[nsp-sec] IPs contacting "zeus" C&C
Smith, Donald
Donald.Smith at CenturyLink.com
Tue Oct 18 13:30:02 EDT 2011
This came from Dr Richard Clayton (richard.clayton at cl.cam.ac.uk), whom some of you know; he sent this out and I asked for his permission to share it here.
There was a "Zeus" C&C on basedmarket.com on the 9th/10th October... and the criminals kindly arranged to leave their web logs world readable, so that I was able to extract all the IPs that did:
POST /db.php
GET /images/logo.jpg
GET /distr/antivirus.exe
This of course includes a whole lot of AV companies and other analysts, but also around 1400 real people whose machines need sorting out.
The attached file contains full details (giving IP and the GMT times of the first and last contact with the C&C).
The ASs involved are:
14, 46, 71, 111, 174, 209, 702, 1103, 1239, 1423, 1680, 2379, 2510, 2637, 2698, 2828, 2856, 2899, 2914, 2939, 3209, 3215, 3243, 3248, 3320, 3352, 3356, 3462, 3505, 3561, 3737, 3776, 3786, 3801, 4134, 4181, 4323, 4436, 4739, 4755, 4766, 4808, 5078, 5089, 5577, 5650, 5742, 5778, 6079, 6128, 6181, 6198, 6222, 6327, 6368, 6389, 6400, 6539, 6621, 6697, 6799, 7011, 7015, 7016, 7018, 7029, 7050, 7132, 7151, 7459, 7474, 7545, 7552, 7725, 7754, 7782, 7795, 7796, 8047, 8075, 8103, 8167, 8220, 8308, 8374, 8404, 8452, 8551, 8560, 9044, 9050, 9064, 9116, 9121, 9299, 9304, 9318, 9658, 9848, 9931, 10297, 10474, 10507, 10730, 10796, 10838, 11060, 11090, 11232, 11240, 11351, 11426, 11427, 11492, 11596, 11643, 11693, 11714, 11888, 11955, 11960, 11979, 12083, 12112, 12262, 12271, 12297, 12322, 12338, 12570, 12871, 13110, 13193, 13194, 13213, 13367, 13448, 13490, 13576, 13675, 14361, 14420, 14512, 14615, 14618, 14658, 14834, 14921, 14987, 15162, 15169, 15290, 15293, 15659, 15734, 15756, 15831, 15968, 16265, 16276, 16417, 16586, 16718, 16810, 16848, 16880, 17232, 17253, 17762, 17839, 18494, 18712, 18779, 18786, 18812, 18859, 19108, 19262, 19271, 19751, 20001, 20057, 20115, 20141, 20214, 20231, 20257, 20773, 20825, 20960, 21219, 21263, 21321, 21345, 21508, 21797, 21844, 21928, 22258, 22351, 22394, 22561, 22759, 22773, 22781, 23158, 23724, 24456, 24560, 24940, 25019, 25515, 26230, 26250, 26347, 26449, 26744, 26827, 28573, 28706, 29405, 29550, 29737, 29761, 29859, 29873, 29980, 30036, 30444, 30900, 31147, 31198, 31252, 31334, 31500, 32107, 32220, 32331, 32363, 32475, 32613, 32645, 33038, 33287, 33363, 33440, 33489, 33490, 33491, 33588, 33650, 33651, 33652, 33654, 33657, 33660, 33662, 33665, 33666, 33668, 34267, 34400, 36049, 36441, 36727, 36923, 38949, 39309, 39435, 39758, 40285, 41048, 41958, 41983, 42708, 43103, 43350, 44398, 46687, 47155, 47524, 51377, 53250, 55740, 197043
When packets collide the controllers cease transmission AND wait a random time before retransmission (mostly)!
Donald.Smith at CenturyLink.com
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
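The extraction Richard describes (pull every client IP that made one of the three C&C requests out of the web logs and record its first and last contact in GMT) is simple to reproduce. The Python below is an added example written for this archive page, not Richard's or Donald's script; it assumes the C&C served Apache "combined" format logs (the list never says what the format was) and runs over a handful of constructed sample lines using RFC 5737 documentation addresses. The optional `exclude_ips` set is a hypothetical hook for dropping known AV-company and analyst scanners before victim notification.

```python
import re
from datetime import datetime, timezone

# The three request lines Richard used to recognise a host talking to the C&C.
# A query string is stripped before matching so "/db.php?x=1" still counts.
CNC_REQUESTS = {
    ("POST", "/db.php"),
    ("GET", "/images/logo.jpg"),
    ("GET", "/distr/antivirus.exe"),
}

# Apache "combined" log layout. ASSUMPTION: the real logs were not shared on the
# list, so the field order here is a guess at a common web server default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log, RFC 5737 addresses only. Timestamps carry mixed
# offsets on purpose so the GMT normalisation is exercised.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Oct/2011:22:15:03 +0100] "POST /db.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Oct/2011:03:40:11 +0100] "POST /db.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Oct/2011:17:02:45 -0400] "GET /distr/antivirus.exe HTTP/1.1" 200 88123 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2011:01:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2011:02:10:30 +0000] "GET /images/logo.jpg HTTP/1.1" 200 3456 "-" "Mozilla/4.0"
this line is not a log entry and is skipped
"""


def parse_line(line):
    """Return (ip, utc_timestamp, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ts = ts.astimezone(timezone.utc)  # everything reported in GMT, as in the original
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path


def extract_contacts(lines, exclude_ips=frozenset()):
    """Map each IP that made a C&C request to (first_utc, last_utc, hit_count).

    exclude_ips is a hypothetical allowlist for known analyst / AV scanners so
    they are not treated as victims needing notification.
    """
    contacts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if ip in exclude_ips or (method, path) not in CNC_REQUESTS:
            continue
        if ip in contacts:
            first, last, hits = contacts[ip]
            contacts[ip] = (min(first, ts), max(last, ts), hits + 1)
        else:
            contacts[ip] = (ts, ts, 1)
    return contacts


def format_report(contacts):
    """Tab-separated 'ip first_gmt last_gmt hits' rows, ordered by first contact."""
    rows = []
    for ip, (first, last, hits) in sorted(contacts.items(), key=lambda kv: kv[1][0]):
        rows.append(f"{ip}\t{first:%Y-%m-%d %H:%M:%S}\t{last:%Y-%m-%d %H:%M:%S}\t{hits}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(extract_contacts(SAMPLE_LOG.splitlines())))
```

The report feeds the per-AS split Richard mentions: once each IP has its first/last GMT contact, a whois or BGP lookup (not included here) maps it to an origin AS so each operator on the list can pick out its own customers.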