[nsp-sec] Waledac C&C

Gabriel Iovino giovino at ren-isac.net
Tue Nov 10 11:03:19 EST 2009


Greetings,

(This is being proxied for Dan Adinolfi @ cornell.edu)

Cornell found a Waledac C&C on their wireless network. They are in the
process of taking the machine offline.

C&C info:

128.84.50.52:80

Here is a sample of the callback coming into the C&C:

0000  00 0e d6 21 9c 00 00 16 9c 6f 72 40 08 00 45 00   ...!.....or@..E.
0010  00 f0 51 00 40 00 6e 06 70 20 3b 9c 5c c3 80 54   ..Q.@.n.p ;.\..T
0020  32 34 08 ce 00 50 48 34 b9 5f fe 34 de bb 50 18   24...PH4._.4..P.
0030  ff ff 6c ee 00 00 50 4f 53 54 20 2f 78 7a 7a 64   ..l...POST /xzzd
0040  71 69 71 66 6b 67 2e 70 6e 67 20 48 54 54 50 2f   qiqfkg.png HTTP/
0050  31 2e 31 0d 0a 52 65 66 65 72 65 72 3a 20 4d 6f   1.1..Referer: Mo
0060  7a 69 6c 6c 61 0d 0a 41 63 63 65 70 74 3a 20 2a   zilla..Accept: *
0070  2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65   /*..Content-Type
0080  3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d   : application/x-
0090  77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f   www-form-urlenco
00a0  64 65 64 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a   ded..User-Agent:
00b0  20 4d 6f 7a 69 6c 6c 61 0d 0a 48 6f 73 74 3a 20    Mozilla..Host:
00c0  31 32 38 2e 38 34 2e 35 30 2e 35 32 0d 0a 43 6f   128.84.50.52..Co
00d0  6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 35   ntent-Length: 95
00e0  37 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c   7..Cache-Control
00f0  3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a         : no-cache....

Cornell's FireEye sensor detected the following hosts connecting to the
C&C server.

All times are EST -0500


Regards,

Gabe

--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
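An added example (mine, not part of Gabe's report) that decodes the packet dump above, strips the Ethernet/IPv4/TCP headers, and lists which traits of that callback a given HTTP request shares: the form-encoded POST to a .png path, the bare "Mozilla" User-Agent and Referer, and a Host header that is a bare IP. The dump text is copied from the report; the indicator list is my reading of it, not a published Waledac signature.

```python
import re
import struct

# Packet dump copied from the report above (ASCII column omitted).
SAMPLE_DUMP = """\
0000  00 0e d6 21 9c 00 00 16 9c 6f 72 40 08 00 45 00
0010  00 f0 51 00 40 00 6e 06 70 20 3b 9c 5c c3 80 54
0020  32 34 08 ce 00 50 48 34 b9 5f fe 34 de bb 50 18
0030  ff ff 6c ee 00 00 50 4f 53 54 20 2f 78 7a 7a 64
0040  71 69 71 66 6b 67 2e 70 6e 67 20 48 54 54 50 2f
0050  31 2e 31 0d 0a 52 65 66 65 72 65 72 3a 20 4d 6f
0060  7a 69 6c 6c 61 0d 0a 41 63 63 65 70 74 3a 20 2a
0070  2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65
0080  3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d
0090  77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f
00a0  64 65 64 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a
00b0  20 4d 6f 7a 69 6c 6c 61 0d 0a 48 6f 73 74 3a 20
00c0  31 32 38 2e 38 34 2e 35 30 2e 35 32 0d 0a 43 6f
00d0  6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 35
00e0  37 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c
00f0  3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a
"""

def parse_hexdump(dump):
    """Rebuild raw bytes from 'offset  xx xx ...' lines; any ASCII column is ignored."""
    pat = re.compile(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2} ){0,15}[0-9a-f]{2})")
    return b"".join(bytes.fromhex(m.group(1)) for m in map(pat.match, dump.splitlines()) if m)

def tcp_payload(frame):
    """Strip Ethernet/IPv4/TCP headers; return (src_ip, dst_ip, dst_port, payload)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour IP total length
    tcp = ip[(ip[0] & 0x0F) * 4:]                             # IHL gives IP header size
    src, dst = (".".join(map(str, ip[o:o + 4])) for o in (12, 16))
    return src, dst, struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def waledac_indicators(payload):
    """Return the traits of the report's callback that this HTTP request shares."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path = head[0].split(" ")[:2]
    hdr = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in head[1:])}
    hits = {  # each trait is weak alone; the sample matches all four (my assumption as a threshold)
        "form POST to a .png path": method == "POST" and path.lower().endswith(".png")
            and hdr.get("content-type") == "application/x-www-form-urlencoded",
        "bare 'Mozilla' User-Agent": hdr.get("user-agent") == "Mozilla",
        "Referer is 'Mozilla', not a URL": hdr.get("referer") == "Mozilla",
        "Host is a bare IPv4 address": re.fullmatch(r"\d+(\.\d+){3}", hdr.get("host", "")) is not None,
    }
    return [label for label, hit in hits.items() if hit]
```

Decoding the sample gives source 59.156.92.195 talking to 128.84.50.52:80 and all four traits; an ordinary browser request with a full User-Agent, URL Referer and hostname Host matches none.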
