[nsp-sec] China contact?

Krista Hickey Krista.Hickey at cogeco.com
Fri Mar 4 14:38:33 EST 2011


Hi All

Does anyone have any trusted contacts that can take a look at 222.35.34.132?

AS      | IP               | AS Name
4808    | 222.35.34.132    | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
24138   | 222.35.34.132    | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunication Corporation
38356   | 222.35.34.132    | NETEON Beijing Neteon Tech Co, Ltd.

I've just concluded an investigation whereby this IP was relaying a large amount of pharmaceutical spam via destination port 35 on exploited Grandstream HT-502 VOIP adapters that some of our subscribers use to receive third-party VOIP services. I do not have in-depth information, but apparently these Grandstream devices were vulnerable to an external hack prior to firmware 1.0.57 that allowed miscreants to use them for DNS purposes (I do not have further details on that) or as a mail relay since approx Aug 2010.

I have worked with the third-party VOIP provider that provides service to our subscribers to eliminate this threat from our network, but IP 222.35.34.132 is still making a few attempts, as it has since at least January 2011 when I started investigating. My investigation revealed that vulnerable hosts were relaying approx 5000 pharma spam messages per host per day. A spam researcher I spoke to about this theorized the spam looked like Bagle-CB spambot, but I did not confirm this; however, if there's interest I can probably get you in touch for further discussion.

If anyone would like further information, let me know. You may want to take a look at your network for activity to/from 222.35.34.132, port 35, and if you have the ability to correlate, it might be prudent to take a quick peek at what hosts with MAC addresses beginning with 000B82 are doing on your network.

Krista
7992
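
The check the post suggests (flows to/from 222.35.34.132 on port 35, correlated with hosts whose MAC OUI is 00:0B:82), as an added example that is not part of the original post and not code from Grandstream, Cogeco or the nsp-security list. The flow-record layout ("timestamp src sport dst dport proto bytes"), the lease layout ("ip mac"), and every sample record below are constructed assumptions; adapt the two parsers to whatever your collector and DHCP server actually emit. It also totals outbound port-25 bytes per flagged host, since the post's symptom was the devices acting as mail relays.

```python
"""Added example: correlate flow logs with DHCP leases to find local hosts
talking to 222.35.34.132 on port 35 and flag Grandstream (00:0B:82) devices.
Record formats and sample data are constructed assumptions, not any real
collector's output."""

from collections import defaultdict

SUSPECT_IP = "222.35.34.132"
SUSPECT_PORT = 35
GRANDSTREAM_OUI = "000b82"   # 00:0B:82, the OUI named in the post

# Constructed sample flows: "timestamp src_ip src_port dst_ip dst_port proto bytes"
FLOW_LOG = """\
2011-03-01T02:14:07 222.35.34.132 51234 10.20.1.44 35 tcp 1840
2011-03-01T02:14:09 10.20.1.44 35 222.35.34.132 51234 tcp 920
2011-03-01T02:15:11 10.20.1.44 42120 198.51.100.25 25 tcp 61200
2011-03-01T02:16:30 10.20.1.77 50001 203.0.113.9 443 tcp 4100
2011-03-01T02:17:02 222.35.34.132 51300 10.20.1.90 35 tcp 1790
2011-03-01T02:18:45 10.20.1.90 35 222.35.34.132 51300 tcp 880
"""

# Constructed sample DHCP lease table: "ip mac"
LEASES = """\
10.20.1.44 00:0b:82:1a:2b:3c
10.20.1.77 00:1c:42:aa:bb:cc
10.20.1.90 00:0B:82:9f:00:11
"""


def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase so the OUI prefix test is format-independent."""
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()


def parse_leases(text: str) -> dict:
    """Map IP -> normalized MAC from the assumed 'ip mac' lease lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            leases[parts[0]] = normalize_mac(parts[1])
    return leases


def parse_flows(text: str) -> list:
    """Parse the assumed 'ts src sport dst dport proto bytes' flow lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip blank or malformed records rather than crash
        ts, src, sport, dst, dport, proto, nbytes = parts
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def suspect_peers(flows: list) -> set:
    """Local hosts that exchanged traffic with SUSPECT_IP where port 35 is the
    local side's port, in either direction (35 is the service port on the device)."""
    peers = set()
    for f in flows:
        if f["src"] == SUSPECT_IP and f["dport"] == SUSPECT_PORT:
            peers.add(f["dst"])
        elif f["dst"] == SUSPECT_IP and f["sport"] == SUSPECT_PORT:
            peers.add(f["src"])
    return peers


def outbound_smtp_bytes(flows: list) -> dict:
    """Bytes each local host sent to port 25 anywhere: a mail-relay indicator."""
    totals = defaultdict(int)
    for f in flows:
        if f["dport"] == 25 and f["src"] != SUSPECT_IP:
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def correlate(flow_text: str, lease_text: str) -> dict:
    """Per suspect peer: its MAC, whether the OUI is Grandstream's, and SMTP volume."""
    flows = parse_flows(flow_text)
    leases = parse_leases(lease_text)
    smtp = outbound_smtp_bytes(flows)
    report = {}
    for host in sorted(suspect_peers(flows)):
        mac = leases.get(host)          # None if the lease table has no entry
        report[host] = {
            "mac": mac,
            "grandstream_oui": mac is not None and mac.startswith(GRANDSTREAM_OUI),
            "smtp_out_bytes": smtp.get(host, 0),
        }
    return report


if __name__ == "__main__":
    for host, info in correlate(FLOW_LOG, LEASES).items():
        print(host, info)
```

On the constructed data this flags 10.20.1.44 and 10.20.1.90 (both 00:0B:82 devices that answered on port 35) and leaves 10.20.1.77 alone; 10.20.1.44 also shows outbound SMTP volume, which is the relay symptom worth chasing first. The OUI match only narrows the candidate list; confirming the device model and firmware version still needs a look at the host itself.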
