UPDATE: Updated indicators have been rolled out to our client systems. If you see any indicators triggering with "BOTLICK" as the alert type page our on call contact specified in your contract. We would love to catch an active client so we can determine the initial infection vectors.
If you see encrypted traffic going to any of the following IP addresses please check your source for processes that should not be running. This is affecting Windows 7 and Windows 8 PC's.
22.214.171.124 - Additional C+C Detected
126.96.36.199 - Additional C+C Detected
188.8.131.52 - C+C
184.108.40.206 - C+C
Our security analyst have been able to determine that there are at least 300+ host connected to the last indicator 220.127.116.11. We were able to pull in some additional data from our partners honeypots and network sensors to get a rough count of the activity level going to this system.
UPDATE: We are also seeing large numbers of connections to 18.104.22.168 as well.
The system appears to be in Indonesia and is connected via cable modem. We are actively working with the ISP to see if they can provide any additional details.
UPDATES MOVED TO MAILING LIST