[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)
Shelton, Steve
sshelton at Cogentco.com
Fri Jun 4 06:50:51 EDT 2010
William,
I've been poking around for info on muza-flowers.biz as it translates to
the same IP as go-thailand-now.com which has been depicted as being
associated with the return of Rustock.
>go-thailand-now.com [189.120.233.193]
>muza-flowers.biz [189.120.233.193]
Both the domains were listed as C2s, observed on 5/24/2010.
The POST URLs for muza-flowers.biz are consistent with URLs observed
and/or associated with go-thailand-now.com.
So, it is looking like C2 or something else related to a FakeAV/RBN-related
exploit.
Steve Shelton
Security Engineer
Cogent Communications
-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Salusky,
William
Sent: Thursday, June 03, 2010 5:47 PM
To: Mike Hellers; nsp-security at puck.nether.net
Subject: Re: [nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234 (AS8928)
----------- nsp-security Confidential --------
Having only one traffic source makes this a highly probable false
positive, but I see some potential C2 comms to the following, making my
spidey senses tingle.
Can anyone else chime in on the legitimacy/evilness of the following?
POST /forums.php?fid=149 HTTP/1.1
Host: muza-flowers.biz
POST /download.php?file=7700233c371b36cd43401a5b22520444 HTTP/1.1
Host: muza-flowers.biz
POST /search.php?doc_id=440ac345ef5336aa53f11f2c0d88dfd8 HTTP/1.1
Host: muza-flowers.biz
POST /topic.php?tid=117 HTTP/1.1
Host: muza-flowers.biz
More troublesome is that the above requests to muza-flowers.biz
targeted the following IPs (in a span of a few minutes):
27645 | 66.79.162.138 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
32392 | 96.0.203.82 | OPENTRANSFER-ECOMMERCE - Ecommerce Corporation
Yet I resolved the hostname perhaps 10 minutes after the actual client
connectivity was observed, resulting in:
28573 | 189.120.233.193 | NET Servicos de Comunicao S.A.
----
William Salusky
Princ. Technical Security Engineer - AOL Information Technology Security
CERT team
703-265-4924 (office) : 571-480-1933 (mobile)
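The pattern William describes above (POSTs carrying one Host header that land on several destination IPs within minutes, none of which match what DNS returns shortly afterwards) can be turned into a simple log check. This is an added example, not code from the thread; the log lines, timestamps, the example.com control traffic and the 198.51.100.7 address are constructed, and the resolver answers are hard-coded rather than looked up.

```python
# Added example (not from the thread): flag an HTTP Host header whose POSTs
# reached several destination IPs within a few minutes while the name's
# current DNS answer matches none of them, as seen for muza-flowers.biz.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-style log lines: timestamp, dst IP, method, Host, path.
# The muza-flowers.biz paths and IPs are the ones quoted in the thread;
# timestamps and the example.com control traffic are made up.
SAMPLE_LOG = """\
2010-06-03T17:31:02 66.79.162.138 POST muza-flowers.biz /forums.php?fid=149
2010-06-03T17:31:40 66.79.162.138 POST muza-flowers.biz /download.php?file=7700233c371b36cd43401a5b22520444
2010-06-03T17:33:15 96.0.203.82 POST muza-flowers.biz /search.php?doc_id=440ac345ef5336aa53f11f2c0d88dfd8
2010-06-03T17:34:02 96.0.203.82 POST muza-flowers.biz /topic.php?tid=117
2010-06-03T17:35:10 198.51.100.7 GET example.com /index.html
2010-06-03T17:36:00 198.51.100.7 GET example.com /about.html
"""

# Constructed stand-in for what the resolver returned when the analyst
# looked the names up about ten minutes after the traffic was seen.
RESOLVED = {"muza-flowers.biz": {"189.120.233.193"}, "example.com": {"198.51.100.7"}}

def parse_log(text):
    """Parse the five-field lines into (timestamp, dst_ip, method, host, path)."""
    events = []
    for line in text.splitlines():
        ts, dst, method, host, path = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts), dst, method, host, path))
    return events

def flag_hosts(events, resolved, window=timedelta(minutes=10), min_ips=2):
    """Return {host: sorted dst IPs} for hosts whose requests hit at least
    min_ips distinct IPs inside `window`, none of which DNS currently returns."""
    by_host = defaultdict(list)
    for ts, dst, _method, host, _path in events:
        by_host[host].append((ts, dst))
    flagged = {}
    for host, hits in by_host.items():
        hits.sort()  # sliding window over time-ordered hits
        for i, (start, _) in enumerate(hits):
            ips = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips and ips.isdisjoint(resolved.get(host, set())):
                flagged[host] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    for host, ips in flag_hosts(parse_log(SAMPLE_LOG), RESOLVED).items():
        print(f"{host}: requests reached {ips}, DNS now says {sorted(RESOLVED[host])}")
```

A single source, as William notes, keeps this a weak signal on its own; the check is only useful as a trigger for pulling the full sessions of the hosts it flags.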
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Salusky,
> William
> Sent: Thursday, June 03, 2010 4:40 PM
> To: Mike Hellers; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] 10Gbps distributed UDP flood against
> 62.50.74.234(AS8928)
>
> ----------- nsp-security Confidential --------
>
> I see *one* single active dial-up user participating. If only there
> were one other active participant, finding a comms structure [if there
> is one] would be simple.
>
> I'll keep an eye on this one to see if anything distinct stands out.
> Aside from the UDP flood toward the 62.x, the client in question is
> also running a Limewire p2p client so needless to say it's a very
> noisy little pipe.
>
> ----
> William Salusky
> Princ. Technical Security Engineer - AOL Information Technology
> Security CERT team
> 703-265-4924 (office) : 571-480-1933 (mobile)
>
>
>
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Mike
> > Hellers
> > Sent: Thursday, June 03, 2010 11:17 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] 10Gbps distributed UDP flood against
> > 62.50.74.234 (AS8928)
> >
> > ----------- nsp-security Confidential --------
> >
> > Hi,
> >
> >
> >
> > We have experienced a rather large and distributed attack against one
> > of our customers over the past couple of hours; it is actually still
> > going on at this time. We have seen overall traffic levels above
> > 10Gbps, mainly UDP traffic from and towards a range of ports.
> >
> > The targeted host is primarily 62.50.74.234.
> >
> > I would appreciate hearing if anybody else has some additional
> > information they can provide us with, especially if this was
> > controlled by a known C&C.
> >
> >
> >
> > ...mike
> >
> >
> >
> > --
> >
> > Mike Hellers
> >
> > Interoute Communications Ltd.
> >
> > Tel +44 20 7025 9396
> >
> > Mob +44 7817 101 736
> >
> >
> >
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> >
> > Please do not Forward, CC, or BCC this E-mail outside of the
> > nsp-security community. Confidentiality is essential for effective
> > Internet security counter-measures.
> > _______________________________________________
> >
>
>
>