[nsp-sec] FW: Determined malware distributor

Tim Wilde twilde at cymru.com
Tue Oct 20 09:43:51 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/19/2009 8:58 PM, David Freedman wrote:
> ----------- nsp-security Confidential --------
> 
> With help from others, have determined this is "bredolab" (hash not in the cymru MHR at time of writing?)
> and is being distributed by the avalanche fastflux botnet, have prodded the registrar.

Hey David,

What was the SHA1 of the file you picked up from that URL?  I know we
have lots of bredolab samples (including plenty we're getting ourselves)
but I'm curious to check our databases for that one, but the domain has
been suspended so I can't grab it myself. :)  If you don't mind sending
it along ZIP encrypted too that'd be aces!

FWIW, there are many reasons it might not be in the MHR - AV detection
rates on several of the bredolab samples I've run through have been
pretty abysmal, so it's possible the sample in question didn't reach the
threshold for inclusion at the time that we received and scanned it, or
it's also possible that we haven't seen that exact hash at all.

Thanks,
Tim

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrdvpcACgkQluRbRini9tiSSACdFaafDYrxOUfb5YflFVACMujg
O6oAniOzlWN4jnU3Ha9XBeyI6u8yo++y
=Opye
-----END PGP SIGNATURE-----
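The exchange above turns on two things a responder does routinely: computing the SHA1 of a retrieved sample and checking it against Team Cymru's Malware Hash Registry (MHR), where a miss can mean "never seen" or "seen, but AV detection was below the inclusion threshold at scan time". The following Python is an added example, not code from the thread or from Team Cymru. It uses the MHR's public DNS interface (`<hex digest>.malware.hash.cymru.com`, TXT answer of the form `"<last_seen_unix_ts> <detection_pct>"`, NXDOMAIN when unlisted) as documented publicly; the sample bytes and the TXT answer used in the offline walk-through are constructed, and the live lookup assumes the `dnspython` package is installed.

```python
"""Hash a sample and interpret a Team Cymru MHR answer (added example).

Constructed inputs are marked as such; the live lookup is optional and
assumes dnspython ('dns.resolver') plus network access.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Public DNS zone of the MHR; queried as <hex digest>.<zone>, type TXT.
MHR_ZONE = "malware.hash.cymru.com"

# Constructed stand-in for "the file picked up from that URL"; not a real binary.
SAMPLE_BYTES = b"constructed sample content, not a real binary\n"


@dataclass
class MhrResult:
    digest: str
    listed: bool
    last_seen: Optional[int] = None      # unix timestamp of last MHR sighting
    detection_pct: Optional[int] = None  # AV detection rate (%) at that time


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of the sample; the MHR accepts either form."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def mhr_query_name(digest: str) -> str:
    """Build the DNS name to query; digest must be hex MD5 (32) or SHA1 (40)."""
    d = digest.strip().lower()
    if len(d) not in (32, 40) or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("expected a hex MD5 or SHA1 digest")
    return f"{d}.{MHR_ZONE}"


def parse_mhr_txt(digest: str, txt: Optional[str]) -> MhrResult:
    """Interpret one TXT answer ('<last_seen> <detection_pct>'); None means NXDOMAIN."""
    if txt is None:
        return MhrResult(digest, listed=False)
    parts = txt.strip().strip('"').split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    return MhrResult(digest, True, int(parts[0]), int(parts[1]))


def triage_note(result: MhrResult, now: int) -> str:
    """State the caveat the thread raises: absence from the MHR is not cleanliness."""
    if not result.listed:
        return ("not in MHR: either never submitted or below the inclusion "
                "threshold when scanned; treat as unknown, not clean")
    age_days = (now - result.last_seen) // 86400
    return (f"in MHR: last seen {age_days} day(s) ago, "
            f"{result.detection_pct}% AV detection at that time")


def lookup_mhr(digest: str) -> MhrResult:
    """Live DNS query. Assumes dnspython is installed and the network is reachable;
    an unlisted hash (NXDOMAIN / no TXT data) is reported as listed=False."""
    import dns.resolver  # imported here so the parsing above stays stdlib-only
    name = mhr_query_name(digest)
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return parse_mhr_txt(digest, None)
    txt = b"".join(answer[0].strings).decode()
    return parse_mhr_txt(digest, txt)


if __name__ == "__main__":
    digests = file_digests(SAMPLE_BYTES)
    print("sha1:", digests["sha1"])
    # Offline walk-through on a constructed answer in the documented format.
    hit = parse_mhr_txt(digests["sha1"], '"1221154281 53"')
    print(triage_note(hit, now=1221154281 + 3 * 86400))
    print(triage_note(parse_mhr_txt(digests["sha1"], None), now=0))
```

The detection percentage in a hit is the rate at the time of the MHR's last scan, so a listed sample with a low figure and an unlisted sample both argue for submitting the file to whoever is tracking the family rather than for closing the case.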


