Home / Blogs

Moving Target: Spammer Using Over 1000 Home Computers as DNS

Richard M. Smith

Some individual appears to have hijacked more than a 1,000 home computers starting in late June or early July and has been installing a new Trojan Horse program on them. The Trojan allows this person to run a number of small websites on the hijacked home computers. These websites consists of only a few web pages and apparently produce income by directing sign-ups to for-pay porn websites through affiliate programs. Spam emails messages get visitors to come to the small websites.

To make it more difficult for these websites to be shut down, a single home computer is used for only 10 minutes to host a site. After 10 minutes, the IP address of the website is changed to a different home computer. The hacker is able to do this quick switching because he has installed DNS name servers for his domains on other home computers under his control. The DNS name servers specify that a hostname-to-IP-address mapping should only live for 10 minutes. Over the July 4th long weekend, some of these same web servers were used in an apparent phishing scam to collect stolen PayPal passwords and credit card numbers. Silicon.com has an article about this scam.

Joe Stewart of LURHQ has obtained a copy of the Trojan, which he has named Migmaf. His analysis of the Trojan was just released on LURHQ website.

The initial theory was that the Trojan was installing a mini-web server on hacked computer to host the porn websites. However, Joe's analysis shows that the Trojan is actually a reverse HTTP proxy that makes a home computer act as a front for a home base Web server.

Some of the domain names used by the websites of the Trojan are:

- onlycoredomains.com
- pizdatohosting.com
- bigvolumesites.com
- wolrdofpisem.com
- arizonasiteslist.com
- nomorebullshitsite.com
- linkxxxsites.com

I've been monitoring these domains since July 5th and found over 2,000 unique IP address used by hosts in these domains. Almost all of these IP addresses are for commercial ISPs used by home computer users. AOL.com was the most used ISP.

One interesting feature of the Trojan is that it times the connection speed of a home computer that it is running on and reports the connection speed back to home base. The home base computer seems to only select a computer to run a reverse proxy server or the DNS name server if the computer has a high-speed cable or DSL Internet connection!

It is not known at the present time how the Trojan gets installed on people's computers. My theory is that the Sobig.e virus might be involved, but the evidence is not strong at the moment. 

By Richard M. Smith, Computer & Internet Security Expert

Related topics: DNS, Domain Names, Email, IP Addressing, Security, Spam

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Re: Moving Target: Spammer Using Over 1000 Home Computers as DNS fnord  –  Jul 18, 2003 1:55 PM PDT

This is but one of many examples of why using the DNS to fight spam as suggested in this: http://www.circleid.com/article/151_0_1_0_C/ CircleID article is doomed to failure. -g

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

New TLD .STORE Crosses 500+ Sunrise Applications

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Meet Boston Ivy, Home to Some of the Most Specialized TLDs in the Financial Services Sector

Move Beyond Defensive Domain Name Registrations, Towards Strategic Thinking

Is Your TLD Threat Mitigation Strategy up to Scratch?

Verisign Launches New gTLDs for the Korean Market, .닷컴 and .닷넷

Verisign Opens Landrush Program Period for .コム Domain Names

Domain Management Handbook from MarkMonitor

i2Coalition to Host First Ever Smarter Internet Forum

An Update on Port25 and the Future of PowerMTA - One Year Later​

Afilias Announces Relaunch of .GREEN TLD

Encrypting Inbound and Outbound Email Connections with PowerMTA

New .PROMO Domain Sunrise Period Begins Today

Minds + Machines Group Announces Outsourcing Agreements, Web Address Change

.STORE Opens its Doors to Brands

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Sponsored Topics

Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
Port25

Email

Sponsored by
Port25
Afilias

DNS Security

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign