More tales from the online Wild West

Everything old is new again. It's been years since I got any spam trying to sell me legal herbal smoking mixtures, but here they come again. But, this time, there's a lot more to the scam than meets the eye.

"Legal weed" concoctions seldom have any more actual effect than does snorting a fat line of baking powder. They invariably, however, have names that make them sound as if just opening the bag and taking a sniff would blow Bob Marley's head clean off.

This time, the spam's trying to sell "Big Buddha Bud".

Or, as I discovered when I searched for that string, perhaps it isn't!

It would appear that the Big Buddha Bud spams were, a week or three ago, promoting thebudshop.hk. That server had a protean IP address, shifting from one address that resolved to a home broadband provider to another, minute by minute if not second by second.

That pattern, a name whose address hops between consumer broadband connections faster than any legitimately hosted site would ever move, could only mean that the site was being served by a botnet.

And that, in turn, probably meant that the site's only purpose was to harvest credit card numbers.

If, after all, you've got an online shopping site that can only be traced to countless virus-infected home PCs, why on earth should you bother actually sending anybody anything they've bought from you?

Thebudshop.hk is gone now, but thebudshop.net is alive and well. And its shifting IP address remains.

When I looked at it a few minutes ago it was at 75.208.93.134, an address in Verizon Wireless's allocation. Then it changed to 76.188.169.229, which is a Road Runner address. Then it was 63.131.13.17; that belongs to ChoiceOne, a bank! And less than a minute later, it resolved to 76.15.25.162, an Earthlink address. And then 76.247.75.67, which is AT&T. I doubt any US ISP will be left out, if I keep on checking.

(If you manually point a Web browser at any of the botnet IP addresses, by the way, you get an interesting little page that says "Coming Soon! Please check us back later... Ddos Protection by the leet boys ;)". This is an interesting thread to tug on, if you're after more information on this particular botnet.)

I had no idea it existed until this moment, but it turns out that this "botnet hosting" is a known phenomenon. It's a brilliant idea, too! Why use your army of zombified home PCs only to send spam, when you can also use it to host the super-dodgy sites you're promoting?

Botnet hosting seems to have taken great strides, as well. Sites like this are supposed to be flaky, but thebudshop.net looks rock solid (not to mention professionally designed!) to me. This botnet seems to be delivering the kind of super-distributed redundancy that major Internet companies dream about.

8 Responses to “More tales from the online Wild West”

  1. will.dutt Says:

    interesting, this is so going to stop the DMCA take down notices from working ;)

  2. Dan Gordon Says:

    How is it that they can get their domain resolving to all those different IPs at such a fast rate? Doesn't it normally take a day or so for a change of IP to propagate through all the DNS servers?

  3. Daniel Rutter Says:

    When you ask DNS for whatever.com, your request is routed to the nameserver(s) specified in that domain's registration information. For a botnet-hosted site, the nameservers simply keep track of the infected machines at their disposal, and serve up those machines' IP addresses, one at a time.

    At the moment, the nameservers for thebudshop.net are ns1.b4cf5f189.com and ns2.b4cf5f189.com, which are as I write this at 68.16.9.22 (another AT&T address - a bellsouth.net allocation block) and 76.199.114.84 (an SBC Global address), respectively. This means the nameservers are almost certainly also infected PCs.

    The nameservers have to remain relatively static. As you say, it takes time for DNS changes to propagate, and that's what would have to be done for whatever.b4cf5f189.com to be moved to another machine. But as long as the nameservers are up, the botnet can keep hosting sites.

    I presume the machines chosen to be nameservers are the more reliable members of the botnet - not your average home PC that's only on for a few hours a day. They may still only need to be on a pissy home DSL connection, though; I don't think nameserver traffic for the average spamvertised site is likely to be very high.
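The two things described so far, the post's observation of one name hopping across unrelated home-broadband addresses, and the comment above explaining that the domain's own nameservers simply hand out the address of whichever infected PC is next in line, can be put together in a small working model. The following is an added example, not code from the original post: a toy "flux" nameserver that round-robins over bots which are still checking in, a driver that queries it the way the post did (repeated lookups a short time apart), and a detector that turns the lookups into the signals a practitioner actually watches for. The bot addresses are taken from the RFC 5737 documentation ranges and the ISP labels are invented; both stand in for the real addresses and whois lookups in the post.

```python
"""Toy model of the botnet-hosting ('fast flux') scheme above, plus a detector.

Added example, not code from the original post. The addresses are from the
RFC 5737 documentation ranges and the ISP labels are constructed; they stand
in for the real addresses and the whois lookups described in the post.
"""

# Constructed pool of infected home PCs and the (assumed) ISP each sits on.
# In real use this mapping would come from a whois/ASN lookup, not a dict.
BOT_NETWORKS = {
    "192.0.2.10": "isp-a",
    "192.0.2.77": "isp-a",
    "198.51.100.5": "isp-b",
    "198.51.100.200": "isp-c",
    "203.0.113.7": "isp-d",
    "203.0.113.44": "isp-e",
}


class FluxNameserver:
    """Authoritative nameserver for a spamvertised domain.

    It tracks which bots have checked in recently and answers each query with
    the next live one, using a TTL short enough that resolvers discard the
    answer almost at once and come back for a fresh one.
    """

    def __init__(self, ttl=60, max_silence=120.0):
        self.ttl = ttl                  # seconds a resolver may cache an answer
        self.max_silence = max_silence  # drop a bot that is quiet this long
        self.last_seen = {}             # ip -> time of last check-in
        self.rotation = []              # live bots in serving order

    def checkin(self, ip, now):
        """A bot phones home; bots not already in rotation join the back."""
        if ip not in self.rotation:
            self.rotation.append(ip)
        self.last_seen[ip] = now

    def answer(self, now):
        """Return (ip, ttl) for one A-record query, round-robin over live bots."""
        # A PC that was switched off stops checking in and is dropped; this is
        # why the rotation survives individual bots dying.
        self.rotation = [ip for ip in self.rotation
                         if now - self.last_seen[ip] <= self.max_silence]
        if not self.rotation:
            raise LookupError("no live bots: the domain goes dark")
        ip = self.rotation.pop(0)
        self.rotation.append(ip)
        return ip, self.ttl


def simulate_lookups(n=10, interval=30.0, dies_at=90.0, dying_bot="203.0.113.7"):
    """Query the nameserver the way an observer would: once every `interval` s.

    Every bot checks in each interval except `dying_bot`, whose owner switches
    the PC off at `dies_at`. Returns a list of (time, ip, ttl) observations.
    """
    ns = FluxNameserver(ttl=60, max_silence=120.0)
    observed = []
    for i in range(n):
        now = i * interval
        for ip in BOT_NETWORKS:
            if ip == dying_bot and now >= dies_at:
                continue
            ns.checkin(ip, now)
        ip, ttl = ns.answer(now)
        observed.append((now, ip, ttl))
    return observed


def flux_indicators(observations, network_of):
    """Reduce repeated lookups of one name to the signals that matter.

    `network_of` maps an IP to its network or ISP (a constructed dict here;
    an ASN or whois lookup in practice).
    """
    ips = [ip for _, ip, _ in observations]
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "lookups": len(ips),
        "distinct_ips": len(set(ips)),
        "distinct_networks": len({network_of.get(ip, "unknown") for ip in ips}),
        "min_ttl": min(ttl for _, _, ttl in observations),
        "change_rate": changes / max(len(ips) - 1, 1),
    }


def looks_fast_flux(ind, min_ips=5, min_networks=3, max_ttl=300):
    """Many addresses, spread over unrelated networks, with a short TTL.

    Network diversity is what separates this from a CDN or a large site's
    round-robin pool, which also rotate quickly but stay inside one or two
    operators' address space.
    """
    return (ind["distinct_ips"] >= min_ips
            and ind["distinct_networks"] >= min_networks
            and ind["min_ttl"] <= max_ttl)


if __name__ == "__main__":
    obs = simulate_lookups()
    for t, ip, ttl in obs:
        print(f"t={t:5.0f}s  {ip:<15} ttl={ttl}  ({BOT_NETWORKS[ip]})")
    ind = flux_indicators(obs, BOT_NETWORKS)
    print(ind, "-> fast flux" if looks_fast_flux(ind) else "-> probably not flux")
```

Running it prints ten lookups cycling through the six bots, with the switched-off PC served once and then silently dropped from the rotation, and the indicators come out as six distinct addresses across five networks with a sixty-second TTL, which the heuristic flags. The same indicators computed over a CDN-style pool (many addresses, one operator) or a stable site (one address, long TTL) are not flagged, which is the check worth keeping in mind before calling any fast-changing name a botnet. The comment above also notes that the nameservers themselves sit on home-broadband addresses and move; that variant, where the NS records flux as well as the A records, is not modelled here.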

  4. Daniel Rutter Says:

    (I also feel obliged to direct my readers' attention to the perfectly fascinating Google ads which this post is attracting.)

  5. Geraint Says:

    I'm not sure this really makes the site any less subject to being shut down (either legitimately or via DDOS, depending on whether it's being shut down by the good guys or by rivals); it would just be shut down at the nameservers instead of the webserver, but the net effect would be the same.

  6. Daniel Rutter Says:

    True, but in practice it doesn't seem to be easy. I imagine the nameservers churn about as fast as possible - ns1.b4cf5f189.com is still where it was when I posted the above comment, but ns2.b4cf5f189.com has already moved to 24.147.77.136 (a Comcast address).

    Since a domain can have as many as four nameservers, stamping on all of them at once would probably be close to impossible. By the time the home broadband provider responsible for one of them disconnects the customer (which many ISPs have little interest in doing over mere botnet complaints), that box probably won't even be a nameserver any more.

    You could direct your complaint to the domain registrar instead, but for b4cf5f189.com that's DNS.com.cn, who I have a sneaking suspicion don't even bother to read abuse mail.

  7. tjscott Says:

    It would appear that the aforementioned search query now returns this very entry as the top hit!

  8. » Damn my impoverishing ethics! Damn them to hell! How to Spot a Psychopath Says:

    [...] me a thousand dollars a day, then since he's not actually selling fake antivirus software or botnet infectors or something (as far as we know...), I'd run the ad, take the money, kick half of it back [...]
