rulesbreacker.com — I smell a botnet
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
rulesbreacker.com — I smell a botnet
Some community members rate sites based on PhishTank.com reports. When investigating reports about rulesbreacker.com, be careful of malware on that site. It appears to be controlled by a botnet.
[Edit: More]
A "twin" domain name cfnm-paradise.com was also used by the botnet interchangeably with rulesbreacker.com; cfnm-paradise.com was subsequently suspended (Status: clientHold).
name servers for the domains:
ns1.remiann.net [IP 67.23.245.105, HostDime.com, Inc / USA]
http://www.malwareurl.com/ns_listing.php?ns=ns1.remiann.net
ns1.versepurze.com [IP 67.23.245.105]
http://www.malwareurl.com/ns_listing.php?ns=ns1.versepurze.com
ns2.remiann.net [IP 75.4.135.11, AT&T Internet Services PPPoX Pool / USA]
ns2.versepurze.com [IP 67.15.223.200, ThePlanet.com Internet Services, Inc / USA]
"A" records: IP addresses where computers may be under botnet control
115.30.232.131 [STNet / Japan]
125.231.7.243 [HINET Network / Taiwan]
202.170.104.110 [miyazaki cabletelevision network Co / Japan]
63.226.210.233 [NETPOINT uswest.net / USA]
83.213.31.242 [Euskaltel / Spain]
84.123.147.146 [Cableuropa - Ono / Spain]
84.126.146.87 [Cableuropa - Ono / Spain]
85.56.14.108 [Uni2 / Spain]
91.117.147.33 [R Cable y Telecomunicaciones Galicia / Spain]
Newer data
62.42.29.22 [Cableuropa - Ono / Spain]
79.109.116.245 [Cableuropa - Ono / Spain]
82.158.205.127 [Avenida Diagonal - Ono / Spain]
84.121.125.25 [Cableuropa - Ono / Spain]
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
rulesbreacker.com suspended
The rulesbreacker.com domain has been reassigned a status of clientHold. The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.
As I stated earlier, cfnm-paradise.com has been suspended. When I first mentioned that domain, I did not realize that it might have a barely naughty meaning. I have a nose for botnets, perhaps, but not so much for other stuff. For screen captures of the domain during its botnet phase, see
http://www.phishtank.com/phish_detail.php?phish_id=1215369
http://www.phishtank.com/phish_detail.php?phish_id=1215368
http://www.phishtank.com/phish_detail.php?phish_id=1215363
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
oposumcruiser.com is new member of botnet
<quote user="notbuyingit">
The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.
[/quote]
As anticipated, another domain has come online as a part of the botnet, using remiann.net and versepurze.com for DNS. The newly registered oposumcruiser.com is currently running many of the botnet's malware and phishing scams.
[Edit: More]
"A" records: IP addresses where computers may be under botnet control
112.71.69.76 [K-Opticom Corporation / Japan]
183.176.107.152 [STNet, Incorporated / Japan]
63.226.223.92 [Qwest Communications Company / USA]
66.159.180.87 [AT&T Internet Services PPPoX Pool / USA]
80.133.83.24 [Deutsche Telekom AG / Germany]
81.203.1.104 [Cableuropa - Ono / Spain]
85.86.48.130 [Euskaltel / Spain]
90.168.204.27 [France Telecom España / Spain]
I need to acknowledge an earlier report by MysteryFCM at http://hosts-file.net/?s=oposumcruiser.com
My work is based upon (subsequent) reports at PhishTank.com and OpenDNS.com. PhishTank.com has marked several reported malware URLs "Offline" although they are actually still running.
RE: rulesbreacker.com — I smell a botnet
To add:
bitschoonerop.com
58.227.43.222
91.203.88.46
91.209.24.174
96.38.26.235
113.53.251.236
124.248.39.46
ns1.carsmagiaso.com
ns1.zapiraguns.com
carsmagiaso.com
171.23.151.11
173.234.8.215
digimoduleded.com
58.227.43.222
91.203.88.46
96.38.26.235
113.53.251.236
124.248.39.46
dns1.carsmagiaso.com
ns1.zapiraguns.com
hideomechanic.com
58.227.43.222
91.203.88.46
96.38.26.235
113.53.251.236
124.248.39.46
ns1.carsmagiaso.com
ns1.zapiraguns.com
blackfuril.ru
datacricketuf.ru
greensinkod.com
neframeofwork.com
purplepron.ru
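The post above, like the first post's name-server and A-record lists, pivots by hand on what the domains share: the same residential IPs, and name servers under the same provider domains. As an added example (not code from the thread or from any of the services it cites), here is a Python script that does that pivot mechanically: it parses an indicator block in the layout posted above, indexes domains by A record and by name-server provider, and groups domains that are connected through shared infrastructure. The domain, IP and name-server values in the sample are an excerpt copied from the post; the parsing rules (a dotted-quad line is an A record, a line whose first label is ns/dns plus digits is a name server, anything else starts a new domain) and all function names are my assumptions.

```python
"""Added example: pivot on shared DNS infrastructure in a pasted indicator list."""
from collections import defaultdict
import re

# Constructed sample: an excerpt of the indicator block from the post, in its
# posted layout (a domain line, then its A-record IPs, then its name servers).
INDICATORS = """
bitschoonerop.com
58.227.43.222
91.203.88.46
91.209.24.174
ns1.carsmagiaso.com
ns1.zapiraguns.com
carsmagiaso.com
171.23.151.11
173.234.8.215
digimoduleded.com
58.227.43.222
91.203.88.46
dns1.carsmagiaso.com
ns1.zapiraguns.com
blackfuril.ru
purplepron.ru
"""

# Assumed parsing rules (the thread states none): a dotted-quad line is an A
# record (the thread's data is IPv4 only), a line whose first label is ns/dns
# plus digits is a name server, and any other line starts a new domain entry.
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NS_LABEL = re.compile(r"^(?:ns|dns)\d*\.", re.IGNORECASE)


def ns_provider(ns_host):
    """ns1.carsmagiaso.com and dns1.carsmagiaso.com -> carsmagiaso.com."""
    return ns_host.lower().split(".", 1)[1]


def parse_indicators(text):
    """Return {domain: {"ips": set(...), "ns": set(...)}} from the pasted block."""
    records, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IPV4.match(line) or NS_LABEL.match(line):
            if current is None:
                raise ValueError(f"indicator before any domain line: {line}")
            records[current]["ips" if IPV4.match(line) else "ns"].add(line.lower())
        else:
            current = line.lower()
            records.setdefault(current, {"ips": set(), "ns": set()})
    return records


def shared_infrastructure(records):
    """Index domains by A record and by name-server provider domain."""
    by_ip, by_provider = defaultdict(set), defaultdict(set)
    for domain, rec in records.items():
        for ip in rec["ips"]:
            by_ip[ip].add(domain)
        for ns_host in rec["ns"]:
            by_provider[ns_provider(ns_host)].add(domain)
    return by_ip, by_provider


def clusters(records):
    """Group domains linked by a shared A record or NS provider (union-find).
    A provider domain that is itself listed (carsmagiaso.com) joins the domains
    it serves, the same pivot the thread makes to remiann.net / versepurze.com."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        return node if parent[node] == node else find(parent[node])

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for domain, rec in records.items():
        find(domain)  # register bare domains so they form their own cluster
        for ip in rec["ips"]:
            union(domain, "ip:" + ip)
        for ns_host in rec["ns"]:
            provider = ns_provider(ns_host)
            union(domain, "ns:" + provider)
            if provider in records:
                union(domain, provider)
    groups = defaultdict(set)
    for domain in records:
        groups[find(domain)].add(domain)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


if __name__ == "__main__":
    for group in clusters(parse_indicators(INDICATORS)):
        print("cluster:", ", ".join(sorted(group)))
```

Run stand-alone it prints one cluster joining bitschoonerop.com, digimoduleded.com and their name-server provider carsmagiaso.com, and leaves the bare domains (blackfuril.ru, purplepron.ru) as singletons until someone posts A records or name servers for them. The `ns:` and `ip:` prefixes keep infrastructure nodes distinct from domain names in the union-find so a provider domain is only merged when it is actually in the list.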
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
oposumcruiser.com is new member of botnet
I began this thread to caution members, who independently examine sites that they come across in order to rate them, about a particular botnet. The Cybercrime & Doing Time blog has a new article that gives examples of how this botnet uses spam to spread malware, including 'drive-by' infections(!), and promote phishing scams. See
http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
(Note: In an update to the article, MysteryFCM is once again acknowledged.)
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
No, no, no....
A few hours after I posted the (hopefully useful) reference
http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
a fairly new member submitted it as a phishing incident to PhishTank.com. I guess that I should have colored it green in my earlier comment.
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
lareconexiondelser.net joins the botnet
ns1.lareconexiondelser.net [IP 67.23.245.105, HostDime.com, Inc / USA] is now listed as a DNS provider for oposumcruiser.com; it replaces versepurze.com, which has been suspended by its registrar.
"A" records: additional IP addresses where computers may be under botnet control
125.231.8.177 [Chunghwa Telecom Co / Taiwan]
217.68.182.5 [Decimus GmbH (Primacom AG) / Germany]
62.83.93.27 [Cableuropa - Ono / Spain]
[Edit: more]
125.231.7.167 [Chunghwa Telecom Co / Taiwan]
173.20.247.94 [Mediacom Communications Corp / USA]
Clean-mx.de has several active reports about newer botnet configuration. For an example, see
http://support.clean-mx.de/clean-mx/phishing?id=935154
RE: No, no, no....
<quote user="notbuyingit">
I guess that I should have colored it green in my earlier comment.
[/quote]
Maybe just paste the link: http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
or wrap it with the anchor tag so it's not truncated:
[url=http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html t=_self]http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html[/url]
-
- Posts: 6594
- Joined: Fri Mar 11, 2011 6:21 pm
RE: oposumcruiser.com is new member of botnet
oposumcruiser.com has been suspended (status: clientHold) by its domain registrar.
RE: rulesbreacker.com — I smell a botnet
I'm not in the mood to reconfigure my router....
Checking purplepron.ru I get the OpenDNS blocking notice:
This site was blocked by OpenDNS in response to either the [url=http://blog.opendns.com/2009/03/30/worried-about-conficker-on-april-1-setting-up-opendns-can-protect-your-network/ t=_self]Conficker virus[/url], the Microsoft [url=http://isc.sans.org/diary.html?storyid=6739 t=_self]IE zero-day vulnerability[/url], or some equally serious vulnerability.
If you think this shouldn't be blocked, please email us at contact@opendns.com.