Wired mag article on spammers playing traceroute games with trojaned boxes

Gregory Hicks ghicks at cadence.com
Thu Oct 9 17:00:46 UTC 2003



> Date: Thu, 9 Oct 2003 10:51:08 -0500
> Subject: Re: Wired mag article on spammers playing traceroute games with trojaned boxes
> From: Chris Boyd <cboyd at gizmopartners.com>
> To: nanog at merit.edu
> 
> 
> 
> On Thursday, October 9, 2003, at 10:04  AM, Suresh Ramasubramanian 
> wrote:
> 
> >
> > http://www.wired.com/news/business/0,1367,60747,00.html
> >
> > -- 
> > srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> > manager, outblaze.com security and antispam operations
> >
> >
> >
> 
> I found one of these today, as a matter of fact.  The spam was 
> advertising an anti-spam package, of course.
> 
> The domain name is vano-soft.biz, and looking up the address, I get
> 
> Name:    vano-soft.biz
> Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
> 193.165.6.97
>            12.229.122.9
> 
> A few minutes later, or from a different nameserver, I get
> 
> Name:    vano-soft.biz
> Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
>            12.252.185.129
> 
> This is a real Hydra.  If everyone on the list looked up vano-soft.biz 
> and removed the trojaned boxes, would we be able to kill it?

This is NOT a hydra.  The IP addresses are the same but presented
differently.  This happens because of THIS setup in DNS:

vano-soft.biz.  IN A 131.220.108.232
                IN A 165.166.182.168
                IN A 193.165.6.97
                IN A 12.229.122.9
                IN A 12.252.185.129
                
This setup is called "Round-robin" because the name server provides the
first IP address FIRST to the first query; the second IP address first
to the second query; the third IP address first to the third query; ...
to the fifth query.  Then it starts over with the first IP Address in
response to the sixth query...

In each case, ALL IP addresses are provided in response to each query.

Yes, the TTL may be a bit low, but it is a workable setup...

And no, I am NOT condoning what vano-soft.biz is doing, just trying to
explain why, when you checked the first time, you got one answer, and
when you checked sometime later, you got a different answer...

(Donning flameproof underwear...)

Regards,
Gregory Hicks

-------------------------------------------------------------------

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

Just because "We've always done it that way" is not necessarily a good
reason to continue to do so...  Grace Hopper, Rear Admiral, United
States Navy
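The distinction Gregory draws above (same address set, different order, versus a set that actually changes between lookups) is easy to check mechanically. The following Python script is an added example, not code from the thread: it models the rotation he describes, rotating a five-record RRset by one position per query, and compares answers by set rather than by order. The two answers quoted from Chris Boyd's post are embedded as constants; the "changing" sequence at the bottom is constructed purely to show what a genuinely shifting host set would look like to the same check.

```python
"""Round-robin DNS rotation versus a changing address set (added example)."""
from typing import List, Sequence

# A records exactly as listed in the zone fragment quoted in the message.
VANO_SOFT_A_RECORDS: List[str] = [
    "131.220.108.232",
    "165.166.182.168",
    "193.165.6.97",
    "12.229.122.9",
    "12.252.185.129",
]

# The two answers Chris Boyd reported, in the order he saw them.
FIRST_LOOKUP = ["12.252.185.129", "131.220.108.232", "165.166.182.168",
                "193.165.6.97", "12.229.122.9"]
SECOND_LOOKUP = ["131.220.108.232", "165.166.182.168", "193.165.6.97",
                 "12.229.122.9", "12.252.185.129"]


def round_robin_answer(records: Sequence[str], query_number: int) -> List[str]:
    """Return the whole RRset for query N (1-based), led by record N.

    This is the rotation described in the message: every query gets all
    addresses; only the starting point advances, wrapping after the last one.
    """
    if not records:
        return []
    shift = (query_number - 1) % len(records)
    return list(records[shift:]) + list(records[:shift])


def same_host_set(answer_a: Sequence[str], answer_b: Sequence[str]) -> bool:
    """True when two answers name the same hosts, regardless of order."""
    return set(answer_a) == set(answer_b)


def classify(answers: Sequence[Sequence[str]]) -> str:
    """Label a series of lookups as plain rotation or as a changing set.

    Returns "rotation" when every answer is the same set of addresses, and
    "changing" when hosts appear or disappear between lookups.
    """
    if not answers:
        return "rotation"
    reference = set(answers[0])
    if all(set(a) == reference for a in answers[1:]):
        return "rotation"
    return "changing"


# Constructed sequence (not from the thread): a host drops out and a new
# one appears between lookups, which is the case a set comparison flags.
CONSTRUCTED_CHANGING = [
    ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    ["192.0.2.11", "192.0.2.12", "192.0.2.10"],
    ["192.0.2.12", "192.0.2.13", "192.0.2.11"],
]


if __name__ == "__main__":
    for n in range(1, 7):
        print(f"query {n}: {round_robin_answer(VANO_SOFT_A_RECORDS, n)}")
    print("thread answers same host set:", same_host_set(FIRST_LOOKUP, SECOND_LOOKUP))
    print("thread answers:", classify([FIRST_LOOKUP, SECOND_LOOKUP]))
    print("constructed sequence:", classify(CONSTRUCTED_CHANGING))
```

Running it shows the sixth query leading with the same address as the first, and both of the quoted lookups classified as rotation; only the constructed sequence, where an address is actually replaced, comes back as "changing".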



