[Emerging-Sigs] auto-domain creation

Matt Jonkman jonkman at jonkmans.com
Wed Mar 12 11:15:25 EST 2008


Ya, I didn't mean to imply that I didn't think RBN was running botnets.
Just that the fast flux is botnet stuff, not related to their static
nets. The static nets are info drops, the fake AV sites, and c&c for
static trojans.

The bot nets appear to be a different 'department' from the fraudulent
software stuff to me. :)

Matt


David Glosser wrote:
> I was under the impression
> (http://rbnexploit.blogspot.com/2007/11/rbn-google-search-exploits.html)
> that RBN is now using fast flux for their botnets.....
> 
> 
> 
> On Wed, Mar 12, 2008 at 7:57 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> 
> 
>     David Glosser wrote:
>     > 1.  How often do these guys switch netblocks?
> 
>     Jim can answer that better than I, but I'd say from watching Jim's work
>     that the major move was after the wash post article. Since that major
>     scattering it's been just additions for improved capacity.
> 
>     > 2.  I guess none of these are fast-flux.
>     > Is it best to concentrate on blocking the fast-flux domains rather than
>     > "regular ones"
> 
>     2 different issues. The fast flux stuff is botnet controllers, mostly
>     (as far as I see) medium level to small time operators. RBN uses
>     redundant dns and the like, but they're more into the static fraud, fake
>     products stuff of late. Static websites, fake AV and antispyware, etc.
>     Not fast flux for any of those. Does that correlate with what you're
>     seeing, Jim?
> 
>     > 3. Sounds like an interesting two-pronged strategy would be to block IPs
>     > of "regular" RBN domains and domains themselves which are part of a
>     > fast-flux botnet... Not sure what the easiest way to do this is besides
>     > a script to check each domain to see if it's fast-flux'ed...
>     >
> 
>     We've got a version of that running behind the RBN ruleset and the
>     compromised domains. RBN is the static nets, mostly what Jim is tracking
>     and what shows up in the sandnet. The compromised is fast flux, storm
>     major peers, and others that show up as just plain and obviously
>     hostile.
> 
>     We're working on better ways to track and to distribute the information
>     though.
> 
>     Matt
> 
> 
>     >
>     >
>     >
>     > On Tue, Mar 11, 2008 at 11:24 PM, Jim McQuaid <jim.mcquaid at gmail.com> wrote:
>     >
>     >     "One way to beat the RBN's auto-domain creation tactic is to catalogue
>     >     their IP space and block it whether they have anything there or not.
>     >     I've thought about this as a means to diminish the effectiveness of
>     >     fast flux.  An example is at RapidSwitch, yesterday the RBN sigs
>     >     blocked:
>     >     87.117.252.11
>     >     87.117.255.20
>     >     87.117.255.30
>     >
>     >     However, we have now observed:
>     >
>     >     Conclusion, RBN owns that block of 255 addresses.  So, we should
>     >     always block it, as they are free to move domains in and out of that
>     >     range at will."
>     >
>     >
>     >     --
>     >     James McQuaid
>     >     http://www.jamesmcquaid.com
>     >     _______________________________________________
>     >     Emerging-sigs mailing list
>     >     Emerging-sigs at emergingthreats.net
>     >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>     >
> 
>     --
>     --------------------------------------------
>     Matthew Jonkman
>     Emerging Threats
>     Phone 765-429-0398
>     Fax 312-264-0205
>     http://www.emergingthreats.net
>     --------------------------------------------
> 
>     PGP: http://www.jonkmans.com/mattjonkman.asc
> 
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
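The "script to check each domain to see if it's fast-flux'ed" and the netblock-wide blocking argued for above, sketched as an added example that is not code from the list or from Emerging Threats' own tooling; the domains, lookups and the min_ips/max_ttl thresholds are constructed assumptions, and only the two 87.117.255.x hosts are taken from the post:

```python
"""Two-pronged blocking sketch: flag fast-flux domains from repeated DNS
lookups, then roll the static hosts up into netblocks to block whole ranges.
Added example; observations below are constructed, not real list data."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed lookups: (domain, ttl_seconds, A records returned that time).
OBSERVATIONS = [
    ("static-fakeav.example", 3600, ["87.117.255.20"]),
    ("static-fakeav.example", 3600, ["87.117.255.20"]),
    ("static-fakeav.example", 3600, ["87.117.255.30"]),
    ("flux-c2.example", 300, ["10.1.2.3", "192.0.2.9", "198.51.100.7"]),
    ("flux-c2.example", 300, ["203.0.113.4", "10.9.8.7", "192.0.2.50"]),
    ("flux-c2.example", 300, ["198.51.100.99", "203.0.113.77"]),
]

def is_fast_flux(lookups, min_ips=6, max_ttl=600):
    """Heuristic: short TTLs on every answer AND many distinct IPs over time.
    min_ips / max_ttl are assumed thresholds, not values from the thread."""
    ips = set()
    for ttl, addrs in lookups:
        if ttl > max_ttl:      # long-lived records are not flux behaviour
            return False
        ips.update(addrs)
    return len(ips) >= min_ips

def classify(observations):
    """Group lookups per domain and label each 'fast-flux' or 'static'."""
    by_domain = defaultdict(list)
    for domain, ttl, addrs in observations:
        by_domain[domain].append((ttl, addrs))
    return {d: ("fast-flux" if is_fast_flux(l) else "static")
            for d, l in by_domain.items()}

def netblocks_for_static(observations, classes, prefix=24):
    """Static hosts get blocked by range (default /24), since the operator
    can move domains within the range at will; flux domains are blocked
    by name instead, so their IPs are left out here."""
    blocks = set()
    for domain, _, addrs in observations:
        if classes[domain] == "static":
            for a in addrs:
                blocks.add(str(ip_network(f"{a}/{prefix}", strict=False)))
    return sorted(blocks)

if __name__ == "__main__":
    classes = classify(OBSERVATIONS)
    print(classes)
    print(netblocks_for_static(OBSERVATIONS, classes))
```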



