From steve@unixwiz.net Mon Oct 5 05:44:59 2009
Date: Mon, 5 Oct 2009 05:44:59 -0700
From: Steve Friedl
To: abuse@hopone.net, abuse@theplanet.com, abuse@opticaljungle.com
Subject: ABUSE: your customer providing DNS to a botnet

Good morning,

The set of nameservers a.dns.gen.in (and b. and c. and d.dns.gen.in) is hosting DNS for a machine used in a password-stealing botnet, and I'm having trouble finding who to contact to report this. So I'm reporting this to the owners of their address space in the hopes that you can pass this on.

BACKGROUND
----------

For more than a week, a large US-based payroll service has been subject to a malware attack on customers:

Refs: http://unixwiz.net/paychoice/
      http://voices.washingtonpost.com/securityfix/2009/09/hackers_breach_payroll_giant_t.html

This malware is a password-stealing Trojan that phones home to a command-and-control mothership in Sweden, but the domain name used, iicon-metal.org, is using dns.gen.in for resolution:

    $ rootns iicon-metal.org
    iicon-metal.org: a.dns.gen.in b.dns.gen.in c.dns.gen.in d.dns.gen.in

This would be at least the third DNS host in the last week, after EveryDNS.net and EditDNS.net terminated them for abuse. I have no reason to believe that DNS.GEN.IN is complicit in this criminal activity; they're just providing DNS.

This Trojan is known to be actively stealing and exploiting passwords of its victims.
DNS HOSTING
-----------

There are ten IP addresses involved with these nameservers, listed here along with the responsible parties:

    a.dns.gen.in has address 66.36.229.196    HopOne          abuse@hopone.net

    b.dns.gen.in has address 74.54.56.227     ThePlanet       abuse@theplanet.com
    b.dns.gen.in has address 74.54.56.231
    b.dns.gen.in has address 74.54.56.236
    d.dns.gen.in has address 74.52.140.82
    d.dns.gen.in has address 74.52.140.83
    d.dns.gen.in has address 74.52.140.84

    c.dns.gen.in has address 67.15.47.188     Optical Jungle  abuse@opticaljungle.com
    c.dns.gen.in has address 67.15.253.219
    c.dns.gen.in has address 67.15.253.252

Could I ask that this note be passed on to the customer in question with a request to investigate and take action? I'm happy to provide additional information should you or they require it to protect customers.

Thank you,

Steve

---
Stephen J Friedl | Security Consultant | UNIX Wizard | 714 694-0494
steve@unixwiz.net | Orange County, CA | Microsoft MVP | unixwiz.net
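The legwork behind the DNS HOSTING table above (resolve each nameserver, then attribute every address to the party whose block it falls in, so the report can be split per abuse mailbox) is easy to automate. The following is an added example and is not the author's `rootns` tool or any code from the message. The sample input is constructed in the format of `host` output and mirrors the ten addresses quoted above; the netblock-to-contact table is an assumption made for the example (the prefixes are not verified allocations), and in real use each entry would be filled from a whois/RDAP lookup on the address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the `host` output format; the addresses mirror the
# ten quoted in the report above.
SAMPLE_HOST_OUTPUT = """\
a.dns.gen.in has address 66.36.229.196
b.dns.gen.in has address 74.54.56.227
b.dns.gen.in has address 74.54.56.231
b.dns.gen.in has address 74.54.56.236
c.dns.gen.in has address 67.15.47.188
c.dns.gen.in has address 67.15.253.219
c.dns.gen.in has address 67.15.253.252
d.dns.gen.in has address 74.52.140.82
d.dns.gen.in has address 74.52.140.83
d.dns.gen.in has address 74.52.140.84
"""

# Hypothetical netblock -> (organisation, abuse mailbox) table. The prefixes
# are an assumption for this example, not verified allocations; in real use
# each entry comes from a whois/RDAP lookup on the address.
ABUSE_CONTACTS = {
    "66.36.229.0/24": ("HopOne", "abuse@hopone.net"),
    "74.54.56.0/24": ("ThePlanet", "abuse@theplanet.com"),
    "74.52.140.0/24": ("ThePlanet", "abuse@theplanet.com"),
    "67.15.0.0/16": ("Optical Jungle", "abuse@opticaljungle.com"),
}

HOST_LINE = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def parse_host_output(text):
    """Map each nameserver name to the sorted, de-duplicated list of its
    addresses, skipping lines that are not 'X has address Y' records."""
    addrs = defaultdict(set)
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if not m:
            continue
        name, ip = m.groups()
        try:
            addrs[name.lower().rstrip(".")].add(ipaddress.ip_address(ip))
        except ValueError:
            continue  # malformed address: ignore rather than abort the run
    # Sort by (version, numeric value) so mixed v4/v6 sets never raise.
    return {n: [str(a) for a in sorted(v, key=lambda a: (a.version, int(a)))]
            for n, v in addrs.items()}


def lookup_contact(ip, table=ABUSE_CONTACTS):
    """Longest-prefix match of an address against the contact table.
    Returns (org, mailbox) or None when no block covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, contact in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, contact)
    return best[1] if best else None


def group_by_contact(ns_addrs, table=ABUSE_CONTACTS):
    """Group (nameserver, address) pairs by abuse mailbox. Addresses with
    no covering block land under the key None so they are not silently lost."""
    groups = defaultdict(list)
    for name, ips in sorted(ns_addrs.items()):
        for ip in ips:
            contact = lookup_contact(ip, table)
            groups[contact[1] if contact else None].append((name, ip))
    return dict(groups)


def render_report(groups):
    """One text section per mailbox, in the style of the report above;
    unattributed addresses are listed last, flagged for a manual whois."""
    out = []
    for mailbox, pairs in sorted(groups.items(), key=lambda kv: kv[0] or "~"):
        out.append(f"== {mailbox or 'UNKNOWN (needs whois)'} ==")
        out.extend(f"{name} has address {ip}" for name, ip in pairs)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(group_by_contact(parse_host_output(SAMPLE_HOST_OUTPUT))))
```

Feeding it the real `host a.dns.gen.in` output for each nameserver, with the table populated from whois, yields one section per provider ready to paste into the corresponding abuse mail; the `None` bucket is deliberately kept so that an address no block covers shows up as a gap to chase rather than disappearing from the report.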