North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Wired mag article on spammers playing traceroute games with trojaned boxes

  • From: McBurnett, Jim
  • Date: Thu Oct 09 12:13:04 2003

->
->I found one of these today, as a matter of fact.  The spam was 
->advertising an anti-spam package, of course.
->
->The domain name is vano-soft.biz, and looking up the address, I get
->
->Name:    vano-soft.biz
->Addresses:  12.252.185.129, 131.220.108.232, 165.166.182.168, 
->193.165.6.97
->           12.229.122.9
->
->A few minutes later, or from a different nameserver, I get
->
->Name:    vano-soft.biz
->Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 
->12.229.122.9
->           12.252.185.129
->
->This is a real Hydra.  If everyone on the list looked up 
->vano-soft.biz 
->and removed the trojaned boxes, would we be able to kill it?
->
->--Chris


I got : 
Canonical name: vano-soft.biz
Addresses:
  165.166.182.168
  193.92.62.42
  200.80.137.157
  12.229.122.9
  12.252.185.129

I think even if we get all the ones for this domain name today, 
assuming we can muster even man hours to get it today, another
5000 will be added tomarrow.
And looking at my list We have US(a very small ISP and a large ISP) 
RIPE, and LACNIC.

I wonder if the better question should be:

Can Broadband ISP's require a Linksys, dlink or other
broadband router without too many problems?

That is what it will take to slow this down, and then only if 
ALL of ISP's do it.

This not only affects this instance but global security 
as a whole. Just a few days ago, Cisco was taken 
offline by a large # of Zombies, I am willing to
say that those are potentially some of the same 
compromised systems.


Thoughts?
Jim