Additional detail on the latest Java Exploit, including (one of) the IP address(es) of the C&C server(s)
Symantec has put together a quick, easy-to-follow write-up on this latest Java vulnerability, including the IP of at least one of the C&C servers (linked below). For the impatient, the IP listed is 110.173.55.187. I did a quick whois on it (details below): it’s part of the 110.173.48.0/12 network and is registered to CHINADEDICATED-HK (a Chinese company, big surprise there). At this time, unless you have a specific need to communicate with hosts in this network range, we are recommending users block all traffic to/from the entire netblock (I suspect that the C&C is not limited or will not stay limited to this single IP, but that may be me being paranoid).
Article -> http://www.symantec.com/connect/blogs/latest-java-zero-day-shares-connections-bit9-security-incident
Whois info:
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 110.173.48.0 - 110.173.63.255
netname: CHINADEDICATED-HK
descr: Room B, 8/F Wing Cheung Ind Building
country: HK
admin-c: CDCn1-AP
tech-c: CDCn1-AP
status: ALLOCATED PORTABLE
remarks: Used for service-hosting
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINADEDICATED-HK
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20090507
source: APNIC

role: CHINA DEDICATED COMPANY - network administrator
address: Room B, 8/F, Wing Cheung Ind Building, No. 109, How Ming Street, Kwun Tong
country: HK
phone: +85268554675
e-mail: admin@chinadedicated.com
admin-c: CDCn1-AP
tech-c: CDCn1-AP
nic-hdl: CDCn1-AP
mnt-by: MAINT-CHINADEDICATED-HK
changed: hm-changed@apnic.net 20090507
source: APNIC
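Turning the whois output above into something actionable, as an added example (not code from the post or from Symantec): it collapses the inetnum range into its CIDR block, confirms the reported C&C IP falls inside it, emits the corresponding bidirectional iptables DROP rules, and flags matching connections in a few constructed firewall log lines (the log format is an assumption).

```python
import ipaddress
import re

# Values taken from the post: the reported C&C IP and the APNIC inetnum range.
CNC_IP = "110.173.55.187"
INETNUM_START, INETNUM_END = "110.173.48.0", "110.173.63.255"
# Constructed sample firewall log lines (not from the post); the format is assumed.
SAMPLE_LOG = """\
2013-03-01T10:02:11Z ALLOW TCP 192.168.1.25:49213 -> 110.173.55.187:443
2013-03-01T10:02:12Z ALLOW TCP 192.168.1.25:49214 -> 93.184.216.34:80
2013-03-01T10:03:40Z ALLOW TCP 110.173.60.9:8080 -> 192.168.1.40:51000
2013-03-01T10:04:02Z ALLOW UDP 192.168.1.30:53412 -> 8.8.8.8:53
"""
LINE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")


def inetnum_to_cidrs(start, end):
    """Collapse a whois inetnum range into the minimal list of CIDR blocks."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def in_netblock(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def flag_log_lines(log_text, cidrs):
    """Return log lines whose source or destination is inside the netblock."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and any(in_netblock(ip, cidrs) for ip in m.groups()):
            hits.append(line)
    return hits


def iptables_rules(cidrs):
    """Emit DROP rules for both directions, one pair per CIDR block."""
    return [cmd for c in cidrs for cmd in
            (f"iptables -A OUTPUT -d {c} -j DROP", f"iptables -A INPUT -s {c} -j DROP")]


if __name__ == "__main__":
    blocks = inetnum_to_cidrs(INETNUM_START, INETNUM_END)
    print("netblock:", blocks, "covers C&C IP:", in_netblock(CNC_IP, blocks))
    print("\n".join(iptables_rules(blocks)))
    print("\n".join(flag_log_lines(SAMPLE_LOG, blocks)))
```

Running it shows the registry allocation quoted in the whois output summarises to a single CIDR block, so the DROP rules cover exactly that allocation and nothing outside it.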