[nsp-sec] ACK 2828 KR DDoS - Command and Control servers - Yup, they're still out there
Gong, Yiming
Yiming.Gong at xo.com
Thu Nov 12 16:16:13 EST 2009
ACK 2828, thanks
2828 | 140.239.222.35 | XO-AS15 - XO Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Nicholas Ianelli
Sent: Tuesday, November 10, 2009 3:04 PM
To: 'nsp-security at puck.nether.net'
Subject: [nsp-sec] KR DDoS - Command and Control servers - Yup, they're still out there
----------- nsp-security Confidential --------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team,
Attached is a list of 111 active Command and Control (C2) nodes from the
KR DDoS malware (affected AS' and IP data below).
Active infections include the following set of files on the system (in
addition to others as well as Services and corresponding Registry keys):
netlmgr.exe (C:\Windows\System32)
ntdll.ini (C:\Windows\System32)
perfa093.dat (C:\Windows\System32)
pxdrv.nls (C:\Windows\System32)
uregvs.nls (C:\Windows\System32)
Any and all files under C:\Windows\System32\Acrobat\
Everything under the following directory:
C:\windows\system32\acrobat\
If you need assistance, let me know. Feel free to share this data within
your constituency and trusted peers - please remove all PII and list
data before doing so.
The hosts listed below are listening on one of the following ports:
80/TCP
53/TCP
8080/TCP
443/TCP
21/TCP
Exact timestamps can be obtained, but the range is as follows:
2009-11-10 02:31 EST (-5 GMT)
2009-11-10 03:39 EST (-5 GMT)
https://asn.cymru.com/nsp-sec/upload/1257886351.whois.txt
577 | 207.236.47.20 | BACOM - Bell Canada
701 | 63.81.211.100 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
852 | 142.179.188.5 | ASN852 - Telus Advanced Communications
1239 | 207.43.68.89 | SPRINTLINK - Sprint
1239 | 208.15.239.199 | SPRINTLINK - Sprint
1659 | 210.70.175.51 | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Information Center
2516 | 124.208.252.169 | KDDI KDDI CORPORATION
2529 | 194.70.241.202 | DEMON-INTERNET Demon Internet
2614 | 194.102.32.19 | ROEDUNET Romanian Education Network
2820 | 195.68.252.16 | ELVIS-AS Elvis-Telecom, Moscow, Russia
2828 | 140.239.222.35 | XO-AS15 - XO Communications
2847 | 83.171.6.13 | LITNET LITNET, Lithuanian Academic and Research Network
3243 | 81.193.250.47 | TELEPAC PT.Com - Comunicacoes Interactivas, S.A.
3269 | 79.39.14.231 | ASN-IBSNAZ TELECOM ITALIA
3301 | 78.70.7.58 | TELIANET-SWEDEN TeliaNet Sweden
3462 | 220.128.156.6 | HINET Data Communication Business Group
3462 | 220.135.136.120 | HINET Data Communication Business Group
3462 | 60.251.45.88 | HINET Data Communication Business Group
3505 | 166.82.112.120 | WINDSTREAM - Windstream Communications Inc
3741 | 196.211.97.37 | IS
3741 | 196.213.203.148 | IS
3741 | 196.23.20.58 | IS
4130 | 136.142.100.42 | UPITT-AS - University of Pittsburgh
4134 | 116.10.195.134 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.137 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.149 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 58.210.234.154 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 60.190.22.154 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 61.147.113.98 | CHINANET-BACKBONE No.31,Jin-rong Street
4515 | 210.177.6.183 | ERX-STAR PCCW IMSBiz
4538 | 210.35.88.16 | ERX-CERNET-BKB China Education and Research Network Center
4565 | 155.229.78.81 | MEGAPATH2-US - MegaPath Networks Inc.
4565 | 155.229.79.4 | MEGAPATH2-US - MegaPath Networks Inc.
4750 | 58.137.27.245 | CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
4780 | 210.243.132.181 | SEEDNET Digital United Inc.
4837 | 202.97.136.244 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 220.250.12.157 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 221.202.72.84 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4837 | 61.139.142.52 | CHINA169-BACKBONE CNCGROUP China169 Backbone
5056 | 207.199.219.91 | INS-NET-2 - Iowa Network Services
5384 | 213.42.59.27 | EMIRATES-INTERNET Emirates Internet
5390 | 85.145.152.35 | EURONET Orange Nederland B.V. Global AS
5396 | 77.43.61.75 | MC-link Spa
5610 | 88.103.76.19 | TO2-CZECH-REPUBLIC Telefonica O2, Czech Republic
6181 | 216.196.177.144 | FUSE-NET - Cincinnati Bell Telephone
6327 | 24.108.248.23 | SHAW - Shaw Communications Inc.
6327 | 24.76.88.38 | SHAW - Shaw Communications Inc.
6400 | 201.229.187.1 | Compañía Dominicana de Teléfonos, C. por A. - CODETEL
6983 | 66.0.117.230 | ITCDELTA - ITC^Deltacom
8048 | 190.73.3.154 | CANTV Servicios, Venezuela
8151 | 201.144.42.36 | Uninet S.A. de C.V.
8167 | 189.31.229.184 | TELESC - Telecomunicacoes de Santa Catarina SA
8167 | 189.72.254.202 | TELESC - Telecomunicacoes de Santa Catarina SA
8629 | 84.253.94.110 | MCNTT-AS MCNTT Autonomous System
8732 | 87.245.140.142 | COMCOR-AS AS for Moscow Telecommunication Corporation (COMCOR)
9050 | 89.122.74.160 | RTD ROMTELECOM S.A
9121 | 85.96.238.169 | TTNET TTnet Autonomous System
9304 | 118.142.14.42 | HUTCHISON-AS-AP Hutchison Global Communications
9394 | 222.56.118.20 | CRNET CHINA RAILWAY Internet(CRNET)
9916 | 163.19.104.19 | NCTU-TW National Chiao Tung University,
9916 | 163.19.170.181 | NCTU-TW National Chiao Tung University,
9916 | 163.19.170.182 | NCTU-TW National Chiao Tung University,
9916 | 163.19.221.184 | NCTU-TW National Chiao Tung University,
9924 | 114.198.171.203 | TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
10993 | 206.72.76.235 | AERIONET-INC - Aerioconnect
11060 | 98.100.24.158 | NEO-RR-COM - Road Runner HoldCo LLC
11290 | 205.237.43.14 | RAPIDUS - COGECO Cable Canada Inc.
11666 | 76.75.92.169 | NEXICOM-CA - Nexicom Inc.
12741 | 83.238.81.238 | INTERNETIA-AS Netia SA
12880 | 78.39.72.3 | DCI-AS DCI Autonomous System
13110 | 85.221.220.232 | INEA-AS INEA network (ICP)
13367 | 173.11.40.93 | COMCAST-13367 - Comcast Cable Communications Holdings, Inc
13489 | 190.70.244.81 | EPM Telecomunicaciones S.A. E.S.P.
14178 | 201.149.23.116 | Megacable Comunicaciones de Mexico, SA de CV
16342 | 217.113.234.233 | Toya ,TV cable company located in PL( town Lodz).
16399 | 216.159.239.4 | FIRSTCOMM-AS2 - First Communications LLC
16629 | 200.68.10.27 | CTC. CORP S.A. (TELEFONICA EMPRESAS)
17459 | 203.191.169.126 | M2TELECOMMUNICATIONS-AP M2 Telecommunications Group Ltd
17621 | 58.247.114.86 | CNCGROUP-SH China Unicom Shanghai network
17746 | 121.98.80.170 | ORCONINTERNET-NZ-AP Orcon Internet
18566 | 72.244.141.204 | COVAD - Covad Communications Co.
18747 | 190.60.42.82 | IFX-NW - IFX Communication Ventures, Inc.
19093 | 199.43.208.211 | IBMUSF-SCH - IBM
19262 | 71.120.201.23 | VZGNI-TRANSIT - Verizon Internet Services Inc.
19817 | 66.218.62.50 | DSLEXTREME - DSL Extreme
20115 | 24.181.13.217 | CHARTER-NET-HKY-NC - Charter Communications
20115 | 68.185.22.250 | CHARTER-NET-HKY-NC - Charter Communications
20115 | 96.40.104.17 | CHARTER-NET-HKY-NC - Charter Communications
20115 | 97.93.77.209 | CHARTER-NET-HKY-NC - Charter Communications
20456 | 66.254.194.146 | T6-BROADBAND - T6 Broadband
21050 | 62.215.216.141 | FAST-TELCO Fast Telecommunications Company W.L.L.
21508 | 173.15.205.104 | COMCAST-21508 - Comcast Cable Communications Holdings, Inc
22773 | 98.191.168.50 | ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
23292 | 66.235.45.169 | MILLENIUM-DIGITAL - Broadstripe
27431 | 216.29.152.200 | JTLNET - JTL Networks Inc.
28525 | 189.200.82.26 | TELEVISION POR CABLE DE TABASCO S.A. DE C.V.
29079 | 217.25.56.8 | IRNA-AS IRAN News Agency.
29780 | 75.118.190.185 | WOW-INTERNET-CLV - WideOpenWest Finance LLC
30340 | 65.61.118.52 | AS-TIER - Tierpoint, LLC
31416 | 217.145.247.138 | APPTEC-NETWORK App-Tec_s Network - AS
31619 | 84.205.98.194 | CITYSTARS-AS
31642 | 212.37.113.150 | STADSNAT Regional Internet Exchange (RIX)
31931 | 208.14.183.144 | EPHINAYNET - Ephinay
32613 | 67.205.106.181 | IWEB-AS - iWeb Technologies Inc.
32768 | 74.85.103.41 | MOBIUS-COMMUNICATIONS-NE - HEMINGFORD TELEPHONE
33287 | 70.90.12.49 | COMCAST-33287 - Comcast Cable Communications, Inc.
39015 | 87.237.199.108 | MENA Mena Broadband AS
39015 | 87.237.199.110 | MENA Mena Broadband AS
39246 | 77.78.133.2 | LIULINNET Liulin Net Internet Services Network
42004 | 194.105.154.4 | ULGRP-AS Information Technology Un Limited
43395 | 94.101.135.139 | AFROOZ Afrooz Network Solutions
- --
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkr51UkACgkQi10dJIBjZIDTaQCguI7x+iEzvd2TuThPn/L7HAd4
tHoAoMAtCgr6J93CFzP36Klxi6jXTATw
=xqV3
-----END PGP SIGNATURE-----
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
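The reply above is the routine an operator runs on every such share: parse the "ASN | IP | AS name" list, pull out the rows that sit in your own autonomous systems, and ACK them back to the list. The script below is an added example written for this thread, not code from the original posting or from Neustar; it assumes only the three-column pipe-separated format shown above, and its sample input is constructed from a handful of entries on the page (including one entry whose name wrapped onto a second line in the mail, which the parser folds back into the row it belongs to). The ASN set passed in is a hypothetical "our networks" list.

```python
import ipaddress
import re

# Constructed sample in the "ASN | IP | AS name" format of the list above.
# Rows are copied from the page; the "d/b/a Verizon Business" line shows how
# a long AS name arrives after 72-column mail wrapping.
SAMPLE_LIST = """\
577 | 207.236.47.20 | BACOM - Bell Canada
701 | 63.81.211.100 | UUNET - MCI Communications Services, Inc.
d/b/a Verizon Business
2828 | 140.239.222.35 | XO-AS15 - XO Communications
3462 | 220.128.156.6 | HINET Data Communication Business Group
3462 | 220.135.136.120 | HINET Data Communication Business Group
"""

# A real row: integer ASN, dotted-quad, free-text name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s*\|\s*([0-9.]+)\s*\|\s*(.*)$")


def parse_c2_list(text):
    """Parse 'ASN | IP | name' lines into (asn, ip_address, name) tuples.

    A non-matching, non-empty line is treated as the wrapped tail of the
    previous entry's name; if there is no previous entry it is dropped.
    Rows whose IP does not parse are skipped rather than blocked blindly.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            asn, ip, name = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # malformed address: do not act on garbage
            entries.append((int(asn), addr, name.strip()))
        elif entries:
            asn, addr, name = entries[-1]
            entries[-1] = (asn, addr, f"{name} {line}")
    return entries


def hosts_for_asns(entries, my_asns):
    """IPs (as strings, in list order) whose origin ASN is in my_asns."""
    wanted = set(my_asns)
    return [str(addr) for asn, addr, _ in entries if asn in wanted]


def count_by_asn(entries):
    """How many listed hosts each ASN carries, for prioritising outreach."""
    counts = {}
    for asn, _, _ in entries:
        counts[asn] = counts.get(asn, 0) + 1
    return counts


def format_ack(entries, my_asns):
    """Build the reply an operator sends back: 'ACK <asn>' plus our rows.

    Returns an empty string when none of the listed hosts are ours.
    """
    ours = [(asn, addr, name) for asn, addr, name in entries if asn in set(my_asns)]
    if not ours:
        return ""
    asns = sorted({asn for asn, _, _ in ours})
    lines = ["ACK " + " ".join(str(a) for a in asns)]
    lines += [f"{asn} | {addr} | {name}" for asn, addr, name in ours]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_c2_list(SAMPLE_LIST)
    print(format_ack(rows, [2828]))  # hypothetical "our ASN" for the demo
    print(count_by_asn(rows))
```

Once the rows are parsed, the same tuples feed whatever the NOC does next: a flow query on the listed IP and the five ports the post names, or a ticket to the customer behind the address. Keeping the parse strict (integer ASN, valid address) means a mangled line produces a skipped row, not a mistyped filter.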