[nsp-sec] FW: Determined malware distributor
David Freedman
david.freedman at uk.clara.net
Mon Oct 19 20:58:11 EDT 2009
With help from others, I have determined this is "bredolab" (hash not in the Cymru MHR at time of writing?)
and is being distributed by the Avalanche fast-flux botnet; I have prodded the registrar.
Dave.
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
-----Original Message-----
From: David Freedman
Sent: Tue 10/20/2009 00:46
To: nsp-security at puck.nether.net
Subject: Determined malware distributor
Hi, we have a very determined malware distributor, amusingly using our name here, see
hxxp://clara.net.tll1ill.net/owa/service_directory/settings.php?email=g.jones@clara.net&from=clara.net&fromname=g.jones
$ (echo "begin" && host clara.net.tll1ill.net | awk '{ print $4 }' && echo "end") | nc whois.cymru.com whois | sort -n
Bulk mode; whois.cymru.com [2009-10-19 23:42:57 +0000]
1680 | 89.138.127.135 | NetVision Ltd.
3462 | 218.162.125.232 | HINET Data Communication Business Group
4766 | 211.195.69.45 | KIXS-AS-KR Korea Telecom
4766 | 211.199.225.132 | KIXS-AS-KR Korea Telecom
5603 | 86.61.58.129 | SIOL-NET Telekom Slovenije d.d.
7049 | 190.0.167.233 | Silica Networks Argentina S.A.
7303 | 190.137.185.10 | Telecom Argentina S.A.
7303 | 190.30.143.28 | Telecom Argentina S.A.
7303 | 201.253.255.241 | Telecom Argentina S.A.
7418 | 190.82.176.224 | Terra Networks Chile S.A.
9121 | 88.247.239.23 | TTNET TTnet Autonomous System
9319 | 112.72.162.134 | HCNCHUNGJU-AS-KR CHEONGJU CABLE TV SYSTEMS
9680 | 218.162.125.232 | HINETUSA HiNet Service Center in U.S.A
22047 | 200.86.21.40 | VTR BANDA ANCHA S.A.
27699 | 189.46.118.100 | TELECOMUNICACOES DE SAO PAULO S/A - TELESP
27699 | 189.47.29.3 | TELECOMUNICACOES DE SAO PAULO S/A - TELESP
Any assistance appreciated, if not just for informative purposes :)
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net
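As an added example (not part of the post or of any Claranet tooling): a small parser for the whois.cymru.com bulk output shown above that counts distinct IPs and origin ASNs, the spread that makes the host look fast-flux, and also picks out the address that appears under two origin ASNs. The "NA" row for an unrouted address and the two thresholds are assumptions.

```python
from collections import defaultdict

# Bulk-whois rows copied from the post above (a subset), plus one constructed
# "NA" row of the kind whois.cymru.com returns for an address with no route.
SAMPLE = """\
Bulk mode; whois.cymru.com [2009-10-19 23:42:57 +0000]
1680 | 89.138.127.135 | NetVision Ltd.
3462 | 218.162.125.232 | HINET Data Communication Business Group
4766 | 211.195.69.45 | KIXS-AS-KR Korea Telecom
4766 | 211.199.225.132 | KIXS-AS-KR Korea Telecom
7303 | 190.137.185.10 | Telecom Argentina S.A.
9680 | 218.162.125.232 | HINETUSA HiNet Service Center in U.S.A
27699 | 189.46.118.100 | TELECOMUNICACOES DE SAO PAULO S/A - TELESP
NA | 192.0.2.77 | NA
"""


def parse_cymru_bulk(text):
    """Turn 'ASN | IP | AS name' lines into (asn, ip, name) tuples."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:          # skips the "Bulk mode;" banner and blanks
            continue
        # An unrouted address has "NA" in the ASN column; keep it as asn=None.
        asn = int(parts[0]) if parts[0].isdigit() else None
        rows.append((asn, parts[1], parts[2]))
    return rows


def flux_summary(rows):
    """Count distinct IPs and origin ASNs, and spot IPs announced by >1 ASN."""
    origins = defaultdict(set)
    unrouted = set()
    for asn, ip, _ in rows:
        if asn is None:
            unrouted.add(ip)
        else:
            origins[ip].add(asn)
    return {
        "ips": len(origins) + len(unrouted),
        "asns": len({a for s in origins.values() for a in s}),
        "unrouted": sorted(unrouted),
        "multi_origin": {ip: sorted(s) for ip, s in origins.items() if len(s) > 1},
    }


def looks_fast_flux(summary, min_ips=5, min_asns=3):
    """Heuristic: many A records spread over many unrelated networks (thresholds assumed)."""
    return summary["ips"] >= min_ips and summary["asns"] >= min_asns
```

A real run would feed the output of the `host ... | nc whois.cymru.com whois` pipeline from the post into `parse_cymru_bulk` instead of SAMPLE.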