[Scgeeks] Re: Query: watch.ru

Farelf user at domain.invalid
Mon Aug 25 07:44:21 EDT 2008


rooster wrote:
> Farelf wrote:
> 

<snip>

>>
>> Imagine - hacking a spammer!  "Little fleas have smaller fleas," etc. 
>> Still, the Russians evidently see spamming in a 'different' light, 
>> just another kind of advertising to them.
> 
> 
> "hacking a spammer." Doesn't really make sense though, does it? If I'm
> understanding you. The spamming agent (spag) would have to have rather
> intimidating receivables clerks when it came time to collect from
> watches.ru for his master's unsolicited promo services; eh?

What I had in mind is some third party silently inserting code and/or 
exploit pages into the relatively innocent 'straight up' spammer 
watch.ru.  There seems to be a lot of this sort of thing happening. 
Purpose, to assimilate as many visitors as possible into the botnet(s) 
using the CNN Top 10 and other malicious link spams.  Nothing to do with 
the unwitting hosts.   See 
http://forum.spamcop.net/forums/index.php?showtopic=9627 - with links 
http://www.vivtek.com/projects/despammed/stormspam_explanation.html and
http://www.vivtek.com/projects/despammed/stormspam.html explaining it 
more purposefully than I could (and with about 10^4 times the data to 
play with - probably a bit more spare time too).  Not to mention more 
knowledge.  And a higher IQ.  And a nice dog.  You get the picture.

> 
> If the watch.ru spew *isn't* a malware medium directed at hijacking the
> unwary, perhaps we're seeing a turf war over share in the fake bling
> market. The 2 biggies, King Replica (cum Elite Herbal, cum Herbal King)
> and Prestige Replica(s) have been hosted on Korean nameservers,
> ...although PresRep also has a smattering of Chinese, Panamanian and
> Romanians in the mix. Point being, no .ru's. The legitimacy of watch.ru
> aside for the moment, perhaps this blitz is a full-frontal attempt to get
> the watch.ru site blisted/red flagged to discredit them (further) in
> order to level the playing field.

I think just to expand the botnets for any/all of that, plus take down 
Georgia's internet, perfect the Theory of Everything/GUT and rule all of 
the observable universe.  Something in between and not limited to the 
first and the last.

> 
> FWI
> King Replica/Elite Herbal/Herbal King uses name server:
> 124.1.2.3
> 124.0.0.0 - 124.1.255.255
> netname:      SKNETWORKS
> descr:        SK Networks Co.
> descr:        199-15, Ulchiro-2Ga, Chung-Gu, Seoul, 100-192
> descr:        ************************************************
> descr:        Allocated to KRNIC Member.
> 
> Prestige Replica(s) also uses a preponderance of Korean nameservers
> (e.g., ns1.monn12.com 211.110.100.137, etc.), with a smattering of
> Chinese, Panamanian and Romanians into the mix.
> 
> I don't know if anyone has established it, but these two bruits might
> be affiliates. On one hand, it's obvious. But that's not the same as
> provable.
> 
> watch.ru on the other hand is distinctly Russian, ...been around for 10
> years or so, following a business plan that kind of straddles the line
> between outright spam and mere opportunistic marketing, (i.e., between
> criminal and really irritating)

Yep

> ns.caravan.ru. 217.23.128.1
> ns2.caravan.ru. 217.23.146.1
> 
> FFYI: (from my notes)
> #985
> watch.ru
> <snip>
> SC link resolver misquotes link!
> 
> http://www.spamcop.net/sc?id=z2183806550z9274e85fe59499a998169b98da18ba11z
> 
> Subj: Rolex, Raddo, Patek  Philippe, Omega, Gucci
> 
> Resolving link obfuscation
>   http://www.watch.ru
>   http://www.watchru
>   Host www.watchru (checking ip) IP not found ; www.watchru discarded as fake.
>   Host www.watchru (checking ip) IP not found ; www.watchru discarded as fake.
> Tracking link: http://www.watchru/

Crappy spamware mass-mailer.  You'd think they'd get better gear.

> No recent reports, no history available
> Cannot resolve http://www.watchru/

Of course not. Crappy spamware mass-mailer.

