- 14.02.2011: Andre' DiMino - Resignation from Shadowserver
- 27.01.2011: Darkness DDoS bot version identification guide
- 24.01.2011: The Conficker Working Group Lessons Learned Document
- 23.01.2011: Spread of Darkness...Details on the public release of the Darkness DDoS bot
- 16.01.2011: See below.
- 30.12.2010: New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
Sunday, 16 January 2011
Update on DDoS botnet - greenter.ru & globdomain.ru
On September 13, 2010, I posted a blog entry about a very active BlackEnergy DDoS botnet that was attacking a wide variety of victims.
Since that post, the Command and Control servers on the greenter.ru and globdomain.ru domains have directed DDoS attacks against approximately 170 different victims. Again, these attacks span many different industries and target some rather high-profile sites.
Since 9/13/10, I've seen these controllers use the following hosting providers. Each entry gives the date the controller was first seen on the provider, the IP address used, the AS number and name of the provider, and the provider's country:
- 08/07/10 - 126.96.36.199 - AS48691 - SPECIALIST-AS Specialist Ltd - Moldova
- 11/18/10 - 188.8.131.52 - AS51306 - Tavria Host Network - Ukraine
- 11/30/10 - 184.108.40.206 - AS44209 - FINACTIVE - Ukraine
- 1/7/10 - 220.127.116.11 - AS52055 - ReliktBVK - Latvia
- 08/07/10 - 18.104.22.168 - AS48691 - SPECIALIST-AS Specialist Ltd - Moldova
- 11/23/10 - 22.214.171.124 - AS51306 - Tavria Host Network - Ukraine
- 11/30/10 - 126.96.36.199 - AS44209 - FINACTIVE - Ukraine
- 1/7/10 - 188.8.131.52 - AS52055 - ReliktBVK - Latvia
As of this post, globdomain.ru is on 184.108.40.206 and greenter.ru is on 220.127.116.11.
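A responder who receives a list like the one above usually wants to turn it into a hosting timeline: which provider hosted the controller during the window a victim's netflow or DNS logs cover, and how often the operators moved between autonomous systems. The following is an added example written for this post, not code from Shadowserver or from the original entry. It parses records in the same "date - IP - ASnnnn - provider - country" shape the list uses and answers those two questions. The controller names, IP addresses (RFC 5737 documentation ranges), AS numbers and provider names in it are constructed sample data, not the values reported above.

```python
"""Build a C2 hosting timeline from dated first-seen records.

Added example, not part of the original post. Records are constructed
sample data in the post's list format: two-digit years, so 01/07/11 is
parsed as 2011, and RFC 5737 documentation addresses stand in for IPs.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Sighting:
    controller: str
    first_seen: date
    ip: str
    asn: int
    provider: str
    country: str


def parse_sighting(controller: str, line: str) -> Sighting:
    """Parse one 'MM/DD/YY - IP - ASnnnn - provider - country' record."""
    fields = [f.strip() for f in line.split(" - ")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    seen, ip, asn, provider, country = fields
    if not asn.upper().startswith("AS") or not asn[2:].isdigit():
        raise ValueError(f"bad AS number: {asn!r}")
    first_seen = datetime.strptime(seen, "%m/%d/%y").date()
    return Sighting(controller, first_seen, ip, int(asn[2:]), provider, country)


# Constructed sample (hypothetical controllers and providers), in the post's format.
SAMPLE: Dict[str, List[str]] = {
    "c2-a.example": [
        "08/07/10 - 192.0.2.10 - AS64496 - Hoster One - MD",
        "11/18/10 - 192.0.2.20 - AS64497 - Hoster Two - UA",
        "01/07/11 - 192.0.2.30 - AS64498 - Hoster Three - LV",
    ],
    "c2-b.example": [
        "08/07/10 - 198.51.100.10 - AS64496 - Hoster One - MD",
        "11/30/10 - 198.51.100.20 - AS64499 - Hoster Four - UA",
    ],
}


def build_timeline(sample: Dict[str, List[str]]) -> Dict[str, List[Sighting]]:
    """Return {controller: [Sighting ...]} sorted by first-seen date."""
    timeline: Dict[str, List[Sighting]] = {}
    for controller, lines in sample.items():
        sightings = [parse_sighting(controller, line) for line in lines]
        timeline[controller] = sorted(sightings, key=lambda s: s.first_seen)
    return timeline


def hosted_on(timeline: Dict[str, List[Sighting]], controller: str,
              when: Union[date, str]) -> Optional[Sighting]:
    """Return the record active for `controller` on `when` (date or ISO string).

    A record is active from its first-seen date until the next record's
    first-seen date; the newest record is treated as still current.
    Returns None for dates before the first sighting.
    """
    if isinstance(when, str):
        when = date.fromisoformat(when)
    active: Optional[Sighting] = None
    for s in timeline[controller]:
        if s.first_seen <= when:
            active = s
        else:
            break
    return active


def asn_migrations(timeline: Dict[str, List[Sighting]],
                   controller: str) -> List[Tuple[int, int]]:
    """(from_asn, to_asn) for each move of the controller to a different AS."""
    seq = timeline[controller]
    return [(a.asn, b.asn) for a, b in zip(seq, seq[1:]) if a.asn != b.asn]


def shared_asns(timeline: Dict[str, List[Sighting]]) -> Set[int]:
    """AS numbers that hosted more than one controller, a useful pivot
    when deciding which provider abuse contacts to notify first."""
    seen: Dict[int, Set[str]] = {}
    for controller, seq in timeline.items():
        for s in seq:
            seen.setdefault(s.asn, set()).add(controller)
    return {asn for asn, controllers in seen.items() if len(controllers) > 1}


if __name__ == "__main__":
    tl = build_timeline(SAMPLE)
    for name in tl:
        rec = hosted_on(tl, name, "2010-12-15")
        print(f"{name} on 2010-12-15: {rec.ip} AS{rec.asn} ({rec.provider})")
        print("  AS migrations:", asn_migrations(tl, name))
    print("ASNs shared by more than one controller:", sorted(shared_asns(tl)))
```

The intervals are derived only from first-seen dates, so a controller that moved and came back would show as two separate records; that is the right behaviour for log scoping, where each record's window is what you match against connection timestamps.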
Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves.
Posted January 16, 2011, at 01:51 PM by Andre' - Semper_Securus