New Asprox domains Sept 06

2aspx.net, 6aspx.com, 8ssl.net, 9ssl.net, 9aspx.net, 19ssl.net, 24aspx.com, 56ssl.com, 58ssl.com, 64asp.com, 64do.com, 74asp.net, 81ssl.com, 83asp.com, 93asp.net, asp46.com, aspx46.com, asp53.com, ssl95.com
The registrar for these is bizcn.com.

No big changes (I have not checked the content of the JavaScript files): the domains are still hosting the Nesco mule scam at the root level, and add.js has returned. Some of the domains are also used in phishing expeditions, as usual. Today's phishes are trying to fool customers of Associated Bank.

Example whois and dig, for whatever it is worth (see below the whois info for some more):

   Domain Name: 64DO.COM
   Registrar: BIZCN.COM, INC.
   Whois Server: whois.bizcn.com
   Referral URL: http://www.bizcn.com.
   Name Server: NS1.64DO.COM
   Name Server: NS2.64DO.COM
   Name Server: NS3.64DO.COM
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Updated Date: 07-sep-2008
   Creation Date: 06-sep-2008
   Expiration Date: 06-sep-2009

Registrant Contact:
   City22 llc
   Alex Williamos druid00091@aol.com
   +1.8827721124 fax: +1.8827721124
   321113 po box
   New York NY 12131
   us

Administrative Contact:
   Alex Williamos druid00091@aol.com
   +1.8827721124 fax: +1.8827721124
   321113 po box
   New York NY 12131
   us

Technical Contact:
   Alex Williamos druid00091@aol.com
   +1.8827721124 fax: +1.8827721124
   321113 po box
   New York NY 12131
   us

Billing Contact:
   Alex Williamos druid00091@aol.com
   +1.8827721124 fax: +1.8827721124
   321113 po box
   New York NY 12131
   us

DNS:
ns1.64do.com
ns2.64do.com
ns3.64do.com

Created: 2008-09-06
Expires: 2009-09-06

dig 64do.com

; <<>> DiG 9.3.5-P1 <<>> 64do.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5044
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;64do.com.                      IN      A

;; ANSWER SECTION:
64do.com.               600     IN      A       84.108.2.210
64do.com.               600     IN      A       84.125.213.27
64do.com.               600     IN      A       98.192.123.168
64do.com.               600     IN      A       98.193.232.166
64do.com.               600     IN      A       99.242.18.143
64do.com.               600     IN      A       189.82.193.156
64do.com.               600     IN      A       208.126.130.49
64do.com.               600     IN      A       12.203.121.61
64do.com.               600     IN      A       24.168.139.174
64do.com.               600     IN      A       65.184.106.105
64do.com.               600     IN      A       69.247.213.228
64do.com.               600     IN      A       75.40.202.87
64do.com.               600     IN      A       76.235.55.204
64do.com.               600     IN      A       76.241.133.144

;; AUTHORITY SECTION:
64do.com.               162779  IN      NS      ns1.64do.com.
64do.com.               162779  IN      NS      ns2.64do.com.
64do.com.               162779  IN      NS      ns3.64do.com.

;; Query time: 730 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Mon Sep  8 17:53:14 2008
;; MSG SIZE  rcvd: 304
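
The dig answer above shows the properties worth recording for these domains: many A records on unrelated networks, a 600-second TTL, and name servers inside the domain itself, which is the usual shape of fast-flux hosting. The following is an added example, not part of the original post, that extracts those properties from dig output; the function names and the thresholds in `looks_like_flux` are assumptions chosen for illustration.

```python
import ipaddress
import re

# dig prints resource records as: owner, TTL, class, type, data.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def summarize(dig_text):
    """Summarise the A and NS records found in dig output for one name."""
    owner, addrs, ttls, ns = None, [], [], []
    for line in dig_text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # ";" comment lines, the question line, blanks
        name, ttl, rtype, data = m.groups()
        if rtype == "A":
            owner = name.rstrip(".").lower()
            addrs.append(ipaddress.ip_address(data))
            ttls.append(int(ttl))
        else:
            ns.append(data.rstrip(".").lower())
    nets = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
    own_ns = [n for n in ns if owner and n.endswith("." + owner)]
    return {
        "name": owner,
        "a_records": len(addrs),
        "distinct_16s": len(nets),
        "min_ttl": min(ttls) if ttls else None,
        "self_hosted_ns": bool(ns) and len(own_ns) == len(ns),
    }

def looks_like_flux(s, min_a=5, min_nets=4, max_ttl=1800):
    """Thresholds are illustrative assumptions, not published cut-offs."""
    return (s["a_records"] >= min_a and s["distinct_16s"] >= min_nets
            and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl)

# Abridged from the 64do.com answer in this post (5 of its 14 A records).
SAMPLE_64DO = """
64do.com. 600 IN A 84.108.2.210
64do.com. 600 IN A 98.192.123.168
64do.com. 600 IN A 189.82.193.156
64do.com. 600 IN A 208.126.130.49
64do.com. 600 IN A 12.203.121.61
64do.com. 162779 IN NS ns1.64do.com.
64do.com. 162779 IN NS ns2.64do.com.
64do.com. 162779 IN NS ns3.64do.com.
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_64DO), looks_like_flux(summarize(SAMPLE_64DO)))
```

Feeding it the full 14-record answer gives 14 distinct /16 networks; a single-address answer with third-party name servers does not trip the check.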

Conrad Longmore at dynamoo.com/blog/ ties druid00091@aol.com to a mule scam, luksus-jobs.org:
http://www.dynamoo.com/blog/2008/09/job-opportunity-at-luksus-luksus.html
He points out that the contact point here is not a website, only email.
The mail server lives at 12.192.82.225.

There is also another mule scam sharing the mail server at 12.192.82.225:

; <<>> DiG 9.3.5-P1 <<>> mx.kiroxsolutions.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10613
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mx.kiroxsolutions.com.		IN	ANY

;; ANSWER SECTION:
mx.kiroxsolutions.com.	1044	IN	A	12.192.82.225

;; AUTHORITY SECTION:
kiroxsolutions.com.	863	IN	NS	ns1.toolns.com.
kiroxsolutions.com.	863	IN	NS	ns2.toolns.com.

;; Query time: 48 msec
;; SERVER: 217.13.7.140#53(217.13.7.140)
;; WHEN: Mon Sep  8 18:55:46 2008
;; MSG SIZE  rcvd: 98

Following the same pattern as luksus-jobs.org, no website is up, but the contact point is email.
For examples, including some spam, here is a Google search:
http://www.google.com/search?q=kiroxsolutions

Including a whois for kiroxsolutions.com:

Domain Name: KIROXSOLUTIONS.COM
   Registrar: THE REGISTRY AT INFO AVENUE D/B/A IA REGISTRY
   Whois Server: whois.iaregistry.com
   Referral URL: http://www.spiritdomains.com
   Name Server: NS1.TOOLNS.COM
   Name Server: NS2.TOOLNS.COM
   Status: clientTransferProhibited
   Updated Date: 13-aug-2008
   Creation Date: 13-aug-2008
   Expiration Date: 13-aug-2009

Registration Service Provided By: SPIRITDOMAINS/IAREGISTRY
Contact: +1.8662720938
Website: http://www.spiritdomains.com

Domain Name: KIROXSOLUTIONS.COM

Registrant:
    N/A
    Channon Jay Cruz        (superbook@mail.com)
    123-310 Dapple Ct
    Wilmington
    North Carolina,28403
    US
    Tel. +001.2544587549

Creation Date: 13-Aug-2008
Expiration Date: 13-Aug-2009

Domain servers in listed order:
    ns2.toolns.com
    ns1.toolns.com

Administrative Contact:
    N/A
    Channon Jay Cruz        (superbook@mail.com)
    123-310 Dapple Ct
    Wilmington
    North Carolina,28403
    US
    Tel. +001.2544587549

Technical Contact:
    N/A
    Channon Jay Cruz        (superbook@mail.com)
    123-310 Dapple Ct
    Wilmington
    North Carolina,28403
    US
    Tel. +001.2544587549

Billing Contact:
    N/A
    Channon Jay Cruz        (superbook@mail.com)
    123-310 Dapple Ct
    Wilmington
    North Carolina,28403
    US
    Tel. +001.2544587549

http://www.kiroxsolutions.com/ gives a "Forbidden" error. The error page seems to rotate between some IPs. Not following this closely, but so far 69.141.7.178 (Comcast) and 82.176.199.100 (ZeelandNet in the Netherlands) have shown up.