Thursday, September 13, 2007

Storm ALERT: Now Using Malicious Domain Name - UPDATE



WARNING: While the Storm worm/botnet has been using spam touting "NFL Game Tracker" sites -- which are, ironically, actually being hosted on Storm-compromised victim PCs -- to lure unwitting users into infecting themselves, the operators have now registered a domain name that uses fast-flux techniques to avoid consistent detection of the actual location(s) of the infected hosts (and of its nameservers).

Be forewarned: Do not surf to this domain.


Checking server [whois.estdomains.com]
Results:
Registration Service Provided By: LOMTI INC.
Contact: +351.3456712

Domain Name: FREENFLTRACKER.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676

Creation Date: 13-Sep-2007
Expiration Date: 13-Sep-2008

Domain servers in listed order:
ns13.freenfltracker.com
ns12.freenfltracker.com
ns11.freenfltracker.com
ns10.freenfltracker.com
ns9.freenfltracker.com
ns8.freenfltracker.com
ns7.freenfltracker.com
ns6.freenfltracker.com
ns5.freenfltracker.com
ns4.freenfltracker.com
ns3.freenfltracker.com
ns2.freenfltracker.com


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676


And, of course, ESTdomains is located in Russia, so the possibility of getting the domain suspended is somewhere in the neighborhood of slim & none.

We call this a "Double Flux" botnet because not only are the IP addresses constantly changing for the primary domain (FREENFLTRACKER.COM), but so are the nameserver IP addresses -- all of which are actually the PCs of unwitting, Storm-infected victims.
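To make the "double flux" distinction concrete from a defender's side, here is an added example (not code from the original post) that scores a domain from a series of DNS lookups captured over time. It flags a domain as single-flux when its A records churn across many hosts and networks with low TTLs, and as double-flux when, in addition, the nameservers are in-bailiwick (named under the domain itself, as the ns2..ns13 entries in the WHOIS record above are) and their glue IPs churn as well. The thresholds and the observation snapshots are assumptions for illustration; the IPs are constructed from the RFC 5737 documentation ranges and are not real Storm hosts.

```python
"""Heuristic fast-flux / double-flux classifier over DNS observations.

Added example, not part of the original post. Sample observations are
constructed (RFC 5737 TEST-NET addresses) to mimic the churn described for
FREENFLTRACKER.COM; the thresholds are illustrative assumptions.
"""
import ipaddress
from collections import namedtuple

# One lookup snapshot: the answer IPs for the domain, their TTL, and the IPs
# that the domain's nameservers resolved to at the same moment.
Observation = namedtuple("Observation", "a_records a_ttl ns_records")


def distinct_prefixes(ips, prefix_len=16):
    """Collapse IPs to their covering prefix; flux hosts sit in many networks."""
    return {str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
            for ip in ips}


def in_bailiwick(domain, nameservers):
    """True if every NS hostname lives under the registered domain itself.

    Self-hosted nameservers are a prerequisite for double flux: the operator
    controls the glue records and can rotate them at will.
    """
    d = domain.lower().rstrip(".")
    return all(ns.lower().rstrip(".").endswith("." + d) for ns in nameservers)


def flux_profile(observations):
    """Aggregate churn features over all snapshots."""
    a_ips, ns_ips = set(), set()
    for obs in observations:
        a_ips.update(obs.a_records)
        ns_ips.update(obs.ns_records)
    return {
        "a_unique": len(a_ips),
        "a_prefixes": len(distinct_prefixes(a_ips)),
        "ns_unique": len(ns_ips),
        "ns_prefixes": len(distinct_prefixes(ns_ips)),
        "min_ttl": min(obs.a_ttl for obs in observations),
    }


def classify(domain, nameservers, observations,
             ttl_max=600, churn_min=5, prefix_min=3):
    """Return 'static', 'single-flux' or 'double-flux' (thresholds assumed)."""
    if not observations:
        return "static"
    p = flux_profile(observations)
    a_flux = (p["a_unique"] >= churn_min and p["a_prefixes"] >= prefix_min
              and p["min_ttl"] <= ttl_max)
    ns_flux = (in_bailiwick(domain, nameservers)
               and p["ns_unique"] >= churn_min
               and p["ns_prefixes"] >= prefix_min)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "static"


# Constructed sample data: a churning domain with in-bailiwick nameservers,
# using the NS names from the WHOIS record in the post and TEST-NET IPs.
FLUX_DOMAIN = "freenfltracker.com"
FLUX_NS = ["ns2.freenfltracker.com", "ns3.freenfltracker.com",
           "ns4.freenfltracker.com"]
FLUX_OBS = [
    Observation(["192.0.2.10", "198.51.100.7", "203.0.113.44"], 300,
                ["192.0.2.200", "198.51.100.90"]),
    Observation(["192.0.2.11", "198.51.100.8", "203.0.113.45"], 300,
                ["203.0.113.201", "192.0.2.201"]),
    Observation(["192.0.2.12", "198.51.100.9", "203.0.113.46"], 0,
                ["198.51.100.91", "203.0.113.202"]),
]

# Constructed control: a stable domain with provider-hosted nameservers.
STATIC_DOMAIN = "example.com"
STATIC_NS = ["a.iana-servers.net", "b.iana-servers.net"]
STATIC_OBS = [Observation(["192.0.2.1"], 86400,
                          ["192.0.2.53", "198.51.100.53"])] * 3


if __name__ == "__main__":
    print(FLUX_DOMAIN, flux_profile(FLUX_OBS),
          classify(FLUX_DOMAIN, FLUX_NS, FLUX_OBS))
    print(STATIC_DOMAIN, flux_profile(STATIC_OBS),
          classify(STATIC_DOMAIN, STATIC_NS, STATIC_OBS))
```

In practice the observations would come from repeated resolver queries spaced over hours (the "DNS cache ghost" caveat in the update applies: query an authoritative server or a resolver with a cold cache, not a cache that is still serving an old answer). The in-bailiwick check is what separates the two classes: the same A-record churn with a third-party DNS provider classifies as single-flux only.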

Bad Ju-Ju.

- ferg


UPDATE: 13:45 PDT: Interestingly enough, the WHOIS registration information for this domain now says:

Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name is InActive and will not function.

While that may, or may not, be true, it is still resolving at this moment. I'll see if it is just a DNS cache "ghost" in a few hours...

- ferg
