[nsp-sec] botnet C&C at The Planet and malware download at dyndns.com client
Nick Hale
nspsec at rtfmnewbie.com
Mon Mar 26 13:54:19 EDT 2012
Thanks for the heads up on this one. I'm digging into this C&C now.
For the record, "The Planet" no longer exists as a company; it's now part of SoftLayer.
Regards,
Nick
SoftLayer Technologies, Inc.
Abuse Team
On 3/26/2012 11:08, Tim Wilde wrote:
> ----------- nsp-security Confidential --------
>
> On 3/26/2012 11:53 AM, CERT-UT - Peter wrote:
>> This host contacted something that looked like a C&C:
>>> 2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
>>> 2012-03-26 12:32:12.450 0.128 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 127 1
>>> 2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
>>> 2012-03-26 12:33:50.331 4.032 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 3 225 1
>>> 2012-03-26 12:33:58.991 10.752 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 2 150 1
>>> 2012-03-26 12:34:31.352 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 75 1
>>> 2012-03-26 12:35:08.808 6.848 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 6 510 1
>>> 2012-03-26 12:35:17.160 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 146 1
>>> 2012-03-26 12:37:00.700 0.000 TCP 194.109.20.90:6667 -> 130.89.36.159:53506 1 85 1
>
> Chris,
>
> 174.123.217.5:6667 does in fact look like a C&C, we have probed it and
> added it to the DDoS-RS. Thanks for pointing it out!
>
>> Shortly after this the system contacted another site on port 80.
>> C&C or malware? This host is currently known as
>> checkip-iad.dyndns.com.
>
>>> 2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
>>> 2012-03-26 12:48:35.236 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 4 240 1
>>> 2012-03-26 12:48:50.564 6.016 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
>>> 2012-03-26 12:49:17.033 0.000 TCP 130.89.36.159:56658 -> 216.146.38.70:80 1 60 1
>>> 2012-03-26 12:49:17.106 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 3 180 1
>>> 2012-03-26 12:49:38.473 0.000 TCP 216.146.38.70:80 -> 130.89.36.159:56658 1 60 1
>
> This is not a C&C, but a legitimate IP checking service run by Dyn,
> Inc. Possibly being abused by the malware to find its public IP,
> possibly unrelated to the malware.
>
> Best regards,
> Tim
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
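As an added example (not part of the thread, nor code from any of the list members), the detection logic a defender could run over flow records in the layout Peter posted: it flags a monitored host that talks to an IRC port and then, within a time window, connects out to a public-IP lookup service, the sequence Tim suggests the malware may have performed. The monitored prefix, the lookup-service list and the sample records (including the benign last one) are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions, not from the thread: monitored prefix; 216.146.38.70 is checkip-iad.dyndns.com.
MONITORED_NET = ipaddress.ip_network("130.89.0.0/16")
IP_CHECK_HOSTS = {"216.146.38.70"}
IRC_PORTS = {6667}
# Constructed sample in the posted export's layout, assumed to be in time order:
# date time duration proto src:port -> dst:port packets bytes flows
SAMPLE_FLOWS = """\
2012-03-26 12:30:36.514 0.000 TCP 174.123.217.5:6667 -> 130.89.36.159:38141 1 52 1
2012-03-26 12:32:12.450 0.000 TCP 130.89.36.159:38141 -> 174.123.217.5:6667 1 74 1
2012-03-26 12:48:32.333 9.024 TCP 130.89.36.159:56658 -> 216.146.38.70:80 3 180 1
2012-03-26 12:48:35.236 8.960 TCP 216.146.38.70:80 -> 130.89.36.159:56658 4 240 1
2012-03-26 13:10:00.000 0.000 TCP 130.89.40.12:51000 -> 216.146.38.70:80 1 60 1
"""

def parse_flow(line):
    """Split one flow record into a dict; returns None for malformed lines."""
    f = line.split()
    if len(f) != 10 or f[5] != "->":
        return None
    src, sport = f[4].rsplit(":", 1)
    dst, dport = f[6].rsplit(":", 1)
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S.%f"),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "bytes": int(f[8])}

def monitored_side(flow):
    """(inside_host, outside_host, outside_port), or None if neither side is monitored."""
    for a, b, p in ((flow["src"], flow["dst"], flow["dport"]), (flow["dst"], flow["src"], flow["sport"])):
        if ipaddress.ip_address(a) in MONITORED_NET:
            return a, b, p
    return None

def find_cc_then_ipcheck(text, window_minutes=30):
    """Hosts that contact an IRC port and then, within the window, a public-IP lookup service."""
    window = timedelta(minutes=window_minutes)
    first_irc, hits = {}, []  # inside host -> (time of first IRC-port contact, remote peer)
    for flow in filter(None, map(parse_flow, text.splitlines())):
        sides = monitored_side(flow)
        if sides is None:
            continue
        inside, outside, port = sides
        if port in IRC_PORTS:
            first_irc.setdefault(inside, (flow["ts"], outside))
        elif flow["src"] == inside and outside in IP_CHECK_HOSTS and inside in first_irc:
            t0, peer = first_irc[inside]
            if flow["ts"] - t0 <= window and (inside, peer, outside) not in hits:
                hits.append((inside, peer, outside))
    return hits
```

A hit is a lead, not a verdict: as Tim notes, the lookup itself is a legitimate service, so the IRC-port contact is what warrants the follow-up.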