[botnets] new srizbis, more links
Date: Fri, 29 Aug 2008 18:00:28 +
From: Jenna S. [EMAIL PROTECTED]
Subject: Hi, remember me?..

in archive my new fotos
hxxp://xsitejobs.com/myfoto.exe
Jenna :)

link de-fanged. more URLs

hxxp://shot-by-frogg.de/My_foto.exe
hxxp://armonia-spa.com.ar/My_foto.exe
hxxp://warmymusic.com.ar/My_foto.exe

all yield

MD5: 4097df28691722645d6a505696225ecf
SHA1: ddf82a109f7d14efc0146549d79a8c905c5b0612
File type: MS Windows PE
File size: 143360 bytes

A/V INFO:
---
SCANNER: VScanner  VIRUS: Unknown, file is suspicious
SCANNER: AVG       VIRUS: No virus found.
SCANNER: ClamAV    VIRUS: No virus found.
SCANNER: BDC       VIRUS: Trojan.Srizbi.Dropper.1.Gen
---

New Files
C:\WINDOWS\system32\drivers\grande48.sys

Create Service - Name: (grande48)
  Display Name: (grande48)
  File Name: (C:\WINDOWS\system32\drivers\grande48.sys)
  Control: ()
  Start Type: (SERVICE_AUTO_START)

whee ...

- jose nazario, ph.d. [EMAIL PROTECTED]
security researcher, office of the CTO, arbor networks
v: (734) 821 1427
http://asert.arbornetworks.com/

___
Malware-track mailing list
[EMAIL PROTECTED]
http://mal-aware.org/mailman/listinfo/malware-track

___
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
[botnets] mal links from a honeyclient
Bulk mode; whois.cymru.com [2008-08-29 21:32:08 +]
39392 | 88.86.113.138   | hxxp://ekoterra.unas.cz/index_9.html    | SUPERNETWORK-AS SuperNetwork s.r.o.
26496 | 208.109.220.165 | hxxp://drfrankensteins.com/index_9.html | PAH-INC - GoDaddy.com, Inc.
26753 | 65.61.216.103   | hxxp://6063100.com/index_9.html         | IN2NET-NETWORK - In2net Network Inc.
8560  | 74.208.136.198  | hxxp://davidsavells.com/index_9.html    | ONEANDONE-AS 1&1 Internet AG
32475 | 67.212.163.42   | hxxp://elizermedia.com/index99.html     | SINGLEHOP-INC - SingleHop
25973 | 216.227.209.22  | hxxp://desa.org/index99.html            | MZIMA - Mzima Networks, Inc.
39010 | 85.112.85.5     | hxxp://monroebeirut.com/index_12.html   | TERRANET-AS TerraNet sal

jose nazario, ph.d.
http://monkey.org/~jose/
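The pipe-delimited output above is what whois.cymru.com returns in bulk mode. As an added example (not part of the original post), here is a small parser for that layout that clusters the URLs by origin AS (who to send the abuse report to) and by landing-page path (the campaign's template, which is what you pivot on when the next batch of hosts shows up). The sample input is constructed from the records in the post; the four columns (AS | IP | URL | AS name) are taken from the post, and the header's timezone offset, which the archive truncated, is filled in as +0000 only in this constructed sample.

```python
"""Parse whois.cymru.com bulk-mode output and cluster URLs by AS and by path.

Added example, not part of the original post. SAMPLE is constructed from the
records quoted in the post (AS | IP | URL | AS name columns)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample mirroring the post; the +0000 offset is this example's.
SAMPLE = """\
Bulk mode; whois.cymru.com [2008-08-29 21:32:08 +0000]
39392 | 88.86.113.138   | hxxp://ekoterra.unas.cz/index_9.html    | SUPERNETWORK-AS SuperNetwork s.r.o.
26496 | 208.109.220.165 | hxxp://drfrankensteins.com/index_9.html | PAH-INC - GoDaddy.com, Inc.
26753 | 65.61.216.103   | hxxp://6063100.com/index_9.html         | IN2NET-NETWORK - In2net Network Inc.
8560  | 74.208.136.198  | hxxp://davidsavells.com/index_9.html    | ONEANDONE-AS 1&1 Internet AG
32475 | 67.212.163.42   | hxxp://elizermedia.com/index99.html     | SINGLEHOP-INC - SingleHop
25973 | 216.227.209.22  | hxxp://desa.org/index99.html            | MZIMA - Mzima Networks, Inc.
39010 | 85.112.85.5     | hxxp://monroebeirut.com/index_12.html   | TERRANET-AS TerraNet sal
"""


@dataclass(frozen=True)
class Record:
    asn: Optional[int]  # None when the AS column is not numeric (Cymru's "NA")
    ip: str
    url: str
    as_name: str


def parse_cymru_bulk(text: str) -> list[Record]:
    """One Record per data row. The 'Bulk mode; ...' header, blank lines and
    any row without exactly four pipe-separated fields are skipped, and rows
    whose IP column does not parse as an address are dropped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            continue
        asn_text, ip, url, as_name = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        asn = int(asn_text) if asn_text.isdigit() else None
        records.append(Record(asn, ip, url, as_name))
    return records


def group_by_asn(records: list[Record]) -> dict:
    """Origin AS -> list of URLs hosted there (one abuse report per key)."""
    groups = defaultdict(list)
    for r in records:
        groups[r.asn].append(r.url)
    return dict(groups)


def group_by_path(records: list[Record]) -> dict:
    """URL path -> hosts serving it. The same path on unrelated hosts
    (index_9.html, index99.html, index_12.html) is the campaign's template."""
    groups = defaultdict(list)
    for r in records:
        parts = urlsplit(r.url)  # urlsplit keeps netloc for hxxp:// as well
        groups[parts.path].append(parts.hostname)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_cymru_bulk(SAMPLE)
    for asn, urls in sorted(group_by_asn(recs).items(), key=lambda kv: kv[0] or 0):
        print(f"AS{asn}: {len(urls)} URL(s)")
    for path, hosts in group_by_path(recs).items():
        print(f"{path}: {', '.join(hosts)}")
```

Defanged hxxp:// URLs are left as-is on purpose: urlsplit still yields the host and path, and nothing here ever fetches anything.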
Re: [botnets] nepenthes / honeypot dump list: volunteers and instructions
Sweet! I subscribed and will deploy a honeypot over the weekend. :)

Gadi Evron wrote:

Hi all.

The honey pot dump mailing list is ready. Point your servers to report to: [EMAIL PROTECTED]

To get us started I am quoting Jeremy, who came up with the idea of us pointing our nepenthes sensors to a mailing list. He is providing us with simple instructions on how to get started using nepenthes, and how to point them to dump results to the new mailing list.

The mailing list which was created is at: [EMAIL PROTECTED]

Subscribe at: http://whitestar.linuxbox.org/mailman/listinfo/honeydump

Jeremy's how-to:

If you just want to get a nepenthes malware collection box up and running, there is a ready to run vmware appliance available at:

http://www.dalmatech.com/downloads/Nepenthes.20.zip

I have no affiliation with the company, but this vmware appliance is nice, precompiled, and has a great web interface.

Just edit the submit-norman.conf like so:

submit-norman
{
    // this is the address where norman sandbox reports will be sent
    email   "[EMAIL PROTECTED]";
    urls    ("http://sandbox.norman.no/live_4.html",
             "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify");
};

And then, in nepenthes.conf, uncomment the line

    "submitnorman.so",      "submit-norman.conf",

There is a little write-up on basic usage here:
http://www.securityfocus.com/infocus/1880

And the homepage for nepenthes is here:
http://nepenthes.mwcollect.org/

--
Charles Wyble (818) 280 - 7059
http://charlesnw.blogspot.com
CTO Known Element Enterprises / SoCal WiFI project
Re: [botnets] [phishing] facebook worms and id theft [was: Re: XP update phish/malware]
A good summary has been released at
http://www.insidefacebook.com/2008/08/26/update-facebook-security-fighting-koobface-worm-chain-letters/

[switched to new message title now, handling FB worm etc.]

Juha-Matti

Gadi Evron [EMAIL PROTECTED] wrote:

Interesting,

Do you or anyone else know more about the account theft that has been going on with FaceBook? I ask because my kid sister was using it for a while and she kept on asking why her password was changed. Shortly thereafter her friends had the same issue and they had random wall posts going up. Ideas? I'm just curious.

Malware spreading via walls and messages. Click on it and you get your credentials stolen and spam your friends. Facebook.*

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142

---
Netragard, LLC - http://www.netragard.com - We make IT Safe
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
---
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Steven Adair wrote:

It seems Imageshack with malicious or at least abusive Flash files is getting more popular. We saw a similar attack, yet far less malicious, on Facebook last week. Users' walls were spammed with a message about someone having a crush on them with a link to an Imageshack flash file. The file then did a full redirect to a dating website. The bad guys are both simply just using them as a jumping point and in some cases playing off of their [somewhat] trusted name.

Steven

On Thu, 28 Aug 2008 09:18:12 -0400, Discini, Sonny [EMAIL PROTECTED] wrote:

Here is another XP/Vista download link:
ht tp://img 182.imageshack.us/img182/7145/47024671do7 .swf

--
Steve

I had a bunch of that come through in 3 separate waves yesterday.

The malware download pointed to:
Hxxp://89.187.49.18/install.exe

Note that the payload is known to Sophos so I'm assuming that most of the other big players also pick it up. Nothing new.

Sonny

Sonny Discini, Senior Network Security Engineer
Office of the CIO
Department of Technology Services
Montgomery County Government

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Pirk
Sent: Thursday, August 28, 2008 7:13 AM
To: [EMAIL PROTECTED]
Cc: Botnets
Subject: Re: [phishing] XP update phish/malware

Equal bytes for women.

On Wed, 27 Aug 2008, Steve Pirk wrote:

Here are some links related to an XP update phish/malware download.

Image or payload?
ht tp://img 504.imageshack.us/img504/6262/23031231ob0 .swf

That was the only link in the email.

--
Steve
Equal bytes for women.
Re: [botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN? (fwd)
From: Marc Sachs [EMAIL PROTECTED]
To: 'Gadi Evron' [EMAIL PROTECTED]
Subject: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Unless I'm mis-reading this (or perhaps GBLX read Krebs's story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:

http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

Marc
SANS ISC

-----Original Message-----
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Friday, August 29, 2008 4:02 PM
To: [EMAIL PROTECTED]
Subject: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Hi all.

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, compared often to RBN in maliciousness. The American RBN, if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' "make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi.
Re: [botnets] Malware hosting site
Thanks Dean for sharing this!

There are about 16 or so exploits up on the site at the moment. Windows media player, quicktime, IE, etc. I've not looked at all the latest pages yet so I'm not sure which are new or not.

I've browsed thru the pages and there was nothing new there. Same old exploits for MDAC, VML, Winzip, Yahoo, Ani, WebViewFolder plus the ones you just mentioned.

--
Ivan

From: [EMAIL PROTECTED] on behalf of Dean De Beer
Sent: Fri 8/29/2008 10:55 AM
To: botnets@whitestar.linuxbox.org
Subject: [botnets] Malware hosting site

This site appears to be run by the authors to host their malware. It's been around for a long time now. I track it on and off to see if they add any new exploits. Since its inception they have refined the code and exploits. I've been looking at it for about 8 months on and off but I think it's been around a lot longer. Google searches reveal very little info.

There are about 16 or so exploits up on the site at the moment. Windows media player, quicktime, IE, etc. I've not looked at all the latest pages yet so I'm not sure which are new or not.

Discovery after 4 months for this exe is good but there are still some AV that don't detect it.

hxxp://www.ahack.info
hxxp://www.ahack.info/tds/
hxxp://www.ahack.info/forum/index.php
hxxp://www.ahack.info/ice/exploits/
hxxp://www.ahack.info/ice/index.php/exploits/
http://www.ahack.info/ice/exe.php exe

I thought it interesting that there was so little on this domain yet it has been up for such a period of time. It is blacklisted by some RBLs though but that may be due to other sites hosted on the IP.

http://www.robtex.com/rbl/203.202.239.59.html

/dean

On Fri, Aug 29, 2008 at 11:35 AM, Brack o'Malley [EMAIL PROTECTED] wrote:

Found this IRC based C&C (yesterday) if anybody wants to go after it. The channel was still live as of yesterday morning. It gets delivered as a self extracting rar file.

[mirc]
user=Kj6cQa9hFw3tR
nick=Qd0pAb4xTi3a
anick=Gg8lNv5rCk7lW
email=Politia
host=serveru de ircdSERVER:serveru de ircd:6667GROUP:servere

Here's the usual server.ini:

[servers]
n1=serveru de ircdSERVER:red.box23.de:6667GROUP:servere
n2=serveru de ircdSERVER:red.box23.de:GROUP:servere
n4=bucharest.ro.eu.undernet.orgSERVER:bucharest.ro.eu.undernet.org:6667GROUP:serveree
n5=Helsinki.FI.EU.Undernet.orgSERVER:Helsinki.FI.EU.Undernet.orgg:6667GROUP:serveree
n6=Ede.NL.EU.UnderNet.OrgSERVER:Ede.NL.EU.UnderNet.Org:6667GROUP:serveree
n7=graz.at.Eu.UnderNet.orgSERVER:217.168.95.245:6667GROUP:serveree
n8=Helsinki.FI.EU.Undernet.orgSERVER:Helsinki.FI.EU.Undernet.org:6667GROUP:serveree
n9=London.UK.Eu.UnderNet.orgSERVER:38.114.116.5:6667GROUP:serveree
n10=London2.UK.EU.Undernet.OrgSERVER:London2.UK.EU.Undernet.Org:6667GROUP:serveree
n11=Oslo1.NO.EU.undernet.orgSERVER:Oslo1.NO.EU.undernet.org:6667GROUP:serveree
n12=Oslo2.NO.EU.undernet.orgSERVER:Oslo2.NO.EU.undernet.org:6667GROUP:serveree
n13=mesa2.az.us.undernet.org:mesa2.az.us.undernet.org:6667GROUP:serveree
n14=mesa.az.us.undernet.orgSERVER:mesa.az.us.undernet.org:6667GROUP:serveree
n15=US.Undernet.orgSERVER:66.186.59.50:6667GROUP:serveree
n16=Diemen.NL.EU.Undernet.OrgSERVER:Diemen.NL.EU.Undernet.Org:6667GROUP:serveree
n17=eu.Undernet.OrgSERVER:208.83.20.130:6667GROUP:serveree
n122=Lelystad.NL.EU.UnderNet.OrgSERVER:Lelystad.NL.EU.UnderNet.Org:6667GROUP:serveree
n121=SantaAna.CA.US.Undernet.orgSERVER:72.51.18.254:6667GROUP:serveree
n212=Zagreb.Hr.EU.UnderNet.orgSERVER:193.109.122.67:6667GROUP:serveree
n323=Tampa.FL.US.Undernet.orgSERVER:Tampa.FL.US.Undernet.org:6667GROUP:serveree
n419=EU, AT, DiemenSERVER:Diemen.NL.EU.Undernet.Org:6660-6670,7000GROUP:serveree
n420=EU, AT, ElseneSERVER:Elsene.Be.Eu.undernet.org:6660-6670,7000GROUP:serveree
n421=EU, AT, GrazSERVER:195.68.221.221:6660-6670,7000GROUP:serveree
n422=EU, AT, Graz2SERVER:64.18.128.86:6660-6670,7000GROUP:serveree
n423=EU, AT, GrazSERVER:195.197.175.21:6660-6670,7000GROUP:serveree
n424=EU, BE, ElseneSERVER:195.144.12.5:6667-6669,7000GROUP:serveree
n425=EU, HR, ZagrebSERVER:161.53.178.240:-6669,GROUP:serveree
n426=EU, NL, AmsterdamSERVER:195.47.220.2:6667GROUP:serveree
n427=EU, NL, EdeSERVER:193.109.122.67:-6669GROUP:serveree
n428=EU, NO, OsloSERVER:69.16.172.40:-6669GROUP:serveree
n429=US, AZ, MesaSERVER:194.109.20.90:6660,6665-6667,7000GROUP:serveree
n430=Random EU serverSERVER:eu.undernet.org:6667GROUP:serveree
n431=Random US serverSERVER:mesa2.az.us.undernet.org:6667GROUP:serveree
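The servers.ini above is mIRC's own format (nN=descriptionSERVER:host:portsGROUP:group, no spaces), and the bot pads its own rendezvous server with a long list of real Undernet entries. As an added example (not part of the original post), here is a parser for that format that pulls out the entries that are not on the network the rest of the list claims to be, which is the quickest way to get the C&C host out of a dropped config. The sample is a constructed subset of the entries posted above; the handling of a port range with one end missing (such as ':-6669') is this example's own lenient choice, and the '.undernet.org' allow-list is an assumption for this sample.

```python
"""Extract IRC server candidates from a mIRC servers.ini dropped by a bot.

Added example, not part of the original post. SAMPLE_SERVERS_INI is a
constructed subset of the entries quoted in the post."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_SERVERS_INI = """\
[servers]
n1=serveru de ircdSERVER:red.box23.de:6667GROUP:servere
n2=serveru de ircdSERVER:red.box23.de:GROUP:servere
n4=bucharest.ro.eu.undernet.orgSERVER:bucharest.ro.eu.undernet.org:6667GROUP:serveree
n7=graz.at.Eu.UnderNet.orgSERVER:217.168.95.245:6667GROUP:serveree
n13=mesa2.az.us.undernet.org:mesa2.az.us.undernet.org:6667GROUP:serveree
n419=EU, AT, DiemenSERVER:Diemen.NL.EU.Undernet.Org:6660-6670,7000GROUP:serveree
n425=EU, HR, ZagrebSERVER:161.53.178.240:-6669,GROUP:serveree
"""

# key=description SERVER: host : ports GROUP: group, written without spaces.
ENTRY_RE = re.compile(r"^(n\d+)=(.*?)SERVER:(.*?):([\d,\-]*)GROUP:(.*)$")


@dataclass
class ServerEntry:
    key: str
    description: str
    host: str
    ports: list[int]
    group: str


def parse_ports(spec: str) -> list[int]:
    """Expand '6660-6670,7000' into individual ports. A token with one end
    missing ('-6669') keeps the end that is present (lenient assumption);
    an empty spec means mIRC's default port and yields []."""
    ports: list[int] = []
    for token in filter(None, spec.split(",")):
        lo, sep, hi = token.partition("-")
        if not sep:
            ports.append(int(lo))
        elif lo and hi:
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(lo or hi))
    return ports


def parse_servers_ini(text: str) -> tuple[list[ServerEntry], list[str]]:
    """Parse the [servers] section. Returns (entries, keys of malformed
    lines) so an entry like n13 with 'SERVER' missing is reported, not lost."""
    entries: list[ServerEntry] = []
    malformed: list[str] = []
    in_servers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_servers = line.lower() == "[servers]"
            continue
        if not in_servers:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            malformed.append(line.split("=", 1)[0])
            continue
        key, desc, host, ports, group = m.groups()
        entries.append(ServerEntry(key, desc, host, parse_ports(ports), group))
    return entries, malformed


def triage(entries: list[ServerEntry], legit_suffixes=(".undernet.org",)):
    """Split entries into (likely C&C, IP literals to verify). A hostname
    outside the legitimate network's domain is the odd one out; IP literals
    go to a separate list because the description may claim a network the
    address does not belong to, which only a lookup can confirm."""
    c2: list[ServerEntry] = []
    ip_literals: list[ServerEntry] = []
    for e in entries:
        try:
            ipaddress.ip_address(e.host)
            ip_literals.append(e)
            continue
        except ValueError:
            pass
        if not e.host.lower().endswith(legit_suffixes):
            c2.append(e)
    return c2, ip_literals


if __name__ == "__main__":
    entries, bad = parse_servers_ini(SAMPLE_SERVERS_INI)
    c2, ips = triage(entries)
    print("malformed entries:", bad)
    for e in c2:
        print(f"candidate C&C {e.key}: {e.host} ports={e.ports or 'default'} group={e.group}")
    for e in ips:
        print(f"verify {e.key}: {e.host} described as {e.description!r}")
```

Run against the full list from the post, the same logic surfaces red.box23.de (the only non-Undernet hostname, listed twice with the odd group name "servere") and leaves the IP-literal Undernet entries for a whois or reverse lookup rather than assuming either way.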
Re: [botnets] Malware hosting site
Arturo 'Buanzo' Busleiman wrote:

First post, hi everybody!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dean De Beer wrote:

This site appears to be run by the authors to host their malware.
[...]
hxxp://www.ahack.info

The IP for www.ahack.info is: 203.202.239.59

According to a simple vhosts query tool I wrote, that IP also hosts these sites:

e-gold-exchange.net
hook-up-tonight.com
ns112233.org
liberty-exchange.net
ueaconline.com
www.ahack.info
www.y-press.ru
www.serialydvd.ru
sarazin.ru
pinoc.info
sh0p0rtal.com
sh0pp0rtal.com
www.google-world.biz
robotraf.com (mentioned on a slashdot story a couple days ago, about the business of malware)
adword.google-gw.info
f9i.org
stocktraffic.net
sweet-mp3.com
thebestlog.org
ultra-shop.biz
google-gw.info

Interesting, huh?

FWIW, the RUS-CERT Passive DNS replication tool says that that IP has recently been seen serving these domains:

thebestlog.org
chulavistaca.cn
as-cannabis.cn
www.as-cannabis.cn
www.d1gix.cn
kokc.info
pinoc.info
portki.info
ahack.info
www.ahack.info
ithack.info
yourcount.info
www.yourcount.info
bleky.info
ns3.2ru.us
ns4.2ru.us
tradingway.net
serialy1.ru
mail.serialy1.ru
serialydvd.ru
mail.serialydvd.ru
yellow-journal.ru
mail.yellow-journal.ru
yellow-magazin.ru
mail.yellow-magazin.ru
news-press.ru
mail.news-press.ru
y-press.ru
mail.y-press.ru
press-news.ru
mail.press-news.ru
serialytv.ru
mail.serialytv.ru
webarh.biz
domogj.biz
mail.domogj.biz
ultra-shop.biz

And another passive DNS engine returns:

ns4.2ru.us
ns3.2ru.us
pinoc.info
usersoftware.in
framemoney.biz
y-press.ru
svchost.org
expmailing.com
y-press.ru
yellow-magazin.ru
serialy1.ru
domogj.biz
serialydvd.ru
serialytv.ru
www.domogj.biz
ithack.info
press-news.ru
yellow-journal.ru
news-press.ru
www.as-cannabis.cn
as-cannabis.cn

Regards,

Nick FitzGerald
Re: [botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN? (fwd)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Gadi Evron [EMAIL PROTECTED] wrote:

From: Marc Sachs [EMAIL PROTECTED]
To: 'Gadi Evron' [EMAIL PROTECTED]
Subject: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Unless I'm mis-reading this (or perhaps GBLX read Krebs's story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:

http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

For those of you who do not follow the NANOG mailing list, this thread started here:

http://mailman.nanog.org/pipermail/nanog/2008-August/003370.html

And of course, my response:

http://mailman.nanog.org/pipermail/nanog/2008-August/003378.html

...where I applaud GLBX for de-peering Atrivo/Intercage and also mention the issue of the large number of rogue DNS servers which also reside there. :-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIuJ2oq1pz9mNUZTMRAuH9AJ9AMTuVPzC7bZwDuajcEgnmu7ySbACg6q2E
15o1GKrHp1rTkK+0wqRlnBk=
=EtHL
-----END PGP SIGNATURE-----

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN? (fwd)
Another nice nepenthes virtual machine is available here:

http://ids.surfnet.nl/wiki/doku.php?id=global:downloadable_demo

There are many more. I just wanted to post a couple easy options to get you up and running.

-Jeremy