[nsp-sec] [SPAM] Re: Two Flashback C&Cs: HE, NTT, Internap, Limelight

Chris Morrow morrowc at ops-netman.net
Thu Apr 19 13:00:52 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 04/19/2012 11:47 AM, Bill Woodcock wrote:
> ----------- nsp-security Confidential --------
> 
> 
> On Apr 19, 2012, at 8:38 AM, Chip Gwyn wrote:
>> Internap checking in. We're starting to poke around.
> 
> Thanks, Chip.
> 
> Update from Apple:
> 
> There were more than 1,000 domains registered over the course of
> more than a month, for a three-layer C&C redirect and
> load-balancing cloud.  Of those, only ten have, so far, actually
> delivered the final malware payload.  All of the others have been
> bootstrap code or redirection or load-balancing.  The two I passed
> along from last night were two of the ten that have been actually
> observed delivering payload.  The other eight are in process of LE
> takedown through the DNS.  But that leaves a lot more domains that
> could be re-purposed, and Apple's observed domains being
> re-purposed already.  Also, there's an update mechanism, and there
> are infected hosts that have been switched from HTTP C&C to Twitter
> C&C.  Twitter is already working with Apple on that.
> 
> I'm calling HE now.

If Apple has the list of C&C domains... there's a list for getting
those disabled as well. (not nsp-sec)

> 
> 
> _______________________________________________ nsp-security
> mailing list nsp-security at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security community. Confidentiality is essential for effective 
> Internet security counter-measures. 
> _______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12-git43c7d1c (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFPkETDr6swUqhDs2sRAnc3AJ91HFSUVvjOnG2SO137CAreU9gy7wCfbMMV
/PoGK9fwaQchOoRHJoWUhM0=
=WUf1
-----END PGP SIGNATURE-----


