.225.36.35
2009-04-04 23:44:55 | 1256hrom.cn      | 122.225.36.35
2009-05-02 07:02:41 | ns1.1256hrom.cn  | 122.225.36.35
2009-05-01 00:28:21 | www.0083vorit.cn | 122.225.36.35
We have ten samples in our malware menagerie that point to 122.225.36.35.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+---------------+----------+----------+------
2009-05-02 02:03:17 | 28bc036fb9edb9c6a6581a8bab209e4666b3eea1 | 4d28651e57ef28c7b686c9b97d9cafe6 | 122.225.36.35 | 80 | 6 | 432
2009-05-04 06:50:02 | 298a8b7b43bc3ec2b0dfda28fb34d8f7806f18b4 | 21fbd7391893ce2c7ccd2ab49ab40895 | 122.225.36.35 | 80 | 6 |
2009-05-02 02:03:32 | 29f7cc4b6cc27a8c1458179956dc06ba9a53ba33 | 8040ca8bd24342fb0c74ef86159be00d | 122.225.36.35 | 80 | 6 | 432
2009-05-03 15:21:06 | 4b50c11b31655ebb5337cf0df77f0dab7912568d | 4e41f9b7c9f9542892cedab264d004d0 | 122.225.36.35 | 80 | 6 |
2009-05-04 19:21:49 | 6e7d553987844a1d8fa5d14cfee687a3ce66736e | b446403c2399e550db577bf0178e933e | 122.225.36.35 | 80 | 6 |
2009-05-03 02:22:24 | 910d0e845e4f43e01d2b94f2e394a474dde82742 | a2645b1ac9c2c8e8c09c387cfbb3bdeb | 122.225.36.35 | 80 | 6 | 432
2009-05-05 17:23:04 | a6ef26023b99da19980ac13fa2abe38cfd0d100a | 85f2c4c634c347e37f223a36b4f6d006 | 122.225.36.35 | 80 | 6 |
2009-05-03 02:30:52 | bbc6cb8affad00a6687a4033952284dc025d767d | 83a1d7945ebfca35c3cf4eb6e896f207 | 122.225.36.35 | 80 | 6 | 432
2009-04-29 16:23:36 | e0d9184926ad8e994db92c0781c7b6479c01312d | c8f59bb81065b0dcc8dfd8132eccb192 | 122.225.36.35 | 80 | 6 |
2009-04-30 02:02:19 | eb0d6498d9785f35292051f6eb40204e7ee1c5a6 | 54aba80a4dc1852608e410c215288554 | 122.225.36.35 | 80 | 6 | 432
This appears to be an Apache server.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
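Indicator dumps like the one in the message above are only useful once they are matched against your own telemetry. The script below is an added example, not code from the original post or from Team Cymru: it parses sample rows in the same pipe-separated layout as the tables above, derives the (ip, port, protocol) set and the hostnames/URL path the message reports, and runs them over web-proxy and resolver logs. The log lines are constructed, and their formats (Squid native access.log, BIND-style query log) are an assumption; the indicator values themselves are copied from the message.

```python
"""Match the C&C indicators from the message against proxy and DNS logs.

Added example, not code from the original post.  Indicator values come from
the message; the log lines are constructed and their formats (Squid native
access.log, BIND-style query log) are assumed.
"""
from urllib.parse import urlsplit

# Two rows copied from the message's sample tables, same column order:
# timestamp | sha1 | md5 | dst_ip | dst_port | protocol | size  (size optional)
SAMPLE_TABLE = """
2009-04-17 08:06:31 | 0e36481d49afb55e14847a25a5ae2805debaf694 | 7e7640e49f6cc2dd7c073c6b747f4878 | 61.235.117.71 | 80 | 6 |
2009-05-02 02:03:17 | 28bc036fb9edb9c6a6581a8bab209e4666b3eea1 | 4d28651e57ef28c7b686c9b97d9cafe6 | 122.225.36.35 | 80 | 6 | 432
"""

# Hostnames and the HTTP C&C path reported in the message.
CNC_DOMAINS = {"newcounters.cn", "0083vorit.cn", "www.0083vorit.cn",
               "1256hrom.cn", "ns1.1256hrom.cn"}
CNC_PATHS = {"/IT02/get.php"}


def parse_samples(table):
    """Parse pipe-separated sample rows into dicts; the size field may be empty."""
    rows = []
    for line in table.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 6:
            continue  # not a data row
        size = fields[6] if len(fields) > 6 else ""
        rows.append({
            "timestamp": fields[0], "sha1": fields[1], "md5": fields[2],
            "dst_ip": fields[3], "dst_port": int(fields[4]),
            "protocol": int(fields[5]),  # 6 == TCP
            "size": int(size) if size else None,
        })
    return rows


def cnc_endpoints(rows):
    """Unique (ip, port, protocol) tuples, e.g. for a firewall or IDS rule."""
    return {(r["dst_ip"], r["dst_port"], r["protocol"]) for r in rows}


def check_proxy_line(line, endpoints):
    """Squid native access.log (assumed): URL is field 7, hierarchy field
    (DIRECT/<peer-ip>) is field 9.  Returns (kind, value) for the strongest
    matching indicator, or None."""
    parts = line.split()
    if len(parts) < 9:
        return None
    url = urlsplit(parts[6])
    host = (url.hostname or "").lower()
    peer = parts[8].split("/", 1)[-1]
    ips = {ip for ip, _, _ in endpoints}
    if host in CNC_DOMAINS:
        return ("domain", host)
    if host in ips or peer in ips:
        return ("ip", host if host in ips else peer)
    if url.path in CNC_PATHS:
        return ("path", url.path)  # weak on its own: review before acting
    return None


def check_dns_line(line):
    """BIND-style query log (assumed): '... query: <name> IN A ...'."""
    marker = "query: "
    i = line.find(marker)
    if i < 0:
        return None
    name = line[i + len(marker):].split()[0].rstrip(".").lower()
    return ("domain", name) if name in CNC_DOMAINS else None


def scan(proxy_lines, dns_lines, endpoints):
    """Return (source, kind, value, line) for every log line that matches."""
    hits = []
    for ln in proxy_lines:
        hit = check_proxy_line(ln, endpoints)
        if hit:
            hits.append(("proxy", hit[0], hit[1], ln))
    for ln in dns_lines:
        hit = check_dns_line(ln)
        if hit:
            hits.append(("dns", hit[0], hit[1], ln))
    return hits


# Constructed log lines (not from the message); the middle proxy line and the
# second DNS line are benign controls.
PROXY_LOG = [
    "1241549291.123    340 10.0.0.5 TCP_MISS/200 432 GET "
    "http://0083vorit.cn/IT02/get.php - DIRECT/122.225.36.35 text/html",
    "1241549300.456    120 10.0.0.6 TCP_MISS/200 1532 GET "
    "http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1241549310.789    210 10.0.0.7 TCP_MISS/200 88 GET "
    "http://61.235.117.71/ - DIRECT/61.235.117.71 text/html",
]
DNS_LOG = [
    "05-May-2009 14:48:11.000 client 10.0.0.5#53211: query: www.0083vorit.cn IN A + (10.0.0.1)",
    "05-May-2009 14:48:12.000 client 10.0.0.6#40122: query: www.example.com IN A + (10.0.0.1)",
]
```

Running `scan(PROXY_LOG, DNS_LOG, cnc_endpoints(parse_samples(SAMPLE_TABLE)))` flags the first and third proxy lines (domain and IP match) and the first DNS query, and leaves the example.com controls alone. Hostname and IP matches are treated as stronger than a bare `/IT02/get.php` path hit, since a path that generic will collide with unrelated sites; the peer-IP check catches clients that reach the C&C by address after the domain has been sinkholed or changed.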