[nsp-sec] Malware hosted at AS8560, AS16276, AS30736 and AS47914 (nuttypiano fast-flux)

Carles Fragoso cfragoso at cesicat.cat
Mon Aug 30 02:35:49 EDT 2010


Hi,

One of our customers got infected with a malicious script injection hosted at nuttypiano.com ...

> <script type="text/javascript" src="http://nuttypiano.com/Recycle_Bin.js"></script>

... where DNS resolution was pointing using fast-flux to ...

> AS      | IP               | AS Name
> 8560    | 213.165.91.101   | ONEANDONE-AS 1&1 Internet AG
> 16276   | 91.121.61.207    | OVH OVH
> 16276   | 94.23.202.33     | OVH OVH
> 30736   | 82.103.129.152   | EASYSPEEDY-NETWORK Easyspeedy Networks range
> 47914   | 93.157.232.64    | CDMS OOO Creative Direct Marketing Solutions

That domain registered at bizcn.com, now seems to have been disabled ...

>  Domain Name: NUTTYPIANO.COM
>    Registrar: BIZCN.COM, INC.
>    Whois Server: whois.bizcn.com
>    Referral URL: http://www.bizcn.com
>    Name Server: NS1.SMARTYDNSDIRECT.COM
>    Name Server: NS2.SMARTYDNSDIRECT.COM
>    Status: clientDeleteProhibited
>    Status: clientTransferProhibited
>    Updated Date: 24-aug-2010
>    Creation Date: 24-aug-2010
>    Expiration Date: 24-aug-2011
> >>> Last update of whois database: Mon, 30 Aug 2010 05:48:02 UTC <<<


> Georgiy Kiosov
>    Georgiy Kiosov
>    +7127487272 fax: +7127487272
>    B.Sampsonievskij pr-kt d.39 lit.A pom.3-N
>    Sankt-Peterburg Sankt-Peterburg 194044
>    RU

But anyway, ping to AS8560, AS16276, AS30736 and AS47914 to check those boxes.

Warm regards,

-- Carlos (CESICAT-CERT)
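The resolution table above (five IPs in four different ASes behind one freshly registered domain) is the pattern that makes a defender suspect fast-flux rather than ordinary round-robin. The following Python script is an added example, not part of the original post or of CESICAT-CERT's tooling: it takes a list of DNS resolution samples (IP, origin ASN, TTL, time observed) and computes the features usually used to separate fast-flux from a CDN (distinct IPs, distinct ASNs, distinct /24 prefixes, TTL). The IP/ASN pairs are taken from the post; the timestamps, TTL values, the CDN control case and the thresholds in `is_fast_flux` are assumptions.

```python
"""Fast-flux heuristic over DNS resolution samples (added example).

Sample data is constructed from the AS/IP table in the post; timestamps,
TTLs, thresholds and the CDN control case are assumed, not from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Observation:
    observed_at: int   # epoch seconds when this A record was returned
    ip: str            # resolved IPv4 address
    asn: int           # origin AS of that address (from a BGP/whois lookup)
    ttl: int           # TTL the resolver returned for the record


# Constructed: the five IP/ASN pairs reported for nuttypiano.com, spread over
# an eight-minute window with a low TTL (timestamps and TTLs are assumed).
NUTTYPIANO_SAMPLE = [
    Observation(1283146800, "213.165.91.101", 8560, 180),
    Observation(1283146920, "91.121.61.207", 16276, 180),
    Observation(1283147040, "94.23.202.33", 16276, 180),
    Observation(1283147160, "82.103.129.152", 30736, 180),
    Observation(1283147280, "93.157.232.64", 47914, 180),
]

# Constructed control case: CDN-style round-robin, several IPs but all in
# one AS (documentation ASN 64496) and one /24, also with a short TTL.
CDN_SAMPLE = [
    Observation(1283146800 + 60 * i, f"203.0.113.{10 + i}", 64496, 60)
    for i in range(6)
]


def group_by_asn(observations):
    """Map each origin ASN to the sorted list of IPs seen under it."""
    by_asn = defaultdict(set)
    for obs in observations:
        by_asn[obs.asn].add(obs.ip)
    return {asn: sorted(ips, key=ip_address) for asn, ips in sorted(by_asn.items())}


def flux_features(observations):
    """Features commonly used to tell fast-flux apart from CDN round-robin."""
    ips = {o.ip for o in observations}
    asns = {o.asn for o in observations}
    # /24 prefix: a CDN usually answers from a few contiguous blocks,
    # a flux network from unrelated consumer/hosting ranges.
    prefixes = {".".join(ip.split(".")[:3]) for ip in ips}
    times = [o.observed_at for o in observations]
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
        "distinct_prefixes": len(prefixes),
        "max_ttl": max(o.ttl for o in observations),
        "window_seconds": max(times) - min(times),
    }


def is_fast_flux(observations, min_ips=5, min_asns=3, max_ttl=300):
    """Assumed thresholds: many IPs, spread over several ASes, short TTL.

    A single-AS round-robin with a short TTL is not flagged; a handful of
    unrelated ASes answering for one name within minutes is.
    """
    f = flux_features(observations)
    return (
        f["distinct_ips"] >= min_ips
        and f["distinct_asns"] >= min_asns
        and f["max_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for label, sample in (("nuttypiano.com", NUTTYPIANO_SAMPLE), ("cdn control", CDN_SAMPLE)):
        print(label, flux_features(sample), "fast-flux" if is_fast_flux(sample) else "not flux")
        for asn, ips in group_by_asn(sample).items():
            print(f"  AS{asn}: {', '.join(ips)}")
```

In practice the observations would come from repeated resolver queries or passive DNS, and the ASN column from a BGP or whois lookup; `group_by_asn` gives the per-AS list needed for the abuse notifications the post describes.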
