Know your enemy "better"

posted Mar 8, 2013, 10:05 PM by Anthony Lai
After analysing attacks against an ISP together with another VX brother via a honeypot (www.honeynet.org), I have a different interpretation (15-day deployment since 22 Feb):

Top 10 attackers (hit count | source IP):

For the binaries and malware downloaded from attackers' hosts (MD5 | source IP | count):

Attacks on the ISP honeypot came from various countries (Brazil, Poland, Russia, Romania, India), but not from "China". By contrast, a honeypot set up in a private company for 2 months saw its top 10 attackers all coming from servers in China; the most active one was from AS9800. I would say this is the difference between a general and a targeted attack. I have notified the affected company and hopefully they can be alerted and take corresponding action on it.
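Added example (not code from the post or from the honeypot project): an aggregator for pipe-delimited download records of the form MD5|source IP|count, as listed above. It groups the records by sample hash so you can see how many distinct sources and /16 prefixes served the same binary, which is what separates a widely spread opportunistic family from a single targeted operator. The sample lines are constructed, with placeholder hashes and RFC 5737 documentation addresses.

```python
"""Aggregate honeypot download records of the form md5|source_ip|count."""
from collections import defaultdict
import ipaddress

# Constructed sample records (placeholder hashes, documentation IPs);
# not the data from the post. The last line is deliberately malformed.
SAMPLE = """\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|192.0.2.10|1500
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb|192.0.2.11|900
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|198.51.100.7|800
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|198.51.100.8|40
cccccccccccccccccccccccccccccccc|203.0.113.5|12
malformed line
"""

def parse_records(text):
    """Yield (md5, ip, count) tuples; skip lines that are not well-formed."""
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if len(parts) != 3:
            continue
        md5, ip, count = parts
        md5 = md5.lower()
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
            continue
        try:
            ipaddress.ip_address(ip)          # reject garbage in the IP column
            yield md5, ip, int(count)
        except ValueError:
            continue

def summarize(text):
    """Per-sample totals: {md5: {"downloads": n, "sources": k, "prefixes": m}}.
    Many distinct sources and /16 prefixes for one hash point to a widely
    spread family; one or two sources for everything suggests a focused actor."""
    downloads = defaultdict(int)
    sources = defaultdict(set)
    prefixes = defaultdict(set)
    for md5, ip, count in parse_records(text):
        downloads[md5] += count
        sources[md5].add(ip)
        prefixes[md5].add(str(ipaddress.ip_network(ip + "/16", strict=False)))
    return {h: {"downloads": downloads[h], "sources": len(sources[h]),
                "prefixes": len(prefixes[h])} for h in downloads}

def top_samples(text, n=10):
    """Sample hashes ranked by total downloads, most active first."""
    summary = summarize(text)
    return sorted(summary, key=lambda h: summary[h]["downloads"], reverse=True)[:n]
```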

- Darkfloyd