Re: Operation Ghost Click

[Sam Tetherow <tetherow () shwisp net>]

On 04/26/2012 05:00 PM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts<kyle.creyts () gmail com>  wrote:
> > http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
> >
> > On Apr 26, 2012 5:48 PM, "Leigh Porter"<leigh.porter () ukbroadband com>
> > wrote:
> > > On 26 Apr 2012, at 22:47, "Andrew Latham"
> > > <lathama () gmail com<mailto:lathama () gmail com>>  wrote:
> > >
> > >
> > > On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart
> > > <jeroen () mompl net<mailto:jeroen () mompl net>>  wrote:
> > >
> > > Yes its a major problem for the users unknowingly infected.  To them
> > > it will look like their Internet connection is down.  Expect ISPs to
> > > field lots of support s
> > >
> > > Is there a list of these temporary servers so I can see what customers are
> > > using them (indicating infection) and head off a support call with some
> > > contact?
> > >
> > > --
> > > Leigh
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
Or for those that don't want to do the math, here they are in CIDR notation

85.255.112.0/20
67.210.0.0/20
93.188.160.0/21
77.67.83.0/24
213.109.64.0/20
64.28.176.0/20