Australia's Leading Computer Emergency Response Team
Storm, Porn and Brawn

Date: 31 January 2008

G'day Members,

Some of our analysts spent some time poking the Storm botnet this week
after receiving some pill spam with very familiar-looking URLs.

What they found was that hitting the IP in the message with requests for
various subdirectories would return a different URL each time.

A quick shell script later and the guys found about 20 domains, all of which
pointed back to what appear to be compromised (or complicit) machines
acting as proxies for a back end hosting the fake pill-selling content.

Here's a list of the domains involved for your blocking pleasure:


We've looked at a few domains of this style in the past and found that they
are usually huge "fast flux" networks. Geo-locating a bunch of these IPs back to
their originating country shows (as COUNT and Country):

2938 Russian Federation
1290 United States
1274 Hong Kong
863 Germany
693 Japan
614 Korea, Republic of

Yep, that's 2938 IPs in the Russian Federation all proxying for one domain.
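As an added example (not the analysts' script or any AusCERT tooling), here is how a defender can profile a suspected fast-flux name from repeated A-record lookups and produce the same "COUNT Country" ranking shown above. The lookup data, the prefix-to-country table and the flux thresholds are all constructed placeholders; a real run would feed in resolver answers and a GeoIP database.

```python
import ipaddress
from collections import Counter

# Constructed sample (not real observations): each entry is one A-record lookup
# of the name, as (TTL seconds, answer IPs). RFC 5737 documentation ranges and
# .invalid names are placeholders for the proxy addresses and spam domains.
SAMPLE_LOOKUPS = {
    "flux-example.invalid": [
        (300, ["203.0.113.10", "198.51.100.22", "192.0.2.5"]),
        (300, ["203.0.113.77", "198.51.100.9", "192.0.2.200"]),
        (300, ["203.0.113.10", "198.51.100.130", "192.0.2.61"]),
    ],
    "static-example.invalid": [(86400, ["192.0.2.1"]), (86400, ["192.0.2.1"])],
}
# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_PREFIXES = {
    "203.0.113.0/24": "Russian Federation",
    "198.51.100.0/24": "United States",
    "192.0.2.0/24": "Hong Kong",
}

def country_of(ip):
    # Longest-prefix matching is unnecessary here: the assumed table has no overlaps.
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "Unknown"

def unique_ips(lookups):
    # Distinct answer IPs across all lookups, in first-seen order (stable output).
    return list(dict.fromkeys(ip for _, answers in lookups for ip in answers))

def flux_profile(lookups):
    # Traits that separate a fast-flux name from one on ordinary hosting:
    # many distinct IPs, spread over many /24s, advertised with short TTLs.
    ips = unique_ips(lookups)
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
    return {"unique_ips": len(ips), "networks": len(nets),
            "min_ttl": min(ttl for ttl, _ in lookups)}

def is_fast_flux(profile, max_ttl=1800, min_ips=5):
    # Heuristic: short TTLs plus many distinct IPs; thresholds are assumptions.
    return profile["min_ttl"] <= max_ttl and profile["unique_ips"] >= min_ips

def country_report(ips):
    # "COUNT Country" lines, highest count first, like the figures in the post.
    counts = Counter(country_of(ip) for ip in ips)
    return [f"{n} {country}" for country, n in counts.most_common()]
```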

So the storm guys have teamed up with the pill spammers (again) to bring
you various fake enhancement medications.

Must be a growth industry.

Have a great weekend.

MacLeonard