[nsp-sec] Morto worm C&C (RDP Scanner)
Carles Fragoso
cfragoso at cesicat.cat
Wed Aug 31 04:35:57 EDT 2011
ACK for AS13041. Proxy ACK for AS3352, AS6739, AS12334, AS12338, AS12357, AS12479, AS12715, AS12946 and AS20838.
BTW, any info about what kind of traffic profile Morto uses to communicate with the C&C?
-- Carlos Fragoso (CESICAT-CERT)
On Aug 30, 2011, at 8:29 PM, Joel Rosenblatt wrote:
> ----------- nsp-security Confidential --------
>
> <ATT00001..txt><out_data.txt><ATT00002..txt>