Saturday, November 03, 2007

Managed Fast-Flux Provider

Vertical integration in the spamming market means you don't just provide potential customers lists in the form of harvested emails, the infrastructure for the mass mailing consisting of hundreds of infected PCs, but also, occupying emerging market segments such as the need for increasing the overal time a spam/phishing campaign remains online, as well as make it hard to traceback courtesy of fast-flux networks. And so, the IP that was hosting the spam/phishing campaign in the last 5 minutes is now clean and has nothing to do with it.

There's an interesting tactic phishers and spammers are starting to use, next to the pure fast-flux at the DNS level I covered in a previous post, and that is a dynamically serving the data from multiple locations per web session. Take meds247.org for instance. Who's providing meds247.org's fast-flux infrastructure? In the first example we had "a dynamic subdomain generating spamming host running a proxy server every time the central campaign URL gets refreshed via an obfuscated javascript". The javascript is now gone, but the content (dynamic per page view) is obtained from dynamic locations behind a proxy. For instance, while the domain responds to 78.94.45.76, the content in the session is obtained from 72.2.16.236:8088/vti_sys. And despite that the DNS records and the content IPs change the vti_sys directory structure doesn't, a fax fluxing service that I feel Send-Safe.com branded as "Your Own Proxies" and as it looks like, use on for their own order processing next to maintaining a rogue certificate authority for anyone who dares to shop there :

216.153.170.110:8088/vti_sys/order.php?product=ssnp
216.153.170.110:8088/vti_sys/order.php?product=sspc
216.153.170.110:8088/vti_sys/order.php?product=sse1
216.153.170.110:8088/vti_sys/order.php?product=ssalonesite
67.118.79.234:8088/vti_sys/order.php?product=sslm

More info about Send-Safe.com, a spamware vendor that's vertically integrating in the spamming market.