Pump out the gunk?
Paris, Oh please, I *really* don't need to explain that do I?
One of the three botnets cut off by the shutdown of rogue ISP McColo is back in business. The Mega-D botnet is back on its feet and throwing off huge volumes of spam, net security firm Marshal8e6 reports. The botnet - best known for spamvertising adverts for penis pills - has been linked back to a network of compromised zombie …
No firmer terror than these firms, I'd'a thought. Wish someone would tell the Homeland Security (snigger) folks that spam is funded by you-know-who so they'd take the bastards/freedom fighters out with tasers, gas and cluster (geddit?) bombs. Of course our collective dick would shrink, but the price of freedom is eternal detumescence.
(Paris cos she likes firma things, likes to be taken out, but scratches her *** a bit over the detumescence thingy)
Yeah, I did notice a fall, then a rise again. What's much more freaking annoying is that they are using my own ISP-based e-mail address, either directly or adding 1 or 2 characters to it, and sending it to me. I mean, I could send e-mail out on email@example.com and it would be from me, but it's being sent from firstname.lastname@example.org etc. to me. It's truly funny but annoying / depressing all the same. Thankfully I can report it, and I could always look back and see where much of the "originating" was done as well as where the "links" are hosted.
I seem to remember seeing "cnc-noc" a lot.
Well, I have a just cause...
I can confirm much of this article from my own weekly automated reports about SSH attacks and spam rejects. The number of spam rejects dropped suddenly to a quarter when the McColo net was taken down. But the number of IP addresses getting locked out for SSH brute-force password guesses trying to break into my Linux-hosted server quadrupled immediately afterwards. (If your logs show you have this problem, denyhosts is well worth installing.) It seems the botnets still under criminal control were being used to try to get more Linux servers under their control as level 2 C+C servers. Level 1 in their C+C network seems to be a few machines under long-term criminal control, presumably in a country where they can bribe the authorities to stay out of their way. Level 3 seems to be compromised Windows PCs, and level 2 are compromised Linux servers. This arrangement presumably allows for more plausible deniability as to the location, use and purpose of the level 1 servers.
If you get spam from their network it will be from a level 3 machine likely to be located anywhere, as they are less likely to want to get their level 2 systems blacklisted.
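The log check this commenter describes, as an added example that is not part of the thread or of denyhosts itself: a short script that counts failed sshd password attempts per source address in constructed sample log lines and flags the addresses over a threshold, which is the kind of rule denyhosts applies before blocking a host. The syslog line format, the threshold of 3 and the sample addresses (from the documentation ranges) are assumptions.

```python
"""Flag SSH brute-force sources from sshd log lines (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# Assumed OpenSSH syslog format: "<timestamp> <host> sshd[<pid>]: Failed password for
# [invalid user] <user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log; 203.0.113.5 and 192.0.2.77 guess passwords, 198.51.100.7 is
# a legitimate user who mistyped once and then logged in with a key.
SAMPLE_LOG = """\
Nov 26 03:14:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Nov 26 03:14:03 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Nov 26 03:14:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Nov 26 03:14:09 host sshd[1207]: Failed password for root from 203.0.113.5 port 51055 ssh2
Nov 26 03:14:12 host sshd[1209]: Failed password for root from 203.0.113.5 port 51060 ssh2
Nov 26 03:20:44 host sshd[1300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Nov 26 03:20:51 host sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2
Nov 26 04:01:10 host sshd[1400]: Failed password for invalid user test from 192.0.2.77 port 60001 ssh2
Nov 26 04:01:11 host sshd[1402]: Failed password for invalid user test from 192.0.2.77 port 60002 ssh2
Nov 26 04:01:12 host sshd[1404]: Failed password for invalid user guest from 192.0.2.77 port 60003 ssh2
"""

def summarize(log_text):
    """Return {ip: (failed_count, sorted distinct usernames tried)} from sshd log text."""
    fails = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        fails[m.group("ip")] += 1
        users[m.group("ip")].add(m.group("user"))
    return {ip: (n, sorted(users[ip])) for ip, n in fails.items()}

def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed passwords, busiest first."""
    summary = summarize(log_text)
    flagged = [ip for ip, (n, _) in summary.items() if n >= threshold]
    return sorted(flagged, key=lambda ip: -summary[ip][0])

if __name__ == "__main__":
    for ip in brute_force_sources(SAMPLE_LOG):
        n, tried = summarize(SAMPLE_LOG)[ip]
        print(f"{ip}: {n} failed passwords, usernames tried: {', '.join(tried)}")
```

Pointing it at /var/log/auth.log (or the journal's sshd output) instead of the sample gives the per-address list the commenter's weekly reports would contain; the one-off failure from the legitimate user stays below the threshold.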
Biting the hand that feeds IT © 1998–2019