[nsp-sec] kol/avalanche

CASEY, JOEL J jc3128 at att.com
Thu Nov 15 11:33:15 EST 2012


All,

Forwarded to the abuse team.

Joel Casey
Principal Technology Security
AT&T CSO Mobility Security Enablement
joeljcasey at att.com

-----Original Message-----
From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Tom Fischer
Sent: Thursday, November 15, 2012 10:34 AM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] kol/avalanche

----------- nsp-security Confidential --------

Hi,

I see nowadays two kinds of kol/avalanche double-fast-flux botnets.

One is based on compromised Windows systems with port forwarding to a
specified avalanche nginx host (e.g. malware dcb73b459437a741f9e0bff7e9d23976).

Another variant is based on Linux systems with nginx as the first proxy instance.
e.g. the identity theft malware family urlzone uses
chicwhite.com.		165	IN	A	182.19.54.114
chicwhite.com.		165	IN	A	219.95.142.217
chicwhite.com.		165	IN	A	219.141.171.70
chicwhite.com.		165	IN	A	175.136.253.153

or in the last few days

2519    | 183.180.134.217  | VECTANT VECTANT Ltd.
3786    | 121.66.166.20    | LGDACOM LG DACOM Corporation
4134    | 119.60.6.254     | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 220.182.54.150   | CHINANET-BACKBONE No.31,Jin-rong Street
4788    | 175.136.253.153  | TMNET-AS-AP TM Net, Internet Service Provider
4788    | 219.95.142.217   | TMNET-AS-AP TM Net, Internet Service Provider
4847    | 219.141.171.70   | CNIX-AP China Networks Inter-Exchange
6301    | 15.185.100.19    | HP-CLOUD-SERVICES - Hewlett-Packard Company
7132    | 75.15.24.140     | SBIS-AS - AT&T Internet Services
7349    | 216.27.10.24     | WINDSTEAM-HOSTED-SOLUTIONS-1 - Windstream Hosted Solutions, LLC
7545    | 115.64.45.89     | TPG-INTERNET-AP TPG Internet Pty Ltd
8426    | 79.123.42.75     | CLARANET-AS ClaraNET LTD
9318    | 220.149.84.221   | HANARO-AS Hanaro Telecom Inc.
9829    | 59.90.146.30     | BSNL-NIB National Internet Backbone
10029   | 125.63.91.50     | SPECTRANET FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA
10429   | 189.20.75.225    | Telefonica Empresas SA
12741   | 62.233.166.103   | INTERNETIA-AS Netia SA
17785   | 123.101.2.10     | CHINATELECOM-HA-AS-AP asn for Henan Provincial Net of CT
20454   | 108.170.30.99    | SSASN2 - SECURED SERVERS LLC
21011   | 88.81.239.98     | TOPNET _TOP NET_ PJSC
22047   | 190.47.48.69     | VTR BANDA ANCHA S.A.
24862   | 83.145.28.27     | CLSE-AS DATAPHONE SCANDINAVIA AB
24955   | 92.50.171.166    | UBN-AS OJSC _Ufanet_
29182   | 77.246.148.234   | ISPSYSTEM-AS ISPsystem Autonomous System
29574   | 194.146.140.6    | VNTU-AS Vinnytsia National Technical University
29691   | 178.209.46.190   | NINE Nine Internet Solutions AG
33363   | 67.78.215.62     | BHN-TAMPA - BRIGHT HOUSE NETWORKS, LLC
33651   | 76.21.85.51      | CMCS - Comcast Cable Communications, Inc.
38442   | 183.81.133.124   | VODAFONEFIJI-AS-FJ Vodafone Fiji Limited
41665   | 213.155.19.117   | HOSTING-AS Tehnologii Budushego LLC
46475   | 208.115.198.196  | LIMESTONENETWORKS - Limestone Networks, Inc.
53340   | 199.241.137.184  | VEGASNAP - VegasNAP, LLC
55410   | 182.19.54.114    | VODAFONE-NET-AS-AP C48 Okhla Industrial Estate, New Delhi-110020

Anyone able to provide the nginx config of such a proxy?

-- 
Tom Fischer
BFK edv-consulting GmbH                  tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe        fax: +49 721 962 01-99


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
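The message above shows the two data points an analyst has to work with when triaging a double-fast-flux front end: an answer section with a short TTL and several A records, and an ASN lookup of the addresses seen over a few days. The script below, an added example that is not part of Tom's post or of any tool he mentions, parses both of those formats as they appear in the message, aggregates the addresses across successive resolutions, and applies a simple fast-flux heuristic (short TTL, many addresses, many origin ASNs). The sample answer sections are constructed from the addresses quoted in the post; the second snapshot, the control domain in 203.0.113.0/24 (a documentation range) with ASN 64496 (a documentation ASN), and the threshold values are assumptions for the example.

```python
"""Score a domain's DNS answers for fast-flux behaviour.

Added example, not code from the post. Input formats mirror the two blocks
quoted in the message (a dig answer section and an 'ASN | IP | AS name' table).
"""
import ipaddress

# Constructed sample: the four A records quoted for chicwhite.com, followed by
# an assumed second resolution that rotates in two addresses from the AS list.
DIG_SNAPSHOTS = [
    "chicwhite.com.\t\t165\tIN\tA\t182.19.54.114\n"
    "chicwhite.com.\t\t165\tIN\tA\t219.95.142.217\n"
    "chicwhite.com.\t\t165\tIN\tA\t219.141.171.70\n"
    "chicwhite.com.\t\t165\tIN\tA\t175.136.253.153\n",
    "chicwhite.com.\t\t165\tIN\tA\t182.19.54.114\n"
    "chicwhite.com.\t\t165\tIN\tA\t75.15.24.140\n"
    "chicwhite.com.\t\t165\tIN\tA\t15.185.100.19\n"
    "chicwhite.com.\t\t165\tIN\tA\t219.95.142.217\n",
]

# Constructed control: a static host with a long TTL and a single origin AS
# (203.0.113.0/24 and AS 64496 are reserved for documentation).
CONTROL_SNAPSHOTS = [
    "static.example.\t86400\tIN\tA\t203.0.113.10\n"
    "static.example.\t86400\tIN\tA\t203.0.113.11\n",
    "static.example.\t86400\tIN\tA\t203.0.113.10\n"
    "static.example.\t86400\tIN\tA\t203.0.113.11\n",
]

# Constructed ASN lookup in the same 'ASN | IP | AS name' layout as the post.
ASN_TABLE = """\
4788    | 175.136.253.153  | TMNET-AS-AP TM Net, Internet Service Provider
4788    | 219.95.142.217   | TMNET-AS-AP TM Net, Internet Service Provider
4847    | 219.141.171.70   | CNIX-AP China Networks Inter-Exchange
6301    | 15.185.100.19    | HP-CLOUD-SERVICES - Hewlett-Packard Company
7132    | 75.15.24.140     | SBIS-AS - AT&T Internet Services
55410   | 182.19.54.114    | VODAFONE-NET-AS-AP C48 Okhla Industrial Estate, New Delhi-110020
64496   | 203.0.113.10     | EXAMPLE-AS (constructed control entry)
64496   | 203.0.113.11     | EXAMPLE-AS (constructed control entry)
"""


def parse_dig_a_records(text):
    """Parse dig-style answer lines into (name, ttl, ip); skip anything not an A record."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        name, ttl, ip = fields[0].lower(), int(fields[1]), fields[4]
        ipaddress.ip_address(ip)  # reject garbage in the address column early
        records.append((name, ttl, ip))
    return records


def parse_asn_table(text):
    """Parse 'asn | ip | description' rows into {ip: asn}; rows without a numeric ASN are ignored."""
    mapping = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        mapping[parts[1]] = int(parts[0])
    return mapping


def flux_features(snapshots, asn_map):
    """Aggregate distinct addresses, distinct origin ASNs and the lowest TTL across all resolutions."""
    ips, ttls = set(), []
    for text in snapshots:
        for _name, ttl, ip in parse_dig_a_records(text):
            ips.add(ip)
            ttls.append(ttl)
    asns = {asn_map[ip] for ip in ips if ip in asn_map}
    unmapped = sorted(ip for ip in ips if ip not in asn_map)  # keep these visible: they weaken the ASN count
    return {
        "n_ips": len(ips),
        "n_asns": len(asns),
        "min_ttl": min(ttls) if ttls else None,
        "unmapped": unmapped,
    }


def is_fast_flux(features, max_ttl=300, min_ips=3, min_asns=3):
    """Assumed thresholds: a short TTL combined with many addresses spread over many ASNs."""
    if features["min_ttl"] is None:  # nothing resolved, nothing to judge
        return False
    return (
        features["min_ttl"] <= max_ttl
        and features["n_ips"] >= min_ips
        and features["n_asns"] >= min_asns
    )


if __name__ == "__main__":
    asn_map = parse_asn_table(ASN_TABLE)
    for label, snaps in (("chicwhite.com", DIG_SNAPSHOTS), ("static.example", CONTROL_SNAPSHOTS)):
        feats = flux_features(snaps, asn_map)
        print(label, feats, "fast-flux" if is_fast_flux(feats) else "not flagged")
```

The features only describe the front layer, the flux addresses that the post says forward to an nginx host or run nginx themselves; nothing here says anything about the backend behind that proxy. In practice the snapshots come from re-resolving the name every TTL interval for a day or more, and the address-to-ASN mapping comes from a bulk lookup service rather than a pasted table, so an unmapped address should lower confidence rather than be silently dropped.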