It looks like they are using their little team of zombie machines that are doing the port 80 redirect to also respond to DNS requests:
;; AUTHORITY SECTION:
vano-soft.biz. 120 IN NS ns3.uzc12.biz.
vano-soft.biz. 120 IN NS ns4.uzc12.biz.
vano-soft.biz. 120 IN NS ns5.uzc12.biz.
vano-soft.biz. 120 IN NS ns1.uzc12.biz.
vano-soft.biz. 120 IN NS ns2.uzc12.biz.

;; ADDITIONAL SECTION:
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110

103.206.91.24.in-addr.arpa domain name pointer h00402b45512d.ne.client2.attbi.com.
168.182.166.165.in-addr.arpa domain name pointer rhhe16-168.2wcm.comporium.net
110.75.6.207.in-addr.arpa domain name pointer d207-6-75-110.bchsia.telus.net

On Thu, 2003-10-09 at 11:53, Kee Hinckley wrote:
> At 10:51 AM -0500 10/9/03, Chris Boyd wrote:
> >A few minutes later, or from a different nameserver, I get
> >
> >Name: vano-soft.biz
> >Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97, 12.229.122.9
> > 12.252.185.129
> >
> >This is a real Hydra. If everyone on the list looked up
> >vano-soft.biz and removed the trojaned boxes, would we be able to
> >kill it?
>
> I think in this instance your best approach may be to go after the
> name servers. Anything else is going to be a game of whack-a-mole.
> Our spam filtering software actually uses the address of a domain's
> name server in its scoring system. Sometimes that's the only way
> we've been able to reliably detect a spammer.

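A detection check in the spirit of the observation above, added here as an example and not code from anyone in the thread: it parses dig-style A records for the nameservers, measures how many unrelated networks the NS glue spans, and flags when the same hosts appear both as the domain's web addresses and as its nameservers. The sample records are copied from the post; the threshold of five distinct /16s and the dictionary layout are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the ADDITIONAL SECTION glue records from the post.
DIG_ADDITIONAL = """\
ns3.uzc12.biz. 7200 IN A 24.91.206.103
ns3.uzc12.biz. 7200 IN A 12.206.49.107
ns4.uzc12.biz. 7200 IN A 12.227.146.168
ns5.uzc12.biz. 7200 IN A 66.21.211.204
ns5.uzc12.biz. 7200 IN A 165.166.182.168
ns1.uzc12.biz. 7200 IN A 24.243.218.127
ns1.uzc12.biz. 7200 IN A 12.239.143.71
ns1.uzc12.biz. 7200 IN A 66.90.158.89
ns1.uzc12.biz. 7200 IN A 12.229.122.9
ns2.uzc12.biz. 7200 IN A 24.107.74.166
ns2.uzc12.biz. 7200 IN A 207.6.75.110
"""
# The domain's own A records, as listed in the quoted reply.
DOMAIN_A = {"131.220.108.232", "165.166.182.168", "193.165.6.97",
            "12.229.122.9", "12.252.185.129"}

A_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_a_records(text):
    """Map owner name -> set of IPv4 addresses from 'owner TTL IN A ip' lines."""
    glue = defaultdict(set)
    for line in text.splitlines():
        m = A_RR.match(line.strip())
        if m:
            glue[m.group(1).rstrip(".")].add(m.group(3))
    return dict(glue)

def hydra_score(ns_glue, domain_ips, min_distinct_16s=5):
    """Heuristic: NS glue spread over many /16s, plus overlap between the
    nameserver hosts and the domain's web hosts, suggests compromised
    machines serving both roles (threshold is an assumed value)."""
    ns_ips = set().union(*ns_glue.values()) if ns_glue else set()
    nets16 = {".".join(ip.split(".")[:2]) for ip in ns_ips}
    overlap = sorted(ns_ips & domain_ips)
    return {
        "ns_count": len(ns_glue),
        "ns_ip_count": len(ns_ips),
        "distinct_16s": len(nets16),
        "ns_and_web_overlap": overlap,
        "suspicious": len(nets16) >= min_distinct_16s and bool(overlap),
    }
```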