Managed Fast-Flux Provider

Vertical integration in the spamming market means you don't just provide potential customers lists in the form of harvested emails, the infrastructure for the mass mailing consisting of hundreds of infected PCs, but also, occupying emerging market segments such as the need for increasing the overal time a spam/phishing campaign remains online, as well as make it hard to traceback courtesy of fast-flux networks. And so, the IP that was hosting the spam/phishing campaign in the last 5 minutes is now clean and has nothing to do with it.

There's an interesting tactic phishers and spammers are starting to use, next to the pure fast-flux at the DNS level I covered in a previous post, and that is a dynamically serving the data from multiple locations per web session. Take meds247.org for instance. Who's providing meds247.org's fast-flux infrastructure? In the first example we had "a dynamic subdomain generating spamming host running a proxy server every time the central campaign URL gets refreshed via an obfuscated javascript". The javascript is now gone, but the content (dynamic per page view) is obtained from dynamic locations behind a proxy. For instance, while the domain responds to 78.94.45.76, the content in the session is obtained from 72.2.16.236:8088/vti_sys. And despite that the DNS records and the content IPs change the vti_sys directory structure doesn't, a fax fluxing service that I feel Send-Safe.com branded as "Your Own Proxies" and as it looks like, use on for their own order processing next to maintaining a rogue certificate authority for anyone who dares to shop there :

216.153.170.110:8088/vti_sys/order.php?product=ssnp
216.153.170.110:8088/vti_sys/order.php?product=sspc
216.153.170.110:8088/vti_sys/order.php?product=sse1
216.153.170.110:8088/vti_sys/order.php?product=ssalonesite
67.118.79.234:8088/vti_sys/order.php?product=sslm

More info about Send-Safe.com, a spamware vendor that's vertically integrating in the spamming market.

Detecting and Blocking the Russian Business Network

Bleeding Edge Threats recently announced the release of some very handy RBN blocking/detecting rulesets :

"Call these hosts what you like, we see a large amount of hostile activity from these nets, and get little to no abuse response for takedown, Do what you will with this information."

Remember RBN's fake anti virus and anti spyware software? The list is getting bigger with another 20 additions again hosted on RBN IPs exposed by the RBNExploit blog.

Meanwhile you may be also be interested in how does an abuse request get handled at the RBN? Deceptively of course. Each and every domain or IP that has been somehow reported malicious to them, not once but numerous times by different organizations starts serving a fake account suspended message like the following malicious domains hosted at the RBN do :

"This Account Has Been Suspended For Violation Of Hosting Terms And Conditions. Please contact the billing/support department as soon as possible"

- superengine.cn (81.95.149.181) - fake account suspended message, no malicious script at front page but within the domain

- eliteproject.cn (81.95.149.124) - fake account suspended message, no malicious script at front page but within the domain

- space-sms.info (200.115.174.248) - fake account suspended, loads the malicious takenames.cn

- lem0n.info - (200.115.174.248) fake account suspended message, obfuscated javascript to bl0cker.info

- worldtraff.cn (200.115.174.248) - fake account suspended message, loads bl0cker.info and takenames.cn

- takenames.cn (58.65.239.66) - fake of eValid web testing solution, interacting with all of these domains

Dots, dots, dots, 58.65.239.66 or takenames.cn for the time being, used to resolve to goodtraff.biz in the past, another RBN operation we know from the Bank of India hack, where the second RBN IP was used in the most recent Possibility Media's Malware Fiasco as well.