Storm, Porn and Brawn

Date: 31 January 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8726

G'day Members,

Some of our analysts spent some time poking the Storm botnet this week after receiving some pill spam with very familiar-looking URLs. What they found was that hitting the IP in the message with requests for various subdirectories returned a different URL each time. A quick shell script later, the guys had found about 20 domains, all pointing back to what appear to be compromised (or complicit) machines acting as proxies for a back end hosting the fake pill-selling content. Here's a list of the domains involved for your blocking pleasure:

We've looked at a few domains of this style in the past and found that they are usually huge "fast flux" networks. Geo-locating a bunch of these IPs back to their originating country shows (as COUNT and Country):

2938 Russian Federation
1290 United States
1274 Hong Kong
863 Germany
693 Japan
614 Korea, Republic of

Yep, that's 2938 IPs in the Russian Federation all proxying for one domain. So the Storm guys have teamed up with the pill spammers (again) to bring you various fake enhancement medications. Must be a growth industry.

Have a great weekend.

MacLeonard
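As an added illustration (not the AusCERT analysts' shell script), the Python below triages repeated DNS answers for the two signals the post relies on: a domain answering with many distinct IPs spread across several networks on short TTLs, which is the fast-flux pattern, and a per-country tally of those proxy IPs in the same COUNT/Country shape. The observations, the threshold values and the prefix-to-country table are constructed stand-ins for real lookups and a GeoIP database.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed observations: one (domain, answer IP, TTL) tuple per A record seen
# across repeated lookups of the same name. Addresses are documentation ranges.
OBSERVATIONS = [
    ("flux.example", "203.0.113.5", 120), ("flux.example", "203.0.113.77", 120),
    ("flux.example", "203.0.113.130", 120), ("flux.example", "198.51.100.9", 120),
    ("flux.example", "198.51.100.200", 120), ("flux.example", "192.0.2.14", 120),
    ("flux.example", "203.0.113.5", 120),  # repeated answer: counted once
    ("static.example", "198.51.100.50", 3600), ("static.example", "198.51.100.50", 3600),
]

# Constructed stand-in for a GeoIP lookup, keyed by /24 prefix.
GEO_PREFIXES = {
    "203.0.113.0/24": "Russian Federation",
    "198.51.100.0/24": "United States",
    "192.0.2.0/24": "Hong Kong",
}

def country_for(ip):
    """Map an IPv4 address to a country via the constructed prefix table."""
    for prefix, country in GEO_PREFIXES.items():
        if ip_address(ip) in ip_network(prefix):
            return country
    return "Unknown"

def flux_profile(observations, min_ips=4, max_ttl=300):
    """Per domain: distinct IPs, distinct /16 networks, lowest TTL seen, and a
    fast-flux verdict (many IPs spread over several networks on a short TTL).
    Thresholds are assumed values, not figures from the post."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        ips[domain].add(ip)
        nets[domain].add(str(ip_network(f"{ip}/16", strict=False)))
        ttls[domain].append(ttl)
    return {d: {"ips": len(ips[d]), "nets": len(nets[d]), "min_ttl": min(ttls[d]),
                "fast_flux": len(ips[d]) >= min_ips and len(nets[d]) >= 2
                             and min(ttls[d]) <= max_ttl}
            for d in ips}

def country_counts(observations, domain):
    """Distinct proxy IPs per country for one domain as (COUNT, Country),
    largest first, matching the layout of the post's geo-location table."""
    distinct = {ip for d, ip, _ in observations if d == domain}
    counts = Counter(country_for(ip) for ip in distinct)
    return sorted(((n, c) for c, n in counts.items()), key=lambda t: (-t[0], t[1]))

if __name__ == "__main__":
    for domain, profile in flux_profile(OBSERVATIONS).items():
        print(domain, profile)
    for count, country in country_counts(OBSERVATIONS, "flux.example"):
        print(count, country)
```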