Comment spam: drive-by sites, domains and spyware – analysis, samples and facts

blog/web spam is not the next spam medium, it is spam plain and simple. people, including some anti spam experts, just don’t realize how big it all is. it’s not only about spam, it is about spyware, bots and breaking into computers.
how about i provide some facts?

below are some selected spam samples from one of the high-traffic blogs i help maintain. some of them are included to make the repeat-offenders point, showing the different ip addresses that attacked us from a botnet/proxy list of compromised (broken into) systems.

note: the url’s quoted are not safe. do not go there unless you know what you are doing. responsibility is yours alone.

as an example, take a look at:
http://w ww.hackologie.tk/

it is a site for a drive-by. spyware you say? find out. :)

below, further in the text, i start an analysis, showing hundreds of dns rr’s pointing to just one of the ip’s you will find when looking at the a records for that site.

this is indeed one of the uses for the new black-list some of us are creating: a cooperative effort to compare spams across different blogs, analyze them, find distinct groups and block them, as well as terminate their domain names.

further – it’s a nice way to find their new trojan horses and spyware, as well as their new domains. these samples will then be reported to anti virus and anti spyware vendors; just as we will work to terminate the domains, we will also work to make their malware useless.

the malware proves that most of these guys are not just annoying spammers abusing our services, aup’s, users and privacy. it proves they break into computers, and that they try to break into ours as well.

anti spam projects will get a feed so that whatever medium they spam, we will all cooperate to kick them back.

so far some of the biggest blogging sites online have enlisted in our effort (which is not limited to this); we will see what happens.

my previous (most recent) post on this subject can be found here:
http://blogs.securiteam.com/index.php/archives/285

some more analysis on the bad site i spoke of above as an example:

a full analysis will take time i don’t have, so let’s just show a few teasers to get you curious!

“due to restrictions in dot tk’s privacy statement personal information about the user of the domain name cannot be released.”

^^^ ain’t that convenient?

domain              type  class  ttl    answer

hackologie.tk.      mx    in     86400  mx-host.dot.tk. [preference = 20]
hackologie.tk.      a     in     300    62.129.131.38
hackologie.tk.      a     in     300    217.115.203.21
hackologie.tk.      a     in     300    195.20.32.104
hackologie.tk.      a     in     300    209.172.59.193
hackologie.tk.      a     in     300    217.119.57.19
tk.                 ns    in     86400  root-g.taloha.tk.
tk.                 ns    in     86400  ns-a.taloha.tk.
tk.                 ns    in     86400  ns-b.taloha.tk.
tk.                 ns    in     86400  ns-c.taloha.tk.
tk.                 ns    in     86400  root-a.taloha.tk.
tk.                 ns    in     86400  root-b.taloha.tk.
tk.                 ns    in     86400  root-c.taloha.tk.
tk.                 ns    in     86400  root-d.taloha.tk.
tk.                 ns    in     86400  root-e.taloha.tk.
tk.                 ns    in     86400  root-f.taloha.tk.
root-g.taloha.tk.   a     in     21600  217.68.243.17
ns-a.taloha.tk.     a     in     21600  62.41.22.202
ns-b.taloha.tk.     a     in     21600  195.11.245.84
ns-c.taloha.tk.     a     in     21600  216.38.132.90
root-a.taloha.tk.   a     in     21600  194.109.152.138
root-b.taloha.tk.   a     in     21600  195.20.32.102
root-c.taloha.tk.   a     in     21600  207.36.228.217
root-d.taloha.tk.   a     in     21600  217.199.176.121
root-e.taloha.tk.   a     in     21600  66.36.231.236
root-f.taloha.tk.   a     in     21600  202.125.44.173

just a few of the dns rr’s pointing to just one of the ip addresses:


i don’t even want to hazard a guess as to what i would find if i followed every host and every ip address, and then looked at what each ns is hosting and kept following…

time for other baddies in the following blog spam samples:

details are given in the following order:
title
nickname entered
e-mail entered
ip posted from
url entered
url’s found in the post data (contents)

not all fields are present in all the below posts.
some of the links below break.
not all these host malware, some are just annoying spam.

all these links are to be considered not safe. visit at your own risk.
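as an added example (my own code, not part of the post or of the black-list project it describes), here is the cross-blog comparison from above done on samples in the post’s own field format: parse the records, then flag ip’s that posted more than once and url hosts pushed from more than one ip. the input embeds four of the post’s own samples; the function names are mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Input copied from four of the post's own samples, URLs kept defanged ("w ww").
SAMPLES = """\
notebook computer ac
ip: 200.121.71.53
url: http://w ww.notebook-computers.com-infor.com

cheap laptop skins
e-mail: shopcart963@yahoo.com
ip: 200.121.71.53
url: http://w ww.cheap-laptops.com-infor.com

google pr main
e-mail: sdb6xgc@email.com
ip: 202.58.85.8
url: http://w ww.pr.com

http://w ww.pr.com/contacts/

pagerank main
ip: 140.134.4.80
url: http://w ww.pr.com
"""

FIELD = re.compile(r"^(author|e-mail|ip|url):\s*(.*)$")

def host_of(url):  # re-join the defanged URL and drop a leading "www."
    return re.sub(r"^www\.", "", urlsplit(url.replace(" ", "")).hostname or "")

def parse_samples(text):
    """A record starts at any line that is neither a field nor a bare URL."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FIELD.match(line)
        if m and m.group(1) != "url":
            records[-1][m.group(1)] = m.group(2)
        elif m or line.startswith("http"):  # url field or extra body link
            records[-1]["hosts"].add(host_of(m.group(2) if m else line))
        else:
            records.append({"title": line, "hosts": set()})
    return records

def correlate(records):
    """Return (ips that posted more than once, hosts pushed from >1 distinct ip)."""
    posts_by_ip, ips_by_host = defaultdict(int), defaultdict(set)
    for r in records:
        posts_by_ip[r["ip"]] += 1
        for h in r["hosts"]:
            ips_by_host[h].add(r["ip"])
    repeat_ips = {ip for ip, n in posts_by_ip.items() if n > 1}
    blocklist = {h for h, ips in ips_by_host.items() if len(ips) > 1}
    return repeat_ips, blocklist
```

a host that shows up from several unrelated ip’s is the botnet/proxy pattern the post describes, and is a better block-list candidate than any single posting ip.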

notebook computer ac
author: notebook computer accessories
e-mail: netsecu11@yahoo.com
ip: 200.121.71.53
url: http://w ww.notebook-computers.com-infor.com

laser cutting servic
author: laser cutting service
e-mail: laser-cutting-service@craigrom.com
ip: 200.117.186.202
url: http://w ww.laser-cutting-pro.info/laser-cutting-service/laser-cutting-services.html

cheap laptop skins
e-mail: shopcart963@yahoo.com
ip: 200.121.71.53
url: http://w ww.cheap-laptops.com-infor.com

benozor77
e-mail: webmaster@hackologie.tk
ip: 82.65.181.88
url: http://w ww.hackologie.tk/

allegra
e-mail:
ip: 203.162.27.81
url: http://w ww.20mbweb.com/health/allegra/

allegra
e-mail:
ip: 202.58.85.6
url: http://w ww.20mbweb.com/health/allegra/

google pr main
e-mail: sdb6xgc@email.com
ip: 202.58.85.8
url: http://w ww.pr.com

http://w ww.pr.com/contacts/

google pr main
e-mail: mci6r4b@lycos.com
ip: 213.249.155.240
url: http://w ww.pr.com

http://w ww.pr.com/contac
http://w ww.pr.com

pagerank main
e-mail: cfz6qf2@search.com
ip: 140.134.4.80
url: http://w ww.pr.com

http://w ww.pr.com/improvep
http://w ww.pr.com/linksale/
http://w ww.pr.com

online directory mai
author: online directory main
e-mail: ybww8h9@ebay.com
ip: 207.225.139.26
url: http://w ww.yp.com

http://w ww.yp.com/sweden/

online directory mai
author: online directory main
e-mail: blcr4cw@hotmail.com
ip: 140.134.4.80
url: http://w ww.yp.com

http://w ww.yp.com/sweden
http://w ww.yp.com

google pr main
e-mail: zjfzw3f@mail.ru
ip: 213.249.155.240
url: http://w ww.pr.com

http://w ww.pr.com/contacts/

google pr main
e-mail: hejlj0e@email.com
ip: 207.225.139.26
url: http://w ww.pr.com

http://w ww.pr.com/contac
http://w ww.pr.com

pagerank main
e-mail: eqnm7ht@yahoo.com
ip: 140.134.4.80
url: http://w ww.pr.com

http://w ww.pr.com/improvep
http://w ww.pr.com/linksale/
http://w ww.pr.com

yellow pages main
e-mail: smlrkt2@hotmail.com
ip: 66.232.147.211
url: http://w ww.yp.com

http://w ww.yp.com/india/
http://w ww.yp.com/china/
http://w ww.yp.com

no-deposit-casino
ip: 81.31.160.4
url: http://c asino2006.ca.funpic.de/no-deposit-casino.htm

swimsuits
e-mail: akochgdls@qlog.com
ip: 203.162.27.87
url: http://z oomy.home.sapo.pt/ljqff/human.html

http://z oomy.home.sapo.pt/ljqff/ebo
http://z oomy.home.sapo.pt/toon/2qz342llxv/cartoonmanga.html

phentermine
e-mail: contact@phentermine-support.com
ip: 202.58.85.6
url: http://w ww.phentermine-support.com

http://b ingo.up-a.com
http://w ww.cheapest-viagra-source.com
http://t amiflu.usa-online-pharmacy.net
http://w ww.viagra-here.com
http://w ww.viagra-exchange.com
http://w ww.0-online-casino.us
http://w ww.0-poker.biz
http://w ww.phentermine-support.com
http://w ww.casino-focus.com/

lorazepam
ip: 68.60.116.167
url: http://l orazepam1.lo.funpic.de/lorazepam.htm

gadi evron,
ge@beyondsecurity.com.

  • http://www.longren.org/ tyler

    I had some really weird looking comment spam slip through Spam Karma last night. Never seen the likes of it before.

  • sunshine

    We all have enough spam, especially in this post. Want to email it to me so I take a look? :)

  • Pingback: Spam Huntress » Blog Archive » The connection between webspam and zombies

  • Pingback: SecuriTeam Blogs » Comment spam and Xanga: create blogs to spam to?

  • http://ice.breaker.free.fr/ pr00t

    lol, it’s my old website. ;)

  • http://www.cathetel.com Malliobiana

    I thought the idea behind a Blog was that it was an almost daily communicator, which like brushing your hair, can be maintained readily with just a bit of effort. So why the complaint about unsolicited commercial advertising? Just check back every so often, add your latest comment, and delete the obvious spam. What could be more easy?

  • http://www.johnbecksamazingprofits.com/ john beck mentoring

    Hi, It was good reading your post! I’ve been hearing about John Beck’s program these days. My colleague also purchased the system to use it as a side business work.