Blast from the past

And no, I’m not talking about W32/Blaster either. I was digging through some scrap that my sensor caught when I found something that was detected as HwBot. It’s been detected since August 2005. There’s nothing interesting about the bot itself: it’s just a basic, small (6 694 bytes), IRC-based backdoor that uses modified C&C commands and a modified IRC protocol. Been there, done that and so on. But here’s the funny thing:

The DNS names it uses are

  • symantec.loves.the.cock.pheer.biz
  • owjgp.game2max.net

And guess what happens when we check the DNS names? Yup, that’s right, the DNS is still alive:

;; ANSWER SECTION:
symantec.loves.the.cock.pheer.biz. 300 IN A 58.20.109.46

;; AUTHORITY SECTION:
pheer.biz. 10800 IN NS a.dns.gandi.net.
pheer.biz. 10800 IN NS b.dns.gandi.net.
pheer.biz. 10800 IN NS c.dns.gandi.net.

It would be nice to have some relatively fast and efficient way of knocking down (and keeping down) domains that are used for evil purposes only. A few weeks or even months wouldn’t hurt, but close to two years is a bit too much :)

Norman Sandbox reveals 777 hits on pheer.biz. Mostly they are the same variants, but the hit count reveals a bit about how far and how long these buggers have been spreading. A few other domains also point to that same IP. All are used in HwBots, all are registered under GANDI and all have the same whois data:

esxt.is-a-fag.net A 58.20.109.46
esxt.legi0n.net A 58.20.109.46
symantec.loves.the.cock.pheer.biz A 58.20.109.46
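The pivot the post does by hand (check which harvested C&C names still resolve, then group names by shared A record) is easy to script. This is an added example, not code from the original post; the dig output and the example.net / example.org / example.com names in it are constructed.

```python
import re
from collections import defaultdict

# Matches a dig answer line such as:  name. 300 IN A 192.0.2.1
A_RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed dig output for three queries; the example.* names are made up.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
cnc-one.example.net. 300 IN A 192.0.2.46
;; AUTHORITY SECTION:
example.net. 10800 IN NS a.iana-servers.net.
;; ANSWER SECTION:
cnc-two.example.org. 300 IN A 192.0.2.46
;; ANSWER SECTION:
update.example.com. 3600 IN A 198.51.100.7
"""
# Names harvested from the (hypothetical) sample; one no longer resolves.
CANDIDATES = ["cnc-one.example.net", "cnc-two.example.org",
              "update.example.com", "gone.example.net"]


def parse_a_records(dig_output):
    """Return {name: ip} from every ANSWER SECTION in dig output."""
    records, in_answer = {}, False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False  # AUTHORITY/ADDITIONAL sections are skipped
        elif in_answer and (m := A_RECORD_RE.match(line)):
            records[m.group("name").rstrip(".").lower()] = m.group("ip")
    return records


def pivot_by_ip(records):
    """Group names by A record; names sharing an IP likely share an operator."""
    by_ip = defaultdict(set)
    for name, ip in records.items():
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def still_alive(candidates, records):
    """Split harvested names into those that still resolve and those that don't."""
    alive = sorted(n for n in candidates if n.lower() in records)
    return alive, sorted(set(candidates) - set(alive))
```

Feed it the real output of `dig +noall +answer +authority` over your harvested names and any IP that collects several names is a candidate for a blocklist entry on the address rather than on each domain.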

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.