Happy New Year Mail --- New Fast-flux botnet ?
Published: 2011/01/07
At the start of this year we again received Greeting Card and Happy New Year Mail style spam, although the volume was small.

The mail looks like this,

and the HTML at the linked page looks like this.

At the next hop,

it tries to get you to download a Flash Player installer: the typical pattern.

This is what that file really is.

Has something like Waledac started building a new spam-sending botnet?

The volume is still on the small side, though.
Example Subjects

Subject: Happy New Year 2011!
Subject: Happy 2011 To U!
Examples of first-stage URLs

| domain | html |
|---|---|
| lancasterautoelectric.com | /tk1nney.html |
| sportsdarlingdowns.org | /v0oa2iwq.html |
Examples of second-stage domains

| domain |
|---|
| bitagede.com |
| elberer.com |
Details of the first-stage domains and IP addresses

```
Domain Name: LANCASTERAUTOELECTRIC.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS2459.HOSTGATOR.COM
Name Server: NS2460.HOSTGATOR.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 16-sep-2010
Creation Date: 16-sep-2010
Expiration Date: 16-sep-2015
```

```
174.122.106.3
network:Class-Name:network
network:ID:NETBLK-THEPLANET-BLK-16
network:Auth-Area:174.120.0.0/14
network:Network-Name:TPIS-BLK-174-122-106-0
network:IP-Network:174.122.106.0/27
network:IP-Network-Block:174.122.106.0 - 174.122.106.31
network:Organization-Name:WebsiteWelcome
network:Organization-City:Boca Raton
network:Organization-State:FL
network:Organization-Zip:33496
network:Organization-Country:USA
```

```
Domain Name:SPORTSDARLINGDOWNS.ORG
Created On:18-Dec-2009 02:25:17 UTC
Last Updated On:16-Feb-2010 03:52:04 UTC
Expiration Date:18-Dec-2011 02:25:17 UTC
Sponsoring Registrar:PlanetDomain Pty Ltd (R134-LROR)
Status:OK
Registrant ID:ID00432589-PR
Registrant Name:The Manager SBCWeb
Registrant Organization:Strategic Business Continuity Pty Ltd
Registrant Street1:135 Stuart St
Registrant Street2:
Registrant Street3:
Registrant City:.
Registrant State/Province:QLD
Registrant Postal Code:4350
Registrant Country:AU

115.178.17.181
inetnum: 115.178.16.0 - 115.178.23.255
netname: DEDAUS-AU
descr: PO Box 58
country: AU
```
The second-stage domains are set up as Fast-Flux.

Only a single A record with TTL=0 comes back, but the A record changes on every query.

```
;; QUESTION SECTION:
;bitagede.com. IN A

;; ANSWER SECTION:
bitagede.com. 0 IN A 75.110.171.75

;; AUTHORITY SECTION:
bitagede.com. 3599 IN NS ns6.eplarine.com.
bitagede.com. 3599 IN NS ns5.eplarine.com.
bitagede.com. 3599 IN NS ns3.eplarine.com.
bitagede.com. 3599 IN NS ns4.eplarine.com.
bitagede.com. 3599 IN NS ns2.eplarine.com.
bitagede.com. 3599 IN NS ns1.eplarine.com.

;; Query time: 247 msec
;; SERVER: 202.238.95.24#53(202.238.95.24)
;; WHEN: Fri Jan 7 12:27:08 2011
;; MSG SIZE rcvd: 163
```
Examples of IP addresses returned as A records

| IP Address | name | AS | AS NAME | Country |
|---|---|---|---|---|
| 24.11.217.5 | c-24-11-217-5.hsd1.mi.comcast.net. | 33668 | Comcast | US |
| 41.133.139.148 | 41-133-139-148.dsl.mweb.co.za. | 10474 | NETACTIVE | ZA |
| 71.229.233.224 | c-71-229-233-224.hsd1.co.comcast.net. | 33652 | Comcast | US |
| 75.110.171.75 | c75-110-171-75.stl1cmta01.stwrok.ok.dh.suddenlink.net. | 19108 | CoxCommunications | US |
| 75.64.226.214 | c-75-64-226-214.hsd1.ms.comcast.net. | 22258 | Comcast | US |
| 75.82.161.198 | cpe-75-82-161-198.socal.res.rr.com. | 20001 | RoadRunner | US |
| 76.113.61.226 | c-76-113-61-226.hsd1.nm.comcast.net. | 33654 | Comcast | US |
| 97.90.18.182 | 97-90-18-182.dhcp.mtpk.ca.charter.com. | 20115 | CHARTER-NET-HKY-NC | US |
| 98.232.48.112 | c-98-232-48-112.hsd1.wa.comcast.net. | 33650 | DNEO-OSP7 | US |
| 98.24.114.217 | cpe-098-024-114-217.carolina.res.rr.com. | 11426 | RoadRunner | US |
| 99.227.232.55 | CPE0016760caa63-CM00195edb086a.cpe.net.cable.rogers.com. | 812 | ROGERS-CABLE | CA |
| 188.187.11.254 | pppoe-188-187-11-254.volgograd.ertelecom.ru. | 39435 | EVOLGOGRAD-AS | RU |
| 190.21.117.239 | 190-21-117-239.baf.movistar.cl. | 7418 | Terra_Networks_Chile | CL |
| 190.99.40.235 | NONE | 27773 | MILLICOM | GT |
| 195.206.233.62 | 195-206-233-62.broadband.tvin.com.ua. | 197035 | TVIN-INET | UA |
| 200.86.136.110 | pc-110-136-86-200.cm.vtr.net. | 22047 | VTR_BANDA | CL |
| 201.160.142.11 | 201.160.142.11.cable.dyn.cableonline.com.mx. | 28554 | Cablemas | MX |
| 217.9.92.102 | NONE | 9206 | MAI | RU |
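The Fast-Flux signature described above (TTL=0, a different A record on every query, addresses scattered across residential networks) can be turned into a simple detection over repeated dig answers. This is an added example, not code from the original post: the dig lines are constructed (reusing addresses from the table above), and the thresholds and the use of /16 prefixes as an offline stand-in for AS diversity are my assumptions.

```python
"""Flag fast-flux candidates from dig-style A-record answers (detection example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: several answers for bitagede.com (addresses reused from the
# table above) plus, for contrast, a normal host with one stable long-TTL record.
DIG_ANSWERS = """\
bitagede.com. 0 IN A 75.110.171.75
bitagede.com. 0 IN A 24.11.217.5
bitagede.com. 0 IN A 41.133.139.148
bitagede.com. 0 IN A 188.187.11.254
bitagede.com. 0 IN A 190.21.117.239
bitagede.com. 0 IN A 217.9.92.102
example.net. 3600 IN A 192.0.2.10
example.net. 3600 IN A 192.0.2.10
example.net. 3600 IN A 192.0.2.11
"""

def parse_dig_a_lines(text):
    """Extract (name, ttl, ip) from lines shaped like dig's ANSWER SECTION."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "A":
            records.append((parts[0].rstrip("."), int(parts[1]), parts[4]))
    return records

def summarize(records):
    """Per name: lowest TTL seen, distinct IPs, distinct /16 prefixes."""
    stats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for name, ttl, ip in records:
        s = stats[name]
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["ips"].add(ip)
        # /16 prefix is an offline stand-in for AS diversity (assumption)
        s["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
    return stats

def is_fast_flux(stat, max_ttl=300, min_ips=5, min_nets=3):
    """Assumed thresholds: tiny TTL plus many IPs across many networks."""
    return (stat["min_ttl"] <= max_ttl and len(stat["ips"]) >= min_ips
            and len(stat["nets"]) >= min_nets)

def fast_flux_names(records):
    return sorted(n for n, s in summarize(records).items() if is_fast_flux(s))

if __name__ == "__main__":
    print(fast_flux_names(parse_dig_a_lines(DIG_ANSWERS)))  # ['bitagede.com']
```

In practice you would feed it the answers collected by querying the domain repeatedly over a few minutes, or passive-DNS records, and replace the /16 grouping with a real ASN lookup.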
by jyake