[nsp-sec] botnet C&C at The Planet and malware download at dyndns.com client
CERT-UT - Peter
p.g.m.peters at utwente.nl
Mon Mar 26 11:53:42 EDT 2012
Hi,
This afternoon (12:30 - 12:58 UTC+2) we experienced a large flood
towards one system (130.89.36.159) in our network. The flow came from
74.218.68.132 and was 2.1 Gbps. Our 1Gbps line did not cope. We did get
some netflow statistics and it was mainly random src port to random dst
port UDP traffic.
Later that afternoon we got a complaint about an attack from our system
towards another IP address (66.199.135.9). This made us have a closer
look. It appeared our system was compromised through an FTP account with
a weak password. The miscreant installed scripts and binaries in .gnome/
and .gnome2/.
This host contacted something that looked like a C&C:
> 2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
> 2012-03-26 12:32:12.450 0.128 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 127 1
> 2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
> 2012-03-26 12:33:50.331 4.032 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 3 225 1
> 2012-03-26 12:33:58.991 10.752 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 150 1
> 2012-03-26 12:34:31.352 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 75 1
> 2012-03-26 12:35:08.808 6.848 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 6 510 1
> 2012-03-26 12:35:17.160 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 146 1
> 2012-03-26 12:37:00.700 0.000 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 1 85 1
Shortly after this the system contacted another site on port 80. C&C or
malware? This host is currently known as checkip-iad.dyndns.com.
> 2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
> 2012-03-26 12:48:35.236 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 4 240 1
> 2012-03-26 12:48:50.564 6.016 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
> 2012-03-26 12:49:17.033 0.000 TCP 130.89.36.159:56658 -> 216.146.38.70:80 1 60 1
> 2012-03-26 12:49:17.106 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
> 2012-03-26 12:49:38.473 0.000 TCP 216.146.38.70:80 -> 130.89.36.159:56658 1 60 1
The IP address we got a complaint from seemed to be not that innocent.
We observed something like an SSH scan:
> Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
> 2012-03-26 12:36:12.173 6.016 TCP 66.199.135.9:36984 -> 130.89.36.159:22 2 120 1
> 2012-03-26 12:37:03.954 3.008 TCP 66.199.135.9:37036 -> 130.89.36.159:22 2 120 1
> 2012-03-26 12:37:12.931 0.000 TCP 66.199.135.9:37036 -> 130.89.36.159:22 1 60 1
> 2012-03-26 12:38:50.473 0.256 TCP 130.89.36.159:22 -> 66.199.135.9:37189 2 144 1
> 2012-03-26 12:38:50.473 0.384 TCP 66.199.135.9:37189 -> 130.89.36.159:22 3 164 1
> 2012-03-26 12:40:58.890 7.872 TCP 130.89.36.159:22 -> 66.199.135.9:37189 2 104 1
> 2012-03-26 12:40:59.139 7.872 TCP 66.199.135.9:37189 -> 130.89.36.159:22 2 128 1
> 2012-03-26 12:41:20.338 8.960 TCP 66.199.135.9:37249 -> 130.89.36.159:22 3 180 1
> 2012-03-26 12:41:22.578 0.000 TCP 130.89.36.159:22 -> 66.199.135.9:37189 1 52 1
> 2012-03-26 12:41:22.575 0.000 TCP 66.199.135.9:37189 -> 130.89.36.159:22 1 64 1
> 2012-03-26 12:42:57.143 0.000 TCP 130.89.36.159:22 -> 66.199.135.9:37189 1 52 1
At this moment we think this might be two gangs attacking each other. We
did not observe any traffic towards 74.218.68.132. That IP address did
however stop its flood when we disconnected our system from the network.
--
Peter Peters
CERT-UT Officer
cert at utwente.nl http://www.utwente.nl/itsecurity
office-hours: +31 53 489 2301
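As an added example (not part of Peter's post), a small Python triage script that parses nfdump-style flow lines like the ones quoted above and flags the two indicators the message reasons about: peers of the compromised host on IRC port 6667 (C&C candidates) and external hosts making repeated connections to its port 22. The sample records are copied from the message; the function names and the threshold of three distinct source ports are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the nfdump 'line' layout quoted in the post (records
# taken from the message). In practice this would be 'nfdump -o line' output.
FLOWS = """\
2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
2012-03-26 12:35:08.808 6.848 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 6 510 1
2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
2012-03-26 12:36:12.173 6.016 TCP 66.199.135.9:36984 -> 130.89.36.159:22 2 120 1
2012-03-26 12:37:03.954 3.008 TCP 66.199.135.9:37036 -> 130.89.36.159:22 2 120 1
2012-03-26 12:41:20.338 8.960 TCP 66.199.135.9:37249 -> 130.89.36.159:22 3 180 1
"""

# date time duration proto src:port -> dst:port packets bytes flows
LINE = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)

def parse_flows(text):
    """Parse nfdump-style records; header lines and '> ' quoting are skipped/stripped."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line.strip().lstrip("> ").strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes", "flows"):
                d[k] = int(d[k])
            recs.append(d)
    return recs

def triage(recs, victim, irc_ports=(6667,), ssh_threshold=3):
    """Return (irc_peers, ssh_sources) for the given victim address.
    irc_peers: hosts the victim talked to on an IRC port (C&C candidates).
    ssh_sources: hosts with >= ssh_threshold distinct source ports to victim:22
    (repeated SSH connection attempts, i.e. a scan or password guessing)."""
    irc_peers = set()
    ssh_ports = defaultdict(set)
    for r in recs:
        if r["proto"] != "TCP":
            continue
        if r["sip"] == victim and r["dport"] in irc_ports:
            irc_peers.add(r["dip"])
        elif r["dip"] == victim and r["sport"] in irc_ports:
            irc_peers.add(r["sip"])
        if r["dip"] == victim and r["dport"] == 22:
            ssh_ports[r["sip"]].add(r["sport"])
    ssh_sources = sorted(h for h, p in ssh_ports.items() if len(p) >= ssh_threshold)
    return sorted(irc_peers), ssh_sources
```

Run `triage(parse_flows(FLOWS), "130.89.36.159")` to get the two IRC peers and the single SSH source from the sample; the port-80 checkip flow is left for manual review, as in the post.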