Still Spamming: Stration aka Warezov
by Jose Nazario

We know that the Stration/Warezov botnet is not dead, but in the wake of this week’s revelation that Storm may be dead, attention is returning to the Stration/Warezov botnet, another major spam botnet. Our systems have been churning through a pile of these samples and discovering new and active domains.
From our own analysis we see the following domains are associated with the botnet, although not all are active any more:
- fandesjinkderunha.com
- localhost-2.com
- rx-from-warehouse3.com
- try-anything-else.com
- paguole.com
- postcards-1.com
- beruijindegunhadesun.com
- jaserungdnesinkas.com
Digging further, these other domain names are probably related to the Warezov botnet as well, and many of them are actively fast-fluxing:
- budppsh.com
- pazmogutionsa.com
- discount-pharmacy-online-e.com
- extremely-huge-discounts-d.com
- grand-sale-4.com
- localhost-2.com
- mp3for-you.com
- rx-from-warehouse2.com
- vjucrdfy.com
- vvicwwo.com
This is one live, active botnet spamming many of our favorite products, month after month.
Based on DNS analysis, here’s a map showing several of these servers around the world. In short, they are all over the world but spread pretty thin. That the botnet is holding on so weakly could be good news: maybe this is a botnet we can target and win against.
Looking at one of the domain names, we can see that it is fluxy from the diversity of ASNs behind its A records and from PTR analysis of those IPs (they are broadband addresses), so this huge graph is not surprising.
Most of the domain names look very similar, so I won’t show the others.
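As an added example (my code, not code from the post or from Arbor), here is how the fluxiness call described above can be made mechanically from resolver data: count the distinct A records and origin ASNs seen for a name, score them with the fluxiness formula of Holz et al. (NDSS 2008), and check what share of the addresses reverse-resolve into consumer broadband zones. The observations, IP addresses, ASNs and PTR names are constructed (documentation ranges), and the broadband PTR patterns are an assumed heuristic, not something the post states.

```python
import re
from collections import defaultdict

# Fluxiness score from Holz et al., "Measuring and Detecting Fast-Flux
# Service Networks" (NDSS 2008): f = 1.32 * n_A + 18.54 * n_ASN, flux if
# f > 142.38, computed over the distinct A records and ASNs seen for a name.
W_A, W_ASN, FLUX_THRESHOLD = 1.32, 18.54, 142.38

# Assumed heuristic: PTR names with these fragments usually sit in consumer
# broadband reverse zones, i.e. the infected home machines a flux net fronts.
BROADBAND_PTR = re.compile(
    r"(a?dsl|cable|dyn(amic)?|dhcp|pool|ppp|dial|broadband|cust(omer)?)", re.I)

# Constructed observations (documentation IPs and ASNs, made-up PTRs), as a
# resolver-polling job would log them: (name, A record, TTL, origin ASN, PTR).
SAMPLE = [
    ("flux.example", "192.0.2.10", 300, 64496, "adsl-192-0-2-10.isp-a.example"),
    ("flux.example", "192.0.2.77", 300, 64496, "pool-77.dynamic.isp-a.example"),
    ("flux.example", "192.0.2.130", 300, 64497, "cable-130.isp-b.example"),
    ("flux.example", "192.0.2.201", 300, 64497, "dhcp-201.isp-b.example"),
    ("flux.example", "198.51.100.5", 300, 64498, "ppp-5.dialup.isp-c.example"),
    ("flux.example", "198.51.100.66", 300, 64499, "cust-66.broadband.isp-d.example"),
    ("flux.example", "198.51.100.99", 300, 64500, "dyn-99.isp-e.example"),
    ("flux.example", "198.51.100.150", 300, 64501, "150.dsl.isp-f.example"),
    ("flux.example", "203.0.113.7", 300, 64502, "host-7.pool.isp-g.example"),
    ("flux.example", "203.0.113.42", 300, 64503, "adsl-42.isp-h.example"),
    ("flux.example", "203.0.113.88", 300, 64503, None),            # no PTR
    ("flux.example", "203.0.113.200", 300, 64502, "mail.smallbiz.example"),
    # Control: an ordinary hosted site, one address in one ASN, long TTL.
    ("static.example", "203.0.113.20", 3600, 64511, "web1.hosting.example"),
    ("static.example", "203.0.113.20", 3600, 64511, "web1.hosting.example"),
    ("static.example", "203.0.113.20", 3600, 64511, "web1.hosting.example"),
]


def summarize(observations):
    """Per name: A/ASN diversity, TTL, broadband-PTR share and flux verdict."""
    per = defaultdict(lambda: {"ips": set(), "asns": set(), "ttls": [], "bb": set()})
    for name, ip, ttl, asn, ptr in observations:
        d = per[name]
        d["ips"].add(ip)
        d["asns"].add(asn)
        d["ttls"].append(ttl)
        if ptr and BROADBAND_PTR.search(ptr):
            d["bb"].add(ip)          # address reverse-resolves like broadband
    report = {}
    for name, d in per.items():
        n_a, n_asn = len(d["ips"]), len(d["asns"])
        score = W_A * n_a + W_ASN * n_asn
        report[name] = {
            "distinct_ips": n_a,
            "distinct_asns": n_asn,
            "min_ttl": min(d["ttls"]),
            "broadband_ratio": len(d["bb"]) / n_a,
            "flux_score": round(score, 2),
            "fast_flux": score > FLUX_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for name, r in summarize(SAMPLE).items():
        print(name, r)
```

In practice the observations come from querying the name repeatedly over several TTL periods and resolving the PTR of every answer; the origin ASN is looked up against a BGP table, and the score has to be applied to the union of all answers seen, since any single response exposes only a handful of the flux agents.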
Digging into the domain registrations themselves, we can see that they are registered all over the world; many went through a Chinese registration service, Paycenter.
Domain name: fandesjinkderunha.com
Registrant: Navigation Catalyst Systems, Inc
2141 Rosecrans Ave. Suite 2020
El Segundo, CA 90245
Email: domainadmin@navigationcatalyst.com
Phone: 3106471592
Fax: 3106476001

Domain Name.......... localhost-2.com
Creation Date........ 2008-07-10 17:03:34
Registration Date.... 2008-07-10 17:03:34
Expiry Date.......... 2009-07-10 17:03:34
Organisation Name.... Zhou Guangqiang
Organisation Address. Xihua University
Organisation Address.
Organisation Address. Chengdu
Organisation Address. 610000
Organisation Address. SC
Organisation Address. CN

Domain Name : rx-from-warehouse3.com
Registrant:
Organization : zhang honghong
Name : zhang honghong
Address : chengdu.sichuan
City : chengdu
Province/State : Beijing
Country : CN
Postal Code : 610000

Domain Name : try-anything-else.com
Registrant:
Organization : peng xiongjun
Name : pengxiongjun
Address : ji nan shi wei e lu 182 hao
City : ji nan
Province/State : Beijing
Country : CN
Postal Code : 250001

Domain Name : paguole.com
Registrant:
Organization : liu bin
Name :
Address : wu han
City : wu han
Province/State : Hubei
Country : China
Postal Code : 321900

Domain Name : postcards-1.com
Registrant:
Organization : peng xiongjun
Name : pengxiongjun
Address : ji nan shi wei e lu 182 hao
City : ji nan
Province/State : Beijing
Country : CN
Postal Code : 250001

Domain name: beruijindegunhadesun.com
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (bkqjsvgvbw@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O beruijindegunhadesun.com
Bellevue, WA 98007
US

Domain name: jaserungdnesinkas.com
Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (bhbvnkdk@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O jaserungdnesinkas.com
Bellevue, WA 98007
US
This whois data goes back to about March 2008, and the registrations themselves are interesting: the same registrant name and street address appear on more than one domain, while others sit behind a whois privacy service.
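The pivot the records above invite, written out as an added example (my code, not Arbor's): parse the whois records, normalize the registrant fields so that "peng xiongjun" and "pengxiongjun" compare equal, and cluster domains that share a strong identifier. Two choices matter. Region-level fields (city, province, postal code) are not used as pivots, because "Beijing" and "610000" would otherwise merge unrelated Chinese registrants into one group; and a record behind a whois privacy service contributes only its forwarding email, since the proxy's phone number and PMB address are shared by every customer of that proxy and would link all of them. The input is transcribed (abridged) from the records above; the field regexes, the key names and the proxy markers are assumptions.

```python
import re
from collections import defaultdict

# Whois records transcribed (abridged) from the post; the "Key : value"
# layout and free-form address lines with no key both occur.
WHOIS_DUMP = """\
Domain Name : try-anything-else.com
Organization : peng xiongjun
Name : pengxiongjun
Address : ji nan shi wei e lu 182 hao
Province/State : Beijing
Postal Code : 250001

Domain Name : postcards-1.com
Organization : peng xiongjun
Name : pengxiongjun
Address : ji nan shi wei e lu 182 hao
Province/State : Beijing
Postal Code : 250001

Domain Name : rx-from-warehouse3.com
Organization : zhang honghong
Address : chengdu.sichuan
Province/State : Beijing
Postal Code : 610000

Domain name: beruijindegunhadesun.com
Whois Privacy Protection Service, Inc.
Whois Agent (bkqjsvgvbw@whoisprivacyprotect.com)
+1.4252740657
PMB 368, 14150 NE 20th St - F1

Domain name: jaserungdnesinkas.com
Whois Privacy Protection Service, Inc.
Whois Agent (bhbvnkdk@whoisprivacyprotect.com)
+1.4252740657
PMB 368, 14150 NE 20th St - F1
"""

# Fields that identify a person or mailbox (assumed key names). City,
# province and postal code are deliberately not pivots: "Beijing" above
# would otherwise tie rx-from-warehouse3.com to the peng xiongjun domains.
STRONG_KEYS = {"registrant", "organisation name", "organization", "name", "address", "email"}
PROXY_MARKERS = ("whoisprivacyprotect", "privacy protection service")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?)\s*(?::\s*|\.+\s+|\.+$)(.*)$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
PHONE_RE = re.compile(r"\+?\d[\d.\- ]{6,}\d")


def normalize(value):
    """Collapse case and punctuation so 'peng xiongjun' == 'pengxiongjun'."""
    return re.sub(r"[^a-z0-9@]", "", value.lower())


def indicators(record):
    """Return (domain, proxied?, strong indicators) for one whois record."""
    domain, proxied, found = None, False, set()
    for line in record.splitlines():
        if any(mk in line.lower() for mk in PROXY_MARKERS):
            proxied = True
        m = FIELD_RE.match(line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else ("", "")
        if key == "domain name":
            domain = value.lower()
        elif key in STRONG_KEYS and value:
            found.add("kv:" + normalize(value))
        for email in EMAIL_RE.findall(line):
            found.add("email:" + email.lower())
        if key in ("phone", "fax") or line.lstrip().startswith("+"):
            for phone in PHONE_RE.findall(line):
                found.add("phone:" + re.sub(r"\D", "", phone))
    # The proxy's phone and address belong to the proxy, not the registrant,
    # and would link every customer of that proxy; keep only the forwarding email.
    if proxied:
        found = {i for i in found if i.startswith("email:")}
    return domain, proxied, found


def cluster(dump):
    """Union-find over domains that share at least one strong indicator."""
    parent, owners, proxied = {}, defaultdict(set), set()

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for rec in re.split(r"\n\s*\n", dump.strip()):
        domain, is_proxy, found = indicators(rec)
        parent[domain] = domain
        if is_proxy:
            proxied.add(domain)
        for ind in found:
            owners[ind].add(domain)
    links = defaultdict(set)                    # (domain_a, domain_b) -> why
    for ind, doms in owners.items():
        doms = sorted(doms)
        for other in doms[1:]:
            parent[find(other)] = find(doms[0])
            links[(doms[0], other)].add(ind)
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values()), dict(links), proxied
```

Run over the transcribed records, `cluster(WHOIS_DUMP)` joins try-anything-else.com and postcards-1.com on the shared registrant name and street address, leaves rx-from-warehouse3.com alone despite the matching "Beijing" field, and keeps the two privacy-protected domains apart even though their visible phone number is identical. When the same pivot is run against a full registrar feed, the strong-key list and the proxy markers are the two knobs that decide how many false links you get.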
The fact that this botnet, once forgotten, is resurgent shows that spammers who find success will do what they can to continue that success with minimal effort (reviving an existing botnet rather than building a new one, for example), and evolve as needed.


I don’t know if this will be of much use for your systems, but I have started publishing a list of the IP addresses attacking our mail servers. It is published on this site http://www.zombienet.info/