[nsp-sec] [SPAM] Re: Two Flashback C&Cs: HE, NTT, Internap, Limelight

Bill Woodcock woody at pch.net
Thu Apr 19 11:47:23 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


On Apr 19, 2012, at 8:38 AM, Chip Gwyn wrote:
> Internap checking in.
>   We're starting to poke around.

Thanks, Chip.

Update from Apple:

There were more than 1,000 domains registered over the course of more than a month, for a three-layer C&C redirect and load-balancing cloud.  Of those, only ten have, so far, actually delivered the final malware payload.  All of the others have been bootstrap code or redirection or load-balancing.  The two I passed along from last night were two of the ten that have been actually observed delivering payload.  The other eight are in process of LE takedown through the DNS.  But that leaves a lot more domains that could be re-purposed, and Apple's observed domains being re-purposed already.  Also, there's an update mechanism, and there are infected hosts that have been switched from HTTP C&C to Twitter C&C.  Twitter is already working with Apple on that.

I'm calling HE now.

                                -Bill




-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJPkDOMAAoJEG+kcEsoi3+HCKIP/38SE/Jfvgnunq3IuM7qiByz
uTYKQecZBMSaIN4JY9E2GJnSnvben6BSrnGgLQUhCD2k+dbNC/P/xCicDOmT7eo6
XO7/V5wBRMC/kYb7/HMztEOGxXJ5llVQ72/08yl0Zd0a2xWulmOZqS1UxcCdGXDa
0Oz4bKSA9B9iCEFwnRs+dPfqczA/nAiQVVVGHRRCptnaryFn3eCP5LtQYbp4vGNl
JcSq78o8dIpPDYnUUvNkBIXgp16qVb+i0FOPcPWLlkY/kw6mRVLW2jMfwzc5XT20
Rwts3SwPaeNwARK2vdZwU1vf2t6dwUKGEY57W5pexzl5mn/Kanr4VdYGijpPXMlZ
Hz2QO7WAeD+n+lcHFJc7oHo1FJEarGghDPiPxt1sLaxqhWNTV7oK1jehKjteOraE
b/qdB49MZt7vnFKe4qooD0wEXnV4a3z4gaPfrzip+kveiQmi4f2penY8SHc5tuoC
F0ragYkERPc/MJcqGpMuRZn1aGBqT11I4PIgyQrPXIWVXn8I9EUPB49kkp+pl/9q
WGT90H+x4Zh0qRrh3NyBXv2YLZeD1NTnf8bo5x8IenlZMy/4CtBdB1dpdmn/2aB3
5LB1lXU72uqLXInPPa7/vwJVjvPOcle7vksGA4uUOGHtwvsWuboGyuOLdVT0t0jC
KbJGegR0AcrmBsd38/6t
=EfQE
-----END PGP SIGNATURE-----
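The update above describes a multi-layer C&C cloud in which most domains only redirect or serve bootstrap code, a handful deliver the payload, and domains already seen are being re-purposed. For a defender holding a watchlist, the practical consequence is that a domain triaged once as "just a redirector" has to be re-evaluated as new observations arrive. The script below is an added example, not code from the original post or from Apple; the host names and proxy-log lines are constructed placeholders, not the real Flashback infrastructure. It classifies each observed response into a coarse role and flags any host that was first seen as redirect/bootstrap and later starts serving a payload-sized binary.

```python
"""Track role changes of watchlisted C&C hosts across observed HTTP responses.

Added example (not part of the original mailing-list post). All host names
and log lines are constructed placeholders. The threshold used to call a
response a "payload" is an assumption chosen for the sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines: timestamp, host, HTTP status, content-type, bytes.
SAMPLE_LOG = """\
2012-04-18T22:10:05 cnc-layer1-a.example 302 text/html 0
2012-04-18T22:10:06 cnc-layer2-b.example 200 text/javascript 812
2012-04-18T22:10:07 cnc-payload-c.example 200 application/octet-stream 412000
2012-04-19T09:15:11 cnc-layer1-a.example 302 text/html 0
2012-04-19T09:15:12 cnc-layer2-b.example 200 application/octet-stream 409884
"""

PAYLOAD_MIN_BYTES = 100_000  # assumption: bootstrap scripts are small, payloads are not


def classify(status, ctype, size):
    """Map one observed response to a coarse role: redirect, bootstrap or payload."""
    if 300 <= status < 400:
        return "redirect"
    if ctype.startswith("application/") and size >= PAYLOAD_MIN_BYTES:
        return "payload"
    return "bootstrap"


def parse(log):
    """Parse the space-separated log format used above into (timestamp, host, role)."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, status, ctype, size = line.split()
        rows.append((datetime.fromisoformat(ts), host,
                     classify(int(status), ctype, int(size))))
    return rows


def roles_by_day(rows):
    """host -> {date -> set of roles observed that day}"""
    out = defaultdict(lambda: defaultdict(set))
    for ts, host, role in rows:
        out[host][ts.date()].add(role)
    return out


def payload_hosts(rows):
    """Hosts that have ever been observed delivering a payload."""
    return sorted({host for _, host, role in rows if role == "payload"})


def repurposed(rows):
    """Hosts first seen only as redirect/bootstrap that later served a payload.

    Returns a list of (host, ISO date of first payload observation).
    """
    flagged = []
    for host, days in roles_by_day(rows).items():
        ordered = sorted(days)
        if "payload" in days[ordered[0]]:
            continue  # delivered payload from the start; nothing changed
        for day in ordered[1:]:
            if "payload" in days[day]:
                flagged.append((host, day.isoformat()))
                break
    return flagged


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("payload hosts:", payload_hosts(rows))
    print("re-purposed:", repurposed(rows))
```

Run against real proxy or DNS-response telemetry, the `repurposed` output is the list of watchlist entries whose earlier triage is now stale; the size threshold and content-type heuristic are the parts to tune to what your own sensors actually record.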