[nsp-sec] [DDoS - City of New York]
Young, Beth A.
youngba at more.net
Tue Aug 23 09:58:01 EDT 2011
From Kris Trower's research, 141.136.16.14 is using similar domains. The click* domains were serving up FakeAV.
141.136.16.14:
clickaugusta.org
clickcorpuschristi.org
clicksterlingheights.org
findtoy.org
findtrace.org
findtrack.org
findtraffic.org
findtrail.org
findtrain.org
findtransportation.org
findtrap.org
Beth and Kris
MOREnet Security
>-----Original Message-----
>From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Rob Thomas
>Sent: Monday, August 22, 2011 4:31 PM
>To: Joel Rosenblatt
>Cc: nsp-security NSP
>Subject: Re: [nsp-sec] [DDoS - City of New York]
>
>----------- nsp-security Confidential --------
>
>Hi, Joel.
>
>> This reminded me, I sent this to DOITT.NYC.GOV on the 17th - the
>> attached .txt file is really an executable, my guess is "nothing good"
>> :-)
>
>Indeed! :) I ran this one through our malware-o-matic and query-o-matic,
>and found a few interesting bits.
>
>It looks up sfkdhjnsfjg.ru, which presently resolves to 195.189.226.119.
>
>AS    | IP              | BGP Prefix       | CC | Registry | Allocated  | AS Name
>41018 | 195.189.226.119 | 195.189.226.0/23 | UA | ripencc  | 2006-05-30 | SERVER-UA-AS SERVER-UKRAINE DC
>
>DNS RRs pointed to 195.189.226.119 this month include:
>
> stamp               | qname          | class | type | rdata
>--------------------- ---------------- ------- ------ -----------------
> 2011-08-19 15:46:12 | sfkdhjnsfjg.ru | IN    | A    | 195.189.226.119
> 2011-08-22 07:36:04 | rattsillis.com | IN    | A    | 195.189.226.119
>
>It then fetches the following URL:
>
> h x x p : / / sfkdhjnsfjg.ru / pusk3.exe
>
>This is installed as:
>
> C:\Documents and Settings\IT\Local Settings\Temp\pusk3.exe
>
>It then does another GET for:
>
> h x x p : / / sfkdhjnsfjg.ru / ftp / g.php
>
>This is probably some sort of configuration file. It is installed as:
>
> C:\Documents and Settings\IT\Local Settings\Temporary Internet Files\Content.IE5\Z7L7D65P\g[1].htm
>
>The file pusk3.exe looks up findtype.org, which presently resolves to
>141.136.16.13.
>
>AS    | IP            | BGP Prefix      | CC | Registry | Allocated  | AS Name
>50515 | 141.136.16.13 | 141.136.16.0/24 | RO | ripencc  | 2011-06-29 | TIER-DATA-CENTER Tier SRL
>
>141.136.16.13 appears to be a Linux box.
>
>DNS RRs pointed to 141.136.16.13 this month include:
>
> stamp               | qname              | class | type | rdata
>--------------------- -------------------- ------- ------ ---------------
> 2011-08-01 00:01:34 | findtry.org        | IN    | A    | 141.136.16.13
> 2011-08-01 00:01:34 | findtube.org       | IN    | A    | 141.136.16.13
> 2011-08-01 23:34:53 | finddelightful.org | IN    | A    | 141.136.16.13
> 2011-08-01 23:34:54 | findtune.org       | IN    | A    | 141.136.16.13
> 2011-08-04 00:51:21 | findturn.org       | IN    | A    | 141.136.16.13
> 2011-08-07 02:51:08 | findtwenty.org     | IN    | A    | 141.136.16.13
> 2011-08-12 04:56:37 | findtwice.org      | IN    | A    | 141.136.16.13
> 2011-08-16 12:27:15 | findtwo.org        | IN    | A    | 141.136.16.13
> 2011-08-20 15:51:08 | findtype.org       | IN    | A    | 141.136.16.13
>
>We have at least 277 samples in our malware menagerie that point to
>141.136.16.13. Oofah! If anyone would like the full list, let me know.
>It dates back to at least 2011-07-06 07:22:51 UTC.
>
>pusk3.exe then issues the following GETs:
>
> h x x p : / / findtype.org / pica1 / 531-direct
>
>This appears to be some sort of data file.
>
> h x x p : / / findtype.org / 404.php?type=stats&affid=531&subid=03&awok
>
>That's probably some sort of counter or beacon method.
>
>Thanks,
>Rob.
>--
>Rob Thomas
>Team Cymru
>https://www.team-cymru.org/
>"Say little and do much." M Avot 1:15
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security
>countermeasures.
>_______________________________________________
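The infection chain Rob describes (dropper download, config fetch, data file, stats beacon on the find*/click* hosting) lends itself to a proxy-log check. The following is an added example, not code from either poster or from Team Cymru; it uses only the indicators quoted in the thread, and the log format (`client dst_ip METHOD url`), client addresses and benign line are constructed.

```python
"""Flag the pusk3.exe chain from the nsp-sec thread in proxy log lines.
Indicators (domains, IPs, URL shapes) are taken from the thread; the log
format, client IPs and the example.com line are constructed for this demo."""
import re
from urllib.parse import parse_qs, urlsplit

KNOWN_HOSTS = {"sfkdhjnsfjg.ru", "rattsillis.com", "findtype.org"}
KNOWN_IPS = {"195.189.226.119", "141.136.16.13", "141.136.16.14"}
# The find*/click* .org family seen on 141.136.16.13 and .14.
FAMILY_RE = re.compile(r"^(find|click)[a-z]+\.org$")
# Data file: /pica1/531-direct (affiliate id varies, so accept any digits).
DATAFILE_RE = re.compile(r"^/pica1/\d+-direct$")

def classify(url, dst_ip=None):
    """Return the indicator names one proxied request matches (possibly none)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or ""), parts.path
    hits = []
    if host in KNOWN_HOSTS or FAMILY_RE.match(host):
        hits.append("known-c2-domain")
    if dst_ip in KNOWN_IPS:
        hits.append("known-c2-ip")
    if path.endswith("/pusk3.exe"):          # dropper download
        hits.append("pusk3-download")
    if path.endswith("/ftp/g.php"):          # probable configuration fetch
        hits.append("config-fetch")
    if DATAFILE_RE.match(path):
        hits.append("data-file")
    if path == "/404.php":                   # beacon: 404.php?type=stats&affid=...
        q = parse_qs(parts.query)
        if q.get("type") == ["stats"] and "affid" in q:
            hits.append(f"stats-beacon affid={q['affid'][0]}")
    return hits

def scan(lines):
    """Parse constructed 'client dst_ip METHOD url' lines; return (client, url, hits)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        client, dst_ip, _method, url = fields
        hits = classify(url, dst_ip)
        if hits:
            findings.append((client, url, hits))
    return findings

# Constructed sample log: one infected host replaying the chain, one clean request.
SAMPLE_LOG = """10.1.2.3 195.189.226.119 GET http://sfkdhjnsfjg.ru/pusk3.exe
10.1.2.3 195.189.226.119 GET http://sfkdhjnsfjg.ru/ftp/g.php
10.1.2.3 141.136.16.13 GET http://findtype.org/pica1/531-direct
10.1.2.3 141.136.16.13 GET http://findtype.org/404.php?type=stats&affid=531&subid=03&awok
10.1.2.4 93.184.216.34 GET http://example.com/index.html
10.1.2.5 141.136.16.14 GET http://clickaugusta.org/""".splitlines()

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```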