McColo, Asprox and a little more

Brian Krebs over at SecurityFix has done a nice job focusing on McColo.
This led to a couple of their providers "cutting the lines".
Maybe only a short-lived "victory", but I am enjoying it.

A couple of small details:

The Asprox botnet and McColo?

This is what I get today when trying to connect to a couple of the live domains on the botnet:

Asprox domains November 04 - 06, 2008

(First written Nov 05, last updated Nov 10)

07load.us, 1filter.gs, 1hostid.cc, 1server.jp, 15load.tv, 25uid.name, 30doc.tk, 32doc.cn, 3update.eu, 49url.cc, 50inet.asia, 56pool.in, 5version.mobi, 62get.asia, 6tagid.com, 8default.net, chk80.co.uk (nuked?), confirm3.in, id81.mobi, input2.cc, pif02.jp, root71.ws, search5.name, sslweb5.bz, sys17.name, udp96.ws

version9.bz has also been set up on the botnet, but no sign of registration. Maybe nuked already?

Example of a phishing URL, or more correctly, part of a URL:
www2.abbey.com.win635801.id81.mobi

Asprox domains October 31, 2008

Spotted so far today (November 1, 2008 14.25.07 GMT+01:00):

21java.tk, 4client.mobi, 4logon.jp, 78hit.gs (registered Nov 1), code57.ws, default2.asia, encode1.name, netmsg5.eu, tray62.tw

unsounder@

The usual phishing setup in addition to the JavaScript infections, with variations like:
ww0.abbey-national.co.uk.task7255.code57.ws

Asprox domains October 28 - 30, 2008

(First written October 28, updated November 01)

1route.in, 43ole.me, 48filt.jp, 55pif.me, 63page.ws, 69reg.cc, 6domain.tk, 83set.name, 8ipsec.asia, 91tmp.eu, 97type.me, 9frame.eu, api07.eu, code11.ca, en-us7.tk, login5.gs, manage5.tv, netapi7.name, portal6.jp, rdir52.us, report7.asia, rid31.ws, snmp52.gs, sslnet3.name, util13.us, vbs27.bz

pontooner@ /receptacle@

im here now - Brand0n says

He sure is, in my inbox that is:

Hi
Local Single are waiting for you
This is the place to hook up
h||p://paythegirls. info/

Last time he was using clickthisnow.info as the landing page for his spam.
This time it is paythegirls.info. Hosted at the same IP as clickthisnow.info, 119.42.148.66 (InfoMove Limited in HK). And of course that IP is still listed in the Spamhaus Block List.

But he changed the setup a bit, paythegirls. info now goes automagically to the following domain on the same IP:

Asprox domains October 25 -27 2008

In the everlasting and extremely boring saga of new Asprox domains:

38rate.tk, 44text.eu, 5token.ws, 7direct.co.uk, 8shell.mobi, api68.co.uk, cid49.gs, config9.us, control7.ca, err05.bz, frame4.cc, load95.asia, log-in1.jp, map19.net, ssl37.name, sslcom0.tv

Most of them are probably set up for phishing; expect spam with links following patterns like:
online3.lloydstsb.co.uk.stat359257154.93vbs.tk/[etcetc]
www6.lloydstsb.co.uk.sslweb9858604.api68.co.uk/[etcetc]
ww7.lloydstsb.com.drv366795.8shell.mobi/[etcetc]
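The hostnames quoted in this post and in the earlier Asprox entries share one shape: the bank's real domain appears as whole labels, then a word-plus-digits token, then the unrelated registered domain. The following is an added example (not code from the original post) of a defender-side check for that shape; the suffix list and the brand list are constructed from the domains on this page only, and a real deployment would load the full Public Suffix List.

```python
import re
from typing import Optional

# Constructed: the only multi-label public suffix that occurs in this post.
MULTI_LABEL_SUFFIXES = ("co.uk",)

# Constructed: the bank domains the quoted spam URLs imitate.
BRAND_DOMAINS = ("abbey.com", "abbey-national.co.uk",
                 "lloydstsb.co.uk", "lloydstsb.com")

# The label directly in front of the registered domain in the quoted URLs is a
# short word followed by a run of digits (win635801, task7255, sslweb9858604).
TOKEN_LABEL = re.compile(r"^[a-z]+[0-9]+$")


def registered_domain(host: str) -> str:
    """Registrable domain (eTLD+1) of a hostname, using the small suffix list."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return ".".join(labels[-(len(parts) + 1):])
    return ".".join(labels[-2:])


def classify(host: str) -> Optional[dict]:
    """Return brand, token and registered domain when `host` embeds a brand
    domain as subdomain labels of some other registered domain, else None."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in BRAND_DOMAINS:
        return None  # genuinely under the brand's own registered domain
    prefix = host[:len(host) - len(reg) - 1] if len(host) > len(reg) else ""
    for brand in BRAND_DOMAINS:
        # The brand must occur as complete labels, not as a substring.
        if re.search(r"(?:^|\.)" + re.escape(brand) + r"(?:\.|$)", prefix):
            token = prefix.split(".")[-1]
            return {
                "brand": brand,
                "token": token if TOKEN_LABEL.match(token) else None,
                "registered_domain": reg,
            }
    return None
```

The returned registered domain is the value worth blocking or sinkholing; the brand name tells you which customers to warn.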
