rulesbreacker.com — I smell a botnet

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

rulesbreacker.com — I smell a botnet

Post by NotBuyingIt » Sat Jun 18, 2011 2:34 am

Some community members rate sites based on PhishTank.com reports. When investigating reports about rulesbreacker.com, be careful of malware on that site. It appears to be controlled by a botnet.

[Edit: More]
A "twin" domain name cfnm-paradise.com was also used by the botnet interchangeably with rulesbreacker.com; cfnm-paradise.com was subsequently suspended (Status: clientHold).

Name servers for the domains:
ns1.remiann.net [IP 67.23.245.105, HostDime.com, Inc / USA]
http://www.malwareurl.com/ns_listing.ph ... emiann.net

ns1.versepurze.com [IP 67.23.245.105]
http://www.malwareurl.com/ns_listing.ph ... epurze.com

ns2.remiann.net [IP 75.4.135.11, AT&T Internet Services PPPoX Pool / USA]
ns2.versepurze.com [IP 67.15.223.200, ThePlanet.com Internet Services, Inc / USA]

"A" records: IP addresses where computers may be under botnet control

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

rulesbreacker.com suspended

Post by NotBuyingIt » Mon Jun 20, 2011 3:52 am

The rulesbreacker.com domain has been reassigned a status of clientHold. The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.

As I stated earlier, cfnm-paradise.com has been suspended. When I first mentioned that domain, I did not realize that it might have a barely naughty meaning. I have a nose for botnets, perhaps, but not so much for other stuff. For screen captures of the domain during its botnet phase, see
http://www.phishtank.com/phish_detail.p ... id=1215369
http://www.phishtank.com/phish_detail.p ... id=1215368
http://www.phishtank.com/phish_detail.p ... id=1215363

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

oposumcruiser.com is new member of botnet

Post by NotBuyingIt » Sat Jun 25, 2011 2:31 am

[quote="notbuyingit"]
The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.
[/quote]
As anticipated, another domain has come online as a part of the botnet, using remiann.net and versepurze.com for DNS. The newly registered oposumcruiser.com is currently running many of the botnet's malware and phishing scams.


[Edit: More]

"A" records: IP addresses where computers may be under botnet control


I need to acknowledge an earlier report by MysteryFCM at http://hosts-file.net/?s=oposumcruiser.com
My work is based upon (subsequent) reports at PhishTank.com and OpenDNS.com. PhishTank.com has marked several reported malware URLs "Offline" although they are actually still running.

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

RE: rulesbreacker.com — I smell a botnet

Post by c۞g » Sat Jun 25, 2011 5:01 am

To add:

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

oposumcruiser.com is new member of botnet

Post by NotBuyingIt » Sun Jun 26, 2011 2:52 pm

I began this thread to caution members, who independently examine sites that they come across in order to rate them, about a particular botnet. The Cybercrime & Doing Time blog has a new article that gives examples of how this botnet uses spam to spread malware, including 'drive-by' infections(!), and promote phishing scams. See
http://garwarner.blogspot.com/2011/06/n ... ign.html
(Note: In an update to the article, MysteryFCM is once again acknowledged.)

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

No, no, no....

Post by NotBuyingIt » Sun Jun 26, 2011 8:02 pm

A few hours after I posted the (hopefully useful) reference
http://garwarner.blogspot.com/2011/06/n ... paign.html
a fairly new member submitted it as a phishing incident to PhishTank.com. I guess that I should have colored it green in my earlier comment.

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

lareconexiondelser.net joins the botnet

Post by NotBuyingIt » Mon Jun 27, 2011 2:39 am

ns1.lareconexiondelser.net [IP 67.23.245.105, HostDime.com, Inc / USA] is now listed as a DNS provider for oposumcruiser.com; it replaces versepurze.com, which has been suspended by its registrar.

"A" records: additional IP addresses where computers may be under botnet control
125.231.8.177 [Chunghwa Telecom Co / Taiwan]
217.68.182.5 [Decimus GmbH (Primacom AG) / Germany]
62.83.93.27 [Cableuropa - Ono / Spain]
[Edit: more]
125.231.7.167 [Chunghwa Telecom Co / Taiwan]
173.20.247.94 [Mediacom Communications Corp / USA]

Clean-mx.de has several active reports about newer botnet configuration. For an example, see
http://support.clean-mx.de/clean-mx/phishing?id=935154
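The recurring observation in this thread is that the botnet rotates its front domains (rulesbreacker.com, cfnm-paradise.com, oposumcruiser.com) while keeping the same name-server domains (remiann.net, versepurze.com), and swaps in a replacement name server (lareconexiondelser.net) when one is suspended. The following is an added example, not code from any post, of pivoting on that shared NS infrastructure; the DNS records and the .example hostnames are constructed for illustration.

```python
"""Pivot on shared name-server domains to spot new front domains.

Added example (not from the forum thread). Known NS domains come from the
thread; the NS_RECORDS data is constructed, standing in for a passive-DNS feed.
"""
from collections import defaultdict

# Botnet name-server domains reported in the thread.
KNOWN_NS_DOMAINS = {"remiann.net", "versepurze.com"}

# Constructed passive-DNS style records: (front domain, NS hostname).
# The .example hostnames are hypothetical.
NS_RECORDS = [
    ("rulesbreacker.com", "ns1.remiann.net"),
    ("rulesbreacker.com", "ns2.versepurze.com"),
    ("newfront.example", "ns1.remiann.net"),
    ("newfront.example", "ns1.other.example"),
    ("benign.example", "ns1.legit-dns.example"),
    ("benign.example", "ns2.legit-dns.example"),
]

def registrable_domain(hostname: str) -> str:
    """Reduce an NS hostname to its last two labels (fine for .com/.net/.ru;
    a public-suffix list would be needed for TLDs such as .co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def domains_sharing_ns(records, known_ns_domains):
    """Return {front domain: set of known NS domains it delegates to} for
    every front domain that uses at least one known botnet name server."""
    hits = defaultdict(set)
    for front, ns_host in records:
        ns_dom = registrable_domain(ns_host)
        if ns_dom in known_ns_domains:
            hits[front.lower()].add(ns_dom)
    return dict(hits)

def expand_known_ns(records, seed_fronts):
    """Inverse pivot: from confirmed front domains, collect every NS domain
    they delegate to, so a replacement name server is picked up as well."""
    return {registrable_domain(ns) for front, ns in records
            if front.lower() in seed_fronts}

if __name__ == "__main__":
    for front, shared in domains_sharing_ns(NS_RECORDS, KNOWN_NS_DOMAINS).items():
        print(f"{front}: shares NS infrastructure {sorted(shared)}")
```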

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

RE: No, no, no....

Post by c۞g » Mon Jun 27, 2011 3:17 am

[quote="notbuyingit"]
I guess that I should have colored it green in my earlier comment.
[/quote]
Maybe just paste the link: http://garwarner.blogspot.com/2011/06/n ... paign.html
or wrap it with the anchor tag so it's not truncated:
http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html

;-)

NotBuyingIt
Posts: 6505
Joined: Fri Mar 11, 2011 6:21 pm

RE: oposumcruiser.com is new member of botnet

Post by NotBuyingIt » Tue Jun 28, 2011 3:40 pm

oposumcruiser.com has been suspended (status: clientHold) by its domain registrar.

c۞g
Posts: 21225
Joined: Mon Jan 05, 2009 4:02 am

RE: rulesbreacker.com — I smell a botnet

Post by c۞g » Tue Jun 28, 2011 9:33 pm

I'm not in the mood to reconfigure my router....
Checking purplepron.ru I get the OpenDNS blocking notice:

This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

If you think this shouldn't be blocked, please email us at contact@opendns.com.

