Hi guys.

Zotob, once infected, connects the machine to a botnet C&C (command & control) server. Due to the extremely rapid spread of these worms, here is the C&C server information that has been confirmed so far:

62.193.233.52:8080
84.244.7.62:8080
204.13.171.157:8080
62.193.233.4:8080

ASN   | IP             | Responsible Party
------+----------------+-------------------------------
12832 | 84.244.7.62    | LYCOS-EUROPE Lycos Europe GmbH
19742 | 204.13.171.157 | MARLIN - Marlin eSourcing Solu
28677 | 62.193.233.52  | AMEN AMEN Network
28677 | 62.193.233.4   | AMEN AMEN Network

For your information and possible follow-up on your networks. This is spreading so quickly that wider activity is necessary.

For comments back to the drone armies & botnets research and mitigation mailing list, please go through our new PR team lead, "Fergie (Paul Ferguson)" <fergdawg@netzero.net>.

Gadi.
We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.

Thanks,

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell@american.edu

On Aug 15, 2005, at 3:13 PM, Gadi Evron wrote:
Hi guys.
Zotob, once infected, connects the machine to a botnet C&C (command & control) server. Due to the extremely rapid spread of these worms, here is the C&C server information that has been confirmed so far:

62.193.233.52:8080
84.244.7.62:8080
204.13.171.157:8080
62.193.233.4:8080

ASN   | IP             | Responsible Party
------+----------------+-------------------------------
12832 | 84.244.7.62    | LYCOS-EUROPE Lycos Europe GmbH
19742 | 204.13.171.157 | MARLIN - Marlin eSourcing Solu
28677 | 62.193.233.52  | AMEN AMEN Network
28677 | 62.193.233.4   | AMEN AMEN Network

For your information and possible follow-up on your networks. This is spreading so quickly that wider activity is necessary.
For comments back to the drone armies & botnets research and mitigation mailing list, please go through our new PR team lead, "Fergie (Paul Ferguson)" <fergdawg@netzero.net>.
Gadi.
Michael Grinnell wrote:
We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.
Hi.

Any IRC JOIN sig will do, channel is: #niggah

Gadi.
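Added example, not code from either poster or from Bleeding Snort: detection logic that turns the two indicators posted in this thread (the four C&C endpoints on TCP 8080 and the IRC JOIN to the named channel) into checks over flow records, run over a handful of constructed sample flows. The record layout, the sample hosts other than the posted C&C addresses, and the bot nick are assumptions made up for the example. The JOIN check matches on payload rather than on port, because the listed servers sit on 8080, where an IRC preprocessor bound to 6667 would never look.

```python
"""Detection logic for the Zotob C&C indicators posted in this thread.

Added example (not code from the list or from Bleeding Snort): checks flow
records against the listed C&C endpoints and against an IRC JOIN to the
listed channel. The record format and the sample flows are constructed here.
"""
import re

# C&C endpoints as posted in the thread (IP, TCP port).
ZOTOB_CNC_ENDPOINTS = {
    ("62.193.233.52", 8080),
    ("84.244.7.62", 8080),
    ("204.13.171.157", 8080),
    ("62.193.233.4", 8080),
}

# Channel name as posted in the thread; compared case-insensitively.
ZOTOB_CHANNEL = "#niggah"

# Client->server IRC JOIN: optional ":prefix ", the command, then one or more
# comma-separated channels and an optional key list. Anchored at line start so
# "JOIN #niggah" inside a PRIVMSG body does not fire.
_JOIN_RE = re.compile(rb"^(?::\S+\s+)?JOIN\s+(?P<chans>\S+)", re.IGNORECASE)


def join_channels(payload):
    """Return the lower-cased channels named by JOIN commands in a payload.

    Works on the raw TCP payload, not on the port: the listed servers sit on
    8080, so an IRC preprocessor bound to 6667 would never see this traffic.
    """
    found = []
    for line in payload.split(b"\n"):
        m = _JOIN_RE.match(line.rstrip(b"\r"))
        if not m:
            continue
        for chan in m.group("chans").split(b","):
            if chan[:1] in (b"#", b"&", b"+", b"!"):
                found.append(chan.decode("latin-1").lower())
    return found


def classify_flow(flow):
    """Return the alert names raised by one flow record.

    flow is a constructed dict: {"src": str, "dst": str, "dport": int, "payload": bytes}.
    """
    alerts = []
    if (flow["dst"], flow["dport"]) in ZOTOB_CNC_ENDPOINTS:
        alerts.append("zotob-cnc-endpoint")
    if ZOTOB_CHANNEL in join_channels(flow["payload"]):
        alerts.append("zotob-irc-join")
    return alerts


# Constructed sample flows; hosts other than the posted C&C list are made up.
SAMPLE_FLOWS = [
    # Infected host registering and joining the channel on a listed server.
    {"src": "10.0.0.5", "dst": "62.193.233.52", "dport": 8080,
     "payload": b"NICK [USA|00|12345]\r\nUSER x 0 0 :x\r\nJOIN #niggah\r\n"},
    # Same channel on a server not (yet) on the list: the JOIN check still fires.
    {"src": "10.0.0.6", "dst": "198.51.100.20", "dport": 8080,
     "payload": b":bot!x@10.0.0.6 JOIN #other,#NIGGAH key\r\n"},
    # Connection to a listed endpoint with no payload yet (SYN only).
    {"src": "10.0.0.7", "dst": "84.244.7.62", "dport": 8080, "payload": b""},
    # Ordinary IRC session that only mentions the channel inside a message body.
    {"src": "10.0.0.8", "dst": "203.0.113.9", "dport": 6667,
     "payload": b"JOIN #linux\r\nPRIVMSG #linux :they JOIN #niggah\r\n"},
]

# Snort form of the JOIN check (added sketch; the sid is a local-range placeholder):
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zotob IRC JOIN #niggah"; \
#   flow:to_server,established; content:"JOIN"; nocase; content:"#niggah"; \
#   nocase; distance:0; classtype:trojan-activity; sid:1000001; rev:1;)


def scan(flows):
    """Map each flow index to its alerts, skipping clean flows."""
    hits = {}
    for i, flow in enumerate(flows):
        alerts = classify_flow(flow)
        if alerts:
            hits[i] = alerts
    return hits


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_FLOWS).items():
        f = SAMPLE_FLOWS[i]
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {', '.join(alerts)}")
```

The second sample flow is the case worth keeping in mind: a JOIN to the channel on a server that is not on the posted list still fires, which is why a content signature outlives an IP blocklist once the controllers move. The third flow shows the reverse gap: a bare connection to a listed endpoint carries no JOIN yet, so the endpoint check is what catches it.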
Michael Grinnell wrote:
We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.
Matt just got some signatures together: http://www.bleedingsnort.com/article.php?story=20050814131513212

Enjoy,

Gadi.