<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Bredolab Mastermind Was Key Spamit.com Affiliate</title>
	<atom:link href="http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Fri, 24 May 2013 02:29:45 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: MarshalBananas</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12450</link>
		<dc:creator>MarshalBananas</dc:creator>
		<pubDate>Sat, 13 Nov 2010 00:33:08 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12450</guid>
		<description><![CDATA[And please, send all the &quot;Russian slang&quot; you&#039;d like my way. I enjoy collecting it.]]></description>
		<content:encoded><![CDATA[<p>And please, send all the &#8220;Russian slang&#8221; you&#8217;d like my way. I enjoy collecting it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: MarshalBananas</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12449</link>
		<dc:creator>MarshalBananas</dc:creator>
		<pubDate>Sat, 13 Nov 2010 00:31:25 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12449</guid>
		<description><![CDATA[dev32.net]]></description>
		<content:encoded><![CDATA[<p>dev32.net</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: TheGeezer</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12436</link>
		<dc:creator>TheGeezer</dc:creator>
		<pubDate>Fri, 12 Nov 2010 12:50:17 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12436</guid>
		<description><![CDATA[Any idea when the Netherlands&#039; High Tech Crime Unit is going to address the botnets/fake web sites registered with ccTLD &quot;tk&quot; (managed by dot.tk in the Netherlands)?

Not a day goes by without some scam using the ccTLD &quot;tk&quot;. In the last 8 hours there were at least 6 confirmed reports of tk domains faking the Habbo website (a social networking website aimed at teenagers).

In addition, tk registered domains were used twice this month to provide an extra level of obfuscation for the ZeuS/SpyEye botnet. The tk domains used a fast-flux server to reference the NauNet registered domains for the ZeuS/SpyEye botnet fast-flux servers.

BTW, the dot.tk abuse address never responds.]]></description>
		<content:encoded><![CDATA[<p>Any idea when the Netherlands&#8217; High Tech Crime Unit is going to address the botnets/fake web sites registered with ccTLD &#8220;tk&#8221; (managed by dot.tk in the Netherlands)?</p>
<p>Not a day goes by without some scam using the ccTLD &#8220;tk&#8221;. In the last 8 hours there were at least 6 confirmed reports of tk domains faking the Habbo website (a social networking website aimed at teenagers).</p>
<p>In addition, tk registered domains were used twice this month to provide an extra level of obfuscation for the ZeuS/SpyEye botnet. The tk domains used a fast-flux server to reference the NauNet registered domains for the ZeuS/SpyEye botnet fast-flux servers.</p>
<p>BTW, the dot.tk abuse address never responds.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: TheGeezer</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12213</link>
		<dc:creator>TheGeezer</dc:creator>
		<pubDate>Sat, 06 Nov 2010 20:47:38 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12213</guid>
		<description><![CDATA[I should clarify what I meant by the &quot;hosts referencing the fast-flux servers&quot; in the email campaign. I was referring only to the host referenced in the spam email, the host that contains the fake bank or IRS page, collects the info, credit card number, ssn etc., not the ones sending the spam. 

Early this year, monitoring 52 domains used in a ZeuS-Avalanche campaign, lasting from March 26 through April 1, there were only 310 active hosts, and the most referenced site, on one of the large US cable networks, was the active site 60 times more often than the least referenced site. Current campaigns show a similar pattern. It could actually be a good marketing campaign for the cable company! When criminal botnets need speed and reliability they choose xxx cable!]]></description>
		<content:encoded><![CDATA[<p>I should clarify what I meant by the &#8220;hosts referencing the fast-flux servers&#8221; in the email campaign. I was referring only to the host referenced in the spam email, the host that contains the fake bank or IRS page, collects the info, credit card number, ssn etc., not the ones sending the spam. </p>
<p>Early this year, monitoring 52 domains used in a ZeuS-Avalanche campaign, lasting from March 26 through April 1, there were only 310 active hosts, and the most referenced site, on one of the large US cable networks, was the active site 60 times more often than the least referenced site. Current campaigns show a similar pattern. It could actually be a good marketing campaign for the cable company! When criminal botnets need speed and reliability they choose xxx cable!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: AlphaCentauri</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12209</link>
		<dc:creator>AlphaCentauri</dc:creator>
		<pubDate>Sat, 06 Nov 2010 17:51:46 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12209</guid>
		<description><![CDATA[Actually, I got to see one of these in action when one of my kids downloaded something. (She had friends over who convinced her to violate house rules and use Internet Explorer, because Firefox wouldn&#039;t display the funny video they wanted to show her.) 

At the time we had Norton AV but no outgoing firewall. Norton displayed a little envelope icon in the tray each time any email was sent, to signify it was scanning it for malware. The infection was noticed only because once an hour, twelve little envelope icons would appear as email was sent, then the process went back into dormancy.  After installing a firewall, we were able to identify the process attempting to send the emails so we could manually disable it.  We were never notified that anyone had complained of receiving spam from our IP address. 

For mailing spam, it&#039;s better to have a large number of bots sending a small volume of email each, so no one of them is reported enough times to get blocklisted.  

As far as hosting the spamvertised websites, while it&#039;s better to have a high capacity server, Spamit didn&#039;t always go that route. They have used fast flux botnets in the past that comprised thousands of individual computers. Each computer would only have borne 1/12 of their website traffic, and only for 5 minutes at a time. And they have documented ties to Storm Worm/Waledac, which used a zero-second refresh, so each computer only got traffic for about 1/3 of a second before another shouldered the load. Most of those were definitely small users on dynamic IP ranges. I suspect they only stopped doing it because it was so easy to get their domains shut down by submitting a table of IP addresses and timestamps -- the registrars couldn&#039;t dismiss complaints by making the argument that we should complain to the hosting service.]]></description>
		<content:encoded><![CDATA[<p>Actually, I got to see one of these in action when one of my kids downloaded something. (She had friends over who convinced her to violate house rules and use Internet Explorer, because Firefox wouldn&#8217;t display the funny video they wanted to show her.) </p>
<p>At the time we had Norton AV but no outgoing firewall. Norton displayed a little envelope icon in the tray each time any email was sent, to signify it was scanning it for malware. The infection was noticed only because once an hour, twelve little envelope icons would appear as email was sent, then the process went back into dormancy.  After installing a firewall, we were able to identify the process attempting to send the emails so we could manually disable it.  We were never notified that anyone had complained of receiving spam from our IP address. </p>
<p>For mailing spam, it&#8217;s better to have a large number of bots sending a small volume of email each, so no one of them is reported enough times to get blocklisted.  </p>
<p>As far as hosting the spamvertised websites, while it&#8217;s better to have a high capacity server, Spamit didn&#8217;t always go that route. They have used fast flux botnets in the past that comprised thousands of individual computers. Each computer would only have borne 1/12 of their website traffic, and only for 5 minutes at a time. And they have documented ties to Storm Worm/Waledac, which used a zero-second refresh, so each computer only got traffic for about 1/3 of a second before another shouldered the load. Most of those were definitely small users on dynamic IP ranges. I suspect they only stopped doing it because it was so easy to get their domains shut down by submitting a table of IP addresses and timestamps &#8212; the registrars couldn&#8217;t dismiss complaints by making the argument that we should complain to the hosting service.</p>
]]></content:encoded>
	</item>
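The hourly burst of a dozen outgoing mails that AlphaCentauri noticed by watching tray icons is exactly the kind of pattern an outbound connection log makes detectable. The following is an added example, not code from the original thread or from any commenter: it parses a constructed firewall log (the "unixtime src= dst= dport=" line format and every address in it are assumptions), groups port-25 connections per source into bursts, and flags sources whose large bursts recur at evenly spaced intervals. The thresholds (burst gap, minimum burst size, allowed jitter) are assumptions to tune for a real network.

```python
"""Added example: flag hosts that send outbound SMTP in short, evenly spaced
bursts, the pattern described above (a dozen mails once an hour, then
silence). The connection log is constructed for illustration."""
import re
from statistics import median

# Constructed firewall line format (assumed): "unixtime src=IP dst=IP dport=N".
LINE = re.compile(r"^(\d+) src=([\d.]+) dst=[\d.]+ dport=(\d+)")


def constructed_log():
    """Three hourly bursts of twelve port-25 connections from 192.168.1.20,
    a normal client that sends one mail now and then, and one HTTPS hit."""
    lines = []
    for burst in range(3):
        base = 1288900000 + burst * 3600
        for i in range(12):
            lines.append(f"{base + i * 2} src=192.168.1.20 dst=203.0.113.{i} dport=25")
    for t in (1288900500, 1288902100, 1288905300):
        lines.append(f"{t} src=192.168.1.31 dst=198.51.100.9 dport=25")
    lines.append("1288900700 src=192.168.1.20 dst=198.51.100.1 dport=443")
    return lines


SAMPLE_LOG = constructed_log()


def smtp_times_by_host(lines):
    """Sorted connection timestamps to port 25, keyed by source address."""
    out = {}
    for line in lines:
        m = LINE.match(line)
        if m and m.group(3) == "25":
            out.setdefault(m.group(2), []).append(int(m.group(1)))
    return {h: sorted(t) for h, t in out.items()}


def bursts(times, gap=300):
    """Split sorted timestamps into bursts separated by more than `gap` seconds."""
    groups, cur = [], [times[0]]
    for t in times[1:]:
        if t - cur[-1] > gap:
            groups.append(cur)
            cur = [t]
        else:
            cur.append(t)
    groups.append(cur)
    return groups


def is_periodic_spammer(times, min_bursts=3, min_size=5, jitter=0.1):
    """True when there are at least `min_bursts` bursts of `min_size` or more
    mails whose start times are evenly spaced: every gap between consecutive
    bursts lies within `jitter` of the median gap. Thresholds are assumed."""
    big = [b for b in bursts(times) if len(b) >= min_size]
    if min_bursts > len(big):
        return False
    starts = [b[0] for b in big]
    gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
    med = median(gaps)
    return all(jitter * med >= abs(g - med) for g in gaps)


def suspicious_hosts(lines):
    """Source addresses whose port-25 traffic matches the burst pattern."""
    return sorted(h for h, t in smtp_times_by_host(lines).items()
                  if is_periodic_spammer(t))
```

On the constructed log only 192.168.1.20 is flagged: it produces three bursts of twelve connections spaced exactly an hour apart, while 192.168.1.31 sends single mails at irregular times and never forms a burst. A mail-sending workstation that is not an SMTP relay should rarely open port 25 at all, so on many networks the simpler control is to block outbound 25 except from the mail server and alert on the attempts.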
	<item>
		<title>By: TheGeezer</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12205</link>
		<dc:creator>TheGeezer</dc:creator>
		<pubDate>Sat, 06 Nov 2010 13:02:01 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12205</guid>
		<description><![CDATA[I think it should also be noted that among the millions of infected computers only a small fraction are useful to the botnet. The infected computer must be available 24/7, fast, and reliable for the botnet to get in, send back the payload and exit undetected.

During any botnet email campaign, regardless of the number of domains used, the hosts referenced by the fast-flux servers will be limited to several hundred. And of those, there are definitely favorites. Some of the infected sites will be the &quot;active&quot; host on the fast-flux server 20+ times more often than the least referenced site.]]></description>
		<content:encoded><![CDATA[<p>I think it should also be noted that among the millions of infected computers only a small fraction are useful to the botnet. The infected computer must be available 24/7, fast, and reliable for the botnet to get in, send back the payload and exit undetected.</p>
<p>During any botnet email campaign, regardless of the number of domains used, the hosts referenced by the fast-flux servers will be limited to several hundred. And of those, there are definitely favorites. Some of the infected sites will be the &#8220;active&#8221; host on the fast-flux server 20+ times more often than the least referenced site.</p>
]]></content:encoded>
	</item>
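TheGeezer's observation that a fast-flux pool leans on a few reliable "favorite" hosts can be measured directly from resolver logs. The following is an added example, not code from the original thread or from any commenter: it takes a constructed DNS resolution log (every name, address and TTL in it is invented for illustration), flags names that behave like fast-flux domains, and ranks the addresses by how often they were handed out as the active host. The thresholds in is_fast_flux are assumptions a practitioner would tune against their own resolver data.

```python
"""Added example: flag fast-flux domains in a DNS resolution log and rank the
addresses most often handed out as the 'active' host. The records below are
constructed for illustration, not taken from any real campaign."""
from collections import Counter
from ipaddress import ip_network

# Constructed log: (unix_time, qname, ttl_seconds, A records in the answer).
# The first domain rotates a small pool spread over several /24s with a short
# TTL; the second is an ordinary site with one stable address.
SAMPLE_LOG = [
    (1000, "login-update.example.tk", 180, ["203.0.113.10", "198.51.100.7"]),
    (1300, "login-update.example.tk", 180, ["203.0.113.10", "192.0.2.44"]),
    (1600, "login-update.example.tk", 180, ["203.0.113.10", "198.51.100.91"]),
    (1900, "login-update.example.tk", 180, ["192.0.2.44", "203.0.113.10"]),
    (2200, "login-update.example.tk", 180, ["203.0.113.10", "198.51.100.7"]),
    (1000, "www.example.org", 86400, ["192.0.2.1"]),
    (1300, "www.example.org", 86400, ["192.0.2.1"]),
    (1600, "www.example.org", 86400, ["192.0.2.1"]),
]


def summarize(log):
    """Per qname: query count, longest TTL seen, how often each IP was
    returned, and the set of /24s those IPs fall in (IPv4 only)."""
    stats = {}
    for _ts, name, ttl, answers in log:
        d = stats.setdefault(name, {"queries": 0, "max_ttl": 0,
                                    "ips": Counter(), "nets": set()})
        d["queries"] += 1
        d["max_ttl"] = max(d["max_ttl"], ttl)
        for a in answers:
            d["ips"][a] += 1
            d["nets"].add(str(ip_network(f"{a}/24", strict=False)))
    return stats


def is_fast_flux(d, ttl_max=300, min_ips=3, min_nets=2, min_queries=3):
    """Heuristic thresholds (assumed, tune to your resolver): a short TTL,
    several distinct IPs across several /24s, over enough queries to rule
    out plain round-robin on one hosting network."""
    return (d["queries"] >= min_queries and ttl_max >= d["max_ttl"]
            and len(d["ips"]) >= min_ips and len(d["nets"]) >= min_nets)


def flux_domains(log):
    """Sorted list of qnames the heuristic flags."""
    return sorted(n for n, d in summarize(log).items() if is_fast_flux(d))


def favorite_hosts(log, name):
    """IPs for `name` ranked by how often they were handed out."""
    return summarize(log)[name]["ips"].most_common()


def skew_ratio(log, name):
    """How much more often the most-used host appears than the least-used
    one; a large ratio means the pool leans on a few reliable machines."""
    ranked = favorite_hosts(log, name)
    return ranked[0][1] / ranked[-1][1]
```

On the constructed log, flux_domains flags only the .tk name, and skew_ratio returns 5.0 for it: 203.0.113.10 is in every answer while 198.51.100.91 appears once. The same ranking, run over real resolver logs for a campaign's domains, is what yields the "active host" frequency table and the list of IP addresses and timestamps that the comments above describe sending to registrars.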
	<item>
		<title>By: Alex</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12200</link>
		<dc:creator>Alex</dc:creator>
		<pubDate>Sat, 06 Nov 2010 08:18:32 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12200</guid>
		<description><![CDATA[You guys all glide across the surface. To understand the logic of a hacker, you need to become a hacker.]]></description>
		<content:encoded><![CDATA[<p>You guys all glide across the surface. To understand the logic of a hacker, you need to become a hacker.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Gary</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12190</link>
		<dc:creator>Gary</dc:creator>
		<pubDate>Sat, 06 Nov 2010 01:28:39 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12190</guid>
		<description><![CDATA[Per the blog you ref&#039;d, the author reports that he offered to bury the hatchet on Monday and on Tuesday he and Vrublevsky talked for about an hour and a half and are moving toward that, albeit slowly.]]></description>
		<content:encoded><![CDATA[<p>Per the blog you ref&#8217;d, the author reports that he offered to bury the hatchet on Monday and on Tuesday he and Vrublevsky talked for about an hour and a half and are moving toward that, albeit slowly.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michel van Eeten</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12046</link>
		<dc:creator>Michel van Eeten</dc:creator>
		<pubDate>Tue, 02 Nov 2010 07:52:49 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12046</guid>
		<description><![CDATA[AlphaCentauri, you are correct. In fact, my blogpost points out they did indeed &quot;count infections&quot; for one month and then extrapolated that. The question is: how do you count the number infections? The most likely answer is: they counted the number of unique IP addresses connecting to the command and control server. That is a very problematic way to estimate the size of a botnet. In fact, it has been proven to overestimate the size by one order of magnitude -- i.e., not 30 million infections, but 3 million. Guess what: the latter figure is very close to the Microsoft data on Bredolab. See the blogpost for more details.

(Hunchback: thanks for the link!)]]></description>
		<content:encoded><![CDATA[<p>AlphaCentauri, you are correct. In fact, my blogpost points out they did indeed &#8220;count infections&#8221; for one month and then extrapolated that. The question is: how do you count the number infections? The most likely answer is: they counted the number of unique IP addresses connecting to the command and control server. That is a very problematic way to estimate the size of a botnet. In fact, it has been proven to overestimate the size by one order of magnitude &#8212; i.e., not 30 million infections, but 3 million. Guess what: the latter figure is very close to the Microsoft data on Bredolab. See the blogpost for more details.</p>
<p>(Hunchback: thanks for the link!)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: conner</title>
		<link>http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/comment-page-1/#comment-12039</link>
		<dc:creator>conner</dc:creator>
		<pubDate>Tue, 02 Nov 2010 01:44:44 +0000</pubDate>
		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6179#comment-12039</guid>
		<description><![CDATA[There&#039;s nothing worse than a PARASITE. Steal steal steal is all you leeches are competent at.

Brian, you should just totally ignore these worms. We know and support that approach. Life is too short to have to give these smegma-breaths any of your precious time.

Sincerely,
RainbowRoof]]></description>
		<content:encoded><![CDATA[<p>There&#8217;s nothing worse than a PARASITE. Steal steal steal is all you leeches are competent at.</p>
<p>Brian, you should just totally ignore these worms. We know and support that approach. Life is too short to have to give these smegma-breaths any of your precious time.</p>
<p>Sincerely,<br />
RainbowRoof</p>
]]></content:encoded>
	</item>
</channel>
</rss>
