[nsp-sec] [SPAM] Re: Two Flashback C&Cs: HE, NTT, Internap, Limelight
Chip Gwyn
cgwyn at internap.com
Thu Apr 19 15:19:13 EDT 2012
So FYI from Oversee....
"The questioned IP is a domain landing service. What happens is: a previously bad domain was transferred to one of
our partners, and they point the domain to our landing services. Our landing
services only return a landing page, no malicious code. Nevertheless, I
blocked this domain name in our services, so any request to this domain
would get a connection reset. I will also contact our partner to remove the glue
record of this domain from the registrar totally."
Thanks all!
--chip
On Thu, Apr 19, 2012 at 11:47 AM, Bill Woodcock <woody at pch.net> wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> On Apr 19, 2012, at 8:38 AM, Chip Gwyn wrote:
> > Internap checking in.
> > We're starting to poke around.
>
> Thanks, Chip.
>
> Update from Apple:
>
> There were more than 1,000 domains registered over the course of more than
> a month, for a three-layer C&C redirect and load-balancing cloud. Of
> those, only ten have, so far, actually delivered the final malware payload.
> All of the others have been bootstrap code or redirection or
> load-balancing. The two I passed along from last night were two of the ten
> that have been actually observed delivering payload. The other eight are
> in process of LE takedown through the DNS. But that leaves a lot more
> domains that could be re-purposed, and Apple's observed domains being
> re-purposed already. Also, there's an update mechanism, and there are
> infected hosts that have been switched from HTTP C&C to Twitter C&C.
> Twitter is already working with Apple on that.
>
> I'm calling HE now.
>
> -Bill
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJPkDOMAAoJEG+kcEsoi3+HCKIP/38SE/Jfvgnunq3IuM7qiByz
> uTYKQecZBMSaIN4JY9E2GJnSnvben6BSrnGgLQUhCD2k+dbNC/P/xCicDOmT7eo6
> XO7/V5wBRMC/kYb7/HMztEOGxXJ5llVQ72/08yl0Zd0a2xWulmOZqS1UxcCdGXDa
> 0Oz4bKSA9B9iCEFwnRs+dPfqczA/nAiQVVVGHRRCptnaryFn3eCP5LtQYbp4vGNl
> JcSq78o8dIpPDYnUUvNkBIXgp16qVb+i0FOPcPWLlkY/kw6mRVLW2jMfwzc5XT20
> Rwts3SwPaeNwARK2vdZwU1vf2t6dwUKGEY57W5pexzl5mn/Kanr4VdYGijpPXMlZ
> Hz2QO7WAeD+n+lcHFJc7oHo1FJEarGghDPiPxt1sLaxqhWNTV7oK1jehKjteOraE
> b/qdB49MZt7vnFKe4qooD0wEXnV4a3z4gaPfrzip+kveiQmi4f2penY8SHc5tuoC
> F0ragYkERPc/MJcqGpMuRZn1aGBqT11I4PIgyQrPXIWVXn8I9EUPB49kkp+pl/9q
> WGT90H+x4Zh0qRrh3NyBXv2YLZeD1NTnf8bo5x8IenlZMy/4CtBdB1dpdmn/2aB3
> 5LB1lXU72uqLXInPPa7/vwJVjvPOcle7vksGA4uUOGHtwvsWuboGyuOLdVT0t0jC
> KbJGegR0AcrmBsd38/6t
> =EfQE
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
--chip
Chip Gwyn | IP Network Architecture
---------------------------------------------------------------
Phone 404.302.9976
cgwyn at internap.com * www.internap.com
INTERNAP
connectivity | colocation | managed hosting | cloud
One Ravinia Drive . Suite 1300 . Atlanta . GA . 30346
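The update above describes a three-layer C&C cloud of redirectors and load balancers in which only a handful of the registered domains ever served the final payload, domains being re-purposed over time, and (in the Oversee reply) a domain blocked so that requests get a connection reset. The script below is an added example, not code from the nsp-security list, Apple, or any provider named in the thread: it takes constructed HTTP probe records (every hostname is a placeholder under .example, and the day numbers, status codes and content types are invented) and computes the redirect layers, which redirectors fan out to several targets, which hosts actually delivered a payload on a given day, and which hosts changed role between observations.

```python
"""Map a multi-layer C&C redirect cloud from HTTP probe records.

Added illustration for the infrastructure described in the thread; this is
not code from the nsp-security list, Apple, or any provider named there.
The probe records are constructed and every hostname is a placeholder.
"""
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed observations: (day, host, http_status, location_header, content_type).
# A status of None models a TCP connection reset (no HTTP response at all),
# which is what a blocked or sinkholed domain looks like from the probe side.
PROBES = [
    (1, "entry-a.example", 302, "http://lb-1.example/go", None),
    (1, "entry-b.example", 302, "http://lb-2.example/go", None),
    (1, "entry-c.example", 302, "http://lb-1.example/go", None),
    (1, "lb-1.example",    302, "http://drop-1.example/pkg", None),
    (1, "lb-2.example",    302, "http://drop-2.example/pkg", None),
    (1, "lb-2.example",    302, "http://boot-1.example/stage", None),
    (1, "drop-1.example",  200, None, "application/octet-stream"),
    (1, "drop-2.example",  200, None, "application/octet-stream"),
    (1, "boot-1.example",  200, None, "text/javascript"),
    (2, "boot-1.example",  200, None, "application/octet-stream"),  # re-purposed
    (2, "drop-1.example",  None, None, None),                       # blocked: RST
]

# Content types treated as "final payload"; an assumption of this example.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-mach-binary"}


def classify(status, location, ctype):
    """Role of one observation under this example's own rules."""
    if status is None:
        return "unreachable"
    if 300 <= status < 400 and location:
        return "redirector"
    if status == 200 and ctype in PAYLOAD_TYPES:
        return "payload"
    if status == 200:
        return "bootstrap"
    return "other"


def redirect_graph(probes):
    """host -> set of hosts it redirects to, taken from 3xx Location headers."""
    graph = defaultdict(set)
    for _, host, status, location, _ in probes:
        if status is not None and 300 <= status < 400 and location:
            graph[host].add(urlsplit(location).hostname)
    return graph


def layer_depth(probes):
    """BFS depth of every host from the entry hosts (those nobody redirects to)."""
    graph = redirect_graph(probes)
    targets = {t for ts in graph.values() for t in ts}
    hosts = {h for _, h, *_ in probes} | targets
    depth = {h: 0 for h in hosts - targets}
    queue = deque(depth)
    while queue:
        h = queue.popleft()
        for nxt in graph.get(h, ()):
            if nxt not in depth:
                depth[nxt] = depth[h] + 1
                queue.append(nxt)
    return depth


def load_balancers(probes):
    """Redirectors with more than one distinct target (fan-out = balancing)."""
    return {h: len(t) for h, t in redirect_graph(probes).items() if len(t) > 1}


def payload_hosts(probes, day=None):
    """Hosts observed actually delivering a payload, optionally on one day only."""
    return {h for d, h, s, loc, ct in probes
            if (day is None or d == day) and classify(s, loc, ct) == "payload"}


def role_changes(probes):
    """Hosts whose role on their last observation differs from their first."""
    first, last = {}, {}
    for d, h, s, loc, ct in sorted(probes, key=lambda p: p[0]):
        role = classify(s, loc, ct)
        first.setdefault(h, role)
        last[h] = role
    return {h: (first[h], last[h]) for h in first if first[h] != last[h]}


if __name__ == "__main__":
    depth = layer_depth(PROBES)
    print("layers:", max(depth.values()) + 1)
    print("load balancers:", load_balancers(PROBES))
    print("payload on day 1:", sorted(payload_hosts(PROBES, day=1)))
    print("role changes:", role_changes(PROBES))
```

Over the constructed records the graph has three layers (entry, balancer, terminal), only two of the eight hosts deliver a payload on day 1, and the role-change report shows both transitions the thread cares about: a bootstrap host re-purposed to serve payload, and a payload host that now answers with a connection reset after being blocked. Run against real probe data, the same report is what you would hand to the hosting providers, since only the hosts in the payload and re-purposed sets need immediate action.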