During my little website(‘)s(‘) jiggle over the last two days, I’ve had to turn off various plugins from my WordPress powered setup. Usually, for spam combat, Simple Trackback Validation or TanTanNoodles Simple Spam Filter in combination with Akismet does the business.
During this process, I got two trackback spams, both on Saturday 24th May night, about 90 minutes apart. They didn’t manage to appear but they did get to send an admin post. They didn’t actually appear in the comments pending either – they just vaporised – which is nice, but I’ve never had that before…
Breakdown of The Spammer
They both came from IP: 126.96.36.199 which is netcathosting.com, a Russian paged outfit. http://netcathosting.com is the supposed source but a WHOIS search reveals that the contact address is at http://netcathost.com, another Russian paged outfit. This gives another contact at easyxhost.com.
Easyxhost points back to netcathosting for ownership when a WHOIS is done. A company called Phantographics pops up a lot. Their contact email is email@example.com. go.com is actually registered to The Walt Disney Company! Charles in this post and Dirk with this one have some interesting info on the dodginess of Phantographics.
All three domains have an address which is IBC Tower Floor 9 on Manuel Espinosa Batista Avenue in Panama. Each domain has a separate PO Box number! (why do they bother?)
PO Box 901-2389, PO Box 901-2484, PO Box 55-2484
The IBC Tower seems to be a mish-mash of legal and not-so-legal concerns. There are shipping and other companies and even the dodgy sounding Bertrand Russell University which provides a picture of the tower, at least!
Both trackbacks were to a single old post about Rome Total War, 132/install-theme-from-rome-total-war/, probably because it had some external links picked up by a feeder or something.
Each trackback comment had a single hyperlink, to the same Google Notebook account but with different links, common in the respect of them being porn links. Accompanying the link, was a small piece of random pseudo-sense wordage to make it look like a genuine trackback, but this doesn’t appear on the account page (see further below)…
Why am I reporting this here?
Well, it’s the first instance I’ve had of this sort of spam and with links pointing back to Google Notebooks which in turn have a link pointing to a porn site. Also, I decided to trace through the spam source – just for fun!
This is what happens if you follow the links from Google Notebooks. You’ll see that my anti-virus NOD32 has detected a trojan in the link. It then terminates it.
NOD32 calls it a variant of HTML/TrojanClicker.Agent.Ftrojan which doesn’t appear in search engines by itself, but the TrojanClicker, Agent and Ftrojan sub-names appear on Sophos and ESET from a couple of years back. It’s general operation is to switch off your anti-virus software as a starter…
The porn spammer and trojan launcher is here on Google Notebooks, i.e. user ID #13497754368789561429. The Google Notebook terms and conditions section 2, can just about accommodate this “person”‘s activities – apart from the bad code launcher. This I think falls foul of the phrases “purposes that are legal, proper“ and “any activity that interferes with or disrupts Google services or servers or networks“ – but hey! I doubt they care.
Trojan Source Breakdown
The page that both links go to is on the domain setdevi.net/. Click the link and you’ll get a 403 Forbidden message which is kind of ironic given the nature of the postings and the subject matter of the sub pages.
setdevi.net is at IP address 188.8.131.52 It’s registrar is at EST Domains which looks cheap and nasty and is actually in China. The links actually point to debime.net which pulls out a blank page. Some cgi script makes the links hop to setdevi.net Needles to say, debime.net is also hosted at EST Domains.
If you do a whois on the est domains website, all the contact addresses are actually little png files called up from a backend database so that there are no live email links. The contact is listed as Steven Gogey and the email address is firstname.lastname@example.org This is for the sake of completeness in case anyone wants to talk to him (if he exists). There are actually a shed load of clauses after you do a WHOIS search, forbidding the repetition of this information here except if it’s lawful.
They say in the WHOIS t&c, that I’m not supposed to load systems – but it’s okay for them to host systems and activities that do exactly that to other people’s websites and personal computers.
The final part of the “terms” is that by submitting a WHOIS query, I accept the terms – but I can only see the terms after I’ve run the query. See the screendump of the whois screen at left.
Even the dumbest lawyer can pull that apart.
I don’t think they’ll call.
What we have is a spammer setting up a trojan which will either set up a pc as a zombie host by shutting down the anti-virus and relaying the trojan on or maybe key logging for passwords, say. The spammer has hidden himself behind a round-robin of contacts based in Panama but with various names in New York, China and elsewhere. He’s probably Russian and, because he feels pretty safe, his real name is probably Vladislav Radchek.
The whole charade is built upon the initial email registration address which is easily obtained from go.com. One from hotmail or yahoo etc could just as easily have been used so it’s no slur on good ol’ Walt and his cartoon characters.
Doing a google search on the IBC tower and it’s address or Vladislav Radchek pulled out some fellow spam inquistitors. Their results and opinions are broadly in line with mine. Please read them for extra insights into the grubby world of spam. Here are three:
Also, I’ve just recently hit on this huge list of bad guys: http://www.malwaredomainlist.com/mdl.php Now that’s gotta be a barrel of laughs.