[nsp-sec] legion.sinip.es

Serge Droz serge.droz at switch.ch
Fri Oct 16 07:33:01 EDT 2009


Hello,

one of our customers reports a Mariposa infection which connects to
legion.sinip.es 66.197.176.41:9999, fair enough and does not appear in the
dnsrr list.

However that system is actually referenced in this article:
http://www.pcmag.com/article2/0,2817,2353401,00.asp


<CUT>
Defence Intelligence states that companies can detect the botnet by
watching for traffic to butterfly.sinip.es or to a specific set of
IP addresses. Hypponen adds the addresses qwertasdfg.sinip.es,
butterfly.BigMoney.biz and legion.sinip.es, and points out that the
latter two still have live servers in operation.
<CUT>

Cheers
Serge


-- 
SWITCH
Serving Swiss Universities
--------------------------
Serge Droz, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 63, fax +41 44 268 15 78
serge.droz at switch.ch, http://www.switch.ch


