[nsp-sec] zbot 74.208.200.142

Gabriel Iovino giovino at ren-isac.net
Thu Mar 25 14:29:43 EDT 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3/25/2010 10:30 AM, Dirk Stander wrote:
> Hi Teams,
> 
> please find attached a list of ZeuS botnet drones which were connected to
> the c&c 74.208.200.142 (sukiblyadi.name).  The timestamps are GMT+00.
> Sorry, I don't have bot_id:s this time (the drop zone or next hop of this
> botnet is hXXp://88.198.61.233/img/gate.php)

Sanitized notifications will be sent to the following:

> 17      | 128.210.107.124  | US | 2010-03-24 02:17:01 | PURDUE - Purdue University
> 17      | 128.210.107.41   | US | 2010-03-24 20:43:21 | PURDUE - Purdue University
> 17      | 128.210.37.37    | US | 2010-03-23 03:46:26 | PURDUE - Purdue University
> 17      | 128.210.37.50    | US | 2010-03-24 01:15:21 | PURDUE - Purdue University
> 17      | 128.211.220.111  | US | 2010-03-25 04:04:37 | PURDUE - Purdue University
> 17      | 128.46.215.131   | US | 2010-03-25 04:00:19 | PURDUE - Purdue University
> 34      | 128.175.182.37   | US | 2010-03-22 13:52:56 | UDELNET - University of Delaware
> 81      | 198.85.248.114   | US | 2010-03-25 04:02:13 | NCREN - MCNC
> 81      | 204.84.96.201    | US | 2010-03-23 16:20:47 | NCREN - MCNC
> 87      | 134.68.64.93     | US | 2010-03-23 20:23:37 | INDIANA-AS - Indiana University
> 209     | 137.85.150.80    | US | 2010-03-24 17:25:37 | ASN-QWEST - Qwest Communications Company, LLC
> 209     | 137.85.150.85    | US | 2010-03-23 18:15:57 | ASN-QWEST - Qwest Communications Company, LLC
> 237     | 198.111.56.52    | US | 2010-03-24 12:58:04 | MERIT-AS-14 - Merit Network Inc.
> 237     | 35.8.141.106     | US | 2010-03-24 22:12:00 | MERIT-AS-14 - Merit Network Inc.
> 600     | 138.28.54.208    | US | 2010-03-24 07:22:30 | OARNET-AS - OARnet
> 701     | 150.174.176.137  | US | 2010-03-23 17:05:16 | UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
> 1201    | 128.82.33.178    | US | 2010-03-23 16:07:31 | ASN-ODU-AS-AS - Old Dominion University
> 1201    | 128.82.59.254    | US | 2010-03-23 15:12:26 | ASN-ODU-AS-AS - Old Dominion University
> 1706    | 128.196.76.203   | US | 2010-03-24 01:03:23 | UNIV-ARIZ - University of Arizona
> 1767    | 159.28.7.176     | US | 2010-03-25 04:04:13 | ILIGHT-NET - Indiana Higher Education Telecommunication System
> 2152    | 130.86.93.178    | US | 2010-03-25 04:04:03 | CSUNET-NW - California State University Network
> 2152    | 165.196.0.23     | US | 2010-03-24 16:05:09 | CSUNET-NW - California State University Network
> 2381    | 198.150.95.254   | US | 2010-03-25 13:22:00 | WISCNET1-AS - WiscNet
> 2495    | 198.248.70.112   | US | 2010-03-25 04:00:07 | KANREN - Kansas Research and Education Network
> 2553    | 146.201.81.14    | US | 2010-03-24 20:59:01 | FSU-AS - Florida State University
> 2553    | 146.201.87.11    | US | 2010-03-23 23:22:30 | FSU-AS - Florida State University
> 2572    | 150.167.80.148   | US | 2010-03-25 04:02:10 | MORENET - University of Missouri - dba the Missouri Research and Education Network (MOREnet)
> 2572    | 150.200.177.158  | US | 2010-03-24 23:18:35 | MORENET - University of Missouri - dba the Missouri Research and Education Network (MOREnet)
> 2711    | 155.225.130.229  | US | 2010-03-25 04:00:16 | SUNBELT-AS - Rock Hill Telephone Company
> 2920    | 204.102.40.103   | US | 2010-03-25 04:02:08 | LACOE - Los Angeles County Office of Education
> 3685    | 128.205.18.3     | US | 2010-03-24 18:04:18 | BUFFALO-ASN - University of Buffalo
> 3794    | 128.194.6.196    | US | 2010-03-24 04:26:36 | TAMU - Texas A&M University
> 4246    | 128.235.73.182   | US | 2010-03-24 19:58:34 | NJIT-AS - New Jersey Institute of Technology
> 5078    | 147.97.34.116    | US | 2010-03-25 13:18:02 | ONENET-AS-1 - Oklahoma Network for Education Enrichment and
