
A short article from the m86security team about the takedown of the Lethic botnet.

Last week we posted an analysis of the Lethic spambot, a significant spammer. Over the weekend, spam from this botnet dried up. Thanks to the security folks over at Neustar, who took the initiative by working with the internet service providers that hosted the Lethic command and control servers. The last Lethic spam we observed in our spam traps arrived at around 9:00 PM (New Zealand time) on Sunday, January 9, 2010.

How long this situation will last is unknown. The Lethic bots in our lab are attempting to connect to a new host. Currently, the bots are attempting to connect to 210.17.247.76 and 210.22.14.72, servers hosted in Hong Kong and China respectively. The following domain names point to 210.17.247.76.

* b1ijh7hifd.com (Registrar: TODAYNIC.COM, INC.)
* elephantanimal.com (Registrar: TODAYNIC.COM, INC.)
* blogforyour.com (Registrar: TODAYNIC.COM, INC.)
* getdrivings.com (Registrar: TODAYNIC.COM, INC.)
* mo8f2eerrd.com (Registrar: TODAYNIC.COM, INC.)
* underseaprawn.com (Registrar: TODAYNIC.COM, INC.)
* alltoshow.com (Registrar: TODAYNIC.COM, INC.)
* gooddoctorlist.com (Registrar: TODAYNIC.COM, INC.)
* luckybusy.com (Registrar: TODAYNIC.COM, INC.)
* nhi8ho9lbnw.com (Registrar: TODAYNIC.COM, INC.)
* busnotstop.com (Registrar: TODAYNIC.COM, INC.)
* qwertyforyou.com (Registrar: TODAYNIC.COM, INC.)
* placestofind.com (Registrar: TODAYNIC.COM, INC.)
* promisebest.com (Registrar: TODAYNIC.COM, INC.)

The domain name tenverybest.com (Registrar: TODAYNIC.COM, INC.) points to 210.22.14.72.

The following domain names that Lethic attempts to connect to do not currently point anywhere:

* miniknfdw.com
* btceswqdw.com
* nuygtfcwq.com
* mojujfdhew.com
* drwhox.com
* dqglobex.com
* youcanthink.cn
* canunderstand.cn
* bydvwqcdw.com
* sometimesgood.com
* mustbethe.cn
* whatisupdown.cn

We have contacted the registrar TodayNIC.com to try to get those domains delisted.
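The addresses and domain names quoted above are exactly the kind of indicators a network defender would want to sweep their own DNS and firewall logs for. The following is an added example, not code from the original article, from M86 Security or from this blog: it takes the two fallback command-and-control IPs and the domain names listed in the post and scans simple log lines for them. The log format ("timestamp dns client name" / "timestamp conn client ip:port") and the sample lines are constructed for this example; the `192.0.2.0/24` and `198.51.100.0/24` addresses are documentation space, not real hosts. Lookups for the domains that do not currently resolve are matched as well, since a bot that is hunting for a live server will still query them.

```python
"""Sweep DNS-query and connection log lines for the Lethic indicators
listed in the post above. Added example; not the article's own code.
The log format and the sample log lines are constructed."""
import re
from collections import defaultdict

# Fallback C&C addresses named in the post.
LETHIC_IPS = frozenset({"210.17.247.76", "210.22.14.72"})

# Domains the post says point to those addresses.
LETHIC_DOMAINS_RESOLVING = frozenset({
    "b1ijh7hifd.com", "elephantanimal.com", "blogforyour.com", "getdrivings.com",
    "mo8f2eerrd.com", "underseaprawn.com", "alltoshow.com", "gooddoctorlist.com",
    "luckybusy.com", "nhi8ho9lbnw.com", "busnotstop.com", "qwertyforyou.com",
    "placestofind.com", "promisebest.com", "tenverybest.com",
})
# Domains the post says do not currently resolve. A query for one of these
# is still a strong sign of an infected host, so they are matched too.
LETHIC_DOMAINS_DANGLING = frozenset({
    "miniknfdw.com", "btceswqdw.com", "nuygtfcwq.com", "mojujfdhew.com",
    "drwhox.com", "dqglobex.com", "youcanthink.cn", "canunderstand.cn",
    "bydvwqcdw.com", "sometimesgood.com", "mustbethe.cn", "whatisupdown.cn",
})
LETHIC_DOMAINS = LETHIC_DOMAINS_RESOLVING | LETHIC_DOMAINS_DANGLING

# Constructed log format: "<ts> dns <client> <queried name>" or
# "<ts> conn <client> <dest ip>:<dest port>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|conn)\s+(?P<src>\S+)\s+(?P<target>\S+)$")


def normalise_name(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot some resolvers log."""
    return name.lower().rstrip(".")


def matching_domain(name: str):
    """Return the listed domain a queried name matches, or None.

    Matches the domain itself and any subdomain of it (ns1.elephantanimal.com),
    but not look-alikes that merely end in the same letters.
    """
    name = normalise_name(name)
    for dom in LETHIC_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def classify_line(line: str):
    """Parse one log line; return a hit dict, or None if clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, kind, src, target = m.group("ts", "kind", "src", "target")
    if kind == "conn":
        dest_ip = target.rsplit(":", 1)[0]
        if dest_ip in LETHIC_IPS:
            return {"ts": ts, "src": src, "kind": "c2_ip", "indicator": dest_ip}
        return None
    dom = matching_domain(target)
    if dom is None:
        return None
    label = "c2_domain" if dom in LETHIC_DOMAINS_RESOLVING else "c2_domain_dangling"
    return {"ts": ts, "src": src, "kind": label, "indicator": dom}


def scan_log(lines):
    """Return (hits, per-host summary) so each internal host can be triaged once."""
    hits = [h for h in (classify_line(ln) for ln in lines) if h]
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["src"]].add(h["indicator"])
    return hits, {src: sorted(inds) for src, inds in by_host.items()}


# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
2010-01-10T09:01:12Z dns 192.0.2.15 elephantanimal.com.
2010-01-10T09:01:13Z conn 192.0.2.15 210.17.247.76:443
2010-01-10T09:02:00Z dns 192.0.2.20 MINIKNFDW.COM
2010-01-10T09:02:30Z dns 192.0.2.30 notelephantanimal.com
2010-01-10T09:03:00Z conn 192.0.2.30 198.51.100.7:80
2010-01-10T09:04:00Z dns 192.0.2.40 www.tenverybest.com
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    hits, summary = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['kind']} {h['indicator']}")
    print("hosts to examine:", summary)
```

Two design points worth noting: the suffix match is anchored on a leading dot so that `notelephantanimal.com` is not flagged, and a host that only queried a dangling domain (`192.0.2.20` above) is reported with the same priority as one that completed a connection, because the lookup itself is the infection signal once the live servers are gone.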

Find the original article here.
