[nsp-sec] identity theft c&c (AS 24400, 9808)

Yiming Gong yiming.gong at xo.com
Mon May 11 13:17:57 EDT 2009


I am trying to get hold of their security engineer via a contact person; 
an email has been sent, and we will see if they can rectify the issue tomorrow 
(it is midnight in China now).

China Mobile has a dedicated security team, so I would think the odds are good 
they will be able to fix the problem.

Yiming

On 05/11/2009 10:12 AM, Tom Fischer wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> On Tue, May 05, 2009 at 08:56:22AM +0200, Tom Fischer wrote:
>> Any chance to terminate / null route the mentioned systems?
>>
>> Malware distribution:
>> hxxp://0083vorit.cn/dbv4.exe
>> AV-scan: http://www.virustotal.com/analisis/d4d366666ce212757d562c9647617354
>
> moved from 122.225.36.35 to 221.130.192.79
>
> 2009-04-07 15:35:28 2009-04-07 15:35:28 0083vorit.cn TXT "v=spf1 a mx
> 2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
> 2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
> 2009-04-24 20:07:36 2009-05-05 21:05:49 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009042400
> 2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
> 2009-05-09 18:05:49 2009-05-10 22:11:44 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009050900
> 2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10 mail.0083vorit.cn
> 2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
> 2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
> 2009-05-10 23:05:47 2009-05-11 10:16:55 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009051000
>
> AS      | IP               | AS Name
> 24400   | 221.130.192.79   | CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
>
> PEER_AS | IP               | AS Name
> 9808    | 221.130.192.79   | CMNET-GD Guangdong Mobile Communication Co.Ltd.
>
> btw. another alias is 1256hrom.cn
> 2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
>
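The passive-DNS listing quoted above is the kind of evidence an abuse desk works from: it shows the C&C name hopping between three hosting IPs in two months and a second name (the nameserver's own domain) landing on the same final address. The following Python is an added example, not code from the thread or from either poster; it parses records in exactly the layout quoted (first seen, last seen, name, type, rdata), reconstructs the A-record timeline, finds other names sharing the current IP, and reports which IPs are still live as of the reply's timestamp so a blocklist does not carry stale entries. The sample lines are copied from the quoted message; the function names and the two-day freshness window are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Passive-DNS records exactly as quoted in the thread (a subset; the truncated
# TXT line is kept to show that the parser tolerates cut-off rdata).
PDNS_LINES = """\
2009-04-07 15:35:28 2009-04-07 15:35:28 0083vorit.cn TXT "v=spf1 a mx
2009-04-07 07:06:57 2009-04-24 00:11:53 0083vorit.cn SOA ns1.1256hrom.cn hostmaster.0083vorit.cn 2009030300
2009-03-17 07:24:07 2009-04-24 00:53:34 0083vorit.cn A 210.83.85.99
2009-04-24 20:07:36 2009-05-06 15:13:20 0083vorit.cn A 122.225.36.35
2009-04-07 07:06:57 2009-05-11 10:11:46 0083vorit.cn MX 10 mail.0083vorit.cn
2009-03-17 07:24:06 2009-05-11 10:16:51 0083vorit.cn NS ns1.1256hrom.cn
2009-05-09 17:56:38 2009-05-11 10:16:51 0083vorit.cn A 221.130.192.79
2009-05-10 01:06:03 2009-05-11 08:53:08 1256hrom.cn A 221.130.192.79
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class PdnsRecord:
    first_seen: datetime
    last_seen: datetime
    name: str
    rtype: str
    rdata: str


def parse_pdns(text: str) -> list[PdnsRecord]:
    """Parse 'first_seen last_seen name type rdata...' lines; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        first = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FORMAT)
        last = datetime.strptime(f"{parts[2]} {parts[3]}", TS_FORMAT)
        records.append(PdnsRecord(first, last, parts[4], parts[5], " ".join(parts[6:])))
    return records


def a_record_timeline(records, name):
    """(first_seen, last_seen, ip) tuples for a name's A records, oldest first."""
    rows = sorted((r for r in records if r.name == name and r.rtype == "A"),
                  key=lambda r: r.first_seen)
    return [(r.first_seen, r.last_seen, r.rdata) for r in rows]


def ip_hops(records, name):
    """IPs the name has resolved to, in order of first appearance."""
    return [ip for _, _, ip in a_record_timeline(records, name)]


def names_sharing_ip(records, ip):
    """Other hostnames resolving to the same IP: candidate aliases to handle together."""
    return sorted({r.name for r in records if r.rtype == "A" and r.rdata == ip})


def nameserver_domains(records, name):
    """Registrable domains of the name's NS hosts (assumes two-label registrable domains)."""
    out = set()
    for r in records:
        if r.name == name and r.rtype == "NS":
            labels = r.rdata.rstrip(".").split(".")
            out.add(".".join(labels[-2:]))
    return sorted(out)


def current_ips(records, name, as_of: str, max_age_days: int = 2):
    """IPs still seen within max_age_days of as_of; older resolutions are treated as stale."""
    cutoff = datetime.strptime(as_of, TS_FORMAT) - timedelta(days=max_age_days)
    return [ip for _, last, ip in a_record_timeline(records, name) if last >= cutoff]


if __name__ == "__main__":
    recs = parse_pdns(PDNS_LINES)
    for first, last, ip in a_record_timeline(recs, "0083vorit.cn"):
        print(f"{first} .. {last}  {ip}")
    print("hops:", " -> ".join(ip_hops(recs, "0083vorit.cn")))
    print("names on 221.130.192.79:", names_sharing_ip(recs, "221.130.192.79"))
    print("NS domains:", nameserver_domains(recs, "0083vorit.cn"))
    print("live as of reply:", current_ips(recs, "0083vorit.cn", "2009-05-11 13:17:57"))
```

Run as-is it prints the three-hop timeline, flags 1256hrom.cn as sharing the latest IP, and lists only 221.130.192.79 as live; the earlier addresses drop out because their last-seen timestamps are older than the freshness window.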