[nsp-sec] Flashback C&C ?
Eric Ziegast
ziegast at isc.org
Mon Apr 16 16:22:03 EDT 2012
Mike Tancsa wrote:
> I received the email below in our support queue from a CDN gov agency
> claiming the hosts below are somehow involved with the flashback
> botnet. Does anyone have any more details about the hosts below ?
Some captured C&C domains exist for Flashback (*) that are being
captured by white hats for sinkholes. Some organizations, including
CCIRC, may be getting feeds of which machines are accessing the
sinkholes (determining infection).
About CCIRC: I know that CCIRC is a real organization run by Public
Safety Canada. If you got a notice, they probably think you're a
Canadian organization in their notification domain. You might have a
Canadian ISP as one of your uplinks. If you don't have a direct
relationship with them, perhaps you should reach out to them for
future work:
http://www.publicsafety.gc.ca/abt/contact-eng.aspx
For anyone disseminating information, it may help those notified to
include time stamps and source port numbers along with the IP
addresses so that the affected organization can do some better
attribution to the correct client in case there are NAT or DHCP issues.
It's possible that Apple updates might do a good job of uninstalling
this specific infection and disabling Java, but then again who knows
for sure what a criminal can do or drop onto a computer once they get
access? Sinkhole notification (like Conficker, DNSChanger, etc.) may
be necessary in the future for this infection.
--
Eric Ziegast
(*) For more public information about Flashback, check out the Krebs
articles:
http://krebsonsecurity.com/2012/04/urgent-fix-for-zero-day-mac-java-flaw/
http://krebsonsecurity.com/2012/04/how-to-find-and-remove-mac-flashback-infections/
Less amusing, here's info about lack of cooperation on sinkhole
efforts:
http://onforb.es/Htm0vW
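The attribution problem Eric raises (a sinkhole hit arriving as a bare public IP, with NAT and DHCP in the way) is easier to see with a concrete correlation. The following is an added example, not code from the post or from any sinkhole operator: it takes a sinkhole record (timestamp, source IP, optional source port) and maps it back to the inside host through constructed NAT translation and DHCP lease logs. The log line formats, IP addresses, MACs and ports are all hypothetical; a real firewall or DHCP server needs its own parser, but the matching logic is the same.

```python
"""Attribute a sinkhole hit to the internal client behind NAT.

Added example, not from the original post. The NAT translation and
DHCP lease formats below are hypothetical, chosen for illustration;
real firewall/DHCP logs need their own parsers.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class SinkholeHit:
    ts: datetime             # when the sinkhole saw the connection (UTC)
    src_ip: str              # public IP the notifier reported
    src_port: Optional[int]  # source port, if the notifier included it


@dataclass(frozen=True)
class NatSession:
    start: datetime
    end: datetime
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


@dataclass(frozen=True)
class DhcpLease:
    start: datetime
    end: datetime
    ip: str
    mac: str


# Constructed sample logs (hypothetical formats, RFC 5737 addresses).
# NAT: "<start> <end> <inside_ip>:<port> -> <outside_ip>:<port>"
NAT_LOG = """\
2012-04-16T14:00:00Z 2012-04-16T14:05:00Z 10.1.1.20:51234 -> 198.51.100.7:40001
2012-04-16T14:01:00Z 2012-04-16T14:06:00Z 10.1.1.31:51234 -> 198.51.100.7:40002
2012-04-16T15:00:00Z 2012-04-16T15:03:00Z 10.1.1.31:49152 -> 198.51.100.7:40001
"""
# DHCP: "<start> <end> <ip> <mac>"
DHCP_LOG = """\
2012-04-16T08:00:00Z 2012-04-16T20:00:00Z 10.1.1.20 00:11:22:33:44:55
2012-04-16T08:00:00Z 2012-04-16T20:00:00Z 10.1.1.31 66:77:88:99:aa:bb
"""


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_nat_log(text: str) -> list:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, inside, _arrow, outside = line.split()
        in_ip, in_port = inside.rsplit(":", 1)
        out_ip, out_port = outside.rsplit(":", 1)
        sessions.append(NatSession(parse_ts(start), parse_ts(end),
                                   in_ip, int(in_port), out_ip, int(out_port)))
    return sessions


def parse_dhcp_log(text: str) -> list:
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, mac = line.split()
        leases.append(DhcpLease(parse_ts(start), parse_ts(end), ip, mac))
    return leases


def attribute(hit: SinkholeHit, sessions: list, leases: list) -> dict:
    """Map a sinkhole hit to inside host(s).

    Returns {"inside_ips": [...], "macs": [...]}. More than one inside_ip
    means the notice was too coarse (no port, or port reused) to attribute.
    """
    cands = [s for s in sessions
             if s.outside_ip == hit.src_ip and s.start <= hit.ts <= s.end]
    if hit.src_port is not None:
        cands = [s for s in cands if s.outside_port == hit.src_port]
    inside_ips = sorted({s.inside_ip for s in cands})
    # Follow the inside IP to a MAC via the DHCP lease active at that time.
    macs = sorted({l.mac for l in leases
                   if l.ip in inside_ips and l.start <= hit.ts <= l.end})
    return {"inside_ips": inside_ips, "macs": macs}


def demo():
    sessions = parse_nat_log(NAT_LOG)
    leases = parse_dhcp_log(DHCP_LOG)
    ts = parse_ts("2012-04-16T14:02:00Z")
    precise = attribute(SinkholeHit(ts, "198.51.100.7", 40001), sessions, leases)
    coarse = attribute(SinkholeHit(ts, "198.51.100.7", None), sessions, leases)
    return precise, coarse


if __name__ == "__main__":
    precise, coarse = demo()
    print("with port:   ", precise)
    print("without port:", coarse)
```

With the port, the 14:02 hit resolves to a single inside host and MAC; without it, two hosts were translated to the same public address at that instant and the notice cannot be attributed further. The same port (40001) is reused by a different inside host an hour later, which is why the timestamp is needed as well as the port.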