We have received information about a suspected Rovnix botnet controller currently using at least 2 domains (mashevserv[.]com and ericpotic[.]com) pointing to the same IP address of 37.9.53.126 (AS 44050). This is the information that we currently have available that should help identify if any hosts in your network are currently contacting this botnet:
It also appears this malware has very little detection. This is all we currently have. If you can recover samples either on the host or via packets and are willing to share them with us, you can upload them to our contact page.
-----------
Guy Bruneau, IPSS Inc.
gbruneau at isc dot sans dot edu
ISC Handler, Dec 7th 2013
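To act on the diary's request to check whether any internal host is contacting these indicators, the following is an added example (not part of the diary and not ISC tooling): it refangs the indicators exactly as they appear in the post and scans log lines for them, reporting the internal client on each hit. The BIND, Squid and iptables lines and the 10.0.0.x client addresses are constructed samples.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators from the diary, kept in the defanged form the post uses.
DEFANGED_DOMAINS = ["mashevserv[.]com", "ericpotic[.]com"]
DEFANGED_IPS = ["37.9.53.126"]

def refang(ioc: str) -> str:
    """Turn the defanged 'example[.]com' notation back into a matchable value."""
    return ioc.replace("[.]", ".").lower().rstrip(".")

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Hostname / dotted-quad tokens, bounded so that 37.9.53.1261 or
# notmashevserv.com are not mistaken for the real indicators.
TOKEN_RE = re.compile(r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![\w.-])")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def matches_indicator(token: str) -> Optional[str]:
    """Return the indicator a token hits (exact IP, exact domain, or a
    subdomain such as cdn.ericpotic.com), or None."""
    t = token.lower().rstrip(".")
    if IPV4_RE.match(t):
        return t if t in IPS else None
    return next((d for d in DOMAINS if t == d or t.endswith("." + d)), None)

def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """One (line_number, indicator, internal_ip) tuple per matching line.
    internal_ip is the first IPv4 on the line that is not an indicator,
    which is the client in DNS, proxy and firewall formats alike."""
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = [m.group(1) for m in TOKEN_RE.finditer(line)]
        ioc = next((i for i in map(matches_indicator, tokens) if i), None)
        if ioc:
            src = next((t for t in tokens if IPV4_RE.match(t) and t not in IPS), "?")
            hits.append((n, ioc, src))
    return hits

# Constructed sample lines (BIND query log, Squid access log, iptables log).
SAMPLE_LOG = [
    "07-Dec-2013 10:15:02.123 client 10.0.0.5#53122: query: cdn.ericpotic.com IN A +",
    "1386403200.123 45 10.0.0.7 TCP_MISS/200 512 GET http://mashevserv.com/gate.php - DIRECT/37.9.53.126 text/html",
    "07-Dec-2013 10:16:40 kernel: IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=37.9.53.126 PROTO=TCP DPT=80",
    "07-Dec-2013 10:17:01.004 client 10.0.0.9#40001: query: notmashevserv.com IN A +",
    "07-Dec-2013 10:17:05 kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=37.9.53.1261 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    for n, ioc, src in scan_log(SAMPLE_LOG):
        print(f"line {n}: {src} -> {ioc}")
```

Only the first indicator on a line is reported, so a proxy line naming both the domain and the IP yields one hit, attributed to the client address rather than to the controller.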
- https://www.virustotal.com/en/ip-address/37.9.53.126/information/
- http://google.com/safebrowsing/diagnostic?site=AS:44050
PC.Tech, Dec 7th 2013
Found this IP inside a file from ericpotic[.]com -- 85.17.222.24
HackDefendr, Dec 8th 2013
Found this IP inside a file from ericpotic[.]com -- 85[.]17[.]222[.]24
Looks like a mirror, as it contains the same files. Jeff
HackDefendr, Dec 8th 2013