This Newman, Esmond & Eisenberg LLP fraud uses a website stolen from the genuine company Neal, Gerber & Eisenberg LLP, who are a Chicago based law firm. This fraud is just the latest in a long line that have recently included Harvey Investment, Draper Investment, Sydney Car Centre, Cronos Investment and lastly the Waller Truck Co. fraud, to name but five. Its sole purpose is to lend a glossy legitimacy to a fraud website, (stolen from a genuine company), which is hosting a money laundering mule job that is heavily spamvertised by highly characteristic spams that contain the same Bayesian avoidance 'white text' code as all the other frauds mentioned along with the current and past runs of 'Rockphish' phishing spams.
A Google search for Newman, Esmond & Eisenberg LLP only throws up hits for this criminal's numerous different fraud domains, (usually suspended), and listings from various anti-fraud & anti-spam sites. However, the fraudulent company Newman, Esmond & Eisenberg should not be confused with any possible similarly named companies.
The Newman, Esmond & Eisenberg LLP fraud website is currently hosted by a zombie botnet in exactly the same manner as all the previous aliases mentioned above.
If you've either received an active website link in a spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.
The above table shows the current providers of hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not.
Misc. Other Hosts
Turktelekom - 212.174.25.241
JSC "EnginiaSystem" Network - 81.9.106.17
JSC Electrosvyaz of Buryatia Republic (burnet.ru) - 212.0.85.6
Sripatum University/KSC Commercial Internet Co. Ltd - ns2.newmanesrg.com [202.44.71.148]
Orange Nederland Breedband B.V. - 85.150.209.34
If you are an abuse team that has taken action, please let me know so that I can update the current status by removing the record.
Newman, Esmond & Eisenberg : Evidence of Criminal Fraud
i) The criminal fraudsters have stolen the website of the genuine Neal, Gerber & Eisenberg LLP as detailed above - this fraud is exactly the same as his Harvey Investment, Draper Investment, Cronos Investment frauds etc. with a new company as the victim.
ii) The bogus websites are zombie botnet hosted as demonstrated by the DNS data below, and the nameserver ns1.biosigndata.com was also used by the Adamant Global Fraud.
iii) The criminal's spams, (example below), contain the illegal clear money mule function of accepting payments into a private bank account and transferring them back out to the criminals less 10% via Moneygram or Western Union.
iv) The Newman, Esmond & Eisenberg website contains the usual smokescreen of bogus jobs but among them is the following part-time, working from home, clear money mule function advertised as "Customer Service Associate":
Customer service associate
This is a part time job position, that enquires 1-2 hours a day to be dealt with. The candidate will be responsible for dealing with the customer payments in his local area, this will include: monitoring the payments to arrive on his banking account, making calculations regarding each payment, transmitting the payments further to the regional business partners, associates and branches by the means of Western Union or Money Gram services and being in an interactive communication with the headquaters continiously.
The successful applicant will have computer literacy coupled with the ability to communicate at a good level and will enjoy being flexible, enthsiastic and driven.
The applicant can expect a part-time working agreement to be signed up after the trial period is over. The employee is paid on a regular basis in the end of every month, as well as he gets a 10% commission out of each customer payment he has dealt with.
The main aim of the role is to attract new customers by offering them the high-speed delivery of their orders and to fasten customer payment delivery by prompt collection of their payments.
Notice the usual illiterate "fasten customer payment" which appears in numerous other scams from this fraudster.
v) On their bogus website they claim: "Today, Newman Esmond Eisenberg is a firm of over 200 attorneys spanning 22 practice groups". A Google search for "Newman, Esmond & Eisenberg" throws up zero hits as a genuine company, although there are many suspended domains and fraud website listings.
vi) All of the criminal's domains were registered with different registrars in the last few days.
vii) Domains have totally different bogus whois data although they are used for the same fraud website.
viii) The Newman, Esmond & Eisenberg spam contains forged header information and the usual Bayesian filter avoidance 'white text' code that irrefutably links it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases along with the 'rockphish' phishing criminals.
ix) The criminal's prolific spam is zombie botnet distributed as is easily demonstrated by the source IPs.
x) The criminal's spams are all signed by different random names - they appear to have an infinite number of fake 'employees'.
The above evidence clearly demonstrates beyond any doubt that this stolen Newman, Esmond & Eisenberg website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a stolen copy of the genuine Neal, Gerber & Eisenberg LLP site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.
Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.
Newman, Esmond & Eisenberg Fraudsters - current hosting details.
[Domain table: only the status column (Suspended, Parked, Active, Unhosted, DNS Looped, DNS Failure) and the registrar/registration-date column survive in this copy; the domain names and hosts are not preserved.]
Registrar (registration date) entries from the table: Spiritdomains/IARegistry (19-Oct-2007); Spiritdomains/IARegistry (19-Feb-2008); Register.com (07-Feb-2008); Register.com (07-Feb-2008); IARegistry/Spiritdomains (07-Feb-2008); Register.com (23-Feb-2008); Register.com (25-Feb-2008); Spiritdomains/IARegistry (27-Feb-2008); Register.com (25-Feb-2008); Register.com (27-Feb-2008); KEY-SYSTEMS GMBH (Imena.ua) (07-Mar-2008); Spiritdomains/IARegistry (07-Mar-2008); Register.com (07-Mar-2008); KEY-SYSTEMS GMBH (Imena.ua) (04-Mar-2008); KEY-SYSTEMS GMBH (Imena.ua) (11-Mar-2008); INTERNET INVEST, INC. DBA IMENA.UA (28-Mar-2008); Spiritdomains/IA Registry (28-Mar-2008); REGISTER.COM, INC. (28-Mar-2008); INTERNET INVEST, INC. DBA IMENA.UA (29-Mar-2008); REGISTER.COM, INC. (03-Apr-2008); Spiritdomains/IA Registry (03-Apr-2008); REGISTER.COM, INC. (07-Apr-2008).
Please notify me of any errors or domains not listed here.
Notes for Registrars
i) The Newman, Esmond & Eisenberg criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers & his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. All of the criminal's botnet nameservers are - ns1.mmbopc.com, ns1.iwarzone.com, ns1.bonoxc.com, ns1.walillc.com, ns1.uneedmc.com, ns1.callsroar.com, ns1.book-xm.com
ii) The criminal's domains have different false whois registration data.
iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is preferred, please.
The Spam Content
The Newman, Esmond & Eisenberg spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.
This is the content of an actual Newman, Esmond & Eisenberg scam spam:
Newman, Esmond, & Eisenberg LLP is a Berne-based law firm providing legal services to a diverse group of clients in a wide array of domestic and global business transactions and litigation matters. Our clients include privately and publicly held companies, financial institutions, not-for-profit organizations and high net worth individuals. Our client base reflects virtually every business industry, including a number of Fortune 100 companies.
Our company has a current opening for a part-time position of a Customer Service Associate. Join a team of professionals dedicated to the international growth, brand recognition, and successful partnering with clients to achieve exceptional expansion.
This is a part time job position, that enquires 1-2 hours a day to be dealt with. The candidate will be responsible for dealing with the customer payments in his local area; this will include: monitoring the payments to arrive on his banking account, making calculations regarding each payment, transmitting the payments further to the regional business partners, associates and branches by the means of Western Union or Money Gram services and being in an interactive communication with the headquaters continiously.
The successful applicant will have computer literacy coupled with the ability to communicate at a good level and will enjoy being flexible, enthsiastic and driven.
The applicant can expect a part-time working agreement to be signed up after the trial period is over. The employee is paid on a regular basis in the end of every month, as well as he gets a 10% commission out of each customer payment he has dealt with.
The main aim of the role is to attract new customers by offering them the high-speed delivery of their orders and to fasten customer payment delivery by prompt collection of their payments.
In NEE LLP we believe, that career is more than a job. It's about skills training. Competitive salaries. Flexible scheduling. Comprehensive benefits. Job satisfaction. At NEE LLP, we offer all this and more. Because we want to help you enjoy your work… and your life.
If you feel interested in a position, please visit our web-site to apply now!
If you have any questions, please do not hesitate to contact us.
Please consider, this is not a spam distribution. Your contact details were kindly put into our disposal by our partners: www.monster.com and www.careerbuilder.com.
We are looking to hearing from you asap,
Yours sincerely, Jayson Sanders
Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike. It's normally in 'whitetext' so it's invisible, but here I've greyed it in.
Searching for neegl.org A record at m.root-servers.net [202.12.27.33]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.) [took 139 ms]
Searching for neegl.org A record at C0.ORG.AFILIAS-NST.INFO. [199.19.53.1]: Got referral to ns2.biosigndata.com. (zone: neegl.org.) [took 67 ms]
Searching for neegl.org A record at ns2.biosigndata.com. [212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns2.biosigndata.com. [212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns1.biosigndata.com. [194.169.192.131]: Reports neegl.org. [took 138 ms]
Response:
Domain                 Type  Class  TTL   Answer
neegl.org.             A     IN     1800  89.136.146.112
neegl.org.             A     IN     1800  89.178.108.90
neegl.org.             A     IN     1800  91.196.44.203
neegl.org.             A     IN     1800  79.114.92.75
neegl.org.             A     IN     1800  82.37.145.218
neegl.org.             A     IN     1800  86.123.247.45
neegl.org.             A     IN     1800  89.33.91.15
neegl.org.             NS    IN     1800  ns2.biosigndata.com.
neegl.org.             NS    IN     1800  ns1.biosigndata.com.
ns1.biosigndata.com.   A     IN     1800  194.169.192.131
ns2.biosigndata.com.   A     IN     1800  212.78.44.91
Looking up at the 2 neegl.org. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.biosigndata.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable.
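The reading this page applies to each answer set (seven A records on unrelated networks, a 1800 s TTL, a controller nameserver hosted somewhere else, a nameserver domain from the registrar list further down) can be turned into a check an abuse desk can run over a lookup. The following Python is an added example, not code from this page or from bobbear.co.uk; it parses the Domain/Type/Class/TTL/Answer layout shown above, runs on the neegl.org records quoted above plus a constructed ordinary-hosting sample, and its thresholds (five hosts, five /16 networks, 3600 s, three indicators) are assumptions.

```python
"""Zombie-botnet (fast-flux) check over a DNS answer set in the
Domain / Type / Class / TTL / Answer layout quoted on this page.
Thresholds (5 hosts, /16 spread, 3600 s TTL, 3 reasons) are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample: the neegl.org answer set quoted on this page.
FLUX_RESPONSE = """
neegl.org.             A   IN  1800  89.136.146.112
neegl.org.             A   IN  1800  89.178.108.90
neegl.org.             A   IN  1800  91.196.44.203
neegl.org.             A   IN  1800  79.114.92.75
neegl.org.             A   IN  1800  82.37.145.218
neegl.org.             A   IN  1800  86.123.247.45
neegl.org.             A   IN  1800  89.33.91.15
neegl.org.             NS  IN  1800  ns2.biosigndata.com.
neegl.org.             NS  IN  1800  ns1.biosigndata.com.
ns1.biosigndata.com.   A   IN  1800  194.169.192.131
ns2.biosigndata.com.   A   IN  1800  212.78.44.91
"""

# Constructed contrast: ordinary hosting (two hosts in one /24, long TTL,
# nameserver in the same network; RFC 5737 documentation addresses).
PLAIN_RESPONSE = """
example.test.          A   IN  86400 203.0.113.10
example.test.          A   IN  86400 203.0.113.11
example.test.          NS  IN  86400 ns1.example.test.
ns1.example.test.      A   IN  86400 203.0.113.53
"""

# Nameserver domains this page names as the criminal's botnet controllers.
KNOWN_BOTNET_NS_DOMAINS = {
    "biosigndata.com", "mmbopc.com", "iwarzone.com", "bonoxc.com",
    "walillc.com", "uneedmc.com", "callsroar.com", "book-xm.com"}


def parse_records(text):
    """Parse 'name type class ttl answer' lines; header and blanks are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        name, rtype, rclass, ttl, answer = parts
        records.append((name.lower(), rtype.upper(), rclass.upper(),
                        int(ttl), answer.lower()))
    return records


def parent_domain(host):
    """'ns1.biosigndata.com.' -> 'biosigndata.com'."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def assess(records, min_hosts=5, max_ttl=3600, known_ns=KNOWN_BOTNET_NS_DOMAINS):
    """Return {name: [reasons]} for every name that carries NS records."""
    def net16(ip):
        return ipaddress.ip_network(f"{ip}/16", strict=False)

    a_records = defaultdict(list)   # name -> [(ttl, IPv4Address)]
    ns_records = defaultdict(list)  # name -> [nameserver host]
    for name, rtype, _cls, ttl, answer in records:
        if rtype == "A":
            a_records[name].append((ttl, ipaddress.ip_address(answer)))
        elif rtype == "NS":
            ns_records[name].append(answer)

    findings = {}
    for name, ns_hosts in ns_records.items():
        hosts = a_records.get(name, [])
        host_nets = {net16(ip) for _ttl, ip in hosts}
        ttls = [ttl for ttl, _ip in hosts]
        ns_nets = {net16(ip) for ns in ns_hosts
                   for _ttl, ip in a_records.get(ns, [])}
        reasons = []
        # Infected home PCs sit on many different ISPs; a real hosting
        # cluster does not span five or more unrelated /16 networks.
        if len(hosts) >= min_hosts and len(host_nets) >= min_hosts:
            reasons.append(f"{len(hosts)} A records spread over "
                           f"{len(host_nets)} different /16 networks")
        if ttls and max(ttls) <= max_ttl:
            reasons.append(f"TTL {max(ttls)}s lets the host list rotate quickly")
        if ns_nets and ns_nets.isdisjoint(host_nets):
            reasons.append("nameservers (the controller) sit outside every host network")
        flagged = sorted({parent_domain(ns) for ns in ns_hosts} & known_ns)
        if flagged:
            reasons.append("nameserver domain on the known botnet list: " + ", ".join(flagged))
        findings[name] = reasons
    return findings


def looks_like_zombie_botnet(reasons, min_reasons=3):
    """Verdict: three or more independent indicators present."""
    return len(reasons) >= min_reasons


if __name__ == "__main__":
    for text in (FLUX_RESPONSE, PLAIN_RESPONSE):
        for name, reasons in assess(parse_records(text)).items():
            print(name, "ZOMBIE BOTNET" if looks_like_zombie_botnet(reasons) else "ordinary", reasons)
```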
I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.
Blocking The Spam
I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail). Rules based on the From, To etc. addresses will never work as the header data is all forged. The message body remains constant, however, & that can be used to detect them. Use the rule "Where the message body contains specific words" and use "Newman, Esmond, & Eisenberg" as the search item, then choose 'delete' (or whatever action you prefer) as the action, and that will definitely detect every single one of these spams.
If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window): <a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
Fraud Blog
Initial entry 21st. February 2008
***Latest News*** - 23rd. February 2008
The criminal has had his nameserver domain suspended by Spiritdomains. His new one is TOTDCOM.COM. His botnet is still located on the Funke Internet Services Ltd. IP 194.169.192.131. They have not responded to an abuse report.
Searching for neei.la A record at e.root-servers.net [192.203.230.10]: Got referral to NS0.CENTRALNIC.NET. (zone: la.)
Searching for neei.la A record at NS0.CENTRALNIC.NET. [213.146.149.169]: Got referral to ns1.totdcom.com. (zone: neei.la.)
Searching for neei.la A record at ns1.totdcom.com. [194.169.192.131]: Reports neei.la.
Response:
Domain                 Type  Class  TTL   Answer
neei.la.               A     IN     1800  89.137.200.165
neei.la.               A     IN     1800  62.231.91.77
neei.la.               A     IN     1800  79.114.90.75
neei.la.               A     IN     1800  79.114.221.130
neei.la.               A     IN     1800  82.79.233.221
neei.la.               A     IN     1800  84.108.239.70
neei.la.               A     IN     1800  89.43.205.130
neei.la.               NS    IN     1800  ns2.totdcom.com.
neei.la.               NS    IN     1800  ns1.totdcom.com.
ns1.totdcom.com.       A     IN     1800  194.169.192.131
ns2.totdcom.com.       A     IN     1800  67.74.18.77
Looking up at the 2 neei.la. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.totdcom.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 25th. February 2008
Information supplied by site contact -
The criminal has already had his nameserver domain totdcom.com suspended by Spiritdomains and is now using a new one - my-cpm.com registered with Register.com.
DNS data: (neegl.org, neemi.tl, eisllpc.tl)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.my-cpm.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131, (notified of abuse 22nd. Feb - no response to date), is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
The criminal has also drafted into service his zombie botnets that he used for his Waller Truck fraud using nameserver domains regtoo.com and iprintworld.com along with new main domains neegl.com (Spiritdomains, ns1.iprintworld.com), neellp.com (Spiritdomains, ns1.regtoo.com), and neellp.net (Spiritdomains, ns1.regtoo.com). Both zombie botnets are hosted on a SoftLayer Technologies Inc. (vpswelcome.com) IP (74.86.253.100).
DNS Data: (neegl.com)
Looking up at the 2 neegl.com. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iprintworld.com hosted by SoftLayer Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
DNS Data: (neellp.com, neellp.net)
Looking up at the 2 neellp.com. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.regtoo.com hosted by SoftLayer Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 26th. February 2008
Response from Funke Internet Services - hosting of ns1.my-cpm.com [194.169.192.131] has been ceased.
***Latest News*** - 27th. February 2008
Nameserver domain my-cpm.com has been suspended by Register.com and has been replaced by form-cm.com (Register.com - 23-Feb-2008)
New zombie botnet DNS data: (neegl.org, neemi.tl, eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Network Operations Center Inc., (BurstNET Technologies, Inc.™), on IP 64.191.119.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - Domain regtoo.com suspended
New Botnet DNS Data: (neellp.org):
Looking up at the 2 neellp.org parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.alkgrp.com hosted by Globale Internet InfoAccess (vexxhost.com) on IP 65.38.67.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
DNS Data: (neer.la)
Looking up at the 2 neer.la parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iprintworld.com hosted by PF-Pintiliescu-Paul (Maxnet.ro) on IP 89.33.8.17 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The criminal has had his Burst.net botnet disconnected... New details:
DNS Data (neegl.org, neemi.tl, eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Cogentco.com, (Performance Systems International Inc.) on IP 38.103.164.11 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
I see that they are back with a regular supplier of services to these criminals, Cogentco.com, (Performance Systems International Inc.) on IP 38.103.164.11
Later - The crook seems to be hopping about with his botnet hosting, I wonder if this is a new tactic - he's now with yet another of his regulars - Net Access Corporation:
DNS Data (neemi.tl, eisllpc.tl, neeg.la)
Looking up at the 2 eisllpc.tl. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Net Access Corporation (Moxiehosting) on IP 64.21.48.156 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 28th. February 2008
New domain reported by site contact - neer.la - hosted on PF-Pintiliescu-Paul (Maxnet.ro) zombie botnet.
New domain reported by site contact - neellp.org - hosted on Globale Internet InfoAccess (vexxhost.com) zombie botnet.
New domain spotted in the wild - neeg.la - hosted on the Net Access Corporation (Moxiehosting) zombie botnet.
***Latest News*** - 29th. February 2008
Various domains suspended and Vexxhost hosting ceased
Later: New domain reported by site contact - newesei.tl
Looking up at the 2 newesei.tl parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Net Access Corporation (Moxiehosting) on IP 64.21.48.156 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 1st. March 2008
Domain newesei.tl suspended by registrar - no operational domains known.
Later - New domain reported by site contact - neween.tl on new botnet:
DNS Data: (newese.org, neegr.la)
Looking up at the 2 newese.org parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: - New domain reported by site contact (neel.la) on new botnet:
DNS Data: (neel.la)
Looking up at the 2 neel.la parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mm-garden.com hosted by PF-Pintiliescu-Paul (Jump.ro) on IP 89.33.8.17 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 2nd. March 2008
New domain spotted in the wild - newese.org - hosted on the ns1.minkot.com controlled botnet (currently Network Operations Center Inc./Burst.net (Geek Rack Networks))
Later - The above Jump.ro zombie botnet has gone, replaced by one on IP 65.75.191.14
DNS Data (neegl.net, neegl.biz)
Looking up at the 2 neegl.net parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mm-garden.com hosted by WEBHOSTPLUS-INC (theserverdoctor.com) on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
The criminal has a third zombie botnet on the go using botnet controller/nameserver ns1.notice-mm.com [78.110.164.34] hosting domain neellp.org
DNS Data (neellp.org):
Looking up at the 2 neellp.org. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by VAServe LTD on IP 78.110.164.34 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
***Latest News*** - 3rd. March 2008
Two new domains reported by site contact - newese.com and newese.biz both hosted on the ns1.minkot.com botnet controller which is now on a new host as follows:
DNS Data (newese.org, newese.com and newese.biz):
Looking up at the 2 newese.com. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by OthelloColo.net (Tidyhosts.com) on IP 194.150.121.44 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The IP 194.150.121.44 was last used by the Silverlens fraudster to host his botnet nameserver ns1.listns.com.
Later - new domain notified by site contact - nenr.la hosted on a Turktelekom IP for a change:
DNS Data: (newdgl.com, newdgl.biz)
Looking up at the 2 nenr.la. parent servers:
Server                            Response
ns67.mobns.com [200.72.139.67]    85.105.182.6
ns18.mobns.com [211.142.23.18]    [Error: Port Unreachable]
With a reverse DNS of dsl.static.85-105-46598.ttnet.net.tr, the host IP (85.105.182.6) looks to me like a single zombie on a TurkTelekom DSL (Broadband) network, assuming that the RDNS data is genuine. It could easily be a criminal owned IP or possibly just an unwitting infected end user. It's displaying the well known 'Rockphish' "66.1 Host Locked" message on HTTP access. The above evidence undeniably links these crooks to the 'Rockphish' gang.
***Latest News*** - 4th. March 2008
New domains notified from site contact - newdgl.com & newdgl.biz - both hosted on the Turktelekom ADSL IP above, and neesn.net, neesn.org, neesn.com all hosted on the ns1.notice-mm.com botnet, currently hosted on Tidyhosts IP 194.150.121.96 using nameserver ns1.notice-mm.com:
DNS Data: (neellp.org, neesn.net, neesn.org, neesn.com)
How I am searching:
Searching for neesn.com A record at a.root-servers.net [198.41.0.4]: Got referral to H.GTLD-SERVERS.NET. (zone: com.) [took 33 ms]
Searching for neesn.com A record at H.GTLD-SERVERS.NET. [192.54.112.30]: Got referral to ns1.notice-mm.com. (zone: neesn.com.) [took 124 ms]
Searching for neesn.com A record at ns1.notice-mm.com. [194.150.121.96]: Reports neesn.com. [took 109 ms]
Response:
Domain                 Type  Class  TTL   Answer
neesn.com.             A     IN     1800  84.108.239.70
neesn.com.             A     IN     1800  77.81.232.76
neesn.com.             A     IN     1800  79.113.80.122
neesn.com.             A     IN     1800  79.114.90.194
neesn.com.             A     IN     1800  79.116.134.179
neesn.com.             A     IN     1800  82.79.67.253
neesn.com.             A     IN     1800  83.174.240.2
neesn.com.             NS    IN     1800  ns1.notice-mm.com.
neesn.com.             NS    IN     1800  ns2.notice-mm.com.
ns1.notice-mm.com.     A     IN     1800  194.150.121.96
ns2.notice-mm.com.     A     IN     1800  70.14.44.72
Looking up at the 2 neesn.com. parent servers: [table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Tidyhosts on IP 194.150.121.96 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - New domain reported by site contact - neegl.net - hosted on the ns1.mm-garden.com zombie botnet, hosted by WEBHOSTPLUS-INC (theserverdoctor.com) on IP 65.75.191.14. Domain neegl.biz also noted on the same botnet.
Later - The criminal has also set up his ns1.minkot.com botnet on another Tidyhosts IP (ns1.minkot.com [194.150.121.44]) hosting domains newese.org, newese.com and newese.biz:
DNS Data: (newese.org, newese.com and newese.biz)
How I am searching:
Searching for newese.biz A record at a.root-servers.net [198.41.0.4]: Got referral to A.GTLD.biz. (zone: biz.)
Searching for newese.biz A record at A.GTLD.biz. [209.173.53.162]: Got referral to NS2.MINKOT.COM. (zone: newese.biz.)
Searching for newese.biz A record at NS2.MINKOT.COM. [208.21.54.10]: Timed out. Trying again.
Searching for newese.biz A record at NS1.MINKOT.COM. [194.150.121.44]: Reports newese.biz.
Response:
The data
shows a standard 7-IP site hosting zombie
botnet where the nameserver ns1.minkot.com hosted by OthelloColo.net
(Tidyhosts.com) on IP 194.150.121.44 is acting as a zombie botnet
controller 'herding' the rotating zombies, (as determined by RDNS), in
the 'A' records list which are hosting the fraud site (as determined by
TRACERT). Later - New domain notified by site
contact - newndl.com
The Tidyhosts botnets have been
disconnected Later
- The criminal appears to have moved his zombie botnet
controller/nameserver ns1.minkot.com back to the Hostnoc/Burst.net IP
64.191.112.197
DNS Data: (newese.org, newese.com, newndl.com)
Looking up at the 2 newese.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later - The same IP is also hosting a second botnet as follows:
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.net. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 4th. March 2008
Burst.net have taken action against the crook and he has moved his ns1.minkot.com botnet. No doubt he is also working on his other one, possibly to put it on the same host.
DNS Data: (newese.org, newese.com, newese.biz, newndl.com)
Looking up at the 2 newese.com. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Tier Four on IP 209.41.75.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 5th. March 2008
The criminals have now set up their second botnet on Tier Four IP 209.41.75.37.
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Tier Four on IP 209.41.75.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 7th. March 2008
The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 76.76.3.149
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by CaroNet Managed Hosting (carohosting.net) on IP 76.76.3.149 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
DNS Data: (newnese.com)
Looking up at the 2 newnese.com parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by CaroNet Managed Hosting (carohosting.net) on IP 76.76.3.149 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 8th. March 2008
The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 209.59.209.179
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Spry Hosting on IP 209.59.209.179 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
DNS Data: (newnese.com)
Looking up at the 2 newnese.com parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Spry Hosting on IP 209.59.209.179 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 9th. March 2008
The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 208.116.44.16
DNS Data: (neesn.net, neesn.org, neesn.com, newmnllp.tl)
Looking up at the 2 neesn.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by FortressITX on IP 208.116.44.16 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnese.com parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by FortressITX on IP 208.116.44.16 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain noted in the wild - newdg.net (Spiritdomains - 01-Mar-2008). Hosted on IP 69.129.59.26 listed as belonging to THE BRIDGE RECORDING STUDIO via nameserver hosted on IP 81.16.131.40 listed as belonging to Complex Telmatic Systems Siberia network:
DNS Data: (newdg.net)
Looking up at the 2 newdg.net. parent servers:
Server                         Response
ns1.newdg.net [200.72.139.67]  69.129.59.26
ns2.newdg.net [81.16.131.40]   69.129.59.26
The host IP 69.129.59.26 has an RDNS of mntimnbas01-lo1-pool9-a26.mntimn.tds.net which suggests that it may be a criminal-owned IP or, more likely, simply a single zombie machine IP. The nameserver ns2.newdg.net [81.16.131.40] is obviously the criminal's own nameserver hosted on IP 81.16.131.40 listed as belonging to Complex Telmatic Systems Siberia network. The criminal's nameserver ns1.newdg.net [200.72.139.67] is on the usual Entel Chile IP.

New domain reported by site contact - neelaw.org. This is a domain registered with CSL Computer Service Langenbach GmbH d/b/a Joker.com and hosted on GoDaddy's network on IP 208.109.181.25, which is an arrangement the criminal used for one of his Waller Truck domains.
DNS Data: (neelaw.org):
How I am searching:
Searching for neelaw.org A record at g.root-servers.net [192.112.36.4]: Got referral to B0.ORG.AFILIAS-NST.org. (zone: org.)
Searching for neelaw.org A record at B0.ORG.AFILIAS-NST.org. [199.19.54.1]: Got referral to ns43.domaincontrol.com. (zone: neelaw.org.)
Searching for neelaw.org A record at ns43.domaincontrol.com. [208.109.78.180]: Reports neelaw.org. Response:
Domain        Type  Class  TTL   Answer
neelaw.org.   A     IN     3600  208.109.181.25
neelaw.org.   NS    IN     3600  ns43.domaincontrol.com.
neelaw.org.   NS    IN     3600  ns44.domaincontrol.com.
Looking up at the 2 neelaw.org. parent servers:
Server                                   Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.25
ns43.domaincontrol.com [208.109.78.180]  208.109.181.25
neelaw.org is hosted on GoDaddy's network on IP 208.109.181.25

***Latest News*** - 10th. March 2008
New domain reported by site contact - neelaw.biz, registered with CSL Computer Service Langenbach GmbH d/b/a Joker.com and also hosted on GoDaddy's network on IP 208.109.181.224 as follows:
How I am searching:
Searching for neelaw.biz A record at l.root-servers.net [199.7.83.42]: Got referral to a.gtld.biz. (zone: biz.)
Searching for neelaw.biz A record at a.gtld.biz. [209.173.53.162]: Got referral to NS43.DOMAINCONTROL.COM. (zone: neelaw.biz.)
Searching for neelaw.biz A record at NS43.DOMAINCONTROL.COM. [208.109.78.180]: Reports neelaw.biz. Response:
Domain        Type  Class  TTL   Answer
neelaw.biz.   A     IN     3600  208.109.181.224
neelaw.biz.   NS    IN     3600  ns43.domaincontrol.com.
neelaw.biz.   NS    IN     3600  ns44.domaincontrol.com.
Looking up at the 2 neelaw.biz. parent servers:
Server                                   Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.224
ns43.domaincontrol.com [208.109.78.180]  208.109.181.224
neelaw.biz is hosted on GoDaddy's network on IP 208.109.181.224

Later:
The domain newdg.net is now hosted on a RoadRunner IP:
Looking up at the 2 newdg.net. parent servers:
Server                         Response
ns1.newdg.net [200.72.139.67]  76.186.12.121
ns2.newdg.net [81.16.131.40]   76.186.12.121
Once again it has an RDNS (cpe-76-186-12-121.tx.res.rr.com) that appears to be that of a Road Runner end user in Texas, so this is almost certainly another single zombie or infected machine.

Five minutes later:
Looking up at the 2 newdg.net. parent servers:
Server                         Response
ns2.newdg.net [81.16.131.40]   79.15.170.74
ns1.newdg.net [200.72.139.67]  76.186.12.121
Caught it in mid-cycle this time - the first nameserver has changed over to a new zombie (79.15.170.74) but the second one hasn't quite caught up....

Five minutes later:
Looking up at the 2 newdg.net. parent servers:
Server                         Response
ns2.newdg.net [81.16.131.40]   79.15.170.74
ns1.newdg.net [200.72.139.67]  79.15.170.74
This time both nameservers are showing the new zombie (79.15.170.74) - RDNS for this is host74-170-static.15-79-b.business.telecomitalia.it

Five minutes later:
Looking up at the 2 newdg.net. parent servers:
Server                         Response
ns1.newdg.net [200.72.139.67]  76.186.12.121
ns2.newdg.net [81.16.131.40]   76.186.12.121
Back on the original zombie again.... and so it goes on, continually cycling round these two zombies which could conceivably be two or two hundred...

Later -
The Joker registered domain neelaw.org is back up on another GoDaddy IP (208.109.181.230):
How I am searching:
Searching for neelaw.org A record at c.root-servers.net [192.33.4.12]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.)
Searching for neelaw.org A record at C0.ORG.AFILIAS-NST.INFO. [199.19.53.1]: Got referral to ns43.domaincontrol.com. (zone: neelaw.org.)
Searching for neelaw.org A record at ns43.domaincontrol.com. [208.109.78.180]: Reports neelaw.org. Response:
Domain        Type  Class  TTL   Answer
neelaw.org.   A     IN     3600  208.109.181.230
neelaw.org.   NS    IN     3600  ns43.domaincontrol.com.
neelaw.org.   NS    IN     3600  ns44.domaincontrol.com.
Looking up at the 2 neelaw.org. parent servers:
Server                                   Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.230
ns43.domaincontrol.com [208.109.78.180]  208.109.181.230
***Latest News*** - 11th. March 2008
New domain reported by site contact - newnmm.com hosted on the ns1.minkot.com controlled botnet hosted on FortressITX/pwebtech.com IP 208.116.44.16.
No response from FortressITX/pwebtech.com to abuse reports, but domains neesn.net, neesn.org, neesn.com have been suspended by the registrar Spiritdomains. Neesn.biz remains active but parked on the criminal's nameservers at the moment. The second botnet controlled by ns1.minkot.com [208.116.44.16] hosting domains newnese.com, newnm.org and newnmm.com remains active on their IP.
No further response from GoDaddy to reports of abuse of their IPs 208.109.181.230 and 208.109.181.224. Their initial response was "As a hosting provider, we cannot be expected to judge the alleged illegal activities you have mentioned." followed by "We are currently investigating this company" when pressed, but as yet they have failed to take action.

Later - New domain spotted in the wild - newmnllp.tl hosted on the FortressITX/pwebtech.com zombie botnet controlled by ns1.notice-mm.com [208.116.44.16]

Later - GoDaddy now appear to have taken action against their criminal clients neelaw.biz and neelaw.org. FortressITX/pwebtech.com appear to have taken action against ns1.notice-mm.com [208.116.44.16], but ns1.minkot.com [208.116.44.16] remains active.

Later - The fraudster has moved his domains neelaw.org and neelaw.biz onto two new GoDaddy IPs as per the following DNS data:
Domain        Type  Class  TTL   Answer
neelaw.org.   A     IN     3600  208.109.181.232
neelaw.org.   NS    IN     3600  ns43.domaincontrol.com.
neelaw.org.   NS    IN     3600  ns44.domaincontrol.com.

Domain        Type  Class  TTL   Answer
neelaw.biz.   A     IN     3600  208.109.181.210
neelaw.biz.   NS    IN     3600  ns43.domaincontrol.com.
neelaw.biz.   NS    IN     3600  ns44.domaincontrol.com.
GoDaddy need to find a way to stop this criminal simply moving his hosting onto a new IP.

***Latest News*** - 12th. March 2008
The criminal seems to have branched out into an email response version of his spam, perhaps because his hosting is getting more and more difficult:

Newman, Esmond, & Eisenberg LLP is a Berne-based law firm providing legal services to a diverse group of clients in a wide array of domestic and global business transactions and litigation matters. Our clients include privately and publicly held companies, financial institutions, not-for-profit organizations and high net worth individuals. Our client base reflects virtually every business industry, including a number of Fortune 100 companies. Our company has a current opening for a part-time position of a Customer Service Associate. Join a team of professionals dedicated to the international growth, brand recognition, and successful partnering with clients to achieve exceptional expansion. This is a part time job position, that requires 1-2 hours a day to be dealt with. The candidate will be responsible for dealing with the customer payments in his local area; this will include: monitoring the payments to arrive on his banking account, making calculations regarding each payment, transmitting the payments further to the regional business partners, associates and branches and being in an interactive communication with the headquarters continuously. The successful applicant will have computer literacy coupled with the ability to communicate at a good level and will enjoy being flexible, enthusiastic and driven. The applicant can expect a part-time working agreement to be signed up after the trial period is over. The employee is paid on a regular basis in the end of every month, as well as he gets a 10% commission out of each customer payment he has dealt with. The main aim of the role is to attract new customers by offering them the high-speed delivery of their orders and to fasten customer payment delivery by prompt collection of their payments. In NEE LLP we believe that a career is more than a job. It's about skills training. Competitive salaries. Flexible scheduling. Comprehensive benefits. Job satisfaction. At NEE LLP, we offer all this and more. Because we want to help you enjoy your work and your life. If you feel interested in a position, please send your reply and CV via email: patrowe95@yahoo.com to apply now! And if you have any questions, please do not hesitate to contact us. Please consider, this is not a spam distribution. Your contact details were kindly put into our disposal by our partners: www.monster.com and www.careerbuilder.com. We are looking forward to hearing from you asap, Yours sincerely, Pat Rowe

The criminal has parked his minkot.com nameserver domain on his bogus search page hosted by 'Optical Jungle' and has set up a new botnet to replace the one that used it as a nameserver domain:
DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnese.com. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.toomnc.com hosted by FDC Servers.net, LLC on IP 67.159.41.89 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later -
GoDaddy appear to have promptly taken action against the hosting of the crook's domains neelaw.org and neelaw.biz as both of them are resolving to a fault page. GoDaddy now seem to be a bit more on the ball than their initial response indicated. The above criminal's botnet is still active on the FDC Servers Inc. hosting.

Later - FDC Servers now appear to have terminated the hosting of the criminal's zombie botnet controller ns1.toomnc.com [67.159.41.89]

***Latest News*** - 13th. March 2008
The criminal has set up a new botnet on Schlund + Partner AG IP 212.227.251.161 with a new nameserver (ns1.theloging.com) as KEY-SYSTEMS GMBH have already suspended toomnc.com:
DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnmm.com. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by Schlund + Partner AG on IP 212.227.251.161 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later - The criminal has set up a new botnet on Spry Hosting IP 209.40.204.226:
DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnmm.com. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by Spry Hosting on IP 209.40.204.226 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 14th. March 2008
The criminal has some more domains registered with Enom.com's reseller Mobile Names Services, Inc. whose published contact email address of support@mobilenameservices.com bounces with a "550 5.7.1 No mailbox found" error:
nmnmd.org nmnmd.net nmnmd.org
They have also registered a new nameserver domain of snowbm.com, (REGISTER.COM, INC. 07-Mar-2008)
DNS Data: (nmnmd.org, nmnmd.net, nmnmd.com)
Looking up at the 2 nmnmd.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.snowbm.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 16th. March 2008
The criminal has a new botnet to replace the Spry Hosting one:
DNS Data: (newnese.com, newnm.org, newnmm.com, nenmdg.net)
Looking up at the 2 newnese.com. parent servers:
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by AS1660/Globalcon.net, LLC (Eric Chen) on IP 67.210.224.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 17th. March 2008
The criminal has a new domain (nwmsd.com) on a new, (non-botnet), host - Comcast.net
DNS Data: (nwmsd.com)
Looking up at the 2 nwmsd.com. parent servers:
Server                         Response
ns2.nwmsd.com [202.44.71.148]  76.126.72.41
ns1.nwmsd.com [200.72.139.67]  76.126.72.41
He's using his own main domain as his nameserver domain and once again there's the usual 'blackhat' SP Entel Chile IP 200.72.139.67 along with a Bangkok one (Sripatum University), 202.44.71.148. The website host IP is 76.126.72.41 (Comcast). The IP has an RDNS of c-76-126-72-41.hsd1.ca.comcast.net so it's quite possibly a zombie.
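The two observations this log keeps relying on, the hosting IP rotating between repeated lookups of the parent nameservers (the newdg.net polls above, including the mid-cycle disagreement between ns1 and ns2) and an RDNS name that looks like an end-user connection rather than a hosting company, can be turned into a small automated check. This is an added example and not code from the original page: it replays constructed poll snapshots built from the newdg.net IPs and RDNS names quoted above (the five-minute timestamps are constructed) and the end-user RDNS patterns are a heuristic assumed here, not a rule from the page.

```python
"""Spot fast-flux style hosting from repeated parent-nameserver lookups.

Added example, not part of the original page. It replays constructed
poll snapshots modelled on the newdg.net lookups above (IPs and RDNS
names come from the page; the poll timestamps are constructed) and
reports the three signals the text relies on: the hosting IP changing
between polls, the two nameservers disagreeing mid-cycle, and RDNS
names that look like end-user connections rather than a hosting company.
"""
import re
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Snapshot:
    minute: int       # minutes since the first poll (constructed)
    nameserver: str   # authoritative server that was asked
    answer: str       # A record it returned for the domain


# RDNS fragments read here as consumer / end-user access connections
# (cable, DSL, dial pools, VPN pools); a hit suggests a compromised home
# or small-business machine rather than a hosting provider. Heuristic
# assumed for this example, not a rule from the page.
END_USER_RE = re.compile(
    r"(^cpe-|^adsl-|^dsl\.|\.res\.rr\.com$|\.hsd1\.|-pool\d|\.cable\.|\.hfc\.|\.vpn\.)"
)


def looks_like_end_user(rdns: str) -> bool:
    """True when the reverse DNS name matches an end-user access pattern."""
    return END_USER_RE.search(rdns) is not None


def answers_per_poll(snapshots):
    """Collapse snapshots into [(minute, {nameserver: answer}), ...] in time order."""
    ordered = sorted(snapshots, key=lambda s: (s.minute, s.nameserver))
    return [
        (minute, {s.nameserver: s.answer for s in group})
        for minute, group in groupby(ordered, key=lambda s: s.minute)
    ]


def analyse(snapshots, rdns):
    """Summarise rotation, nameserver disagreement and end-user hosting.

    rdns maps each answer IP to its reverse DNS name (missing entries
    are treated as having no RDNS).
    """
    polls = answers_per_poll(snapshots)
    hosts = sorted({s.answer for s in snapshots})
    # A poll where the nameservers return different IPs is the
    # "caught it in mid-cycle" case: one has rotated, the other has not.
    split_polls = [minute for minute, ans in polls if len(set(ans.values())) > 1]
    # Count how often the set of answers changes from one poll to the next.
    transitions = sum(
        1 for (_, prev), (_, cur) in zip(polls, polls[1:])
        if set(prev.values()) != set(cur.values())
    )
    end_user = [ip for ip in hosts if looks_like_end_user(rdns.get(ip, ""))]
    return {
        "hosts": hosts,
        "transitions": transitions,
        "split_polls": split_polls,
        "end_user_hosts": end_user,
        # Rotation across several addresses, at least one of them an
        # end-user connection, is the fast-flux signature described above.
        "fast_flux": transitions >= 1 and len(hosts) >= 2 and bool(end_user),
    }


# Constructed poll history modelled on the four newdg.net lookups on the page.
NEWDG_SNAPSHOTS = [
    Snapshot(0, "ns1.newdg.net", "76.186.12.121"),
    Snapshot(0, "ns2.newdg.net", "76.186.12.121"),
    Snapshot(5, "ns2.newdg.net", "79.15.170.74"),    # ns2 rotated first
    Snapshot(5, "ns1.newdg.net", "76.186.12.121"),   # ns1 not caught up yet
    Snapshot(10, "ns2.newdg.net", "79.15.170.74"),
    Snapshot(10, "ns1.newdg.net", "79.15.170.74"),
    Snapshot(15, "ns1.newdg.net", "76.186.12.121"),  # back on the first zombie
    Snapshot(15, "ns2.newdg.net", "76.186.12.121"),
]

# RDNS names as quoted on the page for those two addresses.
NEWDG_RDNS = {
    "76.186.12.121": "cpe-76-186-12-121.tx.res.rr.com",
    "79.15.170.74": "host74-170-static.15-79-b.business.telecomitalia.it",
}


if __name__ == "__main__":
    report = analyse(NEWDG_SNAPSHOTS, NEWDG_RDNS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a live domain, the same function would take snapshots gathered by querying each parent nameserver directly every few minutes, which is what the manual lookups in this log do by hand.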
No response whatsoever from the Roadrunner abuse team or Globalcon.net.

***Latest News*** - 19th. March 2008
New domain notified by site contact - nenmdg.net (KEY-SYSTEMS GMBH (12-Mar-2008))

Later - The criminal has added a second host IP to his above network:
Looking up at the 2 nwmsd.com. parent servers:
Server                         Response
ns2.nwmsd.com [202.44.71.148]  76.126.72.41
ns1.nwmsd.com [200.72.139.67]  80.7.203.208
The effect of this is to make the hosting of domain nwmsd.com appear to switch between the Comcast IP 76.126.72.41 and the NTL IP 80.7.203.208 depending on which nameserver is accessed for the lookup. The NTL IP 80.7.203.208 has an RDNS of cpc3-pool6-0-0-cust975.sotn.cable.ntl.com which to me looks like an end user on NTL's cable system in Southampton, UK, so it is almost certainly another zombie.

***Latest News*** - 21st. March 2008
The criminal is using two new zombies on the above network:
Looking up at the 2 nwmsd.com, nmnsd.net, nmnsd.com parent servers:
Server                         Response
ns1.nwmsd.com [200.72.139.67]  75.145.209.157
ns2.nwmsd.com [202.44.71.148]  79.15.170.74
The RDNS for 79.15.170.74 is host74-170-static.15-79-b.business.telecomitalia.it
The RDNS for 75.145.209.157 is 75-145-209-157-Memphis.hfc.comcastbusiness.net
Yet another Comcast zombie, looks like a business user this time. The criminal's Globalcon and Roadrunner networks are still intact. Unfortunately it seems next to impossible to get Roadrunner to even understand that they are hosting this criminal fraudster on their IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com), let alone take action to end the criminality, and Globalcon have not responded to a ticket which has been open on their ticketing system since 16th. March.

***Latest News*** - 22nd. March 2008
Today's zombies hosting nwmsd.com, nmnsd.net and nmnsd.com
Looking up at the 2 nwmsd.com, nmnsd.net, nmnsd.com parent servers:
Server                          Response
ns1.nmnsd.com [71.249.231.112]  76.232.230.182
ns2.nmnsd.com [219.76.235.93]   75.145.209.157
Zombie 1: The RDNS for 76.232.230.182 is adsl-76-232-230-182.dsl.stlsmo.sbcglobal.net
Zombie 2: The RDNS for 75.145.209.157 is 75-145-209-157-Memphis.hfc.comcastbusiness.net
The criminal's zombie controllers are being hosted by:
Verizon Internet Services Inc. (ns1.nmnsd.com [71.249.231.112]) (static-71-249-231-112.nycmny.east.verizon.net)
NETVIGATOR (PCCW Limited) (ns2.nmnsd.com [219.76.235.93]) (n219076235093.netvigator.com)
Even the nameservers appear to be hosted on criminal-owned machines or zombies.

***Latest News*** - 23rd. March 2008
Today's zombies hosting nwmsd.com, nmnsd.net and nmnsd.com
Looking up at the 2 nmnsd.net. parent servers:
Server                          Response
ns1.nmnsd.net [71.249.231.112]  85.15.69.38
ns2.nmnsd.net [219.76.235.93]   212.0.81.14
Zombie 1: The RDNS for 85.15.69.38 is a85-15-69-38.vpn.vtelecom.ru
Zombie 2: The RDNS for 212.0.81.14 is ws-81-14.burnet.ru
The criminal's zombie controllers are being hosted by:
Verizon Internet Services Inc. (ns1.nmnsd.com [71.249.231.112]) (static-71-249-231-112.nycmny.east.verizon.net)
NETVIGATOR (PCCW Limited) (ns2.nmnsd.com [219.76.235.93]) (n219076235093.netvigator.com)
Even the nameservers appear to be hosted on criminal-owned machines or zombies.

The criminal has set up a new zombie network. It hardly seems necessary as the crook has already got a selection of criminal-friendly hosts in AS1660/Globalcon.net, LLC (Eric Chen), and Road Runner HoldCo LLC along with registrars like Enom who simply ignore all abuse reports of this illegal activity. With unethical service providers like that as accomplices, the criminal has an easy life with his 'bullet-proof' hosting. Anyway here is the new zombie botnet:
DNS Data: (newesm.net, newesm.com, newesm.org)
Looking up at the 2 newesm.net. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.dmmlife.com hosted by SoftwareWorks Group, Inc. (TheServerDoctor) on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain nmnsd.org spotted in the wild:
Looking up at the 2 nmnsd.org. parent servers:
Server                         Response
ns1.nmnsd.org [200.72.139.67]  85.15.69.38
ns2.nmnsd.org [202.44.71.148]  85.15.69.38
He's using his own main domain as his nameserver domain and once again there's the usual 'blackhat' SP Entel Chile IP 200.72.139.67 along with a Bangkok one (Sripatum University), 202.44.71.148. The website host IP is 85.15.69.38 (a85-15-69-38.vpn.vtelecom.ru).

***Latest News*** - 24th. March 2008
Today's zombies hosting nmnsd.com, nmnsd.net, nmnsd.org and nwmsd.com
Looking up at the 2 nmnsd.com. parent servers:
Server                          Response
ns1.nmnsd.com [71.249.231.112]  76.126.72.41
ns2.nmnsd.com [219.76.235.93]   85.15.69.38
Looking up at the 2 nmnsd.net. parent servers:
Server                          Response
ns1.nmnsd.net [71.249.231.112]  76.126.72.41
ns2.nmnsd.net [219.76.235.93]   85.15.69.38
Looking up at the 2 nmnsd.org. parent servers:
Server                         Response
ns1.nmnsd.org [200.72.139.67]  76.126.72.41
ns2.nmnsd.org [202.44.71.148]  76.126.72.41
Looking up at the 2 nwmsd.com. parent servers:
Server                         Response
ns1.nwmsd.com [200.72.139.67]  76.126.72.41
ns2.nwmsd.com [202.44.71.148]  85.15.69.38
Here's the usual selection of IP addresses currently abused by the criminals:
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net)
219.76.235.93 (n219076235093.netvigator.com)
76.126.72.41 (c-76-126-72-41.hsd1.ca.comcast.net)
85.15.69.38 (a85-15-69-38.vpn.vtelecom.ru)
200.72.139.67 (Entel Chile)
202.44.71.148 (Sripatum University)

***Latest News*** - 25th. March 2008
Spiritdomains have suspended the nameserver domain theloging.com and the criminal has replaced it with newxmm.com. New botnet data:
DNS Data: (newnm.org, newnmm.com, nenmdg.net, nenmdg.com)
Looking up at the 2 newnm.org. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by AS1660/Globalcon.net, LLC (Eric Chen) on IP 67.210.224.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later - Globalcon.net have terminated the hosting of ns1.newxmm.com [67.210.224.100]. New botnet data:
DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.net parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by EMC COMMUNICATIONS, LLC on IP 74.202.129.229 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Today's zombies hosting nwmsd.com, nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.com. parent servers:
Server                         Response
ns1.nwmsd.com [200.72.139.67]  85.105.182.6
ns2.nwmsd.com [202.44.71.148]  76.126.72.41
Looking up at the 2 nwmsd.net. parent servers:
Server                          Response
ns2.nwmsd.net [71.249.231.112]  85.105.182.6
ns1.nwmsd.net [219.76.235.93]   85.105.182.6
Looking up at the 2 nwmsd.org. parent servers:
Server                         Response
ns1.nwmsd.org [200.72.139.67]  85.105.182.6
ns2.nwmsd.org [219.76.235.93]  85.105.182.6
IP addresses involved in the criminal's network:
85.105.182.6 (dsl.static.85-105-46598.ttnet.net.tr) - TurkTelekom, ADSL-ALC-Static Pool
76.126.72.41 (c-76-126-72-41.hsd1.ca.comcast.net) - Comcast Cable Communications, Inc.
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)
202.44.71.148 (Sripatum University)
Enom seems now to have joined the ethical camp along with Spiritdomains, www.la, nic.tl et al in the battle against these fraudsters with most of the Enom registered domains having been suspended.

***Latest News*** - 27th. March 2008
The EMC COMMUNICATIONS, LLC zombie botnet has been
terminated and the criminals now have a new host for their botnet, OC3 Networks & Web Solutions, LLC:
DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.com. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by OC3 Networks & Web Solutions, LLC on IP 66.63.174.26 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 28th. March 2008
The OC3 Networks & Web Solutions, LLC zombie botnet has been terminated and the criminals now have a new host for their botnet, Netrouting Data Facilities (GrafiX Internet B.V.):
DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.net. parent servers:
[Table: Zombie Botnet Nameserver / Botnet Nameserver 'A' Records (Zombie Site Host IPs)]
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by Netrouting Data Facilities (Grafix.nl) on IP 91.199.50.70 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Today's zombies hosting nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.net. parent servers:
Server                          Response
ns2.nwmsd.net [71.249.231.112]  212.0.72.114
ns1.nwmsd.net [219.76.235.93]   85.105.182.6
Looking up at the 2 nwmsd.org. parent servers:
Server                         Response
ns1.nwmsd.org [200.72.139.67]  212.0.72.114
ns2.nwmsd.org [219.76.235.93]  85.105.182.6
IP addresses involved in the criminal's network:
85.105.182.6 (dsl.static.85-105-46598.ttnet.net.tr) - TurkTelekom, ADSL-ALC-Static Pool
212.0.72.114 - BURNET.RU (SC Electrosvyaz of Buryatia Republic)
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)
KEY-SYSTEMS GMBH seem to have put domain nwmsd.com on clienthold, (i.e. suspended it), but they haven't taken action against all the other domains registered with them which are all involved in exactly the same criminal activity - strange...

***Latest News*** - 30th. March 2008
Today's zombies hosting nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.net. parent servers:
Server
Response
ns1.nwmsd.net [219.76.235.93]
212.0.72.114
ns2.nwmsd.net [71.249.231.112]
212.0.72.114
Looking up at the 2 nwmsd.org. parent servers:
Server
Response
ns1.nwmsd.org [200.72.139.67]
212.0.72.114
ns2.nwmsd.org [219.76.235.93]
212.0.72.114
IP addresses involved in the criminal's network:
212.0.72.114 - BURNET.RU (SC Electrosvyaz of Buryatia Republic)
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)

No response to several abuse reports to Netrouting Data Facilities (GrafiX Internet B.V.), first sent on March 28th. The company continues to host the criminal's zombie botnet on their IP 91.199.50.70.

Spiritdomains have been very helpful and have suspended all of the criminal's fraud domains registered with them - many thanks are due to them for their ethical position, along with all the other honest and decent registrars and hosts who help in the fight against internet crime.

Road Runner HoldCo LLC have been knowingly hosting a zombie botnet since 14-Mar-2008 on their IP address 74.62.155.57. It would appear that they don't care that they host the zombie botnets of criminals. Unfortunately, while unethical service providers are free to turn a blind eye to criminal fraud in this way, these criminals will continue to prosper and their victims will continue to suffer.
Later:-

Domains neamds.com, neamds.net and neamds.org spotted in the wild, (all registered with KEY-SYSTEMS GMBH/Imena.ua), and all hosted on the above-mentioned Roadrunner zombie botnet as follows:

DNS Data (neamds.com, neamds.net and neamds.org)
Looking up at the 2 neamds.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.snowbm.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 1st. April 2008

The Netrouting Data Facilities (GrafiX Internet B.V.) zombie botnet has been terminated and the criminal is now back on a previous host for their botnet, OC3 Networks & Web Solutions, LLC:

DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by OC3 Networks & Web Solutions, LLC on IP 66.63.174.28 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 2nd. April 2008

The criminal has moved his OC3 Networks botnet onto a Layered Technologies, Inc. IP (72.232.5.33):

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by Layered Technologies, Inc. on IP 72.232.5.33 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The RDNS for 72.232.5.33 is 33.5.232.72.static.reverse.ltdomains.com

***Latest News*** - 3rd. April 2008
The criminal's Roadrunner and Layeredtech botnets are both still active despite both Layeredtech and Roadrunner having been informed of the abuse. It is rather sad and discouraging that companies of such standing can continue to aid and abet these criminals without any sanction or apparent conscience at all.

The Roadrunner botnet now has a new nameserver domain (mmbopc.com) which is rather odd as the criminal's old nameserver domain (snowbm.com) doesn't seem to have been suspended by Register.com. New DNS details:

DNS Data (neamds.com, neamds.net, neamds.org, nwmsmds.net, and nwmsmds.org)
Looking up at the 2 neamds.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mmbopc.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
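The pattern these entries keep describing (a stable, data-centre hosted controller nameserver answering with a rotating set of 'A' records whose reverse DNS looks like consumer access pools) can be checked mechanically from repeated lookups. The script below is an added example, not the page's own tooling: every address and reverse name in it is constructed from documentation ranges, and the pool-name tokens are a heuristic assumption, not an authoritative list.

```python
"""Heuristic for the 'site hosting zombie botnet' pattern: one stable
nameserver IP (the controller) answering with a rotating set of 'A' records
whose reverse DNS looks like consumer DSL/cable pools. Added example; the
lookups and reverse names below are constructed, not captured data."""
import ipaddress
import re

# Labels common in ISP access-pool reverse names (heuristic, not exhaustive;
# 'static' is left out because data-centre hosts use it too).
POOL_TOKENS = {"dsl", "adsl", "cable", "dyn", "dynamic", "dhcp", "pool",
               "ppp", "cust", "dialup", "broadband"}


def looks_like_access_pool(ip, rdns):
    """True if the reverse name resembles a per-subscriber ISP pool entry."""
    if not rdns:
        return False  # no PTR: unknown, not evidence either way
    if set(re.split(r"[.\-]", rdns.lower())) & POOL_TOKENS:
        return True
    # Per-address naming such as n219076235093.isp.tld or
    # static-71-249-231-112.isp.tld embeds the address in the hostname.
    octets = ip.split(".")
    return "".join(o.zfill(3) for o in octets) in rdns or "-".join(octets) in rdns


def assess(ns_ip_by_lookup, a_records_by_lookup, rdns):
    """Summarise repeated lookups of one domain: ns_ip_by_lookup is the IP the
    nameserver resolved to per lookup (the 'Response' column above),
    a_records_by_lookup the 'A' record IPs it returned per lookup, and rdns a
    dict IP -> reverse name (None if no PTR)."""
    distinct = sorted({ip for ans in a_records_by_lookup for ip in ans})
    pool_like = [ip for ip in distinct if looks_like_access_pool(ip, rdns.get(ip))]
    # /24 diversity is a crude stand-in for 'different ISPs'; real triage
    # would map each host to its ASN instead.
    nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in distinct}
    controller = ns_ip_by_lookup[0] if len(set(ns_ip_by_lookup)) == 1 else None
    rotating = len(distinct) > max(len(ans) for ans in a_records_by_lookup)
    # The pattern: stable controller, many hosts over unrelated networks, and
    # most of them named like consumer access pools.
    flux = (controller is not None and len(distinct) >= 5 and len(nets) >= 3
            and 2 * len(pool_like) >= len(distinct))
    return {"controller": controller, "distinct_hosts": len(distinct),
            "pool_like_hosts": len(pool_like), "networks": len(nets),
            "rotating": rotating,
            "verdict": "zombie-hosted" if flux else "no flux pattern"}


# Constructed sample: two lookups, seven hosts per answer, two hosts rotated
# between them. Addresses are RFC 5737/2544 documentation ranges only.
SAMPLE_NS = ["198.18.0.9", "198.18.0.9"]
SAMPLE_A = [
    ["192.0.2.15", "192.0.2.99", "198.51.100.21", "198.51.100.77",
     "203.0.113.5", "203.0.113.40", "203.0.113.88"],
    ["192.0.2.15", "192.0.2.130", "198.51.100.8", "198.51.100.77",
     "203.0.113.5", "203.0.113.40", "203.0.113.88"],
]
SAMPLE_RDNS = {
    "192.0.2.15": "dsl.static.192-0-2-15.example-isp.net",
    "192.0.2.99": "192-0-2-99.adsl.example.nl",
    "192.0.2.130": "dhcp-130.example.org",
    "198.51.100.8": "cust-8.example.net",
    "198.51.100.21": "n198051100021.example-cable.hk",
    "198.51.100.77": "static-198-51-100-77.example-east.net",
    "203.0.113.5": "pool-203-0-113-5.example.net",
    "203.0.113.40": None,
    "203.0.113.88": "mail.example-corp.com",
}
```

Running `assess(SAMPLE_NS, SAMPLE_A, SAMPLE_RDNS)` on the constructed sample reports nine distinct hosts over three networks, seven of them pool-like, with the verdict "zombie-hosted"; a single data-centre host with a corporate reverse name is reported as "no flux pattern".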
The old nameserver ns1.snowbm.com still tracerts to Roadrunner IP 74.62.155.57, so I suspect that the criminals are taking advantage of Roadrunner's willingness to aid and abet their fraud to set up a second site hosting botnet with new domains.

***Latest News*** - 5th. April 2008

TheServerDoctor, Roadrunner, and Layeredtech are continuing to knowingly host this criminal's botnet controllers. Latest botnet DNS data: (nemns.com, nemns.net and nemns.org)
Looking up at the 2 nemns.com parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.dmmlife.com hosted by SoftwareWorks Group, Inc./TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 7th. April 2008

The criminal now has three site hosting zombie botnets operating courtesy of Road Runner HoldCo LLC (74.62.155.57), Layered Technologies, Inc./Savvis.net (72.232.5.33) and SoftwareWorks Group, Inc. (TheServerDoctor) (65.75.191.14), all of whom were informed of the abuse on the dates at the top of this page.

***Latest News*** - 9th. April 2008
Suspension notice received from Imena.ua for all of their registered domains for this criminal - thanks guys for your ethical action. That means the criminals will by now have new main domains, new nameserver domains and new botnet details. Known details follow, (please let me know of any active website URLs/domains):

DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Layered Technologies, Inc. on IP 72.232.5.33 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The RDNS for 72.232.5.33 is 33.5.232.72.static.reverse.ltdomains.com
The criminal's newly registered nameserver domain is iwarzone.com (Spiritdomains/IA Registry - 28-Mar-2008). The botnet continues to be hosted by Layeredtech/Savvis despite several abuse reports.

DNS Data (nemns.com, newesm.biz, nnmbg.com, nee.com.ua, nem.kg)
Looking up at the 2 nemns.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by SoftwareWorks Group, Inc./TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal's newly registered nameserver domain is bonoxc.com (REGISTER.COM, INC. - 28-Mar-2008). The botnet continues to be hosted by SoftwareWorks Group, Inc. (TheServerDoctor).

DNS Data (nwmsmds.net, and nwmsmds.org)
Looking up at the 2 nwmsmds.org parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.walillc.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal's newly registered nameserver domain is walillc.com (INTERNET INVEST, INC. DBA IMENA.UA - 29-Mar-2008). The botnet continues to be hosted by Road Runner HoldCo LLC despite numerous abuse reports.

***Latest News*** - 10th. April 2008
The criminal has moved his above Roadrunner botnet, whether it is because of any action by Roadrunner or not I do not know. New network data:

DNS Data (nwmsmds.net, and nwmsmds.org)
Looking up at the 2 nwmsmds.org parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.walillc.com hosted by SoftLayer Technologies Inc./AptHost Communications Inc. on IP 67.228.213.11 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal has also moved his Layered Technologies, Inc. zombie botnet. New network data:

DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Secured Private Network/FISIXNETWORKS on IP 67.215.229.45 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 11th. April 2008

New zombie botnets replacing ones shut down by ethical hosts:

DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.222.5 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 12th. April 2008

New zombie botnet replacing one shut down by ethical hosts Network Operations Center Inc./Burst.net:

DNS Data (newnmm.com, newmmns.com, nwaesde.net)
Looking up at the 2 newnmm.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Spectrum Networks/Vanoppen.biz on IP 76.191.102.141 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 13th. April 2008

New domain noted in the wild - nensmb.org registered with Enom's reseller Mobile Names Services, Inc., both of whom have been unresponsive. It's highly amusing to note that Enom have themselves been a victim of a 'phishing' attack using the domain enomcemtral.com registered with ENOM, INC./Mobile Names Services, Inc. - I hope the irony is not lost on them and they start being more pro-active against these criminals that they knowingly shelter. I won't hold my breath....

DNS Data (nensmb.org)
Looking up at the 2 nensmb.org. parent servers:
Server                            Response
ns1.nensmb.org [200.72.139.67]    212.174.25.241
ns2.nensmb.org [219.76.235.93]    212.174.25.241

The host of this one is Turktelekom on IP 212.174.25.241.

***Latest News*** - 15th. April 2008
The criminal has some more domains registered with Imena.ua (Internet Invest Ltd): newmanesrg.net, newmanesrg.org, newmanesrg.com

DNS Data (newmanesrg.org, newmanesrg.com, nensmb.org)
Looking up at the 2 newmanesrg.org. parent servers:
Server                                Response
ns1.newmanesrg.org [200.72.139.67]    81.9.106.17
ns2.newmanesrg.org [219.76.235.93]    81.9.106.17

The host IP is another JSC "EnginiaSystem" Network IP, 81.9.106.17, and the nameserver IPs are also the usual Entel Chile IP (200.72.139.67) and the NETVIGATOR (PCCW Limited) IP (219.76.235.93), both of which have been reported many times with no response, never mind action.

The domain newmanesrg.net is unhosted at present, but no doubt it will join the rest shortly.

Later:

New botnet:

DNS Data (newmesde.com, newmesde.net, newmesde.org)
Looking up at the 2 newmesde.com. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.uneedmc.com hosted by California Regional Intranet, Inc./Zanadoo Hosting on IP 71.6.211.95 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 18th. April 2008

By suspending all of their registrations, the ethical registrar Spiritdomains have sent a clear message to these criminals that they will not tolerate their criminal activity. ENOM, INC. (Mobile Names Services, Inc.) have also taken similar action. All other companies please take note. Remaining known domains and hosting:

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nee.com.ua. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by SoftwareWorks Group, Inc./CaroNet/TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

SoftwareWorks Group, Inc./CaroNet/TheServerDoctor have ignored all abuse reports and have hosted these criminals since 23-Mar-2008.
N.B. - A contact from the company TheServerDoctor has asked me to point out that as far as he is concerned the ARIN data for the IP 65.75.191.14 is incorrect and he is NOT the owner and responsible person. The IP is controlled by CaroNet hosting, (Caro.net), of Charlotte, North Carolina.

DNS Data: (newmanesrg.org, newmanesrg.com)
Looking up at the 2 newmanesrg.org. parent servers:
Server                                Response
ns1.newmanesrg.org [200.72.139.67]    212.0.85.6
ns2.newmanesrg.org [219.76.235.93]    212.0.85.6

The host of this criminal's network is JSC Electrosvyaz of Buryatia Republic (burnet.ru).

Later: The criminal's botnet on IP 65.75.191.14 has been shut down after a complaint to the upstream transit provider to SoftwareWorks Group, Inc./CaroNet/TheServerDoctor. It's a pity it was necessary. The criminal is in the process of setting up a new botnet on IP 67.222.130.212, which is an IP belonging to Tailor Made Servers of Carrollton, Texas.

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by Tailor Made Servers of Carrollton, Texas on IP 67.222.130.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 19th. April 2008
The above criminal's botnet controller ns1.bonoxc.com [67.222.130.212] appears to have been disconnected.

Later: The criminal has set up a new botnet on IP 66.197.245.92.

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.245.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain noted in the wild:

DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.uneedmc.com hosted by Awknet Communications, LLC on IP 69.42.220.141 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).

***Latest News*** - 20th. April 2008

The criminal's botnet controller ns1.bonoxc.com [66.197.245.92] has been disconnected by Hostnoc/Burst.net. Unfortunately the criminal's botnet controller ns1.uneedmc.com [69.42.220.141] hosted by Awknet Communications LLC remains active. Awknet Communications LLC have been informed of the criminal activity that they are hosting.
Later: The criminal has moved his ns1.bonoxc.com botnet to the FDC Servers IP 67.159.48.120:

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.bonoxc.com hosted by FDCservers.net on IP 67.159.48.120 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 21st. April 2008

The criminal's botnet controller ns1.bonoxc.com [67.159.48.120] has been disconnected by FDCservers. The Awknet Communications LLC hosted botnet controller ns1.uneedmc.com [69.42.220.141] remains active.

***Latest News*** - 22nd. April 2008

The criminal's Awknet Communications botnet has been disconnected.

***Latest News*** - 23rd. April 2008

The criminal has a new nameserver domain (callsroar.com - Spiritdomains - 03-apr-2008) but it is not yet on an active network.
The criminal has a new botnetwork for domain nwa.kg:

DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.uneedmc.com hosted by Inline Internet Online Dienste GmbH/ValueServer.de on IP 91.193.130.202 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).

Later: The criminal's botnet has been quickly terminated by Internet Online Dienste GmbH/ValueServer.de, (an abuse team that's really clued up - thank you). The criminal now has a new botnetwork for domain nwa.kg:

DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:
Zombie Botnet Nameserver    Botnet Nameserver 'A' Records (Zombie Site Host IPs)

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.uneedmc.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.245.157 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).
DNS Data (newmanesrg.org, newmanesrb.net)
Looking up at the 2 newmanesrg.org. parent servers:
Server                                Response
ns2.newmanesrg.org [219.76.235.93]    85.150.209.34
ns1.newmanesrg.org [200.72.139.67]    85.150.209.34

DNS Data (newmanesrg.com, newmanesrb.com)
Looking up at the 2 newmanesrg.com. parent servers:
Server                                Response
ns2.newmanesrg.com [202.44.71.148]    85.150.209.34
ns1.newmanesrg.com [200.72.139.67]    85.150.209.34

The domains newmanesrg.org, newmanesrb.net, newmanesrb.com and newmanesrg.com are all hosted on the zombie IP 85.150.209.34, which is a compromised or criminal owned customer machine, (5596d122.adsl.wanadoo.nl), on the Orange Nederland Breedband B.V. network. They are still using 'in house' nameservers hosted on the usual 'Blackhat' Entel Chile IP 200.72.139.67 and the equally unhelpful NETVIGATOR (PCCW Limited) IP (219.76.235.93), both of which have been reported many times with no response, never mind action.

***Latest News*** - 24th. April 2008

The Network Operations Center Inc./Burst.net botnet on IP 66.197.245.157 hosting nwa.kg appears to have been disconnected.

***Latest News*** - 24th. May 2008
No known current activity on this fraud - archived to previous aliases. If you know different, please let me know.