[63676] in North American Network Operators' Group
RE: Wired mag article on spammers playing traceroute games with trojaned boxes
daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Thu Oct 9 12:09:53 2003
Date: Thu, 9 Oct 2003 12:01:35 -0400
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Chris Boyd" <cboyd@gizmopartners.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
->
->I found one of these today, as a matter of fact. The spam was
->advertising an anti-spam package, of course.
->
->The domain name is vano-soft.biz, and looking up the address, I get
->
->Name: vano-soft.biz
->Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
->193.165.6.97
-> 12.229.122.9
->
->A few minutes later, or from a different nameserver, I get
->
->Name: vano-soft.biz
->Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97,
->12.229.122.9
-> 12.252.185.129
->
->This is a real Hydra. If everyone on the list looked up
->vano-soft.biz
->and removed the trojaned boxes, would we be able to kill it?
->
->--Chris
I got:
Canonical name: vano-soft.biz
Addresses:
165.166.182.168
193.92.62.42
200.80.137.157
12.229.122.9
12.252.185.129
I think even if we get all the ones for this domain name today,
assuming we can muster even man hours to get it today, another
5000 will be added tomorrow.
And looking at my list we have US (a very small ISP and a large ISP),
RIPE, and LACNIC.
I wonder if the better question should be:
Can Broadband ISPs require a Linksys, D-Link or other
broadband router without too many problems?
That is what it will take to slow this down, and then only if
ALL ISPs do it.
This not only affects this instance but global security
as a whole. Just a few days ago, Cisco was taken
offline by a large # of Zombies, I am willing to
say that those are potentially some of the same
compromised systems.
Thoughts?
Jim
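The "Hydra" behaviour both posters describe (the same name answering with a shifting pool of addresses across lookups) can be measured from a series of answer sets. The script below is an added example for this archive page, not code from either poster; the sample data is constructed from the three lookups quoted in the thread, and the growth threshold is an assumed heuristic, not an established cutoff.

```python
import ipaddress

# Constructed sample: three successive A-record answer sets for one name,
# in the order they appear in the thread (two from Chris, one from Jim).
OBSERVED_ANSWERS = [
    ["12.252.185.129", "131.220.108.232", "165.166.182.168",
     "193.165.6.97", "12.229.122.9"],
    ["131.220.108.232", "165.166.182.168", "193.165.6.97",
     "12.229.122.9", "12.252.185.129"],
    ["165.166.182.168", "193.92.62.42", "200.80.137.157",
     "12.229.122.9", "12.252.185.129"],
]


def summarize_rotation(answers):
    """Walk the answer sets in order and report how the address pool grows.

    Returns (distinct_ips, max_answer_size, new_per_lookup, persistent_ips,
    distinct_slash16). A pool that keeps growing past the size of any single
    answer means the name is served from rotating hosts, not a fixed set.
    """
    seen = set()
    persistent = None
    new_per_lookup = []
    for rrset in answers:
        current = set(rrset)
        new_per_lookup.append(len(current - seen))  # addresses first seen now
        seen |= current
        persistent = current if persistent is None else persistent & current
    # Count distinct /16 prefixes as a rough proxy for how many separate
    # networks (and therefore abuse contacts) are involved.
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in seen}
    return (sorted(seen, key=ipaddress.ip_address),
            max(len(a) for a in answers),
            new_per_lookup,
            sorted(persistent, key=ipaddress.ip_address),
            len(slash16))


def is_hydra(answers, growth_factor=1.2):
    """Assumed heuristic: flag when the cumulative pool exceeds the largest
    single answer by growth_factor, i.e. the records are rotating."""
    distinct, max_size, _, _, _ = summarize_rotation(answers)
    return len(distinct) > growth_factor * max_size


if __name__ == "__main__":
    ips, size, new, stable, nets = summarize_rotation(OBSERVED_ANSWERS)
    print(f"{len(ips)} distinct hosts over {len(OBSERVED_ANSWERS)} lookups "
          f"(max {size} per answer), new per lookup {new}, "
          f"{len(stable)} seen every time, {nets} distinct /16s")
    print("rotating pool:", is_hydra(OBSERVED_ANSWERS))
```

Feeding it real lookups means appending each resolver's answer set to the list over time; the persistent set is the part worth prioritising for cleanup, since it shows up in every answer.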