Today's we detected the kelihos infected dial-up IP all over the world in total of: 4,360 nodes.
By rapidly requesting the HLUX (domains and NS used) for A records:
The HLUX seems grows very fast for non-unique monitoring..
But after we sort+unique the IPs , it actually grow as per below pace of unique growth:
We made four stages of this "Milking" process within one day, today and this is the result.
The overall IP data was merged and these are two options versions you can use:
1. The usual format, to get the info of your country/ISP/ASN: http://pastebin.com/raw.php?i=kArtKghi
2. The extended format with the additional reversed IP, network segments: http://pastebin.com/raw.php?i=mmuyzTuu
*) Recent samples can be grabbed from these IP, mostly are still alive now
Notes:
For a better look:
In details:
These are the breakdown per AS numbers:
These are the .COM domains that Kelihos scums wanted to use today, by using the below registrar info:
The Registration DB:
We initiate dismantling and blocking for them, below is the result:
This is a fight of group researchers & engineers gathered in MalwareMustDie, all of the result are team work, with wonderful cooperation from abuse.ch, OpenDNS, Umbrella Labs, GroupIB, registrar involved and ICANN.
Please help to clean up your network and inform us if you spot new domains used for new infection.
Stop malware using out internet!!
On behalf of #MalwareMustDie Team
By rapidly requesting the HLUX (domains and NS used) for A records:
The HLUX seems grows very fast for non-unique monitoring..
But after we sort+unique the IPs , it actually grow as per below pace of unique growth:
We made four stages of this "Milking" process within one day, today and this is the result.
The overall IP data was merged and these are two options versions you can use:
1. The usual format, to get the info of your country/ISP/ASN: http://pastebin.com/raw.php?i=kArtKghi
2. The extended format with the additional reversed IP, network segments: http://pastebin.com/raw.php?i=mmuyzTuu
*) Recent samples can be grabbed from these IP, mostly are still alive now
Notes:
Analysis shows most are dial ups IP but a quite big amount of static IP also spotted in some countries, the reversed IP shows you which one are dial-up network and which are not that's why I extracted them too.For the graphical view per country is as per below: (thank's to Chris J Wilson)
For a better look:
In details:
These are the breakdown per AS numbers:
These are the .COM domains that Kelihos scums wanted to use today, by using the below registrar info:
Code: Select all
The current regex format of domains used by Kelihos scum is randomized of:
REGISTERED VIA:
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last update of whois database: Sat, 10 Aug 2013 04:38:38 UTC
Registration Service Provided By: DOMALANDCode: Select all
PoC of the registrar:\[a-z\]\{7\}\.COMThe Registration DB:
We initiate dismantling and blocking for them, below is the result:
This is a fight of group researchers & engineers gathered in MalwareMustDie, all of the result are team work, with wonderful cooperation from abuse.ch, OpenDNS, Umbrella Labs, GroupIB, registrar involved and ICANN.
Please help to clean up your network and inform us if you spot new domains used for new infection.
Stop malware using out internet!!
On behalf of #MalwareMustDie Team
