Fake marijuana botnettery continues

It would appear that the previously mentioned "herbal marijuana" business (which, as I explain in that earlier post, is probably actually just a scam to harvest credit card numbers) is burgeoning.

From: "Bud Shop" <dancitep_yzpsoy@gte.net>
Date: Fri, 16 Nov 2007 14:05:42 -0700
To: "dan" <dan@dansdata.com>
Subject: Smoke up the bud

Do You Smoke Big Buddha Bud Or Any Other Legal Bud To Go Crazy ?


My buddy Mark stopped hanging out with me because he now works at the post
office and has to do a piss test every other week. Just last week though, i
see him sparking up. I'm like "Dude are you smoking bud again??" and he is
all "Yeah! i bought ONE POUND of Legal Bud at cheapestbuds.com and i dont
need to worry, this shit doesnt come up in piss tests and its some potent
shit!" cheapestbuds.com is too good to be kept a secret.

One warning though, Dont drive with this potent bud.
My friend blasted up before going on his mailing route and he ended up
crashing the postal truck LOL.
Oh and he still smokes up the Legal Bud!




The shabaaloo.com site being promoted here looks exactly the same as the previous thebudshop.net. Note also the mention of "cheapestbuds.com", which was perhaps an earlier URL for the same scammers. That's dead now, but all of the other ones are still up. The "www2" and "3I" subdomains spread the botnet hosting out even further.

Once again, these sites are all shuffling from one home broadband IP address to another, a technique I now know is called "fast-flux", which was apparently originally used to hide spam mail servers. Their nameservers occasionally seem to be pointing more than one domain at the same IP address - both shabaaloo.com and thebudshop.net were at (someone's virus-infected PC on a Comcast address) when I first checked. Mere moments later shabaaloo had moved to (another zombie, this time connected via AT&T) and thebudshop had moved to (Choice One Communications). Then shabaaloo was (NTL Internet, a UK ISP) and thebudshop was (Road Runner). The subdomains all have their own separate changing addresses, too.

Thebudshop's nameservers are still ns1.b4cf5f189.com and ns2.b4cf5f189.com; those are currently at (AT&T) and (Comcast), respectively. NS1 has stayed the same since I first checked four and a half days ago, but NS2 has changed at least twice since then.

The DNS entry for shabaaloo.com lists no fewer than five nameservers - four is the usual limit. It's got NS1 through NS5.b4cf5f189.com. As I said in the comments for the previous post, that probably makes it virtually invincible, at least by spam-site-hosting standards.

When botnets first hit the news, many people (me included) had some difficulty figuring out what they were for, exactly. Yes, you could use them to send spam, or to launch denial-of-service attacks, or as your own personal massively parallel supercomputer for cracking encryption or something. But none of those features sounded hugely marketable.

Bulletproof hosting for any site you want is different, though. There are plenty of people who already pay big bucks for that.

I think we'll be seeing a lot of spam-scam sites shifting to botnet hosting soon. Perhaps that'll be what it takes to get the major ISPs to start actually disconnecting people whose computers are part of a botnet. Thus far they've resisted taking such action, despite being urged to do so by such minor entities as the US Government for going on three years.

One might cynically surmise that the lack of action is because there's no money to be made in disconnecting zombies. Actually, there's money to be lost; even if all you do is direct all of the customer's Web requests to a "you've been quarantined" page with information about antivirus software, you're still going to get irate support calls that'll rapidly eat up every penny the customer's paying you. If you cut 'em off altogether, they'll probably tell all of their friends that you're a terrible ISP, and may file complaints with their credit card company. It's a nightmare.

And botnet members don't generally actually use a whole lot of the ISP's precious bandwidth, either. J. Random Hacker with his squeaky-clean computer that's downloading TV all day is the user an ISP really wants to cut off.

And if every ISP doesn't adopt a no-zombies policy, at least some disgruntled customers are not going to actually put their house in order - they'll just switch to an ISP that'll let their lurching zombie of a PC onto the Internet.

