[nsp-sec] 10Gbps distributed UDP flood against 62.50.74.234(AS8928)
Tim Wilde
twilde at cymru.com
Fri Jun 4 09:26:35 EDT 2010
On 6/3/2010 5:46 PM, Salusky, William wrote:
> Having only one traffic source makes this a highly probable false
> positive, but I see some potential C2 comms to the following making my
> spidey senses tingle.
>
> Can anyone else chime in on the legitimacy/evilness of the following?
>
>
> POST /forums.php?fid=149 HTTP/1.1
> Host: muza-flowers.biz
[ snip ]
Hey Teams,
To chime in and add our $0.02 on the badness of muza-flowers.biz, we
have seen quite a few malware samples pointing there, dating as far back
as 2009-12-17, and as recently as 2010-05-26. The most recent couple I
checked pulled down a 'foto20.rar' and POSTed some gzipped data to two
different IPs, both with muza-flowers.biz Host: headers, as well as
grabbing a few pages from Wikipedia, of all places. Of further
interest, the IPs POSTed to as muza-flowers.biz do NOT match the DNS
response for muza-flowers.biz received by the malware's own DNS query -
either it did some internal magic to translate the returned IP into the
two it used, or they were hard-coded or otherwise derived (no other DNS
queries of interest were observed, just mozilla.org, msn.com's MXes,
mx4.hotmail.com, and en.wikipedia.org).
Details of the few most recent samples we have referencing muza-flowers.biz:
74fbc052a829cac4a87cbbce4f0203352bae2c38  2010-05-26 18:35:23  7 KB
  md5: 6932b54eae83b22180ebb48212fe0902
  filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

c02dc059aa7e50874526845cfd3c193658b78510  2010-03-27 10:11:35  7 KB
  md5: 30909c67291600057191fd78d9ff49fc
  filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

e00d585b752406399ff9702dae97e374ecf3003b  2010-03-18 11:11:51  34 KB
  md5: f535237316e9016077423f36dba60462
  filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

c8065543bedf7d245ee325267e7102a35707d558  2010-03-14 04:33:22  31 KB
  md5: f13114631f38bdcc91f111e118ed28ac
  filetype: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
I hope this is helpful; let me know if any additional information would
be of use!
Regards,
Tim Wilde
--
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
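The observation above that the POST destinations did not match the DNS answer for muza-flowers.biz is a usable detection signal. The following is an added example, not code from the original post or from Team Cymru, that flags HTTP requests whose destination IP was never returned by a DNS answer for the Host header; the log format and the RFC 5737 documentation addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): DNS answers the host
# received, followed by the HTTP requests it actually made. Only the first
# POST goes to the IP that DNS returned for muza-flowers.biz.
SAMPLE_LOG = """\
DNS muza-flowers.biz A 192.0.2.10
HTTP POST 192.0.2.10 muza-flowers.biz /forums.php?fid=149
HTTP POST 198.51.100.7 muza-flowers.biz /forums.php?fid=149
HTTP POST 203.0.113.9 muza-flowers.biz /forums.php?fid=149
DNS en.wikipedia.org A 192.0.2.20
HTTP GET 192.0.2.20 en.wikipedia.org /wiki/Main_Page
"""

DNS_RE = re.compile(r"^DNS (\S+) A (\S+)$")
HTTP_RE = re.compile(r"^HTTP (\w+) (\S+) (\S+) (\S+)$")


def find_host_ip_mismatches(log_text):
    """Return (method, dest_ip, host, path) tuples for HTTP requests whose
    destination IP never appeared in a DNS answer for the Host header.
    A request with no observed DNS lookup at all is flagged too, since that
    is exactly the hard-coded or derived-address case described above."""
    resolved = defaultdict(set)  # hostname -> set of IPs seen in DNS answers
    requests = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved[m.group(1)].add(m.group(2))
            continue
        m = HTTP_RE.match(line)
        if m:
            requests.append(m.groups())
    return [
        (method, ip, host, path)
        for method, ip, host, path in requests
        if ip not in resolved.get(host, set())
    ]


if __name__ == "__main__":
    for method, ip, host, path in find_host_ip_mismatches(SAMPLE_LOG):
        print(f"{method} to {ip} with Host: {host} ({path}) does not match DNS")
```

Legitimate CDNs and round-robin DNS can produce the same mismatch, so treat a hit as a lead to be correlated with the other behaviour noted above, not as a verdict on its own.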