M86 Security Labs
RSS feed of TRACElabs Blog from M86 Security

Lethic botnet - The Takedown

January 10, 2010

Last week we posted an analysis of the Lethic spambot, a significant spammer. Over the weekend, spam from this botnet dried up, thanks to the security folks over at Neustar, who took the initiative and worked with the internet service providers that hosted the Lethic command and control servers. The last Lethic spam we observed in our spam traps arrived at around 9:00 PM (New Zealand time) on Sunday, January 9, 2010.


How long this situation will last is unknown. The Lethic bots in our lab are now attempting to connect to new hosts: 210.17.247.76 and 210.22.14.72, servers hosted in Hong Kong and China respectively. The following domain names point to 210.17.247.76.

  • b1ijh7hifd.com
  • elephantanimal.com
  • blogforyour.com
  • getdrivings.com
  • mo8f2eerrd.com
  • underseaprawn.com
  • alltoshow.com
  • gooddoctorlist.com
  • luckybusy.com
  • nhi8ho9lbnw.com
  • busnotstop.com
  • qwertyforyou.com
  • placestofind.com
  • promisebest.com
  • percentageofyou.com
  • searchtermfor.com

All sixteen are registered through TODAYNIC.COM, INC.

The domain name tenverybest.com (Registrar: TODAYNIC.COM, INC.) points to 210.22.14.72.

The following domain names that Lethic attempts to connect to do not currently resolve to any address:

  • arenowglad.cn
  • btceswqdw.com
  • bydvwqcdw.com
  • canunderstand.cn
  • copytothere.cn
  • dqglobex.com
  • drwhox.com
  • goodhearme.cn
  • happymanwoman.cn
  • iamnothere.cn
  • itsyourservice.cn
  • miniknfdw.com
  • mojujfdhew.com
  • mustbethe.cn
  • nogoodhim.cn
  • nuygtfcwq.com
  • placestofind.cn
  • someonewasyou.cn
  • somethingwrong.cn
  • sometimesgood.com
  • verywellhere.cn
  • wasyoujoy.cn
  • watchonline.cn
  • whatisupdown.cn
  • youcanthink.cn
  • younotgood.cn

We have contacted the registrar TodayNIC.com to try and get those domains delisted.
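Defenders who want to check their own networks for hosts that are still trying to reach the Lethic controllers can match the indicators above against resolver and firewall logs. The script below is an added example written for this post and is not M86 or TRACElabs code; the log formats (BIND-style query log lines and iptables-style connection records), the client addresses and the lookups in it are constructed for illustration. It treats a lookup of any listed domain as a signal even when the domain does not currently resolve, since the bots keep trying those names regardless.

```python
"""Triage DNS query and connection logs for the Lethic C2 indicators in the post.

Added example, not M86/TRACElabs code. The log lines, client addresses and
log formats below are constructed for illustration.
"""
import re

# Controller addresses named in the post.
LETHIC_C2_IPS = {"210.17.247.76", "210.22.14.72"}

# Rendezvous domains named in the post, grouped as the post groups them.
LETHIC_C2_DOMAINS = {
    # resolve to 210.17.247.76
    "b1ijh7hifd.com", "elephantanimal.com", "blogforyour.com", "getdrivings.com",
    "mo8f2eerrd.com", "underseaprawn.com", "alltoshow.com", "gooddoctorlist.com",
    "luckybusy.com", "nhi8ho9lbnw.com", "busnotstop.com", "qwertyforyou.com",
    "placestofind.com", "promisebest.com", "percentageofyou.com", "searchtermfor.com",
    # resolves to 210.22.14.72
    "tenverybest.com",
    # not resolving at the time of the post; a lookup is still a signal
    "arenowglad.cn", "btceswqdw.com", "bydvwqcdw.com", "canunderstand.cn",
    "copytothere.cn", "dqglobex.com", "drwhox.com", "goodhearme.cn",
    "happymanwoman.cn", "iamnothere.cn", "itsyourservice.cn", "miniknfdw.com",
    "mojujfdhew.com", "mustbethe.cn", "nogoodhim.cn", "nuygtfcwq.com",
    "placestofind.cn", "someonewasyou.cn", "somethingwrong.cn", "sometimesgood.com",
    "verywellhere.cn", "wasyoujoy.cn", "watchonline.cn", "whatisupdown.cn",
    "youcanthink.cn", "younotgood.cn",
}

# Constructed BIND-style query log (assumed format, not from the post).
SAMPLE_DNS_LOG = """\
10-Jan-2010 21:03:11.512 client 192.168.1.23#51234: query: elephantanimal.com IN A + (192.168.1.1)
10-Jan-2010 21:03:11.601 client 192.168.1.23#51235: query: WWW.TENVERYBEST.COM. IN A + (192.168.1.1)
10-Jan-2010 21:03:12.004 client 192.168.1.40#40122: query: www.example.com IN A + (192.168.1.1)
10-Jan-2010 21:03:12.338 client 192.168.1.57#33001: query: iamnothere.cn IN A + (192.168.1.1)
10-Jan-2010 21:03:13.120 client 192.168.1.40#40123: query: notplacestofind.com IN A + (192.168.1.1)
"""

# Constructed iptables-style connection log (assumed format, not from the post).
SAMPLE_FLOW_LOG = """\
2010-01-10T21:03:12Z IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=210.17.247.76 PROTO=TCP
2010-01-10T21:03:15Z IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.10 PROTO=TCP
2010-01-10T21:03:20Z IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=210.22.14.72 PROTO=TCP
"""

DNS_QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
FLOW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def normalize_name(name: str) -> str:
    """Lower-case a query name and strip the trailing dot a resolver log may append."""
    return name.strip().rstrip(".").lower()


def is_lethic_domain(name: str) -> bool:
    """True if name is a listed C2 domain or any subdomain of one (www., mail., ...).

    Matching is done on whole labels so that a lookalike such as
    notplacestofind.com is not flagged by a plain substring test.
    """
    labels = normalize_name(name).split(".")
    return any(".".join(labels[i:]) in LETHIC_C2_DOMAINS for i in range(len(labels)))


def scan_dns_log(lines):
    """Return (client_ip, queried_name) for every lookup of a listed C2 domain."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m and is_lethic_domain(m["qname"]):
            hits.append((m["client"], normalize_name(m["qname"])))
    return hits


def scan_flow_log(lines):
    """Return (src_ip, dst_ip) for every connection record aimed at a C2 address."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m["dst"] in LETHIC_C2_IPS:
            hits.append((m["src"], m["dst"]))
    return hits


def infected_hosts(dns_lines, flow_lines):
    """Sorted union of internal hosts that queried a C2 name or contacted a C2 IP."""
    hosts = {client for client, _ in scan_dns_log(dns_lines)}
    hosts |= {src for src, _ in scan_flow_log(flow_lines)}
    return sorted(hosts)


if __name__ == "__main__":
    for host in infected_hosts(SAMPLE_DNS_LOG.splitlines(), SAMPLE_FLOW_LOG.splitlines()):
        print("possible Lethic infection:", host)
```

To run this against real data, feed the script the lines of your resolver and firewall logs in place of the constructed samples and adjust the two regular expressions to the formats your devices actually emit. Label-wise matching is deliberate: it still catches `www.tenverybest.com` while refusing to flag an unrelated name that merely contains a listed domain as a substring.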

Updated: Additional Lethic domain names and daily spam volume graph.


© M86 Security

Last Reviewed: January 11, 2010 by Rodel Mendrez