funsec mailing list archives
Comment spam: drive-by sites, domains and spyware - analysis, samples and facts
From: Gadi Evron <ge () linuxbox org>
Date: Wed, 15 Feb 2006 00:43:50 +0200
Warning: this post is being X-posted.

Blog/web spam is not the next spam medium, it is spam plain and simple. People, including some anti-spam experts, just don't realize how big it all is. It's not only about spam, it is about spyware, bots and breaking into computers.

How about I provide some facts?

Below are some selected spam samples from one of the high-traffic blogs I help maintain. Some of them are included for the repeat-offenders point being made, showing the different IP addresses that attacked us from a botnet/proxy list of compromised (broken into) systems.
NOTE: The URL's quoted are NOT safe. DO NOT go there unless you know what you are doing. Responsibility is yours alone.
As an example, take a look at: http://w ww.hackologie.tk/ It is a site for a drive-by. Spyware you say? Find out. :)

Below, further in the text, I start an analysis, showing hundreds of DNS RRs for just one of the IPs you will find looking at the A record for that site.

This is indeed one of the uses for the new black-list some of us are creating: a cooperative effort to compare spams across different blogs, analyze them, find distinct groups and block them, as well as terminate their domain names.

FURTHER - it's a nice way to find their new Trojan horses and spyware, as well as their new domains. These samples will then be reported to anti-virus and anti-spyware vendors; much as we will work to terminate the domains, we will also work to make their malware useless.
The malware proves that most of these guys are not just annoying spammers abusing our services, AUPs, users and privacy. It proves they break into computers as well as try and break into ours.
Anti spam projects will get a feed so that whatever medium they spam, we will all cooperate to kick them back.
So far some of the biggest blogging sites online are enlisted in our effort (which is not limited to this); we will see what happens.

My previous (most recent) post on this subject can be found here: http://blogs.securiteam.com/index.php/archives/285

This post can be found here: http://blogs.securiteam.com/index.php/archives/290

Some more analysis on the bad site I spoke of above as an example: a full analysis will take time I don't have, so let's just show a few teasers to get you curious!
"Due to restrictions in Dot TK's Privacy Statement personal information about the user of the domain name cannot be released."
^^^ Ain't that convenient?

Domain               Type  Class  TTL    Answer
hackologie.tk.       MX    IN     86400  mx-host.dot.tk. [Preference = 20]
hackologie.tk.       A     IN     300    62.129.131.38
hackologie.tk.       A     IN     300    217.115.203.21
hackologie.tk.       A     IN     300    195.20.32.104
hackologie.tk.       A     IN     300    209.172.59.193
hackologie.tk.       A     IN     300    217.119.57.19
tk.                  NS    IN     86400  root-g.taloha.tk.
tk.                  NS    IN     86400  ns-a.taloha.tk.
tk.                  NS    IN     86400  ns-b.taloha.tk.
tk.                  NS    IN     86400  ns-c.taloha.tk.
tk.                  NS    IN     86400  root-a.taloha.tk.
tk.                  NS    IN     86400  root-b.taloha.tk.
tk.                  NS    IN     86400  root-c.taloha.tk.
tk.                  NS    IN     86400  root-d.taloha.tk.
tk.                  NS    IN     86400  root-e.taloha.tk.
tk.                  NS    IN     86400  root-f.taloha.tk.
root-g.taloha.tk.    A     IN     21600  217.68.243.17
ns-a.taloha.tk.      A     IN     21600  62.41.22.202
ns-b.taloha.tk.      A     IN     21600  195.11.245.84
ns-c.taloha.tk.      A     IN     21600  216.38.132.90
root-a.taloha.tk.    A     IN     21600  194.109.152.138
root-b.taloha.tk.    A     IN     21600  195.20.32.102
root-c.taloha.tk.    A     IN     21600  207.36.228.217
root-d.taloha.tk.    A     IN     21600  217.199.176.121
root-e.taloha.tk.    A     IN     21600  66.36.231.236
root-f.taloha.tk.    A     IN     21600  202.125.44.173

