Referrer Spam Worm

Note: This entry has been restored from old archives.

Looks like a new worm has hit the ‘net, or a new feature for existing botnets – one possibly dealing in referrer spam. I have a very strange collection of recent HTTP referrers from a variety of client IPs, all with the user agent string “PycURL/7.15.5” (cURL for Python). In total there are 16 suspicious referrers coming from 30 different source IPs (a variety of dynamic ISP IPs, web proxies, etc.). The spammy referrers in question:

Some of them are URLs that I wouldn’t expect to be in spam (nt.gov.au?). So I wonder if there is some other nefarious motivation here. I wouldn’t try visiting any of those URLs, just in case, especially if you’re using IE. On inspection of some of them I don’t see anything unusual (the nt.gov.au one is plain HTML, some CSS, no JS or VBS). Also, the requests are to a variety of different pages on my site, so maybe this is just obfuscation for something that is actually a harvester or form-spammer spider. The possibilities are endless; however, it seems unlikely that it would be something benign.

Hits using PycURL started on Dec 3rd. On the 3rd a variety of URLs were hit; there were no referrer strings. This wave was of 39 hits over an 8-minute period and involved 10 different client IPs. Then on the 4th, about 12 hours after the last hit on the 3rd, another two waves came. The first wave was 2 minutes long and made 18 hits to different URLs from 12 different source IPs, using my own domain name as the referrer. The second wave on the 4th lasted only one minute, and made 10 hits from 5 IPs with the same properties as the previous run. Then finally, early this morning after a 3-day break, there have been 34 hits from 8 IPs, with the difference that seemingly random and strange referrer URLs have been used for 18 of the hits, delivering 16 unique referrer domains. This final blast was spread out over a 20-minute period.
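The wave breakdown above can be reproduced from an access log. The following is an added example, not code from the original post: it filters Apache combined-format lines by user agent, splits the hits into waves on quiet gaps, and separates self-referrers from foreign referrer hosts. The sample log, the `blog.example.org` host name, the one-hour gap and the function names are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" log format: ip, timestamp, request, status, size, referrer, UA.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log (documentation IPs, example hosts, made-up dates).
SAMPLE = """\
192.0.2.10 - - [03/Dec/2006:10:00:05 +0000] "GET /a HTTP/1.1" 200 512 "-" "PycURL/7.15.5"
198.51.100.7 - - [03/Dec/2006:10:04:40 +0000] "GET /b HTTP/1.1" 200 734 "-" "PycURL/7.15.5"
192.0.2.10 - - [03/Dec/2006:10:05:00 +0000] "GET /c HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.3 - - [04/Dec/2006:22:10:00 +0000] "GET /c HTTP/1.1" 200 610 "http://blog.example.org/" "PycURL/7.15.5"
192.0.2.10 - - [04/Dec/2006:22:11:30 +0000] "GET /d HTTP/1.1" 200 610 "http://blog.example.org/" "PycURL/7.15.5"
198.51.100.7 - - [07/Dec/2006:03:00:00 +0000] "GET /a HTTP/1.1" 200 512 "http://www.spam-one.example/" "PycURL/7.15.5"
203.0.113.3 - - [07/Dec/2006:03:12:00 +0000] "GET /e HTTP/1.1" 200 99 "http://www.spam-two.example:80/x" "PycURL/7.15.5"
""".splitlines()

def suspect_hits(lines, ua_prefix="PycURL/"):
    """Yield (time, ip, referrer host or None) for hits from the given user agent."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["ua"].startswith(ua_prefix):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], urlsplit(m["ref"]).hostname  # "-" has no hostname

def waves(hits, own_host, gap=timedelta(hours=1)):
    """Split hits into waves separated by more than `gap` of silence."""
    out = []
    for ts, ip, host in sorted(hits, key=lambda h: h[0]):
        if not out or ts - out[-1]["end"] > gap:
            out.append({"start": ts, "hits": 0, "ips": set(), "foreign": set(), "self_ref": 0})
        w = out[-1]
        w["end"] = ts
        w["hits"] += 1
        w["ips"].add(ip)
        if host == own_host:      # referrer is the site's own domain
            w["self_ref"] += 1
        elif host:                # referrer points at some other host
            w["foreign"].add(host)
    return out

if __name__ == "__main__":
    for w in waves(suspect_hits(SAMPLE), own_host="blog.example.org"):
        print(w["start"], w["hits"], "hits from", len(w["ips"]), "IPs;",
              "self-referrer hits:", w["self_ref"], "foreign:", sorted(w["foreign"]))
```
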

Some skript kiddie playing with his botnet? Evolution of a nefarious web spider in development?