[nsp-sec] botnet C&C at The Planet and malware download at dyndns.com client
Tim Wilde
twilde at cymru.com
Mon Mar 26 12:08:29 EDT 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 3/26/2012 11:53 AM, CERT-UT - Peter wrote:
> This host contacted something that looked like a C&C:
>> 2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
>> 2012-03-26 12:32:12.450 0.128 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 127 1
>> 2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
>> 2012-03-26 12:33:50.331 4.032 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 3 225 1
>> 2012-03-26 12:33:58.991 10.752 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 150 1
>> 2012-03-26 12:34:31.352 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 75 1
>> 2012-03-26 12:35:08.808 6.848 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 6 510 1
>> 2012-03-26 12:35:17.160 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 146 1
>> 2012-03-26 12:37:00.700 0.000 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 1 85 1
Chris,
174.123.217.5:6667 does in fact look like a C&C, we have probed it and
added it to the DDoS-RS. Thanks for pointing it out!
> Shortly after this the system contacted another site on port 80.
> C&C or malware? This host is currently known as
> checkip-iad.dyndns.com.
>
>> 2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
>> 2012-03-26 12:48:35.236 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 4 240 1
>> 2012-03-26 12:48:50.564 6.016 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
>> 2012-03-26 12:49:17.033 0.000 TCP 130.89.36.159:56658 -> 216.146.38.70:80 1 60 1
>> 2012-03-26 12:49:17.106 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
>> 2012-03-26 12:49:38.473 0.000 TCP 216.146.38.70:80 -> 130.89.36.159:56658 1 60 1
This is not a C&C, but a legitimate IP checking service run by Dyn,
Inc. Possibly being abused by the malware to find its public IP,
possibly unrelated to the malware.
Best regards,
Tim
- --
Tim Wilde, Software Engineer, Team Cymru, Inc.
twilde at cymru.com | +1-847-378-3333 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
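A triage script for flow records in the layout quoted above, added here as an example; it is not code from the thread, from Team Cymru or from CERT-UT. It reflows the quoted records one per line, groups both directions of each conversation under the remote service port, flags sessions to an IRC port that persist for at least a minute as candidate C&C, labels contacts with a known public-IP lookup service, and then reports lookups that started after a host's last IRC activity, which is the ordering the reply above treats as suggestive but not conclusive. The record layout (date, time, duration, protocol, src -> dst, packets, bytes, flows) is inferred from the quoted lines; MONITORED_PREFIX, the IRC port set, the 60-second threshold and the IP_CHECK_SERVICES allowlist (seeded only with the checkip-iad.dyndns.com address named in the thread) are assumptions.

```python
"""Triage netflow records for IRC contacts and public-IP lookups (added example)."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# The flows quoted in the thread, reflowed one record per line.
SAMPLE_FLOWS = """\
2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
2012-03-26 12:32:12.450 0.128 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 127 1
2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
2012-03-26 12:33:50.331 4.032 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 3 225 1
2012-03-26 12:33:58.991 10.752 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 150 1
2012-03-26 12:34:31.352 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 75 1
2012-03-26 12:35:08.808 6.848 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 6 510 1
2012-03-26 12:35:17.160 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 146 1
2012-03-26 12:37:00.700 0.000 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 1 85 1
2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
2012-03-26 12:48:35.236 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 4 240 1
2012-03-26 12:48:50.564 6.016 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
2012-03-26 12:49:17.033 0.000 TCP 130.89.36.159:56658 -> 216.146.38.70:80 1 60 1
2012-03-26 12:49:17.106 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
2012-03-26 12:49:38.473 0.000 TCP 216.146.38.70:80 -> 130.89.36.159:56658 1 60 1
"""

MONITORED_PREFIX = "130.89."   # assumed: the reporting site's own address space
IRC_PORTS = {6667}             # assumed; a real deployment would add 6660-6669, 7000
IP_CHECK_SERVICES = {          # assumed allowlist; the one entry is the host named in the thread
    "216.146.38.70": "checkip-iad.dyndns.com",
}
MIN_CANDIDATE_SPAN = 60.0      # seconds an IRC session must persist to be flagged

Flow = namedtuple("Flow", "start duration src sport dst dport packets octets")


def parse_flow(line):
    """Parse one record: date time duration proto src -> dst packets bytes flows."""
    f = line.split()
    if len(f) != 10 or f[5] != "->":
        raise ValueError(f"unexpected record layout: {line!r}")
    start = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S.%f")
    src, sport = f[4].rsplit(":", 1)
    dst, dport = f[6].rsplit(":", 1)
    return Flow(start, float(f[2]), src, int(sport), dst, int(dport), int(f[7]), int(f[8]))


def parse_flows(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def sessions(flows):
    """Group both directions of a conversation under (local host, remote host, remote port).
    The local side's port is ephemeral, so the remote port is what names the service."""
    groups = defaultdict(list)
    for fl in flows:
        if fl.src.startswith(MONITORED_PREFIX):
            groups[(fl.src, fl.dst, fl.dport)].append(fl)
        elif fl.dst.startswith(MONITORED_PREFIX):
            groups[(fl.dst, fl.src, fl.sport)].append(fl)
    return groups


def classify(flows):
    """Return one finding per session, oldest first."""
    findings = []
    for (local, remote, rport), fls in sessions(flows).items():
        first = min(fl.start for fl in fls)
        last = max(fl.start + timedelta(seconds=fl.duration) for fl in fls)
        span = round((last - first).total_seconds(), 3)
        if rport in IRC_PORTS and span >= MIN_CANDIDATE_SPAN:
            verdict = "long-lived IRC session, candidate C&C"
        elif rport in IRC_PORTS:
            verdict = "brief IRC contact"
        elif remote in IP_CHECK_SERVICES:
            verdict = f"public-IP lookup via {IP_CHECK_SERVICES[remote]}"
        else:
            verdict = "unclassified"
        findings.append({"local": local, "remote": remote, "port": rport,
                         "first": first, "last": last, "span": span,
                         "packets": sum(fl.packets for fl in fls),
                         "octets": sum(fl.octets for fl in fls), "verdict": verdict})
    return sorted(findings, key=lambda f: f["first"])


def lookups_after_irc(findings):
    """For each host with a candidate C&C session, list IP-check lookups that began after
    its last IRC activity, with the gap in seconds. The lookup alone proves nothing; the
    ordering is what earns it a second look."""
    last_irc = {}
    for f in findings:
        if f["verdict"].endswith("candidate C&C"):
            last_irc[f["local"]] = max(last_irc.get(f["local"], f["last"]), f["last"])
    out = []
    for f in findings:
        if (f["remote"] in IP_CHECK_SERVICES and f["local"] in last_irc
                and f["first"] > last_irc[f["local"]]):
            gap = round((f["first"] - last_irc[f["local"]]).total_seconds(), 3)
            out.append((f["local"], IP_CHECK_SERVICES[f["remote"]], gap))
    return out


if __name__ == "__main__":
    found = classify(parse_flows(SAMPLE_FLOWS))
    for f in found:
        print(f"{f['local']} -> {f['remote']}:{f['port']}  {f['span']:8.3f}s "
              f"{f['packets']:3d} pkts {f['octets']:5d} B  {f['verdict']}")
    for local, svc, gap in lookups_after_irc(found):
        print(f"{local} queried {svc} {gap:.1f}s after its last IRC activity")
```

The port-based rule is deliberately coarse: it flags both 6667 peers in the sample, while the reply above confirms only 174.123.217.5 after probing it and says nothing about 194.109.20.90. Treat a candidate as a prompt to probe or look up the server, not as a verdict, and keep the IP-check allowlist separate from any blocklist so a legitimate lookup service never ends up sinkholed.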