Re: [botnets] Washington Post: Atrivo/Intercage, why are we peering with the American RBN? (fwd)
-- Gadi Evron wrote:

> From: Marc Sachs
> To: 'Gadi Evron'
> Subject: RE: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
>
> Unless I'm mis-reading this (or perhaps GBLX read Krebs' story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:
>
> http://cidr-report.org/cgi-bin/as-report?as=AS27595v=4view=2.0

For those of you who do not follow the NANOG mailing list, this thread started here:

http://mailman.nanog.org/pipermail/nanog/2008-August/003370.html

And of course, my response:

http://mailman.nanog.org/pipermail/nanog/2008-August/003378.html

...where I applaud GLBX for de-peering Atrivo/Intercage and also mention the issue of the large number of rogue DNS servers which also reside there. :-)

- ferg

--
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

___
botnets@, the public's dumping ground for maliciousness
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
Re: [botnets] very active server, 50+ bots
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

-- Ryan Carter wrote:

> Anyone else unable to resolve irc.indounix.net?
>
> On Wed, Mar 19, 2008 at 10:30 AM, bad_brain wrote:
>
>> hey there...;)
>>
>> when checking some RFI attempts in my IDS logs I found a bot server, at least 50 bots are running on it doing nothing but scans:
>>
>> irc.indounix.net:6667 #Scanner
>>
>> time someone spanks their little lame asses I think...
>>
>> --
>> kindest regards,
>> bad_brain
>> owner of suck-o.com
>> //hacking ~ coding ~ development//

Something about that just seems... suspicious. ;-)

- ferg
[botnets] Fwd: [Dshield] suspiroamor.land.ru trojan
FYI.

- ferg

[forwarded message]

Date: Sat, 24 Nov 2007 23:17:32 -0500
From: jayjwa
To: Dshield Mail List

(Possibly) new trojans. These came from a link spammed out in email that ended up in my Hotmail inbox. The files are win32 PE's, with some interesting strings embedded in them. One of the files appears to be a server of some sort with smtp ability. There's also a lot of calls to graphics routines, so maybe one of the files is a client or user interface of some type. Written in Delphi, downloaded from suspiroamor.land.ru, root directory.

amor.com: The only file linked in the email. Probably downloads/exec others. Interesting strings:

    taskkill -f /im gbpsv.exe
    C:\Arquivos de programas\GbPlugin\gbieh.dll
    C:\Arquivos de programas\GbPlugin\gbieh.gmd
    C:\windows\Crime.exe
    C:\WINDOWS\system32\WormList.exe
    URLDownloadToFileA
    shell32.dll
    ShellExecuteA

derby.com: Referenced in the above file.

javas.com: Same. Contains an email template, lots of calls to Winsock. Interesting hardcoded strings:

    msnlist.txt
    [EMAIL PROTECTED]
    Lista MSN (
    gsmtp185.google.com
    hsResolving hsConnecting hsConnected hsDisconnecting hsDisconnected hsStatusText
    ftpTransfer ftpReady ftpAborted
    IdComponent TIdStatusEvent ASender
    Indy 9.00.10
    X-Library

    * About to connect() to suspiroamor.land.ru port 80 (#0)
    *   Trying 82.204.219.223... connected
    * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
    GET /javas.com HTTP/1.1
    User-Agent: from Russia with love?
    Host: suspiroamor.land.ru
    Accept: */*

    HTTP/1.1 200 OK
    Server: nginx/0.5.31
    Date: Sun, 25 Nov 2007 03:09:45 GMT
    Content-Type: application/octet-stream
    Content-Length: 523264
    Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
    Connection: keep-alive
    Accept-Ranges: bytes
    { [data not shown]

The signature/data files are a bit old (Nov. 9) but F-prot had this to say:

    amor.com  Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus

Available as downloaded above, or local copies together in a zip for anyone that wants to look at them:

https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip

Useful tool to examine binaries: http://hte.sourceforge.net/

_
SANS Network Security 2007 in Las Vegas September 22-30. 39 courses, SANS top instructors. http://www.sans.org/info/9346

[end]
Re: [botnets] Why ISP's and NSP's Love Botnets
-- John Fraizer wrote:

> There is a lot going on in the shadows to combat botnets and other miscreant activities that most folks don't have credentials to know about.

Go get 'em, John. :-)

- ferg
Re: [botnets] Why ISP's and NSP's Love Botnets
-- James Pleger wrote:

> I don't think that ISPs are going to care until there is a business model that will make them money (or save it) and not cost them a bunch of money/staff overhead. It costs a great deal to staff an abuse department that knows what they are doing; there isn't really any value for the ISP to take down a botted machine that is sending spam, unless it is affecting their core business.

Perhaps, but the pressure is mounting.

Until that time, we have this:

https://nssg.trendmicro.com/nrs/reports/rank.php?page=1

- ferg
Re: [botnets] botnet signature?
-- Shaun wrote:

> [...]
>
> To do so by accident would be an amateur gaffe, and whoever's in control of Storm is no amateur.

Indeed. And the Storm-generated spambots don't do this.

Relying on a silly quirk like this is... silly. :-)

Ask your ISP to port-block tcp/25. This particular problem will disappear.

- ferg
Re: [botnets] Domain list query...
So, what they share is the same dirty nameservers. I picked one domain you listed below at random:

    Domain ID:D15763363-LRMS
    Domain Name:ABYSSCASTOR.INFO
    Created On:18-Dec-2006 19:56:35 UTC
    Last Updated On:16-Feb-2007 20:36:18 UTC
    Expiration Date:18-Dec-2007 19:56:35 UTC
    Sponsoring Registrar:CSL Computer Service Langenbach GmbH d/b/a joker.com (R161-LRMS)
    Status:CLIENT DELETE PROHIBITED
    Status:CLIENT RENEW PROHIBITED
    Status:CLIENT TRANSFER PROHIBITED
    Status:CLIENT UPDATE PROHIBITED
    Registrant ID:CAFI-234229
    Registrant Name:Wang Tim
    Registrant Organization:Wang Tim
    Registrant Street1:5905 N Oketo Ave
    Registrant Street2:
    Registrant Street3:
    Registrant City:Chicago
    Registrant State/Province:IL
    Registrant Postal Code:60631
    Registrant Country:US
    Registrant Phone:+1.7736318184
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:[EMAIL PROTECTED]
    Admin ID:CAFI-234228
    Admin Name:Wang Tim
    Admin Organization:Wang Tim
    Admin Street1:5905 N Oketo Ave
    Admin Street2:
    Admin Street3:
    Admin City:Chicago
    Admin State/Province:IL
    Admin Postal Code:60631
    Admin Country:US
    Admin Phone:+1.7736318184
    Admin Phone Ext.:
    Admin FAX:
    Admin FAX Ext.:
    Admin Email:[EMAIL PROTECTED]
    Billing ID:CAFI-234228
    Billing Name:Wang Tim
    Billing Organization:Wang Tim
    Billing Street1:5905 N Oketo Ave
    Billing Street2:
    Billing Street3:
    Billing City:Chicago
    Billing State/Province:IL
    Billing Postal Code:60631
    Billing Country:US
    Billing Phone:+1.7736318184
    Billing Phone Ext.:
    Billing FAX:
    Billing FAX Ext.:
    Billing Email:[EMAIL PROTECTED]
    Tech ID:CAFI-234228
    Tech Name:Wang Tim
    Tech Organization:Wang Tim
    Tech Street1:5905 N Oketo Ave
    Tech Street2:
    Tech Street3:
    Tech City:Chicago
    Tech State/Province:IL
    Tech Postal Code:60631
    Tech Country:US
    Tech Phone:+1.7736318184
    Tech Phone Ext.:
    Tech FAX:
    Tech FAX Ext.:
    Tech Email:[EMAIL PROTECTED]
    Name Server:NS1.XETOPNET.COM
    Name Server:NS2.LOERJAMM.COM
    Name Server:NS2.ASDERDUB.COM
    Name Server:NS1.THEBLACKRAINS.NET

Every single domain served by NS1.XETOPNET.COM is RBL listed because of previous malicious activity or spamming:

    ns host ip: 201.236.86.60
    There are 6 ns hosts in same /24
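The pivot the post performs by hand, as an added defender-side example (not code from the post or the list): given constructed domain-to-nameserver and nameserver-to-IP data (only abysscastor.info's NS set and the 201.236.86.60 address come from the post; every other domain and address is made up), it clusters domains by the /24 their nameservers sit in and flags every domain that shares that range with a known-bad NS host.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not from the original post. Only abysscastor.info's
# NS set and ns1.xetopnet.com -> 201.236.86.60 are from the post; the rest is made up.
DOMAIN_NS = {
    "abysscastor.info": ["ns1.xetopnet.com", "ns2.loerjamm.com",
                         "ns2.asderdub.com", "ns1.theblackrains.net"],
    "sample-one.info": ["ns1.xetopnet.com", "ns2.asderdub.com"],
    "sample-two.com": ["ns2.loerjamm.com", "ns1.theblackrains.net"],
    "unrelated.org": ["ns1.registrar-dns.example", "ns2.registrar-dns.example"],
}
NS_IP = {
    "ns1.xetopnet.com": "201.236.86.60",           # from the post
    "ns2.loerjamm.com": "201.236.86.61",           # constructed
    "ns2.asderdub.com": "201.236.86.77",           # constructed
    "ns1.theblackrains.net": "201.236.86.90",      # constructed
    "ns1.registrar-dns.example": "192.0.2.10",     # constructed, documentation range
    "ns2.registrar-dns.example": "198.51.100.10",  # constructed, documentation range
}
BAD_NS = {"ns1.xetopnet.com"}  # constructed seed list of known-bad NS hosts

def ns_network(ns, ns_ip, prefix=24):
    """Return the /prefix network (as a string) that a nameserver host lives in."""
    return str(ipaddress.ip_network(f"{ns_ip[ns]}/{prefix}", strict=False))

def cluster_by_ns_network(domain_ns, ns_ip, prefix=24):
    """Group domains by the /prefix network(s) their nameservers resolve into."""
    clusters = defaultdict(set)
    for domain, servers in domain_ns.items():
        for ns in servers:
            clusters[ns_network(ns, ns_ip, prefix)].add(domain)
    return dict(clusters)

def ns_hosts_per_network(domain_ns, ns_ip, prefix=24):
    """Count distinct NS hosts per /prefix (the post's 'N ns hosts in same /24' figure)."""
    hosts = defaultdict(set)
    for servers in domain_ns.values():
        for ns in servers:
            hosts[ns_network(ns, ns_ip, prefix)].add(ns)
    return {net: len(h) for net, h in hosts.items()}

def tainted_domains(domain_ns, ns_ip, bad_ns, prefix=24):
    """Domains whose nameservers share a /prefix with a known-bad NS host."""
    clusters = cluster_by_ns_network(domain_ns, ns_ip, prefix)
    bad_nets = {ns_network(ns, ns_ip, prefix) for ns in bad_ns}
    return set().union(*(clusters.get(net, set()) for net in bad_nets))
```

Shared NS infrastructure is a lead for further checks (RBL lookups, registration data), not a verdict on its own, since legitimate domains also sit on shared registrar nameservers.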
Re: [botnets] Fwd: Fwd: [funsec] U.K. Case Shows Link Between Online Fraud and Jihadist Networks
-- Stuart Woodward wrote:

> Well, we all know that spam is actually a covert channel for steganographically hidden messages. :-)
>
> c.f. http://www.spammimic.com/encode.shtml
>
> If you broadcast it to a wide enough audience, then which person you are intending to send it to is hidden.

The scary thing is that this actually might work.

Interesting.

[snip]

Dear Friend ; Your email address has been submitted to us indicating your interest in our newsletter . If you no longer wish to receive our publications simply reply with a Subject: of REMOVE and you will immediately be removed from our mailing list . This mail is being sent in compliance with Senate bill 2216 , Title 4 ; Section 305 . This is different than anything else you've seen . Why work for somebody else when you can become rich within 63 weeks . Have you ever noticed most everyone has a cellphone nobody is getting any younger . Well, now is your chance to capitalize on this . We will help you sell more and SELL MORE . You can begin at absolutely no cost to you ! But don't believe us . Prof Ames of Massachusetts tried us and says My only problem now is where to park all my cars . We assure you that we operate within all applicable laws . Do not go to sleep without ordering ! Sign up a friend and you'll get a discount of 50% ! Thank-you for your serious consideration of our offer .

Dear Cybercitizen , Thank-you for your interest in our letter . We will comply with all removal requests . This mail is being sent in compliance with Senate bill 1916 , Title 6 ; Section 306 ! THIS IS NOT MULTI-LEVEL MARKETING ! Why work for somebody else when you can become rich in 58 months ! Have you ever noticed people love convenience plus society seems to be moving faster and faster ! Well, now is your chance to capitalize on this . We will help you SELL MORE and process your orders within seconds ! You can begin at absolutely no cost to you . But don't believe us ! Prof Ames who resides in South Dakota tried us and says My only problem now is where to park all my cars . We are a BBB member in good standing ! Don't delay - order today . Sign up a friend and you get half off ! Thanks !

Dear Friend ; You made the right decision when you signed up for our database ! If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail ! This mail is being sent in compliance with Senate bill 2116 ; Title 9 ; Section 306 . THIS IS NOT MULTI-LEVEL MARKETING . Why work for somebody else when you can become rich in 78 weeks . Have you ever noticed people are much more likely to BUY with a credit card than cash and nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you sell more and sell more . The best thing about our system is that it is absolutely risk free for you . But don't believe us . Mr Jones of New York tried us and says I was skeptical but it worked for me . We assure you that we operate within all applicable laws ! If not for you then for your LOVED ONES - act now ! Sign up a friend and you'll get a discount of 80% ! Thank-you for your serious consideration of our offer .

[snip]