[nsp-sec] Monkif C2 - AS33837 Peers: AS21202 and AS30912 - little help please?
Nicholas Ianelli
ni at centergate.net
Wed Nov 25 14:23:52 EST 2009
Folks,
There is a pattern of behavior that has really become annoying. The
Monkif family of malware has been leveraging a variety of .BIZ domains
for its C2. Despite them being taken down, they continue to use them,
but they also use the same back-end hosts: 88.80.7.152 and 88.80.5.3
inetnum: 88.80.2.0 - 88.80.7.255
netname: PRQ-NET-COLO
descr: prq Inet POP STH3
descr: Co-located customer servers
country: SE
admin-c: pIN7-RIPE
tech-c: pIN7-RIPE
status: ASSIGNED PA
mnt-by: MNT-PRQ
source: RIPE # Filtered
role: prq Inet NOC
address: PRQ AB
address: Box 1206
address: SE 11479 Stockholm
address: Sweden
remarks: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
remarks: !! Abuse reports should ONLY be sent to abuse at prq.se !!
remarks: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
abuse-mailbox: abuse at prq.se
admin-c: PW1115-RIPE
tech-c: PW1115-RIPE
nic-hdl: PIN7-RIPE
mnt-by: MNT-PRQ
source: RIPE # Filtered
PEER_AS | IP | AS Name
21202 | 88.80.7.152 | DCSNET-AS DCS.net
30912 | 88.80.7.152 | DCSNET-GLOBAL-TRANSIT-AS DCS.net
Can anyone assist in getting this host taken down?
The most recent:
Other domains: (LastSeen Domain Type IP)
2009-04-07 06:08:19 cdn.rgpmedia.biz A 88.80.7.152
2009-03-23 08:02:47 cdn.cbtclick.biz A 88.80.7.152
2009-08-15 16:55:14 cdn.clads.biz A 88.80.7.152
2009-08-15 13:27:10 cdn.cdtads.biz A 88.80.7.152
2009-11-23 19:22:00 stats.hillmedia.biz A 88.80.7.152
2009-10-16 02:07:15 stats.woodmedia.biz A 88.80.5.3
2009-10-30 03:13:38 www.clickbig.biz A 88.80.5.3
2008-05-25 09:18:01 nnnew.no-ip.biz A 88.80.5.3
Thanks,
Nick
--
Nicholas Ianelli: Neustar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz