What new Russian botnet is this?


Geek

Hi folks,

Just curious as to what the new Russian botnet is called.

Up until a month or so ago, every spam I got was a virus. My email spam has dropped off (and I'm the guy with no filters) to about 3 or 4 per day for a few days now. It's practically stopped.

But at the same time it was dropping, the comment spammers at forums have gone through the roof and the bots are more highly adaptable than I have ever seen (they use an IP once and usually not again. They grab them from constantly updated proxy lists. They can read 7 alphanumeric captchas with high noise and have even cracked a neighbor forum's Re-captcha, email and usernames rarely repeated).

I've put more IP's in the forum's blocklist in the last two weeks than in the last five years!

(adding about 1,000 per week [2,000 so far])

All the spamvertized URL's are .ru or .ua sites, that's why I assume it's Russian.

So is this a new botnet, or did an existing one become sentient? <_<:P

Cheers!


So is this a new botnet, or did an existing one become sentient? <_<:P

Probably related to a big spam bust (this often shows up a big drop in spamming/hacking)

http://forum.spamcop.net/forums/index.php?...ic=9834&hl=

Many non-English speaking countries do not have proper security settings that are found in English speaking ones, because of language difficulties

Even English speaking ones are often not correct, SpamCop's main strength is to try and alert of security breaches. If they have not set-up a correct/contactable abuse address (or don't care) they are threatening the world


No one knows what is this botnet called? I know it's not the Szribi...
Nah, sorry. Internet security interests are always looking for alarming stories to publish/get published so it's a bit hard to know just what is going on with botnets, and it is difficult to monitor the actual entities anyway.

Some recent stories - http://www.gcn.com/Articles/2009/04/22/RSA-botnet.aspx (Apr 2009)

http://news.cnet.com/8301-1009_3-10233531-83.html (May 2009)

http://blog.searchenginewatch.com/090918-165548 (Sep 2009)

http://blogs.zdnet.com/security/?p=4507 (Sep 2009)

http://www.symantec.com/connect/forums/new...ntec-dectect-it (Sep 2009)

I don't think any of those have the profile you're talking about, hard (for me) to tell.

SenderBase - http://www.senderbase.org/ - has a monthly list of "Current Threat Outbreaks" but I'm thinking that's more related to e-mail propagation.

But such upsurges in comment spamming with concurrent drops in mail spamming are not new. See:

http://comox.textdrive.com/pipermail/wp-ha...ril/019239.html (& following posts there). (Apr 2008)

Maybe your one is 'smarter'/more adaptable than the above but that is part of the trend. I loved this post in the above thread

I was getting so much Trackback spam today that it DOS'd my server. Even putting a "die()" in the top of wp-trackback.php didn't bring the load down. But hey, as they say, don't get mad, get even!

RewriteRule ^(.*?)/trackback/?$ http://127.0.0.1/ [L,R=302] //

translation: go #$%& yourself

Ha! And almost immediately load went down from 60 to 0.5. Gotta love trackback bots that'll follow a redirect back in their face.


Hahahaha! That looks like fun! :D

Thanks Farelf :)

Using stopforumspam.com lookup list has REALLY reduced things... it just took a while for the "honeypots" to build an IP database.

Right now there's 448,968 IP's on my ban list :o

Cheers!


Using stopforumspam.com lookup list has REALLY reduced things... it just took a while for the "honeypots" to build an IP database.

Right now there's 448,968 IP's on my ban list :o

It's been about a year since I've had access to the IPB support Forums, but as I recollect, it didn't take but a few thousand entries into the Forum block-list to start causing impact on the operation/speed of the Forum itself. It's a bit hard for me to imagine having that huge of a list being actually usable.


It's been about a year since I've had access to the IPB support Forums, but as I recollect, it didn't take but a few thousand entries into the Forum block-list to start causing impact on the operation/speed of the Forum itself. It's a bit hard for me to imagine having that huge of a list being actually usable.

This one's a phpBB that isn't mine (I'm an admin though) and it uses the database really efficiently... it's just susceptible to these types of registrations. Speed doesn't seem affected, mind you we have only a real small family of regular posters.

The owner didn't want to upgrade, as all his custom stuff would be lost, so he just made pre-approving by admins a requirement for new registrations. So normally I wake up, see on my inbox who registered during the night and go from there.

When I made this post, registrations were in the hundreds. Now they're below 20 :D

But interesting I've noticed comparing the different lists and IP's... it seems the forum attackers and email spammers are on two different nets. Not always, but a lot of times...

Cheers!
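
Whether a ban list of several hundred thousand addresses slows a forum down, as discussed in the posts above, depends mostly on how the list is searched. The following is an added example, not code from phpBB, IPB, stopforumspam.com or any poster in this thread: it collapses ban entries into sorted ranges and checks a visitor with a binary search, so lookup cost grows with the logarithm of the list size. The function names and the sample entries (documentation address ranges) are constructed for illustration.

```python
import bisect
import ipaddress

# Constructed sample ban entries: single IPs, a CIDR range, and junk lines.
SAMPLE_ENTRIES = [
    "203.0.113.7",
    "203.0.113.6",        # adjacent to the entry above, merges into a /31
    "198.51.100.0/24",
    "198.51.100.17",      # already covered by the /24, adds nothing
    "not-an-ip",          # malformed, skipped
    "# honeypot batch",   # comment line, skipped
    "192.0.2.200",
]


def build_blocklist(entries):
    """Return (starts, ends): sorted, non-overlapping IPv4 ranges as integers."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip malformed lines instead of failing the whole load
        if net.version == 4:
            nets.append(net)
    # collapse_addresses merges duplicates, adjacent and nested ranges
    merged = sorted(ipaddress.collapse_addresses(nets))
    starts = [int(n.network_address) for n in merged]
    ends = [int(n.broadcast_address) for n in merged]
    return starts, ends


def is_blocked(blocklist, ip):
    """Binary search: find the last range starting at or before ip."""
    starts, ends = blocklist
    try:
        value = int(ipaddress.IPv4Address(ip))
    except ValueError:
        return False  # unparseable input is treated as not listed
    i = bisect.bisect_right(starts, value) - 1
    return i >= 0 and value <= ends[i]


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_ENTRIES)
    for ip in ("203.0.113.6", "203.0.113.8", "198.51.100.255"):
        print(ip, is_blocked(bl, ip))
```
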
