The IP range for DSL users

Screenshot of the megaprovider.nl website.

The silence surrounding spam coming from the Megaprovider network, save for a stray posting on isc.sans.org and a few other places, isn’t due to Megaprovider lying low. In fact, Megaprovider has been extremely busy, facilitating the abuse of so-called open proxies and hosting spamvertised websites.

Dull, but interesting

This text is long and dull, which is due to the sheer volume of Megaprovider’s spam related activities. Of interest, however, are: the precursor, a bit of more recent spam related activity stemming from the Megaprovider network, a network fingerprint of the traffic actually abusing open proxies, tracing the source of the open proxies, Megaprovider’s eluding of blocklists and the end of it all (at least for now).

This is not all the information that has been uncovered. To protect the sources and ongoing investigations a lot of information has been left out or munged. See the Credits section for attribution. The original text is in Dutch.

History

Ronald F. Guilmette’s “Who’s spamming you?” showed that during the summer of 2003 Megaprovider had earned itself a permanent spot in the Top 40 of open proxy abusers (usually just plain zombies). Each and every time the same /24 IP range showed up in the Top 40: 80.71.71.0/24 (ORG-MPB1-RIPE). That range had been a “dirty block” of sorts for a while. The timing, however, was remarkable: right in the midst of the whole cyberangels.nl saga.

Ronald reported that proxies had been abused from inside that range of IP addresses since as far back as early July 2003. The IP range had been used for spam related activities a couple of times before that. From August 11th through September 16th 2002 80.71.71.5 was used to send spam (apparently the spammers were unaware of open proxies), from August 31st through September 24th 2002 80.71.71.40 was used to host websites advertised in spam, and on September 23rd and 24th 2002 80.71.71.200 was used for the same.

On March 8th 2004 Giblet reports that spam is being sent out for “all your Paris Hilton movies”, through open proxies which are being simultaneously abused from 6 IP addresses residing in the 80.71.71.0/24 IP range:

80.71.71.54, 80.71.71.56, 80.71.71.57, 80.71.71.159, 80.71.71.160, 80.71.71.161

Webwereld wrote an article and Megaprovider once again threatened a lawsuit. Business as usual.

On March 17th 2004 Webwereld wrote another article, based upon Ronald’s “Who’s spamming you?”, about the whole period in which open proxies had been abused by IPs belonging to Megaprovider. Megaprovider explained the abuse by saying that the IP range is used for customers with a DSL connection, a couple of whom had apparently been cracked. Perhaps all the attention this IP range was getting was a bit too much; after these events no further activity was seen from the range.

Megaprovider somewhat disappeared from the (corporate) radar.

Recent spam related activities by Megaprovider

On June 11th and 12th 2004 spam is sent out for the domain cutprice11.com through open proxies. The abuse originated from Megaprovider’s IP space, specifically the following IP addresses:

80.71.72.3, 80.71.72.4, 80.71.72.7, 80.71.72.8, 80.71.72.9, 80.71.72.54, 80.71.72.57, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.180, 80.71.72.181, 80.71.72.182

The spams themselves advertise a website which offers (most likely fake) Viagra pills.

On August 25th 2004 large quantities of spam are sent out for sexy-date-match-maker.biz, which redirects to a form on offshorestats.com, hosted on 80.71.77.100 (NL-MEGAPROVIDER-20010606).

On August 27th 2004, August 31st 2004 and September 3rd 2004 (and most likely also all the days in between) spam is sent out for wewantmorebabes.com, which leads to cheatinghousewifeservices.com, hosted on 80.71.77.100. A web bug points to 80.71.77.102.

On September 4th 2004 spam is sent out for onlythebestbabes.com. This one leads to homepageshotties.com, also hosted on 80.71.77.100. In this case a web bug also points to 80.71.77.102.

September 13th 2004 spam is still being sent out for sites hosted on 80.71.77.100, but the webserver isn’t reachable anymore.

On September 14th 2004 (extra sample) spam is sent out for datemenow.info. It features a popup for datesexybabes.com and a redirect (“clickthrough”) to cheatinghousewifeservices.com, which at first (through an “A record” [wikipedia]) points to 80.71.72.100, but later to 127.0.0.2. The webserver on 80.71.72.100 was unreachable. Credit card data could be left on a site pointing towards offshorestats.com, hosted on 80.71.77.100 and equally unreachable.

Between September 18th and 20th 2004, and possibly a couple of days surrounding that period, spam is sent out from the infamous “DSL” IP range of Megaprovider utilizing open proxies. A number of times a proxypot is hit. Summaries of all the Megaprovider IPs which hit the proxypots can be found in the proxypots of Alan Curry, Feike Hacquebord, Christopher Layne and someone who prefers to remain anonymous. The spams advertise Viagra. From the spams which got trapped in the proxypots (sample) the following list of active IP addresses is distilled:

80.71.72.3, 80.71.72.4, 80.71.72.7, 80.71.72.8, 80.71.72.9, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.180, 80.71.72.181, 80.71.72.182, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

Amongst the domain names advertised through the spam are:

0954vj.com, 0rderdrugs.com, 349fms.com, 4098ws.com, 439fms.com, 450slg.com, 49dmds.com, 49fmas.com, 49fmsas.com, 49fmsv.com, 4imf5.com, 509vms.com, 55mfw.com, 5mfsl6.com, 64ldn5.com, 690mrk.com, 8543nf.com, 95j63s.com, bjepog.com, bjmepe.com, cutprice11.com, dffdh.com, dfjndfv.com, djgpe.com, dpojfs.com, dslk1.com, dsofme.com, eieqo.com, eimhls.com, epofdjep.com, erigsl.com, eroiwe.com, erpowe.com, erwopi.com, etpeh.com, ewfgjs.com, ewofdsf.com, fjdald.com, fjwopfs.com, fkwpsf.com, fmpwng.com, fofmwsp.com, fpoefsd.com, fpowpof.com, fwoi4w.com, gbfjd.com, gneoreo.com, ijjad.com, iohnsk.com, iymwld.com, jpeper.com, lqeriod.com, medz-store.com, nitng.com, oevmte.com, ogmdpes.com, oijia.com, oijji.com, oinrv.com, pi5dkg.com, pjgjeh.com, pogmsa.com, pomcms.com, poremd.com, puyiem.com, qpjfns.com, reoivm.com, repogs.com, reppms.com, rermds.com, roieri.com, rpgjks.com, rpofsdf.com, rpoiwb.com, rtgoiwm.com, rtprbn.com, sdofmw.com, sdpfwod.com, sdpodfj.com, sdpodsw.com, smdddgg.com, smmfsf.com, soiosd.com, sptgjt.com, ssmgmer.com, thpejm.com, tIPej.com, tpoefs.com, vmaprd.com, we49fm.com, wegmws.com, weoine.com, weroim.com, wpofmsg.com, xklghj.com, yiomds.com, yiwoim.com, ypodmns.com, ysnhgld.com

The spam runs also advertise inc-cheap.com, which originates from, amongst others, these IPs:

80.71.72.3, 80.71.72.4, 80.71.72.8, 80.71.72.9, 80.71.72.45, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.60, 80.71.72.112, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.181, 80.71.72.182

These spams are for an affiliate named “jpeg”, a name we run into again later. Between October 15th and 23rd 2004 spam is sent out for, amongst others, toels.com, again for the affiliate “jpeg” (sample). The abusing IPs:

80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

There are also other people who send out their garbage through Megaprovider’s IP space. In the early morning of October 21st 2004 (sample) spam is sent out for hereviagra.com. On the spamvertised pages another referral can be found, called “bleume”. The IPs involved during that hour:

80.71.72.150, 80.71.72.151, 80.71.72.152, 80.71.72.154, 80.71.72.202

That last one sends out the spam with a URL that, due to a typo, doesn’t make the intended domain clear (at least to a casual bystander). The other IPs sent out the correct spam. The same spam is being sent from other IP ranges at the same time through open proxies. That abuse originates from, amongst others, 64.201.105.78 (from the RACETECH IP range belonging to race.com) and 69.90.9.22 (from the PEER1-PRIORITYCOLO-02 IP range belonging to prioritycolo.com).

Between October 23rd and November 30th 2004 (over a month!) spam is again sent out on an almost daily basis (sample). This time again the affiliate “jpeg” and again the domain mejc.com surfaces. During this period the following IPs can be fingered as the source:

80.71.72.3, 80.71.72.4, 80.71.72.8, 80.71.72.9, 80.71.72.45, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.112, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.181, 80.71.72.182, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

The very same spam also gets caught in another proxypot, originating from exactly the same IP addresses (and some other IPs not belonging to Megaprovider). From the logs of this proxypot it becomes clear that the run lasted even longer: from October 25th up to December 4th 2004.

Between January 19th and 21st 2005 spam is sent out from the Megaprovider network for a very diverse multitude of products, like dating (sample, sample), Viagra (sample) and porn. The domain names spamvertised are:

awesomeporno.info, beautifulbitches.info, dellaainthere.com, disgonenowsee.com, eastyids.com, fanominetime.com, ferdlerd.com, fortusgeter.com, gerdnerd.com, gerthperth.com, getsomefundis.com, greeedkeeplee.com, harmanrx.net, hassofrassfey.coms, herdferd.com, jellyteefee.com, jerdmerd.com, jetseefort.com, jorcanfinder.com, kandykanemain.com, kerdserd.com, kessfess.com, kregforteesin.com, lardtard.com, lollyjollydee.com, pardhard.com, perdherd.com, perdkerd.com, persfers.com, profomodo.com, pussymovies.info, pussyonpussy.info, qerdperd.com, refillyourrx.net, renewpharmacy.com, sandroppee.com, serdherd.com, serdwerd.com, shedmorelightzee.com, shescresgee.com, starnowgee.com, transfer-rx.com, werdterm.com, zorodaysin.com

This spam is of course also sent through open proxies. At least 5 IPs belonging to the Megaprovider IP space are used:

80.71.72.91, 80.71.72.92, 80.71.72.94, 80.71.72.163, 80.71.72.165, 80.71.72.166, 80.71.72.190

A few days later, on January 28th and 29th 2005, spam is sent out for a product similar to Viagra. The domain 0rdernow.com is advertised in the spam and the IP addresses which got caught in the proxypot are:

80.71.72.3, 80.71.72.9, 80.71.72.45

Starting January 28th 2005 spam is sent out (sample) for another domain which sells Viagra pills: vaigra.net. The IP addresses involved in this run belonging to the Megaprovider network are:

80.71.72.3, 80.71.72.4, 80.71.72.8, 80.71.72.9, 80.71.72.45, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.112, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.181, 80.71.72.182, 80.71.72.201, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

More dating spam is sent out from Megaprovider IPs on February 3rd and 4th 2005 (sample). The IPs involved:

80.71.72.92, 80.71.72.94, 80.71.72.163, 80.71.72.165, 80.71.72.166, 80.71.72.167, 80.71.72.190

In those runs the domains spamvertised are:

desforgor.com, doestopees.com, doesnowfor.com, farnowdoes.com, fatkwee.com, forherhert.com, herteetok.com, kerfeesoi.com, sadtonowsd.com, saderteelo.com

In the same timeframe, between February 26th and March 13th 2005, spam is sent out for a Viagra selling domain: hycod.com. By combining the logs of two proxypots the following IPs from Megaprovider’s network surface:

80.71.72.3, 80.71.72.4, 80.71.72.8, 80.71.72.9, 80.71.72.45, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.112, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.181, 80.71.72.182, 80.71.72.201, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

From March 13th 2005 (up to March 18th), the Viagra spam continues, but another domain is used: 900mg.com. The IP addresses in use are almost identical to the ones used in the previous run.

After March 18th 2005 the Viagra spam disappears for a bit, but up till March 23rd 2005 spam is sent out for replica watches. The domain used is seikos.net and the IPs involved:

80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

After a day of rest, from March 25th till April 5th 2005 the Viagra spams (sample) continue. The domain used this time is 5qzgrh5.com. The IPs which got caught in proxypots:

80.71.72.4, 80.71.72.8, 80.71.72.9, 80.71.72.45, 80.71.72.54, 80.71.72.56, 80.71.72.57, 80.71.72.112, 80.71.72.159, 80.71.72.160, 80.71.72.161, 80.71.72.164, 80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.181, 80.71.72.182, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

Between April 1st and 6th 2005 IPs are also logged for spam tied to “jpeg” and the domains cpko.com, fubh.com, ppeq.com and xtst.com (sample). It seems likely that multiple servers are used. The following IPs are involved in sending these spams through open proxies:

80.71.72.10, 80.71.72.11, 80.71.72.12, 80.71.72.13, 80.71.72.14, 80.71.72.15, 80.71.72.16, 80.71.72.17, 80.71.72.18, 80.71.72.19, 80.71.72.20, 80.71.72.21, 80.71.72.23, 80.71.72.24, 80.71.72.140, 80.71.72.141, 80.71.72.142

Also starting April 1st 2005, but continuing up till April 14th 2005, “jpeg” is also sending out Viagra spam for rrox.com and vdrugz.com (sample). Whereas the other run is sent from the first 128 IP addresses of the range (80.71.72.0/25), this run is sent from the second set of 128 IP addresses (80.71.72.128/25):

80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174, 80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179, 80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

After the Viagra spam “jpeg” switches back to replica watches, and so on April 15th and April 16th 2005 spam for those is sent out. The spams for y73.net (sample) originate from:

80.71.72.240, 80.71.72.241, 80.71.72.242, 80.71.72.243, 80.71.72.244

The spams for oi6.net (sample) originate from:

80.71.72.170, 80.71.72.171, 80.71.72.172, 80.71.72.173, 80.71.72.174

The spams for p1k.net (sample) originate from:

80.71.72.175, 80.71.72.176, 80.71.72.177, 80.71.72.178, 80.71.72.179

These spam runs were all sent by a spammer using the referral “jpeg”. By sheer luck it became clear where exactly this spammer was getting his open proxies from.

On April 11th 2005 isc.sans.org mentions 16 IP addresses in that same IP range that were involved in sending spam through open proxies:

80.71.72.16, 80.71.72.17, 80.71.72.18, 80.71.72.19, 80.71.72.20, 80.71.72.21, 80.71.72.22, 80.71.72.23, 80.71.72.24, 80.71.72.90, 80.71.72.91, 80.71.72.92, 80.71.72.93, 80.71.72.140, 80.71.72.141, 80.71.72.142

Rule #4 in effect?

And then, out of the blue, on May 23rd 2005, from my command line prompt:

rejo@bottebijl:~> ping 80.71.72.174
PING 80.71.72.174 (80.71.72.174) 56(84) bytes of data.
--- 80.71.72.174 ping statistics ---
83 packets transmitted, 0 received, 100% packet loss, time 81992ms

Also on May 23rd 2005, from one of my IRC logs:

16:55 < $nick > hmm, what would bevelander have to discuss with telecity? a pissed-off lawyer for martijn, was standing at the front desk, and demanded that “the meeting wouldn’t start without her”

Telecity 1 is one of the datacenters in Amsterdam. An e-mail sent to me by a friend explained some more:

As far as Bevelander is concerned: I heard that near the end of May or the beginning of June there was a raid at his bar in Haarlem. This raid (most likely by the [munged]) was related to Bevelander’s spam activities. Computer equipment was allegedly seized.

That bar cannot be anything else than Delirium (a bar owned by Martijn Bevelander; the address of the bar is shared by Megaprovider).

Would Rule #4 finally be in effect again?

The originating systems and the size of the spamruns

By analyzing the simultaneous connections, network fingerprints of Linux and Windows systems surface:

[timestamp] 80.71.72.10:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp] 80.71.72.11:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
[timestamp] 80.71.72.12:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
[timestamp] 80.71.72.13:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp] 80.71.72.14:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp] 80.71.72.15:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.16:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.17:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.18:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.19:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.20:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.21:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 941 hrs)
[timestamp] 80.71.72.23:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 920 hrs)
[timestamp] 80.71.72.24:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 919 hrs)
[timestamp] 80.71.72.140:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 43 hrs)
[timestamp] 80.71.72.141:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 199 hrs)
[timestamp] 80.71.72.142:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 198 hrs)
[timestamp] 80.71.72.170:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.171:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.172:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.173:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.174:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.175:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.176:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.177:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.178:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.179:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.240:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.241:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.242:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.243:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.244:[port] - Windows 2000 SP4, XP SP1

This doesn’t offer conclusive evidence regarding the number of systems used: a single server can have an almost limitless number of IPs assigned to its network interface card. By using virtual machines the network traffic analysis can turn up a Windows fingerprint whilst in reality the server is running Linux. Still, it is likely that indeed two or more systems were used.

The server with the Linux network fingerprint sent out spam advertising amongst others xtst.com, cpko.com and fubh.com between April 1st and April 6th 2005. The server with the Windows network fingerprint sent out spam advertising amongst others rrox.com during that same period.

The displayed uptime is only an estimate; it can be off by as much as a factor of 10 compared to the actual uptime.
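To show how a passive-fingerprint list like the one above can be turned into a rough host count and into the /25 split noted earlier, here is an added Python example; it is not from the article, the sample lines are a constructed subset of the list above, and the 2-hour uptime tolerance is an assumption.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of the fingerprint lines quoted in the article;
# the timestamp and port fields were already masked there.
FINGERPRINT_LOG = """\
[timestamp] 80.71.72.10:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 942 hrs)
[timestamp] 80.71.72.11:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 943 hrs)
[timestamp] 80.71.72.23:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 920 hrs)
[timestamp] 80.71.72.24:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 919 hrs)
[timestamp] 80.71.72.140:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 43 hrs)
[timestamp] 80.71.72.141:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 199 hrs)
[timestamp] 80.71.72.142:[port] - Linux 2.4/2.6 >= 2.6.7 (up: 198 hrs)
[timestamp] 80.71.72.170:[port] - Windows 2000 SP4, XP SP1
[timestamp] 80.71.72.240:[port] - Windows 2000 SP4, XP SP1
"""

LINE_RE = re.compile(
    r"^\[[^\]]*\]\s+(\d{1,3}(?:\.\d{1,3}){3}):\S+\s+-\s+(.*?)"
    r"(?:\s+\(up:\s+(\d+)\s+hrs\))?$"
)


def parse_fingerprints(log):
    """Return a list of (ip, os_label, uptime_hours_or_None) tuples."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a fingerprint line
        ip, os_label, up = m.groups()
        entries.append((ip, os_label, int(up) if up is not None else None))
    return entries


def cluster_by_uptime(entries, tolerance=2):
    """Group IPs per OS label into clusters of near-identical uptime.

    Assumption: IPs whose uptime estimates lie within `tolerance` hours of each
    other probably sit on the same kernel. IPs without an uptime estimate end up
    in one 'unknown' cluster per OS label.
    """
    timed = defaultdict(list)
    unknown = defaultdict(list)
    for ip, os_label, up in entries:
        if up is None:
            unknown[os_label].append(ip)
        else:
            timed[os_label].append((up, ip))
    clusters = {}
    for os_label, items in timed.items():
        items.sort()
        groups, current = [], [items[0][1]]
        for (prev_up, _), (up, ip) in zip(items, items[1:]):
            if up - prev_up <= tolerance:
                current.append(ip)
            else:
                groups.append(current)
                current = [ip]
        groups.append(current)
        clusters[os_label] = groups
    for os_label, ips in unknown.items():
        clusters.setdefault(os_label, []).append(ips)
    return clusters


def estimate_distinct_hosts(entries, tolerance=2):
    """Heuristic lower bound on the number of distinct systems per OS label."""
    return {os_label: len(groups)
            for os_label, groups in cluster_by_uptime(entries, tolerance).items()}


def split_by_half(entries):
    """Map each IP to the /25 it falls in (one spam run per half, per the article)."""
    halves = defaultdict(list)
    for ip, _, _ in entries:
        net = ipaddress.ip_network(f"{ip}/25", strict=False)
        halves[str(net)].append(ip)
    return dict(halves)
```

The uptime clusters are only as good as the fingerprinting tool's clock-rate guess, so treat the count as a floor for how many kernels are behind the addresses, not as an exact host inventory.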

The open proxies were also tested from within the /24 IP range belonging to Megaprovider. This is done to check that an open proxy will indeed open up the desired connection. The tests which were intercepted show a correlation with IPs 80.71.72.54 and 80.71.72.240: the test connection goes through the hijacked proxy back towards port 8655 on both of those IP addresses.

Just one of the proxypots saw attempts to send out spam to no less than 1,000,000 addresses during four consecutive days. It is within reason to presume the actual number of sent spams to be much, much higher, with only a fraction caught in the proxypot.

At any given time a spammer uses several open proxies at once. It has occurred that two or more proxypots were contacted simultaneously from within the same range of IP addresses. This substantiates the belief that dozens of open proxies were used simultaneously. Any serious spammer wouldn’t break a sweat pumping out 20,000,000 spams headed for a multitude of e-mail addresses in less than 24 hours. The proxypot data suggests about four to six addresses per message, but research has shown this could easily be 10 to 100 addresses per message.

The source of the abused open proxies

To keep sending out his millions of spams “jpeg” needs thousands of open proxies. He could quench his need for proxies by actively searching for them, but he could also “just” buy or rent them from others.

By coincidence one of “jpeg”’s proxy suppliers has been discovered. On April 15th 2005 “jpeg” was sending spams through a computer which turned out to be infected with a trojan belonging to the porksiop.info aka kupeisecivica.info aka blahot.com botnet.

That specific trojan was spread by the owners of the porksiop.info network through, amongst others, an exploit on nzawgjtm.info. This website was advertised in spams as offering “free young girls pics”. The spam itself was sent out through open proxies. The site was hosted in China, to prevent its removal by the local administrator in case of complaints. A page containing a Visual Basic script installed a program on the computer of the unsuspecting visitor, without his knowledge or consent.

The trojan is related to the Troj/Multidr-BP family (other, possibly incorrect or incomplete, descriptions here and here). It has the following features:

  • It will try to disable any firewall(s) and/or virus scanner(s) the user might have installed. This makes the computer more vulnerable to this and newer viruses and trojans.
  • The program installs a backdoor, which allows the attacker to gain (unauthorized) access to the infected computer at a later time.
  • The program turns the infected computer into an open proxy and registers itself with the administrators of the porksiop.info botnet. In this registration message all kinds of data are sent to the administrator, like the IP address and the open proxy port of the infected computer. The administrator then sells or rents out this proxy to spammers who are in need of open proxies.
  • And finally the trojan has the ability to download another trojan, from domain-name.biz. It isn’t entirely clear yet whether this new trojan was in fact available through domain-name.biz.

On April 15th 2005 a specially prepared honeypot system was used to simulate a porksiop.info trojan infection. Three spammers were interested in this honeypot: a (most likely) Russian spammer, the “jpeg” spammer from the aforementioned Megaprovider IP addresses (the spam runs performed on April 15th and April 16th 2005) and his colleague “ndgs” from the IP address 219.153.10.141.

This specific case makes it very probable that the “jpeg” spammer uses computers infected with a trojan and under control of a botnet network to send out his spam.

Megaprovider’s mailservers in blocklists a problem?

Something I had been wondering about for quite some time: how can Megaprovider keep its business up and running while being listed in a very large number of private blocklists and DNS blocklists like the SBL (by Spamhaus)? The answer is most likely as predictable as it is simple: Megaprovider (sometimes) simply utilizes mailservers with an IP address outside of its own range(s):

Received: from smtp.zeldaservices.biz (smtp.zeldaservices.biz [64.151.68.188]) by mx1.[munged] (Postfix) with ESMTP for <[munged]@[munged]>; [munged] May 2005 [munged] +0200 (CEST)

This e-mail (complete header), sent by an employee at Megaprovider, was sent from an XS4ALL IP (XS4ALL) through a mailserver in the IP space (SERVEPATH-BLK4) belonging to ServePath. Although recently it would seem to be going better, ServePath does have a history of not objecting to spammers.

I’m assuming that this employee sent this e-mail from his private connection; that would explain the XS4ALL DSL link. But that would make the mailserver at ServePath all the more interesting, because why would a mailing list server at Megaprovider send out all its mail through this mailserver at ServePath (as a “smarthost”)?

Received: from smtp.zeldaservices.biz [64.151.68.188]:[munged] (helo=smtp.zeldaservices.biz) by [munged] with esmtp id [munged] for [munged]; Sun, [munged] Jun 2005 [munged] +0200
Received: from nld99 by s02.vanleuven.com with local (Exim 4.24) id [munged] for [munged]; Sun, 26 Jun 2005 [munged] +0200

Van Leuven uses the services provided by Megaprovider. Its mailing list server runs on s02.vanleuven.com, reachable on IP address 80.71.70.58. That IP address is listed in a number of blocklists, including that of Spamhaus. If e-mail were sent directly from this server, it would not reach many places. By routing the e-mail through a server outside of the Megaprovider IP range, this block is circumvented.
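As an added example (not part of the article), the following Python walks the full Received chain of a message like the one quoted above instead of looking only at the connecting IP; the sample headers, the local blocklist and the hostname-to-IP map are constructed from the addresses the article names (message ids, recipient and timestamps are placeholders).

```python
import re
import ipaddress

# Constructed sample, modelled on the munged Received headers quoted in the
# article; the message ids, recipient and timestamps are placeholders.
SAMPLE_HEADERS = """\
Received: from smtp.zeldaservices.biz [64.151.68.188]:34567 (helo=smtp.zeldaservices.biz)
    by mx.example.invalid with esmtp id 1XXXXX-000000-00
    for <user@example.invalid>; Sun, 26 Jun 2005 12:00:00 +0200
Received: from nld99 by s02.vanleuven.com with local (Exim 4.24)
    id 1YYYYY-000000-00 for <user@example.invalid>; Sun, 26 Jun 2005 11:59:00 +0200
Subject: list mail
"""

# Constructed local blocklist: the article states that 80.71.70.58 is listed;
# the two /24s are the Megaprovider ranges it discusses. Real DNSBLs differ.
LISTED_NETWORKS = [
    ipaddress.ip_network("80.71.70.58/32"),
    ipaddress.ip_network("80.71.71.0/24"),
    ipaddress.ip_network("80.71.72.0/24"),
]

# A 'with local' hop names the relaying host but carries no IP literal, so the
# hostname has to be resolved. Static map (from the article) instead of DNS.
HOST_IPS = {"s02.vanleuven.com": "80.71.70.58"}

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Received hops in header order: index 0 is the hop nearest the recipient."""
    hops = []
    for line in unfold_headers(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        from_host, details, by_host = m.groups()
        ip_m = IPV4_RE.search(details)  # IP literal of the 'from' host, if any
        hops.append({"from": from_host,
                     "ip": ip_m.group(1) if ip_m else None,
                     "by": by_host})
    return hops


def is_listed(ip, networks=LISTED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def connecting_ip_listed(raw, networks=LISTED_NETWORKS):
    """What a plain connection-time blocklist check sees: only the last relay."""
    hops = parse_received(raw)
    return bool(hops) and hops[0]["ip"] is not None and is_listed(hops[0]["ip"], networks)


def chain_hits(raw, networks=LISTED_NETWORKS, host_ips=HOST_IPS):
    """Every hop whose sending or relaying address is listed, as (index, host, ip)."""
    hits = []
    for idx, hop in enumerate(parse_received(raw)):
        candidates = []
        if hop["ip"]:
            candidates.append((hop["from"], hop["ip"]))
        if hop["by"] in host_ips:
            candidates.append((hop["by"], host_ips[hop["by"]]))
        for host, ip in candidates:
            if is_listed(ip, networks):
                hits.append((idx, host, ip))
    return hits
```

A receiving MX that only checks the connecting address (64.151.68.188) passes the message; the listed 80.71.70.58 only shows up when the earlier hop is inspected, which is exactly the smarthost detour described above.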

Megaprovider has been using this specific mailserver for quite some time, according to e-mail from a couple of months back:

Received: from smtp.zeldaservices.biz (customer-reverse-entry.64.151.68.188 [64.151.68.188] (may be forged)) by [munged] (8.10.2/8.10.2) with ESMTP id [munged] for [munged]; [munged] Jul 2004 [munged] +0200

Received: from smtp.zeldaservices.biz (unknown [64.151.68.188]) by [munged] (Postfix) with ESMTP id [munged] for [munged]; [munged] Jun 2004 [munged] +0200 (CEST)

Received: from smtp.zeldaservices.biz (unknown [64.151.68.188]) by [munged] ([munged]) with ESMTP id [munged] for [munged]; [munged] Apr 2004 [munged] +0200 (CEST)

Most likely Megaprovider has set up several systems like this one. There are at least two more (Dutch) IPs outside of Megaprovider IP space that are used for sending e-mail. The server smtp.zeldaservices.biz points towards 64.151.68.188, zelda.zeldaservices.biz points towards 64.151.69.236; both IP addresses are used on the same box.

The name “Zelda” has surfaced before when dealing with Megaprovider, but this could of course be sheer coincidence.

Update 1: Both ServePath IP addresses have been listed by the Spamhaus SBL (SBL28402 and SBL28403), only a few hours after this article was posted.

Update 2: And 36 hours later, ServePath disconnects their customer.

Credits

Large parts of the information were based on the excellent work of mainly Feike Hacquebord. Others who have made contributions are Carel Bitter, Johan Haagsma and several others who prefer not to be named.

This butchering of the English language was provided by JPV.