[nsp-sec] KR DDoS - Command and Control servers - Yup, they're still out there

Marius Urkis marius at litnet.lt
Wed Nov 11 05:07:46 EST 2009


ACK 2847

Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> Team,
> 
> Attached is a list of 111 active Command and Control (C2) nodes from the
> KR DDoS malware (affected AS' and IP data below).
> 
> Active infections include the following set of files on the system (in
> addition to others as well as Services and corresponding Registry keys):
> 
> netlmgr.exe (C:\Windows\System32)
> ntdll.ini (C:\Windows\System32)
> perfa093.dat (C:\Windows\System32)
> pxdrv.nls (C:\Windows\System32)
> uregvs.nls (C:\Windows\System32)
> 
> Any and all files under C:\Windows\System32\Acrobat\
> 
> Everything under the following directory:
> C:\windows\system32\acrobat\
> 
> If you need assistance, let me know. Feel free to share this data within
> your constituency and trusted peers - please remove all PII and list
> data before doing so.
> 
> The hosts listed below are listening on one of the following ports:
> 
> 80/TCP
> 53/TCP
> 8080/TCP
> 443/TCP
> 21/TCP
> 
> Exact timestamps can be obtained, but the range is as follows:
> 
> 2009-11-10 02:31 EST (-5 GMT)
> 2009-11-10 03:39 EST (-5 GMT)
> 
> https://asn.cymru.com/nsp-sec/upload/1257886351.whois.txt
> 


- --
Marius

=============================
 Marius Urkis
 LITNET CERT
 http://cert.litnet.lt
 Tel: +370 37 300645
 GSM: +370 687 79059
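A host-side sweep for the file indicators quoted in the message above, added here as an example and not part of the original post or of any tool the list members used. It walks a Windows-style tree, flags the five named System32 files and anything under the Acrobat directory (case-insensitively, since the message spells that path both ways), and builds a constructed sample tree so it runs offline; a name match is a triage signal for the analyst, not proof of infection, since the message says the services and registry keys are part of the picture too.

```python
import os
import tempfile

# Indicator file names taken from the message above (reported under C:\Windows\System32).
SYSTEM32_FILES = {"netlmgr.exe", "ntdll.ini", "perfa093.dat", "pxdrv.nls", "uregvs.nls"}
# Any file under this directory tree is reported as suspect.
ACROBAT_DIR = ("windows", "system32", "acrobat")


def find_indicators(root):
    """Return relative paths under `root` that match the KR DDoS file indicators.

    Comparison is done on lower-cased path components, because Windows paths are
    case-insensitive and the advisory lists the Acrobat directory in two spellings.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = () if rel == "." else tuple(p.lower() for p in rel.split(os.sep))
        for name in files:
            if parts == ("windows", "system32") and name.lower() in SYSTEM32_FILES:
                hits.append(os.path.join(rel, name))
            elif parts[:3] == ACROBAT_DIR:
                hits.append(os.path.join(rel, name))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (not real host data): two listed files, one benign
    file that must not match, and one file inside the Acrobat directory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "System32", "Acrobat", "x"))
    for name in ("netlmgr.exe", "uregvs.nls", "kernel32.dll"):
        open(os.path.join(root, "Windows", "System32", name), "w").close()
    open(os.path.join(root, "Windows", "System32", "Acrobat", "x", "dropper.bin"), "w").close()
    return root


if __name__ == "__main__":
    for hit in find_indicators(build_demo_tree()):
        print("indicator match:", hit)
```

Point `find_indicators` at a mounted image or the root of a live volume to run the same sweep against a real host.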