Sunday, March 29, 2009

RBN Domains Fleeing HostFresh

After receiving information that the RBN malware bastion, HostFresh (aut-num: AS23898, as-name: HOSTFRESH-AS-AP), was in the process of being depeered, I decided to track fleeing malware domains.

During the takedowns of Atrivo, McColo and UkrTelegroup, we observed domains being migrated to other IP ranges, as the owners sought to keep their criminal enterprises alive.

As of Sunday morning 29 March 2009, 61% of the 18 malware domains that I sampled had been migrated:

Host Fresh malware migrations

DNS Infrastructure:

58.65.236.129
ns1.dnszno.com - name server for wcontact.cn

58.65.236.130
ns2.dnszno.com - name server for wcontact.cn

58.65.237.153
ns1.arsofcaribion.com - name server for arsofcaribion.com

62.80.102.253
ns1.phreneticus.at - name server for iframe.cc

64.251.10.77
ns3.us.editdns.net - name server for strhq.cn

66.48.82.31
*.google-counter.com
ns2.google-counter.com - name server for google-counter.com

72.249.105.234
ns2.us.editdns.net - name server for strhq.cn

74.52.212.235
ns1.us.editdns.net - name server for strhq.cn

78.159.124.235
ns1.antimalwareguard-plus.com
ns1.antimalwareguardplus.com
ns1.antimalwaresuite2009.com
ns1.bestvirusremover2009.com
ns1.pc-virusremover2008.com
ns1.redirectfor-me.com
ns1.redirectforutoo.com
ns1.spywareremover2009plus.com
ns1.svcbox.com
ns1.virusremover2008-offer.com
ns4.systemprotectioncenter.com
78.159.124.235.internetserviceteam.com

80.86.89.131
ns2.systemprotectioncenter.com
ns3.beststatsreport.com
ns4.adtrafficsolution.com
ns4.antimalwareguard-plus.com
ns4.antimalwareguardplus.com
ns4.antimalwaresuite2009.com
ns4.antispywareexpertplus.com
ns4.bestvirusremover2009.com
ns4.mycleaner2009.com
ns4.pc-virusremover2008.com
ns4.redirectfor-me.com
ns4.redirectforme.com
ns4.redirectforutoo.com
ns4.spywareremover2009plus.com
ns4.virusremover2008-offer.com
xbbx.serv.lt

81.177.8.189
ns2.reg.ru - name server for pornozver.ru

83.170.82.53
ns2.phreneticus.at - name server for iframe.cc

85.10.208.252
85-10-208-252.clients.your-server.de
ns1.systemprotectioncenter.com
ns2.adtrafficsolution.com
ns2.antimalwareguard-plus.com
ns2.antimalwareguardplus.com
ns2.antimalwaresuite2009.com
ns2.antispywareexpertplus.com
ns2.beststatsreport.com
ns2.bestvirusremover2009.com
ns2.mycleaner2009.com
ns2.pc-virusremover2008.com
ns2.redirectfor-me.com
ns2.redirectforme.com
ns2.spywareremover2009plus.com
ns2.virusremover2008-offer.com

88.198.62.171
ns1.mihailfedorov.net - name server for mihailfedorov.net

88.198.103.122
mihailfedorov.net - Mihail B Fedorov (whois@mihailfedorov.ru)

88.208.0.179
b.ns.isvbr.net - name server for isvbr.net
rondo.urlhurt.net - name server for isvbr.net

88.208.0.182
b.ns.caricare.net - name server for e.caricare.net
steel.people-info.com - name server for e.caricare.net

88.208.1.195
c.ns.isvbr.net - name server for isvbr.net
cart.dnshelp.info - name server for isvbr.net

88.208.1.198
c.ns.caricare.net - name server for e.caricare.net
river.urlhurt.net - name server for e.caricare.net

89.149.244.29
89-149-244-29.internetserviceteam.com
ns1.antimalwareguardsolution.com
ns1.antispywareexpert-plus.com
ns1.antispywareexpertsolution.com
ns1.antispywareexpertsolutions.com
ns1.best-secureexpertcleaner.com
ns1.cashpanic.com
ns1.cleaner2009solution.com
ns1.hits-traff.com
ns1.pcprivacycleaner-plus.com
ns1.pcprivacycleanerplus.com
ns1.quickinstallpackpro.com
ns1.rdrmepls.com
ns1.redirectforutoo.com
ns1.registrydoctor2008scan.com
ns1.secureexpertcleaner-pro.com
ns1.secureexpertcleanerpro.com
ns1.thesecureexpertcleaner.com
ns1.thevirusremover2008.com
ns1.traffandgo.com
ns1.virusremover2008-flash.com
ns1.virusremover2008plus.com
ns1.virusremover2008pro.com
ns1.virusremoversolution.com
ns1.vmaff.com
ns1.xpboosterpro.com
ns1.yourpcprivacycleanerplus.com
ns1.yourpcprivacycleanerpro.com
ns4.virusremover2008pro.com
ns5.adclickdirect.com
ns5.adtrafficdriver.com
ns5.adtrafficstats.com
ns5.extrafreead.com
ns5.gbpltw.com
ns5.gomyron.com
ns5.hit-traff.com
ns5.onlinepromostats.com
ns5.rdrbroz.com
ns5.traff-true.com
ns5.traff2money.com
ns5.uniqs-traff.com
ns5.webstatsmaster.com

89.149.249.237
*.caricare.net
caricare.net

92.241.180.114
ns1.reg.ru - name server for pornozver.ru

93.190.139.229
antispywareexpertplus.com
best-secureexpertcleaner.com
bestvirusremover2009.com
flog.bestvirusremover2008.com
inetservicepack.com
iservicepack.com
mysecureexpertcleaner.com
ns4.registrydoctor2008pro.com
registrydoctor2008.com
registrydoctor2008pro.com
registrydoctor2008scan.com
registrydoctor2008solution.com
registrydoctorpro2008.com
secureexpertcleaner-pro.com
secureexpertcleanerpro.com
thesecureexpertcleaner.com
thevirusremover2008.com
virus-doctor-site.com
virusremover2008flash.com
winsecureexpertcleaner.com
www.best-secureexpertcleaner.com
www.bestsecureexpertcleaner.com
www.inetservicepack.com
www.iservicepack.com
www.mysecureexpertcleaner.com
www.pc-virusremover2008.com
www.pcvirusremover2008.com
www.powerfulvirusremover2008.com
www.registrydoctor2008.com
www.registrydoctor2008scan.com
www.registrydoctorpro2008.com
www.secureexpertcleaner-pro.com
www.secureexpertcleanerpro.com
www.thesecureexpertcleaner.com
www.thevirusremover2008.com
www.virus-doctor-site.com
www.virusremover2008-flash.com
www.virusremover2008flash.com
www.virusremover2008offer.com
www.virusremover2008plus.com
www.virusremover2008pro.com
www.winsecureexpertcleaner.com
www.yoursecureexpertcleaner.com
yoursecureexpertcleaner.com

116.0.103.115
ns2.google-counter.com - name server for google-counter.com

193.232.130.14
beta.mihailfedorov.net - name server for mihailfedorov.net

194.85.61.20
alpha1.mihailfedorov.net - name server for mihailfedorov.net

194.226.96.8
alpha2.mihailfedorov.net - name server for mihailfedorov.net

209.8.151.186
a.ns.caricare.net - name server for e.caricare.net
stomp.defunct.in - name server for e.caricare.net

209.8.151.190
lake.people-info.com - name server for isvbr.net

213.133.100.58
213-133-100-58.clients.your-server.de
linkscrescent.com
modernstance.com
ns2.virusremover2008offer.com
ns3.adtrafficsolution.com
ns3.antimalwareguardsolution.com
ns3.antimalwareguardsolutions.com
ns3.antimalwaresuite2009.com
ns3.antispywareexpertsolution.com
ns3.antispywareexpertsolutions.com
ns3.best-secureexpertcleaner.com
ns3.cashpanic.com
ns3.hits-traff.com
ns3.mycleaner2009.com
ns3.pc-virusremover2008.com
ns3.pcprivacycleaner-plus.com
ns3.pcprivacycleanerplus.com
ns3.quickinstallpackpro.com
ns3.rdrmepls.com
ns3.redirectforutoo.com
ns3.secureexpertcleaner-pro.com
ns3.secureexpertcleanerpro.com
ns3.thesecureexpertcleaner.com
ns3.thevirusremover2008.com
ns3.traffandgo.com
ns3.virusremover2008-flash.com
ns3.virusremover2008-offer.com
ns3.virusremover2008offer.com
ns3.virusremoversolution.com
ns3.vmaff.com
ns3.xpboosterpro.com
ns3.yourpcprivacycleanerplus.com
ns3.yourpcprivacycleanerpro.com
ns4.virusremoversolution.com
ns7.adclickdirect.com
ns7.adtrafficdriver.com
ns7.adtrafficstats.com
ns7.extrafreead.com
ns7.gbpltw.com
ns7.gomyhit.com
ns7.gomyron.com
ns7.hit-traff.com
ns7.onlinepromostats.com
ns7.rdrbroz.com
ns7.statisticsmanager.com
ns7.traff-true.com
ns7.traff2money.com
ns7.webstatsmaster.com
ronnieandlynda.com
squits.net
static.213-133-100-58.clients.your-server.de

213.174.153.153
a.ns.isvbr.net - name server for isvbr.net

AS23898

Thursday, March 26, 2009

RBN Registers Racist Domains Using Go Daddy

Russian Business Network malware distributors have registered numerous racist domain names using domain registrar Go Daddy. The domains, and subsequently created subdomain names, provide insight into the RBN's misanthropic perspective.

Over the past year, Go Daddy has been criticized by anti-fraud watchdog groups for refusing to take down web sites engaged in the sale of illegal steroids. (note: http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201188)

As of March 26th, the malicious sites were hosted at XS4ALL Networking (cistron) in Amsterdam at IP address 83.68.16.6 (which XS4ALL classifies as "ADSL IP numbers"). One of the domains present on the IP address (and registered through Go Daddy), ntkrnlpa.info, has been involved in several RBN criminal campaigns. Note Dancho Danchev's excellent blog post of March 25th, "Embassy of Portugal in India Serving Malware", at http://ddanchev.blogspot.com/2009/03/embassy-of-portugal-in-india-serving.html

Go Daddy should act in a socially responsible manner and reveal information regarding the registrant(s), take down the domains, and apologize for taking profits from providing registration services for racists and criminals.

83.68.16.6:
4thelulz.info
a.good.time.at.yomammashouse.info
a.shitonjesus.com
am.t3h.n00b-pwner.com
am.your-god.com
and.i.will.be.postingyour.info
and.shitonwomensrights.info
anxau.com
are.jews.on.tha-inter.net
are.no.girls.on.tha-inter.net
at.niggertrading.com
at.yomammashouse.info
be.postingyour.info
bitches.and.shitonwomensrights.info
blows.me.i.say.fuckyeahnigga.com
buy.your.nigger.at.niggertrading.com
call.me.the.n00b-pwner.com
cause.im.the.n00b-pwner.com
dont.worry.ill.soon.be.postingyour.info
exploiterzone.org
fuck.with.me.and.i.will.be.postingyour.info
fuck.your-god.com
fuckyeahnigga.com
get.pwnt.cause.im.the.n00b-pwner.com
getpwnt.info
girl.blows.me.i.say.fuckyeahnigga.com
girls.on.tha-inter.net
good.time.at.yomammashouse.info
hacked.your.site.4thelulz.info
had.a.good.time.at.yomammashouse.info
here.4thelulz.info
ho.rubato.ad.una.fiat.uno.td.le.borchie.biz
i.am.t3h.n00b-pwner.com
i.am.your-god.com
i.say.fuckyeahnigga.com
i.take.a.shitonjesus.com
i.will.be.postingyour.info
ill.soon.be.postingyour.info
im.just.here.4thelulz.info
im.the.n00b-pwner.com
in.the.n00b-pwner.com
its.time.to.call.in.the.n00b-pwner.com
jews.on.tha-inter.net
just.here.4thelulz.info
master.of.tha-inter.net
mazzolin.di.borchie.biz
me.and.i.will.be.postingyour.info
me.i.say.fuckyeahnigga.com
me.the.n00b-pwner.com
metal.borchie.biz
n00b-pwner.com
n00bs.get.pwnt.cause.im.the.n00b-pwner.com
nigger.at.niggertrading.com
niggersgonewild.info
niggertrading.com
no.girls.on.tha-inter.net
ntkrnlpa.info
of.tha-inter.net
oh.fuckyeahnigga.com
on.tha-inter.net
on.your-god.com
out.there.are.jews.on.tha-inter.net
postingyour.info
pwning.tha-inter.net
pwnt.cause.im.the.n00b-pwner.com
quel.mazzolin.di.borchie.biz
rubato.ad.una.fiat.uno.td.le.borchie.biz
satan.says.shitonjesus.com
say.fuckyeahnigga.com
says.shitonjesus.com
shit.on.your-god.com
shitonjesus.com
shitonwomensrights.info
site.4thelulz.info
slapping.bitches.and.shitonwomensrights.info
t3h.n00b-pwner.com
take.a.shitonjesus.com
tatuaggi.e.borchie.biz
tha-inter.net
the.n00b-pwner.com
there.are.jews.on.tha-inter.net
there.are.no.girls.on.tha-inter.net
they.call.me.the.n00b-pwner.com
ti.picchio.con.le.borchie.biz
time.at.yomammashouse.info
time.to.call.in.the.n00b-pwner.com
to.call.in.the.n00b-pwner.com
users.getpwnt.info
watch.out.there.are.jews.on.tha-inter.net
when.your.girl.blows.me.i.say.fuckyeahnigga.com
will.be.postingyour.info
windows.users.getpwnt.info
with.me.and.i.will.be.postingyour.info
worry.ill.soon.be.postingyour.info
yomammashouse.info
your-god.com
your.girl.blows.me.i.say.fuckyeahnigga.com
your.mom.4thelulz.info
your.nigger.at.niggertrading.com
your.site.4thelulz.info
yourseekerz.com

Sunday, March 22, 2009

RUSSIAN BUSINESS NETWORK DEPLOYS IN THE IP SPACE OF THE ISLAMIC REPUBLIC

A Russian organized crime group involved in pornography, drug smuggling, and the distribution of malware has initiated operations from the IP address space of the Islamic Republic of Iran. It is unknown if this activity was launched with state approval.

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors. The affiliate's contact email address is staff@ntcolo.com.ua.

The domain to IP address assignments are modified several times per week, as the RBN seeks to evade IP blocking by network administrators. As of Sunday 22 March 2009, the domain to IP address assignments were as follows:

194.165.4.0/23 = 194.165.4.1 through 194.165.5.255 AS48669 NTCOLO-AS NTCOLO

194.165.4.7
advancedprotectionscanner.com (fake antivirus application)
bestantimalwarescanner.com (fake antivirus application)
fullantispywareonlinescane.com (fake antivirus application)
newsworldinteger.cn
webgreenpeace.cn
worldwidesphere.cn

194.165.4.14
*.ykoohky.com
ns.ykoohky.com
ns.zdorcaf.com (name server for malware redirector)

194.165.4.15
ns1.ykoohky.com
ns1.zdorcaf.com (name server for malware redirector)

194.165.4.16
mail.quicksecurityskim.com (mail server for malware domain)
mail.webprotectionswipe.com (mail server for malware domain)
quicksecurityskim.com (fake antivirus application)

194.165.4.20
mail.onlinestabilityexamine.com (mail server for malware domain)
ns1.onlinestabilityexamine.com (name server for malware domain)
onlinestabilityexamine.com (Downloader.MisleadApp, WinFixer trojan)
www.onlinestabilityexamine.com (Downloader.MisleadApp, WinFixer trojan)

194.165.4.21
ns2.onlinestabilityexamine.com (name server for malware domain)

194.165.4.39
piratas-numericos.info (Ransom trojan, New Malware.j trojan, Generic.d)

194.165.4.41 (fake antivirus applications and WinFixer trojans)
*.bestscan4.com
*.bestscan6.com
*.easy4scan.com
*.fast4scan.com
*.fastscan4.com
*.just4scan.com
*.lead4scan.com
*.live6scan.com
*.livescan4.com
*.livescan6.com
*.new6scan.com
*.plus4scan.com
*.plus6scan.com
*.plusscan4.com
*.scan4easy.com
*.scan4ever.com (fake antivirus application)
*.scan4fast.com
*.scan4now.com
*.scan6best.com
*.scanbest4.com
*.scaneasy4.com
*.scanfast4.com
*.scanlive4.com
*.scannew4.com
*.scanplus4.com
bestscan4.com
bestscan6.com
easy4scan.com
fast4scan.com
fastscan4.com
gobestscan.com
just4scan.com
lead4scan.com
live6scan.com
livescan4.com
livescan6.com
newscan6.com
ns1.inspred.com (name server for malware domain)
ns1.new4scan.com (name server for malware domain)
ns1.scan4new.com (name server for malware domain)
ns1.scan4plus.com (name server for malware domain)
plus4scan.com
plus6scan.com
scan4easy.com
scan4ever.com
scan4fast.com
scan4now.com
scan6best.com
scan6live.com
scanbest4.com
scaneasy4.com
scanfast4.com
scanlive4.com
scannew4.com
scanplus4.com
www.bestscan4.com
www.bestscan6.com
www.easy4scan.com
www.fast4scan.com
www.fastscan4.com
www.just4scan.com
www.lead4scan.com
www.live6scan.com
www.livescan4.com
www.livescan6.com
www.new6scan.com
www.plus4scan.com
www.plus6scan.com
www.plusscan4.com
www.scan4easy.com
www.scan4ever.com
www.scan4fast.com
www.scan4now.com
www.scan6best.com
www.scanbest4.com
www.scaneasy4.com
www.scanfast4.com
www.scanlive4.com
www.scannew4.com
www.scanplus4.com

194.165.4.140 (fake antivirus applications and WinFixer trojans)
*.avpayments.com (fraudulent payment processor)
*.easy6scan.com
*.fast6scan.com (fake antivirus application)
*.ia-pro.com (WinFixer trojan)
*.internetantiviruspro.com (WinFixer trojan)
avpayments.com (fraudulent payment processor)
easy6scan.com
fast6scan.com
general-antivirus.com
generalantivirus.com
internetantiviruspro.com
mail.new4scan.com (mail server for malware domain)
mail.scan4new.com (mail server for malware domain)
mail.scan4plus.com (mail server for malware domain)
mail.scan5best.com (mail server for malware domain)
scan4plus.com
www.avpayments.com (fraudulent payment processor)
www.easy6scan.com
www.fast6scan.com (fake antivirus application)
www.ia-pro.com (WinFixer trojan)
www.internetantiviruspro.com (WinFixer trojan)
www.live4scan.com
www.new4scan.com

194.165.4.224
ns1.scan5best.com (JS.Downloader, Packed.Generic.200, fake antivirus application)
personal-antivirus.com (Downloader.MisleadApp, WinFixer trojan)

194.165.5.20
google-analitecs.com ("intermediary for the infection of 123 sites" - Google)
mail.google-analitecs.com (mail server for hacking domain)
ns1.google-analitecs.com (name server for hacking domain)
ns2.google-analitecs.com (name server for hacking domain)
ns2.inspred.com

194.165.5.54
ns2.new4scan.com (name server for phishing domain)
ns2.scan4best.com (name server for malware domain)
ns2.scan4new.com (name server for malware domain)
ns2.scan4plus.com (name server for malware domain)
ns2.scan5best.com (name server for malware domain)

RBN in Islamic Republic IP space
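The 29 March post above tracked which HostFresh domains had been moved to other IP ranges after the depeering, and this post describes the same evasion pattern with reassignments several times a week. The following Python is an added example, not code from the blog or from any tool its author used: it diffs two "domain ip" snapshots against a set of watched prefixes, separates true migrations from domains that only partly moved or stopped resolving, and tallies the /24 blocks the migrated domains landed in. The snapshots, the `.example` hostnames and the 203.0.113.0/24 stand-in prefix for AS23898 are constructed placeholders (the post does not give HostFresh's address range); 194.165.4.0/23 is the NTCOLO range stated in this post.

```python
"""Diff two DNS snapshots to see which malware domains have fled a watched
network and where they landed. Added example; not code from the blog."""
import ipaddress
from collections import Counter

# Prefixes to watch. The post names AS23898 (HostFresh) but not its address
# range, so an RFC 5737 documentation prefix stands in for it (assumption);
# the second entry is the NTCOLO range named in the 22 March post.
WATCHED_PREFIXES = ["203.0.113.0/24", "194.165.4.0/23"]

# Constructed sample data: 18 placeholder domains, all on the watched
# prefix in the first snapshot. Format is "domain ip"; '#' starts a comment.
SNAPSHOT_BEFORE = "\n".join(
    f"mal{i:02}.example 203.0.113.{9 + i}" for i in range(1, 19))

SNAPSHOT_AFTER = """\
# constructed: the same domains a few days later
mal01.example 198.51.100.5
mal02.example 198.51.100.5
mal03.example 198.51.100.6
mal04.example 192.0.2.40
mal05.example 192.0.2.40
mal06.example 192.0.2.41
mal07.example 198.51.100.7
mal08.example 198.51.100.7
mal09.example 192.0.2.42
mal10.example 198.51.100.8
mal11.example 198.51.100.8
mal12.example 203.0.113.21
mal13.example 203.0.113.22
mal14.example 203.0.113.23
mal15.example 203.0.113.24
mal15.example 198.51.100.9   # second A record: only partly moved
mal16.example 203.0.113.25
mal17.example 203.0.113.26
# mal18.example no longer resolves at all
"""


def parse_snapshot(text):
    """Parse 'domain ip' lines into {domain: set(IPv4Address)}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, ip = line.split()
        records.setdefault(domain.lower().rstrip("."), set()).add(
            ipaddress.ip_address(ip))
    return records


def in_watched(ip, networks):
    return any(ip in net for net in networks)


def classify(before, after, prefixes):
    """Bucket every domain from the earlier snapshot by what happened to it."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    buckets = {"migrated": [], "partial": [], "still_hosted": [], "dropped": []}
    for domain in sorted(before):
        ips = after.get(domain)
        if not ips:                       # NXDOMAIN / gone: not a migration
            buckets["dropped"].append(domain)
            continue
        inside = {ip for ip in ips if in_watched(ip, nets)}
        if not inside:
            buckets["migrated"].append(domain)
        elif inside == ips:
            buckets["still_hosted"].append(domain)
        else:                             # mixed old and new A records
            buckets["partial"].append(domain)
    return buckets


def migrated_percent(before, after, prefixes):
    """Share of sampled domains now resolving entirely outside the prefixes."""
    moved = classify(before, after, prefixes)["migrated"]
    return round(100 * len(moved) / len(before))


def landing_blocks(before, after, prefixes, block_len=24):
    """Count, per /24, the A records the migrated domains now point at; the
    busiest blocks are the candidate new hosting ranges to look into."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    counts = Counter()
    for domain in classify(before, after, prefixes)["migrated"]:
        for ip in after[domain]:
            if not in_watched(ip, nets):
                block = ipaddress.ip_network(f"{ip}/{block_len}", strict=False)
                counts[str(block)] += 1
    return counts


def run_sample():
    """Run the whole analysis on the constructed snapshots."""
    before = parse_snapshot(SNAPSHOT_BEFORE)
    after = parse_snapshot(SNAPSHOT_AFTER)
    return (classify(before, after, WATCHED_PREFIXES),
            migrated_percent(before, after, WATCHED_PREFIXES),
            landing_blocks(before, after, WATCHED_PREFIXES))


if __name__ == "__main__":
    buckets, percent, blocks = run_sample()
    for name, domains in buckets.items():
        print(f"{name:13s} {len(domains):2d}  {', '.join(domains)}")
    print(f"migrated: {percent}%")
    print("landing blocks:", dict(blocks))
```

In practice the two snapshots come from resolving the same domain list through a resolver you control, a few days apart. The constructed data is sized so that 11 of 18 domains migrate, which reproduces the 61% figure from the 29 March post; the partly-moved and no-longer-resolving cases are kept out of that count so the percentage is not inflated by domains that were simply abandoned.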

Thursday, March 12, 2009

United States Agency for International Development hacked by Georgia attacker

Russian intelligence enlists RBN to boost Lavrov

With the arrival of Russian Foreign Minister Sergei Lavrov in Azerbaijan, the corresponding U.S.A.I.D. site was hacked by the Russian Business Network. Those who visited the site have had the information on their computers taken:
"The Azerbaijan section at the United States Agency for International Development (azerbaijan.usaid.gov) has been compromised and is embedded with malware and exploits serving scripts approximately around the 1st of March." - Dancho Danchev (http://blogs.zdnet.com/security/?p=2817)

The domain which is collecting data from the computers infected when they visited the U.S.A.I.D. Azerbaijani web site, fileuploader.cn, was registered by Sergey Astakhov.

fileuploader.cn whois data

Those familiar with this blog will note that Mr. Astakhov led the cyber "first strike" against Georgia preceding the war between Georgia and Russia (http://securehomenetwork.blogspot.com/2008/09/rbn-operatives-part-ii.html).

The domain, fileuploader.cn, has been used for criminal purposes in the past. "It gets even more interesting when the phone back location of the malware fileuploader.cn/check/check.php is revealed. The domain in question was exclusively used by Russian Business Network/customers of the RBN in January, 2008 part of the cybercrime powerhouse's attempt to throw sand in the eyes of the community by issuing fake account suspended notices whereas the malware campaigns remained active." (http://blogs.zdnet.com/security/?p=2817)

As Danchev observes, "Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies?" (http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html)

It should be noted that Mr. Astakhov is a commercial purveyor of potentially illegal sexual material (deinglaube.com) as well as malware. Such is the less than exemplary state of Russia's intelligence services. It is unfortunate that Russia's Foreign Ministry draws upon criminal assets.

James