01/06/2009
ID-ref.be part of international phishing botnet
Reposted because it is important: according to Arbor Networks there is a Belgian site in this botnet. Block the other sites mentioned below as well, they are part of the same botnet (readers in other countries will see some of their own domains show up in the list; some say this diversity is a first for fast-flux botnets).
Thanks to Arbor Networks for publishing this, we want more of it.
Today it’s an American Express phish. In the past few weeks it’s been JPMorgan Chase, Bank of America, CitiGroup, Colonial Bank, and many others. All of them are using fast flux hosting techniques on the same hosts. I don’t know the name of this botnet (either the malcode or the colloquial name) but it sure is busy. Here’s a list of domain names they have been using for their activities (gathered using passive DNS techniques, most of them are now suspended domains):
- dir10.cz
- adobeflasplayer10.com
- isapid.cz
- es-pos1.es
- es-pos0.es
- frankiezfunz.com
- sofia16-online18.com
- es-pos3.es
- idsrv1.es
- serverdemobank.com
- idsrv2.es
- id-rt01.cz
- aktien-news-online24.com
- id-rt04.cz
- flashplayercolonial.com
- srv-3id.cz
- clrtemp.cz
- file033.cz
- file11.cz
- sofia16-online24.com
- ref-id.es
- idsrv4.es
- player10update.com
- bankamericademo.com
- dir017.cz
- idrtd.cz
- 0177.es
- id-ref.cz
- serversupdates.com
- srv-1id.cz
- 72.in-addr.arpa
- id0.cz
- bmspeedlab.org
- id-rt03.cz
- democolonialbank.com
- refid73.es
- refid70.es
- identify-3.cz
- colonialshow.com
- demobankofamerica.com
- cs03.cz
- isapi10.cz
- es-pos2.es
- id-ref.be
- 0104.es
- idsrv10.es
- bumospo.com
- hawaiiantel.net
- isdir.cz
- cs07.cz
- cs01.cz
- identify-4.cz
- ptil.cz
- sofia18-online.com
- idsrv11.es
- installadobeplayer.com
- es-pos7.es
- colonialdemo.com
- bmspeedlab.com
- id-rt02.cz
- srv-4id.cz
- fasttrk.cz
- bumotor.org
- srv-7id.cz
- bumotor.net
- identify-1.cz
- bumospe.tk
- onlineserverdownload.com
- clasmatessup.com
- everettzfunz.com
- file17.cz
- demoversions10.com
- tempdir.cz
- demoservers1.com
This was published on the 14th of December by Arbor Networks, but as we have no CERT and I decided to take some holiday and more family time (this is not my job), nobody did anything with this information. Normally this should have been closed down 4 hours after being discovered (and that goes for all of them, in fact).
This is the whois for id-ref.be (look at the e-mail address.... if that doesn't work, dns.be can block the domain, but if it is a botnet they will have to be careful when opening any response mail. As a domain registrar I would not even use my own mail server; you can also try it from a Yahoo account, and if it doesn't work from there it won't work anywhere....)
For the moment there seems to be no website at this address, but it may be hidden somewhere or waiting in a way we can't see yet.
Also look at some of the other domain names that were registered or used. Quite interesting ones for malware, don't you think, especially if you can fake MD5 certificates for files....
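Arbor's list was built by pivoting on passive DNS: domains that resolve to the same rotating set of hosts with short TTLs get tied together even when their names look unrelated. The script below is an added example (not Arbor's tooling and not part of the original post) of that defensive pivot. It takes a handful of passive-DNS observations, scores each domain for fast-flux behaviour (many distinct IPs across several /24s, short TTLs) and clusters domains that share infrastructure. The observations are constructed: the domain names are taken from the list above, but the IP addresses are RFC 5737 documentation placeholders, and the thresholds in `is_fast_flux` are assumptions to be tuned against real data.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: domain -> A record, with its TTL."""
    domain: str
    ip: str
    ttl: int
    first_seen: str  # ISO date, kept as text for this example


# Constructed passive-DNS observations, not data from Arbor's feed.
# Domain names come from the list in the post; the IPs are placeholders
# from RFC 5737 documentation ranges, not the botnet's real addresses.
SAMPLE_RECORDS = [
    PdnsRecord("id-ref.be", "192.0.2.10", 300, "2008-12-01"),
    PdnsRecord("id-ref.be", "198.51.100.7", 300, "2008-12-01"),
    PdnsRecord("id-ref.be", "203.0.113.55", 180, "2008-12-02"),
    PdnsRecord("id-ref.be", "192.0.2.77", 180, "2008-12-03"),
    PdnsRecord("id-ref.cz", "192.0.2.10", 300, "2008-12-01"),
    PdnsRecord("id-ref.cz", "203.0.113.55", 300, "2008-12-02"),
    PdnsRecord("id-ref.cz", "198.51.100.201", 120, "2008-12-04"),
    PdnsRecord("dir10.cz", "198.51.100.7", 300, "2008-12-03"),
    PdnsRecord("dir10.cz", "203.0.113.9", 300, "2008-12-05"),
    PdnsRecord("dir10.cz", "192.0.2.77", 240, "2008-12-05"),
    # A stable, conventionally hosted domain for contrast (constructed).
    PdnsRecord("example.org", "203.0.113.200", 86400, "2008-11-01"),
    PdnsRecord("example.org", "203.0.113.200", 86400, "2008-12-20"),
]


def slash24(ip: str) -> str:
    """Return the /24 network an IPv4 address belongs to, e.g. 192.0.2.0/24."""
    return str(ip_network(f"{ip}/24", strict=False))


def flux_profile(records, domain):
    """Summarise how a domain's A records behave: distinct IPs, distinct /24s, lowest TTL."""
    own = [r for r in records if r.domain == domain]
    return {
        "ips": len({r.ip for r in own}),
        "nets": len({slash24(r.ip) for r in own}),
        "min_ttl": min(r.ttl for r in own),
    }


def is_fast_flux(records, domain, min_ips=3, min_nets=2, max_ttl=600):
    """Heuristic fast-flux check. Thresholds are assumptions for this example."""
    p = flux_profile(records, domain)
    return p["ips"] >= min_ips and p["nets"] >= min_nets and p["min_ttl"] <= max_ttl


def shared_infrastructure(records):
    """Map each IP that two or more domains resolved to -> sorted list of those domains."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r.ip].add(r.domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def cluster_domains(records):
    """Union domains linked through shared IPs into clusters (simple union-find)."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for doms in shared_infrastructure(records).values():
        for d in doms[1:]:
            parent[find(d)] = find(doms[0])

    clusters = defaultdict(set)
    for d in list(parent):
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for d in sorted({r.domain for r in SAMPLE_RECORDS}):
        verdict = "fast-flux" if is_fast_flux(SAMPLE_RECORDS, d) else "stable"
        print(f"{d:14} {flux_profile(SAMPLE_RECORDS, d)} -> {verdict}")
    print("shared IPs:", shared_infrastructure(SAMPLE_RECORDS))
    print("clusters:", cluster_domains(SAMPLE_RECORDS))
```

On the constructed data the three `.be`/`.cz` names collapse into one cluster while `example.org` stays on its own; with a real passive-DNS feed the same pivot is what lets a registry or CERT take down a whole family of domains rather than the one that happened to be reported.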
| Domain details | |
|---|---|
| Domain | |
| Name | id-ref |
| Status | REGISTERED |
| Registration | 26 November 2008 |
| Last change | 3 December 2008 10:55 |
| Licensee | |
| Language | English |
| Technical contacts of the registrar | |
| Name | Auto répondeur |
| Organisation | Gandi Sas |
| Language | English |
| Address | 15 place de la Nation 75011 Paris France |
| Telephone | +33.143737851 |
| Fax | +33.143731851 |
| E-mail | support-en@support.gandi.net |
| Registrar | |
| Organisation | Gandi Sas |
| Website | www.gandi.net |
| Nameservers | |
11:03