Just a FEW of the DNS RRs pointing to just one of the IP addresses:

www.*****.tk A 62.129.131.38 www.*.tk A 62.129.131.38 www.-fctwente-.tk A 62.129.131.38 www.-beach-.tk A 62.129.131.38 www.-erki-.tk A 62.129.131.38 www.atletiek2000.tk A 62.129.131.38 www.beveren2000.tk A 62.129.131.38 www.cj800.tk A 62.129.131.38 www.boca80.tk A 62.129.131.38 bomma80.tk A 62.129.131.38 www.armenia90.tk A 62.129.131.38 em0.tk A 62.129.131.38 www.stropkaai31.tk A 62.129.131.38 www.piaa1.tk A 62.129.131.38 www.devalkb1.tk A 62.129.131.38 www.brambo1.tk A 62.129.131.38 www.ignis1.tk A 62.129.131.38 www.thesims-2.tk A 62.129.131.38 www.biot2002.tk A 62.129.131.38 www.5voor12.tk A 62.129.131.38 www.boelie-v32.tk A 62.129.131.38 www.jordistylertje-b42.tk A 62.129.131.38 www.seca2.tk A 62.129.131.38 www.pitagora2.tk A 62.129.131.38 www.mywitchworld2.tk A 62.129.131.38 www.4hwe2.tk A 62.129.131.38 aandetoog2.tk A 62.129.131.38 www.aandetoog2.tk A 62.129.131.38 www.lmk2.tk A 62.129.131.38 www.cosan2.tk A 62.129.131.38 www.jones2.tk A 62.129.131.38 www.part2.tk A 62.129.131.38 w.driver-3.tk A 62.129.131.38 www.'tng2003.tk A 62.129.131.38 w-i-t-c-h-g-i-r-l-13.tk A 62.129.131.38 groep13.tk A 62.129.131.38 www.groep13.tk A 62.129.131.38 www.atelier13.tk A 62.129.131.38 www.warez13.tk A 62.129.131.38 www.warez33.tk A 62.129.131.38 www.shark69-shinzl3.tk A 62.129.131.38 www.muzikamp3.tk A 62.129.131.38 www.warez-t3.tk A 62.129.131.38 www.vak-v3.tk A 62.129.131.38 abi04.tk A 62.129.131.38 www.mss-abi04.tk A 62.129.131.38 www.abi04.tk A 62.129.131.38 www.trash14.tk A 62.129.131.38 www.harry-potter14.tk A 62.129.131.38 www.rahoveci24.tk A 62.129.131.38 studi24.tk A 62.129.131.38 www.studi24.tk A 62.129.131.38 studiok4.tk A 62.129.131.38 www.studiok4.tk A 62.129.131.38 www.sv4.tk A 62.129.131.38 www.diesel4x4.tk A 62.129.131.38 www.ampuria2005.tk A 62.129.131.38 www.zw-maloja2005.tk A 62.129.131.38 www.mosta2005.tk A 62.129.131.38 sb2005.tk A 62.129.131.38
www.vormsel2005.tk A 62.129.131.38 halo-clan2005.tk A 62.129.131.38 www.grandkemer2005.tk A 62.129.131.38 abi05.tk A 62.129.131.38 www.lissabon05.tk A 62.129.131.38 www.dieter-b35.tk A 62.129.131.38 www.gdw85.tk A 62.129.131.38 www.witchmagazine5.tk A 62.129.131.38 www.tbc-2006.tk A 62.129.131.38 tds-2006.tk A 62.129.131.38 www.tds-2006.tk A 62.129.131.38 www.oeganda2006.tk A 62.129.131.38 www.tbc2006.tk A 62.129.131.38 www.amuzed2006.tk A 62.129.131.38 jeugdweekend2006.tk A 62.129.131.38 www.jeugdweekend2006.tk A 62.129.131.38 www.festivalveurne2006.tk A 62.129.131.38 www.lkf2006.tk A 62.129.131.38 www.extremepaintball2006.tk A 62.129.131.38 www.mfm2006.tk A 62.129.131.38 www.tds2006.tk A 62.129.131.38 www.skireis2006.tk A 62.129.131.38 www.eindejaarsreis2006.tk A 62.129.131.38 www.lost2006.tk A 62.129.131.38 wewi06.tk A 62.129.131.38 www.wewi06.tk A 62.129.131.38 www.vat18jarigen06.tk A 62.129.131.38 winx-club16.tk A 62.129.131.38 www.stel7076.tk A 62.129.131.38 www.knuffeltje6.tk A 62.129.131.38 www.elle6.tk A 62.129.131.38 www.p407.tk A 62.129.131.38 newssvt07.tk A 62.129.131.38 www.fcvdendereh-u17.tk A 62.129.131.38 www.zeal7.tk A 62.129.131.38 www.ir2008.tk A 62.129.131.38 www.sart68.tk A 62.129.131.38 www.revenge88.tk A 62.129.131.38 www.ami8.tk A 62.129.131.38 www.steakn8.tk A 62.129.131.38 