[nsp-sec] ACK 174 RE: Waladec C&C
Shelton, Steve
sshelton at Cogentco.com
Tue Nov 10 11:35:53 EST 2009
Thanks!
Steve Shelton
Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Gabriel Iovino
Sent: Tuesday, November 10, 2009 9:03 AM
To: NSP nsp-security
Subject: [nsp-sec] Waladec C&C
----------- nsp-security Confidential --------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
(This is being proxied for Dan Adinolfi @ cornell.edu)
Cornell found a Waledac C&C on their wireless network. They are in the
process of taking the machine offline.
C&C info:
128.84.50.52:80
Here is a sample of the callback coming into the C&C:
0000 00 0e d6 21 9c 00 00 16 9c 6f 72 40 08 00 45 00 ...!.....or at ..E.
0010 00 f0 51 00 40 00 6e 06 70 20 3b 9c 5c c3 80 54 ..Q. at .n.p ;.\..T
0020 32 34 08 ce 00 50 48 34 b9 5f fe 34 de bb 50 18 24...PH4._.4..P.
0030 ff ff 6c ee 00 00 50 4f 53 54 20 2f 78 7a 7a 64 ..l...POST /xzzd
0040 71 69 71 66 6b 67 2e 70 6e 67 20 48 54 54 50 2f qiqfkg.png HTTP/
0050 31 2e 31 0d 0a 52 65 66 65 72 65 72 3a 20 4d 6f 1.1..Referer: Mo
0060 7a 69 6c 6c 61 0d 0a 41 63 63 65 70 74 3a 20 2a zilla..Accept: *
0070 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 /*..Content-Type
0080 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d : application/x-
0090 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f www-form-urlenco
00a0 64 65 64 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a ded..User-Agent:
00b0 20 4d 6f 7a 69 6c 6c 61 0d 0a 48 6f 73 74 3a 20 Mozilla..Host:
00c0 31 32 38 2e 38 34 2e 35 30 2e 35 32 0d 0a 43 6f 128.84.50.52..Co
00d0 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 35 ntent-Length: 95
00e0 37 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 7..Cache-Control
00f0 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a : no-cache....
Cornell's FireEye sensor detected the following hosts connecting to the
C&C server.
All times are EST -0500
> Bulk mode; whois.cymru.com [2009-11-10 15:50:57 +0000]
> 174 | 198.138.134.45 | 11/10/09 09:51:38 | COGENT Cogent/PSI
> 174 | 38.105.236.2 | 11/10/09 10:03:48 | COGENT Cogent/PSI
Regards,
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
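The callback sample in Gabe's message, decoded by an added Python example that is not part of the original thread: it parses the posted hex dump (embedded verbatim; the ASCII column, including the archiver's "@" to " at " rewrite, is ignored), strips the Ethernet/IPv4/TCP headers, and extracts the HTTP request plus the traits of this specific callback that a sensor rule could key on. The indicator labels are my own wording, not a published signature.

```python
CALLBACK_DUMP = r"""
0000 00 0e d6 21 9c 00 00 16 9c 6f 72 40 08 00 45 00 ...!.....or at ..E.
0010 00 f0 51 00 40 00 6e 06 70 20 3b 9c 5c c3 80 54 ..Q. at .n.p ;.\..T
0020 32 34 08 ce 00 50 48 34 b9 5f fe 34 de bb 50 18 24...PH4._.4..P.
0030 ff ff 6c ee 00 00 50 4f 53 54 20 2f 78 7a 7a 64 ..l...POST /xzzd
0040 71 69 71 66 6b 67 2e 70 6e 67 20 48 54 54 50 2f qiqfkg.png HTTP/
0050 31 2e 31 0d 0a 52 65 66 65 72 65 72 3a 20 4d 6f 1.1..Referer: Mo
0060 7a 69 6c 6c 61 0d 0a 41 63 63 65 70 74 3a 20 2a zilla..Accept: *
0070 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 /*..Content-Type
0080 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d : application/x-
0090 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f www-form-urlenco
00a0 64 65 64 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a ded..User-Agent:
00b0 20 4d 6f 7a 69 6c 6c 61 0d 0a 48 6f 73 74 3a 20 Mozilla..Host:
00c0 31 32 38 2e 38 34 2e 35 30 2e 35 32 0d 0a 43 6f 128.84.50.52..Co
00d0 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 39 35 ntent-Length: 95
00e0 37 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 7..Cache-Control
00f0 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a : no-cache....
"""

def parse_hexdump(dump):
    """Raw frame bytes: offset column dropped, ASCII column ignored (so the archiver's '@'->' at ' is harmless)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:                    # skip offset, at most 16 bytes per row
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break                                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def tcp_payload(frame):
    """Skip Ethernet II (14 bytes), IPv4 (IHL field) and TCP (data offset field) headers."""
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def parse_request(payload):
    """Return (method, path, {lowercase header name: value}) for the HTTP request in the payload."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = dict(map(str.strip, h.split(":", 1)) for h in head[1:])
    return method, path, {k.lower(): v for k, v in headers.items()}

def callback_indicators(method, path, headers):
    """Traits of this sample a sensor rule could key on; taken from the post, not a generic signature."""
    hits = []
    if (method == "POST" and path.endswith(".png")
            and headers.get("content-type") == "application/x-www-form-urlencoded"):
        hits.append("form-urlencoded POST to a .png URL")
    if headers.get("user-agent") == "Mozilla" and headers.get("referer") == "Mozilla":
        hits.append("bare 'Mozilla' as both User-Agent and Referer")
    return hits
```

Running `callback_indicators(*parse_request(tcp_payload(parse_hexdump(CALLBACK_DUMP))))` returns both labels for the posted frame; the Content-Length of 957 shows the dump covers only the header portion of the callback.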