RE: New trojan turns home PCs into porno Web site hosts

From: ge (geat_private)
Date: Fri Jul 11 2003 - 22:05:33 PDT

Next message: Chris Paget: "Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux"

Previous message: David A. Pérez: "Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux"
In reply to: Richard M. Smith: "New trojan turns home PCs into porno Web site hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Some individual appears to have hijacked more than a 1,000 home
computers starting in late June or early July and has been installing a
new trojan horse
> program on them.

Let us consider ourselves lucky. That is an extremely low number.

> To make it more difficult for these web sites to be shut down, a
single home computer is used for only 10 minutes to host a site.  After
10 minutes, the IP address of the Web site is changed to a different
home 
> computer.  The hacker is able to do this quick switching because he
has installed DNS name servers for his domains on other home computers
under his control.  The DNS name servers specify that a hostname 
> to-IP-address mapping should only live for 10 minutes.
 
As I see it, someone in the states should file a complaint with the FBI
(if one has not already been charged) and they can handle this guy.
If not, the best way, as I see, it is to check where the Trojan gets the
information it uses from, a.k.a. where it connects. Should give you the
right IP for abuse mail.
If you get rid of that one IP, you effectively get rid of the thousand
infected machines.

> Some of the domain names used by the Web sites of the trojan are:
>
>    onlycoredomains.com
>    pizdatohosting.com
>    bigvolumesites.com
>    wolrdofpisem.com
>    arizonasiteslist.com
>    nomorebullshitsite.com
>    linkxxxsites.com

Here's a place to start with the abuse mails, find out what ISP hosts
them and cross your fingers they won't send your emails to /dev/null.

> It is not known at the present time how the trojan gets installed on
people's computers.  My theory is that the Sobig.e virus might be
involved, but the evidence is not strong at the moment.

The DSL and Cable IP ranges get scanned _even_ more than the rest of the
world. Anybody remembers that paper that stated a computer would get
scanned 36 hours after it establishes a connection to the Internet?
Well, I am on ADSL with my home machine, and surprisingly enough I got
hit the second I switched to ADSL and I get ten to fifteen scans a
minute. That said not mentioning being a secondary victims to kiddies
using these IP ranges to spoof attacks (ICMP echo 3).

> Richard M. Smith
> http://www.ComputerBytesMan.com


      Gadi (i.e. ge),
      geat_private

--------
gevronat_private
PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.

Next message: Chris Paget: "Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux"
Previous message: David A. Pérez: "Re: iDEFENSE Security Advisory 07.11.03: Win32 Message Vulnerabilities Redux"
In reply to: Richard M. Smith: "New trojan turns home PCs into porno Web site hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jul 12 2003 - 16:09:40 PDT