Here's a good article about the current sad state of affairs. Busting the people who set up the botnets seems to be the most promising course of action. That strategy hasn't exactly stamped out spam so far, though.

7 Responses to “Fake marijuana botnettery continues”

  1. Stark Says:

    I think you are, unfortunately, exactly right about the spammers moving to fast-flux hosting. I also think you are exactly right about the causes of reticence do do anything about bot nets as far as isp's are concerned. However, there is an alternative to cutting the bots off the net altogether and many ISP's appear to already be moving this way - that alternative is to require antivirus packages supplied by the isp to be on your pc and running in order to connect. Folks will cry foul at that but really, it's not an unreasonable proposition. It's certainly far more reasonable than cutting the poor clueless user off at the knees.

    Personally I'm all for creating an international rapid strike force authorized to use deadly force in the apprehension and permanent removal of the bot net runners and spammers.... but that may be a bit drastic.

  2. Jax184 Says:

    Setting aside the question of how a net provider would know if you were running their software, especially with the huge number of routers and such in service, I can still see a fatal flaw or two in mandatory net provider approved antivirus software.

    "Sorry sir, you must be running Telus branded antivirus, with added value links, desktop shortcuts and pop-up messages to inform you of our latest special offers in order to use the service you're paying for!"

    "But your software only runs on Windows Vista! I've got a mac/C-64/VoIP phone/Sega Dreamcast/windows 2000/windows CE/Newton OS/linux/Solaris/Irix based machine that can't run your software!"

    "Sorry sir, you'll have to upgrade your computer to meet the minimum system requirements before I will be able to help you."


    "Have a nice day sir, and thank you for choosing Telus."

  3. Kahm Says:

    Hilarious comment to come home to, considering that I work tech support for TELUS. (Edmonton, Alberta, Canada) :)

    Ironically, you don't require the Telus software at all to get going on the net, and the install CD lets you bypass our AV (which you have to subscribe to) and our (moderately useful) diagnostic software.

    Our new standard modems also include routers, which we support, and that means it is much easier to eliminate the client's computer from the equation.

    On the flip side, I've talked to people who changed ISPs because we cut them off for virus traffic, rather than actually fix the computer. :( One of the routers has a built in "excessive connections" warning that intercepts the webpage if you have thousands of outgoing connections on your computer. Unfortunately, client's are always "Just turn that off so I can connect" ;_;

  4. Jax184 Says:

    I realize that the current software is optional, but I was trying to show what a mess it would be if the software were to become mandatory.

    I'm an E-Slut, err, Telus user myself here in Vancouver, but only because Shaw has a slower upload speed and more strict monthly transfer limits. Now if only I could get port 80 opened up so my domain would function properly...

  5. Daniel Rutter Says:

    The latest spam to arrive was promoting YbA7mt.shabaaloo.com as well. At the moment most/all of the content you get from going to that subdomain is still coming from thebudshop.net, but it could all be YbA7mt.shabaaloo.com/whatever files any minute now.

  6. Stark Says:

    Jax, I don't disagree with your assesment at all... however I think the major ISP's won't much care. The AT&T's of the world already don't much care if they lose a few thousand home customers here and there due to being a pain in the ass. And, frankly, the percentage of their home users using something other than Winduhs is small enough to really not bother them at all if they go away.

    Although it strikes me that the easiest way for an ISP to deal with this might be to create their own bot-net out of everything that connects to their network. Then we can have massive bot-net wars! Eventually an intelligence will rise out of the massed bot-nets and humanity will be subjugated to its will...or something... ;)

  7. Daniel Rutter Says:

    Almost a month later, another "Legal Bud Shop" e-mail turned up, with the same "buddy Mark at the post office" text, but this time promoting MyCrazyBuds.com , www2.MyCrazyBuds.com and 4e5U2.MyCrazyBuds.com. Which resolve right now to Road Runner and Comcast IP addresses, so it's clearly the same thing again.

Leave a Reply