Comments on: More tales from the online Wild West

by: tjscott

Thu, 15 Nov 2007 22:07:15 +0000

It would appear that the aforementioned search query now returns this very entry as the top hit!

by: Daniel Rutter

Thu, 15 Nov 2007 00:03:09 +0000

True, but in practice it doesn’t seem to be easy. I imagine the nameservers churn about as fast as possible - ns1.b4cf5f189.com is still where it was when I posted the above comment, but ns2.b4cf5f189.com has already moved to 24.147.77.136 (a Comcast address).

Since a domain can have as many as four nameservers, stamping on all of them at once would probably be close to impossible. By the time the home broadband provider responsible for one of them disconnects the customer (which many ISPs have little interest in doing over mere botnet complaints), that box probably won’t even be a nameserver any more.

You could direct your complaint to the domain registrar instead, but for b4cf5f189.com that’s DNS.com.cn, who I have a sneaking suspicion don’t even bother to read abuse mail.

by: Geraint

Wed, 14 Nov 2007 23:01:07 +0000

I’m not sure this really makes the site any less subject to being shut down (either legitimately or via DDOS, depending on whether it’s being shut down by the good guys or by rivals); it would just be shut down at the nameservers instead of the webserver, but the net effect would be the same.

by: Daniel Rutter

Mon, 12 Nov 2007 22:58:54 +0000

(I also feel obliged to direct my readers’ attention to the perfectly fascinating Google ads which this post is attracting.)

by: Daniel Rutter

Mon, 12 Nov 2007 22:56:34 +0000

When you ask DNS for whatever.com, your request is routed to the nameserver(s) specified in that domain’s registration information. For a botnet-hosted site, the nameservers simply keep track of the infected machines at their disposal, and serve up those machines’ IP addresses, one at a time.

At the moment, the nameservers for thebudshop.net are ns1.b4cf5f189.com and ns2.b4cf5f189.com, which are as I write this at 68.16.9.22 (another AT&T address - a bellsouth.net allocation block) and 76.199.114.84 (an SBC Global address), respectively. This means the nameservers are almost certainly also infected PCs.

The nameservers have to remain relatively static. As you say, it takes time for DNS changes to propagate, and that’s what would have to be done for whatever.b4cf5f189.com to be moved to another machine. But as long as the nameservers are up, the botnet can keep hosting sites.

I presume the machines chosen to be nameservers are the more reliable members of the botnet - not your average home PC that’s only on for a few hours a day. They may still only need to be on a pissy home DSL connection, though; I don’t think nameserver traffic for the average spamvertised site is likely to be very high.

by: Dan Gordon

Mon, 12 Nov 2007 19:33:42 +0000

How is it that they can get their domain resolving to all those different IP’s at such a fast rate? Doesn’t it normally take a day or so for a change of IP to propagate through all the DNS servers?

by: will.dutt

Mon, 12 Nov 2007 13:08:53 +0000

interesting, this is so going to stop the DMCA take down notices from working ;)