sudosecure.net

              is anything truly secure…

Archive for the 'spam' Category

Kudos to Microsoft with the Waledac Botnet Take down!

Posted by jeremy on 25th February 2010

As many of you have probably read today, Microsoft initiated a large scale take down operation called “Operation b49” to behead the Waledac Botnet.  This take down effort has definitely made a visible impact on the botnet, as seen here in this recent image taken from my Waledac Botnet tracking scripts.

I applaud their efforts with this take down and now only time will tell if their strategy will have lasting impacts on this menace of a botnet.  Waledac is a peer-to-peer botnet, so simply taking out command and control servers would not have a lasting impact and the botnet would quickly recover.  By taking down the botnet at the domain (“.com”) level the individual peers within the botnet will no longer receive peering list updates, command and control instructions, and spam templates, but Waledac is resilient by design so additional actions have to occur for this take down to be completely successful and/or lasting.

The group and/or groups behind Waledac are most likely still scrambling to understand what occurred and where they went wrong, but with ties to the extinct “Storm Worm” of the past and the Zeus Trojan which has recently made the news headlines it is doubtful this will end their criminal efforts.  Only time will tell us what the group’s next move will be, and with that I guess I will have to find another botnet to monitor, so I will be on the lookout.

KUDOS to Microsoft and the behind the scene folks within the security community that aided in this effort!


Posted in Bots and Worms, Malicious Domain, Waledac, spam | No Comments »

Ecatel’s harboring of SpamBots and Malware causes BGP Peers to stop peering with them.

Posted by jeremy on 30th November 2008

Ecatel’s (AS29073) BGP Issues

While I was adding some Google Charts to my SpamBot Comment tracker I noticed that SpamBots originating from the ISP and hosting company Ecatel Network were my number one comment spam offender.  Like any other security researcher I initially performed a Google search and landed on this blog post “Atrivo, McColo and now Ecatel” by Rune at “Silent noise – about spam, trojans and other nasty stuff”, which sparked my interest and led me to dive deeper into this network.

It appears that several of Ecatel’s Network BGP peers decided to drop peering with them, including Hurricane Electric Internet Service AS6939, which from my research appeared to be their main peering point to the Internet.  The initial drop in peering caused a complete outage for Ecatel’s network, but this was short lived as they were able to obtain peering from Joint Transit.  Joint Transit appears to be their new main peering location to the Internet.  Several customers posted complaints concerning the outages on the public forum WebHosting Talk, which was also documented in Rune’s blog post.  I should also note that Ecatel still has not fully recovered and cannot be reached from a few locations in the US according to this Host-Tracker report I ran while writing this blog post.  I cannot reach Ecatel’s network right now through my ISP, which isn’t a bad thing.

In trying to identify what exactly occurred when the peering locations decided to stop peering with Ecatel I ran across an extremely useful tool that I had not played with before called “BGPlay” at Route Views.  Using this new toy I was able to graphically play the BGP peering route advertisements and withdrawals for the last week for any of the network subnets living on the AS29073 Ecatel Network.  Here is Ecatel’s Network before AS6939 (Hurricane) stopped peering directly with them.

As you can clearly see, Ecatel’s network (AS29073) was communicating out to the Internet via the peer Hurricane (AS6939) for a large percentage of its traffic.  Once Hurricane (AS6939) stopped peering directly with them Ecatel scrambled to find a new main peering location, which took several hours to do, but eventually they were able to pull it off.  Here is how Ecatel is peering right now:

As you can see from the image above Ecatel’s peering into the Internet is very different, but it did recover.  I am also sure Ecatel’s customers are seeing a difference in response times and throughput, as Hurricane Electric (AS6939) is ranked #46 by NetConfigs AS Rankings and Joint Transit (AS24785) is ranked #890.
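The upstream change that BGPlay shows graphically can also be picked out of raw update records, which is what you would do to watch your own prefixes. The following is an added example, not code from the post or from BGPlay or Route Views: it replays a constructed set of announcements and withdrawals for two prefixes named in the post (origin AS29073, with AS6939 and AS24785 as the upstreams) and reports each change in the set of upstream ASNs and how long no path to the origin was visible. The text record format, the timestamps, the collector peer names and the transit ASNs 3356 and 2914 are assumptions.

```python
"""Replay BGP updates for one origin AS and report upstream changes and outages."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of BGP updates in a simplified text form (assumed, not a real
# collector format): timestamp|A or W|collector peer|prefix|AS path.
# AS29073 (Ecatel), AS6939 (Hurricane Electric), AS24785 (Joint Transit) and the
# prefixes are from the post; timestamps, peers and transit ASNs 3356/2914 are made up.
SAMPLE_UPDATES = """\
2008-11-25T10:00:00|A|peer1|94.102.60.0/24|3356 6939 29073
2008-11-25T10:00:00|A|peer2|94.102.60.0/24|2914 6939 29073
2008-11-25T10:00:00|A|peer1|200.63.42.0/24|3356 6939 29073
2008-11-26T14:05:00|W|peer1|94.102.60.0/24|
2008-11-26T14:05:00|W|peer2|94.102.60.0/24|
2008-11-26T14:05:10|W|peer1|200.63.42.0/24|
2008-11-26T19:40:00|A|peer1|94.102.60.0/24|3356 24785 29073
2008-11-26T19:41:00|A|peer2|94.102.60.0/24|2914 24785 29073
2008-11-26T19:42:00|A|peer1|200.63.42.0/24|3356 24785 29073
"""


def parse_updates(text):
    """Yield (timestamp, kind, peer, prefix, as_path) for each update line."""
    for line in text.strip().splitlines():
        ts, kind, peer, prefix, path = line.split("|")
        as_path = [int(asn) for asn in path.split()]
        yield datetime.fromisoformat(ts), kind, peer, prefix, as_path


def upstreams(paths, origin_as):
    """The ASNs directly in front of the origin across all known paths to it."""
    return frozenset(p[-2] for p in paths if len(p) >= 2 and p[-1] == origin_as)


def replay(text, origin_as):
    """Walk the updates in order, keeping a per-peer RIB for each prefix, and emit
    (timestamp, prefix, upstream set) each time the upstream set changes."""
    rib = defaultdict(dict)   # prefix -> {peer: as_path}
    current = {}              # prefix -> last reported upstream set
    events = []
    for ts, kind, peer, prefix, as_path in parse_updates(text):
        if kind == "A":
            rib[prefix][peer] = as_path
        elif kind == "W":
            rib[prefix].pop(peer, None)
        ups = upstreams(rib[prefix].values(), origin_as)
        if ups != current.get(prefix):
            current[prefix] = ups
            events.append((ts, prefix, ups))
    return events


def outages(events):
    """Return {prefix: [(start, end)]} for periods in which no path to the origin
    was visible; end is None when the prefix had not come back by the last update."""
    periods = defaultdict(list)
    started = {}
    for ts, prefix, ups in events:
        if not ups and prefix not in started:
            started[prefix] = ts
        elif ups and prefix in started:
            periods[prefix].append((started.pop(prefix), ts))
    for prefix, ts in started.items():
        periods[prefix].append((ts, None))
    return dict(periods)


if __name__ == "__main__":
    history = replay(SAMPLE_UPDATES, 29073)
    for ts, prefix, ups in history:
        label = ", ".join(f"AS{a}" for a in sorted(ups)) or "no path"
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {prefix:<16} upstream: {label}")
    for prefix, periods in outages(history).items():
        for start, end in periods:
            length = (end - start) if end else "ongoing"
            print(f"{prefix:<16} unreachable from {start:%H:%M:%S} for {length}")
```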

Now that Ecatel has had its hand slapped for harboring this collection of general badness I can only hope that they have learned their lesson and will start to clean up their network.  It is hand slaps like this that should really start getting ISPs’ and hosting companies’ attention, as a serious loss of revenue could occur if these types of actions continue to be taken.  I can only hope that actions such as ICANN ridding us of EST Domains, and the McColo and Atrivo network demise, will become the norm.  These types of actions can really start to get the ball rolling in trying to clean up the Internet.  The networks that harbor this type of badness really need to evaluate the costs associated with dealing with these types of customers, and the costs associated with losing Internet connectivity from actions taken against them like this.  I am sure the bad guys always pay their bills on time, but if they can’t route to the Internet I am also equally sure they will be in the same line as the good guys asking for a full refund for the services you can no longer provide.  I would also venture to say it would be more cost effective to lose a few bad customers than it would be to take a network outage with the associated bad reputation I am sure you will be labeled with.

SpamBot activities from AS29073 seen at sudosecure.net

Seventeen unique IP addresses originating from this network attempted to post 1965 spam messages since I started tracking spam with my comment spam tracker.  These IPs have been around for a while as you can see from the following table:

Note: Longevity is the number of days between the first seen date and the last seen date and not a true depiction of how long these IPs have been doing this.

Ecatel Network’s Autonomous System (AS) number is AS29073.  This AS number made up ~68% of all comment spam attempts being conducted against this blog.  Obviously the people running the actual SpamBots are not scared of being loud or standing out in a crowd.  Take a look at AS29073 vs. all other AS SpamBot networks in my comment spam tracker database.
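An added example (not the tracker code behind this blog) of the per-IP and per-AS aggregation that the table above and the ~68% figure rest on: it joins a constructed comment-spam log with a constructed IP-to-ASN lookup in the pipe-delimited verbose format of the Team Cymru whois service, computes attempts, first/last seen and the longevity lower bound from the note above, and derives a threshold-based block list that still needs manual review because a source may be a compromised host or proxy. Only the IPs, prefixes and AS names come from the post; the timestamps, messages, the other lookup fields and the AS64496 (documentation ASN) row are made up.

```python
"""Per-IP and per-AS aggregation of comment-spam attempts, as a blog tracker would do."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed comment-spam log: timestamp|source IP|message. 94.102.60.151 and
# 200.63.42.141 are addresses named in the post; 203.0.113.5 is a made-up address
# from the documentation range, used as a non-Ecatel control.
SAMPLE_LOG = """\
2008-10-01T03:12:44|94.102.60.151|
2008-10-03T11:02:10|94.102.60.151|kdjfhsd.qwpeoiru.com
2008-10-12T22:45:00|94.102.60.151|
2008-10-02T09:30:00|200.63.42.141|<a href=hxxp://yasminmkanj.fora.pl/>yasmin</a>
2008-10-20T09:30:00|200.63.42.141|<a href=hxxp://clomidnfgpe.fora.pl/>clomid</a>
2008-10-05T00:00:00|203.0.113.5|cheap watches
"""

# Constructed IP-to-ASN lookup in the pipe-delimited verbose format returned by the
# Team Cymru whois service. ASN, prefixes and AS name for AS29073 follow the post;
# the remaining fields and the whole AS64496 (documentation ASN) row are made up.
SAMPLE_CYMRU = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
29073   | 94.102.60.151    | 94.102.60.0/24      | NL | ripencc  | 2004-01-01 | ECATEL-AS AS29073, Ecatel Network
29073   | 200.63.42.141    | 200.63.42.0/24      | PA | lacnic   | 2008-03-28 | ECATEL-AS AS29073, Ecatel Network
64496   | 203.0.113.5      | 203.0.113.0/24      | ZZ | example  | 2008-01-01 | EXAMPLE-AS, documentation only
"""


@dataclass
class IpStats:
    asn: int
    as_name: str
    attempts: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    @property
    def longevity_days(self):
        """Days between first and last seen. As the post's note says, this is only a
        lower bound on how long the address has been active."""
        return (self.last_seen.date() - self.first_seen.date()).days


def parse_cymru(text):
    """Map IP -> (ASN, AS name) from Team Cymru verbose output; line one is a header."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = [f.strip() for f in line.split("|")]
        table[fields[1]] = (int(fields[0]), fields[6])
    return table


def aggregate(log_text, as_table):
    """Count attempts and track first/last seen per source IP, joined with its ASN."""
    stats = {}
    for line in log_text.strip().splitlines():
        ts, ip, _message = line.split("|", 2)
        when = datetime.fromisoformat(ts)
        asn, name = as_table.get(ip, (0, "unknown"))
        entry = stats.setdefault(ip, IpStats(asn, name))
        entry.attempts += 1
        if entry.first_seen is None or when < entry.first_seen:
            entry.first_seen = when
        if entry.last_seen is None or when > entry.last_seen:
            entry.last_seen = when
    return stats


def as_share(stats):
    """Fraction of all attempts per origin AS (the post's '~68% from AS29073' figure)."""
    per_as = defaultdict(int)
    for s in stats.values():
        per_as[s.asn] += s.attempts
    total = sum(per_as.values())
    return {asn: n / total for asn, n in per_as.items()}


def block_candidates(stats, min_attempts=2, min_longevity_days=7):
    """Addresses with sustained activity. Thresholds keep one-off hits out of the
    list, but a listed IP may still be a compromised host or open proxy rather than
    the spammer's own machine, so review before turning this into firewall rules."""
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts
                  and s.longevity_days >= min_longevity_days)


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG, parse_cymru(SAMPLE_CYMRU))
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1].attempts):
        print(f"{ip:<15} AS{s.asn:<6} {s.attempts:>3} attempts  "
              f"{s.first_seen:%Y-%m-%d} .. {s.last_seen:%Y-%m-%d}  ({s.longevity_days} days)")
    for asn, share in as_share(stats).items():
        print(f"AS{asn}: {share:.1%} of all attempts")
    print("block candidates:", block_candidates(stats))
```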

The comment spam messages being spewed out by these SpamBots varied, but I did find some interesting trends.  Seven of these IPs were either posting blank messages or garbage messages consisting of seemingly bogus domain names made up of seemingly random text strings.  Here is an example posting from my database:

Here are the 7 IPs posting these types of messages:

  • 200.63.42.136
  • 94.102.60.151
  • 94.102.60.152
  • 94.102.60.153
  • 94.102.60.182
  • 94.102.60.43
  • 94.102.60.77

I am not exactly sure why these SpamBots would be posting such random messages, but I do have a few theories.  My guess is that these few IPs are probing SpamBots that crawl the Internet looking for blogs, forums, or any other website that has comment posting capabilities.  Once these probing SpamBots receive a good server response demonstrating that they are capable of posting spam to a website they most likely log the website.  These logs are then used to feed URLs to SpamBots that carry the real spam messages and the badness associated with them.  Let me explain why I think this is a technique used by these spammers.  Most websites will block IPs or subscribe to SpamBot tracking databases to create these filters.  If the SpamBot operator sends out these very loud and aggressive probing SpamBots to do the dirty work it will be these IPs that get added to the ACLs.  This will then allow the real SpamBot to operate in a more effective manner, only spamming the websites that have been identified as being susceptible to spam postings.  This technique aids in keeping the real SpamBot from being placed in ACLs and blacklists.  This also allows the SpamBot operators to accurately predict how many spam messages can be posted at any given time by their SpamBots, and also aids in advertising these capabilities to the organizations that buy SpamBot time.  SpamBot operators are businessmen too, so they try to get the most out of their efforts.  Again this is just my theory and I have no real evidence that this is the actual technique being utilized here.

The next set of 3 IPs spammed pharmaceutical type messages leading to WordPress 2.5.1 templates containing pharmaceutical messages and information spam as well.  Here is a sample from one of the spam messages:

Here is a list of the 3 IPs posting similar messages:

  • 200.63.42.141
  • 94.102.49.14
  • 94.102.60.127

The WordPress templates house some obfuscated JavaScript used to redirect the user to another website.  There is some interesting code used to ensure visitors are not being led to this site via search engine results.  Here is the interesting portion of the code:

Basically the author of this JavaScript is checking to see if any of the major search engines is in the referrer string or if the visitor does not have a referrer string set.  If either of these conditions is true the value of “gogo” will remain false and the visitor will be presented with the “404 page not found” page.  If both conditions are false the visitor is redirected, in this case to abapharm.net, with a few variables being passed in the URL.  The last three messages posted from these SpamBot IPs redirected to the following domain names:

  • bestcasinogroup.com
  • abapharm.net
  • asiatradefinance.com
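An added example, not code from the post or from the spam templates it describes, of how an analyst can flag the referrer-cloaking pattern described above once a captured script has been deobfuscated: it scores a script on whether it reads document.referrer, tests it for emptiness, compares it against search-engine names, redirects, and fakes a 404, and treats the referrer test plus redirect as the core signature. The search-engine list, both sample scripts and the landing.example host are constructed for the test.

```python
"""Heuristic check for search-referrer cloaking in a captured, deobfuscated script."""
import re

# Engines the post says the script looks for in the referrer (exact list assumed).
SEARCH_ENGINES = ("google", "yahoo", "msn", "live.com", "ask.com")

INDICATORS = {
    # the script consults where the visitor came from
    "reads_referrer": re.compile(r"document\.referrer"),
    # ... and checks for an empty referrer (direct visit or referrer stripped)
    "tests_empty_referrer": re.compile(
        r"""referrer\s*[!=]==?\s*(""|'')|referrer\.length\s*[<=!]=?\s*0"""),
    # ... and compares it against search-engine names
    "names_search_engine": re.compile(
        "|".join(re.escape(e) for e in SEARCH_ENGINES), re.IGNORECASE),
    # the script can send the browser elsewhere
    "redirects": re.compile(
        r"(window\.|self\.|top\.)?location(\.href)?\s*=[^=]|location\.(replace|assign)\("),
    # ... or pretend the page does not exist
    "fakes_not_found": re.compile(r"\b404\b|not found", re.IGNORECASE),
}

# Constructed sample following the post's description: gogo stays false for
# search-engine or empty referrers (visitor gets a fake 404), otherwise redirect.
# landing.example is a placeholder host, not a domain from the post.
CLOAKING_SAMPLE = """
var gogo = false;
if (document.referrer != "" && document.referrer.indexOf("google") == -1
    && document.referrer.indexOf("yahoo") == -1) { gogo = true; }
if (gogo) { window.location = "http://landing.example/in.php?id=1"; }
else { document.write("<h1>404 page not found</h1>"); }
"""

# Constructed benign sample: a page-view beacon that merely reports the referrer.
BENIGN_SAMPLE = """
var img = new Image();
img.src = "/stats.gif?r=" + encodeURIComponent(document.referrer)
        + "&p=" + encodeURIComponent(location.pathname);
"""


def cloaking_indicators(script):
    """Which of the indicators are present in the script text."""
    return {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}


def is_referrer_cloaking(script):
    """Core pattern from the post: a referrer test against search-engine names on the
    way to a redirect. The empty-referrer and fake-404 checks raise confidence but are
    not required, since a variant may simply do nothing for search traffic."""
    hits = cloaking_indicators(script)
    return hits["reads_referrer"] and hits["names_search_engine"] and hits["redirects"]


def score(script):
    """Number of indicators present, 0..5; useful for ranking many captured scripts."""
    return sum(cloaking_indicators(script).values())


if __name__ == "__main__":
    for label, sample in (("cloaking", CLOAKING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: score {score(sample)}, cloaking={is_referrer_cloaking(sample)}")
        for name, hit in cloaking_indicators(sample).items():
            print(f"  {name:<22} {'yes' if hit else 'no'}")
```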

These domains seem to be rotated on a regular basis and lead to either pharmaceutical websites or pay per click search redirecting.  The pharmaceutical site I was redirected to during this research was “trustedtabletsworld.com”.  Nothing really interesting there, but the pay per click search redirection sites proved to be a little more interesting.  All of the pay per click hijacking sites were redirecting through one IP:

  • 64.111.196.117

A quick Google search for this IP led me to an outstanding article documenting this type of tunneling called “Double-Funnel” by a few Microsoft Security Researchers back in March of 2007.  I am not going to go into the details of how this “Double-Funnel” redirecting tunneling spam stuff works, as this article does a very good job of describing this technique and has some really interesting statistics that I would recommend reading: Spam Double-Funnel: Connecting Web Spammers with Advertisers.  That was the interesting part!

The last set of SpamBot IPs were posting porn spam messages which led to more of this Double-Funnel pay per click search redirecting.  I noticed that this set of SpamBot IP addresses all started off with the initial JavaScript redirection pointing to “xxx.whatsdirect.cn”, which then again redirected to the actual pay per click tunneling server/site.  Two of these SpamBot IPs (94.102.60.166 and 94.102.60.162) had errors in the initial spam message links pointing to “xxx.whatsdirect.com” instead of “xxx.whatsdirect.cn”, so if you’re the paying spam customer utilizing this SpamBot provider to propagate your garbage over the Internet you may want to make sure you get a discount next time, as this typo most likely caused you to lose some money.

Here is a chart to demonstrate how active the individual SpamBots are when compared to one another:

While researching the Ecatel Network (AS29073) originating SpamBots I ran across several forum posts, blog posts, and websites complaining about these IP address ranges.  I even found that several of the well known Spam Blacklists had some of these subnets completely blocked.  The Spamhaus project has some interesting listings for the Ecatel Network in which connections with Russian malware, ROKSO spammers, and even the recent Mac OS X Trojan DNSChanger are documented.  Here is the Spamhaus Report and Jose Nazario’s blog post at Arbor documenting the new Mac Trojan.  Here is a link to my SpamBot Comment Spam Tracker sorting out the AS29073 network, which will be automatically updated as Ecatel SpamBots continue to hit this blog.

As always if you have any questions or comments regarding my postings feel free to post a comment or contact me via email.


Posted in Malicious Domain, spam | 3 Comments »

Comment Spam chasing leads to pay-per-click redirection

Posted by jeremy on 13th October 2008

Looking through my new comment spam tracker the domain fora.pl just jumps right off the page as my biggest offender, so I decided to take a deeper look into this domain and the comment spam associated with it.  Fora.pl is owned and operated by Gadu-Gadu S.A., which is based in Warsaw, Poland.  Gadu-Gadu S.A. seems to be a very legitimate company that specializes in social communication services such as chat communities, instant messaging, and web radio.  Fora.pl fits right into the types of services Gadu-Gadu S.A. offers, as Fora.pl is a free phpBB forum hosting site.  Fora.pl basically lets anyone host a phpBB forum on their servers for free as long as they fill out the following form:

Now Gadu-Gadu S.A. has also published a very nice set of regulations to which all forums are subject and with which everyone registering a forum must comply in order to continue operating a phpBB forum under their hosting plan.  Section 4 of these regulations outlines acceptable service use, which can be seen here: (using Google Translate)

Now that we know who owns and operates fora.pl and the policies they have set for the users of this service, let’s look at the comment spam I am seeing for this domain.  There appear to be two spambots spewing these comment spam messages at my site: 200.63.42.81 and 200.63.42.141.  In the last 45 days 200.63.42.141 has spammed my site 322 times and 200.63.42.81 has spammed my site 229 times, for a grand total of 551 times.  This may not seem like a lot, but these two IPs rank as number 2 and 3 in my spam comment tracker statistics as the most activity seen.  Doing a quick query to the cymru.com whois server shows us this:

AS IP BGP Prefix CC Registry Allocated AS Name
29073 200.63.42.81 200.63.42.0/24 PA lacnic 2008-03-28 ECATEL-AS AS29073, Ecatel Network
29073 200.63.42.141 200.63.42.0/24 PA lacnic 2008-03-28 ECATEL-AS AS29073, Ecatel Network

Basically these 2 IP addresses reside on the same class C subnet and obviously share the same BGP information.  Doing a whois on both IPs gives us the following:

  • owner:       Panamaserver.com
  • ownerid:     PA-PANA3-LACNIC
  • country:     PA
  • inetrev:     200.63.42/24
  • nserver:     NS1.PANAMASERVER.COM
  • nsstat:      20080927 AA
  • nslastaa:    20080927
  • created:     20080328
  • changed:     20080328
  • person:      Network O. Center
  • e-mail:      ABUSE@PANAMASERVER.COM
  • address:     El cangrejo, 49,
  • address:     0000 – Panama – PA
  • country:     PA
  • phone:       +507  2633723 []
  • created:     20071004
  • changed:     20071027

Panamaserver.com is a shared web hosting and dedicated server rental company which allows anyone to register a domain name and mask their personal contact information for privacy reasons with their contact information.  I do not think at this time that the owners of Panamaserver.com are the actual culprits behind these spambots, and it is more likely the case the culprits took advantage of this privacy masking procedure to hide their identities from researchers like me.

Doing a little Google research on these two IP addresses (200.63.42.81 and 200.63.42.141) provided me with some interesting findings.  The entire class C subnet is in the Spamhaus Block List (SBL): SBL68225, and according to the Spamhaus report this class C subnet has been associated with Russian malware and criminal hosting.  The specific IP address in this subnet Spamhaus based their report on was 200.63.42.97 (spamhostnew.com), so the spamming activity I have seen on my site from this subnet seems to be nothing new and just more of the same.  Project Honey Pot has also seen some activity from these 2 IP addresses: 200.63.42.81 Report and 200.63.42.141 Report.  The interesting thing about the Project Honey Pot reports is that they saw the same domain fora.pl being spammed in the comment messages and URLs from these 2 spambots.  Last but not least Stop Forum Spam had seen activity from these two spambot IPs as well: 200.63.42.81 Report and 200.63.42.141 Report.  The Stop Forum Spam reports were interesting as both of these IPs seem to have started spamming around the middle of August, but these two IPs didn’t seem to be as active on sites being monitored by Stop Forum Spam as they are for my site.  I am not sure why these spambots are not as active on Stop Forum Spam monitored sites, but since the goal of Stop Forum Spam is to block these spambots I would assume most of the sites monitoring have implemented blocks for these two spambots.

Now to take a look at the actual spam being spewed out of these two spambots.  There are 9,659 unique subdomains in my comment spam database for the fora.pl domain, which was almost shocking to me when I saw the query results.  A full list of these subdomains can be seen here: fora.pl subdomains; note, if you’re from fora.pl this would be a good place to start cleaning stuff up.  The last messages posted by these spambots while I was writing this post were:

200.63.42.141:

Charpentier brought our bath <a href=hxxp://methamphetamineurufc.fora.pl/>methamphetamine</a> skull and <a href=hxxp://yasminmkanj.fora.pl/>yasmin</a> made their <a href=hxxp://miacalcinpybff.fora.pl/>miacalcin</a> peacocks. King once pressed caviar <a href=hxxp://adderallxqspk.fora.pl/>adderall</a> bowing and <a href=hxxp://ataraxmujtf.fora.pl/>atarax</a> containing the <a href=hxxp://relenzacahru.fora.pl/>relenza</a> coachman. Coupling the perfect order <a href=hxxp://valporicanemm.fora.pl/>valporic</a> third squatted <a href=hxxp://pepcidrreuc.fora.pl/>pepcid</a> smoothly. Before the aturedness and <a href=hxxp://phendimetrazinemcukk.fora.pl/>phendimetrazine</a> oland had <a href=hxxp://tiazacdnmsm.fora.pl/>tiazac</a> trivet. Woland nodded hoarse cry <a href=hxxp://famvirtxoxl.fora.pl/>famvir</a> the thunder <a href=hxxp://miralaxejxer.fora.pl/>miralax</a> glance over <a href=hxxp://loratadinewlpfr.fora.pl/>loratadine</a> quaintance. King relied was entitled <a href=hxxp://clomidnfgpe.fora.pl/>clomid</a> began riding <a href=hxxp://amphetaminemldun.fora.pl/>amphetamine</a> inevitable.

200.63.42.81

Tell your leg remained <a href=hxxp://comeoutrollnhldk.fora.pl/>come out roll</a> their bridles <a href=hxxp://doublehandpokerrxgek.fora.pl/>double hand poker</a> private apartments <a href=hxxp://hornbetqnwwk.fora.pl/>horn bet</a> scattered. Professor signalled glittered and <a href=hxxp://cornerbetwmpgq.fora.pl/>corner bet</a> and alpinism <a href=hxxp://comeoutrolldubvq.fora.pl/>come out roll</a> amala. Woland went off with <a href=hxxp://fastwayapmaq.fora.pl/>fast way</a> heldybin done <a href=hxxp://casinolxrmq.fora.pl/>casino</a> ounterfeit money <a href=hxxp://yablondydjq.fora.pl/>yablon</a> blank. Dear old not forgotten <a href=hxxp://jackpotgncec.fora.pl/>jackpot</a> taggering and <a href=hxxp://wildcardlxvfc.fora.pl/>wild card</a> bleeding profusely <a href=hxxp://redorblackxoouc.fora.pl/>red or black</a> successful. Professor watched strap that <a href=hxxp://wildcardfxzxc.fora.pl/>wild card</a> visible hesitation <a href=hxxp://handrankntluz.fora.pl/>hand rank</a> shall sit <a href=hxxp://fiveofakindxdwoz.fora.pl/>five of a kind</a> path. Catholic priest there emerged <a href=hxxp://passlineiseqi.fora.pl/>pass line</a> narrowing his <a href=hxxp://bonusgamexjeyi.fora.pl/>bonus game</a> way had <a href=hxxp://baccaratskrli.fora.pl/>baccarat</a> goo. Duke smuggled until she <a href=hxxp://gamblinghfjxi.fora.pl/>gambling</a> procurator went <a href=hxxp://payouttablerbkpl.fora.pl/>payout table</a> erkoz. English attendants and aspiration <a href=hxxp://diceawyba.fora.pl/>dice</a> its pointed <a href=hxxp://pontoonkhmva.fora.pl/>pontoon</a> clarations. Just frizzle ary things <a href=hxxp://rideonpokerfkdva.fora.pl/>ride on poker</a> lamp into <a href=hxxp://fastwayolvma.fora.pl/>fast way</a> left disappoint <a href=hxxp://piratestreasuretusga.fora.pl/>pirate\\’s treasure</a> trembled. Mina wants and drew <a href=hxxp://trueoddsyqqxa.fora.pl/>true odds</a> they killed <a href=hxxp://jackpotzruqa.fora.pl/>jackpot</a> uthorities. 
Margarita came most cases <a href=hxxp://trueoddsbxcja.fora.pl/>true odds</a> giving both <a href=hxxp://cornerstreettkgpa.fora.pl/>corner street</a> worsened. Artful nothing yet there <a href=hxxp://threeofakindlwnsa.fora.pl/>three of a kind</a> same indifferen <a href=hxxp://4perlineqigda.fora.pl/>4 per line</a> cerned. Gardiner read the object <a href=hxxp://cornerbetcuica.fora.pl/>corner bet</a> his circumstan <a href=hxxp://hopebetzhude.fora.pl/>hope bet</a> screamed. Nikolaevna answered sitting alone <a href=hxxp://bonussymbolykwte.fora.pl/>bonus symbol</a> begged passionate <a href=hxxp://egmjygbe.fora.pl/>egm</a> nanta. Nobles like oroviev stood <a href=hxxp://backhandzrbme.fora.pl/>back hand</a> start and <a href=hxxp://bigeightcqgqe.fora.pl/>big eight</a> gruel. King that flitted before <a href=hxxp://bonussymbolgioie.fora.pl/>bonus symbol</a> wheeling along <a href=hxxp://hornbetyhxme.fora.pl/>horn bet</a> tormentor. Professor nodded want you <a href=hxxp://placebetjfvww.fora.pl/>place bet</a> former tribune <a href=hxxp://backhandpsdax.fora.pl/>back hand</a> pluttering with touch.

As you can see these messages seem almost cryptic and make absolutely no sense, so I decided to take a look at a link embedded in one of these messages.  The link I followed was “hxxp://egmjygbe.fora.pl/”, which led to a phpBB forum titled “what does EGM proxy stand for: download september 2007 EGM magazine”; the forum post wasn’t as cryptic as the message spam, but it definitely didn’t flow.  Here are the first few sentences:

Children would presumably be immunized against cocaine dependence at the request of their egm lair parents. New approaches egm halo 3 screenshots to influenza chemotherapy. Therefore, optimal surveillance at this point is essential for successful containment. Note: halo 3 egm august scans bold page numbers denote material in figures, tables and boxes. Kong, despite easy exchange of family members between the two areas, egm free subscriptions does suggest, fortunately, a virus with halo 3 august egm a low infectiousness.

So what would a spambot that is so active be hiding in these forums?  Well, nothing more than some obfuscated JavaScript.  Here is a copy of the original obfuscated JavaScript I extracted from the phpBB web forum page: obfusticated_js.  Using SpiderMonkey I was able to deobfuscate the script to this: deobfusticated_js.  As you can see from the deobfuscated JavaScript output this is just a really complex way to redirect you to “hxxp://bestcasinogroup.com/search.php?q=egm+key”.  The +key part is just used to modify your search results to display different links.  So who is bestcasinogroup.com?  Here is some information from a whois query:

Domain Name: BESTCASINOGROUP.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: VC11.AMHOST.NET
Name Server: VC12.AMHOST.NET
Status: clientTransferProhibited
Updated Date: 22-sep-2008
Creation Date: 14-apr-2008
Expiration Date: 14-apr-2010

Administrative Contact:
Protect Details, Inc
Domain Manager (privatecontact@protectdetails.com)
29 Kompozitorov st.
Saint Petersburg
,194358
RU
Tel. +7.8129342271

These whois results share the theme of other ESTDOMAINS malware/crimeware domain names in that they are using the privacy protection option offered by protectdetails.com at ESTDOMAINS.  If you have been following the discussions and/or actions between ESTDOMAINS and several malware analysts these last few weeks this theme should be very familiar.  Now bestcasinogroup.com is only a redirect and is not the stopping point of the obfuscated JavaScript code.  Bestcasinogroup.com redirects to usacasinoworld.net, which is hosted on the same IP, 72.232.116.51.  Performing a whois lookup against usacasinoworld.net provided the following information:

Domain Name: USACASINOWORLD.NET
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: VC11.AMHOST.NET
Name Server: VC12.AMHOST.NET
Status: ok
Updated Date: 22-sep-2008
Creation Date: 13-jun-2008
Expiration Date: 13-jun-2009

Administrative Contact:
N/A
Naumenko Genadiy Vladimirovich (msndrugs@mail.ru)
Kolomoysko 56
Kiev
Kiev,03056
UA
Tel. +380.0976576665

This time the domain registration information wasn’t protected, but I doubt very seriously if msndrugs@mail.ru is a legitimate email address with an anxious domain administrator waiting to shut this all down.  The usacasinoworld.net site is the last stop for the obfuscated JavaScript redirection, but this isn’t the end of the oddness associated with this spam.  A screen shot of the usacasinoworld.net ending point can be seen here:

All of the links shown in this screen shot are redirects/click through tracking.  Here is an example link string from the above screen shot:

hxxp://66.230.188.67/click.php?c=[…]

The IP 66.230.188.67 is the same in every search redirect I checked.  Another interesting observation I had was that the IP 66.230.188.67 was running an nginx/0.5.37 server, which is a lightweight HTTP server that is sometimes used by crimeware and malware authors to act as a proxy.  Again with a whois lookup I found:

OrgName:    ISPrime, Inc.
OrgID:      IPRM
Address:    300 Boulevard East
Address:    Suite 100
City:       Weehawken
StateProv:  NJ
PostalCode: 07086-6702
Country:    US

Now ISPrime, Inc. has had its fair share of issues in the past, so again I was not surprised by these results either.  What I am surprised about is the final result of this crazy maze that started with two spambots posting spam to my blog that led to a free phpBB forum hosted at fora.pl.  This phpBB forum hosted some obfuscated JavaScript that redirected me to bestcasinogroup.com, which then again redirected me to usacasinoworld.net.  At usacasinoworld.net we found that all links from this generic search engine were directed through an nginx server (66.230.188.67) most likely serving as a pay-per-click redirection server, based on some of the web sites I ended up on by clicking the links presented to me.  All of this craziness to earn a few cents with pay-per-click redirection.  Obviously these guys are good at it and I am sure this won’t be the last time I run into them on the Internet chasing spam.

Just as a general note I have sent emails off to all of the POCs for these domains and IPs in an attempt to get this shut down, but I doubt anything will happen quickly.  With that being said I would suggest taking the above information and adding it to your content filters, proxies, and/or firewalls to prevent this stuff from entering your network.  As always if you have any questions or comments regarding this post feel free to contact me anytime.


Posted in spam | 2 Comments »

sudosecure stabs Spambots in the eye with data harvesting

Posted by jeremy on 28th September 2008

For anyone operating a blog or forum, comment spambots are a daily nuisance.  These spambots are normally small applications or scripts that comb the Internet just like search engine web crawlers, but instead of indexing your pages these spambots are looking for web forms where they can post their spam comments.  These spam comments are very similar to the spam messages you find in your email spam folder, with contents ranging from pharmaceutical spam, phishing, and Trojans masked with catchy one liners advertising naked pictures or movies of a famous star.

While doing some research on these spambots I came across a really insightful video using a tool called Xrumer, which is a Windows based program that posts spam.  This application really shows how much intelligence is built into these spambots.  Xrumer can defeat many of the common safeguards used by forum and blog administrators such as account registration, CAPTCHA, and email activation.  If you haven’t seen the video demonstration I would recommend taking a look at it here: Xrumer Demo.

In an attempt to learn more about the who, what, where, and how of these spambots I have started harvesting data captured during automated spam attempts seen here at sudosecure.net.  I am opening up this harvested data to the public in hopes that it may be useful to someone.  This data can now be found here: http://sudosecure.net/spambot, and as with all of the data I make available to the public I advise you to take caution in utilizing it.  As you can see when visiting this new portion of sudosecure there is a lot of data captured on these spambots, and what I have attempted to do is provide several different view points into this data to make it more usable.  I can see this data being utilized not only by security researchers, but by site owners and administrators, as firewall rules and .htaccess files could easily be constructed to block these spambots.  With that being said I must point out that just because an IP address or User Agent is seen in this data set does not mean it is a bad guy.  User Agents are easily spoofed, and compromised or misconfigured computers can be utilized as proxies for these spambots.  Anytime you implement an IP block or User Agent filter you run the risk of blocking a legitimate user from visiting your web page, so again don’t generate filters or blocks unless you are absolutely sure you know what you’re doing.

I am sure this data will lead to new articles being published here at sudosecure, and if you have any suggestions or comments regarding this data feel free to contact me anytime.


Posted in spam | 1 Comment »