www.leerlingengroep8.tk A 62.129.131.38 www.hypnos69.tk A 62.129.131.38 www.hsl9.tk A 62.129.131.38 www.myt9.tk A 62.129.131.38 www.iw3a.tk A 62.129.131.38 www.leaaa.tk A 62.129.131.38 www.dutchmohaa.tk A 62.129.131.38 daba.tk A 62.129.131.38 www.chimbawamba.tk A 62.129.131.38 www.crystalcynthiawicca.tk A 62.129.131.38 www.chemica.tk A 62.129.131.38 www.sowada.tk A 62.129.131.38 www.taida.tk A 62.129.131.38 www.woida.tk A 62.129.131.38 www.laestampida.tk A 62.129.131.38 www.tango-querida.tk A 62.129.131.38 www.provida.tk A 62.129.131.38 www.juf-linda.tk A 62.129.131.38 www.janenlinda.tk A 62.129.131.38 www.alyda.tk A 62.129.131.38 www.geonea.tk A 62.129.131.38 
www.chiroharbalorifa.tk A 62.129.131.38 www.agst-antifa.tk A 62.129.131.38 www.indoorsoccerliga.tk A 62.129.131.38 www.langa.tk A 62.129.131.38 www.remmertwielinga.tk A 62.129.131.38 www.kogonga.tk A 62.129.131.38 www.komboecha.tk A 62.129.131.38 www.bullmastiffsvanboedha.tk A 62.129.131.38 www.sopha.tk A 62.129.131.38 www.trisyha.tk A 62.129.131.38 www.nefaia.tk A 62.129.131.38 www.jeugdclubjia.tk A 62.129.131.38 www.flora-helia.tk A 62.129.131.38 www.eendrachtfamilia.tk A 62.129.131.38 www.zvcutopia.tk A 62.129.131.38 www.spoofzakaria.tk A 62.129.131.38 www.caracastasia.tk A 62.129.131.38 www.chirosinttheresia.tk A 62.129.131.38 www.necromantia.tk A 62.129.131.38 tweeja.tk A 62.129.131.38 www.skorpija.tk A 62.129.131.38 www.nathasja.tk A 62.129.131.38 www.mavicka.tk A 62.129.131.38 www.jhjeka.tk A 62.129.131.38 www.stepashka.tk A 62.129.131.38 www.kinetika.tk A 62.129.131.38 www.nautika.tk A 62.129.131.38 www.kutunka.tk A 62.129.131.38 www.stejoka.tk A 62.129.131.38 www.szczepkowska.tk A 62.129.131.38 www.proxilala.tk A 62.129.131.38 www.vila.tk A 62.129.131.38 www.shabhekla.tk A 62.129.131.38 vinylla.tk A 62.129.131.38 www.vinylla.tk A 62.129.131.38 www.wakayama.tk A 62.129.131.38 www.bacma.tk A 62.129.131.38 www.therasmusmaailma.tk A 62.129.131.38 www.jussinloma.tk A 62.129.131.38 www.druma.tk A 62.129.131.38 escortalana.tk A 62.129.131.38 www.hodena.tk A 62.129.131.38 www.christin-jena.tk A 62.129.131.38 www.chironazoena.tk A 62.129.131.38 supermagna.tk A 62.129.131.38 www.mondina.tk A 62.129.131.38 winx-pagina.tk A 62.129.131.38 www.kidspagina.tk A 62.129.131.38 www.aanvullingspagina.tk A 62.129.131.38 www.tomenkarolina.tk A 62.129.131.38 www.vansina.tk A 62.129.131.38 www.aaatina.tk A 62.129.131.38 www.wouterenanna.tk A 62.129.131.38 www.cenna.tk A 62.129.131.38 ww.jamilahenna.tk A 62.129.131.38 www.mktupa.tk A 62.129.131.38 www.waira.tk A 62.129.131.38 www.sectumsempra.tk A 62.129.131.38 www.club-sakura.tk A 62.129.131.38 www.joura.tk A 62.129.131.38 
www.mrsa.tk A 62.129.131.38 www.gojirafanusa.tk A 62.129.131.38 hhakunamatata.tk A 62.129.131.38 www.rs3beta.tk A 62.129.131.38 www.5humweta.tk A 62.129.131.38 www.sanderenanita.tk A 62.129.131.38 ukta.tk A 62.129.131.38 www.chirojuventa.tk A 62.129.131.38 www.juf-tinta.tk A 62.129.131.38 www.titta.tk A 62.129.131.38 www.clanfuta.tk A 62.129.131.38 www.wisnatua.tk A 62.129.131.38 www.djalbflava.tk A 62.129.131.38 www.juliapentcheva.tk A 62.129.131.38 www.ligamufova.tk A 62.129.131.38 www.oipova.tk A 62.129.131.38 www.osipova.tk A 62.129.131.38 www.vanallesewa.tk A 62.129.131.38 www.dfwa.tk A 62.129.131.38

