From: "Bud Shop" <email@example.com>
Date: Fri, 16 Nov 2007 14:05:42 -0700
To: "dan" <firstname.lastname@example.org>
Subject: Smoke up the bud
Do You Smoke Big Buddha Bud Or Any Other Legal Bud To Go Crazy?
My buddy Mark stopped hanging out with me because he now works at the post office and has to do a piss test every other week. Just last week though, I see him sparking up. I'm like "Dude are you smoking bud again??" and he is all "Yeah! I bought ONE POUND of Legal Bud at cheapestbuds.com and I don't need to worry, this shit doesn't come up in piss tests and it's some potent shit!" cheapestbuds.com is too good to be kept a secret.
One warning though, don't drive with this potent bud.
My friend blasted up before going on his mailing route and he ended up crashing the postal truck LOL.
Oh and he still smokes up the Legal Bud!
The shabaaloo.com site being promoted here looks exactly the same as the previous thebudshop.net. Note also the mention of "cheapestbuds.com", which was perhaps an earlier URL for the same scammers. That's dead now, but all of the other ones are still up. The "www2" and "3I" subdomains spread the botnet hosting out even further.
Once again, these sites are all shuffling from one home broadband IP address to another, a technique I now know is called "fast-flux", which was apparently originally used to hide spam mail servers. Their nameservers occasionally seem to be pointing more than one domain at the same IP address - both shabaaloo.com and thebudshop.net were at 184.108.40.206 (someone's virus-infected PC on a Comcast address) when I first checked. Mere moments later shabaaloo had moved to 220.127.116.11 (another zombie, this time connected via AT&T) and thebudshop had moved to 18.104.22.168 (Choice One Communications). Then shabaaloo was 22.214.171.124 (NTL Internet, a UK ISP) and thebudshop was 126.96.36.199 (Road Runner). The subdomains all have their own separate changing addresses, too.
Thebudshop's nameservers are still ns1.b4cf5f189.com and ns2.b4cf5f189.com; those are currently at 188.8.131.52 (AT&T) and 184.108.40.206 (Comcast), respectively. NS1 has stayed the same since I first checked four and a half days ago, but NS2 has changed at least twice since then.
The DNS entry for shabaaloo.com lists no fewer than five nameservers - four is the usual limit. It's got NS1 through NS5.b4cf5f189.com. As I said in the comments for the previous post, that probably makes it virtually invincible, at least by spam-site-hosting standards.
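As an added illustration (my own script, not anything from the post or the spammers' sites): a small defender-side check over a log of DNS answers that flags the rotation pattern described above and lists IPs that answered for more than one domain. The observations are constructed, using RFC 5737 documentation-range addresses and assumed TTLs rather than the addresses reported in the post; the /16 grouping is a crude offline stand-in for "different ISPs".

```python
from collections import defaultdict
import ipaddress

# Constructed DNS observations (domain, A answer, TTL seconds) from repeated
# lookups. Domain names are from the post; the addresses are RFC 5737
# documentation ranges, not those the post reports; TTLs are assumed.
OBSERVATIONS = [
    ("shabaaloo.com", "203.0.113.10", 300),
    ("shabaaloo.com", "198.51.100.77", 300),
    ("shabaaloo.com", "192.0.2.5", 180),
    ("shabaaloo.com", "203.0.113.200", 300),
    ("thebudshop.net", "192.0.2.5", 300),
    ("thebudshop.net", "203.0.113.44", 300),
    ("thebudshop.net", "192.0.2.99", 300),
    ("example.org", "192.0.2.1", 86400),
    ("example.org", "192.0.2.1", 86400),
]

def summarize(observations):
    """Per domain: distinct answer IPs, distinct /16 networks (a crude offline
    stand-in for 'different ISPs') and the lowest TTL seen."""
    stats = {}
    for domain, ip, ttl in observations:
        s = stats.setdefault(domain, {"ips": set(), "nets": set(), "min_ttl": ttl})
        s["ips"].add(ip)
        s["nets"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        s["min_ttl"] = min(s["min_ttl"], ttl)
    return stats

def is_fast_flux(s, min_ips=3, min_nets=2, max_ttl=1800):
    """Many addresses, spread over several networks, with short TTLs."""
    return len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets and s["min_ttl"] <= max_ttl

def flagged_domains(observations):
    return sorted(d for d, s in summarize(observations).items() if is_fast_flux(s))

def shared_hosts(observations):
    """IPs that answered for more than one domain, as the post saw both
    spam sites on the same infected PC at the same time."""
    by_ip = defaultdict(set)
    for domain, ip, _ in observations:
        by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

if __name__ == "__main__":
    print("fast-flux candidates:", flagged_domains(OBSERVATIONS))
    print("IPs hosting several domains:", shared_hosts(OBSERVATIONS))
```

In practice you would feed it passive-DNS or resolver-log records and replace the /16 grouping with an ASN lookup, since one ISP can own many prefixes.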
When botnets first hit the news, many people (me included) had some difficulty figuring out what they were for, exactly. Yes, you could use them to send spam, or to launch denial-of-service attacks, or as your own personal massively parallel supercomputer for cracking encryption or something. But none of those features sounded hugely marketable.
Bulletproof hosting for any site you want is different, though. There are plenty of people who already pay big bucks for that.
I think we'll be seeing a lot of spam-scam sites shifting to botnet hosting soon. Perhaps that'll be what it takes to get the major ISPs to start actually disconnecting people whose computers are part of a botnet. Thus far they've resisted taking such action, despite being urged to do so by such minor entities as the US Government for going on three years.
One might cynically surmise that the lack of action is because there's no money to be made in disconnecting zombies. Actually, there's money to be lost; even if all you do is direct all of the customer's Web requests to a "you've been quarantined" page with information about antivirus software, you're still going to get irate support calls that'll rapidly eat up every penny the customer's paying you. If you cut 'em off altogether, they'll probably tell all of their friends that you're a terrible ISP, and may file complaints with their credit card company. It's a nightmare.
And botnet members don't generally actually use a whole lot of the ISP's precious bandwidth, either. J. Random Hacker with his squeaky-clean computer that's downloading TV all day is the user an ISP really wants to cut off.
And unless every ISP adopts a no-zombies policy, at least some disgruntled customers are not going to put their house in order - they'll just switch to an ISP that'll let their lurching zombie of a PC onto the Internet.
Here's a good article about the current sad state of affairs. Busting the people who set up the botnets seems to be the most promising course of action. That strategy hasn't exactly stamped out spam so far, though.