North American Network Operators Group


Re: Wired mag article on spammers playing traceroute games with trojaned boxes

  • From: Mike Hyde
  • Date: Thu Oct 09 17:01:16 2003

It looks like they are using their little team of zombie machines that
are doing the port 80 redirect to also respond to DNS requests:

;; AUTHORITY SECTION:
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz.          7200    IN      A       24.91.206.103
ns3.uzc12.biz.          7200    IN      A       12.206.49.107
ns4.uzc12.biz.          7200    IN      A       12.227.146.168
ns5.uzc12.biz.          7200    IN      A       66.21.211.204
ns5.uzc12.biz.          7200    IN      A       165.166.182.168
ns1.uzc12.biz.          7200    IN      A       24.243.218.127
ns1.uzc12.biz.          7200    IN      A       12.239.143.71
ns1.uzc12.biz.          7200    IN      A       66.90.158.89
ns1.uzc12.biz.          7200    IN      A       12.229.122.9
ns2.uzc12.biz.          7200    IN      A       24.107.74.166
ns2.uzc12.biz.          7200    IN      A       207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer
h00402b45512d.ne.client2.attbi.com.

168.182.166.165.in-addr.arpa domain name pointer
rhhe16-168.2wcm.comporium.net

110.75.6.207.in-addr.arpa domain name pointer
d207-6-75-110.bchsia.telus.net



On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> >A few minutes later, or from a different nameserver, I get
> >
> >Name:    vano-soft.biz
> >Addresses:  131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
> >           12.252.185.129
> >
> >This is a real Hydra.  If everyone on the list looked up 
> >vano-soft.biz and removed the trojaned boxes, would we be able to 
> >kill it?
> 
> I think in this instance your best approach may be to go after the 
> name servers.  Anything else is going to be a game of whack-a-mole. 
> Our spam filtering software actually uses the address of a domain's 
> name server in its scoring system.  Sometimes that's the only way 
> we've been able to reliably detect a spammer.
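A defender-side check for the pattern both messages above describe (a domain whose name servers sit on many consumer addresses with a short TTL, and scoring a domain by where its name servers live), written here as an added example and not code from either poster. It parses the dig records quoted above, embedded as a constructed sample; the /16 grouping and the thresholds are assumptions for illustration, not anything the thread specifies.

```python
import re
from collections import defaultdict
from ipaddress import ip_network
# Constructed sample: the NS and A records quoted in the post above, in dig's output format.
SAMPLE_DIG = """\
vano-soft.biz.          120     IN      NS      ns3.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns4.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns5.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns1.uzc12.biz.
vano-soft.biz.          120     IN      NS      ns2.uzc12.biz.
ns3.uzc12.biz.          7200    IN      A       24.91.206.103
ns3.uzc12.biz.          7200    IN      A       12.206.49.107
ns4.uzc12.biz.          7200    IN      A       12.227.146.168
ns5.uzc12.biz.          7200    IN      A       66.21.211.204
ns5.uzc12.biz.          7200    IN      A       165.166.182.168
ns1.uzc12.biz.          7200    IN      A       24.243.218.127
ns1.uzc12.biz.          7200    IN      A       12.239.143.71
ns1.uzc12.biz.          7200    IN      A       66.90.158.89
ns1.uzc12.biz.          7200    IN      A       12.229.122.9
ns2.uzc12.biz.          7200    IN      A       24.107.74.166
ns2.uzc12.biz.          7200    IN      A       207.6.75.110
"""
# owner ttl IN type rdata; dig's ";;" comment lines do not match and are skipped.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A)\s+(\S+)$")

def parse_records(text):
    """Return (owner, ttl, rtype, rdata) tuples for the NS and A lines in dig output."""
    rows = [RR_RE.match(line.strip()) for line in text.splitlines()]
    return [(m[1], int(m[2]), m[3], m[4]) for m in rows if m]

def ns_flux_indicators(records, domain):
    """Summarise how widely the domain's name servers are spread across address space."""
    ns_rrs = [r for r in records if r[0] == domain and r[2] == "NS"]
    ns_names = {r[3] for r in ns_rrs}
    addrs_by_ns = defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A" and owner in ns_names:
            addrs_by_ns[owner].add(rdata)
    all_addrs = set().union(*addrs_by_ns.values())
    # Distinct /16s is a crude offline stand-in for "how many unrelated networks" (assumed metric).
    nets = {ip_network(f"{a}/16", strict=False) for a in all_addrs}
    return {
        "ns_count": len(ns_names),
        "ns_ttl": min((r[1] for r in ns_rrs), default=None),
        "addr_count": len(all_addrs),
        "net16_count": len(nets),
    }

def looks_fluxy(ind, max_ttl=300, min_nets=5):
    """Short NS TTL plus name servers scattered over many /16s: the pattern in the post (assumed thresholds)."""
    return ind["ns_ttl"] is not None and ind["ns_ttl"] <= max_ttl and ind["net16_count"] >= min_nets
```

On the sample above this reports five name servers on eleven addresses in eleven different /16s with a 120-second NS TTL, which is the shape a scoring rule like the one described in the quoted reply would weight against.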