Monday, October 01, 2007

Love is a Psychedelic Too

Compared to a previous example of an over-performing image spammer, whose efforts to bypass spam filters make it virtually impossible for anyone to fall victim to the pharmaceutical scam, this example of image spam has something very interesting: a spamming host that dynamically generates a new subdomain, running a proxy server, every time the central campaign URL gets refreshed via an obfuscated JavaScript. meds247.org (216.55.70.170) is the public face of abetterlevel.org (221.130.192.17), and here are examples of the "one-time-scams-in-everything" style subdomains:

cpv9c5pt.abetterlevel.org:8080/cg/viagra.php
ccj70tjcm.abetterlevel.org:8088/cg/viagra.php
fdbtpju.abetterlevel.org:8080/cg/viagra.php
b80cpno.abetterlevel.org:8088/cg/viagra.php
ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php

A few minutes after being accessed, the subdomains either stop responding or start listening on the second port. Moreover, all the subdomains generated at abetterlevel.org resolve to radius.tercernivel.com (200.57.39.20), an indication of an ecosystem operating on three different networks.
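The pattern above (one path served from many throwaway subdomains of a single parent domain, on non-default ports) can be picked out of proxy logs or URLs extracted from spam. The following is an added example, not code from the original post; the function names, the `min_labels` threshold and the "last two labels" parent-domain heuristic are assumptions, and the example.com URLs are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# The first five URLs are the ones listed in the post; the rest are constructed.
SAMPLE_URLS = [
    "cpv9c5pt.abetterlevel.org:8080/cg/viagra.php",
    "ccj70tjcm.abetterlevel.org:8088/cg/viagra.php",
    "fdbtpju.abetterlevel.org:8080/cg/viagra.php",
    "b80cpno.abetterlevel.org:8088/cg/viagra.php",
    "ffh3rj8zn.abetterlevel.org:8088/cg/viagra.php",
    "www.example.com/index.html",
    "shop.example.com/cart.php",
    "www.example.com:8080/status",
]

def parent_domain(host):
    # Assumption: the registered domain is the last two labels. Production
    # code should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])

def find_rotating_hosts(urls, min_labels=4):
    """Return {(parent, path): {"labels", "ports"}} for every path that is
    served from at least min_labels distinct subdomains of one parent domain
    and was seen on at least one port other than 80/443."""
    seen = defaultdict(lambda: {"labels": set(), "ports": set()})
    for raw in urls:
        parts = urlsplit(raw if "://" in raw else "http://" + raw)
        host = (parts.hostname or "").lower()
        parent = parent_domain(host)
        label = host[: -len(parent)].rstrip(".") if parent else ""
        if not label:
            continue  # bare domain: no subdomain to rotate
        entry = seen[(parent, parts.path)]
        entry["labels"].add(label)
        entry["ports"].add(parts.port or 80)
    return {
        key: entry for key, entry in seen.items()
        if len(entry["labels"]) >= min_labels and entry["ports"] - {80, 443}
    }

if __name__ == "__main__":
    for (parent, path), entry in find_rotating_hosts(SAMPLE_URLS).items():
        print(parent, path, len(entry["labels"]), sorted(entry["ports"]))
```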
