Wired mag article on spammers playing traceroute games with trojaned boxes

Vinny Abello vinny at tellurian.com
Thu Oct 9 16:11:56 UTC 2003


At 11:51 AM 10/9/2003, Chris Boyd wrote:


>On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian wrote:
>
>>
>>http://www.wired.com/news/business/0,1367,60747,00.html
>>
>>--
>>srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
>>manager, outblaze.com security and antispam operations
>>
>>
>
>I found one of these today, as a matter of fact.  The spam was advertising 
>an anti-spam package, of course.
>
>The domain name is vano-soft.biz, and looking up the address, I get
>
>Name:    vano-soft.biz
>Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 193.165.6.97
>           12.229.122.9
>
>A few minutes later, or from a different nameserver, I get
>
>Name:    vano-soft.biz
>Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>           12.252.185.129
>
>This is a real Hydra.  If everyone on the list looked up vano-soft.biz and 
>removed the trojaned boxes, would we be able to kill it?

They're using extremely low TTLs on most of their records. Typically 2 
minutes to accomplish this. The thing is I would imagine at least ONE of 
those NS servers cannot change within a 2 hour window whereas the others 
can change every 2 minutes. If you identify the server that only changes 
every 2 hours and track what it's replaced with every 2 hours, you're 
likely to find a rotating list of master servers... Another question is why 
is NeuLevel (the registrar for .biz) allowing TTLs on the NS records to be 
2 hours and submitting those to the GTLD servers. Maybe it's just me, but 
that's the first time I've seen a registrar set such a low TTL on an NS 
record. If NeuLevel is any good they would likely have some sort of 
information to identify the owner of the domain, even if the information 
listed on their whois server is invalid. They might have a credit card 
transaction although that too could always be a stolen credit card number.

Any other ideas or different angles/experiences?

; <<>> DiG 9.2.2 <<>> +trace a vano-soft.biz.
;; global options:  printcmd
.                       80336   IN      NS      l.root-servers.net.
.                       80336   IN      NS      m.root-servers.net.
.                       80336   IN      NS      i.root-servers.net.
.                       80336   IN      NS      e.root-servers.net.
.                       80336   IN      NS      d.root-servers.net.
.                       80336   IN      NS      a.root-servers.net.
.                       80336   IN      NS      h.root-servers.net.
.                       80336   IN      NS      c.root-servers.net.
.                       80336   IN      NS      g.root-servers.net.
.                       80336   IN      NS      f.root-servers.net.
.                       80336   IN      NS      b.root-servers.net.
.                       80336   IN      NS      j.root-servers.net.
.                       80336   IN      NS      k.root-servers.net.
;; Received 449 bytes from 216.182.1.1#53(216.182.1.1) in 40 ms

biz.                    172800  IN      NS      A.GTLD.biz.
biz.                    172800  IN      NS      B.GTLD.biz.
biz.                    172800  IN      NS      C.GTLD.biz.
biz.                    172800  IN      NS      D.GTLD.biz.
biz.                    172800  IN      NS      E.GTLD.biz.
biz.                    172800  IN      NS      F.GTLD.biz.
;; Received 228 bytes from 198.32.64.12#53(l.root-servers.net) in 270 ms

vano-soft.biz.          7200    IN      NS      NS1.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS2.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS3.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS4.UZC12.biz.
vano-soft.biz.          7200    IN      NS      NS5.UZC12.biz.
;; Received 223 bytes from 209.173.53.162#53(A.GTLD.biz) in 150 ms

vano-soft.biz.          120     IN      A       200.80.137.157
vano-soft.biz.          120     IN      A       12.229.122.9
vano-soft.biz.          120     IN      A       12.252.185.129
vano-soft.biz.          120     IN      A       165.166.182.168
vano-soft.biz.          120     IN      A       193.92.62.42
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
;; Received 287 bytes from 204.210.76.197#53(NS4.UZC12.biz) in 130 ms

Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and 
those that don't.
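The tracking Vinny describes (repeated lookups, low TTLs, and separating the addresses that stay put from the ones that rotate) can be scripted. The following is an added example, not code from the thread or from any poster: it parses dig-style answer lines and compares snapshots taken minutes apart. The two snapshots are constructed from the addresses quoted above; the function and variable names are my own.

```python
import re
from collections import defaultdict

# One dig answer line: name, TTL, class, type, rdata (any whitespace between fields).
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_rrs(dig_text):
    """Return (name, ttl, type, rdata) tuples from dig-style output; ';' comment lines are skipped."""
    rrs = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            rrs.append((name.lower(), int(ttl), rtype, rdata.lower()))
    return rrs

def flux_report(snapshots, ttl_limit=300):
    """For each (name, type) across repeated lookups: lowest TTL seen, rdata present in
    every snapshot (stable), rdata that came and went (rotating), and a flux flag set
    only when the TTL is short AND the answer set changed between observations."""
    sets_by_key = defaultdict(list)   # (name, type) -> one rdata set per snapshot
    min_ttl = {}
    for text in snapshots:
        per_key = defaultdict(set)
        for name, ttl, rtype, rdata in parse_rrs(text):
            per_key[(name, rtype)].add(rdata)
            min_ttl[(name, rtype)] = min(ttl, min_ttl.get((name, rtype), ttl))
        for key, rset in per_key.items():
            sets_by_key[key].append(rset)
    report = {}
    for key, sets in sets_by_key.items():
        union, stable = set().union(*sets), set.intersection(*sets)
        report[key] = {"min_ttl": min_ttl[key], "stable": stable, "rotating": union - stable,
                       "flux": min_ttl[key] <= ttl_limit and bool(union - stable)}
    return report

def dig_lines(name, ttl, rtype, rdatas):
    """Build constructed dig-style answer lines (sample data, not a live query)."""
    return "\n".join(f"{name}\t{ttl}\tIN\t{rtype}\t{r}" for r in rdatas)

# Constructed observations a few minutes apart, using the addresses quoted in the thread.
NS_SET = [f"ns{i}.uzc12.biz." for i in range(1, 6)]
SNAPSHOT_1 = dig_lines("vano-soft.biz.", 120, "A", ["12.252.185.129", "131.220.108.232",
             "165.166.182.168", "193.165.6.97", "12.229.122.9"]) + "\n" + \
             dig_lines("vano-soft.biz.", 120, "NS", NS_SET)
SNAPSHOT_2 = dig_lines("vano-soft.biz.", 120, "A", ["200.80.137.157", "12.229.122.9",
             "12.252.185.129", "165.166.182.168", "193.92.62.42"]) + "\n" + \
             dig_lines("vano-soft.biz.", 120, "NS", NS_SET)

if __name__ == "__main__":
    for key, r in flux_report([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(key, r["min_ttl"], "flux" if r["flux"] else "steady", sorted(r["stable"]))
```

Feed it the output of a cron-driven `dig +trace` every couple of minutes and the "stable" set is the short list worth chasing first; the NS records in these two snapshots stay identical and so are not flagged, matching the observation above that the nameserver set moves far more slowly than the A records.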
