Pharmacy related sites - the work of CME711?
Over the last few months there have been a large number of domains registered for what appear to be pharmacy-related sites.
Many of the sites are using 5-minute TTLs with multiple A records.
Possibly related, Websense posted this today: http://www.websense.com/securitylabs/blog/blog.php?BlogID=170
Websense believes the spam they have seen is related to Storm/CME711. It's very likely that these domains are also related, but I'm stopping short of claiming that at this time.
~400 examples are:
24storerx.org, aacsrwalty.com, aadwsv.shipany.cn, aaqpsh.flowsame.com, actand.com, aftersilent.com, agoeven.com, agosurface.com, agreecopy.com, agreedoctor.com, aktzu.centurytie.cn, alsochair.com, alsoother.com, alwaysgive.cn, amonggold.com, ancorrect.cn, angerbest.com, ao.drawdecide.com, aokhb.termcrop.com, atg.imagineoh.com, barhair.com, barresult.cn, basicsat.com, baspul.com, bbm.drawdecide.com, beautywest.cn, bestgoodguide.com, bestgrayso.com, besthotelsoxford.com, bestpillstick.com, bestrateon.com, bestwhiteso.com, bestwhitso.com, betweengrass.cn, bhi.wishlisten.com, bigbonger.com, boatnor.cn, bothstill.cn, brightmany.com, bringheart.com, bringpay.cn, brotherwhose.com, buteat.com, buychange.cn, bvogiwr.movesince.com, canwehost.com, cardfresh.cn, carrystood.com, cattable.com, causechild.com, causeshare.cn, centurytie.cn, cheaptmundo.com, chekdirecto.com, chekguia.com, chektierra.com, chickcourse.cn, chiefthird.cn, childturn.cn, chinaonworld.com, colonystone.cn, containadd.com, containyour.com, continueboy.com, continuedouble.com, cooktwo.com, cornerbrother.com, cottondecimal.com, countplace.com, courserule.cn, coverhuman.com, coverpiece.com, creasefine.cn, cureabc.org, dangerwhose.com, davort.com, decidedoor.cn, decideshort.cn, decimalmuch.com, desertother.com, desertsure.com, desertthat.com, develophold.cn, developstudy.com, dgani.throwline.cn, dhino.lookstretch.com, didsoil.com, directdrugred.com, divideif.cn, dkqkao.shallask.com, dogloud.cn, doublespeech.cn, downminute.com, drawdecide.com, ducksong.cn, d.wishlisten.com, e4rxmeds.org, eabch.subtracttree.cn, earlyspot.com, earlywarm.com, eastman.sailhim.com, edgeatom.com, edgegive.com, efp.onewhole.cn, eioow.speeddegree.com, elsedear.com, endlet.cn, entercame.com, eromeds.com, esplhaf.whatshore.com, evenspot.cn, exceptboat.com, experimentshore.cn, factclose.com, fairengine.com, farmmonth.com, fdrei.butseem.cn, feartold.cn, feeddark.com, feedhat.com, fewreason.com, filllead.com, finalmine.com, fitglad.com, 
flategg.com, flatread.com, flatrub.com, flowerfeet.cn, forcechord.com, foundby.cn, foxlawonline.com, friendgun.cn, fromport.cn, fuvlma.suddensilver.cn, fvzyevo.girlroot.cn, fxzhpu.wishlisten.com, gaswent.com, g.greatsoxdirect.com, gladfarm.com, glassneighbor.com, gohour.cn, goldfear.cn, gonwodm.syllablewill.cn, goodmoodman.com, gotdraw.com, goyapas.net, greatsoxdirect.com, groundoil.cn, groupseem.com, growfell.com, guessbegan.com, hadstop.cn, happenrepeat.cn, hardsummer.cn, hasout.com, healthdivision.org, heardweight.cn, heardwinter.cn, heatpractice.cn, heavyclass.com, heavyobserve.com, hopeyoung.com, hoqte.wishlisten.com, hurryrecord.com, iabqs.lightcapital.cn, ideathan.com, iffraction.cn, imagineanimal.cn, imagineoh.com, imscin.troublesea.cn, intereststudy.com, int-pharma.com, iqdod.spokeeye.cn, iteffect.cn, iwihjb.largeprobable.com, joysurprise.com, kcooj.shipany.cn, kebird.com, kemtkbo.vowelthrough.cn, kingrx.org, largeprobable.com, leadposition.cn, learndegree.cn, leastcall.com, lessvoice.cn, levelsmell.cn, liftduck.cn, liftmatter.com, lightcapital.cn, lookstretch.com, lotthink.com, lovelypills.com, lovepharmcheck.com, lowgood.cn, luecq.whothese.com, l.wishlisten.com, matternote.cn, meantplace.com, measureremember.com, medicalplacetrade.com, medisuccess.com, medsalon.org, medsbuzz.org, medscit.com, medselectron.org, medsher.com, medsjumbo.org, medsonline-new.com, medsplacecolor.com, medsqualitynecessary.com, medssuperstore.org, megumw.beginclimb.cn, melodylone.com, memountain.com, middlecircle.cn, miletake.com, minf.imagineoh.com, mixevery.com, mloism.spokeeye.cn, moment4medical.org, monthlength.com, mountainforward.com, mountstate.com, mountwide.com, mouthsell.com, muchwrite.com, musicindicate.com, musiclarge.com, mw.imagineoh.com, my24meds.com, nearred.com, nearvisit.com, neckespecially.cn, neckfavor.com, newpillsfour.com, ninepaint.com, nirmteq.beautywest.cn, nitrousoxideonline.com, nnusint.caughtkept.com, northfit.cn, ns1.kepcar.com, ns1.podezm.com, 
ns1.zipolt.net, ns2.bilepa.com, ns2.podezm.com, ns2.telyxnet.com, ns2.zipolt.net, ns4.medabcs.org, oilhow.com, one-edmeds.com, onlinedrugsset.com, onlyexcept.com, onron.intereststop.cn, ooghh.teachclimb.com, opensrx.org, orderhold.com, orx.wishlisten.com, ourroyaloem.net, ownfull.cn, ownreach.cn, parenthorse.cn, partcolumn.cn, particularprint.com, pathexperiment.com, pav.greatsoxdirect.com, pharma-vo.com, pharm-edone.com, pharmonlineyou.com, pharmplaceleave.com, pharm-x-press.com, piecestreet.com, pills33.com, planetclaim.com, playduring.cn, prettyevery.com, productagain.com, propersince.com, protectphrase.com, provethird.cn, psbq.measureremember.com, psezanm.saycame.com, pushfamily.com, p.wishlisten.com, qaicnlj.servehit.cn, qee.presentfly.com, qourm.takeresult.cn, quiteyour.com, raiseend.com, raisesnow.com, rangepattern.com, rangorp.net, rathershape.com, reasonso.com, requireisland.com, ridepossible.com, risecheck.com, rj.wishlisten.com, rollspeak.com, roomcaught.cn, roothad.cn, roundstand.cn, royaloemsoft.com, rqopsip.amonghand.cn, ruborse.com, rulespring.com, rx800.org, rxcounts.org, rxhandsup.org, rxonlinethe.com, rxqualitypresent.com, safechief.cn, samanthafoxsite.com, samosahead.com, sandnatural.com, scorebed.com, seamoment.com, seasonchance.com, seatfeel.cn, segmentsign.cn, selfoh.com, sentencewe.com, servehit.cn, setcross.cn, settlechord.com, settlelie.cn, settletone.com, shecommon.cn, shefill.com, shipany.cn, singwill.com, sisterexact.com, sitepharmgarden.com, sizetruck.com, sleepburn.cn, snowseat.com, softbestgrand.com, softsiteprovide.com, softwareonlinemuch.com, solvewest.cn, sonrain.com, sosgay.subtracttree.cn, speakgas.com, speakpound.com, speeddegree.com, spokeeye.cn, springexcept.com, squareway.cn, standwheel.com, starsrx.org, statewas.com, stretchstar.com, strongmust.com, subtracttree.cn, suggestgrand.cn, suggestleave.com, suitconnect.com, suitleast.com, surefinal.com, tablewhose.com, tailevent.cn, thanpopulate.com, thebetterredso.com, 
thechiso.com, thepawso.com, theredsoxes.com, thereseason.com, theseatsoxfactory.com, thinspace.cn, thoughtmouth.cn, thoughwalk.com, tmhued.creasefine.cn, to.drawdecide.com, toldexact.com, toldwhere.com, tomdef.com, touchwild.cn, towardvary.com, treecase.com, treetriangle.cn, truckclimb.com, uesjpm.servehit.cn, umajct.subtracttree.cn, unmos.shipany.cn, untilport.cn, uplone.com, verbalso.com, villagedepend.cn, vowellow.com, vowelthrough.cn, walkmore.cn, weekinvent.cn, weekown.com, wfa.drawdecide.com, whatcurrent.com, whensafe.com, whoseour.cn, whothese.com, whyallow.com, willcat.cn, windowloud.com, wintersilent.com, wishlisten.com, wquos.latebring.com, wroteplan.com, wyk.wishlisten.com, xpt.wishlisten.com, xznluo.statejoin.cn, youngchord.com, yourcrease.com, yyoat.suddenfull.com, zkgio.sharecontrol.cn, z.wishlisten.com
These domains share many of the same A records, which is what caught my attention.
More information available as soon as I know more.
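The two traits the post uses to tie these domains together are short TTLs with several A records per name, and A records shared across many names. As an added example (not code from the original post), the Python below parses `dig +noall +answer` style A-record output for a batch of names, flags names whose TTL is at or under five minutes with two or more A records, and groups together every name that shares at least one A record with another. The `SAMPLE_DIG` lines, their IPs and TTLs are constructed sample data and are not taken from the post; the names reuse a few of the listed domains only to make the output readable.

```python
"""Group domains by shared A records and flag short-TTL, multi-A names.

Added example, not from the original post. Input is the text format of
`dig +noall +answer <name>` concatenated for many names; the sample below
is constructed and its IPs/TTLs are not real observations.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `dig +noall +answer` output.
SAMPLE_DIG = """\
alsochair.com.      300  IN  A  198.51.100.10
alsochair.com.      300  IN  A  198.51.100.11
alsochair.com.      300  IN  A  203.0.113.5
barhair.com.        300  IN  A  198.51.100.10
barhair.com.        300  IN  A  203.0.113.5
barhair.com.        300  IN  A  203.0.113.9
buteat.com.         300  IN  A  198.51.100.11
buteat.com.         300  IN  A  203.0.113.9
example.org.      86400  IN  A  192.0.2.1
"""

# name. TTL IN A a.b.c.d   (whitespace between fields may be tabs or spaces)
A_RE = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_answers(text):
    """Return {name: {'ttl': lowest TTL seen, 'ips': set of A records}}."""
    out = {}
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if not m:  # skip comments, blank lines and non-A records
            continue
        name, ttl, ip = m.group(1).lower(), int(m.group(2)), m.group(3)
        rec = out.setdefault(name, {"ttl": ttl, "ips": set()})
        rec["ttl"] = min(rec["ttl"], ttl)
        rec["ips"].add(ip)
    return out


def flux_candidates(records, max_ttl=300, min_ips=2):
    """Names with a TTL of at most max_ttl seconds and min_ips+ A records."""
    return sorted(n for n, r in records.items()
                  if r["ttl"] <= max_ttl and len(r["ips"]) >= min_ips)


def shared_ip_clusters(records):
    """Union-find over names: two names join a cluster if they share any IP.

    Returns clusters as sorted lists, largest cluster first.
    """
    parent = {n: n for n in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for name, r in records.items():
        for ip in r["ips"]:
            by_ip[ip].append(name)
    for names in by_ip.values():
        for a, b in zip(names, names[1:]):
            parent[find(a)] = find(b)

    clusters = defaultdict(set)
    for n in records:
        clusters[find(n)].add(n)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_DIG)
    print("short-TTL, multi-A names:", flux_candidates(recs))
    for cluster in shared_ip_clusters(recs):
        if len(cluster) > 1:
            print("share infrastructure:", ", ".join(cluster))
```

To run it against real data, replace `SAMPLE_DIG` with the concatenated output of `dig +noall +answer` over a domain list; a single cluster that swallows most of the list is the same signal the post describes. Names that resolve to nothing are simply absent from the parsed records, so they will not show up in either report.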
Labels: CME711 Storm, pharmacy spam, phishing, Websense

4 Comments:
How did you get this domain list? Did you check all of them for A records? 8-\
Denis and all:
Over the last few months our email drops have been filling up with pharmacy-related spam. A more recent spam looks like this:
--snip--
Date: Jan 30, 2008 12:30 AM
Subject: Proven effect on your PE enlargement!
FDA-approved blue-pill to treat ED!
http://71.195.165.21/giafp/
--snip--
Once we noticed the trend, we used RUS-CERT's passive DNS replication to check several of the IPs. Using the Linux dig utility we're able to query the domains for their name servers, and Google searches help identify even more domains.
You can click the link at the right hand side of this page and input the IP in question.
If you have a large network, please consider building a sensor for RUS-CERT and contributing to the community.
Could you give the URL to passive DNS replication? :)
Denis,
Sure thing - The link is on the right hand side of the page under "Recommended Sites" or you can cut and paste the following URL into your browser:
http://cert.uni-stuttgart.de/stats/dns-replication.php