Sunday, 15 August 2010
Spam using RU domains - Who's your nameserver?
Over the past week, I've noticed a huge amount of spam of similar nature. Typically we don't blog about silly spam campaigns, or we like to look for the botnet responsible for the actual spam. However this one was annoying enough for me to want to dig into it a bit. What I found annoying was that in all the spam messages, they each had a different .RU domain. What were these domains, who is the registrar and where is this all hosted?
The spam was simple in nature and typically was constructed with a Subject line alluding to improving sexual performance. The body of the email had a lead-in sentence, followed by a link to a .RU domain. Sure enough, the site itself was all about male enhancement pharma. There did not appear to be anything malicious dropped or any redirects. A few of the domains seen were:
- riskbottle .ru
- steaklove .ru
- toiletvillian .ru
- lowsort .ru
- silencebear .ru
Each of these domains is hosted on 112.78.8.6, which is "Online Data Services" in Vietnam (AS45538).
As expected, I saw several hundred domains hosted on this IP. Many of them were brand new, and it seems new domains are actively being added. Cross-checking the nameservers for each of the domains I had seen in the RU spam, I saw the following sets:
- ns1.domainzoom. ru
- ns2.domainzoom. ru
- ns1.tunehost. ru
- ns2.tunehost. ru
- ns1.domainfox. ru
- ns2.domainfox. ru
- ns1.marshost. ru
- ns2.marshost. ru
- ns1.domainair. ru
- ns2.domainair. ru
- ns1.netcasual. ru
- ns2.netcasual. ru
OK, so the actual website is hosted in Vietnam, where are the nameservers located? For all the previously listed nameservers I saw associated with this spam campaign, they all were located on the following IP addresses:
- 218.10.16.55 - CHINA169-Backbone - AS4837
- 218.75.144.9 - CHINANET-BACKBONE - AS4134
- 218.75.149.210 - CHINANET-BACKBONE - AS4134
- 211.95.79.151 - China Internet Network Information Center - AS17621
I then wanted to determine all the other active nameservers on these IPs. I again saw a large number of nameservers such as:
- ns1.domainzoom. ru
- ns1.tunehost. ru
- ns1.awardshop. ru
- ns1.ballhost. ru
- ns1.fastprovider. ru
- ns1.netwebbit. ru
- ns1.prosupersite. ru
- ns2.domainclick. ru
- ns2.hostingprov. ru
- ns1.proshopmax. com
- ns2.smoothwar. ru
- ns1.fastwebbox. ru
- ...
What these nameservers had in common was that they all used NAUNET-REG-RIPN as their registrar. I see from the Coordination Center for TLD RU that Naunet-SP is considered an "accredited registrar": http://www.cctld.ru/en/registrators/
Checking URIBL for Naunet, I saw that, at the time of this blog, over 80% of active Naunet-registered domains seen in email were blacklisted by URIBL over the past 5 days: http://rss.uribl.com/nic/NAUNET_REG_RIPN.html
It's fairly common now to see RU domains being hosted on servers in China or with other Asia-Pacific providers. Perhaps this is due to the recent effort by China to "tighten Internet controls" by requiring more documentation and accountability before registering domains: http://news.bbc.co.uk/2/hi/asia-pacific/8530378.stm
In any case, this silly spam campaign seems to have ramped up a pretty good arsenal of RU domains hosted in China. It's often fruitful to keep track of certain nameservers used by malicious domains and watch for new domains using them. This also allows you to track certain registrars and develop a basic 'scoring' system based on nameserver, registrar, hosting provider, etc.
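The pivot-and-score idea above, as an added example (not code from the original post): DNS answers are constructed inline from the IPs, nameservers and registrar the post reports, so it runs offline with no lookups; which domain sits behind which nameserver, and the domains newcomer.ru and benign.example, are assumptions made for the example.

```python
from collections import defaultdict
# Constructed passive-DNS style records: domain -> (A record, nameservers, registrar).
# IPs, nameserver names and registrar are those reported in the post; which domain
# uses which nameserver is assumed. newcomer.ru and benign.example are invented.
RECORDS = {
    "riskbottle.ru": ("112.78.8.6", ["ns1.domainzoom.ru", "ns2.domainzoom.ru"], "NAUNET-REG-RIPN"),
    "steaklove.ru": ("112.78.8.6", ["ns1.tunehost.ru", "ns2.tunehost.ru"], "NAUNET-REG-RIPN"),
    "lowsort.ru": ("112.78.8.6", ["ns1.domainfox.ru", "ns2.domainfox.ru"], "NAUNET-REG-RIPN"),
    "newcomer.ru": ("203.0.113.7", ["ns1.tunehost.ru", "ns2.tunehost.ru"], "NAUNET-REG-RIPN"),
    "benign.example": ("203.0.113.10", ["ns1.example.net", "ns2.example.net"], "EXAMPLE-REG"),
}
# Constructed: nameserver -> the IP it resolves to (nameserver IPs from the post).
NS_ADDR = {
    "ns1.domainzoom.ru": "218.10.16.55", "ns2.domainzoom.ru": "218.75.144.9",
    "ns1.tunehost.ru": "218.75.149.210", "ns2.tunehost.ru": "211.95.79.151",
    "ns1.domainfox.ru": "218.10.16.55", "ns2.domainfox.ru": "218.75.144.9",
    "ns1.example.net": "198.51.100.5", "ns2.example.net": "198.51.100.6",
}
BAD_HOST_IPS = {"112.78.8.6"}                     # Online Data Services, AS45538
BAD_NS_IPS = {"218.10.16.55", "218.75.144.9",     # the nameserver hosts in China
              "218.75.149.210", "211.95.79.151"}
BAD_REGISTRARS = {"NAUNET-REG-RIPN"}
WEIGHTS = {"hosting_ip": 2, "nameserver_ip": 2, "registrar": 1}  # assumed weights

def pivot_by_nameserver(records):
    """The pivot from the post: nameserver -> set of domains delegated to it."""
    by_ns = defaultdict(set)
    for domain, (_ip, nameservers, _registrar) in records.items():
        for ns in nameservers:
            by_ns[ns].add(domain)
    return dict(by_ns)

def score_domain(domain, records=RECORDS, ns_addr=NS_ADDR):
    """Weighted sum of infrastructure indicators; returns (score, reasons)."""
    ip, nameservers, registrar = records[domain]
    reasons = []
    if ip in BAD_HOST_IPS:
        reasons.append("hosting_ip")
    if any(ns_addr.get(ns) in BAD_NS_IPS for ns in nameservers):
        reasons.append("nameserver_ip")
    if registrar in BAD_REGISTRARS:
        reasons.append("registrar")
    return sum(WEIGHTS[r] for r in reasons), reasons

def new_domains_on_watched_ns(records, watched_ns, known):
    """Domains not yet in `known` that use a watched nameserver (the watch step)."""
    by_ns = pivot_by_nameserver(records)
    hits = set().union(*(by_ns.get(ns, set()) for ns in watched_ns))
    return sorted(hits - set(known))
```

Feeding real passive-DNS output into RECORDS and NS_ADDR turns the same three functions into a daily diff of new domains appearing behind a watched nameserver set.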
For now this particular campaign is yielding nothing more than offers to help men with a "problem". Next time, something more malicious could be dropped.
Update
August 16th - 18:49 UTC
Since this posting, I have learned of many more malicious domains registered via Naunet. Our good friend Roman at abuse.ch provided this link to Naunet domains he is watching. https://zeustracker.abuse.ch/monitor.php?registrar=NAUNET-REG-RIPN
Additionally, Alex Cox at NetWitness has provided us a list of Gumblar domains also registered via Naunet.
Posted August 15, 2010, at 05:09 PM by Andre' - Semper_Securus