[nsp-sec] Flashback C&C ?
ni at allyourinfoarebelongto.us
Mon Apr 16 18:16:08 EDT 2012
Yes, those are C2 domains for the recent Mac malware being named Flashback. The domains were registered by Dr. Web and the IPs below are part of their sinkhole.
I assume if you have hosts within your network communicating with those hosts, they are infected.
If I can provide specifics, let me know.
HTH,
Nick
Unsigned message sent from mobile device.
On Apr 16, 2012, at 15:23, Mike Tancsa <mike at sentex.net> wrote:
> ----------- nsp-security Confidential --------
>
>
> I received the email below in our support queue from a CDN gov agency
> claiming the hosts below are somehow involved with the Flashback
> botnet. Does anyone have any more details about the hosts below?
>
> --------------------------------------
>
> The Canadian Cyber Incident Response Centre (CCIRC) is responsible for
> monitoring and providing mitigation advice on cyber threats and
> coordinating the national response to cyber security incidents affecting
> Canadian Critical Infrastructures.
>
> CCIRC received reports that IP address(es) associated with your
> organization may be communicating with the malicious Flashback malware
> command and control websites which were recently disabled by cyber
> security organizations.
>
> CCIRC recommends your security team locate and investigate any internal
> hosts communicating with the destination IPs or URLs listed below.
>
> hxxp://vxvhwcixcxqxd[.]com 91[.]233[.]244[.]102
>
> hxxp://cuojshtbohnt[.]com 91[.]233[.]244[.]102
>
> hxxp://Rfffnahfiywyd[.]com 91[.]233[.]244[.]102
> ------------------------------------------------------
>
> ---Mike
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
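An added example of the triage CCIRC asks for, not code from the thread and not CCIRC's or Dr. Web's own tooling: a Python script that refangs the three indicators exactly as listed in the notice and then searches DNS and proxy log lines for internal hosts that resolved or contacted them. The BIND-style and Squid-style log formats, the sample log lines, and the use of RFC 1918 space as "internal" are all assumptions made for the example; a real run would feed in the site's own resolver, proxy or flow logs.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as they appear, defanged, in the CCIRC notice quoted above.
DEFANGED_INDICATORS = [
    "hxxp://vxvhwcixcxqxd[.]com 91[.]233[.]244[.]102",
    "hxxp://cuojshtbohnt[.]com 91[.]233[.]244[.]102",
    "hxxp://Rfffnahfiywyd[.]com 91[.]233[.]244[.]102",
]

# Constructed sample log lines (not from the thread): a BIND-style query log and a
# Squid-style access log. 10.0.0.0/8 plays the role of the internal network.
SAMPLE_DNS_LOG = [
    "16-Apr-2012 14:02:11.123 client 10.1.2.3#51234: query: vxvhwcixcxqxd.com IN A + (10.1.0.1)",
    "16-Apr-2012 14:02:12.456 client 10.1.2.9#51235: query: www.example.org IN A + (10.1.0.1)",
    "16-Apr-2012 14:03:01.789 client 10.1.2.3#51236: query: RFFFNAHFIYWYD.COM IN A + (10.1.0.1)",
]
SAMPLE_PROXY_LOG = [
    "1334599331.123    245 10.1.2.7 TCP_MISS/200 1024 GET http://cuojshtbohnt.com/ - DIRECT/91.233.244.102 text/html",
    "1334599340.001    120 10.1.2.9 TCP_HIT/200 5120 GET http://www.example.org/ - NONE/- text/html",
    "1334599355.500     80 10.1.2.11 TCP_MISS/200 300 CONNECT 91.233.244.102:443 - DIRECT/91.233.244.102 -",
]

# Dotted-quad token that is not embedded in a longer dotted/numeric run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(token: str) -> str:
    """Convert a defanged indicator ('hxxp://', '[.]') back to its plain, lowercased form."""
    plain = token.replace("[.]", ".").replace("(.)", ".")
    plain = re.sub(r"^hxxps?://", "", plain, flags=re.IGNORECASE)
    return plain.rstrip("/").lower()


def parse_indicators(lines: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split the defanged notice lines into a set of domains and a set of IPv4 addresses."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for line in lines:
        for token in line.split():
            plain = refang(token)
            if IPV4_RE.fullmatch(plain):
                ips.add(plain)
            elif "." in plain:
                domains.add(plain)
    return domains, ips


def internal_host(line: str) -> str:
    """Return the first RFC 1918 address on the line: the host the security team should look at."""
    for candidate in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(candidate).is_private:
                return candidate
        except ValueError:
            continue
    return ""


def find_matches(log_lines: List[str], domains: Set[str], ips: Set[str]) -> Dict[str, List[str]]:
    """Map each internal host to the sorted indicators it was seen resolving or contacting."""
    hits: Dict[str, Set[str]] = {}
    for line in log_lines:
        lowered = line.lower()
        # Whole-label domain match; a subdomain of a listed domain also counts.
        matched = {d for d in domains
                   if re.search(r"(?<![\w-])" + re.escape(d) + r"(?![\w-])", lowered)}
        matched |= {ip for ip in ips if ip in IPV4_RE.findall(line)}
        if not matched:
            continue
        host = internal_host(line) or "unknown"
        hits.setdefault(host, set()).update(matched)
    return {host: sorted(found) for host, found in sorted(hits.items())}


def scan_sample_logs() -> Dict[str, List[str]]:
    """Run the indicator scan over the constructed DNS and proxy samples."""
    domains, ips = parse_indicators(DEFANGED_INDICATORS)
    return find_matches(SAMPLE_DNS_LOG + SAMPLE_PROXY_LOG, domains, ips)


if __name__ == "__main__":
    for host, indicators in scan_sample_logs().items():
        print(f"{host}: {', '.join(indicators)}")
```

The scan treats both a DNS lookup of a listed domain and a direct connection to the sinkhole IP as a hit, since the notice lists both forms; a host that only resolved the name may have been blocked at the proxy, so the DNS hits are worth keeping separate from the proxy hits when reporting back.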