[nsp-sec] UBNT airOS worm in the wild

Damian Menscher damian at google.com
Mon May 16 15:14:51 EDT 2016


On Mon, May 16, 2016 at 10:07 AM, Krista Hickey <Krista.Hickey at cogeco.com>
wrote:

> Is there an easy way to somewhat fingerprint these devices? I ask as we've
> been battling (battled at this point, I believe) a spam run whereby
> compromised customer credentials are being used to relay through our smtps
> platform. During the investigation we noted an atypically high volume of
> South American hosts (specifically Brazil), and from what (little) I
> currently understand, South America is possibly noted as suffering this
> issue, so, if possible, I'd like to see if there's any commonality between the
> hosts I saw participating in the spam botnet and this vulnerability.
> Alternately, if I'm way off base, I'd like a hint that I'm wasting my time.
>

When did your spam run start?  The worm started spreading Friday 2am
Pacific, so if you saw spam before then it's unlikely to be related (though
I suppose they might have been infected by something else before).

Obviously now that there's published source for this worm it could easily
be taken over by other actors....

Damian
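The timeline check suggested in the reply above, as an added example that is not part of the original thread: given relay-authentication log lines, find each client host's first appearance and split hosts into those first seen before and after the worm's start time. The start time is taken from the post (Friday 2am Pacific, i.e. 2016-05-13; May 2016 is on PDT, UTC-7, so that is 09:00 UTC). The log format and the log lines are constructed for the example, and the worm-start conversion assumes the poster meant local daylight time. As the reply itself notes, a host that was already relaying before that time is unlikely to be part of this worm, while a host first seen afterwards is only a candidate for further checks, not an attribution.

```python
"""Split relaying hosts by first-seen time relative to the airOS worm's start.

Example code added for illustration; the log format below is constructed,
not any real MTA's output.
"""
import re
from datetime import datetime, timedelta, timezone

# Friday 2am Pacific per the post. Assumption: Pacific Daylight Time (UTC-7),
# which was in effect on 2016-05-13. Stored in UTC for comparison.
PDT = timezone(timedelta(hours=-7))
WORM_START = datetime(2016, 5, 13, 2, 0, tzinfo=PDT).astimezone(timezone.utc)

# Constructed line format: "<ISO-8601 UTC timestamp> auth=<user> ip=<client>"
LINE_RE = re.compile(r"^(\S+) auth=(\S+) ip=(\S+)$")

# Constructed sample log; addresses are documentation ranges (RFC 5737).
CONSTRUCTED_LOG = """\
2016-05-12T20:15:03Z auth=alice@example.net ip=192.0.2.10
2016-05-13T11:40:17Z auth=bob@example.net ip=203.0.113.5
2016-05-13T12:02:55Z auth=bob@example.net ip=203.0.113.5
2016-05-14T03:22:40Z auth=carol@example.net ip=198.51.100.77
2016-05-12T23:59:59Z auth=dave@example.net ip=198.51.100.78
garbage line that should be skipped
"""


def parse_log(text):
    """Yield (timestamp, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        yield ts, m.group(2), m.group(3)


def first_seen_by_host(text):
    """Map each client IP to the earliest timestamp it relayed at."""
    first = {}
    for ts, _user, ip in parse_log(text):
        if ip not in first or ts < first[ip]:
            first[ip] = ts
    return first


def classify_hosts(text, worm_start=WORM_START):
    """Return {'before': [...], 'after': [...]} keyed on first-seen time.

    'before' hosts were relaying before the worm began spreading, so the
    worm is an unlikely explanation for them. 'after' hosts are merely
    candidates for further fingerprinting; timing alone proves nothing.
    """
    result = {"before": [], "after": []}
    for ip, ts in sorted(first_seen_by_host(text).items()):
        bucket = "after" if ts >= worm_start else "before"
        result[bucket].append(ip)
    return result


if __name__ == "__main__":
    print("worm start (UTC):", WORM_START.isoformat())
    for bucket, hosts in classify_hosts(CONSTRUCTED_LOG).items():
        print(f"{bucket:>6}: {', '.join(hosts) or '-'}")
```

On real data, feed the function your relay log for the whole spam run rather than a window that begins after the worm start, since the first-seen time is only meaningful if the log covers the period before it.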

