[nsp-sec] Bitcoin DDoS-RS entries
Dave Monnier
dmonnier at cymru.com
Tue Jun 7 12:52:23 EDT 2011
Hi, Jim.
Thanks for the heads up. These hosts were added as the result of a
chain reaction of litmus. First, their client was detected as malicious
by a few A/V engines. This landed it as a candidate by our malware
o'matic system. That system then does a sharknarc style interrogation
of the system. Botcoin (pun intended) looks to use IRC as its
communication mechanism and has tens of thousands of +i clients
attaching to an IRC server with automated(ish) looking channel names.
Long story short, if it quacks like a duck it probably is.
I wasn't familiar with this bitcoin in any way other than by name and approved
the additions to the dnsrr and the ddosrs. I've removed all of the
following entries and will be whitelisting appropriately.
DDosRS:
173.246.103.92 | tcp | 6667
92.243.23.21 | tcp | 6667
193.107.204.22 | tcp | 6667
193.107.204.81 | tcp | 6667
DNSRR:
RR irc.lfnet.org
We'll just have to hope that bitcoin doesn't add synflood as a feature
because it's everything else "bot" as far as I can tell.
As always, thanks for the feedback!
Thanks,
-Dave
--
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: http://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc
We just launched our new Training Practice, see
http://www.team-cymru.com/Services/Training/
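The false positive above happened because the IRC heuristic alone was trusted; the fix Dave describes is an allowlist. As an added example, not code from the message or from Team Cymru, here is a small triage gate for a DDoS-RS style feed in which a known legitimate IRC server is withheld regardless of how bot-like its traffic looks. The `Candidate` fields, thresholds and the `203.0.113.5` sample address are constructed for illustration.

```python
# Added example: a false-positive gate for reputation-feed entries of the form
# "ip | proto | port". Evidence fields and thresholds are assumptions.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Candidate:
    ip: str
    proto: str
    port: int
    av_hits: int                  # A/V engines that flagged the client binary
    invisible_clients: int        # +i clients seen attached to the IRC server
    hostnames: list = field(default_factory=list)   # names the IP resolves to

# Known legitimate services that must never be published, per the thread.
ALLOWLIST = {"irc.lfnet.org"}

def should_publish(c, allowlist=ALLOWLIST, min_av_hits=2, min_clients=1000):
    """Return (publish, reason). Allowlisted hosts are withheld before any heuristic runs."""
    ipaddress.ip_address(c.ip)    # raises ValueError on a malformed entry
    if any(h.lower() in allowlist for h in c.hostnames):
        return False, "allowlisted"
    if c.av_hits < min_av_hits:
        return False, "insufficient A/V corroboration"
    if c.port == 6667 and c.invisible_clients >= min_clients:
        return True, "IRC C2 pattern corroborated by A/V"
    return False, "no corroborating pattern"

def format_entry(c):
    """Render an entry in the feed's 'ip | proto | port' layout."""
    return f"{c.ip} | {c.proto} | {c.port}"

def build_feed(candidates):
    """Return (published_lines, withheld) for a batch of candidates."""
    published, withheld = [], []
    for c in candidates:
        ok, reason = should_publish(c)
        (published.append(format_entry(c)) if ok else withheld.append((c.ip, reason)))
    return published, withheld

if __name__ == "__main__":
    # Constructed sample: the lfnet entry from the thread plus an unrelated host.
    batch = [
        Candidate("173.246.103.92", "tcp", 6667, 3, 20000, ["irc.lfnet.org"]),
        Candidate("203.0.113.5", "tcp", 6667, 3, 20000, []),
    ]
    pub, held = build_feed(batch)
    print("publish:", pub)
    print("withheld:", held)
```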