Sunday, 16 January 2011

Update on DDoS botnet - greenter.ru & globdomain.ru

On September 13, 2010, I posted a blog about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913

Since that post, the command-and-control (C2) servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. As before, these attacks span many different industries and target some rather high-profile sites.

To date, I've seen these controllers use the following hosting providers. Each entry gives the date the domain was first seen on that provider, the IP address used, the provider's AS number and name, and the provider's country:

greenter.ru hosts

  • 08/07/10 - 194.28.112.135 - AS48691 - SPECIALIST-AS Specialist Ltd - Moldova
  • 11/18/10 - 188.95.159.114 - AS51306 - Tavria Host Network - Ukraine
  • 11/30/10 - 193.186.9.60 - AS44209 - FINACTIVE - Ukraine
  • 01/07/11 - 46.252.129.155 - AS52055 - ReliktBVK - Latvia

globdomain.ru hosts

  • 08/07/10 - 194.28.112.134 - AS48691 - SPECIALIST-AS Specialist Ltd - Moldova
  • 11/23/10 - 188.95.159.115 - AS51306 - Tavria Host Network - Ukraine
  • 11/30/10 - 193.186.9.61 - AS44209 - FINACTIVE - Ukraine
  • 01/07/11 - 46.252.129.156 - AS52055 - ReliktBVK - Latvia

As of this post, globdomain.ru is on 46.252.129.156 and greenter.ru is on 46.252.129.155. Note that at every hop the two domains have landed on adjacent IP addresses at the same provider, so a sighting of one is a strong lead on the other.
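The hosting list above is the kind of record a tracker keeps for a C2 domain: raw sightings are collapsed to a first-seen date per (domain, IP), provider hops are derived from changes of AS number, and the two domains are checked for co-location. The following Python is an added example written for this page, not Shadowserver's code or anything from the post. Its sightings are constructed from the list above (country codes are my abbreviation of the country names, the "1/7" entries are read as 2011 because the post is dated 16 January 2011, and the extra 2010-09-13 greenter.ru sighting is invented only to show de-duplication).

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address


@dataclass(frozen=True)
class Sighting:
    """One observation of a C2 domain resolving to an IP at a hosting provider."""
    seen: date
    domain: str
    ip: str
    asn: int
    country: str


# Constructed from the hosting list in the post. The 2010-09-13 greenter.ru
# line is an invented repeat sighting, present only to exercise de-duplication.
SIGHTINGS = [
    Sighting(date(2010, 8, 7), "greenter.ru", "194.28.112.135", 48691, "MD"),
    Sighting(date(2010, 8, 7), "globdomain.ru", "194.28.112.134", 48691, "MD"),
    Sighting(date(2010, 9, 13), "greenter.ru", "194.28.112.135", 48691, "MD"),
    Sighting(date(2010, 11, 18), "greenter.ru", "188.95.159.114", 51306, "UA"),
    Sighting(date(2010, 11, 23), "globdomain.ru", "188.95.159.115", 51306, "UA"),
    Sighting(date(2010, 11, 30), "greenter.ru", "193.186.9.60", 44209, "UA"),
    Sighting(date(2010, 11, 30), "globdomain.ru", "193.186.9.61", 44209, "UA"),
    Sighting(date(2011, 1, 7), "greenter.ru", "46.252.129.155", 52055, "LV"),
    Sighting(date(2011, 1, 7), "globdomain.ru", "46.252.129.156", 52055, "LV"),
]


def first_seen(sightings):
    """One record per (domain, ip), keeping the earliest sighting date."""
    table = {}
    for s in sorted(sightings, key=lambda s: s.seen):  # stable sort, earliest wins
        table.setdefault((s.domain, s.ip), s)
    return table


def history(sightings, domain):
    """Hosting history of one domain, ordered by first-seen date."""
    return sorted((s for s in first_seen(sightings).values() if s.domain == domain),
                  key=lambda s: s.seen)


def migrations(sightings, domain):
    """Provider hops as (from_asn, to_asn, 'YYYY-MM-DD') tuples."""
    hist = history(sightings, domain)
    return [(a.asn, b.asn, b.seen.isoformat())
            for a, b in zip(hist, hist[1:]) if a.asn != b.asn]


def ip_as_of(sightings, domain, as_of):
    """IP the domain was last seen on at or before as_of ('YYYY-MM-DD'); None if unseen."""
    cutoff = date.fromisoformat(as_of)
    hist = [s for s in history(sightings, domain) if s.seen <= cutoff]
    return hist[-1].ip if hist else None


def co_located(sightings, dom_a, dom_b, max_distance=1):
    """Hops where both domains sat on the same AS within max_distance addresses
    of each other: infrastructure that should be blocked and reported together."""
    pairs = []
    for a in history(sightings, dom_a):
        for b in history(sightings, dom_b):
            distance = abs(int(ip_address(a.ip)) - int(ip_address(b.ip)))
            if a.asn == b.asn and distance <= max_distance:
                pairs.append((a.asn, a.ip, b.ip))
    return pairs


def active_indicators(sightings, as_of):
    """(domain, ip) pairs believed live on as_of, e.g. for a notification list."""
    domains = {s.domain for s in sightings}
    live = {(d, ip_as_of(sightings, d, as_of)) for d in domains}
    return {(d, ip) for d, ip in live if ip is not None}


if __name__ == "__main__":
    for d in ("greenter.ru", "globdomain.ru"):
        print(d, migrations(SIGHTINGS, d))
    print(co_located(SIGHTINGS, "greenter.ru", "globdomain.ru"))
    print(active_indicators(SIGHTINGS, "2011-01-16"))
```

Run against the constructed sightings, `migrations` reproduces the three provider hops of each domain, `co_located` returns all four hops as adjacent-IP pairs on the same AS, and `active_indicators` for 2011-01-16 returns the two ReliktBVK addresses named in the post. Feeding it real passive-DNS or resolver logs only requires building `Sighting` records from them; the AS number must come from a routing lookup, which the example deliberately does not perform so that it runs offline.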

Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves.

Posted January 16, 2011, at 01:51 PM by Andre' - Semper_Securus