Chris @ MyITforum
The Waledac botnet has been actively used to push malware since last year. The tactics employed by Waledac are so similar to those of the old Storm Worm that we have reason to believe they are closely connected.

Last night, the websites used to push Waledac infections got an overhaul. We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe. When we went searching, we noticed that the Waledac sites now looked like this:

Nice graphics, jerks.

Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com. If you check the DNS records for these domains, you'll notice that they have a time-to-live (TTL) set to zero, and they use that to change their IP address every time you query it. This is fast flux in action. Let's monitor the IP address of smsclubnet.com for two minutes:

Time      IP
11:00:17  118.232.218.209
11:00:22  211.105.220.204
11:00:28  121.179.73.185
11:00:33  124.8.89.29
11:00:38  69.55.30.158
11:00:44  116.127.184.49
11:00:49  201.42.136.214
11:00:54  89.35.18.27
11:01:00  24.77.250.131
11:01:05  118.130.83.202
11:01:11  77.78.150.199
11:01:16  211.180.118.70
11:01:21  189.111.197.36
11:01:27  121.183.32.80
11:01:32  211.218.197.220
11:01:38  121.183.32.80
11:01:43  125.129.151.33
11:01:48  151.60.88.70
11:01:54  121.179.73.186
11:01:59  210.207.217.154

All of those IP addresses are infected home computers, whose owners have no idea they are actually running a web server, one that is serving viruses. This botnet is not just used to serve the malware: the malware itself uses it when calling home. When Waledac is executed, it does dozens of HTTP POSTs to IP addresses belonging to this botnet.

The Waledac gang has registered over 100 .com domains for their purposes. You can actually tell a bit about their operations if you arrange their domains into groups.
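To show what separates the fast-flux pattern above from an ordinary DNS round-robin, here is an added example (our own illustration, not part of the original post) that replays the two-minute resolution log from the post and applies a simple heuristic: a zero TTL combined with many unrelated hosts in a short window. The ROUND_ROBIN_LOG data and the thresholds are constructed assumptions for contrast; the TTL is passed in because the table records only times and addresses.

```python
import ipaddress
from datetime import datetime

# Resolution log copied from the table in the post: smsclubnet.com queried
# about every five seconds for two minutes, as alternating "time ip" tokens.
WALEDAC_LOG = """
11:00:17 118.232.218.209 11:00:22 211.105.220.204 11:00:28 121.179.73.185
11:00:33 124.8.89.29 11:00:38 69.55.30.158 11:00:44 116.127.184.49
11:00:49 201.42.136.214 11:00:54 89.35.18.27 11:01:00 24.77.250.131
11:01:05 118.130.83.202 11:01:11 77.78.150.199 11:01:16 211.180.118.70
11:01:21 189.111.197.36 11:01:27 121.183.32.80 11:01:32 211.218.197.220
11:01:38 121.183.32.80 11:01:43 125.129.151.33 11:01:48 151.60.88.70
11:01:54 121.179.73.186 11:01:59 210.207.217.154
"""
# Constructed for contrast: a two-host round-robin inside a single /16.
ROUND_ROBIN_LOG = "11:00:17 203.0.113.10 11:00:22 203.0.113.11 11:00:28 203.0.113.10"

def parse_log(text):
    """Turn alternating 'HH:MM:SS ip' tokens into (datetime, IPv4Address) rows."""
    tokens = text.split()
    return [(datetime.strptime(ts, "%H:%M:%S"), ipaddress.ip_address(ip))
            for ts, ip in zip(tokens[::2], tokens[1::2])]

def flux_summary(rows):
    """Count distinct hosts and /16 prefixes and how often the answer changed."""
    ips = [ip for _, ip in rows]
    unique = set(ips)
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in unique}
    return {
        "queries": len(rows),
        "unique_ips": len(unique),
        "unique_prefixes16": len(prefixes),
        "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        "span_seconds": (rows[-1][0] - rows[0][0]).total_seconds(),
    }

def looks_fast_flux(rows, ttl, min_unique=5, min_prefixes=3):
    """Heuristic from the post: a zero TTL plus many unrelated hosts in a short
    window. A CDN or round-robin cycles a small pool inside few prefixes with a
    non-zero TTL and falls through this test. Thresholds are assumptions."""
    s = flux_summary(rows)
    return ttl == 0 and s["unique_ips"] >= min_unique and s["unique_prefixes16"] >= min_prefixes

if __name__ == "__main__":
    print(flux_summary(parse_log(WALEDAC_LOG)))
    print("smsclubnet.com fast flux?", looks_fast_flux(parse_log(WALEDAC_LOG), ttl=0))
    print("round-robin fast flux?", looks_fast_flux(parse_log(ROUND_ROBIN_LOG), ttl=300))
```

On the post's log this reports 19 distinct hosts across 18 different /16 prefixes in 102 seconds, with the answer changing on every query; a proper deployment would add ASN lookups and feed the summaries into passive-DNS monitoring.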
Practically all the domains they own are registered to these email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com. Here they are:

News:
bestgoodnews.com
bestbreakingfree.com
breakinggoodnews.com
breakingnewsltd.com
breakingkingnews.com
breakingnewsfm.com
easyworldnews.com
goodnewsreview.com
goodnewsdigital.com
reportradio.com
linkworldnews.com
tntbreakingnews.com
usabreakingnews.com
wapcitynews.com
worldtracknews.com
worldnewseye.com
worldnewsdot.com
worldtracknews.com
spacemynews.com
yourbreakingnew.com

Blogs:
bestusablog.com
bestjournalguide.com
bestlifeblog.com
bestblogdirect.com
boarddiary.com
blogsitedirect.com
blogginhell.com
farboards.com
mobilephotoblog.com
photoblogsite.com

Fear & Terror:
againstfear.com
antiterroris.com
antiterroralliance.com
antiterrornetwork.com
fearalert.com
globalantiterror.com
terroralertstatus.com
terrorfear.com
terrorismfree.com
urbanfear.com

Coupons & sales:
bestcouponfree.com
codecouponsite.com
gonesite.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
smartsalesgroup.com
thecoupondiscount.com
yourcountycoupon.com

Love & sex:
adorelyric.com
adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
chatloveonline.com
cherishletter.com
cherishpoems.com
extendedman.com
funloveonline.com
funnyvalentinessite.com
greatsvalentine.com
orldlovelife.com
greatvalentinepoems.com
lovecentralonline.com
lovelifeportal.com
romanticsloving.com
thevalentinelovers.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worshiplove.com
youradore.com
yourgreatlove.com
yourlength.com
yourvalentineday.com
yourvalentinepoems.com
yourvalnetinepoems.com

And here are the latest additions:

SMS Spying:
chinamobilesms.com
downloadfreesms.com
freecolorsms.com
freeservesms.com
miosmsclub.com
smsclubnet.com
smspianeta.com
virtualesms.com

This leaves us with a handful of domains we can't categorize into any of the above groups.
They are:
batchoose.com
bayhousehotel.com
coralarm.com
longballonline.com
moneymedal.com
quickjust.com
soundroyal.com
yourbarrier.com
yourlol.com
yourwent.com

Maybe these domains could give us a hint about their next move? Does anybody have any ideas? If so, leave us a comment.