rulesbreacker.com — I smell a botnet

[NotBuyingIt]

Some community members rate sites based on PhishTank.com reports. When investigating reports about rulesbreacker.com, be careful of malware on that site. It appears to be be controlled by a botnet.

[Edit: More]
A "twin" domain name cfnm-paradise.com was also used by the botnet interchangeably with rulesbreacker.com; cfnm-paradise.com was subsequently suspended (Status: clientHold).

name servers for the domains:
ns1.remiann.net [IP 67.23.245.105, HostDime.com, Inc / USA]
http://www.malwareurl.com/ns_listing.php?ns=ns1.remiann.net

ns1.versepurze.com [IP 67.23.245.105]
http://www.malwareurl.com/ns_listing.php?ns=ns1.versepurze.com

ns2.remiann.net [IP 75.4.135.11, AT&T Internet Services PPPoX Pool / USA]
ns2.versepurze.com [IP 67.15.223.200, ThePlanet.com Internet Services, Inc / USA]

"A" records: IP addresses where computers may be under botnet control
115.30.232.131 [STNet / Japan]
125.231.7.243 [HINET Network / Taiwan]
202.170.104.110 [miyazaki cabletelevision network Co / Japan]
63.226.210.233 [NETPOINT uswest.net / USA]
83.213.31.242 [Euskaltel / Spain]
84.123.147.146 [Cableuropa - Ono / Spain]
84.126.146.87 [Cableuropa - Ono / Spain]
85.56.14.108 [Uni2 /Spain]
91.117.147.33 [R Cable y Telecomunicaciones Galicia / Spain]

Newer data
62.42.29.22 [Cableuropa - Ono / Spain]
79.109.116.245 [Cableuropa - Ono / Spain]
82.158.205.127 [Avenida Diagonal - Ono / Spain]
84.121.125.25 [Cableuropa - Ono / Spain]

[NotBuyingIt]

The rulesbreacker.com domain has been reassigned a status of clientHold. The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.

As I stated earlier, cfnm-paradise.com has been suspended. When I first mentioned that domain, I did not realize that it might have a barely naughty meaning. I have a nose for botnets, perhaps, but not so much for other stuff. For screen captures of the domain during its botnet phase, see
http://www.phishtank.com/phish_detail.php?phish_id=1215369
http://www.phishtank.com/phish_detail.php?phish_id=1215368
http://www.phishtank.com/phish_detail.php?phish_id=1215363

[NotBuyingIt]

<quote user="notbuyingit">
The domains which provided DNS for rulesbreacker.com and cfnm-paradise.com appear to still be running, however, which leaves a strong possibility that the botnet might use remiann.net and versepurze.com to continue the assault with other commandeered domains.
[/quote]
As anticipated, another domain has come online as a part of the botnet, using remiann.net and versepurze.com for DNS. The newly registered oposumcruiser.com is currently running many of the botnet's malware and phishing scams.


[Edit: More]

"A" records: IP addresses where computers may be under botnet control

112.71.69.76 [K-Opticom Corporation / Japan]
183.176.107.152 [STNet, Incorporated / Japan]
63.226.223.92 [Qwest Communications Company / USA]
66.159.180.87 [AT&T Internet Services PPPoX Pool / USA]
80.133.83.24 [Deutsche Telekom AG - Germany]
81.203.1.104 [Cableuropa - Ono / Spain]
85.86.48.130 [Euskaltel / Spain]
90.168.204.27 [France Telecom España / Spain]

I need to acknowledge an earlier report by MysteryFCM at http://hosts-file.net/?s=oposumcruiser.com
My work is based upon (subsequent) reports at PhishTank.com and OpenDNS.com. PhishTank.com has marked several reported malware URLs "Offline" although they are actually still running.

[c۞g]

To add:
bitschoonerop.com
58.227.43.222
91.203.88.46
91.209.24.174
96.38.26.235
113.53.251.236
124.248.39.46
ns1.carsmagiaso.com
ns1.zapiraguns.com
carsmagiaso.com
171.23.151.11
173.234.8.215
digimoduleded.com
58.227.43.222
91.203.88.46
96.38.26.235
113.53.251.236
124.248.39.46
dns1.carsmagiaso.com
ns1.zapiraguns.com
hideomechanic.com
58.227.43.222
91.203.88.46
96.38.26.235
113.53.251.236
124.248.39.46
ns1.carsmagiaso.com
ns1.zapiraguns.com
blackfuril.ru
datacricketuf.ru
greensinkod.com
neframeofwork.com
purplepron.ru&nbsp;

[NotBuyingIt]

I began this thread to caution members, who independently examine sites that they come across in order to rate them, about a particular botnet. The Cybercrime & Doing Time blog has a new article that gives examples of how this botnet uses spam to spread malware, including 'drive-by' infections(!), and promote phishing scams. See
http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
(Note: In an update to the article, MysteryFCM is once again acknowledged.)

[NotBuyingIt]

A few hours after I posted the (hopefully useful) reference
http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
a fairly new member submitted it as a phishing incident to PhishTank.com. I guess that I should have colored it green in my earlier comment.

[NotBuyingIt]

ns1.lareconexiondelser.net [IP 67.23.245.105, HostDime.com, Inc / USA] is now listed as a DNS provider for oposumcruiser.com; it replaces versepurze.com, which has been suspended by its registrar.

"A" records: additional IP addresses where computers may be under botnet control
125.231.8.177 [Chunghwa Telecom Co / Taiwan]
217.68.182.5 [Decimus GmbH (Primacom AG) / Germany]
62.83.93.27 [Cableuropa - Ono / Spain]
[Edit: more]
125.231.7.167 [Chunghwa Telecom Co / Taiwan]
173.20.247.94 [Mediacom Communications Corp / USA]

Clean-mx.de has several active reports about newer botnet configuration. For an example, see
http://support.clean-mx.de/clean-mx/phishing?id=935154

[c۞g]

<quote user="notbuyingit">
I guess that I should have colored it green in my earlier comment.
[/quote]
Maybe just paste the link: http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html
or wrap it with the anchor tag so it's not truncated:
[url=http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html t=_self]http://garwarner.blogspot.com/2011/06/new-car-or-zeus-spam-campaign.html[/url]

[NotBuyingIt]

oposumcruiser.com has been suspended (status: clientHold) by its domain registrar.

[c۞g]

I'm not in the mood to reconfigure my router....
Checking purplepron.ru I get the OpenDNS blocking notice:
This site was blocked by OpenDNS in response to either the [url=http://blog.opendns.com/2009/03/30/worried-about-conficker-on-april-1-setting-up-opendns-can-protect-your-network/ t=_self]Conficker virus[/url], the Microsoft [url=http://isc.sans.org/diary.html?storyid=6739 t=_self]IE zero-day vulnerability[/url], or some equally serious vulnerability.

If you think this shouldn't be blocked, please email us at contact@opendns.com.