Trojan Hijacks PCs to Porn site
Spammers based in Russia are using stealth and a sophisticated new Trojan horse program to turn home workstations into unwitting hosts in a pornography and spam distribution ring.
Someone sending out spam e-mail pointing to spoofed PayPal Web sites and Russian pornography sites appeared to be able to change the addresses of his sites every few minutes.
(…/…)
In its capacity as a proxy server, the Trojan forwards outgoing spam from its source to the intended recipient, replacing the source address with its own IP address and covering the spammer’s tracks.
As a reverse proxy server, the Trojan receives requests from spam recipients who, for example, click on a link to a pornographic Web site, and passes that along to the master Web server. That server responds with the requested Web page and sends its content along to the compromised computer, which then serves it to the requesting machine.
Users never know where the content they’re receiving is really coming from, and the Web site’s owners are shielded from pressure by their ISP to shut down the site.
Because such behind-the-scenes activity might eventually arouse the suspicions of victims, each compromised user machine acts as a Domain Name Service (DNS) host for the illicit Web domains for only 10 minutes. Then it is replaced by another compromised system known to the spammer.
To continually move Web properties around, the spammer installs DNS software on the compromised machines, turning them into their own DNS servers. Then, using features of DNS, the spammer sets a short expiration, or “time to live” setting, on what is referred to as the DNS “host name mappings,” which specify a relationship between a domain name, such as www.ebay.com, and a numeric Internet address.
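The rotation described above leaves a recognisable trace in DNS answer logs: short-lived mappings for one name that keep pointing at different hosts. The following is an added example, not part of the original article, that flags such names in passive-DNS observations; the sample records, names and thresholds are constructed assumptions, and the same check can be run on name-server addresses instead of A-record answers.

```python
from collections import defaultdict

# Constructed sample of passive-DNS observations: (unix_time, name, ip, ttl_seconds).
# Addresses come from documentation ranges; names are placeholders.
OBSERVATIONS = [
    (0,    "shop.example.net", "198.51.100.7",   600),
    (610,  "shop.example.net", "203.0.113.44",   600),
    (1220, "shop.example.net", "192.0.2.91",     600),
    (1830, "shop.example.net", "198.51.100.200", 600),
    (0,    "www.example.org",  "192.0.2.10",     86400),
    (1800, "www.example.org",  "192.0.2.10",     86400),
    (0,    "cdn.example.com",  "203.0.113.5",    300),   # short TTL, stable host
    (900,  "cdn.example.com",  "203.0.113.5",    300),
]

MAX_TTL = 900         # assumed threshold: mappings that expire within 15 minutes
MIN_DISTINCT_IPS = 3  # assumed threshold: distinct hosts seen inside the window
WINDOW = 3600         # seconds of history examined per name


def rotation_report(observations, window=WINDOW):
    """Summarise TTL and address churn per name over the latest window."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_name[name.lower().rstrip(".")].append((ts, ip, ttl))
    report = {}
    for name, rows in by_name.items():
        rows.sort()
        newest = rows[-1][0]
        recent = [r for r in rows if newest - r[0] <= window]
        # Count how often the answer changed between consecutive observations.
        changes = sum(1 for a, b in zip(recent, recent[1:]) if a[1] != b[1])
        report[name] = {
            "distinct_ips": len({ip for _, ip, _ in recent}),
            "max_ttl": max(ttl for _, _, ttl in recent),
            "changes": changes,
        }
    return report


def flag_rotating_names(observations):
    """Names whose mappings are both short-lived and served from many hosts."""
    return sorted(
        name for name, s in rotation_report(observations).items()
        if s["max_ttl"] <= MAX_TTL and s["distinct_ips"] >= MIN_DISTINCT_IPS
    )


if __name__ == "__main__":
    for name in flag_rotating_names(OBSERVATIONS):
        print("rotating:", name, rotation_report(OBSERVATIONS)[name])
```

A short TTL alone is not enough to flag a name, since legitimate load-balanced services use one too; the check requires the address churn as well.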