Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

All of your pages are belonging to us

Published: 2010-11-18
Last Updated: 2010-11-18 21:53:16 UTC
by Chris Carboni (Version: 1)
18 comment(s)

We received a report of a very aggressive web spider that apparently is not obeying robots.txt.

The report claims the spider is from http://www.80legs.com/webcrawler.html

Here are a few interesting tidbits from that site.

"008 runs on a grid computing platform that consists of several thousand computers, which is why you may see our web crawler access your site from many different IP addresses."

"If you block 008 using robots.txt, you will see crawl requests die down gradually, rather than immediately. This happens because of our distributed architecture. Our computers only periodically receive robots.txt information for domains they are crawling."

And my personal favorite ...

"Blocking our web crawler by IP address will not work. Due to the distributed nature of our infrastructure, we have thousands of constantly changing IP addresses. We strongly recommend you don't try to block our web crawler by IP address, as you'll most likely spend several hours of futile effort and be in a very bad mood at the end of it."

Several thousand computers?  Sounds like a recipe for a DDoS attack if I ever saw one and I don't even want to think about what could happen if that site got 0wn3d.

Has anyone else seen this?  Let us know.

Christopher Carboni - Handler On Duty

18 comment(s)

Someone is attempting to register your domain in [insert country name here]

Published: 2010-11-18
Last Updated: 2010-11-18 20:03:35 UTC
by Chris Carboni (Version: 2)
7 comment(s)

Dear Mr. Carboni,

"We are a Network Service Company which is the domain name registration center in [some city and country]. On Nov. 16 2010, we received an application from [some company that doesn't exist] requested "Sans" as their internet keyword and [country and (TLD)] domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in [country name]?


[some person name]
[some company name]
[some company address] etc ...


Really?  Oh no!  I might lose my company.com/cn/af/sk/so/br domain in China/Afghanistan/S.Korea/Somalia/Brazil/ ...!

This is a scam that is several years old and I'm finding out is not as widely known as I originally thought.

Back in the day I used to receive this type of email at least a few times every month, usually from a different person/company/country.

If you call / email or in some way return communication, in my experience, the "registrar" tries to extort you for some amount of money telling you that if you don't pay (I remember one for $10000 USD and another was much more though I can't remember the exact amount - credit cards gratefully accepted) you will lose whatever domain they're telling you someone is trying to register.

There may be other angles that I haven't seen before but the bottom line is this is a scam that can be filed with the other scams, phishes, hoaxes and other stuff which (hopefully) is caught by your spam filter.

 

Update:

One of our other Handlers pointed me to an excellent  article by Dr. Neal Krawetz on this very scam.  Read about it in the Hacker Factor Blog.

 

Christopher Carboni - Handler On Duty

Keywords:
7 comment(s)

Stopping the ZeroAccess Rootkit

Published: 2010-11-18
Last Updated: 2010-11-18 16:26:20 UTC
by Chris Carboni (Version: 1)
1 comment(s)

Jack at the Infosec Institute sent a note announcing research that had been done on the ZeroAccess Rootkit.

He states "One of our InfoSec Resources Authors defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit"

The full article can be found on their website.

How widespread are rootkits in your environment?

Are you having a problem with rootkits right now or have you had a problem with them in the past?

Write in and share your experiences including any practical tips on recovery in a corporate environment.
 

Christopher Carboni - Handler On Duty

1 comment(s)
Diary Archives