[Scspamcop] Re: OT, Ralsky Indictment (Link)
David Bolt
blacklist-me at davjam.org
Sun Jan 6 09:43:55 EST 2008
On Sun, 6 Jan 2008, Farelf wrote:-
<snip>
>Truth. A peek at a live botnet is currently afforded by looking at the
>hosting of greatcanadianpharm.com (using nslookup or whatever). A
>changing list of 15 addresses should be shown, with a few different
>ones coming into play every few minutes - doesn't take long to see 50
>or more different addresses. 75% of which are east Asian - China,
>Japan, Korea (Comcast and AT&T making up most of the rest). May not be
>representative but I'm supposing it is.

Another botnet can be seen by looking at newyearwithlove.com and the IP
addresses returned by queries. A lookup will get a single IP address
with a TTL of 0, so results aren't cached and new lookups are required
whenever you retrieve anything from the site. Also, each of the infected
systems can act as a name server for the various domains used by the
botnet. It also has a web server to serve up the trojan which may or may
not be detected by up-to-date anti-virus software.

When I was tracking the infected hosts[0] around 50% were in the US, and
mostly on AT&T or Comcast, with another 20-30% throughout Europe and the
rest spread out around the world.

[0] Was tracking. One of the defences the Storm worm incorporates is a
DDOS attack on anyone "interfering" with the botnet. I must have
triggered it as I got DDOS'd after just a couple of days of fairly
active scanning. The initial DDOS lasted about a day or two, with the
level dropping off slowly. With a dynamic IP, this probably wouldn't
have been a problem, but I have a static IP and so could do little but
sit there and weather the storm.

Regards,
David Bolt
--
Team Acorn: http://www.distributed.net/ OGR-P2 @ ~100Mnodes RC5-72 @ ~15Mkeys
SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a0
SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC |RISC OS 3.11