Posted on Thursday, December 6th, 2007 | Bookmark on del.icio.us

Stration/Warezov is Not Dead

by Jose Nazario

UPDATED to link to the F-Secure name map …

This year the Storm Worm (aka Peacomm aka Nuwar aka Tibs aka Zheltin), but we should not forget about good old Stration, the spam botnet that preceded Storm.

With Storm stealing all of the thunder this year, people seemed to think that Stration was whipped. Far from it, it’s still appearing, new variants are alive and the websites are still active.

Domain names used by Stration that are still live …

Domain Name.......... waserunjinkpionyunhdefun.com

  Creation Date........ 2006-12-01 17:16:26

  Registration Date.... 2006-12-01 17:16:26

  Expiry Date.......... 2007-12-01 17:16:26

  Organisation Name.... Bai Ming

  Organisation Address. Bei Jing

  Organisation Address.

  Organisation Address. Bei Jing

  Organisation Address. 100021

  Organisation Address. BJ

  Organisation Address. CN


...Domain Name:threadexceptionkas.com

Administrative Contact:

Dima li

        Dima li

        jungonglu1219hao

        shang hai Shanghai 200093

        China

        tel: 86 021 76886639

        fax: 86 021 76886639

        64117521@163.com


Hey! Bai Ming is still around, and Dima Li is involved in a few of these domains, too. Awesome! Let’s see what kind of hosts we’re using here …


    

  • waserunjinkpionyunhdefun.com A INET 89.178.139.28
    • 

  • waserunjinkpionyunhdefun.com A INET 12.206.206.61
    • 

  • waserunjinkpionyunhdefun.com A INET 221.126.1.22
    • 

  • waserunjinkpionyunhdefun.com A INET 69.231.169.165
    • 

  • waserunjinkpionyunhdefun.com A INET 222.238.99.40
    • 

  • waserunjinkpionyunhdefun.com A INET 89.179.6.140
    • 

  • waserunjinkpionyunhdefun.com A INET 78.106.204.239
    • 

  • waserunjinkpionyunhdefun.com A INET 89.178.5.39
    • 

  • waserunjinkpionyunhdefun.com A INET 140.115.203.26
    • 

  • waserunjinkpionyunhdefun.com A INET 78.106.156.82
    • 

  • waserunjinkpionyunhdefun.com A INET 85.29.244.31
    • 

  • waserunjinkpionyunhdefun.com A INET 220.107.136.215
    • 

  • waserunjinkpionyunhdefun.com A INET 89.179.5.116
    • 

  • waserunjinkpionyunhdefun.com A INET 89.178.9.23
    • 

  • waserunjinkpionyunhdefun.com A INET 85.179.49.140
    • 

  • waserunjinkpionyunhdefun.com A INET 75.80.30.207
    • 

  • waserunjinkpionyunhdefun.com A INET 78.107.180.36
    • 

  • waserunjinkpionyunhdefun.com A INET 78.54.183.222
    • 

  • waserunjinkpionyunhdefun.com A INET 85.216.50.192
    • 

  • waserunjinkpionyunhdefun.com A INET 87.182.106.195
    • 



Fast-flux on the loose, there. Some more domain names that may or may not be related to Bai Ming but are certainly Stration …


    

  • providefunctionkeylin.com
    • 

  • threadexceptionkas.com
    • 

  • beruijindegunhadesun.com
    • 

  • uktinherpionsades.com
    • 

  • vaserjungenfujinas.com
    • 



This is just a few I found in a few minutes by looking at our data dumps. I’m sure more exist, and it’d be nice to NXDOMAIN them all.


Things you can look for to kill those domains:


    

  • If you have DNS admin access, kill those domains (become the SOA internally and NX them …)
    • 

  • If you have HTTP proxy logs, IDS logs, or something similar, look for HTTP POST actions to the script “/cgi-bin/pr.cgi” on those hosts.
    • 



ADDED ON 14 DECEMBER F-Secure’s domain list has been updated, they also note that Warezov has not died.

	
					
				

					
						This entry was posted
						 
						on Thursday, December 6th, 2007 at 5:10 pm						and is filed under Arbor Networks,  Malware,  Spam.
						You can follow any responses to this entry through the RSS 2.0 feed. 
						
													You can leave a response, or trackback from your own site.
						
												
					
				

	
			

		

	
		
		
	



   
		
		
	 



Leave a Comment