cNotes 検索一覧カテゴリ

Happy New Year Mail --- New Fast-flux botnet ?

Published: 2011/01/07

今年の年始も量的には少ないですがGreeting Card系、Happy New Year Mail系のスパムが届きました。

このようなメールで、

リンク先のhtmlの中身はこんな感じ。

さらにジャンプ先で、

flash playerのインストーラーをダウンロードさせようとする典型的なパターン。

その正体はこれ。

http://www.virustotal.com/file-scan/report.html?id=a7f431309ef5fbe37516153ffd35f1b3475af91f57d9543b724ca53139cd8cae-1294335028

そろそろWaledacとか、新spam送信用botnetの構築を始めたかな？

でも量は少なめです。

Subjectの例

 Subject: Happy New Year 2011!
 Subject: Happy 2011 To U!

一段目のURLの例

domain html

lancasterautoelectric.com /tk1nney.html

sportsdarlingdowns.org /v0oa2iwq.html

domain	html
lancasterautoelectric.com	/tk1nney.html
sportsdarlingdowns.org	/v0oa2iwq.html

二段目のドメインの例

domain

bitagede.com

elberer.com

domain
bitagede.com
elberer.com

一段目のドメイン、IPアドレスの詳細

   Domain Name: LANCASTERAUTOELECTRIC.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS2459.HOSTGATOR.COM
   Name Server: NS2460.HOSTGATOR.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 16-sep-2010
   Creation Date: 16-sep-2010
   Expiration Date: 16-sep-2015

 174.122.106.3
 network:Class-Name:network
 network:ID:NETBLK-THEPLANET-BLK-16
 network:Auth-Area:174.120.0.0/14
 network:Network-Name:TPIS-BLK-174-122-106-0
 network:IP-Network:174.122.106.0/27
 network:IP-Network-Block:174.122.106.0 - 174.122.106.31
 network:Organization-Name:WebsiteWelcome
 network:Organization-City:Boca Raton
 network:Organization-State:FL
 network:Organization-Zip:33496
 network:Organization-Country:USA

 Domain Name:SPORTSDARLINGDOWNS.ORG
 Created On:18-Dec-2009 02:25:17 UTC
 Last Updated On:16-Feb-2010 03:52:04 UTC
 Expiration Date:18-Dec-2011 02:25:17 UTC
 Sponsoring Registrar:PlanetDomain Pty Ltd (R134-LROR)
 Status:OK
 Registrant ID:ID00432589-PR
 Registrant Name:The Manager SBCWeb
 Registrant Organization:Strategic Business Continuity Pty Ltd
 Registrant Street1:135 Stuart St
 Registrant Street2:
 Registrant Street3:
 Registrant City:.
 Registrant State/Province:QLD
 Registrant Postal Code:4350
 Registrant Country:AU
 
 115.178.17.181
 inetnum:      115.178.16.0 - 115.178.23.255
 netname:      DEDAUS-AU
 descr:        PO Box 58
 country:      AU

2段目のドメインはFast-Flux構成です。

TTL=0のAレコードが一つだけ落ちてきますが、問い合わせの度にAレコードが変わります。

 ;; QUESTION SECTION:
 ;bitagede.com.                  IN      A
 
 ;; ANSWER SECTION:
 bitagede.com.           0       IN      A       75.110.171.75 
 
 ;; AUTHORITY SECTION:
 bitagede.com.           3599    IN      NS      ns6.eplarine.com.
 bitagede.com.           3599    IN      NS      ns5.eplarine.com.
 bitagede.com.           3599    IN      NS      ns3.eplarine.com.
 bitagede.com.           3599    IN      NS      ns4.eplarine.com.
 bitagede.com.           3599    IN      NS      ns2.eplarine.com.
 bitagede.com.           3599    IN      NS      ns1.eplarine.com.
 
