Regular readers might remember Halloween's Warezov post.
At that time we had located 2039 domains associated with Warezov (alias Stration) and of those 2039 domains a whopping 810 were then active.
Yesterday, we decided to iterate through the list again. Any clue as to what we found?
Yep, out of the 2039 domains there are 826 domains alive and kicking. About 600 of them were alive during October's test.
We also decided to poke the servers a bit. As you may or may not know, Warezov uses servers (infected computers) for three main purposes:
To distribute new versions of their malware To distribute spam templates for their spam agents To host various "pharmacy" sites
Without digging any further into how we identified the servers — during our observation the Warezov gang had a whopping 506 domains that were hosting pharmacy sites � la fast-flux. 320 sites were used to distribute either malware or spam templates. Those were also fast-flux.
It's long been clear that the Warezov gang rotate their domains to take some of the heat off and that the only way to really make a dent in their operations would be to take down all of the 2039 domains simultaneously.
The fact that most of the domains are under two different registrars would make it easy… but the fact that both registrars are in China and seem to be somewhat reluctant to act makes it a tad more difficult goal to achieve.