I don't even want to hazard a guess as to what I would find if I followed every host and every IP address, and then looked at what each NS is hosting and kept following...
Time for other baddies in the following blog spam samples. Details are in the following order:

- Title
- Nickname entered
- E-mail entered
- IP posted from
- URL entered
- URLs found in the post
- DATA (contents)

Not all fields are present in all the posts below. Some of the links below break. Not all of these host malware; some are just annoying spam. ALL THESE LINKS ARE TO BE CONSIDERED NOT SAFE. VISIT AT YOUR OWN RISK.

Title: notebook computer ac
Author: notebook computer accessories
E-mail: netsecu11 () yahoo com
IP: 200.121.71.53
URL: http://w ww.notebook-computers.com-infor.com

Title: Laser Cutting Servic
Author: Laser Cutting Service
E-mail: laser-cutting-service@craigrom.com
IP: 200.117.186.202
URL: http://w ww.laser-cutting-pro.info/laser-cutting-service/laser-cu tting-services.html

Title: Cheap laptop skins
E-mail: shopcart963 () yahoo com
IP: 200.121.71.53
URL: http://w ww.cheap-laptops.com-infor.com

Title: benozor77
E-mail: webmaster () hackologie tk
IP: 82.65.181.88
URL: http://w ww.hackologie.tk/

Title: allegra
E-mail:
IP: 203.162.27.81
URL: http://w ww.20mbweb.com/Health/allegra/

Title: allegra
E-mail:
IP: 202.58.85.6
URL: http://w ww.20mbweb.com/Health/allegra/

Title: google pr main
E-mail: sdb6xgc () email com
IP: 202.58.85.8
URL: http://w ww.pr.com http://w ww.pr.com/contacts/

Title: google pr main
E-mail: mci6r4b () lycos com
IP: 213.249.155.240
URL: http://w ww.pr.com http://w ww.pr.com/contac http://w ww.pr.com

Title: pagerank main
E-mail: cfz6qf2 () search com
IP: 140.134.4.80
URL: http://w ww.pr.com http://w ww.pr.com/improvep http://w ww.pr.com/linksale/ http://w ww.pr.com

Title: online directory mai
Author: online directory main
E-mail: ybww8h9 () ebay com
IP: 207.225.139.26
URL: http://w ww.yp.com http://w ww.yp.com/Sweden/

Title: online directory mai
Author: online directory main
E-mail: blcr4cw () hotmail com
IP: 140.134.4.80
URL: http://w ww.yp.com http://w ww.yp.com/Sweden http://w ww.yp.com

Title: google pr main
E-mail: zjfzw3f () mail ru
IP: 213.249.155.240
URL: http://w ww.pr.com http://w ww.pr.com/contacts/

Title: google pr main
E-mail: hejlj0e () email com
IP: 207.225.139.26
URL: http://w ww.pr.com http://w ww.pr.com/contac http://w ww.pr.com

Title: pagerank main
E-mail: eqnm7ht () yahoo com
IP: 140.134.4.80
URL: http://w ww.pr.com http://w ww.pr.com/improvep http://w ww.pr.com/linksale/ http://w ww.pr.com

Title: yellow pages main
E-mail: smlrkt2 () hotmail com
IP: 66.232.147.211
URL: http://w ww.yp.com http://w ww.yp.com/India/ http://w ww.yp.com/China/ http://w ww.yp.com

Title: no-deposit-casino
IP: 81.31.160.4
URL: http://c asino2006.ca.funpic.de/no-deposit-casino.htm

Title: swimsuits
E-mail: akochgdls () qlog com
IP: 203.162.27.87
URL: http://z oomy.home.sapo.pt/ljqff/human.html http://z oomy.home.sapo.pt/ljqff/ebo http://z oomy.home.sapo.pt/toon/2qz342llxv/cartoonmanga.html

Title: Phentermine
E-mail: contact () phentermine-support com
IP: 202.58.85.6
URL: http://w ww.phentermine-support.com http://b ingo.up-a.com http://w ww.cheapest-viagra-source.com http://t amiflu.usa-online-pharmacy.net http://w ww.viagra-here.com http://w ww.viagra-exchange.com http://w ww.0-online-casino.us http://w ww.0-poker.biz http://w ww.phentermine-support.com http://w ww.casino-focus.com/

Title: lorazepam
IP: 68.60.116.167
URL: http://l orazepam1.lo.funpic.de/lorazepam.htm

Gadi.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.