shmengie Posted October 20, 2005

I can't locate a registrar for this domain. It's a virus/trojan hosted domain, so you need to prefix the domain with anything.. nslookup spammer.vronaholiday.com locates the usual 4-5 virus infected machines. I cannot locate the registrar, so I cannot combat this bastage. !@#$%@#!
Jeff G. Posted October 20, 2005

It's not registered at present per whois.crsnic.net, and none of its nameservers are responding at first glance. However, here's some data to ponder:

```
10/20/05 14:04:40 dig vronaholiday.com @ 216.175.203.50
Dig vronaholiday.com@ns2.cucumberdns.com (68.203.191.157) ... failed, couldn't connect to nameserver
Dig vronaholiday.com@ns2.postik.net (71.12.20.244) ... failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.cucumberdns.net (24.148.169.219) ... failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.cucumberdns.com (217.122.135.86) ... failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.postik.net (12.215.193.251) ... failed, couldn't connect to nameserver
Dig vronaholiday.com@216.175.203.50 ...
Non-authoritative answer
Recursive queries supported by this server
Query for vronaholiday.com type=255 class=1
vronaholiday.com     NS (Nameserver) ns1.cucumberdns.net
vronaholiday.com     NS (Nameserver) ns2.postik.net
vronaholiday.com     NS (Nameserver) ns2.cucumberdns.com
vronaholiday.com     NS (Nameserver) ns1.postik.net
vronaholiday.com     NS (Nameserver) ns1.cucumberdns.com
vronaholiday.com     NS (Nameserver) ns2.postik.net
vronaholiday.com     NS (Nameserver) ns2.cucumberdns.com
vronaholiday.com     NS (Nameserver) ns1.postik.net
vronaholiday.com     NS (Nameserver) ns1.cucumberdns.com
vronaholiday.com     NS (Nameserver) ns1.cucumberdns.net
ns1.postik.net       A (Address) 67.176.213.97
ns1.postik.net       A (Address) 67.186.73.99
ns1.postik.net       A (Address) 68.34.215.98
ns1.postik.net       A (Address) 68.58.110.87
ns1.postik.net       A (Address) 68.60.127.244
ns1.postik.net       A (Address) 68.127.26.151
ns1.postik.net       A (Address) 71.8.197.224
ns1.postik.net       A (Address) 81.190.131.195
ns1.postik.net       A (Address) 84.24.235.224
ns1.postik.net       A (Address) 12.215.193.251
ns1.postik.net       A (Address) 12.217.57.81
ns1.postik.net       A (Address) 24.160.122.97
ns1.postik.net       A (Address) 66.56.36.62
ns1.cucumberdns.com  A (Address) 24.13.123.241
ns1.cucumberdns.com  A (Address) 24.170.141.175
ns1.cucumberdns.com  A (Address) 66.214.36.102
ns1.cucumberdns.com  A (Address) 67.170.48.111
ns1.cucumberdns.com  A (Address) 67.176.61.29
ns1.cucumberdns.com  A (Address) 67.190.252.222
ns1.cucumberdns.com  A (Address) 68.58.110.87
ns1.cucumberdns.com  A (Address) 68.63.20.36
ns1.cucumberdns.com  A (Address) 68.255.251.92
ns1.cucumberdns.com  A (Address) 217.122.135.86
ns1.cucumberdns.com  A (Address) 12.215.193.251
ns2.postik.net       A (Address) 68.61.247.99
ns2.postik.net       A (Address) 68.77.204.135
ns2.postik.net       A (Address) 68.115.148.142
ns2.postik.net       A (Address) 68.255.251.92
ns2.postik.net       A (Address) 71.12.20.244
ns2.postik.net       A (Address) 82.46.190.16
ns2.postik.net       A (Address) 24.6.197.6
ns2.postik.net       A (Address) 24.148.169.219
ns2.postik.net       A (Address) 66.191.230.86
ns2.postik.net       A (Address) 67.176.61.29
ns2.postik.net       A (Address) 67.186.73.99
ns2.postik.net       A (Address) 67.189.200.125
ns2.postik.net       A (Address) 68.60.127.244
ns2.cucumberdns.com  A (Address) 68.203.191.157
ns2.cucumberdns.com  A (Address) 68.204.134.128
ns2.cucumberdns.com  A (Address) 71.8.197.224
ns2.cucumberdns.com  A (Address) 71.12.20.244
ns2.cucumberdns.com  A (Address) 12.217.64.216
ns2.cucumberdns.com  A (Address) 24.14.51.159
ns2.cucumberdns.com  A (Address) 24.90.55.13
ns2.cucumberdns.com  A (Address) 24.94.241.185
ns2.cucumberdns.com  A (Address) 24.170.141.175
ns2.cucumberdns.com  A (Address) 66.56.36.62
ns2.cucumberdns.com  A (Address) 68.54.0.145
ns2.cucumberdns.com  A (Address) 68.63.20.36
ns2.cucumberdns.com  A (Address) 68.127.26.151
```

See also 3 hits so far on http://groups.google.com/groups?q=vronaholiday
Wazoo Posted October 20, 2005

Did you look at http://www.dnsreport.com/tools/dnsreport.c...ronaholiday.com ..??? per SamSpade / Windows:

```
10/20/05 13:31:20 Slow traceroute vronaholiday.com
Trace vronaholiday.com (84.24.235.224) ...
213.51.158.5    RTT: 124ms TTL: 32 (bb1-ge5-0.amsix-nikhef.home.nl ok)
213.51.158.192  RTT: 125ms TTL: 32 (No rDNS)
213.51.152.41   RTT: 124ms TTL: 32 (csw2-ge1-3.tilbu1.nb.home.nl ok)
213.51.152.248  RTT: 127ms TTL: 32 (ubr21-ge0-2-202.tilbu1.nb.home.nl ok)
84.24.235.224   RTT: 150ms TTL:114 (cp80932-a.tilbu1.nb.home.nl fraudulent rDNS)

inetnum:  84.24.0.0 - 84.24.255.255
netname:  ATHOME-TILBURG-1
descr:    @Home Tilburg Headend block
country:  NL
admin-c:  ABNO1-RIPE
tech-c:   HOME2-RIPE
remarks:  Please report abuse by email to abuse@home.nl
```

Probably sitting on a compromised machine at present ...
shmengie (Author) Posted October 20, 2005

Well, you can report all the infected machines until you turn blue... ISPs have a hard enough time resolving spamming client issues. Clients hosting DNS/webservice trojans/viri seem to go unattended. I'm tempted to write a report bot, but fear the consequences of such an endeavor. I guess it will require contacting the admin of the root servers, and getting this thing delisted. Argh, I don't feel like taking on that much work.

-- Oh, FWIW, traceroute is unimportant. You're tracing the route to only one of the infected hosts, which is likely a DSL/cable subscriber. The DNS servers are all virus/trojan servers too. I've reported the domains that they live by (ns1.cucumberdns.net, ns2.postik.net, ns2.cucumberdns.com) to yesnic.com. But yesnic.com is slow to respond. Well, they don't bother responding to me. They did eventually take down the last set of domains I reported tho. (listen2me.net and alwaysfirst1.net) were the first set of DNS servers I discovered propping up the virus/trojan hosted web servers. Seems these criminals have changed from one set of infected hosts providing both DNS and Web services, to now using one set for DNS and another set for Web services, or they just use different domain names for the differing services. You probably can still query the web servers for DNS info. I doubt the trojan cares which domain it responds from/to.
Wazoo Posted October 20, 2005

OK ... http://www.whois.sc/vronaholiday.com

```
Website Status: not active
Blacklist Status: Clear
Record Type: Domain Name
Name Server: NS1.CUCUMBERDNS.NET NS1.CUCUMBERDNS.COM
ICANN Registrar: ENOM, INC.
Created: 20-oct-2005
Expires: 20-oct-2006
Status: REGISTRAR-LOCK

Registration Service Provided By: NameCheap.com
Contact: <x>
Visit: http://www.namecheap.com/

Domain name: vronaholiday.com

Registrant Contact:
  Elle jane
  Elle Jane (yahoo address)
  +1.7690985672 Fax: +1.5555555555
  36th Ave
  broke hills, CA 45654
  US

Status: Locked

Name Servers:
  ns1.cucumberdns.com
  ns1.cucumberdns.net
  ns1.postik.net
  ns2.cucumberdns.com
  ns2.postik.net
```
shmengie (Author) Posted October 20, 2005

Thanks Wazoo, Guess it just took a while for that information to be published. I moaned at enom in regard to this fact. -Joe
StevenUnderwood Posted October 21, 2005

I just received a spam referencing this domain several times this morning and almost every reference was for a different IP address, including different reporting addresses (comcast and att): http://www.spamcop.net/sc?id=z818099332z0a...6f99ff2bcea08bz

Reports regarding this spam have already been sent:

```
Re: http:/ /nbzrw.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813940 To: abuse@comcast.net
Re: http:/ /oehxa.vronaholiday.net/extra/brokenlove3/getmeoff.php (Administrator of network hosting website referenced in spam)
Reportid: 1535813941 To: abuse@comcast.net
Re: http:/ /royji.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813942 To: abuse@comcast.net
Re: http:/ /vnfh.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813943 To: abuse@comcast.net
Re: http:/ /orfel.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813945 To: abuse@att.net
```
shmengie (Author) Posted October 22, 2005

This is that virus hosted gig. There are about 20 to a million computers infected with this virus/trojan. It must use some kind of irc ring to keep track of which computers are infected. There's no way to shut this thing down, other than report the domain names used to the registrars, because it's not actually hosted by any given isp.

If you nslookup the domain, you'll get 5 ip addresses. These addresses change frequently. They've switched from past behaviour somewhat. They used to use the same domain name for their name servers. Now they have 3 domains that are listed as the DNS server domains. All of which are also hosted on virus/trojaned computers. If you look up the DNS servers, you get about 20. Every computer listed is dsl/cable, so I assume it is safe to assume this is a virus/trojan at work.

I've reported all the domains I could identify to their registrars. Unfortunately, yesnic.com and the other, enom, appear to be very slow to respond. Porn, ebay phishing and a few other scams have been hosted in this fashion, by these criminals. Notify the FBI, maybe they'll listen, if enough people complain. They seemed to have ignored my reports. I've run to everyone I can think of in regard to this issue. Nobody seems to understand or worse, they simply don't care.

```
http://nbzrw.vronaholiday.net/extra/brokenlove3/
nbzrw.vronaholiday.net []
68.61.247.99     pcp01188935pcs.strl401.mi.comcast.net     returned 42825 bytes
68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net    returned 42825 bytes
12.217.64.216    12-217-64-216.client.mchsi.com            returned 42825 bytes
24.10.176.110    c-24-10-176-110.hsd1.ut.comcast.net       returned 42825 bytes
24.92.42.34      cpe-24-92-42-34.nycap.res.rr.com          returned 42825 bytes
```

The one time I followed links on one of their scams, it said it was collecting bank account information via secure https, though it didn't. The bank info was returned to the virus infected machines. Anyone stupid enough to give real bank account information will undoubtedly suffer consequences.
Wazoo Posted October 22, 2005

Timezone is GMT -5

```
10/21/05 23:57:24 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses: 68.54.0.145 24.14.237.143 68.34.215.98 193.108.54.147 24.14.251.172

10/22/05 00:13:30 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses: 67.167.36.157 24.10.176.110 12.219.128.159 68.63.20.36 68.54.0.145

10/22/05 00:36:26 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses: 70.60.12.174 24.94.241.185 24.14.251.172 12.214.239.206 24.10.176.110

10/22/05 00:51:33 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses: 68.51.32.6 12.219.128.159 68.203.191.157 68.63.20.36 67.167.36.157

10/22/05 02:22:14 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses: 68.61.247.99 67.167.36.157 24.10.176.110 24.14.237.143 68.63.20.36
```

See some repeated systems in there ... but this should provide enough evidence for your future complaints ....
Redstone Posted October 24, 2005

Thanks to Wazoo for sharing this thread on the classic SCNG. One may want to go after the ringleader of this crazy botnet. If you look through the HTML source, it will lead to adultactioncam.com (66.198.36.17) making this a problem for Teleglobe. This IP address belongs to a known spammer, and I've been manually LARTing these bozos for quite a while. So it isn't like Teleglobe is NOT aware of these SOBs. :angry: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18975
orion Posted October 24, 2005

> Thanks to Wazoo for sharing this thread on the classic SCNG. One may want to go after the ringleader of this crazy botnet. If you look through the HTML source, it will lead to adultactioncam.com (66.198.36.17) making this a problem for Teleglobe. This IP address belongs to a known spammer, and I've been manually LARTing these bozos for quite a while. So it isn't like Teleglobe is NOT aware of these SOBs. :angry: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18975

For those of you following this thread... I have just received a spamvertisement from "vallneedbreaks.com" ... this is the same sourcespammer (and same results when parsed) as "vronaholiday.com".
shmengie (Author) Posted October 25, 2005

It's interesting, valneedbreaks was spammed to me too, today.

```
October 24, 2005, Monday 12:00pm -500
Breaking news!
url = 'http://ns1.toperyip.com/ja1'
url = 'http://ns1.vewwopy.com'
http://ns1.toperyip.com/ja1
ns1.toperyip.com []
68.63.20.36      pcp01567266pcs.hlcrs201.al.comcast.net    returned 201 bytes
```

These two new domains both resolve to the same ip address and were referenced in the whois info for vallneedbreaks. I'm betting this ip address is being used to establish the dns hosts for this virus. The two tucows domains are listed as dns servers for vallneedbreaks.com, but are not yet being used AFAICT. But there is a lot of guessing in that statement.
shmengie (Author) Posted October 25, 2005

In case you, Redstone or orion, might find it useful, here's the python script I use to verify this botnet. It also contains a list of other domains used by this botnet, many of which have been closed by their registrars. I've only recently reported adultactioncam/cash to their registrars, but they aren't hosted in this fashion, so I have no idea what may come of that. Tucows is pretty good about shutting down spammed domains. Yesnic closed one set of domains, but the most recent ones seem to be left unattended by them. It's funny: dates4funz.com, registered at directi.com, was reported. They effectively told me to write the spammers and complain because they were only registrars. I told 'em I didn't think it would be in my best interest to do that. Then they said there was no "A" record... Duh... The spammers seem to have dropped that domain in favor of vrona and vallneed.... so I guess it doesn't matter. I'm hoping google will step up to the plate and help with this foobaz. I wrote them today, because ns1 & ns2.google.com were referenced in one of the whois infos for the rogue domains. I doubt it, but nobody else (namely the FBI or one of the big ISPs whose customers are infected) will step up to the plate and tackle this issue.

```python
#!/usr/bin/env python3
"""
SpamResearch.py

Minimal web surfer that helps verify virus-infected computers are hosting
rogue-domain web sites. It resolves the domain of a URL, fetches the URL
from each IP address listed, and reports the IP, its reverse DNS name and
the size of the web result for each address.
"""
import socket
import sys

# Domains used by this botnet that have since been closed by their registrars:
# url = 'http://bogus.torrence-family.com/drugs'
# url = 'http://www.access-authorization.com/ebayauth/'
# url = 'http://bullwhack.torrence-store.com/farm/?bridgewater=bwligbreak'
# url = 'http://www.nelema.com/ph/'
# url = 'http://www.teljar.com/u.php'
# url = 'http://www.pexetr.com/pt/'
# url = 'http://mnm.datesulook4.com/extra/angelsweet3/getmeoff.php'
# url = 'http://ucvihi.datesulook4.com/extra/angelsweet3/getmeoff.php'
# url = 'http://oimt.datesulook4.com/extra/angelsweet3/getmeoff.php'
# url = 'http://qgqsb.datecravings.com/extra/angelsweet3'

# Domains seen in use; the last entry is the default when no URL is passed.
urls = [
    'http://ns.cucumberdns.net',
    'http://ubseiz.flower-bed.biz',
    'http://ns1.cucumberdns.com',
    'http://asdf.vronaholiday.com',
    'http://www.DATES4FUNZ.COM',
    'http://ns1.postik.net',
    'http://ns1.vronaholiday.com',
    'http://nbzrw.vronaholiday.net/extra/brokenlove3/',
    'http://bpx.vallneedbreaks.com/ja1',
    'http://ns1.vewwopy.com',
    'http://ns1.toperyip.com/ja1',
]
url = urls[-1]

if len(sys.argv) >= 2:      # use 1st parameter if one passed,
    url = sys.argv[1]       # instead of the hard-coded url

# Pull the host name out of the URL: everything between '//' and the next '/'.
dstart = url.find('//') + 2
dend = url.find('/', dstart)
if dend == -1:
    dend = len(url)
domain = url[dstart:dend]
path = url[dend:] or '/'
print(url)

# Forward lookup returns every A record, i.e. the botnet's current round robin.
domain, aliases, addresses = socket.gethostbyname_ex(domain)
print(domain, aliases)

# Plain HTTP/1.0 request with a Host header so the infected box serves the
# rogue site even when it fronts several domain names.
request = ('GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' % (path, domain)).encode('ascii')

result = b''
for address in addresses:
    print('%-16s' % address, end=' ')
    try:
        s = socket.create_connection((address, 80), timeout=10)
        s.sendall(request)
        result = b''
        while True:
            data = s.recv(8192)
            if not data:
                break
            result += data
        s.close()
    except OSError:
        print('Failed')
        continue
    try:
        rdns = socket.gethostbyaddr(address)[0]
    except OSError:
        rdns = '(no rDNS)'
    print('%-45s' % rdns, end=' ')
    print('returned %d bytes' % len(result))

print('Last result:')
print(result.decode('latin-1', errors='replace'))
```

Moderator edit: changed {code} to {codebox} to save screen space
shmengie (Author) Posted November 2, 2005

I found this spam a little interesting. http://www.spamcop.net/sc?id=z822460225za1...98736812e39ac2z The domain afunfakes<dot>com does not appear to be hosted by the botnet, but the spam bears a striking resemblance to the recent deluge of botnet referenced spams. Random(ized) machine name is the first clue. Second clue is the fact that it's advertising a live smut cam. The whois info appears slightly different, tho bogus, nonetheless.
Jank1887 Posted November 3, 2005

> The whois info appears slightly different, tho bogus, nonetheless.

Make sure to send a whois data complaint (see This Thread for complaint info)... and consider a Registrar Problem Report against Namecheap.com, as they've let spammers bulk register tons of sites with identically formatted bad whois data. No oversight should equal ICANN revocation.
shmengie (Author) Posted November 7, 2005

A new domain popped up on the spam-dar today. ineedu2nite<dot>com Same spiel... botnet enabled. The domains I've reported to enom, valneedbreaks, vronaholiday, qazwinner, are still operational, AFAICT, so I reported enom to ICANN. I figure it is not worthwhile expecting any action.
Jeff G. Posted November 8, 2005

> afunfakes<dot>com

That domain is now listed by RFC-Ignorant.org, it no longer has working DNS per the gtld-servers, and I have independently verified that Yahoo! has cancelled its registration address rosie_beer@yahoo.com, as hinted at by the following:

> Hello,
>
> Thank you for contacting Yahoo! Customer Care. In this particular case, we have taken appropriate action against the Yahoo! account in question, as per our Terms of Service (TOS). For further details about the Yahoo! TOS, you can visit: http://docs.yahoo.com/info/terms/
>
> Please know that Yahoo! is unable to disclose the action taken on another user's account with a third party. We are not able to make exceptions to this rule.
>
> Thank you again for contacting Yahoo! Customer Care.
>
> Regards,
> Alexander
> Yahoo! Customer Care
> http://www.yahoo.com/
orion Posted November 8, 2005

An update on this "vronaholiday.com" jackass. After using the above domain name and "vallneedsbreaks.com", this jerk switched to "gazwinner.net", then came out from behind his virus/trojan infected host for a few days as "foolfingers.com", then "afunfakes.com", followed by "floppyfive.com". This spammer is now once again behind a virus/trojan infected host, spewing out random IPs, first as "stinkyfleet.com" and currently as "ineedu2nite.com". As well as the red graphics spams, once in a while I receive an out-and-out porno message, to procure prostitutes for me... all from this same source.
TerryNZ Posted October 5, 2006

This method of setting up a round-robin of hijacked sites in the Address record of the Domain Name zone file is becoming common in the spammer community. I found this posting in another forum, related to Pharma Shop. The round-robin set of five addresses were being updated every five minutes. At the time, spamvertized URLs were redirected to leaderprince.info, which was running Pharma Shop.

```
Looking up at the 5 leaderprince.info. parent servers:
Server                              Response                                                                      Time
ns5.reyualo.org [74.129.126.225]    62.57.15.204 / 72.184.15.221 / 74.129.126.225 / 80.57.79.194 / 82.251.201.9
ns4.reyualo.org [190.6.193.26]
ns2.reyualo.org [62.57.15.204]
ns1.reyualo.org [82.251.201.9]
ns3.reyualo.org [69.45.111.3]       Timeout

A few minutes later . .
ns5.reyualo.org [74.129.126.225]    128.153.201.22 / 74.129.126.225 / 80.57.79.194 / 82.251.201.9 / 88.11.1.172
ns2.reyualo.org [62.57.15.204]
ns1.reyualo.org [82.251.201.9]
ns3.reyualo.org [69.45.111.3]       Timeout
ns4.reyualo.org [190.6.193.26]      Timeout

A few minutes more . . .
24.90.77.28 / 62.57.15.204 / 82.251.201.9 / 85.222.9.181 / 87.74.232.166

Then five minutes later . . .
62.0.134.19 / 72.184.15.221 / 81.170.134.248 / 82.251.201.9 / 88.11.1.172

Next . . .
62.57.15.204 / 72.184.15.221 / 74.129.126.225 / 81.170.134.248 / 82.251.201.9

Later . .
70.224.167.114 / 81.170.134.248 / 82.248.19.176 / 85.222.9.181 / 88.11.1.172

And . .
65.190.89.108 / 80.57.79.194 / 81.170.134.248 / 82.255.83.168 / 88.11.1.172
```

It is a bit like a "botnet" of hijacked machines, each running a trojan proxy web server. The difference is that the "herding" is being performed at the name server address level. I suspect an automated update mechanism is in play, updating the NS record with new quintets of round-robin addresses to keep the sites continually on the move. Such a rapid site shifting method seems designed to counter SpamCop's spamvertized site IP reporting.
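What TerryNZ describes above, and what Wazoo's repeated lookups of nbzrw.vronaholiday.net earlier in the thread show, is the same pattern: a small answer set that is swapped out every few minutes across many unrelated consumer netblocks. The following script is an added example, not code from any poster in this thread; it takes a sequence of A-record snapshots and computes the three things a defender would look at before filing a complaint: how many distinct hosts appeared over the observation window, what fraction of each answer set was new compared with the previous poll (churn), and how many distinct /16 prefixes the hosts span. The leaderprince.info snapshots are copied from TerryNZ's post; the "control" snapshots and the thresholds in looks_fast_flux() are constructed for illustration and are not a published standard.

```python
"""
Fast-flux indicator computed from repeated A-record snapshots.

Added example (not from the thread). Each snapshot is the list of addresses
a resolver returned for one hostname at one point in time. The thresholds in
looks_fast_flux() are illustrative heuristics chosen for this example.
"""
from ipaddress import ip_address

# Address quintets TerryNZ observed for leaderprince.info, a few minutes apart,
# in the order given in the post above.
LEADERPRINCE_SNAPSHOTS = [
    ["62.57.15.204", "72.184.15.221", "74.129.126.225", "80.57.79.194", "82.251.201.9"],
    ["128.153.201.22", "74.129.126.225", "80.57.79.194", "82.251.201.9", "88.11.1.172"],
    ["24.90.77.28", "62.57.15.204", "82.251.201.9", "85.222.9.181", "87.74.232.166"],
    ["62.0.134.19", "72.184.15.221", "81.170.134.248", "82.251.201.9", "88.11.1.172"],
    ["62.57.15.204", "72.184.15.221", "74.129.126.225", "81.170.134.248", "82.251.201.9"],
    ["70.224.167.114", "81.170.134.248", "82.248.19.176", "85.222.9.181", "88.11.1.172"],
    ["65.190.89.108", "80.57.79.194", "81.170.134.248", "82.255.83.168", "88.11.1.172"],
]

# Constructed control: an ordinary two-host round robin (TEST-NET-1 addresses)
# that returns the same pair every time, as a legitimately hosted site would.
STABLE_SNAPSHOTS = [
    ["192.0.2.10", "192.0.2.11"],
    ["192.0.2.11", "192.0.2.10"],
    ["192.0.2.10", "192.0.2.11"],
    ["192.0.2.10", "192.0.2.11"],
]


def analyse(snapshots):
    """Summarise how the answer set moves between consecutive snapshots."""
    seen = set()
    new_per_snapshot = []          # addresses never returned before each poll
    for snap in snapshots:
        addrs = set(snap)
        new_per_snapshot.append(len(addrs - seen))
        seen |= addrs

    # Churn: share of each answer set that was absent from the previous answer.
    churn = [
        len(set(cur) - set(prev)) / len(set(cur))
        for prev, cur in zip(snapshots, snapshots[1:])
    ]
    # Spread: distinct /16 prefixes. Hosts on consumer DSL/cable lines scatter
    # across many networks; a hosting provider's pool usually does not.
    prefixes = {ip_address(a).packed[:2] for a in seen}

    return {
        "snapshots": len(snapshots),
        "unique_ips": len(seen),
        "distinct_slash16": len(prefixes),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
        "new_per_snapshot": new_per_snapshot,
    }


def looks_fast_flux(stats, min_unique=10, min_churn=0.4, min_prefixes=5):
    """Heuristic verdict: many distinct hosts, high churn, wide network spread."""
    return (
        stats["unique_ips"] >= min_unique
        and stats["mean_churn"] >= min_churn
        and stats["distinct_slash16"] >= min_prefixes
    )


if __name__ == "__main__":
    for name, snaps in (("leaderprince.info", LEADERPRINCE_SNAPSHOTS),
                        ("control", STABLE_SNAPSHOTS)):
        stats = analyse(snaps)
        print(name, stats, "fast-flux" if looks_fast_flux(stats) else "stable")
```

On the seven leaderprince.info snapshots this reports 16 distinct hosts in 16 different /16 prefixes with a mean churn of about 0.63 per poll, while the control stays at two hosts and zero churn. The numbers alone are what an abuse desk or registrar can act on; feeding it Wazoo's five nbzrw.vronaholiday.net answers would give the same kind of summary for this thread's domain.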