McColo, Asprox and a little more

Brian Krebs over at SecurityFix has done a nice job focusing on McColo,
which led to a couple of their providers "cutting the lines".
Maybe only a short-lived "victory", but I am enjoying it.

A couple of small details:

The Asprox botnet and McColo?

This is what I get today when trying to connect to a couple of the live domains on the botnet:

Error message: 50 Gateway Time-out

Could this be a result of McColo being down?
The infected home PC can't connect to the master sitting in McColo's space? Or is it just a coincidence?
I have no clue.

But I have not spotted any new domains the last days either on the Asprox botnet.
(Which of course does not mean that there aren't any, only that I, through my primitive methods, have not found them.)

Two coincidences at the same time?
I would not be surprised if the botmasters are at McColo.

The child abusers and McColo

McColo has hosted at least a few chains in the payment process for child abusers.
The chain goes something like this:

Child abuse-site --> pay.aspire-systems.biz/[code] --> flashbill/flash-bill.[tld] --> bill-support.com
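Mapping a chain like this by hand means disabling automatic redirect following so every hop and its status code is recorded, including a dead hop such as the gateway time-out mentioned earlier. The following is an added example, not code from this post: it walks a redirect chain hop by hop with Python's standard library and, so that it runs offline, stands up a constructed local HTTP server whose `/entry -> /pay/abc -> /bill` hops are a placeholder stand-in for the real chain above.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each 3xx surfaces as an HTTPError we can log."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_chain(start_url, max_hops=10, timeout=5):
    """Return a list of (url, status) hops, following Location headers manually.

    The walk stops at the first non-redirect response (200, 404, 504, ...) or
    at a connection error, and records that final status so dead hops are visible.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    url = start_url
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=timeout)
            hops.append((url, resp.status))  # terminal hop, e.g. the billing page
            return hops
        except urllib.error.HTTPError as e:
            hops.append((url, e.code))
            loc = e.headers.get("Location")
            if e.code in (301, 302, 303, 307, 308) and loc:
                url = urljoin(url, loc)  # resolve relative Location against current hop
                continue
            return hops  # e.g. 504 Gateway Time-out: chain is broken here
        except urllib.error.URLError as e:
            hops.append((url, "error: %s" % e.reason))
            return hops
    hops.append((url, "max hops exceeded"))
    return hops


class _ChainHandler(http.server.BaseHTTPRequestHandler):
    """Constructed three-hop chain used only so the example runs offline."""

    CHAIN = {"/entry": "/pay/abc", "/pay/abc": "/bill"}  # hypothetical hops

    def do_GET(self):
        nxt = self.CHAIN.get(self.path)
        if nxt:
            self.send_response(302)
            self.send_header("Location", nxt)
            self.end_headers()
        elif self.path == "/bill":
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Start the constructed server on an ephemeral port and walk its chain."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _ChainHandler)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        port = srv.server_address[1]
        return follow_chain("http://127.0.0.1:%d/entry" % port)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for url, status in run_demo():
        print(status, url)
```

Against a real chain the analyst would pair each recorded hop with its DNS resolution at the time of the walk, since, as the rest of this post shows, the hostnames stay put while the hosting IPs move between networks.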

pay.aspire-systems.biz was hosted at 208.72.168.67, McColo.
The domain aspire-systems.biz now seems to be nuked by the registrar (Directi).
flashbill.net still points to 208.72.170.149 on McColo and therefore sleeps with the phishes at the moment (from my part of the world).

But another one was in place when McColo went off the air.
Hosted at the same IP as pay.aspire-systems.biz.
That domain is now hosted at ecatel.net, 89.248.168.80.
Already nicely placed in the Spamhaus Block List, SBL68266

Now eltel.net is on its way to routing McColo,
which has led to some listings in the SBL.

Other hosts and child abusers

In addition to McColo, here are a few others contributing to the hosting of at least one of the chains in the payment process:

  • 78.47.60.3 and 78.47.61.225, Hetzner Online AG / Alexander Ruzhentsev.
    Hosting bill-support.com and flashbill.com, the last and the "next-last" step in the payment chain.
  • 92.241.176.22, RU-WEBALTA (Wahome IPs) / netplace.ru
    Hosting flashbill.org
  • 65.254.217.103, Peak 10 / Jadase LLC.
    Hosting signup.nudistcash.com (usually the second step in the payment chain)
  • 85.17.111.162, Leaseweb in the Netherlands.
    Hosting flash-bill.net
  • ezzi.net hosts what I have been informed is a site where the actual download of files happens
  • gnax / Northstorm.net host a handful of the "entry pages" for the seeking pedophiles

Try different variations of flash[-]bill.[tld] and you may find other hosts.

But they are moving around, and there are several other networks hosting bits and pieces of this gang's operation.
Serving the pedophiles the abused children.