TerryNZ

BotNet scenario


norwaygroupconsulting.cn DEAD (4 days)

consultinggroupnorway.cn DEAD (5 days)

It took 5 days. I entered a trouble ticket for each at www.joker.com and provided evidence. I sent a follow-up quoting the original ticket numbers.

Well done. The only trouble is, Terry, that both those domains, (& also the other 10 I reported & listed earlier in the thread), have all sequentially gone on 'Invalid Address' which I assume means false whois data which means that they have been through the ICANN 15 day procedure, something which Joker have always said they stick to. Mind, everyone who reports them to Joker undoubtedly helps to focus their priorities and you certainly do make a superbly convincing & excellently researched case which means your reports are more likely to be listened to. I don't wish to take any credit away from you - if everybody reported these crooks in the way you do I'm sure the rogue registrars would be 'encouraged' to clean up their acts. Mind, even 4 or 5 days is a totally unacceptable response from a registrar with such unassailable evidential reports as yours of criminal fraud.

I suspect we are getting close to a new incarnation for these crooks....I wonder what it will be next? Swedish consulting Co? Finnish consulting Co? Finninvest Co etc etc? I expect they will hold a brainstorming session on the new name..... :) All answers on a £5 note..... :)
Well, I wasn't far off there - in my first batch of spam today is this one:

http://israeliservicesbrokerage.cn/index.php?sect_id=6

Same criminals, same MO and guess who the registrar is? Joker.com of course..... :angry: I thought they might stick with Europe, but they've gone with the Middle East this time. This is a fresh incarnation, Terry (with me, anyhow and I seem to be their favourite mug) & would be a better indicator of Joker's response time. If you feel like having a go at this one please feel free - I'm sure your reports are better than mine. It would be nice to really attack this one. As usual I shall also submit my usual reports to Joker, but the more, (& better!), the merrier!

They are also using a new nameserver, (gwjirr.com), & guess who that is also registered with.... I assume from that that they have given up on teams-cs.com so I guess that is history - I'll give you that one, Terry - Enom always resisted that one for me.... :)

[Edit] Right - that's reports submitted via email & webform to Joker & also to the nameserver hosts. Not to my usual evidential standard as I am due to cook an old lady's lunch 25 miles away & tempus fugit... Assuming I was the first to report the two domains involved, (& that may well not be the case), I wouldn't expect action from Joker for a couple of weeks, so any other reports to speed things up would be a great help... :) With any decent registrar it would be suspended & out of the zone in 24 hours, i.e. tomorrow - some hopes....

Edited by bobbear


Well done Terry.

On a slightly different tack, it strikes me shmengie would be interested in the topic (but hasn't been around since it started). Note some of the work reported in the topic http://forum.spamcop.net/forums/index.php?...ost&p=34509 - even a bit of Python script to help verify botnets (not that there's much else, just a year later) - http://forum.spamcop.net/forums/index.php?...ost&p=34810.


Today my computer went down and into the repair shop for a quote. My backup computer is not working on DSL. Furthermore, I don't usually spend time taking out one site.

I am currently trying to get >2,500 sites taken down in one effort, and >1,000 in another, and that has priority over this new consulting scam. I have only so much time, so I have to spend it where there is maximum leverage.


Right - that's reports submitted via email & webform to Joker & also to the nameserver hosts. Not to my usual evidential standard as I am due to cook an old lady's lunch 25 miles away & tempus fugit... Assuming I was the first to report the two domains involved, (& that may well not be the case), I wouldn't expect action from Joker for a couple of weeks, so any other reports to speed things up would be a great help... :) With any decent registrar it would be suspended & out of the zone in 24 hours, i.e. tomorrow - some hopes....

Response from Joker so far - Nil

Response within 30 minutes from nameserver hosts:-

"Hi Bob,

Thanks for bringing this to our attention. The customer's server has now been blocked.

Regards

Nick Ryce

Network Administrator

Real Time Management LLP"

Thank you Nick. It just shows what could be achieved if all links in the chain were to pull in the same direction. The site is unresolvable as I write this, but not for long, I fear - two more domains registered by Israeli Brokerage Services Ltd, (israeliservicesbrokerageltd.cn & israeliltdbrokerageservices.cn), & no doubt somewhat more bombproof nameserver host(s) are being set up.....

Anyway, I have no wish to bore everyone to death, so I think that's the end of this topic for me! Good hunting Terry and all....


Subsequent to 3 emails to a registrar requesting removal of a chain of nameservers, the following 1,980 web sites are not responding today.

100watches.net aanddckhinese.com abcdemsignstudy.com abcdonetwonow.com abcnutrihtionn.com abcoffdiett.com abcofhghtwo.com abcoftruth.com abcwatcdhcompanyy.com ableklittlethreez.com abouteitdiett.com abrakahdoobra.info . .

<snip for brevity>

. . yeswatches.net yetihealthhyone.com yettocomeeok.com youkknowingmeok.com youonknewdiett.com zeroheaklththingz.com zoekyhasafever.com zoeykhasacold.com

These sites accounted for huge amounts of spam for the following

Exquisite Replica

Hoodia Life

HGH Life

The sites were the handiwork of the most wanted spammer on the Rokso Top 10 - Alex Polyakov.

Edited by TerryNZ


No action on my part, but

http://www.dnsstuff.com/tools/traversal.ch?domain=israeliservicesbrokerage.cn&type=A

http://www.dnsstuff.com/tools/traversal.ch?domain=israeliltdbrokerageservices.cn&type=A

ns1.gwjirr.com [195.170.173.8] Timeout

ns2.gwjirr.com [66.78.51.10] Timeout

Both sites are currently down. You don't know your own power sometimes. :-)

Well done on the multiple nameserver front.... :) V. Satisfying when it all comes off, especially on that sort of scale!... :)

ns1.gwjirr.com [195.170.173.8] Timeout = Real Time Management (Nick Ryce - v. helpful - actioned my report in less than 30 mins...)

ns2.gwjirr.com [66.78.51.10] Timeout = bogus

Still no action from Joker on either gwjirr.com or israeliservicesbrokerage.cn etc although they received exactly the same evidential report, (showing DNS traversal/botnet setup & other evidential data), as did the nameserver hosts, Real Time Management, (I copy reports to all concerned). Joker MAY have initiated the 15 day ICANN procedure on my report as part of it alleged false whois data, but i) They never respond to tell you, and ii) That sort of response time is simply not satisfactory anyway.

I find the site/nameserver hosts are usually more responsive than some registrars, but the spammers are usually back up on another host only too quickly....... :( I'm surprised that israeliservicesbrokerage.cn is not back up again already - they usually pop up on another host in 24 hours or less, but all harassment is better than none at all... :)

I only mention israeliservicesbrokerage.cn as a typical example - I tend to go after all obvious criminal fraud spams, (money laundering, phishing, 419 etc), that I receive & leave the pills/porn/watches/stocks etc sites to others with better eyes & more time..... :) Keep up the good work!

Edited by bobbear


Well done on the multiple nameserver front.... :) V. Satisfying when it all comes off, especially on that sort of scale!... :)

Thanks, I must admit to feeling somewhat vindicated in my suggestions that SpamCop adopt the nameserver - Registrar reporting strategy. It's great when it works on such a scale. I have a spreadsheet containing 2,010 site names that were all working last week, spamming HGH Life, Exquisite Replicas, Hoodia Life. I can't test them all, but random sampling of 20 sites shows them all down.

Joker MAY have initiated the 15 day ICANN procedure on my report as part of it alleged false whois data, but i) They never respond to tell you, and ii) That sort of response time is simply not satisfactory anyway.

Yes, I know from this side of the fence how frustrating it is to get no feedback. But in the past I have spent time on the other side of the fence. Working for two of the world's largest Internet companies, I have had some experience with large scale helpdesk operations, and have had to make decisions in this very area. There are two very good reasons for the "no response" approach to high volume complaints.

1. Opening a dialog adds an order of magnitude to an already massive workload. Better to fix the problem and spend your time fixing the next one than performing feedback. A robotic acknowledgement response saying "we have taken your request and we are handling it" is the best tactic, and uses your resources to maximum efficiency.

2. Legal reasons related to liability. I will not explain any further.

Thanks, I must admit to feeling somewhat vindicated in my suggestions that SpamCop adopt the nameserver - Registrar reporting strategy. It's great when it works on such a scale. ...
Indeed, my jaw bone is possibly permanently welded to the carpet. Magnificent work.


The Registrar / Nameserver compliance request method

I received a spam with subject VbAGRA. The URL redirected to royaledward.info - yet another attempted reincarnation of Pharma Shop. I thought it might be a good idea to show how to go about shutting down the operation. Up front is the request. Then the definitive evidence.

REQUEST

-------

This is a compliance request to remove access to the illegal Pharma Shop site.

ACTION: eNom Inc: to lock out and remove access to royaledward.info

ACTION: Intercosmos: to lock out and set to 0.0.0.0 the Address records in zone file ahamew.info

EVIDENCE

--------

Pharma Shop http://royaledward.info

Nameserver and Address discovery

http://www.dnsstuff.com/tools/traversal.ch...info&type=A

< ../tools/traversal.ch?domain=royaledward.info&type=A >

ns1.ahamew.info [201.150.75.155] Timeout

ns2.ahamew.info [200.30.252.182] Timeout

ns3.ahamew.info [64.252.215.93] Timeout

ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

Five minutes later

ns1.ahamew.info [201.150.75.155] Timeout

ns2.ahamew.info [200.30.252.182] Timeout

ns3.ahamew.info [64.252.215.93] Timeout

ns4.ahamew.info [200.159.197.142] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21

ns5.ahamew.info [81.32.119.26] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21

Five minutes later

ns1.ahamew.info [62.46.105.117] Timeout

ns2.ahamew.info [200.30.252.182] Timeout

ns3.ahamew.info [84.26.154.21] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153

ns4.ahamew.info [200.159.197.142] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153

ns5.ahamew.info [76.208.249.153] [Error: Port Unreachable]

Interpretation

--------------

A webserver botnet of illegally compromised machines running a proxy webserver. Addresses on a round-robin are updated every 5 minutes to escape security alerts sent to the owners of the compromised machines.

Nameservers (located in Spain, Brazil, Mexico, Chile, CT USA, Austria, Netherlands etc) are also illegally compromised machines running a trojan proxy nameserver program.

Nameserver registrar discovery

------------------------------

http://www.dnsstuff.com/tools/whois.ch?ip=ahamew.info

Sponsoring Registrar:Intercosmos Media Group, Inc.

Website registrar discovery

---------------------------

http://www.dnsstuff.com/tools/whois.ch?ip=royaledward.info

Sponsoring Registrar:eNom, Inc.

See the McAfee Site Advisor page available to all browsers with the Site Advisor plug-in

http://www.siteadvisor.com/sites/royaledward.info

Please act promptly to terminate your sponsorship for this criminal activity.

Edited by TerryNZ
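
The rotation in the three traversal runs above can be measured rather than eyeballed. This added example (not part of the original post) parses those runs and reports how many addresses and networks appear, how many are new in each run, which nameserver addresses moved, and which hosts act as both nameserver and web proxy. The `min_ips` and `min_nets` thresholds and the /16 grouping are illustrative assumptions.

```python
import re
# Traversal output copied from the post above: three runs, five minutes apart.
TRAVERSAL = """
ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153
ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

ns1.ahamew.info [201.150.75.155] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [64.252.215.93] Timeout
ns4.ahamew.info [200.159.197.142] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21
ns5.ahamew.info [81.32.119.26] 200.30.252.182 200.60.216.160 217.162.110.20 24.67.108.19 84.26.154.21

ns1.ahamew.info [62.46.105.117] Timeout
ns2.ahamew.info [200.30.252.182] Timeout
ns3.ahamew.info [84.26.154.21] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns4.ahamew.info [200.159.197.142] 159.134.163.143 200.159.210.151 200.30.252.182 200.60.216.160 76.208.249.153
ns5.ahamew.info [76.208.249.153] [Error: Port Unreachable]
"""

LINE = re.compile(r"^(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*(.*)$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_run(text):
    """One run -> {nameserver: (glue_ip, A answers)}; Timeout/Error -> empty set."""
    run = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, glue, rest = m.groups()
            run[name] = (glue, set(IPV4.findall(rest)))
    return run

def flux_report(text, min_ips=8, min_nets=4):
    """Summarise churn across runs; the thresholds are illustrative assumptions."""
    runs = [parse_run(block) for block in text.strip().split("\n\n")]
    a_sets = [set().union(*(ans for _, ans in r.values())) for r in runs]
    all_a = set().union(*a_sets)
    ns_ips = {glue for r in runs for glue, _ in r.values()}
    moved = sorted(n for n in set().union(*runs)
                   if len({r[n][0] for r in runs if n in r}) > 1)
    nets = {ip.rsplit(".", 2)[0] for ip in all_a}  # crude /16 grouping
    new_per_run = [len(b - a) for a, b in zip(a_sets, a_sets[1:])]
    single = len(all_a) >= min_ips and len(nets) >= min_nets and any(new_per_run)
    return {
        "unique_a": len(all_a),             # distinct web-proxy addresses seen
        "new_per_run": new_per_run,         # addresses absent from the previous run
        "stable_a": sorted(set.intersection(*a_sets)),
        "slash16s": len(nets),
        "unique_ns_ips": len(ns_ips),
        "ns_moved": moved,                  # nameserver names whose address changed
        "dual_role": sorted(ns_ips & all_a),  # hosts seen as both NS and web proxy
        "single_flux": single,
        "double_flux": single and bool(moved),
    }

if __name__ == "__main__":
    print(flux_report(TRAVERSAL))
```

On the posted data this reports 10 distinct A-record addresses across 8 /16 networks in fifteen minutes, with only 200.30.252.182 present in all three runs.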


Thanks Terry, a useful template (even I understand it).

The Registrar / Nameserver compliance request method

I received a spam with subject VbAGRA. The URL redirected to royaledward.info - yet another attempted reincarnation of Pharma Shop. I thought it might be a good idea to show how to go about shutting down the operation. Up front is the request. Then the definitive evidence.

(Link to subject post added)

Let's not forget that any recent effort to go after web advertising more aggressively (i.e. Blue Frog like) have met with severe retaliation from spammers who were successful shutting them down.

All the more reason to deploy an "FFB" than one single entity.

No matter how good the criminals are, they couldn't go after

hundreds of thousands of individual users for retaliation --

even if they could find out who they are.

:-)

See: http://www.paulgraham.com/ffb.html


OK, let's recap:

SC still does its job, providing an automated mechanism for assisting people in notifying ISPs about spamming activity, and maintaining the SCRBL.

We've seen some evidence here and a pretty straightforward process (template) for communicating spamvertised site abuse to responsible parties, with success ranging from marginal to exceptional.

Now, what? TerryNZ has hinted at direct past contact with some of the Powers that Be here with SC, and they've indicated a lack of resources to take this same approach in an automated fashion with the SC submissions. (more later)

My thoughts:

1) start a new thread in the New Feature Request board. Link to this discussion (possibly to individual posts since this is getting long) showing the 'template' and results. Recommend SC find a way to implement some form of this Template. TerryNZ mentioned that it doesn't make sense to send a million of these to the registrars. So, maybe limit based on reported volume (1 report per day for each... ?domain? ?server? per #Threshold# reports). I.e., something with similar methods but "reasonable" resources.

2) Based on the statement above, would it make sense to implement similar limiting to the standard SC ISP reports? (one per IP per unique spam per... ?day? ?listing renewal? ?#threshold number of reports#) Maybe another New Feature Request. Those with better knowledge of the current reporting mechanism could shoot this down. End goal: ease up SC mailserver resources. (rather than send the ISP a link to individual reports, send them a link to a single page listing the reports for that IP, which gets updated as they come in.)

3) I just started playing around with the PhishTank. For those who aren't aware, it's a "new wacky cool Web 2.0" open (free) Phishing site database which is user driven. (submit a site with spam background, users vote it up or down onto a confirmed list, list available for free to those who could use it, with an open API) Currently I think it just feeds OpenDNS, but it's something. Anyway, the point is, would something like this approach be useful for facilitating item #1 above. Some user supported, system facilitated mechanism to notify the appropriate bodies in a controlled fashion. Just a thought.

Edited by Jank1887

1) start a new thread in the New Feature Request board.

An ignored suggestion way back in Linear Post #15 ...

The Registrar / Nameserver compliance request method

REQUEST

-------

This is a compliance request to remove access to the illegal Pharma Shop site.

ACTION: eNom Inc: to lock out and remove access to royaledward.info

ACTION: Intercosmos: to lock out and set to 0.0.0.0 the Address records in zone file ahamew.info

EVIDENCE

--------

Pharma Shop http://royaledward.info

Link now results in "Server not found"

DEAD

Nameserver and Address discovery

http://www.dnsstuff.com/tools/traversal.ch...info&type=A

< ../tools/traversal.ch?domain=royaledward.info&type=A >

ns1.ahamew.info [201.150.75.155] Timeout

ns2.ahamew.info [200.30.252.182] Timeout

ns3.ahamew.info [64.252.215.93] Timeout

ns4.ahamew.info [200.159.197.142] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

ns5.ahamew.info [81.32.119.26] 159.134.167.155 200.159.197.142 200.30.252.182 217.162.110.20 76.208.249.153

Link now results in

[Reports no A record (NXDOMAIN)]

Nameserver registrar discovery

------------------------------

http://www.dnsstuff.com/tools/whois.ch?ip=ahamew.info

Sponsoring Registrar:Intercosmos Media Group, Inc.

He can't take it anywhere else

Status:TRANSFER PROHIBITED

Website registrar discovery

---------------------------

http://www.dnsstuff.com/tools/whois.ch?ip=royaledward.info

Sponsoring Registrar:eNom, Inc.

He can't transfer it from eNom either

Status:TRANSFER PROHIBITED

Removal complete in 48 hours


Brilliant! The best and most instructive read I have had in ages.

I have been subjected to hundreds of automatic non-delivery notices for a couple of days now, and your article, along with others in this forum, has cheered me up 100% and forced me to contribute. - Though as I am at the start of an exponential learning curve all I can offer is a big thank you!

:wub::excl: I hope that this is not too frivolous as a first post.

I hope that this is not too frivolous as a first post.

That you made it here, took the time to read it all, offer up thanks to those that took the time to post it all .... hardly frivolous .... a big Thank You! is offered. Your efforts and actions are much appreciated.


Dredging up an old post...

TerryNZ: Have you had any luck with nameservers handled by Beijing Innovative? I have been reporting the same replica site to these guys for weeks, always the same nameservers ns0.lestem.com and ns1.lestem.com, and they just won't die. I'm wondering if either Beijing Innovative is black hat, or just empty hat.

