[nsp-sec] ACK 2914 Re: Koobface C&Cs
Tino Steward
tsteward at us.ntt.net
Fri Sep 18 11:58:34 EDT 2009
Ack'd 2914
tino
On Thu, Sep 17, 2009 at 12:43:50PM +0200, Thomas Hungenberg wrote:
> ----------- nsp-security Confidential --------
>
>
> Forwarded to nsp-sec with permission from Morten:
>
> ----------------------------------------------------------------
> Hi all,
>
> I've attached a list of URLs that setup.exe/ld14.exe phones home to
> (POST /.sys/?action=ldgen&v=14).
>
> All hosts were confirmed active a few minutes ago.
>
>
> Best regards,
> Morten
> ----------------------------------------------------------------
>
> Format: ASN | CC | IP | Koobface C&C URL
>
>
> - Thomas
>
> CERT-Bund Incident Response & Anti-Malware Team
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
--
Tino T. Steward SNA1 - Security & Abuse tsteward at us.ntt.net
NTT Communications Global IP Network Operations Center
214-853-7344 (Ph.) 214.800.7771 (Fax)
AUP online: http://www.nttamerica.com/legal/internet/acceptable_policy.html
AUP online: http://www.ntt.net/library/pdf/AUP.pdf
Check http://www.cert.org for some of the latest documented exploits and your OS manufacturer for the latest security patches.
Intruder detection: http://www.cert.org/tech_tips/intruder_detection_checklist.html
Latest viruses: http://www.cert.org
Recovering from a compromised host: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
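Added example (not part of the list mail or the forwarded report): a small defender-side check that parses the "ASN | CC | IP | Koobface C&C URL" feed format above and flags proxy log lines that match the described ld14.exe phone-home (a POST to /.sys/?action=ldgen&v=14) or a /.sys/ request to a listed host. The feed rows, hostnames, and log format are constructed placeholders, not the real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed feed sample in the mail's "ASN | CC | IP | URL" format
# (placeholder ASNs, addresses and hostnames; not the real list).
FEED = """\
64496 | US | 192.0.2.10 | hxxp://example-cc-one.invalid/.sys/
64497 | DE | 198.51.100.7 | hxxp://www.example-cc-two.invalid/.sys/
"""

# The beacon the mail describes: POST /.sys/?action=ldgen&v=14
# (the version number is matched loosely so other "v=" builds are caught).
BEACON_RE = re.compile(r"^/\.sys/\?(?=.*\baction=ldgen\b)(?=.*\bv=\d+\b)")

# Constructed proxy log layout assumed here: "<client> <method> <host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_feed(text):
    """Return {hostname: (asn, cc, ip)} from the pipe-separated feed.
    'hxxp' is the defanged form of 'http' used in the mail."""
    hosts = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip headers, blanks, malformed rows
        asn, cc, ip, url = parts
        url = url.replace("hxxp://", "http://", 1)
        hosts[urlparse(url).hostname.lower()] = (asn, cc, ip)
    return hosts


def find_beacons(log_lines, hosts):
    """Return (client, host, reason) tuples for lines that look like the
    ld14.exe phone-home or any /.sys/ request to a listed C&C host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, host, path = m.groups()
        host = host.lower()
        if method != "POST":
            continue  # the described beacon is a POST
        if BEACON_RE.match(path):
            hits.append((client, host, "beacon-path"))   # path alone is enough
        elif host in hosts and path.startswith("/.sys/"):
            hits.append((client, host, "listed-c2"))     # listed host, same tree
    return hits
```

The beacon-path rule fires even for hosts not yet in the feed, which is the useful part once the list goes stale.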