[nsp-sec] Monkif C2 - AS33837 Peers: AS21202 and AS30912 - little help please?

Marius Urkis marius at litnet.lt
Thu Nov 26 06:53:12 EST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

Two months ago I was involved in a case of network block hijacking. The
network block in the RIPE db was taken over and a route assigned to the PRQ-AS
AS33837. That gives the impression of a not very fair business....


Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
> 
> Folks,
> 
> There is a pattern of behavior that has really become annoying. The
> Monkif family of malware has been leveraging a variety of .BIZ domains
> for its C2. Despite them being taken down, they continue to use them,
> but they also use the same back-end hosts: 88.80.7.152 and 88.80.5.3
> 
> inetnum:        88.80.2.0 - 88.80.7.255
> netname:        PRQ-NET-COLO
> descr:          prq Inet POP STH3
> descr:          Co-located customer servers
> country:        SE
> admin-c:        pIN7-RIPE
> tech-c:         pIN7-RIPE
> status:         ASSIGNED PA
> mnt-by:         MNT-PRQ
> source:         RIPE # Filtered
> 
> role:           prq Inet NOC
> address:        PRQ AB
> address:        Box 1206
> address:        SE 11479 Stockholm
> address:        Sweden
> remarks:        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> remarks:        !! Abuse reports should ONLY be sent to abuse at prq.se !!
> remarks:        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> abuse-mailbox:  abuse at prq.se
> admin-c:        PW1115-RIPE
> tech-c:         PW1115-RIPE
> nic-hdl:        PIN7-RIPE
> mnt-by:         MNT-PRQ
> source:         RIPE # Filtered
> 
> 
> PEER_AS | IP               | AS Name
> 21202   | 88.80.7.152      | DCSNET-AS DCS.net
> 30912   | 88.80.7.152      | DCSNET-GLOBAL-TRANSIT-AS DCS.net
> 
> Can anyone assist in getting this host taken down?
> 
> The most recent:
> 
> http://stats.hillmedia.biz/cgi/oetjyotz.php?ii=5<26231x644407x4x4x4x1<x
> http://stats.hillmedia.biz/cgi/glqaaaaa.php?aa=5<26231x644407x4x4x4x1<x
> http://stats.hillmedia.biz/cgi/iynsy.php?hhhhh=5<26231x644407x4x4x4x1<x
> 
> hp://www.clickspot.biz/d/dl.php?fl=2a3f7096703a6a9e28191719571bd29a&fid=
> 100&1=5<26231x644407x4x4x4x1<
> hp://www.clickspot.biz/cgi/uzii.php?ii=5<26231x644407x4x4x4x1<x
> hp://www.clickspot.biz/cgi/uzii.php?ii=5<26231x644407x4x4x4x1<x
> hp://www.clickspot.biz/cgi/uzii.php?ii=5<26231x644407x4x4x4x1<x
> 
> Other domains: (LastSeen Domain Type IP)
> 
> 2009-04-07 06:08:19     cdn.rgpmedia.biz        A       88.80.7.152
> 2009-03-23 08:02:47     cdn.cbtclick.biz        A       88.80.7.152
> 2009-08-15 16:55:14     cdn.clads.biz           A       88.80.7.152
> 2009-08-15 13:27:10     cdn.cdtads.biz          A       88.80.7.152
> 2009-11-23 19:22:00     stats.hillmedia.biz     A       88.80.7.152
> 
> 2009-10-16 02:07:15     stats.woodmedia.biz     A       88.80.5.3
> 2009-10-30 03:13:38     www.clickbig.biz        A       88.80.5.3
> 2008-05-25 09:18:01     nnnew.no-ip.biz         A       88.80.5.3
> 
> Thanks,
> Nick
> 

_______________________________________________

Cheers
- --
Marius

=============================
 Marius Urkis
 LITNET CERT
 http://cert.litnet.lt
 Tel: +370 37 300645
 GSM: +370 687 79059
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksObCgACgkQHS98nbdNAJwH9wCfWk0L+/x1nXDcZeE2WAGfhkqs
zowAn2EDchD30CAJyy4De9RnrQh2wE7h
=nwPM
-----END PGP SIGNATURE-----
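Added example, not part of Nick's or Marius's messages: the point of the thread is that the .BIZ domains rotate while the back-end hosts 88.80.7.152 and 88.80.5.3 stay the same, so a defender gains more by pivoting on the IPs (and the surrounding PRQ-NET-COLO inetnum) than by blocking domains one at a time. The script below parses the passive-DNS lines quoted in the post, groups the domains by the address they resolved to, converts the RIPE inetnum range into CIDR prefixes usable in an ACL, and matches a few constructed proxy log lines against both the known hostnames and the known back-end IPs. The log format (`dst=... host=...`) and the hostname `new-name.example` are constructed for the example; the DNS records and the inetnum are taken from the post.

```python
"""Pivot on the back-end hosts behind rotating Monkif C2 domains.

Added example, not code from the nsp-sec post. Indicator data below is
copied from the post; the log lines and their format are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Passive-DNS lines exactly as quoted in the post (LastSeen, Domain, Type, IP).
PDNS_RECORDS = """\
2009-04-07 06:08:19     cdn.rgpmedia.biz        A       88.80.7.152
2009-03-23 08:02:47     cdn.cbtclick.biz        A       88.80.7.152
2009-08-15 16:55:14     cdn.clads.biz           A       88.80.7.152
2009-08-15 13:27:10     cdn.cdtads.biz          A       88.80.7.152
2009-11-23 19:22:00     stats.hillmedia.biz     A       88.80.7.152
2009-10-16 02:07:15     stats.woodmedia.biz     A       88.80.5.3
2009-10-30 03:13:38     www.clickbig.biz        A       88.80.5.3
2008-05-25 09:18:01     nnnew.no-ip.biz         A       88.80.5.3
"""

# RIPE inetnum for PRQ-NET-COLO, from the whois record quoted in the post.
INETNUM = "88.80.2.0 - 88.80.7.255"

# Constructed proxy log lines (hypothetical format): the second one uses a
# fresh hostname that is NOT in the passive-DNS data but points at the same
# back-end host, which is exactly the rotation the post complains about.
SAMPLE_LOG = [
    "2009-11-24T10:01:02 src=10.0.0.12 dst=88.80.7.152 host=stats.hillmedia.biz uri=/cgi/oetjyotz.php",
    "2009-11-24T10:05:17 src=10.0.0.33 dst=88.80.5.3 host=new-name.example uri=/cgi/uzii.php",
    "2009-11-24T10:07:00 src=10.0.0.40 dst=93.184.216.34 host=www.example.com uri=/",
]

LOG_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+host=(?P<host>\S+)")


def parse_pdns(text):
    """Return (last_seen, domain, rrtype, ip) tuples; tolerant of tab/space mixes."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip blank or malformed lines
            continue
        date, time, domain, rrtype, ip = parts
        records.append((f"{date} {time}", domain.lower(), rrtype, ip))
    return records


def domains_by_ip(records):
    """Group A-record domains by the address they resolved to (the pivot)."""
    grouped = defaultdict(set)
    for _, domain, rrtype, ip in records:
        if rrtype == "A":
            grouped[ip].add(domain)
    return dict(grouped)


def inetnum_to_cidrs(inetnum):
    """Convert a RIPE 'first - last' inetnum into the minimal list of CIDR prefixes."""
    first, last = (ipaddress.ip_address(s.strip()) for s in inetnum.split("-"))
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def ip_in_inetnum(ip, inetnum):
    """True if ip falls inside the inetnum range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in inetnum_to_cidrs(inetnum))


def match_log(lines, records):
    """Return (line, reason, indicator) for log lines hitting a known domain or back-end IP."""
    pivot = domains_by_ip(records)
    known_ips = set(pivot)
    known_domains = set().union(*pivot.values()) if pivot else set()
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if host in known_domains:
            hits.append((line, "domain", host))
        elif ip in known_ips:  # rotated domain, same back-end host
            hits.append((line, "ip", ip))
    return hits


if __name__ == "__main__":
    recs = parse_pdns(PDNS_RECORDS)
    for ip, doms in sorted(domains_by_ip(recs).items()):
        print(f"{ip}: {len(doms)} domains, in PRQ inetnum={ip_in_inetnum(ip, INETNUM)}")
    print("ACL prefixes:", inetnum_to_cidrs(INETNUM))
    for line, reason, ioc in match_log(SAMPLE_LOG, recs):
        print(f"HIT by {reason} ({ioc}): {line}")
```

The second constructed log line is the one worth looking at: its hostname is unknown, but the destination address is a back-end IP already tied to five other Monkif domains, so the match on IP catches the rotation that a domain-only blocklist would miss. The inetnum conversion gives the two prefixes (88.80.2.0/23 and 88.80.4.0/22) a network operator would use if they chose to filter the whole PRQ-NET-COLO assignment rather than single hosts.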