All of the IP addresses hosting the malware belong to infected home computers whose owners have no idea they are running a web server, one that is serving viruses.
This botnet is not just used to host the malware: the malware itself uses it when calling home. When Waledac is executed, it makes dozens of HTTP POST requests to IP addresses belonging to this botnet.
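Rotating the serving address across many infected home machines in this way is what defenders call fast flux, and it shows up in DNS resolution logs. As an added example (not code from the original post), the Python below summarises a hostname's resolution history over constructed observations and flags churn across unrelated networks; the thresholds and the /16 bucketing are assumptions, not values from the post.

```python
from datetime import datetime
from ipaddress import ip_network

# Constructed sample: (time, resolved IP) for one hostname polled every few
# seconds. Addresses are RFC 5737 documentation ranges, not the post's values.
OBSERVATIONS = [
    ("11:00:17", "192.0.2.10"), ("11:00:22", "198.51.100.7"),
    ("11:00:28", "203.0.113.44"), ("11:00:33", "192.0.2.77"),
    ("11:00:38", "198.51.100.200"), ("11:00:44", "203.0.113.9"),
    ("11:00:49", "192.0.2.10"), ("11:00:54", "198.51.100.31"),
]

# Constructed control: a normally hosted site that always resolves to one address.
STABLE = [("11:00:%02d" % s, "192.0.2.5") for s in range(0, 60, 5)]


def summarize(obs):
    """Return (distinct IPs, distinct /16 networks, mean seconds per address change)."""
    # Times are clock-of-day only; the sample does not cross midnight.
    times = [datetime.strptime(t, "%H:%M:%S") for t, _ in obs]
    ips = [ip for _, ip in obs]
    distinct = len(set(ips))
    # Crude network diversity: bucket each address into its /16 (assumption;
    # ASN lookups would be better but need external data).
    nets = len({ip_network(ip + "/16", strict=False) for ip in ips})
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    span = (times[-1] - times[0]).total_seconds()
    mean_change = span / changes if changes else float("inf")
    return distinct, nets, mean_change


def is_fast_flux(obs, min_ips=5, min_nets=3, max_change_secs=300):
    """Flag a hostname whose address set churns quickly across unrelated networks."""
    distinct, nets, mean_change = summarize(obs)
    return distinct >= min_ips and nets >= min_nets and mean_change <= max_change_secs
```

CDN-fronted sites also resolve to many addresses, so treat a hit as a lead to confirm with ASN data and record TTLs rather than as a verdict on its own.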
The Waledac gang has registered over 100 .com domains for their purposes. You can tell a bit about their operations if you arrange the domains into groups. Practically all of the domains they own are registered to one of three email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com.
Here they are, arranged by group:
News:
bestgoodnews.com
bestbreakingfree.com
breakinggoodnews.com
breakingnewsltd.com
breakingkingnews.com
breakingnewsfm.com
easyworldnews.com
goodnewsreview.com
goodnewsdigital.com
reportradio.com
linkworldnews.com
tntbreakingnews.com
usabreakingnews.com
wapcitynews.com
worldtracknews.com
worldnewseye.com
worldnewsdot.com
worldtracknews.com
spacemynews.com
yourbreakingnew.com
Blogs:
bestusablog.com
bestjournalguide.com
bestlifeblog.com
bestblogdirect.com
boarddiary.com
blogsitedirect.com
blogginhell.com
farboards.com
mobilephotoblog.com
photoblogsite.com
Fear & Terror:
againstfear.com
antiterroris.com
antiterroralliance.com
antiterrornetwork.com
fearalert.com
globalantiterror.com
terroralertstatus.com
terrorfear.com
terrorismfree.com
urbanfear.com
Coupons & Sales:
bestcouponfree.com
codecouponsite.com
gonesite.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
smartsalesgroup.com
thecoupondiscount.com
yourcountycoupon.com
Love & Sex:
adorelyric.com
adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
chatloveonline.com
cherishletter.com
cherishpoems.com
extendedman.com
funloveonline.com
funnyvalentinessite.com
greatsvalentine.com
orldlovelife.com
greatvalentinepoems.com
lovecentralonline.com
lovelifeportal.com
romanticsloving.com
thevalentinelovers.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worshiplove.com
youradore.com
yourgreatlove.com
yourlength.com
yourvalentineday.com
yourvalentinepoems.com
yourvalnetinepoems.com
And here are the latest additions:
SMS Spying:
chinamobilesms.com
downloadfreesms.com
freecolorsms.com
freeservesms.com
miosmsclub.com
smsclubnet.com
smspianeta.com
virtualesms.com
This leaves us with a handful of domains that we can't place in any of the groups above. They are:
batchoose.com
bayhousehotel.com
coralarm.com
longballonline.com
moneymedal.com
quickjust.com
soundroyal.com
yourbarrier.com
yourlol.com
yourwent.com
Maybe these domains give us a hint about their next move?
Does anybody have any ideas? If so, leave us a comment.