Thursday, October 11, 2007
As I pointed out in my last series of posts assessing pharmaceutical scams and phishing campaigns, botnet masters, pharma masters, and rock phishers alike are starting to take advantage of fast-flux networks to make it harder to trace back and shut down their operations. Here's a related article on the topic: "With fast-flux, spammers continually change the URL in the e-mail to counter filtering efforts. The constant change requires a corresponding defense that recognizes those changes as they occur, Red Condor officials said. Fast-flux botnets turn IP addresses against anti-spammers. Using a large number of servers, fast-flux DNS uses a compromised PC as a proxy, frustrating investigators. In its September intelligence report, MessageLabs counted fast-flux DNS techniques as one of the key reasons botnets are hard to shut down. The MySpace worm that compromised thousands of MySpace users' sites earlier this year utilized fast-flux techniques."
Let's showcase this emerging trend. Take for instance some recently spammed .cn domains, such as considerjust.cn and pageagainst.cn, advertising a Canadian Pharmacy scam. The domains have an allocated pool of IPs to rotate through on each and every request to them, something you can easily verify by pinging them and watching how their IPs change with every new ping, in line with the allocated IP table you can see in the screenshot. It gets even more interesting when it comes to locating the main fast-flux domain, in this case mainseven.com, a central point for a great deal of other pharma domains in its fast-flux network. Here are graphs of fast-flux spam and scam networks:
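As an added example that is not part of the original post, here is a small Python check for the behaviour described above: repeated lookups of a fluxing name return many different addresses, scattered across unrelated netblocks, with a TTL short enough to force constant re-resolution. The IPs, TTLs and thresholds below are constructed placeholders, not data from the spammed domains.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Set


class Observation(NamedTuple):
    """One A-record answer seen for a domain: time in seconds, IP, and TTL."""
    t: int
    ip: str
    ttl: int


# Constructed sample data (not real resolutions): a name whose answer changes
# on every lookup, spread over unrelated netblocks, with a short TTL.
FLUX_OBS: List[Observation] = [
    Observation(0, "192.0.2.10", 60),
    Observation(60, "198.51.100.5", 60),
    Observation(120, "203.0.113.9", 60),
    Observation(180, "192.0.2.77", 60),
    Observation(240, "203.0.113.200", 60),
]

# Constructed control: a stable host that keeps one address with a long TTL.
STABLE_OBS: List[Observation] = [
    Observation(t, "192.0.2.1", 86400) for t in range(0, 300, 60)
]


def distinct_ips(obs: List[Observation]) -> Set[str]:
    return {o.ip for o in obs}


def distinct_prefixes(obs: List[Observation], prefixlen: int = 16) -> Set[ipaddress.IPv4Network]:
    # Collapsing to /16 approximates "how many unrelated networks host this
    # name"; a production pipeline would map each IP to its ASN instead.
    return {ipaddress.ip_network(f"{o.ip}/{prefixlen}", strict=False) for o in obs}


def flux_indicators(obs: List[Observation]) -> Dict[str, int]:
    return {
        "n_ips": len(distinct_ips(obs)),
        "n_prefixes": len(distinct_prefixes(obs)),
        "min_ttl": min(o.ttl for o in obs),
    }


def looks_fast_flux(obs: List[Observation], min_ips: int = 5,
                    min_prefixes: int = 3, max_ttl: int = 300) -> bool:
    """Heuristic (thresholds are assumptions): many distinct answers over several
    netblocks with a short TTL. CDNs can also show low TTLs and several IPs, so
    treat a hit as a lead for analysts, not as proof of a botnet."""
    ind = flux_indicators(obs)
    return (ind["n_ips"] >= min_ips
            and ind["n_prefixes"] >= min_prefixes
            and ind["min_ttl"] <= max_ttl)
```

Feed it the successive answers you collect by resolving a suspicious domain over a few minutes; the stable control shows why a single long-lived address never trips the check.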
Posted by Dancho Danchev at Thursday, October 11, 2007