[nsp-sec] kol/avalanche
Tom Fischer
tfischer at bfk.de
Thu Nov 15 10:34:02 EST 2012
Hi,
I see nowadays two kinds of kol/avalanche double-fast-flux botnets.
One is based on compromised Windows systems with port forwarding to a
specified avalanche nginx host (e.g. malware dcb73b459437a741f9e0bff7e9d23976).
The other variant is based on Linux systems with nginx as the first proxy instance.
E.g. the identity-theft malware family urlzone uses
chicwhite.com. 165 IN A 182.19.54.114
chicwhite.com. 165 IN A 219.95.142.217
chicwhite.com. 165 IN A 219.141.171.70
chicwhite.com. 165 IN A 175.136.253.153
or, in the last few days,
2519 | 183.180.134.217 | VECTANT VECTANT Ltd.
3786 | 121.66.166.20 | LGDACOM LG DACOM Corporation
4134 | 119.60.6.254 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 220.182.54.150 | CHINANET-BACKBONE No.31,Jin-rong Street
4788 | 175.136.253.153 | TMNET-AS-AP TM Net, Internet Service Provider
4788 | 219.95.142.217 | TMNET-AS-AP TM Net, Internet Service Provider
4847 | 219.141.171.70 | CNIX-AP China Networks Inter-Exchange
6301 | 15.185.100.19 | HP-CLOUD-SERVICES - Hewlett-Packard Company
7132 | 75.15.24.140 | SBIS-AS - AT&T Internet Services
7349 | 216.27.10.24 | WINDSTEAM-HOSTED-SOLUTIONS-1 - Windstream Hosted Solutions, LLC
7545 | 115.64.45.89 | TPG-INTERNET-AP TPG Internet Pty Ltd
8426 | 79.123.42.75 | CLARANET-AS ClaraNET LTD
9318 | 220.149.84.221 | HANARO-AS Hanaro Telecom Inc.
9829 | 59.90.146.30 | BSNL-NIB National Internet Backbone
10029 | 125.63.91.50 | SPECTRANET FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA
10429 | 189.20.75.225 | Telefonica Empresas SA
12741 | 62.233.166.103 | INTERNETIA-AS Netia SA
17785 | 123.101.2.10 | CHINATELECOM-HA-AS-AP asn for Henan Provincial Net of CT
20454 | 108.170.30.99 | SSASN2 - SECURED SERVERS LLC
21011 | 88.81.239.98 | TOPNET _TOP NET_ PJSC
22047 | 190.47.48.69 | VTR BANDA ANCHA S.A.
24862 | 83.145.28.27 | CLSE-AS DATAPHONE SCANDINAVIA AB
24955 | 92.50.171.166 | UBN-AS OJSC _Ufanet_
29182 | 77.246.148.234 | ISPSYSTEM-AS ISPsystem Autonomous System
29574 | 194.146.140.6 | VNTU-AS Vinnytsia National Technical University
29691 | 178.209.46.190 | NINE Nine Internet Solutions AG
33363 | 67.78.215.62 | BHN-TAMPA - BRIGHT HOUSE NETWORKS, LLC
33651 | 76.21.85.51 | CMCS - Comcast Cable Communications, Inc.
38442 | 183.81.133.124 | VODAFONEFIJI-AS-FJ Vodafone Fiji Limited
41665 | 213.155.19.117 | HOSTING-AS Tehnologii Budushego LLC
46475 | 208.115.198.196 | LIMESTONENETWORKS - Limestone Networks, Inc.
53340 | 199.241.137.184 | VEGASNAP - VegasNAP, LLC
55410 | 182.19.54.114 | VODAFONE-NET-AS-AP C48 Okhla Industrial Estate, New Delhi-110020
Anyone able to provide the nginx config of such a proxy?
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
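As an added illustration (not part of Tom's post, and not code from any of the parties named in it), the following Python script shows the kind of detection heuristic a defender would run over the data above: parse the A records and the "ASN | IP | AS name" listing from the post, then flag a domain whose answer set combines a short TTL with addresses spread across several autonomous systems, which is the signature of a fast-flux proxy layer. The TTL and AS-count thresholds, the benign contrast record `example.test`, and the function names are assumptions chosen for the example; only the `chicwhite.com` records and the ASN lines are taken from the post.

```python
"""Fast-flux heuristic over DNS answer sets and an ASN listing.

Added example, not code from the nsp-sec post. The thresholds used in
assess() are illustrative assumptions, not values from the post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# A records copied from the post (one domain, four answers, TTL 165).
DNS_ANSWERS = """\
chicwhite.com. 165 IN A 182.19.54.114
chicwhite.com. 165 IN A 219.95.142.217
chicwhite.com. 165 IN A 219.141.171.70
chicwhite.com. 165 IN A 175.136.253.153
"""

# Constructed benign contrast (not from the post): one stable address, long TTL.
BENIGN_ANSWERS = """\
example.test. 86400 IN A 192.0.2.10
"""

# Subset of the post's "ASN | IP | AS name" listing covering the four IPs above.
ASN_LISTING = """\
4788 | 175.136.253.153 | TMNET-AS-AP TM Net, Internet Service Provider
4788 | 219.95.142.217 | TMNET-AS-AP TM Net, Internet Service Provider
4847 | 219.141.171.70 | CNIX-AP China Networks Inter-Exchange
55410 | 182.19.54.114 | VODAFONE-NET-AS-AP C48 Okhla Industrial Estate, New Delhi-110020
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_a_records(text):
    """Return {domain: [(ttl, ip), ...]} from dig/zone-style A record lines."""
    answers = defaultdict(list)
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue  # skip anything that is not an A record
        domain, ttl, ip = m.group(1).rstrip("."), int(m.group(2)), m.group(3)
        answers[domain].append((ttl, ip))
    return dict(answers)


def parse_asn_listing(text):
    """Return {ip: asn} from 'ASN | IP | AS name' lines."""
    table = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        table[parts[1]] = int(parts[0])
    return table


@dataclass
class FluxVerdict:
    domain: str
    min_ttl: int
    distinct_ips: int
    distinct_asns: int
    flagged: bool


def assess(domain, records, ip_to_asn, max_ttl=300, min_asns=3):
    """Flag a domain whose answers are short-lived and spread over many ASes.

    max_ttl and min_asns are assumed thresholds for illustration; tune them
    against your own resolver logs.
    """
    ttls = [ttl for ttl, _ in records]
    ips = {ip for _, ip in records}
    asns = {ip_to_asn[ip] for ip in ips if ip in ip_to_asn}
    flagged = min(ttls) <= max_ttl and len(asns) >= min_asns
    return FluxVerdict(domain, min(ttls), len(ips), len(asns), flagged)


def assess_all(dns_text, asn_text, **thresholds):
    """Run assess() over every domain in dns_text; returns {domain: FluxVerdict}."""
    ip_to_asn = parse_asn_listing(asn_text)
    return {d: assess(d, r, ip_to_asn, **thresholds)
            for d, r in parse_a_records(dns_text).items()}


if __name__ == "__main__":
    for verdict in assess_all(DNS_ANSWERS + BENIGN_ANSWERS, ASN_LISTING).values():
        print(verdict)
```

On the post's data, `chicwhite.com` resolves to four addresses in three different ASes with a 165-second TTL and is flagged; the constructed `example.test` record, with one address and a day-long TTL, is not. In production the ASN map would come from a BGP table or a bulk whois lookup rather than a pasted listing, and the verdict would feed a watch list rather than a block decision, since shared CDNs can also show several ASes per name.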