[nsp-sec] UDP based DDoS Attack
Rob Thomas
robt at cymru.com
Tue May 12 17:01:27 EDT 2009
Hey, Nick.
We've not spotted the C&C with certainty, but there are a few
interesting connections.
Two of the IPs attacking you connected to TCP 4876 on 78.110.175.13 on
2009-05-12 UTC. That port may still be active and accepting connections.
AS    | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
42831 | 78.110.175.13 | 78.110.160.0/20 | GB | ripencc  | 2007-08-14 | UKSERVERS-AS UK Dedicated Servers Limited
Hmm! There might be something to this IP. We have four samples in our
malware menagerie that point to 78.110.175.13. Two of them point
specifically to TCP 4876.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+---------------+----------+----------+-------
2009-04-23 03:13:25 | 062d014d07a1bc1c6368210504340c1b16954894 | 6523dfd1b1fcd8d448b32c90f60af679 | 78.110.175.13 | 4876     | 6        | 0
2009-04-20 07:52:32 | 228e5ef6d5bf9b67106c7ccfe7bed5c03073765e | c246b0edc4103ed7b81206147bf15be8 | 78.110.175.13 | 4876     | 6        | 0
2009-03-18 18:53:22 | 6eb4a272710e890054500c5781331af6ca59c5e6 | 53e69da7f089c3765d4cada4fadd4b7b | 78.110.175.13 | 2194     | 6        | 305059
2009-03-18 21:12:49 | 82156eb090ff75ba549be28ec4f3dd4943d26cea | ea4068c113674ec17934914529b0a953 | 78.110.175.13 | 2194     | 6        | 3447
Taking a closer look at SHA1 062d014d07a1bc1c6368210504340c1b16954894,
MD5 6523dfd1b1fcd8d448b32c90f60af679, I see a lot of AV signatures with
the string "virut" in them.
It generates a lot of UDP 53 traffic. It also has an IRC component:
Server: irz.zief.pl 121.12.125.198
Port: TCP 80
Channel: #.130
That server is slow, but active.
The bots may be running a HTTP GET of the following URL:
h x x p : / / goasi.cn / ex / a.php
Two of the IPs attacking you connected to TCP 2457 on 78.110.175.18 on
2009-05-12. That port may still be active and accepting connections.
AS    | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
42831 | 78.110.175.18 | 78.110.160.0/20 | GB | ripencc  | 2007-08-14 | UKSERVERS-AS UK Dedicated Servers Limited
Yahtzee! TCP 2457 is tied to malware.
timestamp           | sha1                                     | md5                              | dst_ip        | dst_port | protocol | size
--------------------+------------------------------------------+----------------------------------+---------------+----------+----------+-----
2009-04-23 03:13:25 | 062d014d07a1bc1c6368210504340c1b16954894 | 6523dfd1b1fcd8d448b32c90f60af679 | 78.110.175.18 | 2457     | 6        | 32
2009-05-01 04:00:22 | 0e1cab026c7961b0e0895feb4ef9c8f402165804 | 6b0257175892fb2c91e0362e3cc2735f | 78.110.175.18 | 2457     | 6        | 32
2009-04-18 11:12:45 | 214e586f2916b03c1f6658e71168b8f59430b954 | 82e638fc7ae32d589a25b1f4150c5c07 | 78.110.175.18 | 2457     | 6        | 32
78.110.175.18 showed up as infected with Conficker as of 2009-02-03
14:54:22 UTC.
78.110.175.18 was running TCP 445 scans back on 2009-02-03 15:40:21 UTC.
All of those connections and IPs above might be ill-intentioned but
unrelated, of course.
It may be the case that the same set of hosts attacked 122.11.55.133 on
the following dates and times (at least):
2009-05-06 07:27:09 UTC
2009-05-11 13:12:56 UTC
2009-05-12 02:16:21 UTC
In summary I'd take a closer look at 78.110.175.13 and 78.110.175.18.
Thanks,
Rob.
--
Rob Thomas
Team Cymru
https://www.team-cymru.org/
cmn_err(CEO_PANIC, "Out of coffee!");
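The pivot Rob performs by hand above (endpoints that several attacking hosts contacted and that sandboxed malware samples also contacted) can be scripted for triage. The following is an added example, not code from the post or from Team Cymru; the sample-table rows are copied from the post, while the flow records are constructed, with RFC 5737 documentation addresses standing in for the attacking IPs.

```python
from collections import defaultdict

# Rows in the pipe-delimited layout of the sample tables in the post above
# (values taken from the post; the md5 and size columns are dropped here).
SAMPLE_TABLE = """\
timestamp | sha1 | dst_ip | dst_port | protocol
2009-04-23 03:13:25 | 062d014d07a1bc1c6368210504340c1b16954894 | 78.110.175.13 | 4876 | 6
2009-04-20 07:52:32 | 228e5ef6d5bf9b67106c7ccfe7bed5c03073765e | 78.110.175.13 | 4876 | 6
2009-03-18 18:53:22 | 6eb4a272710e890054500c5781331af6ca59c5e6 | 78.110.175.13 | 2194 | 6
2009-03-18 21:12:49 | 82156eb090ff75ba549be28ec4f3dd4943d26cea | 78.110.175.13 | 2194 | 6
2009-04-23 03:13:25 | 062d014d07a1bc1c6368210504340c1b16954894 | 78.110.175.18 | 2457 | 6
2009-05-01 04:00:22 | 0e1cab026c7961b0e0895feb4ef9c8f402165804 | 78.110.175.18 | 2457 | 6
2009-04-18 11:12:45 | 214e586f2916b03c1f6658e71168b8f59430b954 | 78.110.175.18 | 2457 | 6
"""

# Constructed flow records seen from the victim side: (src_ip, dst_ip, dst_port, proto).
# Source addresses are RFC 5737 documentation ranges standing in for the attackers.
ATTACKER_FLOWS = [
    ("198.51.100.7", "78.110.175.13", 4876, 6),
    ("198.51.100.7", "203.0.113.50", 80, 6),
    ("198.51.100.9", "78.110.175.13", 4876, 6),
    ("198.51.100.9", "78.110.175.18", 2457, 6),
    ("198.51.100.12", "78.110.175.18", 2457, 6),
    ("198.51.100.12", "203.0.113.50", 80, 6),
]

def parse_sample_table(text):
    """Turn the pipe-delimited table into dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not set(ln) <= set("- ")]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, (f.strip() for f in line.split("|"))))
        row["dst_port"], row["protocol"] = int(row["dst_port"]), int(row["protocol"])
        rows.append(row)
    return rows

def candidate_c2(flows, samples, min_attackers=2):
    """Endpoints contacted by >= min_attackers distinct attacking IPs *and* by at
    least one malware sample, with the evidence (sources, hashes) behind each hit."""
    attackers = defaultdict(set)
    for src, dst, port, proto in flows:
        attackers[(dst, port, proto)].add(src)
    hashes = defaultdict(set)
    for s in samples:
        hashes[(s["dst_ip"], s["dst_port"], s["protocol"])].add(s["sha1"])
    return {ep: {"attackers": sorted(srcs), "samples": sorted(hashes[ep])}
            for ep, srcs in attackers.items()
            if len(srcs) >= min_attackers and ep in hashes}
```

With the constructed flows, `candidate_c2(ATTACKER_FLOWS, parse_sample_table(SAMPLE_TABLE))` returns only 78.110.175.13:4876 and 78.110.175.18:2457; 203.0.113.50:80 is dropped because no sample contacted it, and the 2194 samples are dropped because no attacker did.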