[nsp-sec] Botnet takedown - Chinese SSH Brute Force

宫一鸣 gongyiming at 360.cn
Thu Apr 9 22:24:57 EDT 2015


This is very nice, thanks!

And fyi the following are the c&c I sent to another list the other day
regarding the fireeye document

--
For this specific md5 0b7630ead879da12b74b2ed7566da2fe mentioned in the
fireeye blog, there are totally six C&C servers

103.25.9.245:8000|103.240.141.50:8000|66.102.253.30:8000|ndns.dsaj2a1.org:8000|ndns.dsaj2a.org:8000|ndns.hcxiaoao.com:8000|ndns.dsaj2a.com:8000

and for the other md5 85ecdf50a92e76cdb3f5e98d54d014d4, there are three
c&c 
gh.dsaj2a1.org:2857|navert0p.com:2857|wangzongfacai.com:2857
--


Regards

Yiming 

Director of Network Security Research lab at Qihoo 360

www.360.cn




On 4/9/15, 1:52 AM, "Wentworth, Brett" <Brett.Wentworth at Level3.com> wrote:

>----------- nsp-security Confidential --------
>
>Just a heads up that Level 3 conducted a botnet takedown yesterday.  Part
>of the activity of this botnet is extreme SSH brute force scanning. At
>one point throughout the previous 30 days we saw this comprising over
>30% of the total global SSH traffic, so they aren't being subtle. The
>purpose of this notice is to hopefully persuade you all to take similar
>action at your border. Infected hosts we have seen communicating with the
>C2 will be forthcoming.
>
>SSH Brute Force Scanning
>43.255.190.0/23 (ASN: 4134 China Telecom, 36678 China Telecom, 26484
>Hostspace)
>43.255.190.0/24  (ASN: 4134 China Telecom, 36678 China Telecom, 26484
>Hostspace)
>
>C2:
>103.240.140.152/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
>103.240.141.54/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
>103.240.141.50/32 (ASN:62466 Telia, 6939 Hurricane Electric, 1299 Telia)
>104.143.5.25/32 (ASN 36114 Versaweb, 53340 Fiberhub, 2914 NTT)
>
>Malware Hosting:
>23.234.60.140/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484
>Hostspace)
>23.234.60.143/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484
>Hostspace)
>23.234.19.202/32 (ASN: 4134 China Telecom, 36678 China Telecom, 26484
>Hostspace)
>
>Further details can be found in the attached report (some of the IPs have
>changed but the behavior is the same):
>http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
>https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
>
>
>Regards,
>
>Level (3) Communications
>Network Security Operations
>Level3-SOC at level3.com<mailto:Level3-SOC at level3.com>
>720.888.0012
>
>
>