 ;; Query time: 247 msec
 ;; SERVER: 202.238.95.24#53(202.238.95.24)
 ;; WHEN: Fri Jan  7 12:27:08 2011
 ;; MSG SIZE  rcvd: 163

Aレコードとして登録されているIPアドレスの例

IP Address name AS AS NAME 国

24.11.217.5 c-24-11-217-5.hsd1.mi.comcast.net. 33668 Comcast US

41.133.139.148 41-133-139-148.dsl.mweb.co.za. 10474 NETACTIVE ZA

71.229.233.224 c-71-229-233-224.hsd1.co.comcast.net. 33652 Comcast US

75.110.171.75 c75-110-171-75.stl1cmta01.stwrok.ok.dh.suddenlink.net. 19108 CoxCommunications US

75.64.226.214 c-75-64-226-214.hsd1.ms.comcast.net. 22258 Comcast US

75.82.161.198 cpe-75-82-161-198.socal.res.rr.com. 20001 RoadRunner US

76.113.61.226 c-76-113-61-226.hsd1.nm.comcast.net. 33654 Comcast US

97.90.18.182 97-90-18-182.dhcp.mtpk.ca.charter.com. 20115 CHARTER-NET-HKY-NC US

98.232.48.112 c-98-232-48-112.hsd1.wa.comcast.net. 33650 DNEO-OSP7 US

98.24.114.217 cpe-098-024-114-217.carolina.res.rr.com. 11426 RoadRunner US

99.227.232.55 CPE0016760caa63-CM00195edb086a.cpe.net.cable.rogers.com. 812 ROGERS-CABLE CA

188.187.11.254 pppoe-188-187-11-254.volgograd.ertelecom.ru. 39435 EVOLGOGRAD-AS RU

190.21.117.239 190-21-117-239.baf.movistar.cl. 7418 Terra_Networks_Chile CL

190.99.40.235 NONE 27773 MILLICOM GT

195.206.233.62 195-206-233-62.broadband.tvin.com.ua. 197035 TVIN-INET UA

200.86.136.110 pc-110-136-86-200.cm.vtr.net. 22047 VTR_BANDA CL

201.160.142.11 201.160.142.11.cable.dyn.cableonline.com.mx. 28554 Cablemas MX

217.9.92.102 NONE 9206 MAI RU

IP Address	name	AS	AS NAME	国
24.11.217.5	c-24-11-217-5.hsd1.mi.comcast.net.	33668	Comcast	US
41.133.139.148	41-133-139-148.dsl.mweb.co.za.	10474	NETACTIVE	ZA
71.229.233.224	c-71-229-233-224.hsd1.co.comcast.net.	33652	Comcast	US
75.110.171.75	c75-110-171-75.stl1cmta01.stwrok.ok.dh.suddenlink.net.	19108	CoxCommunications	US
75.64.226.214	c-75-64-226-214.hsd1.ms.comcast.net.	22258	Comcast	US
75.82.161.198	cpe-75-82-161-198.socal.res.rr.com.	20001	RoadRunner	US
76.113.61.226	c-76-113-61-226.hsd1.nm.comcast.net.	33654	Comcast	US
97.90.18.182	97-90-18-182.dhcp.mtpk.ca.charter.com.	20115	CHARTER-NET-HKY-NC	US
98.232.48.112	c-98-232-48-112.hsd1.wa.comcast.net.	33650	DNEO-OSP7	US
98.24.114.217	cpe-098-024-114-217.carolina.res.rr.com.	11426	RoadRunner	US
99.227.232.55	CPE0016760caa63-CM00195edb086a.cpe.net.cable.rogers.com.	812	ROGERS-CABLE	CA
188.187.11.254	pppoe-188-187-11-254.volgograd.ertelecom.ru.	39435	EVOLGOGRAD-AS	RU
190.21.117.239	190-21-117-239.baf.movistar.cl.	7418	Terra_Networks_Chile	CL
190.99.40.235	NONE	27773	MILLICOM	GT
195.206.233.62	195-206-233-62.broadband.tvin.com.ua.	197035	TVIN-INET	UA
200.86.136.110	pc-110-136-86-200.cm.vtr.net.	22047	VTR_BANDA	CL
201.160.142.11	201.160.142.11.cable.dyn.cableonline.com.mx.	28554	Cablemas	MX
217.9.92.102	NONE	9206	MAI	RU

[カテゴリ:spam観察日記]

by jyake

Happy New Year Mail --- New Fast-flux botnet ?

TOP

Contents

About cNotes

What's New