[AusNOG] Flows to 81.95.147.138 indicating bot or keylogger activity (AUSCERT#20078b140)

matthew at auscert.org.au
Mon Mar 5 18:06:55 EST 2007



Greetings all,

We've received some incident information that indicates that there is a
bot network command and control hosted on:

  81.95.147.138

on port 80 - specifically the request would be to:

  hxxp://81.95.147.138 /myhome /in. php

The bots in question are taking their DDoS instructions from there.  So
if you have any flows toward that then that may indicate you have a
bot infection.

Alternatively, it could also indicate a keylogger trojan known as Bzub is
logging compromised account credentials.  We've had a recent incident where
a trojan dropper was spammed heavily that ultimately pulled down the Bzub
trojan from (url modified as trojan is still there):

  hxxp://marketing-know-how. com/products /bild_album. exe

and this keylogger logs to:

  hxxp://81.95.147.138 /sqlstat /info. php

All up, traffic to 81.95.147.138 is probably a sign of bad things.  That
being said - if anyone has what they think are bot infections relating to
this we would be very interested in hearing about it.  We are particularly
keen to get a sample of the bot itself.

Any feedback greatly appreciated.

Thanks for your time,

-- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

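The indicators above, turned into a small proxy-log check that separates C2 check-ins from Bzub credential uploads and dropper downloads. This is an added example, not part of the AusCERT message; the log format and sample lines are constructed, and the re-fanged URLs assume the defanging only inserted spaces and replaced "http" with "hxxp".

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post, re-fanged (hxxp -> http, spaces removed).
C2_HOST = "81.95.147.138"
INDICATOR_PATHS = {
    "/myhome/in.php": "bot C2 check-in (DDoS instructions)",
    "/sqlstat/info.php": "Bzub keylogger credential upload",
}
DROPPER_HOST = "marketing-know-how.com"  # hosted bild_album.exe per the post

# Constructed sample lines in a simplified proxy log format:
# <epoch> <client ip> <method> <url> <status>. Not real traffic.
SAMPLE_LOG = """\
1173077215.123 10.1.2.3 GET http://81.95.147.138/myhome/in.php 200
1173077220.456 10.1.2.9 POST http://81.95.147.138/sqlstat/info.php 200
1173077225.789 10.1.2.3 GET http://81.95.147.138/other/page.html 404
1173077230.000 10.1.2.7 GET http://marketing-know-how.com/products/bild_album.exe 200
1173077235.000 10.1.2.5 GET http://www.example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Return a finding label for a URL, or None if it matches no indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == C2_HOST:
        # Any traffic to the C2 host is suspect; known paths get a precise label.
        return INDICATOR_PATHS.get(parts.path.lower(), "unclassified traffic to C2 host")
    if host == DROPPER_HOST and parts.path.lower().endswith("/bild_album.exe"):
        return "Bzub dropper download"
    return None

def scan_log(text):
    """Parse log text and return (client_ip, url, finding) for each indicator hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url, _status = m.groups()
        finding = classify_url(url)
        if finding is not None:
            hits.append((client, url, finding))
    return hits

if __name__ == "__main__":
    for client, url, finding in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {finding}")
```

Unknown paths on the C2 host are still reported, since the post treats any traffic to that address as suspect.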
