[nsp-sec] Flashback C&C ?

jose nazario jose at arbor.net
Mon Apr 16 18:39:48 EDT 2012


if someone can reach CCIRC they should be more clear about the origin of the data. "CnC" vs "Sinkhole" is a HUGE difference. if they're not clear then i would suggest they not distribute the data.

_____
Jose Nazario, Ph.D.
Manager of Security Research, Arbor Networks
jose at arbor.net

On Apr 16, 2012, at 6:16 PM, ni at allyourinfoarebelongto.us wrote:

> ----------- nsp-security Confidential --------
> 
> Yes, those are C2 domains for the recent Mac malware being named Flashback. The domains were registered by Dr. Web and the IPs below are part of their sinkhole. 
> 
> I assume if you have hosts within your network communicating with those hosts, they are infected. 
> 
> If I can provide specifics, let me know. 
> 
> HTH,
> Nick
> 
> Unsigned message sent from mobile device. 
> 
> On Apr 16, 2012, at 15:23, Mike Tancsa <mike at sentex.net> wrote:
> 
>> ----------- nsp-security Confidential --------
>> 
>> 
>> I received the email below in our support queue from a CDN gov agency
>> claiming the hosts below are somehow involved with the flashback
>> botnet. Does anyone have any more details about the hosts below?
>> 
>> --------------------------------------
>> 
>> The Canadian Cyber Incident Response Centre (CCIRC) is responsible for
>> monitoring and providing mitigation advice on cyber threats and
>> coordinating the national response to cyber security incidents affecting
>> Canadian Critical Infrastructures.
>> 
>> CCIRC received reports that IP address(es) associated with your
>> organization may be communicating with the malicious Flashback malware
>> command and control websites which were recently disabled by cyber
>> security organizations.
>> 
>> CCIRC recommends your security team locate and investigate any internal
>> hosts communicating with the destination IPs or URLs listed below.
>> 
>> hxxp://vxvhwcixcxqxd[.]com 91[.]233[.]244[.]102
>> 
>> hxxp://cuojshtbohnt[.]com 91[.]233[.]244[.]102
>> 
>> hxxp://Rfffnahfiywyd[.]com 91[.]233[.]244[.]102
>> ------------------------------------------------------
>> 
>>   ---Mike
>> -- 
>> -------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, mike at sentex.net
>> Providing Internet services since 1994 www.sentex.net
>> Cambridge, Ontario Canada   http://www.tancsa.com/
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
> 
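An added illustration of the action CCIRC recommends above, with Jose's point about data origin built in (this is example code written for this archive page, not anything the thread's participants posted): it refangs the listed indicators, tags each one with where the data came from (labelled "sinkhole" here, following Nick's reply that the IP is Dr. Web's sinkhole), and scans constructed proxy and DNS log lines for internal hosts that contacted them. The log lines, the private-address heuristic for "internal host", and the squid/named formats are assumptions for the sake of the example.

```python
import re

# Indicators exactly as defanged in the CCIRC notice quoted above.
# Origin label is taken from Nick's reply (Dr. Web sinkhole), so every
# report line carries "sinkhole" rather than implying a live C&C.
DEFANGED_INDICATORS = [
    ("hxxp://vxvhwcixcxqxd[.]com", "91[.]233[.]244[.]102", "sinkhole"),
    ("hxxp://cuojshtbohnt[.]com", "91[.]233[.]244[.]102", "sinkhole"),
    ("hxxp://Rfffnahfiywyd[.]com", "91[.]233[.]244[.]102", "sinkhole"),
]

def refang(value):
    """Turn hxxp:// and [.] back into a matchable host or IP (lowercased)."""
    v = value.strip().lower().replace("[.]", ".")
    v = re.sub(r"^hxxps?://", "", v)
    return v.rstrip("/")

def build_watchlist(defanged):
    """Map refanged host/IP -> origin label, so hits keep their provenance."""
    watch = {}
    for url, ip, origin in defanged:
        watch[refang(url)] = origin
        watch[refang(ip)] = origin
    return watch

# Constructed sample logs (not from the thread): squid-style proxy lines and one named query log line.
SAMPLE_LOGS = [
    "1334610000.123 10.0.5.21 TCP_MISS/200 GET http://vxvhwcixcxqxd.com/ - DIRECT/91.233.244.102",
    "1334610005.456 10.0.5.22 TCP_MISS/200 GET http://www.example.org/ - DIRECT/93.184.216.34",
    "Apr 16 18:01:02 resolver named: client 10.0.7.9#5353: query: cuojshtbohnt.com IN A",
    "1334610010.789 10.0.5.23 TCP_MISS/200 CONNECT 91.233.244.102:443 - DIRECT/91.233.244.102",
]

TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")  # crude split into hostname/IP-shaped tokens
# Assumption: the internal host is the first RFC 1918 address on the line.
INTERNAL_RE = re.compile(r"\b(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def find_internal_hosts(log_lines, watch):
    """Return sorted (internal_host, indicator, origin) tuples for lines touching the watchlist."""
    hits = set()
    for line in log_lines:
        src = INTERNAL_RE.search(line)
        if not src:
            continue
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower().strip(".")
            if tok in watch:
                hits.add((src.group(0), tok, watch[tok]))
    return sorted(hits)

if __name__ == "__main__":
    for host, ioc, origin in find_internal_hosts(SAMPLE_LOGS, build_watchlist(DEFANGED_INDICATORS)):
        print(f"{host} contacted {ioc} (data origin: {origin}; investigate host as likely infected)")
```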