[83434] in North American Network Operators' Group


Re: zotob C&C servers

daemon@ATHENA.MIT.EDU (Michael Grinnell)
Mon Aug 15 14:49:13 2005

In-Reply-To: <4300E974.3070608@linuxbox.org>
From: Michael Grinnell <grinnell@american.edu>
Date: Mon, 15 Aug 2005 14:46:18 -0400
To: nanog list <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu


We haven't seen it yet on our network, but I was hoping somebody
might have a text dump or packet capture of the C&C traffic that they
would be willing to send me so I can tune our IDS to recognize it.
I already have exploit rules loaded; I just wanted to see if the C&C
traffic varied significantly from the (relatively) standard *bot
variety.

Thanks,

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell@american.edu

On Aug 15, 2005, at 3:13 PM, Gadi Evron wrote:

>
> Hi guys.
>
> Zotob, once infected, connects the machine to a botnet C&C (command  
> & control) server.
> Due to the extremely rapid spread of these worms, here is the C&C  
> servers information that has been confirmed so far:
>
> 62.193.233.52:8080
> 84.244.7.62:8080
> 204.13.171.157:8080
> 62.193.233.4:8080
>
> ASN     | IP               | Responsible Party
> -----------------------------------------------------------
> 12832   | 84.244.7.62      | LYCOS-EUROPE Lycos Europe GmbH
> 19742   | 204.13.171.157   | MARLIN - Marlin eSourcing Solu
> 28677   | 62.193.233.52    | AMEN AMEN Network
> 28677   | 62.193.233.4     | AMEN AMEN Network
>
> For your information and possible follow-up on your networks. This
> is spreading so quickly that wider activity is necessary.
>
> For comments back to the drone armies & botnets research and  
> mitigation mailing list, please go through our new PR team lead,  
> "Fergie (Paul Ferguson)" <fergdawg@netzero.net>.
>
>     Gadi.
>
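The thread above pairs a request for IDS tuning with a list of confirmed C&C endpoints. As an added example (not code from either poster), the script below takes the IP:port pairs exactly as listed in the quoted post, runs them over constructed firewall-style log lines to identify internal hosts that attempted to contact a C&C server, and emits Snort-style alert rules for the same endpoints. The log line format, the 10.20.x.x internal addresses, and the local sid range 1000001+ are assumptions for the example; the endpoints and ASN owners are the ones in the post.

```python
import re
from collections import defaultdict

# C&C endpoints and responsible parties exactly as listed in the quoted post
# (confirmed as of 15 Aug 2005).
ZOTOB_CNC = {
    ("62.193.233.52", 8080): "AS28677 AMEN Network",
    ("84.244.7.62", 8080): "AS12832 LYCOS-EUROPE Lycos Europe GmbH",
    ("204.13.171.157", 8080): "AS19742 MARLIN - Marlin eSourcing Solu",
    ("62.193.233.4", 8080): "AS28677 AMEN Network",
}

# Constructed sample log lines (assumed format:
# "timestamp action proto src:sport -> dst:dport"). Note the last 62.193.233.4
# line goes to port 443, not 8080, and so must not match.
SAMPLE_LOG = """\
2005-08-15T14:40:01 ALLOW TCP 10.20.30.40:1057 -> 62.193.233.52:8080
2005-08-15T14:40:03 ALLOW TCP 10.20.30.40:1058 -> 198.51.100.7:80
2005-08-15T14:40:09 ALLOW TCP 10.20.31.12:3199 -> 84.244.7.62:8080
2005-08-15T14:40:11 ALLOW TCP 10.20.30.40:1059 -> 62.193.233.52:8080
2005-08-15T14:40:15 DENY  TCP 10.20.32.5:4421 -> 204.13.171.157:8080
2005-08-15T14:40:20 ALLOW TCP 10.20.33.9:2210 -> 62.193.233.4:443
2005-08-15T14:40:22 ALLOW UDP 10.20.30.40:1060 -> 10.20.0.1:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_cnc_contacts(log_text, indicators=ZOTOB_CNC):
    """Map each internal source IP to its contact attempts against a listed
    C&C endpoint. DENY lines are kept: a blocked attempt still identifies an
    infected host that needs cleanup."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        key = (rec["dst"], rec["dport"])
        if key in indicators:
            hits[rec["src"]].append(
                (rec["ts"], rec["dst"], rec["dport"], rec["action"], indicators[key])
            )
    return dict(hits)


def suspected_infected_hosts(log_text, indicators=ZOTOB_CNC):
    """Sorted list of internal hosts that tried to reach any C&C endpoint."""
    return sorted(find_cnc_contacts(log_text, indicators))


def snort_rules(indicators=ZOTOB_CNC, base_sid=1000001):
    """Emit one Snort-style alert rule per C&C endpoint. The sid range is a
    local placeholder chosen for this example."""
    rules = []
    for i, ((ip, port), owner) in enumerate(indicators.items()):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Zotob C&C contact {ip}:{port} ({owner})"; '
            f'flow:to_server; classtype:trojan-activity; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for host, contacts in find_cnc_contacts(SAMPLE_LOG).items():
        print(host)
        for ts, dst, dport, action, owner in contacts:
            print(f"  {ts} {action:5} -> {dst}:{dport}  {owner}")
    print("\n".join(snort_rules()))
```

Matching on the full IP:port pair rather than the IP alone keeps the check tight to what the post actually confirmed; a host talking to one of those addresses on another port is worth a look, but it is not the reported C&C channel.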