> 6298    | 140.198.129.139  | US | 2010-03-23 17:51:07 | ASN-CXA-PH-6298-CBS - Cox Communications Inc.
> 6298    | 140.198.73.181   | US | 2010-03-25 04:01:08 | ASN-CXA-PH-6298-CBS - Cox Communications Inc.
> 6325    | 143.195.200.148  | US | 2010-03-25 04:01:38 | ILLINOIS-CENTURY - Illinois Century Network
> 7202    | 168.223.85.104   | US | 2010-03-23 16:19:06 | FAMU - Florida A & M University
> 7272    | 147.72.65.131    | US | 2010-03-25 04:03:15 | TCIMET - TCI Telephony Services
> 7276    | 129.7.105.146    | US | 2010-03-23 18:19:52 | UH-AS - University of Houston
> 7341    | 206.180.219.249  | US | 2010-03-25 04:04:50 | VELOCITY - The Velocity Network
> 7341    | 206.180.222.143  | US | 2010-03-24 01:21:41 | VELOCITY - The Velocity Network
> 11039   | 128.164.135.222  | US | 2010-03-23 20:08:56 | GWU - The George Washington University
> 11351   | 137.141.92.141   | US | 2010-03-23 20:34:59 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
> 11351   | 137.141.92.229   | US | 2010-03-25 04:03:54 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
> 11351   | 137.141.93.100   | US | 2010-03-23 02:50:16 | RR-NYSREGION-ASN-01 - Road Runner HoldCo LLC
> 11607   | 137.216.162.225  | US | 2010-03-25 04:04:38 | SD-STATE-UNIVERSITY - South Dakota State University
> 11847   | 198.51.16.8      | US | 2010-03-24 11:55:19 | MIDMAINE - Mid-Maine Communications, Inc.
> 11975   | 128.239.172.34   | US | 2010-03-24 03:03:16 | WM - The College of William and Mary
> 13760   | 69.85.217.230    | US | 2010-03-23 14:50:41 | SOUTHERN-LIGHT - Southern Light, LLC
> 13809   | 144.30.28.62     | US | 2010-03-25 11:44:39 | UAMS-ASN - University of Arkansas for Medical Sciences
> 14041   | 130.253.26.1     | US | 2010-03-22 16:15:45 | AS14041 - University Corporation for Atmospheric Research
> 14433   | 129.3.56.171     | US | 2010-03-23 17:26:51 | SUNY-OSWEGO-ASN - State University of New York - Oswego
> 16461   | 129.108.211.62   | US | 2010-03-23 22:06:18 | ASN-UTEP - The University of Texas at El Paso
> 16489   | 74.207.70.196    | US | 2010-03-23 00:48:28 | WEBSTER - Webster University
> 19956   | 198.146.87.128   | US | 2010-03-25 13:10:50 | TENNESSEE-NET - Bell South
> 20252   | 140.251.153.80   | US | 2010-03-25 04:01:32 | JSIWMC - Joan and Sanford I. Weill Medical College and Graduate School of Medical Sciences of Cornell University
> 22192   | 156.12.221.86    | US | 2010-03-25 04:02:00 | SSHENET - Pennsylvania State System of Higher Education
> 22303   | 137.140.124.96   | US | 2010-03-23 12:24:39 | NEWPALTZEDU - SUNY College at New Paltz
> 22742   | 137.99.146.197   | US | 2010-03-23 05:02:23 | CT-ED-NET - State of Connecticut Dept of InformationTechnology
> 26335   | 161.45.235.57    | US | 2010-03-25 04:00:58 | MTSU - Middle Tennessee State University
> 29917   | 158.65.139.246   | US | 2010-03-24 18:00:13 | KSC - Keene State College
> 29917   | 158.65.160.207   | US | 2010-03-24 04:59:36 | KSC - Keene State College
> 30703   | 139.127.205.127  | US | 2010-03-25 04:01:52 | SHSC-1-AS - SUNY Health and Science Center
> 32136   | 137.125.104.130  | US | 2010-03-23 18:07:11 | FARMINGDALESTATE - Farmingdale State College
> 33670   | 137.52.187.110   | US | 2010-03-25 00:53:19 | NOVASOUTHEASTERNAS - Nova University
> 36269   | 134.198.48.1     | US | 2010-03-23 18:41:09 | UOFSCRANTON - University of Scranton
> 40245   | 152.17.113.190   | US | 2010-03-25 12:28:49 | WAKE-FOREST-UNIVERSITY - Wake Forest University
> 53257   | 155.225.130.229  | US | 2010-03-25 04:00:16 | ASN1 - The Citadel

Thank you!

Gabe

- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkurq5cACgkQwqygxIz+pTsfGwCZAedmu8YLsevQKNK/DuNrxwiO
wvkAnj2MsQIjWqh0NgexbVyoCcikgdGB
=3Jy2
-----END PGP SIGNATURE-----

More information about the nsp-security mailing list