Thursday, September 24, 2009

Protected By Emerging Again

In "'Money Mule' Recruitment Network Exposed" (http://voices.washingtonpost.com/securityfix/2009/09/money_mule_recruitment_101.html?wprss=securityfix),
Brian Krebs discusses the fraudulent money mule recruiters, the Scope Group Inc.

scope-group.cn and its associated web sites operate on the following IP addresses:
222.35.137.234
222.35.137.235
222.35.137.236
222.35.137.237

Those who have implemented the emerging-rbn.rules have protected the users of their networks from these ruthless criminals, who stole more than $117,000.00 from the small Sanford School District last month.

James McQuaid

Wednesday, September 23, 2009

Protected By Emerging

Those who have implemented the emerging-rbn.rules have protected their networks from the September 11th and 12th attacks on visitors to The New York Times web site.

The attacks utilized the following IP addresses:


Dancho Danchev's and Gary Warner's blogs provide good explanations of these attacks:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html

http://garwarner.blogspot.com/2009/09/in-brief-new-york-times-fake-anti-virus.html

Visit Emerging Threats at emergingthreats.net

James McQuaid

Friday, September 11, 2009

RBN Attacking White House Anti-Drug Web Sites

In another example of the RBN revealing the true measure of their malice, White House Anti-Drug Sites have been attacked over the past week.

Malware Domain List reported on September 5th that whitehousedrugpolicy.gov, the website of the Office of National Drug Control Policy, had been compromised. In that instance, the site was directing visitors to a trojan:

Malware Domain List entry, 2009/09/05:
URL:          adgallery.whitehousedrugpolicy.gov/members/Miley-Cyrus-Nude/default.aspx
IP:           198.77.71.192
Domain:       adgallery.whitehousedrugpolicy.gov
Description:  directs to trojan
Contact:      abuse@noc.privatedns.com

whitehousedrugpolicy.gov features White House Drug Policy initiatives, programs, and resources, as well as testimony and press releases. The site outlines National Drug Control Strategy goals and objectives.

Today, I found that drugs4sale.loderunner.in, a data receptor for the notorious Clampi banking Trojan (Trojan.Clampi), had an A record pointing to 130.94.30.137. This is the same IP address reserved for use by theantidrug.com, the "Parents: The Anti-Drug" site created by Fleishman-Hillard (a leader in international marketing and communications).

AS2914 NTTC-GIN-AS NTT Communications Global IP Network

DNS Records (name, record type, IP, country):
drugs4sale.loderunner.in    A    130.94.30.137    United States
mail.theantidrug.com        A    130.94.30.137    United States
the-anti-drug.com           A    130.94.30.137    United States
theantidrug.com             A    130.94.30.137    United States
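The table above is a shared-IP pivot: one known Clampi hostname resolves to the same address as several legitimate sites, which is a lead to review rather than grounds for blocking the address outright. The following added example (not code from this post or from Emerging Threats) automates that pivot over a small set of constructed records modelled on the table; the two extra hosts in RFC 5737 documentation ranges are invented for contrast.

```python
import ipaddress
from collections import defaultdict

# Constructed records modelled on the DNS table in the post: (hostname, type, IP).
# The last two entries are invented (RFC 5737 documentation ranges) for contrast.
RECORDS = [
    ("drugs4sale.loderunner.in", "A", "130.94.30.137"),
    ("mail.theantidrug.com", "A", "130.94.30.137"),
    ("the-anti-drug.com", "A", "130.94.30.137"),
    ("theantidrug.com", "A", "130.94.30.137"),
    ("dropzone.invalid", "A", "198.51.100.7"),   # constructed: bad host alone on its IP
    ("shop.example", "A", "203.0.113.10"),        # constructed: unrelated benign host
]
# Hostnames already known to be malicious (the post names the first one;
# the second is constructed).
KNOWN_BAD = {"drugs4sale.loderunner.in", "dropzone.invalid"}


def index_by_ip(records):
    """Group A-record hostnames by the address they resolve to."""
    by_ip = defaultdict(set)
    for name, rtype, ip in records:
        if rtype.upper() == "A":
            by_ip[str(ipaddress.ip_address(ip))].add(name.lower().rstrip("."))
    return by_ip


def assess(records, known_bad):
    """For every IP hosting a known-bad name, list the other names sharing it and
    choose a response: an address used only by bad hosts can be blocked outright,
    while a shared address (theantidrug.com next to the Clampi drop site in the
    post) calls for hostname-level blocking and a review of the IP itself."""
    bad = {n.lower() for n in known_bad}
    report = {}
    for ip, names in index_by_ip(records).items():
        hits = sorted(names & bad)
        if not hits:
            continue
        cohosted = sorted(names - bad)
        report[ip] = {
            "bad": hits,
            "cohosted": cohosted,
            "action": "block hostnames, review ip" if cohosted else "block ip",
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(assess(RECORDS, KNOWN_BAD).items()):
        print(ip, info["action"], "bad:", info["bad"], "cohosted:", info["cohosted"])
```

Feed it real passive-DNS output in the same (hostname, type, IP) shape to reproduce the post's finding on your own data.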


Alexei Vasiliev, a familiar RBN criminal involved in the propagation of the Clampi banking Trojan, used his email address (alexvasiliev1987@cocainmail.com) to register one of the known Clampi domains.