- feng.pc-officer.com
- ihe1979.3322.org
Right now, host ihe1979.3322.org does not resolve at all, and feng.pc-officer.com resolves to a placeholder IP (63.64.63.64). The attackers can temporarily point the hostname at the real IP address and then switch it back to the placeholder, to hide their tracks; a single lookup at the wrong moment will therefore miss the control server entirely.
The domain name pc-officer.com is a weird one. It was registered as early as 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007. In that case the attack was done via DOC files instead of XLS, and the reporting server was ding.pc-officer.com, not feng.pc-officer.com.
If you haven't read about Ghostnet yet, now would be a good time.
PS. We don't know what area is shown in the map image. If you do, please leave a Comment.
Updated to add, Wednesday the 8th of April: We kept monitoring the host feng.pc-officer.com. As expected, it came alive for a short period yesterday. Here's what our logs look like:
Tue 7 Apr 2009 16:13:21 63.64.63.64
Tue 7 Apr 2009 16:14:17 63.64.63.64
Tue 7 Apr 2009 16:15:13 63.64.63.64
Tue 7 Apr 2009 16:16:09 216.255.196.154
Tue 7 Apr 2009 16:17:04 216.255.196.154
Tue 7 Apr 2009 16:18:00 216.255.196.154
Tue 7 Apr 2009 17:40:33 216.255.196.154
Tue 7 Apr 2009 17:41:29 216.255.196.154
Tue 7 Apr 2009 17:42:25 216.255.196.154
Tue 7 Apr 2009 17:43:21 63.64.63.64
Tue 7 Apr 2009 17:44:17 63.64.63.64
Tue 7 Apr 2009 17:45:13 63.64.63.64
IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
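Producing a log like the one above, and reading the live windows out of it, is a small amount of work. The following is an added example, not code from the original post or from the people who ran this monitoring: it polls a hostname at a fixed interval, writes one "timestamp ip" line per poll, and then turns a log in that layout back into the points where the answer changed and the windows during which a real (non-placeholder) address was served. The function names, the log layout, the PLACEHOLDER_IPS set and the "unresolved" marker are assumptions made for the example; the sample log embedded in it is constructed from the lines quoted in this post.

```python
import socket
import time
from datetime import datetime

# Added example (not from the original post). Names, the log layout, the
# placeholder set and the UNRESOLVED marker are assumptions for illustration.

LOG_FORMAT = "%a %d %b %Y %H:%M:%S"   # parses/renders "Tue 7 Apr 2009 16:13:21"
PLACEHOLDER_IPS = {"63.64.63.64"}     # parking address the attackers leave in DNS
UNRESOLVED = "unresolved"             # marker for a name that has no address at all

# Constructed sample input: the resolution log lines quoted in this post,
# one "<timestamp> <ip>" record per line.
SAMPLE_LOG = """\
Tue 7 Apr 2009 16:13:21 63.64.63.64
Tue 7 Apr 2009 16:14:17 63.64.63.64
Tue 7 Apr 2009 16:15:13 63.64.63.64
Tue 7 Apr 2009 16:16:09 216.255.196.154
Tue 7 Apr 2009 16:17:04 216.255.196.154
Tue 7 Apr 2009 16:18:00 216.255.196.154
Tue 7 Apr 2009 17:40:33 216.255.196.154
Tue 7 Apr 2009 17:41:29 216.255.196.154
Tue 7 Apr 2009 17:42:25 216.255.196.154
Tue 7 Apr 2009 17:43:21 63.64.63.64
Tue 7 Apr 2009 17:44:17 63.64.63.64
Tue 7 Apr 2009 17:45:13 63.64.63.64
"""


def resolve(hostname):
    """Resolve hostname to an IPv4 string, or UNRESOLVED if it has no address."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return UNRESOLVED


def format_entry(when, ip):
    """Render one "<timestamp> <ip>" log record."""
    return f"{when.strftime(LOG_FORMAT)} {ip}"


def parse_log(text):
    """Parse "<timestamp> <ip>" lines into a list of (datetime, ip) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, ip = line.rsplit(" ", 1)
        entries.append((datetime.strptime(stamp, LOG_FORMAT), ip))
    return entries


def transitions(entries):
    """Return (timestamp, old_ip, new_ip) for every poll whose answer differed from the previous one."""
    changes = []
    for (_, prev_ip), (when, ip) in zip(entries, entries[1:]):
        if ip != prev_ip:
            changes.append((when, prev_ip, ip))
    return changes


def live_windows(entries, placeholders=PLACEHOLDER_IPS):
    """Group consecutive polls that returned a real (resolving, non-placeholder) address.

    Returns (first_seen, last_seen, ip) per window. first_seen is the first poll
    that saw the real address, so the actual switch happened up to one poll
    interval earlier; likewise last_seen is a lower bound on the switch back.
    """
    windows = []
    current = None
    for when, ip in entries:
        real = ip != UNRESOLVED and ip not in placeholders
        if real and current is not None and current[2] == ip:
            current = (current[0], when, ip)        # extend the open window
        else:
            if current is not None:
                windows.append(current)             # close the previous window
            current = (when, when, ip) if real else None
    if current is not None:
        windows.append(current)
    return windows


def monitor(hostname, interval_seconds=60, polls=None, sink=print):
    """Poll hostname every interval_seconds (forever, or `polls` times), emitting one record per poll."""
    count = 0
    while polls is None or count < polls:
        sink(format_entry(datetime.now(), resolve(hostname)))
        count += 1
        if polls is None or count < polls:
            time.sleep(interval_seconds)


if __name__ == "__main__":
    for first, last, ip in live_windows(parse_log(SAMPLE_LOG)):
        print(f"{ip} served from {first:%H:%M:%S} to at least {last:%H:%M:%S}")
```

Run against the sample log this reports 216.255.196.154 as served from the 16:16:09 poll through the 17:42:25 poll. Because the poll interval is roughly a minute, each boundary is only accurate to one interval; a shorter interval tightens the window at the cost of more queries to the attackers' nameserver, which is itself observable to them.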
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US
Updated to add, Thursday the 9th of April: It changed again. Host feng.pc-officer.com is now pointing to 211.234.122.84.
This IP is located in Seoul, South Korea (the whois record is in Korean; field labels are translated below, and the values that were mis-encoded in the original are marked as such):
% whois 211.234.122.84
[ IPv4 address registration information ]
Organization ID : ORG137200
Org Name : (Korean text, mis-encoded in the original)
Address : (Korean text, mis-encoded in the original)
Detail Address : 261-1
Zip Code : 135-010