shmengie

vronaholiday.com, what the F....


I can't locate a registrar for this domain.

It's a virus/trojan hosted domain, so you need to prefix the domain with anything.

nslookup spammer.vronaholiday.com

locates the usual 4-5 virus infected machines. I cannot locate the registrar, so I cannot combat this bastage.

!@#$%@#!


It's not registered at present per whois.crsnic.net, and none of its nameservers are responding at first glance. However, here's some data to ponder:

10/20/05 14:04:40 dig vronaholiday.com @ 216.175.203.50
Dig vronaholiday.com@ns2.cucumberdns.com (68.203.191.157) ...
failed, couldn't connect to nameserver
Dig vronaholiday.com@ns2.postik.net (71.12.20.244) ...
failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.cucumberdns.net (24.148.169.219) ...
failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.cucumberdns.com (217.122.135.86) ...
failed, couldn't connect to nameserver
Dig vronaholiday.com@ns1.postik.net (12.215.193.251) ...
failed, couldn't connect to nameserver
Dig vronaholiday.com@216.175.203.50 ...
Non-authoritative answer
Recursive queries supported by this server
Query for vronaholiday.com type=255 class=1
  vronaholiday.com NS (Nameserver) ns1.cucumberdns.net
  vronaholiday.com NS (Nameserver) ns2.postik.net
  vronaholiday.com NS (Nameserver) ns2.cucumberdns.com
  vronaholiday.com NS (Nameserver) ns1.postik.net
  vronaholiday.com NS (Nameserver) ns1.cucumberdns.com
  vronaholiday.com NS (Nameserver) ns2.postik.net
  vronaholiday.com NS (Nameserver) ns2.cucumberdns.com
  vronaholiday.com NS (Nameserver) ns1.postik.net
  vronaholiday.com NS (Nameserver) ns1.cucumberdns.com
  vronaholiday.com NS (Nameserver) ns1.cucumberdns.net
  ns1.postik.net A (Address) 67.176.213.97
  ns1.postik.net A (Address) 67.186.73.99
  ns1.postik.net A (Address) 68.34.215.98
  ns1.postik.net A (Address) 68.58.110.87
  ns1.postik.net A (Address) 68.60.127.244
  ns1.postik.net A (Address) 68.127.26.151
  ns1.postik.net A (Address) 71.8.197.224
  ns1.postik.net A (Address) 81.190.131.195
  ns1.postik.net A (Address) 84.24.235.224
  ns1.postik.net A (Address) 12.215.193.251
  ns1.postik.net A (Address) 12.217.57.81
  ns1.postik.net A (Address) 24.160.122.97
  ns1.postik.net A (Address) 66.56.36.62
  ns1.cucumberdns.com A (Address) 24.13.123.241
  ns1.cucumberdns.com A (Address) 24.170.141.175
  ns1.cucumberdns.com A (Address) 66.214.36.102
  ns1.cucumberdns.com A (Address) 67.170.48.111
  ns1.cucumberdns.com A (Address) 67.176.61.29
  ns1.cucumberdns.com A (Address) 67.190.252.222
  ns1.cucumberdns.com A (Address) 68.58.110.87
  ns1.cucumberdns.com A (Address) 68.63.20.36
  ns1.cucumberdns.com A (Address) 68.255.251.92
  ns1.cucumberdns.com A (Address) 217.122.135.86
  ns1.cucumberdns.com A (Address) 12.215.193.251
  ns2.postik.net A (Address) 68.61.247.99
  ns2.postik.net A (Address) 68.77.204.135
  ns2.postik.net A (Address) 68.115.148.142
  ns2.postik.net A (Address) 68.255.251.92
  ns2.postik.net A (Address) 71.12.20.244
  ns2.postik.net A (Address) 82.46.190.16
  ns2.postik.net A (Address) 24.6.197.6
  ns2.postik.net A (Address) 24.148.169.219
  ns2.postik.net A (Address) 66.191.230.86
  ns2.postik.net A (Address) 67.176.61.29
  ns2.postik.net A (Address) 67.186.73.99
  ns2.postik.net A (Address) 67.189.200.125
  ns2.postik.net A (Address) 68.60.127.244
  ns2.cucumberdns.com A (Address) 68.203.191.157
  ns2.cucumberdns.com A (Address) 68.204.134.128
  ns2.cucumberdns.com A (Address) 71.8.197.224
  ns2.cucumberdns.com A (Address) 71.12.20.244
  ns2.cucumberdns.com A (Address) 12.217.64.216
  ns2.cucumberdns.com A (Address) 24.14.51.159
  ns2.cucumberdns.com A (Address) 24.90.55.13
  ns2.cucumberdns.com A (Address) 24.94.241.185
  ns2.cucumberdns.com A (Address) 24.170.141.175
  ns2.cucumberdns.com A (Address) 66.56.36.62
  ns2.cucumberdns.com A (Address) 68.54.0.145
  ns2.cucumberdns.com A (Address) 68.63.20.36
  ns2.cucumberdns.com A (Address) 68.127.26.151

See also 3 hits so far on http://groups.google.com/groups?q=vronaholiday


Did you look at http://www.dnsreport.com/tools/dnsreport.c...ronaholiday.com ..???

per SamSpade / Windows

10/20/05 13:31:20 Slow traceroute vronaholiday.com
Trace vronaholiday.com (84.24.235.224) ...
213.51.158.5 RTT: 124ms TTL: 32 (bb1-ge5-0.amsix-nikhef.home.nl ok)
213.51.158.192 RTT: 125ms TTL: 32 (No rDNS)
213.51.152.41 RTT: 124ms TTL: 32 (csw2-ge1-3.tilbu1.nb.home.nl ok)
213.51.152.248 RTT: 127ms TTL: 32 (ubr21-ge0-2-202.tilbu1.nb.home.nl ok)
84.24.235.224 RTT: 150ms TTL:114 (cp80932-a.tilbu1.nb.home.nl fraudulent rDNS)

inetnum: 84.24.0.0 - 84.24.255.255
netname: ATHOME-TILBURG-1
descr: @Home Tilburg Headend block
country: NL
admin-c: ABNO1-RIPE
tech-c: HOME2-RIPE
remarks: Please report abuse by email to abuse@home.nl

Probably sitting on a compromised machine at present ...


Well, you can report all the infected machines until you turn blue... ISPs have a hard enough time resolving spamming client issues.

Clients hosting DNS/web service trojans/viri seem to go unattended.

I'm tempted to write a report bot, but fear the consequences of such an endeavor.

I guess it will require contacting the admin of the root servers, and getting this thing delisted. Argh, I don't feel like taking on that much work.

--

Oh, FWIW, traceroute is unimportant. You're tracing the route to only one of the infected hosts, which is likely a DSL/cable subscriber.

The DNS servers are all virus/trojan servers too. I've reported the domains that they live by (ns1.cucumberdns.net, ns2.postik.net, ns2.cucumberdns.com) to yesnic.com, but yesnic.com is slow to respond. Well, they don't bother responding to me. They did eventually take down the last set of domains I reported, though (listen2me.net and alwaysfirst1.net), which were the first set of DNS servers I discovered propping up the virus/trojan hosted web servers. Seems these criminals have changed from one set of infected hosts providing both DNS and web services to now using one set for DNS and another set for web services, or they just use different domain names for the differing services.

You probably can still query the web servers for DNS info. I doubt the trojan cares which domain it responds from/to.

Edited by shmengie


OK ... http://www.whois.sc/vronaholiday.com

Website Status: not active

Blacklist Status: Clear

Record Type: Domain Name

Name Server: NS1.CUCUMBERDNS.NET NS1.CUCUMBERDNS.COM

ICANN Registrar: ENOM, INC.

Created: 20-oct-2005

Expires: 20-oct-2006

Status: REGISTRAR-LOCK

Registration Service Provided By: NameCheap.com

Contact: <x>

Visit: http://www.namecheap.com/

Domain name: vronaholiday.com

Registrant Contact:

Elle jane

Elle Jane (yahoo address)

+1.7690985672

Fax: +1.5555555555

36th Ave

broke hills, CA 45654

US

Status: Locked

Name Servers:

ns1.cucumberdns.com

ns1.cucumberdns.net

ns1.postik.net

ns2.cucumberdns.com

ns2.postik.net


Thanks Wazoo,

Guess it just took a while for that information to be published.

I moaned at enom in regard to this fact.

-Joe


I just received a spam referencing this domain several times this morning and almost every reference was for a different IP address, including different reporting addresses (comcast and att): http://www.spamcop.net/sc?id=z818099332z0a...6f99ff2bcea08bz

Reports regarding this spam have already been sent:

Re: http:/ /nbzrw.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813940 To: abuse@comcast.net

Re: http:/ /oehxa.vronaholiday.net/extra/brokenlove3/getmeoff.php (Administrator of network hosting website referenced in spam)
Reportid: 1535813941 To: abuse@comcast.net

Re: http:/ /royji.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813942 To: abuse@comcast.net

Re: http:/ /vnfh.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813943 To: abuse@comcast.net

Re: http:/ /orfel.vronaholiday.net/extra/brokenlove3 (Administrator of network hosting website referenced in spam)
Reportid: 1535813945 To: abuse@att.net


This is that virus hosted gig.

There are about 20 to a million computers infected with this virus/trojan.

It must use some kind of irc ring to keep track of which computers are infected. There's no way to shut this thing down, other than report the domain names used to the registrars, because it's not actually hosted by any given isp.

If you nslookup the domain, you'll get 5 IP addresses. These addresses change frequently. They've switched from past behaviour somewhat. They used to use the same domain name for their name servers. Now they have 3 domains that are listed as the DNS server domains, all of which are also hosted on virus/trojaned computers. If you look up the DNS servers, you get about 20.

Every computer listed is DSL/cable, so I think it is safe to assume this is a virus/trojan at work.

I've reported all the domains I could identify to their registrars. Unfortunately, yesnic.com and the other one, enom, appear to be very slow to respond.

Porn, eBay phishing and a few other scams have been hosted in this fashion by these criminals. Notify the FBI; maybe they'll listen if enough people complain. They seem to have ignored my reports. I've run to everyone I can think of in regard to this issue. Nobody seems to understand or, worse, they simply don't care. :(

http://nbzrw.vronaholiday.net/extra/brokenlove3/

nbzrw.vronaholiday.net []

68.61.247.99 pcp01188935pcs.strl401.mi.comcast.net returned 42825 bytes

68.63.20.36 pcp01567266pcs.hlcrs201.al.comcast.net returned 42825 bytes

12.217.64.216 12-217-64-216.client.mchsi.com returned 42825 bytes

24.10.176.110 c-24-10-176-110.hsd1.ut.comcast.net returned 42825 bytes

24.92.42.34 cpe-24-92-42-34.nycap.res.rr.com returned 42825 bytes

The one time I followed links on one of their scams, it said it was collecting bank account information via secure https, though it didn't. The bank info was returned to the virus infected machines.

Anyone stupid enough to give real bank account information will undoubtedly suffer consequences.

Edited by shmengie


Timezone is GMT -5

10/21/05 23:57:24 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses:
68.54.0.145
24.14.237.143
68.34.215.98
193.108.54.147
24.14.251.172

10/22/05 00:13:30 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses:
67.167.36.157
24.10.176.110
12.219.128.159
68.63.20.36
68.54.0.145

10/22/05 00:36:26 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses:
70.60.12.174
24.94.241.185
24.14.251.172
12.214.239.206
24.10.176.110

10/22/05 00:51:33 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses:
68.51.32.6
12.219.128.159
68.203.191.157
68.63.20.36
67.167.36.157

10/22/05 02:22:14 dns nbzrw.vronaholiday.net
Canonical name: nbzrw.vronaholiday.net
Addresses:
68.61.247.99
67.167.36.157
24.10.176.110
24.14.237.143
68.63.20.36

See some repeated systems in there ... but this should provide enough evidence for your future complaints ....


Thanks to Wazoo for sharing this thread on the classic SCNG. :)

One may want to go after the ringleader of this crazy botnet.

If you look through the HTML source, it will lead to adultactioncam.com (66.198.36.17) making this a problem for Teleglobe.

This IP address belongs to a known spammer, and I've been manually LARTing these bozos for quite a while. So it isn't like Teleglobe is NOT aware of these SOBs. :angry:

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18975


For those of you following this thread... I have just received a spamvertisement from "vallneedbreaks.com" ... this is the same sourcespammer (and same results when parsed) as "vronaholiday.com".


It's interesting, valneedbreaks was spammed to me too, today.

October 24, 2005, Monday 12:00pm -500

Breaking news!

url = 'http://ns1.toperyip.com/ja1'

url = 'http://ns1.vewwopy.com'

http://ns1.toperyip.com/ja1

ns1.toperyip.com []

68.63.20.36 pcp01567266pcs.hlcrs201.al.comcast.net returned 201 bytes

These two new domains both resolve to the same ip address and were referenced in the whois info for vallneedbreaks.

I'm betting this ip address is being used to establish the dns hosts for this virus. The two tucows domains are listed as dns servers for vallneedbreaks.com, but are not yet being used AFAICT.

But there is a lot of guessing in that statement.


In case you, Redstone, or orion might find it useful, here's the Python script I use to verify this botnet.

It also contains a list of other domains used by this botnet, many of which have been closed by their registrars.

I've only recently reported adultactioncam/cash to their registrars, but they aren't hosted in this fashion, so I have no idea what may come of that. Tucows is pretty good about shutting down spammed domains.

Yesnic closed one set of domains, but the most recent ones seem to be left unattended by them.

It's funny: dates4funz.com, registered at directi.com, was reported. They effectively told me to write the spammers and complain, because they were only registrars. I told 'em I didn't think it would be in my best interest to do that. Then they said there was no "A" record... Duh... The spammers seem to have dropped that domain in favor of vrona and vallneed.... so I guess it doesn't matter.

I'm hoping Google will step up to the plate and help with this foobaz. I wrote them today, because ns1 & ns2.google.com were referenced in one of the whois infos for the rogue domains. I doubt it, but nobody else (namely the FBI or one of the big ISPs whose customers are infected) will step up to the plate and tackle this issue.

"""
SpamResearch.py

minmal web surfer
helps verify virus infected computers
are hosting rogue domain web-sites.

It runs nslookup on the domain of an url,
web queries each ip listed, reports ip,
reverse DNS lookup and size of web result
for each address.
"""

import socket, sys

#url = 'http://bogus.torrence-family.com/drugs'
#url = 'http://www.access-authorization.com/ebayauth/'
#url = 'http://bullwhack.torrence-store.com/farm/?bridgewater=bwligbreak'
#url = 'http://www.nelema.com/ph/'
#url = 'http://www.teljar.com/u.php'
#url = 'http://www.pexetr.com/pt/'
#url = 'http://mnm.datesulook4.com/extra/angelsweet3/getmeoff.php'
#url = 'http://ucvihi.datesulook4.com/extra/angelsweet3/getmeoff.php'
#url = 'http://oimt.datesulook4.com/extra/angelsweet3/getmeoff.php'
#url = 'http://qgqsb.datecravings.com/extra/angelsweet3'
url = 'http://ns.cucumberdns.net'
url = 'http://ubseiz.flower-bed.biz'
url = 'http://ns1.cucumberdns.com'
url = 'http://asdf.vronaholiday.com'
url = 'http://www.DATES4FUNZ.COM'
url = 'http://ns1.postik.net'
url = 'http://ns1.vronaholiday.com'
url = 'http://nbzrw.vronaholiday.net/extra/brokenlove3/'
url = 'http://bpx.vallneedbreaks.com/ja1'
url = 'http://ns1.vewwopy.com'
url = 'http://ns1.toperyip.com/ja1'
if len(sys.argv) &gt;= 2:   # use 1st parameter if one passed,
      url = sys.argv[1]  # instead of hard coded url

dstart = url.find('//') + 2
dend = url.find('/', dstart)
if dend == -1:
      dend = len(url)
domain = url[dstart:dend]
print url
domain, alias, addresses = socket.gethostbyname_ex(domain)
print domain, alias
command = 'GET'
for address in addresses:
      print "%-16s" % address ,
      try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((address,80))
            s.send(command + ' ' + url + '\n')
            result = ''
            while True:
                  data = s.recv(8196)
                  if not data:
                        break
                  result = result + data
            s.close()
            print '%-45s' % socket.gethostbyaddr(address)[0] ,
            print 'returned %d bytes' % len(result)
      except:
            print 'Failed'
print 'Last result\n:'
print result

Moderator edit: change {code} to {codebox} to save screen space


I found this spam a little interesting.

http://www.spamcop.net/sc?id=z822460225za1...98736812e39ac2z

The domain afunfakes<dot>com does not appear to be hosted by the botnet, but the spam bears a striking resemblance to the recent deluge of botnet-referenced spams.

The random(ized) machine name is the first clue. The second clue is the fact that it's advertising a live smut cam.

The whois info appears slightly different, though bogus nonetheless.


Make sure to send a whois data complaint (see This Thread for complaint info)... and consider a Registrar Problem Report against Namecheap.com, as they've let spammers bulk register tons of sites with identically formatted bad whois data. No oversight should equal ICANN revocation.


A new domain popped up on the spam-dar today.

ineedu2nite<dot>com

Same spiel... botnet enabled. The domains I've reported to enom (valneedbreaks, vronaholiday, qazwinner) are still operational, AFAICT, so I reported enom to ICANN.

I figure it is not worth while expecting any action. :(

afunfakes<dot>com

That domain is now listed by RFC-Ignorant.org, it no longer has working DNS per the gtld-servers, and I have independently verified that Yahoo! has cancelled its registration address rosie_beer@yahoo.com, as hinted at by the following:

Hello,

Thank you for contacting Yahoo! Customer Care.

In this particular case, we have taken appropriate action against the Yahoo! account in question, as per our Terms of Service (TOS). For further details about the Yahoo! TOS, you can visit:

   http://docs.yahoo.com/info/terms/

Please know that Yahoo! is unable to disclose the action taken on another user's account with a third party. We are not able to make exceptions to this rule.

Thank you again for contacting Yahoo! Customer Care.

Regards,

Alexander
Yahoo! Customer Care
http://www.yahoo.com/


An update on this "vronaholiday.com" jackass.

After using the above domain name and "vallneedsbreaks.com", this jerk switched to "gazwinner.net", then came out from behind his virus/trojan infected host for a few days as "foolfingers.com" then "afunfakes.com" followed by "floppyfive.com".

This spammer is now once again behind a virus/trojan infected host, spewing out random IPs, first as "stinkyfleet.com" and currently as "ineedu2nite.com".

As well as the red graphics spams, once in a while I receive an out-and-out porno message, to procure prostitutes for me... all from this same source.


This method of setting up a round-robin of hijacked sites in the Address record of the Domain Name zone file is becoming common in the spammer community. I found this posting in another forum, related to Pharma Shop. The round-robin set of five addresses were being updated every five minutes. At the time, spamvertized URLs were redirected to leaderprince.info, which was running Pharma Shop.

Looking up at the 5 leaderprince.info. parent servers:

Server  Response  Time
ns5.reyualo.org [74.129.126.225]  62.57.15.204 / 72.184.15.221 / 74.129.126.225 / 80.57.79.194 / 82.251.201.9
ns4.reyualo.org [190.6.193.26]
ns2.reyualo.org [62.57.15.204]
ns1.reyualo.org [82.251.201.9]
ns3.reyualo.org [69.45.111.3]  Timeout

A few minutes later . .
ns5.reyualo.org [74.129.126.225]  128.153.201.22 / 74.129.126.225 / 80.57.79.194 / 82.251.201.9 / 88.11.1.172
ns2.reyualo.org [62.57.15.204]
ns1.reyualo.org [82.251.201.9]
ns3.reyualo.org [69.45.111.3]  Timeout
ns4.reyualo.org [190.6.193.26]  Timeout

A few minutes more . . .
24.90.77.28 / 62.57.15.204 / 82.251.201.9 / 85.222.9.181 / 87.74.232.166

Then five minutes later . . .
62.0.134.19 / 72.184.15.221 / 81.170.134.248 / 82.251.201.9 / 88.11.1.172

Next . . .
62.57.15.204 / 72.184.15.221 / 74.129.126.225 / 81.170.134.248 / 82.251.201.9

Later . .
70.224.167.114 / 81.170.134.248 / 82.248.19.176 / 85.222.9.181 / 88.11.1.172

And . .
65.190.89.108 / 80.57.79.194 / 81.170.134.248 / 82.255.83.168 / 88.11.1.172

It is a bit like a "botnet" of hijacked machines, each running a trojan proxy web server. The difference is that the "herding" is being performed at the name server address level. I suspect an automated update mechanism is in play, updating the NS record with new quintets of round-robin addresses to keep the sites continually on the move.

Such a rapid site shifting method seems designed to counter SpamCop's spamvertized site IP reporting.

Edited by TerryNZ
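The pattern described in this thread (a five-address round robin that is largely replaced between lookups, name servers that resolve to the same residential hosts as the web name, and reverse DNS names that look like cable/DSL pools) can be scored rather than eyeballed. The Python 3 script below is an added example and is not code from this thread or from any of its posters. Its input is constructed from values posted above: the five SamSpade lookups of nbzrw.vronaholiday.net, the A records of ns2.cucumberdns.com from the dig output, and the reverse names quoted for a few of the addresses. The residential-label patterns, the churn threshold and every function name are my own assumptions, not anything the posters used; it generalises the two observations (the vronaholiday round robin and the leaderprince.info quintets) into the same three indicators.

```python
"""
Fast-flux indicators from repeated A-record snapshots (added example).
All sample data below is constructed from values quoted in this thread.
"""
import re

# Constructed input: the five lookups of nbzrw.vronaholiday.net posted above,
# as (timestamp, addresses returned).
SNAPSHOTS = [
    ("10/21/05 23:57:24", ["68.54.0.145", "24.14.237.143", "68.34.215.98",
                           "193.108.54.147", "24.14.251.172"]),
    ("10/22/05 00:13:30", ["67.167.36.157", "24.10.176.110", "12.219.128.159",
                           "68.63.20.36", "68.54.0.145"]),
    ("10/22/05 00:36:26", ["70.60.12.174", "24.94.241.185", "24.14.251.172",
                           "12.214.239.206", "24.10.176.110"]),
    ("10/22/05 00:51:33", ["68.51.32.6", "12.219.128.159", "68.203.191.157",
                           "68.63.20.36", "67.167.36.157"]),
    ("10/22/05 02:22:14", ["68.61.247.99", "67.167.36.157", "24.10.176.110",
                           "24.14.237.143", "68.63.20.36"]),
]

# Constructed input: A records of ns2.cucumberdns.com from the dig output above
# (one of the name servers the zone advertises).
NS_ADDRESSES = ["68.203.191.157", "68.204.134.128", "71.8.197.224",
                "71.12.20.244", "12.217.64.216", "24.14.51.159", "24.90.55.13",
                "24.94.241.185", "24.170.141.175", "66.56.36.62", "68.54.0.145",
                "68.63.20.36", "68.127.26.151"]

# Constructed input: reverse-DNS names quoted in this thread. Addresses absent
# from this map are treated as having no reverse name.
RDNS = {
    "68.61.247.99": "pcp01188935pcs.strl401.mi.comcast.net",
    "68.63.20.36": "pcp01567266pcs.hlcrs201.al.comcast.net",
    "12.217.64.216": "12-217-64-216.client.mchsi.com",
    "24.10.176.110": "c-24-10-176-110.hsd1.ut.comcast.net",
    "24.92.42.34": "cpe-24-92-42-34.nycap.res.rr.com",
}

# Labels that commonly mark consumer cable/DSL pools. This list is an assumed
# heuristic, not a standard: treat a hit as a signal, not as proof.
RESIDENTIAL_LABEL = re.compile(
    r"^(cpe|hsd\d*|res|client|dsl|cable|dyn(amic)?|pool|ppp|pcp\d+pcs|cp\d+)$")


def looks_residential(hostname):
    """True if any dot- or dash-separated label looks like a broadband pool name."""
    return any(RESIDENTIAL_LABEL.match(label)
               for label in re.split(r"[.-]", hostname.lower()))


def unique_addresses(snapshots):
    """All distinct addresses the name resolved to across the snapshots."""
    return {addr for _, addrs in snapshots for addr in addrs}


def churn_per_transition(snapshots):
    """Fraction of the answer set replaced between consecutive snapshots."""
    rates = []
    for (_, prev), (_, cur) in zip(snapshots, snapshots[1:]):
        kept = len(set(prev) & set(cur))
        rates.append(1.0 - kept / len(cur))
    return rates


def double_flux_overlap(snapshots, ns_addresses):
    """Addresses serving both the web name and the zone's name server: the
    'double flux' pattern where the NS hosts are bots as well."""
    return unique_addresses(snapshots) & set(ns_addresses)


def residential_addresses(addresses, rdns):
    """Subset of addresses whose reverse name looks like a consumer pool."""
    return {a for a in addresses if a in rdns and looks_residential(rdns[a])}


def flux_report(snapshots, ns_addresses, rdns, churn_threshold=0.5):
    """Summarise the three indicators; churn_threshold is an assumed cut-off."""
    uniq = unique_addresses(snapshots)
    rates = churn_per_transition(snapshots)
    mean_churn = sum(rates) / len(rates) if rates else 0.0
    report = {
        "answer_size": len(snapshots[-1][1]),
        "unique_addresses": len(uniq),
        "mean_churn": mean_churn,
        "double_flux": sorted(double_flux_overlap(snapshots, ns_addresses)),
        "residential": sorted(residential_addresses(uniq, rdns)),
    }
    # Verdict: far more addresses seen than one answer holds, most of each
    # answer replaced between lookups, and NS hosts overlapping the web hosts.
    report["fast_flux"] = (len(uniq) >= 2 * report["answer_size"]
                           and mean_churn >= churn_threshold
                           and bool(report["double_flux"]))
    return report


if __name__ == "__main__":
    for key, value in flux_report(SNAPSHOTS, NS_ADDRESSES, RDNS).items():
        print("%-18s %s" % (key, value))
```

On the thread's own data this reports 15 distinct addresses behind a 5-address answer, a mean churn of 0.8 per lookup, four addresses shared between the web name and ns2.cucumberdns.com, and three addresses with broadband-style reverse names, which is the evidence a complaint to the registrar or to the hosts' ISPs should lead with. In live use you would replace the constructed snapshots with periodic resolver queries (the same loop SamSpade was run in above) and feed the result to the same functions.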

