Sunday, March 6, 2011

RBN IP List Update 3-6-2011

RBN IP List Update 3-6-2011 is available at:
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

In this update we add more coverage of ChronoPay properties. Thus far we have seen only one domain move: the mail server mail-eye.com, previously hosted at 78.108.190.4 (AS43355 UPL-TELECOM-AS UPL Telecom), is now deployed at 178.63.72.234 (Hetzner). Both IP addresses also host DNS servers, which gives a clue to the rest of the adversary's supporting infrastructure.

In addition to Pavel Vrublevsky's hubris, the update lists new instances of SpyEye Command and Control servers, Zeus, several backdoor trojans, a Heihachi deployment of Trojan Palevo, and we catch the Koobface Gang victimizing cancer patients with Trojan Bredolab.

We have consolidated several individual IP listings into larger blocks, an opportunity provided by their consistently malicious behavior.
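The consolidation mentioned above is mechanical once the list is machine-readable: adjacent or overlapping entries are collapsed into the smallest set of CIDR blocks that covers them, and a lookup then tests an observed address against those blocks. The following is an added example, not code from the RBN list or Emerging Threats. The two mail-eye.com addresses are taken from this post; the 192.0.2.x entries and the comment-style list format are constructed for illustration.

```python
import ipaddress
from typing import List

# Constructed sample in the spirit of a hand-maintained reputation list:
# single hosts, an explicit first-last range, and a CIDR block, with the
# two mail-eye.com addresses from the post. 192.0.2.0/24 is documentation
# space (RFC 5737) and stands in for real malicious hosts.
SAMPLE_LIST = """
78.108.190.4             # mail-eye.com, AS43355 UPL Telecom (old location)
178.63.72.234            # mail-eye.com, Hetzner (new location)
192.0.2.0-192.0.2.15     # constructed: contiguous run of C2 hosts
192.0.2.16/28            # constructed: adjacent block, same operator
192.0.2.32               # constructed
192.0.2.33               # constructed
"""


def parse_entries(text: str) -> List[ipaddress.IPv4Network]:
    """Turn list lines (host, first-last range, or CIDR) into networks."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if "-" in line:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            # A first-last range may need several CIDRs to cover exactly.
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            # A bare host becomes a /32; strict=False tolerates host bits in CIDRs.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def consolidate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping networks into the fewest CIDR blocks."""
    return list(ipaddress.collapse_addresses(nets))


def is_listed(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any listed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    blocks = consolidate(parse_entries(SAMPLE_LIST))
    for b in blocks:
        print(b)
    for probe in ("192.0.2.20", "192.0.2.34", "178.63.72.234"):
        print(probe, "listed" if is_listed(probe, blocks) else "clean")
```

Collapsing the constructed 192.0.2.0-192.0.2.15 range together with 192.0.2.16/28 yields a single 192.0.2.0/27, and the two trailing hosts become 192.0.2.32/31; the two mail-eye.com addresses stay as /32 entries because nothing adjacent to them is listed. Keeping the old address listed after a move is deliberate: the post notes both hosts still serve DNS.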

We wish to acknowledge Brian Krebs, the Malware Domain List, and David Glosser at Malware Domains.

Thank you,

James McQuaid
http://www.jamesmcquaid.com/JamesMcQuaid.asc