Wired mag article on spammers playing traceroute games with trojaned boxes
http://www.wired.com/news/business/0,1367,60747,00.html
-- srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
http://www.wired.com/news/business/0,1367,60747,00.html
I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.
The domain name is vano-soft.biz, and looking up the address, I get
Name: vano-soft.biz
Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97 12.229.122.9
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz
Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
--Chris
At 11:51 AM 10/9/2003, Chris Boyd wrote:
On Thursday, October 9, 2003, at 10:04 AM, Suresh Ramasubramanian wrote:
http://www.wired.com/news/business/0,1367,60747,00.html
I found one of these today, as a matter of fact. The spam was advertising an anti-spam package, of course.
The domain name is vano-soft.biz, and looking up the address, I get
Name: vano-soft.biz Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97 12.229.122.9
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers...
Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information listed on their whois server is invalid. They might have a credit card transaction although that too could always be a stolen credit card number.
Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options: printcmd
. 80336 IN NS l.root-servers.net.
. 80336 IN NS m.root-servers.net.
. 80336 IN NS i.root-servers.net.
. 80336 IN NS e.root-servers.net.
. 80336 IN NS d.root-servers.net.
. 80336 IN NS a.root-servers.net.
. 80336 IN NS h.root-servers.net.
. 80336 IN NS c.root-servers.net.
. 80336 IN NS g.root-servers.net.
. 80336 IN NS f.root-servers.net.
. 80336 IN NS b.root-servers.net.
. 80336 IN NS j.root-servers.net.
. 80336 IN NS k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms
biz. 172800 IN NS A.GTLD.biz.
biz. 172800 IN NS B.GTLD.biz.
biz. 172800 IN NS C.GTLD.biz.
biz. 172800 IN NS D.GTLD.biz.
biz. 172800 IN NS E.GTLD.biz.
biz. 172800 IN NS F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms
vano-soft.biz. 7200 IN NS NS1.UZC12.biz.
vano-soft.biz. 7200 IN NS NS2.UZC12.biz.
vano-soft.biz. 7200 IN NS NS3.UZC12.biz.
vano-soft.biz. 7200 IN NS NS4.UZC12.biz.
vano-soft.biz. 7200 IN NS NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms
vano-soft.biz. 120 IN A 200.80.137.157
vano-soft.biz. 120 IN A 12.229.122.9
vano-soft.biz. 120 IN A 12.252.185.129
vano-soft.biz. 120 IN A 165.166.182.168
vano-soft.biz. 120 IN A 193.92.62.42
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
There are 10 kinds of people in the world. Those who understand binary and those that don't.
Vinny Abello writes on 10/9/2003 9:41 PM:
They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others
They are using a whole lot of stuff that's basically dynamic DNS.
low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if
They seem to have a spammer infestation though.
srs
On Thu, 2003-10-09 at 09:11, Vinny Abello wrote:
They're using extremely low TTLs on most of their records. Typically 2 minutes to accomplish this. The thing is I would imagine at least ONE of those NS servers cannot change within a 2 hour window whereas the others can change every 2 minutes. If you identify the server that only changes every 2 hours and track what it's replaced with every 2 hours, you're likely to find a rotating list of master servers... Another question is why is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 2 hours and submitting those to the GTLD servers. Maybe it's just me, but that's the first time I've seen a registrar set such a low TTL on an NS record. If NeuLevel is any good they would likely have some sort of information to identify the owner of the domain, even if the information listed on their whois server is invalid. They might have a credit card transaction although that too could always be a stolen credit card number.
Any other ideas or different angles/experiences?
Looks like there was a slight misinterpretation of the DNS records. The 2hr TTL is on the NS record from the registrar (NeuStar/*.GTLD.BIZ), which means it would take up to 2 hours to switch DNS servers (probably longer, due to red tape). However, the DNS servers aren't what's being rotated. It's the data that they are giving that's rotating, hence the 2 minute ttl. ALL of the nsX.uzc12.biz servers' record changes will be seen w/in 2 minutes, not just one of them.
Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found.
--Gar
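A small monitor for the behaviour Vinny and Gar describe above, written as an added example (not code from any poster): it parses dig-style answer lines, keeps the registry's NS TTL apart from the A TTL, and measures how much the A record set churns between snapshots. The snapshots are constructed from the records quoted in this thread; the thresholds are assumptions.

```python
import re

# Constructed dig-style answer lines modelled on the records quoted in this
# thread: the registry's NS delegation plus two A-record snapshots a few
# minutes apart. A real monitor would collect these with dig on a schedule.
SNAPSHOTS = [
    "vano-soft.biz. 7200 IN NS ns1.uzc12.biz.\n"
    "vano-soft.biz. 120 IN A 200.80.137.157\n"
    "vano-soft.biz. 120 IN A 12.229.122.9\n"
    "vano-soft.biz. 120 IN A 12.252.185.129\n"
    "vano-soft.biz. 120 IN A 165.166.182.168\n"
    "vano-soft.biz. 120 IN A 193.92.62.42\n",
    "vano-soft.biz. 7200 IN NS ns1.uzc12.biz.\n"
    "vano-soft.biz. 120 IN A 131.220.108.232\n"
    "vano-soft.biz. 120 IN A 165.166.182.168\n"
    "vano-soft.biz. 120 IN A 193.165.6.97\n"
    "vano-soft.biz. 120 IN A 12.229.122.9\n"
    "vano-soft.biz. 120 IN A 12.252.185.129\n",
]

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse_rrs(text):
    """Yield (owner, ttl, rtype, rdata) for each A or NS line of dig output."""
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            yield m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4).lower()

def flux_report(snapshots, ttl_threshold=300, min_networks=3):
    """Compare the A record set across snapshots. The NS TTL (the registry
    delegation) is reported separately: it is the A records that rotate."""
    a_sets, a_ttl, ns_ttl = [], None, None
    for snap in snapshots:
        ips = set()
        for _owner, ttl, rtype, rdata in parse_rrs(snap):
            if rtype == "A":
                ips.add(rdata)
                a_ttl = ttl if a_ttl is None else min(a_ttl, ttl)
            else:
                ns_ttl = ttl if ns_ttl is None else max(ns_ttl, ttl)
        a_sets.append(ips)
    union = set().union(*a_sets)
    # addresses that appeared or vanished between consecutive snapshots
    churn = sum(len(prev ^ cur) for prev, cur in zip(a_sets, a_sets[1:]))
    networks = {".".join(ip.split(".")[:2]) for ip in union}  # crude /16 grouping
    return {"a_ttl": a_ttl, "ns_ttl": ns_ttl, "distinct_ips": len(union),
            "distinct_networks": len(networks), "churn": churn,
            "fast_flux": (a_ttl is not None and a_ttl <= ttl_threshold
                          and len(networks) >= min_networks and churn > 0)}
```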
Michael G writes on 10/9/2003 10:27 PM:
Also, after doing some preliminary digging, it would seem that the GTLD.BIZ servers have very low TTLs on a lot of their domains. In fact, 7200 seems high compared to some other ones I found.
Any correlation with the unusually high proportion of .biz domains that are being registered by spammers?
-- srs
Chris Boyd writes on 10/9/2003 9:21 PM:
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.
There are two ways to go here -
* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com
* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
srs
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
srs
I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-) -Hank
Hank Nussbacher writes on 10/9/2003 10:00 PM:
I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-)
vano-soft has been extensively discussed on other forums (spam-l, nanae etc) for quite some time. But yeah - it's stayed at the "discussion" level so far.
-- srs
And as soon as you call law enforcement what happens? The spammer
--- Hank Nussbacher <hank@att.net.il> wrote:
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
srs
I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-)
-Hank
Oops... Try this again...
And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?
--- Hank Nussbacher <hank@att.net.il> wrote:
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
srs
I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-)
-Hank
Andy Ellifson writes on 10/9/2003 10:58 PM:
Oops... Try this again...
And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?
99% of them are Americans - and mostly from Florida at that. See http://www.spamhaus.org/rokso/
They might subcontract stuff offshore (to India and China, where a lot of legitimate software development / BPO etc work is also going), sure.
-- srs
How many times have you received SPAM selling a product from a U.S. based company? I have received plenty.... follow the money.... Hank has it right.
M (speaking only for myself)
Oops... Try this again...
And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?
--- Hank Nussbacher <hank@att.net.il> wrote:
On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
* "Follow the money" - find out the spammer / the guy who he spams for, from payment information etc. Sic law enforcement on them.
srs
I think we can all safely assume that the people behind this are most probably on NANOG or reading the archives and are now aware of your idea :-)
-Hank
* andy@ellifson.com (Andy Ellifson) [Fri 10 Oct 2003, 01:04 CEST]:
And as soon as you call law enforcement what happens? The spammer is located offshore. Then what?
This hasn't stopped the FTC before. Recently it named a Dutch national in a complaint: http://www.ftc.gov/opa/2003/09/fyi0357.htm
-- Niels.
On Thursday, October 9, 2003, at 12:24 PM, Suresh Ramasubramanian wrote:
Nope - the guy would get more trojaned boxes, no shortage of unpatched windows machines on broadband.
There are two ways to go here -
* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com
This may apply w/r/t something I've been seeing for the last couple of days. I've been seeing e-mails into our server with the following characteristics:
1). Sent to invalid user on our domain
2). Sent from varying origins; usually, groups of three arriving ~ every half hour
3). Origin IP on mostly home broadband networks in US
4). Frequently, purported sender's e-mail address non-US domain although originating from US domain, with the language of the e-mail text matching the purported sender's domain (lots of German spam...guess that's the current flavor).
5). Invalid user send-to addresses arriving in groups in alphabetical order (nice list processing)
It looks like person(s) responsible is using distributed network of trojaned pcs, varying send-to mail servers every 3 messages or so. This way, spam arrives at purported sender's address as undelivered mail bounce with our address in the SMTP envelope, in low enough volume (they hope) not to trigger filtering based on source IP.
I wonder about how long until legitimate mail servers start getting blackholed because of bounce messages?
David Keith
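One way to pick the pattern David describes out of an MTA log, as an added example (not from the original post): it collects unknown-recipient rejects and flags stretches where the recipients walk forward alphabetically while the source address keeps changing. The Postfix-style log lines, addresses and names are constructed; the run thresholds are assumptions.

```python
import re

# Constructed MTA log lines in a Postfix-like shape (not from the original
# post): nine rejects for unknown recipients arriving in alphabetical order
# from three broadband-style sources, bracketed by two ordinary typo rejects.
LOG = """\
Oct  9 10:01:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 550 <support@example.com>: User unknown; from=<bob@example.org>
Oct  9 10:05:10 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <aaron@example.com>: User unknown; from=<hans@example.de>
Oct  9 10:05:11 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <abel@example.com>: User unknown; from=<hans@example.de>
Oct  9 10:05:12 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <adam@example.com>: User unknown; from=<hans@example.de>
Oct  9 10:34:40 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <barb@example.com>: User unknown; from=<ute@example.de>
Oct  9 10:34:41 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <bert@example.com>: User unknown; from=<ute@example.de>
Oct  9 10:34:42 mx postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 <bill@example.com>: User unknown; from=<ute@example.de>
Oct  9 11:03:05 mx postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.88]: 550 <carl@example.com>: User unknown; from=<jan@example.de>
Oct  9 11:03:06 mx postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.88]: 550 <cody@example.com>: User unknown; from=<jan@example.de>
Oct  9 11:03:07 mx postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[203.0.113.88]: 550 <cruz@example.com>: User unknown; from=<jan@example.de>
Oct  9 11:10:00 mx postfix/smtpd[105]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 550 <alice@example.com>: User unknown; from=<bob@example.org>
"""

REJECT = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 <(?P<rcpt>[^>]+)>: User unknown; "
    r"from=<(?P<sender>[^>]*)>"
)

def parse_rejects(log):
    """Return (source_ip, recipient, sender) for each unknown-user reject, in log order."""
    return [(m["ip"], m["rcpt"].lower(), m["sender"].lower())
            for m in (REJECT.search(line) for line in log.splitlines()) if m]

def alphabetical_runs(events, min_len=4, min_sources=2):
    """Find maximal runs of consecutive rejects whose recipients never go
    backwards alphabetically and that come from several source IPs.
    Returns [(start_index, length, distinct_sources, sender_domains)]."""
    runs, start = [], 0
    for i in range(1, len(events) + 1):
        if i == len(events) or events[i][1] < events[i - 1][1]:
            chunk = events[start:i]
            sources = {ip for ip, _, _ in chunk}
            if len(chunk) >= min_len and len(sources) >= min_sources:
                domains = sorted({s.rsplit("@", 1)[-1] for _, _, s in chunk})
                runs.append((start, len(chunk), len(sources), domains))
            start = i
    return runs
```

The sender domains reported with each run are what lets an operator see the purported-sender mismatch David mentions (foreign sender domains, domestic source addresses) without any geolocation lookup.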
There are two ways to go here -
* Nullroute or bogus out in your resolvers the DNS servers for this domain --> two problems here. One is that the spammer doesn't use vano-soft.biz in the smtp envelope, and second, he abuses open redirectors like yahoo's srd.yahoo.com
<<
There is another option: create an email filter and block any email that includes the text ".biz/" in any email. That will do two things: it will stop the spams from being received in the first place and it will cause one heck of a headache for the .biz domain so they clean up their act and deal with their problems.
Geo.
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
-- Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.
;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
A few minutes later, or from a different nameserver, I get
Name: vano-soft.biz Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9 12.252.185.129
This is a real Hydra. If everyone on the list looked up vano-soft.biz and removed the trojaned boxes, would we be able to kill it?
I think in this instance your best approach may be to go after the name servers. Anything else is going to be a game of whack-a-mole. Our spam filtering software actually uses the address of a domain's name server in its scoring system. Sometimes that's the only way we've been able to reliably detect a spammer.
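An added example (not code from Kee's product or from Mike's post) of the scoring idea Kee describes, applied to what Mike found: rate a delegation by where its name servers live, using the glue and PTR records quoted above as constructed Python literals. The hostname patterns, weights and thresholds are assumptions.

```python
import re

# Glue and PTR records quoted in this thread, as constructed Python literals.
NS_GLUE = {
    "ns1.uzc12.biz": ["24.243.218.127", "12.239.143.71", "66.90.158.89", "12.229.122.9"],
    "ns2.uzc12.biz": ["24.107.74.166", "207.6.75.110"],
    "ns3.uzc12.biz": ["24.91.206.103", "12.206.49.107"],
    "ns4.uzc12.biz": ["12.227.146.168"],
    "ns5.uzc12.biz": ["66.21.211.204", "165.166.182.168"],
}
PTR = {
    "24.91.206.103": "h00402b45512d.ne.client2.attbi.com",
    "165.166.182.168": "rhhe16-168.2wcm.comporium.net",
    "207.6.75.110": "d207-6-75-110.bchsia.telus.net",
}

# Hostname shapes typical of consumer access pools: an embedded IPv4 address,
# a MAC-style hex label, or an access-technology keyword.
DYNAMIC_HINTS = re.compile(
    r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}"
    r"|^h[0-9a-f]{12}\."
    r"|client|dsl|cable|dyn|hsia|pool|dhcp",
    re.IGNORECASE,
)

def looks_dynamic(ptr):
    """True if a PTR name looks like a dynamic/consumer pool hostname."""
    return ptr is not None and DYNAMIC_HINTS.search(ptr) is not None

def score_nameservers(glue, ptr):
    """Score a delegation by its NS glue; higher is more suspicious."""
    ips = {ip for addrs in glue.values() for ip in addrs}
    networks = {".".join(ip.split(".")[:2]) for ip in ips}  # crude /16 grouping
    score, reasons = 0, []
    if len(ips) > len(glue):
        score += 2
        reasons.append(f"{len(ips)} glue addresses behind {len(glue)} NS names")
    if len(networks) >= 5:
        score += 2
        reasons.append(f"glue scattered over {len(networks)} /16 networks")
    dynamic = sorted(ip for ip in ips if looks_dynamic(ptr.get(ip)))
    if dynamic:
        score += 3
        reasons.append(f"consumer-style PTR for {', '.join(dynamic)}")
    missing = sum(1 for ip in ips if ip not in ptr)
    if missing:
        score += 1
        reasons.append(f"{missing} NS address(es) without a PTR record")
    return score, reasons
```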
participants (12)
- Andy Ellifson
- Chris Boyd
- David Keith
- Geo.
- Hank Nussbacher
- Kee Hinckley
- Michael Airhart
- Michael G
- Mike Hyde
- Niels Bakker
- Suresh Ramasubramanian
- Vinny Abello