[nsp-sec] 5 IPs prepaid card root cause crime
Dave Monnier
dmonnier at cymru.com
Mon Mar 12 10:42:16 EDT 2012
Hi, Christoph!
Comments below.
On 3/11/12 9:08 AM, Christoph Sprongl wrote:
> Hi,
>
> any contact, data or background data from Feb 1 2012 until now from the
> following IPs:
>
> 188.72.202.81
Windows system (probably XP)
Dynamic RR service has had this RR pointed at it in Feb:
zumobtr.ru
No malware we've seen uses the RR
> 95.245.248.117
Windows system (probably XP)
> 31.193.15.218
Nothing, sorry.
> 92.77.254.105
Windows system, possible dual boot with FreeBSD
> 88.153.142.247
Dynamic RR service had this RR pointed at it from Feb 02 - 12
hurt.myftp.org
We've seen a malware sample labeled as the following signatures using
the RR in January.
AV Engine              Country  Signature
Alwil (avast)          CZ       Win32:Flooder-GR
Arcabit (arcavir)      PL       Trojan.Pws.Spy.23
Avira (antivir)        DE       Generic
BitDefender            RO       Trojan.Generic.KDV.379771
Dr. Web                RU       Trojan.PWS.Spy.12318
Frisk (f-prot)         IS       W32/Downloader.C.gen!Eldorado
F-Secure               FI       Trojan.Generic.KDV.379771
GData                  DE       Trojan.Generic.KDV.379771
Grisoft (avg)          CZ       Delf.ACDP
Ikarus                 AT       Trojan.Win32.CDur
Kaspersky              RU       Backdoor.Win32.Delf.abim
Sophos                 GB       Mal/Behav-058
VirusBlokAda (vba32)   BY       Backdoor.Delf.abim
Hash info:
sha1: e1b002b6e948bc26d87495e9e9597dbad8e4ef6e
md5: e5e85274cb67789bae8a6c3a60b9063a
At the time the RR was at 88.153.141.134 with the malware reaching out
to TCP/5555
Other IPs used by the RR between Jan 10-13:
88.153.141.134
88.153.140.203
Cheers,
-Dave
--
Dave Monnier
Team Cymru
https://www.team-cymru.org/
PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc