Thursday, December 31, 2009

OSS Secret Weapon Deployed


The open source security community, through the auspices of the Open Information Security Foundation (OISF, http://www.openinfosecfoundation.org), has released the beta version of the next generation intrusion prevention system, Meerkat. The Suricata Engine will run on multiple platforms and will change the paradigm in malware detection.

Will Metcalf, the maintainer of the Snort Inline project, today made the following announcement on behalf of Matt Jonkman (project leader) of Emerging Threats:


It's been about three years in the making, but the day has finally come!
We have the first release of the Suricata Engine! The engine is an Open
Source Next Generation Intrusion Detection and Prevention Tool, not
intended to just replace or emulate the existing tools in the industry,
but to bring new ideas and technologies to the field.

The Suricata Engine and the HTP Library are available to use under the
GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic
of Mod Security fame
for the OISF. This integrates and provides very
advanced processing of HTTP streams for Suricata. The HTP library is
required by the engine, but may also be used independently in a range of
applications and tools.

This is considered a Beta Release as we are seeking feedback from the
community. This release has many of the major new features we wanted to
add to the industry, but certainly not all. We intend to get this base
engine out and stable, and then continue to add new features. We expect
several new releases in the month of January culminating in a production
quality release shortly thereafter.

The engine and the HTP Library are available here:
http://www.openinfosecfoundation.org/index.php/download-suricata

Please join the oisf-users mailing list to discuss and share feedback.
The developers will be there ready to help you test.
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

As this is a first release we don't really have a "what's New" section
because everything is new. But we do have a number of new ideas and new
concepts to Intrusion Detection to note. Some of those are listed below:

Multi-Threading
Amazing that multi-threading is new to IDS, but it is, and we've got it!

Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has
HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match
within an HTTP stream for example regardless of the port the stream
occurs on. This is going to revolutionize malware detection and control.
Detections for more layer 7 protocols are on the way.

Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more
detailed matching within the engine.

Independent HTP Library
The HTP Parser will be of great use to many other applications such as
proxies, filters, etc. The parser is available as a library also under
GPLv2 for easy integration into other tools.

Standard Input Methods
You can use NFQueue, IPFRing, and the standard LibPcap to capture
traffic. IPFW support coming shortly.

Unified2 Output
You can use your standard output tools and methods with the new engine,
100% compatible!

Flow Variables
It's possible to capture information out of a stream and save that in a
variable which can then be matched again later.

Fast IP Matching
The engine will automatically take rules that are IP matches only (such
as the RBN and compromised IP lists at Emerging Threats) and put them
into a special fast matching preprocessor.

HTTP Log Module
All HTTP requests can be automatically output into an apache-style log
format file. Very useful for monitoring and logging activity completely
independent of rulesets and matching. Should you need to do so you could
use the engine only as an HTTP logging sniffer.


Coming Very Soon: (Within a few weeks)

Global Flow Variables
The ability to store more information from a stream or match (actual
data, not just setting a bit), and storing that information for a period
of time. This will make comparing values across many streams and time
possible.

Graphics Card Acceleration
Using CUDA and OpenCL we will be able to make use of the massive
processing power of even old graphics cards to accelerate your IDS.
Offloading the very computationally intensive functions of the sensor
will greatly enhance performance.

IP Reputation
Hard to summarize in a sentence, but Reputation will allow sensors and
organizations to share intelligence and eliminate many false positives.

Windows Binaries
As soon as we have a reasonably stable body of code.

The list could go on and on. Please take a few minutes to download the
engine and try it out and let us know what you think. We're not
comfortable calling it production ready at the moment until we get your
feedback, and we have a few features to complete. We really need your
feedback and input. We intend to put out a series of small releases in
the two to three weeks to come, and then a production ready major
release shortly thereafter. Phase two of our development plan will then
begin where we go after some major new features such as IP Reputation
shortly.

http://www.openinfosecfoundation.org

Wednesday, December 30, 2009

Brian Krebs Leaving The Washington Post

In another sign of the decline of print media, Brian Krebs, the world's number one journalist in the fight against Internet-based crime, is leaving The Washington Post.

Brian Krebs's last column appeared December 24th:

Farewell 2009, and The Washington Post

This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company.

Over the last 15 years, I've reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were "reverse published" in the newspaper, including eight front-page stories and a Post Magazine cover.

Through it all, you - the reader - have been my most valuable source, most reliable critic, and most persistent muse. Loyal readers are the reason Security Fix has consistently been among the most-visited blogs on washingtonpost.com. Thank you.

I will continue to remain engaged in this increasingly vital news beat. Please stay in touch for updates in the New Year. I can be reached directly at this e-mail address.


Brian has led the way in the fight against Russian organized crime's assault on the Internet. Among his notable articles are:

Russian Business Network: Down, But Not Out:
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

Mapping the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html

Taking on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html

Shadowy Russian Firm Seen as Conduit for Cybercrime:
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines

Estonia Incident Demonstrated Power of Russia-Based Cyber Networks:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new


The loss of Krebs indicates that The Washington Post Company may be in serious financial trouble.

Brian is creating a new web site at http://www.krebsonsecurity.com/

He can be reached at: krebsonsecurity@gmail.com

James McQuaid

Sunday, December 6, 2009

RBN Assists Global Iranian Crackdown

Research Center of Islamic Republic of Iran Broadcasting operating in RBN IP space

The Iranian government has launched a "Global Crackdown" against its opposition, following its monitoring of Facebook and other social media. Note the Slashdot post referring to The Wall Street Journal article:

Slashdot post: Iranian Crackdown Goes Global
http://politics.slashdot.org/story/09/12/05/2044243/Iranian-Crackdown-Goes-Global

Wall Street Journal article: Iranian Crackdown Goes Global
http://online.wsj.com/article/SB125978649644673331.html

"Tehran's leadership faces its biggest crisis since it first came to power in 1979, as Iranians at home and abroad attack its legitimacy in the wake of June's allegedly rigged presidential vote. An opposition effort, the 'Green Movement,' is gaining a global following of regular Iranians who say they never previously considered themselves activists. The regime has been cracking down hard at home. And now, a Wall Street Journal investigation shows, it is extending that crackdown to Iranians abroad as well. Part of the effort involves tracking the Facebook, Twitter and YouTube activity of Iranians around the world, and identifying them at opposition protests abroad. People who criticize Iran's regime online or in public demonstrations are facing threats intended to silence them."

Caught by surprise with the power of social media during the disputed election, Tehran has commissioned white paper studies by the Research Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role of social capital in knowledge sharing".

The crspa.ir web site has been assisted by the Russian Business Network at the well known RBN IP address 61.61.61.61, which is home to many of the RBN's spam, scam, and malware DNS servers.

www.crspa.ir is a CNAME forward view entry to crspa.ir (Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 5 December 2009):

Warning: IP address 61.61.61.61 may damage your computer
http://safeweb.norton.com/report/show?url=new-look-at-life.ru&x=0&y=0
Norton Safe Web reports that new-look-at-life.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.
http://www.siteadvisor.com/sites/holeuse.com
The McAfee SiteAdvisor reviewer notes that holeuse.com "is an Identity Theft and Credit Card Fraud ring."

There is also a CNAME entry at RBN IP address 222.170.127.100 (Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 6 December 2009):

Warning: IP address 222.170.127.100 may damage your computer
http://www.siteadvisor.com/sites/sing-sing-sing.ru
The McAfee SiteAdvisor reviewer notes that sing-sing-sing.ru is a spamming domain "responsible for millions of junk mails that can lead to malware, phishing sites, or exploits."
http://safeweb.norton.com/report/show?url=getyourpower.ru&x=8&y=5
Norton Safe Web reports that getyourpower.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.

Third scummy RBN server with a CNAME forward view entry for www.crspa.ir (Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP address 58.218.250.107, 7 December 2009):

Warning: IP address 58.218.250.107 may damage your computer
http://www.siteadvisor.com/sites/brownarea.com
The McAfee SiteAdvisor reviewer noted that brownarea.com are "Specialists in: credit-card fraud; hacking, hijacking, using viruses to get control of computers, that act as a zombie in botnets."

crspa.ir is a CNAME alias for www.rcirib.ir:
Research Center of Islamic Republic of Iran Broadcasting in Iranian IP space

The Research Center of Islamic Republic of Iran Broadcasting owns two domains:
crspa.ir is Research Center of Islamic Republic of Iran Broadcasting
rcrib.ir is Research Center of Islamic Republic of Iran Broadcasting

It will be interesting to see if the Iranian hacktivists target these RBN servers.

James McQuaid
emergingthreats.net
Most Recent Update: 7 December 2009
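The CNAME-to-RBN-space observation in this post, as an added example that is not part of the original: the script follows a CNAME chain over a record table and flags names whose terminal A records fall in a blocklist, the check a network administrator would run before trusting an alias. The three blocklisted addresses are the ones the post names; the record table itself, the rcirib.ir address (a TEST-NET placeholder) and the loop entries are constructed.

```python
"""Follow CNAME chains in a constructed record set and flag names whose
A records land in blocklisted IP space.

Added example, not from the original post. The record table mirrors the
post's observation (www.crspa.ir -> crspa.ir -> A records in RBN-hosted
space; rcirib.ir in Iranian space); the rcirib.ir address is a
TEST-NET-1 placeholder, not a value from the post.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone data: name -> list of (rrtype, rdata).
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "www.crspa.ir": [("CNAME", "crspa.ir")],
    "crspa.ir": [("A", "61.61.61.61"),
                 ("A", "222.170.127.100"),
                 ("A", "58.218.250.107")],
    "www.rcirib.ir": [("A", "192.0.2.10")],  # placeholder (TEST-NET-1)
    "rcirib.ir": [("CNAME", "www.rcirib.ir")],
    "loop.example": [("CNAME", "loop2.example")],   # constructed loop
    "loop2.example": [("CNAME", "loop.example")],
}

# Blocklist in the style of the RBN IP list this blog distributes; the
# three addresses are the ones the post names.
RBN_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "61.61.61.61/32", "222.170.127.100/32", "58.218.250.107/32")]

MAX_CHAIN = 8  # real resolvers cap CNAME recursion; so do we


def follow_cname(name, records=RECORDS, max_depth=MAX_CHAIN):
    """Return (chain, a_records). chain lists every name visited,
    starting with the queried one. Raises ValueError on a CNAME loop
    or when the chain exceeds max_depth."""
    chain = [name]
    current = name
    for _ in range(max_depth):
        rrs = records.get(current, [])
        cnames = [rd for (t, rd) in rrs if t == "CNAME"]
        if not cnames:
            a_records = [rd for (t, rd) in rrs if t == "A"]
            return chain, a_records
        # RFC 1034: a name with a CNAME has no other data, so take the alias.
        current = cnames[0]
        if current in chain:
            raise ValueError(f"CNAME loop: {' -> '.join(chain + [current])}")
        chain.append(current)
    raise ValueError(f"CNAME chain longer than {max_depth}: {name}")


def in_blocklist(ip, blocklist=RBN_BLOCKLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def check_name(name, records=RECORDS, blocklist=RBN_BLOCKLIST):
    """Describe where `name` ultimately resolves and which of its A
    records fall into blocklisted space."""
    chain, a_records = follow_cname(name, records)
    flagged = [ip for ip in a_records if in_blocklist(ip, blocklist)]
    return {"name": name, "chain": chain, "a_records": a_records,
            "flagged": flagged, "suspicious": bool(flagged)}


if __name__ == "__main__":
    for n in ("www.crspa.ir", "rcirib.ir"):
        r = check_name(n)
        print(f"{n}: {' -> '.join(r['chain'])} -> {r['a_records']}"
              f" blocklisted={r['flagged']}")
    try:
        follow_cname("loop.example")
    except ValueError as e:
        print("rejected:", e)
```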

Sunday, November 15, 2009

DNS Blackhole and RBN IP List Updated 11-15-2009

Over the weekend I've updated the DNS Blackhole and RBN IP List files to include blocking of the most recent malware sites. Updating your firewall will provide you with optimal protection:

Emerging Russian Business Network rules for Snort:
http://www.emergingthreats.net/rules/emerging-rbn.rules

Emerging Threats RBN Project page:
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

IP list as a text file (last update: 10-24-2009)
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

DNS Black Hole files for Smoothwall at Emerging Threats:
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts

http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts


Understanding DNS Black Hole In Home Defense


James McQuaid

Saturday, November 7, 2009

DNS Blackhole Updated

DNS Black Hole files for Smoothwall at Emerging Threats:
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts

http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts

Protect your home network from 285,273 bad actor and malware domains.

James McQuaid
11-7-2009

Tuesday, November 3, 2009

Message for Web Hosting Providers

The Electric Six, known for ridiculous, over-the-top rock, provide a timely message for legitimate web hosting providers who, by failing to scan their own networks, are allowing criminals to use web sites to deliver malware:

Listen to "Formula 409" by Electric Six on lala.com:
http://popup.lala.com/popup/360569453772674524

Lala.com rated safe for listening:
http://www.google.com/safebrowsing/diagnostic?site=lala.com
http://safeweb.norton.com/report/show?url=lala.com&x=0&y=0
http://www.siteadvisor.com/sites/lala.com
http://wepawet.cs.ucsb.edu/domain.php?hash=c1762e2fa3c76e8bfe41a9f7de069504&type=js

"You can clean your kitchen baby
Make it look good every time.
You can use a little Mr Clean
or Formula 409.

You can find my mission baby,
lock it on target every time.
Take out Washington or New York
Or you can take out Palestine.

You can drive your car to pieces baby,
Drive it until somebody dies.
Get out of trouble with a cover-up,
A greasy lawyer and some lies.

You can clean your kitchen baby
Make it look good every time.
You can use a little Mr Clean
or Formula 409."


Perhaps Congress should consider legislation imposing financial penalties for malware hosting. This would provide the hosts with an incentive to perform due diligence.

Monday, October 26, 2009

DNS Blackhole and RBN IP List Updated

Over the weekend I've updated the DNS Blackhole and RBN IP List files to include blocking of the most recent malware sites (including the ASProx botnet). Updating your firewall will provide you with optimal protection:

Emerging Russian Business Network rules for Snort:
http://www.emergingthreats.net/rules/emerging-rbn.rules

Emerging Threats RBN Project page:
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

IP list as a text file (last update: 10-24-2009)
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

DNS Black Hole files for Smoothwall at Emerging Threats:
http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts

http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts


James McQuaid
10-25-2009

Friday, October 16, 2009

Don't Lose Your Bank Account: Bank on a Live CD

Brian Krebs has provided people who use online banking services with excellent advice: do your online banking only from a read-only, bootable operating system, such as Knoppix or Ubuntu.

Brian's articles on this subject have been featured by both Slashdot and Google. He provides a tutorial on how to burn a live CD using Ashampoo Burning Studio Free. If you use Nero, my tutorial on burning ISO images may also be useful.

For those who do not wish to burn their own ISO image, the large bookstores now have Linux magazines available which include bootable Linux Live CDs.

James McQuaid

Sunday, October 11, 2009

Blocking the ASProx Fast Flux Botnet

With the IP addresses of the ASProx fast flux botnet changing between infected residential computers nearly daily, the only effective methods of blocking it are a DNS black hole or Snort Inline.

Gary Warner provides an excellent write up on the botnet at his blog at: http://garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html

Today, I updated the DNS Super Blackhole at emergingthreats.net. You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples:

* config-hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts): 275,937 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Updated 10-11-2009: added 9,116 cybercrime and malware domains identified since 6-20-2009.

* hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts): Protect your home from 275,937 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback (blacklisted domains must resolve to 127.0.0.1). Updated 10-11-2009. If you believe that your domain should not be listed, please let us know and we will review it for delisting.

- James McQuaid

Thursday, September 24, 2009

Protected By Emerging Again

In "'Money Mule' Recruitment Network Exposed" (http://voices.washingtonpost.com/securityfix/2009/09/money_mule_recruitment_101.html?wprss=securityfix), Brian Krebs discusses the Scope Group Inc., a fraudulent money mule recruiter.

scope-group.cn and its associated web sites operate on the following IP addresses:
222.35.137.234
222.35.137.235
222.35.137.236
222.35.137.237

Those who have implemented the emerging-rbn.rules have protected the users of their networks from these ruthless criminals, who stole more than $117,000.00 from the small Sanford School District last month.

James McQuaid

Wednesday, September 23, 2009

Protected By Emerging

Those who have implemented the emerging-rbn.rules have protected their networks from the September 11th and 12th attacks on the visitors to The New York Times web site.

The attacks utilized the following IP addresses:


Dancho Danchev's and Gary Warner's blogs provide good explanations of these attacks:

http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html

http://garwarner.blogspot.com/2009/09/in-brief-new-york-times-fake-anti-virus.html

Visit Emerging Threats at emergingthreats.net

James McQuaid

Friday, September 11, 2009

RBN Attacking White House Anti-Drug Web Sites

In another example of the RBN revealing the true measure of their malice, White House Anti-Drug Sites have been attacked over the past week.

Malware Domain List reported on September 5th that whitehousedrugpolicy.gov, the website of Office of National Drug Control Policy had been compromised. In that instance, the site was directing visitors to a trojan:

Malware Domain List entry: URL adgallery.whitehousedrugpolicy.gov/members/Miley-Cyrus-Nude/default.aspx; IP 198.77.71.192 (reverse lookup adgallery.whitehousedrugpolicy.gov); description: directs to trojan; registrant contact: abuse@noc.privatedns.com; listed 2009/09/05.

whitehousedrugpolicy.gov features White House Drug Policy initiatives, programs, and resources as well as testimony and press releases. The site outlines National Drug Control Strategy goals and objectives.

Today, I found that drugs4sale.loderunner.in, which is a data receptor for the notorious Clampi banking Trojan (Trojan.Clampi) had an A record pointing to 130.94.30.137. This is the same IP address reserved for use by theantidrug.com, the "Parents: The Anti-Drug" site created by Fleishman-Hillard (a leader in international marketing and communications).

AS2914 NTTC-GIN-AS NTT Communications Global IP Network
DNS records (name, type, IP address, country):

drugs4sale.loderunner.in   A   130.94.30.137   United States
mail.theantidrug.com       A   130.94.30.137   United States
the-anti-drug.com          A   130.94.30.137   United States
theantidrug.com            A   130.94.30.137   United States


Alexei Vasiliev, a familiar RBN criminal involved in the propagation of the Clampi banking Trojan, used his email address (alexvasiliev1987@cocainmail.com) to register one of the known Clampi domains.

Thursday, July 30, 2009

RBN Attacks Labour Organization

Russian Business Network hackers have targeted the computers of visitors to WomensLabour.org, a website devoted to women and the labour market in Central and Eastern Europe.

The website is designed to provide Non-Governmental Organizations (NGOs), and particularly gender-focused NGOs, with up-to-date information about the economic position of women from Central and Eastern Europe (CEE). It places particular emphasis on the link between the EU enlargement process and the position of CEE women in the labour market.

The RBN is well known for its direct involvement in the sexual exploitation of women and children. The Russian Business Network's efforts to spy on Eastern European labour organizations should be noted by law enforcement.

MalwareDomainList.com first listed WomensLabour.org as compromised on June 30th. Google's Safe Browsing application reports that visitors to the site were targeted by malicious software ("resulted in malicious software being downloaded and installed without user consent") originating at martuz.cn, betbigwager.cn, and cutlot.cn. Cutlot.cn and betbigwager.cn are operated by well known cyber criminal Raymond Keaton (keaton@cybernauttech.com). Chen Poon, who also acts in tandem with Russian cyber criminals, owns martuz.cn. The RBN's malicious software included, but was not limited to, "7 scripting exploits".

- James McQuaid

Monday, April 20, 2009

DNS Super Black Hole

Understanding DNS Black Hole In Home Defense


DNS Black Hole technology has been used in various settings for some years. "The first DNSBL was the Real-time Blackhole List (RBL), created in 1997 by Paul Vixie as part of his Mail Abuse Prevention System (MAPS)" (note: http://en.wikipedia.org/wiki/DNSBL).

Some years later, David Glosser's open source security project at EmergingThreats.net formalized the use of the technique as a means of blocking malware (note http://www.malwaredomains.com/bhdns.html). His site includes a nice hyperlink list of the various hosts blocking web sites at http://www.malwaredomains.com/bhdns.html#Resources.

Over the past two years, having faced an onslaught of hundreds of new malware domains per week created by the RBN and their affiliates, those of us engaged in mitigation and recovery operations began creating Super Black Holes in Linux DNS servers as a matter of necessity. Initially, there was some skepticism as to whether the concept was practicable, but it has proven sound when used with internal DNS servers.

The great advantage for home users is that a DNS Super Black Hole provides the opportunity to effectively block a *very* large number of malicious web sites with minimum resources. For example, to filter by IP address the 247,268 evil sites (provided in the DNS Super Black Hole files that I am posting) requires 6 GB of RAM deployed across two inline firewall servers. Such hardware is unavailable to most home users. In contrast, using one older PC bearing only 512 MB of RAM, the home user can block the same 247,268 bad actor web sites using a DNS Super Black Hole (deployed on a free, open source software platform such as Smoothwall). Windows users can edit the files by using free, open source software such as Notepad++ (http://sourceforge.net/projects/notepad-plus/) and WinSCP (http://sourceforge.net/projects/winscp/). This provides parents with a means to filter racist, criminal and pornographic web sites.

In the struggle against cyber criminals, I have often observed instances where viruses are used to drive up the traffic statistics of a web site owned by the criminal. This enables cyber criminals to auction the domain at a greater price. In order to discourage this practice, my DNS Super Black Hole files include many of these domains.

Few individuals visit malicious web sites on purpose. In most cases, the user visits a legitimate site which has been hacked or which includes a malicious banner ad (a fairly common occurrence at Yahoo and Google). The end result is that a hidden window or IFrame is invoked by JavaScript which installs malware on the PC. DNS Super Black Hole prevents this by diverting the DNS (domain name server) query to the Black Hole. The files include Internet bad actors as well as most of the known malware domains as of May 27, 2009.

Smoothwall is a stable platform which provides excellent installation instructions and documentation (http://www.smoothwall.org/) and user community support (http://community.smoothwall.org/forum/). As such, it is ideal for home users.

You can download the DNS Super Black Hole files for Smoothwall at Emerging Threats from http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples:

* config-hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/config-hosts): 247,268 organized crime, RBN affiliates, malware hosts and bad actors blacklisted for Smoothwall 3. Leave last line blank. Place in /var/smoothwall/hosts/, then rename config-hosts to config. Update 5-27-2009: 3,526 cybercrime and malware domains discovered since May 3rd.

* hosts (http://doc.emergingthreats.net/pub/Main/HoneywallSamples/hosts): Protect your home from 247,268 bad domains for Smoothwall 3; placed in /var/smoothwall/hosts/. Note: with this many objects in BlackHole, you must use local loopback. Updated 5-27-2009.

Many of the web sites listed in these files are extraordinarily dangerous, so do not visit them!
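The hosts-file black hole this post and the ASProx post above describe, as an added example that is not the Emerging Threats files or Smoothwall's own code: a Python builder that normalizes a domain list, points every entry at 127.0.0.1 (the loopback requirement noted above), ends the file with the blank line Smoothwall expects, and then shows a black-holed lookup never leaving the machine. The sample domain list and the allowlist are constructed.

```python
"""Build a Smoothwall-style DNS black hole hosts file from a domain list.

Added example, not from the original post or Emerging Threats. Input
domains are constructed; the output format (one "127.0.0.1 <domain>"
line per blacklisted name, loopback target, trailing blank line) follows
the post's notes on the config-hosts file. The allowlist check is this
example's own addition for catching accidental entries.
"""
import re

LOOPBACK = "127.0.0.1"
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input: mixed case, a URL, a duplicate, junk, and a
# name that must never be black-holed.
SAMPLE_DOMAINS = """
# constructed list
Badsite.EXAMPLE
badsite.example
http://evil-ads.example/landing.html
not a domain!
www.bank.example
-bad-label.example
WWW.crspa.ir
"""

# Constructed allowlist: names a home network cannot afford to sinkhole.
ALLOWLIST = {"www.bank.example"}


def normalize(entry):
    """Lower-case, strip URL scheme/path and a trailing dot; return None
    if the result is not a syntactically valid hostname."""
    s = entry.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = re.sub(r"^[a-z]+://", "", s).split("/", 1)[0].rstrip(".")
    labels = s.split(".")
    if len(labels) < 2 or len(s) > 253:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return s


def build_blackhole(text, allowlist=frozenset(), target=LOOPBACK):
    """Return (hosts_file_text, dropped); dropped lists rejected entries
    with a reason. Names are deduplicated and sorted for diffable updates."""
    seen = set()
    dropped = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("#"):
            continue
        name = normalize(raw)
        if name is None:
            dropped.append((raw, "invalid hostname"))
        elif name in allowlist:
            dropped.append((raw, "allowlisted"))
        else:
            seen.add(name)
    lines = [f"{target} {name}" for name in sorted(seen)]
    # Smoothwall expects the file to end with a blank line.
    return "\n".join(lines) + "\n\n", dropped


def resolve(name, hosts_text, upstream):
    """Resolve `name` the way a hosts-first resolver would: black-holed
    names return the loopback target, anything else falls through to
    `upstream`, a callable standing in for the real DNS lookup."""
    table = {}
    for line in hosts_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[1]] = parts[0]
    return table.get(name.lower().rstrip(".")) or upstream(name)


if __name__ == "__main__":
    hosts, dropped = build_blackhole(SAMPLE_DOMAINS, ALLOWLIST)
    print(hosts, end="")
    for raw, why in dropped:
        print(f"dropped {raw!r}: {why}")
    fake_upstream = lambda n: "203.0.113.5"  # constructed upstream answer
    print(resolve("Badsite.example", hosts, fake_upstream))
    print(resolve("www.bank.example", hosts, fake_upstream))
```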

Thursday, March 26, 2009

RBN Registers Racist Domains Using Go Daddy

Russian Business Network malware distributors have registered numerous racist domain names using domain registrar Go Daddy. The domains, and subsequently created subdomain names, provide insight into the RBN's misanthropic perspective.

Over the past year, Go Daddy has been criticized by anti-fraud watchdog groups for refusing to take down web sites engaged in the sale of illegal steroids. (note: http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201188)

As of March 26th, the malicious sites were hosted at XS4ALL Networking (cistron) in Amsterdam at IP address 83.68.16.6 (which XS4ALL classifies as "ADSL IP numbers"). One of the domains present on the IP address (and registered through Go Daddy), ntkrnlpa.info, has been involved in several RBN criminal campaigns. Note Dancho Danchev's excellent blog post of March 25th, "Embassy of Portugal in India Serving Malware", at http://ddanchev.blogspot.com/2009/03/embassy-of-portugal-in-india-serving.html

Go Daddy should act in a socially responsible manner and reveal information regarding the registrant(s), take down the domains, and apologize for taking profits from providing registration services for racists and criminals.

83.68.16.6:

Sunday, March 22, 2009

Russian Business Network Deploys in the IP Space of the Islamic Republic

A Russian organized crime group involved in pornography, drug smuggling, and the distribution of malware has initiated operations from the IP address space of the Islamic Republic of Iran. It is unknown if this activity was launched with state approval.

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors. The affiliate's contact email address is staff@ntcolo.com.ua.

The domain to IP address assignments are modified several times per week, as the RBN seeks to evade IP blocking by network administrators. As of Sunday 22 March 2009, the domain to IP address assignments were as follows:


194.165.4.0/23 = 194.165.4.1 through 194.165.5.255 AS48669 NTCOLO-AS NTCOLO

*.internetantiviruspro.com (WinFixer trojan)
avpayments.com (fraudulent payment processor)
easy6scan.com
fast6scan.com
general-antivirus.com
generalantivirus.com
internetantiviruspro.com
mail.new4scan.com (mail server for malware domain)
mail.scan4new.com (mail server for malware domain)
mail.scan4plus.com (mail server for malware domain)
mail.scan5best.com (mail server for malware domain)
scan4plus.com
www.avpayments.com (fraudulent payment processor)
www.easy6scan.com
www.fast6scan.com (fake antivirus application)
www.ia-pro.com (WinFixer trojan)
www.internetantiviruspro.com (WinFixer trojan)
www.live4scan.com
www.new4scan.com

194.165.4.224
ns1.scan5best.com (JS.Downloader, Packed.Generic.200, fake antivirus application)
personal-antivirus.com (Downloader.MisleadApp, WinFixer trojan)

194.165.5.20
google-analitecs.com ("intermediary for the infection of 123 sites" - Google)
mail.google-analitecs.com (mail server for hacking domain)
ns1.google-analitecs.com (name server for hacking domain)
ns2.google-analitecs.com (name server for hacking domain)
ns2.inspred.com

194.165.5.54
ns2.new4scan.com (name server for phishing domain)
ns2.scan4best.com (name server for malware domain)
ns2.scan4new.com (name server for malware domain)
ns2.scan4plus.com (name server for malware domain)
ns2.scan5best.com (name server for malware domain)

RBN in Islamic Republic IP space
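The weekly re-pointing described above is why per-IP blocking keeps falling behind. As an added example (not part of the original post), the script below diffs two constructed domain-to-IP snapshots against the AS48669 /23 named in the post and reports which domains a per-IP blocklist would lose track of while a prefix-level block still covers them; the day-2 moves and the benign control domain are invented.

```python
# Added example, not from the original post. Snapshots below are constructed,
# not live DNS data; the prefix is the AS48669 block named in the post.
import ipaddress
BAD_PREFIX = ipaddress.ip_network("194.165.4.0/23")  # AS48669 NTCOLO-AS NTCOLO

# Constructed snapshots: what each domain resolved to on two different days.
SNAPSHOT_DAY1 = {
    "advancedprotectionscanner.com": "194.165.4.7",
    "quicksecurityskim.com": "194.165.4.16",
    "personal-antivirus.com": "194.165.4.224",
    "benign.example": "203.0.113.10",  # invented control domain
}
SNAPSHOT_DAY2 = {
    "advancedprotectionscanner.com": "194.165.4.140",  # re-pointed inside the /23
    "quicksecurityskim.com": "194.165.4.16",           # unchanged
    "personal-antivirus.com": "198.51.100.7",          # moved out of the prefix
    "benign.example": "203.0.113.10",
}

def in_bad_prefix(ip: str) -> bool:
    """True if the address falls anywhere in 194.165.4.0 - 194.165.5.255."""
    return ipaddress.ip_address(ip) in BAD_PREFIX

def classify(old_ip: str, new_ip: str) -> str:
    """Label one domain's move relative to the bad prefix."""
    if old_ip == new_ip:
        return "stable"
    was_bad, is_bad = in_bad_prefix(old_ip), in_bad_prefix(new_ip)
    if was_bad and is_bad:
        return "rotated-in-prefix"  # a per-IP block breaks here, a prefix block holds
    if was_bad:
        return "left-prefix"
    return "entered-prefix" if is_bad else "changed"

def diff_resolutions(old: dict, new: dict) -> dict:
    """Verdict for every domain present in either snapshot."""
    out = {}
    for domain in sorted(set(old) | set(new)):
        o, n = old.get(domain), new.get(domain)
        out[domain] = classify(o, n) if o and n else ("added" if o is None else "dropped")
    return out

def ip_blocklist_misses(old: dict, new: dict) -> list:
    """Domains still in the prefix whose new IP a per-IP list built from `old` lacks."""
    blocked = {ip for ip in old.values() if in_bad_prefix(ip)}
    return sorted(d for d, ip in new.items() if in_bad_prefix(ip) and ip not in blocked)

if __name__ == "__main__":
    for domain, verdict in diff_resolutions(SNAPSHOT_DAY1, SNAPSHOT_DAY2).items():
        print(f"{domain:32} {verdict}")
    print("missed by per-IP list:", ip_blocklist_misses(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```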

Thursday, March 12, 2009

United States Agency for International Development hacked by Georgia attacker

Russian intelligence enlists RBN to boost Lavrov

With the arrival of Russian Foreign Minister Sergei Lavrov in Azerbaijan, the corresponding U.S.A.I.D. site was hacked by the Russian Business Network. Those who visited the site have had the information on their computers taken:
"The Azerbaijan section at the United States Agency for International Development (azerbaijan.usaid.gov) has been compromised and is embedded with malware and exploits serving scripts approximately around the 1st of March." - Dancho Danchev (http://blogs.zdnet.com/security/?p=2817)

The domain which is collecting data from the computers infected when they visited the U.S.A.I.D. Azerbaijani web site, fileuploader.cn, was registered by Sergey Astakhov.

fileuploader.cn whois data

Those familiar with this blog will note that Mr. Astakhov led the cyber "first strike" against Georgia preceding the war between Georgia and Russia (http://securehomenetwork.blogspot.com/2008/09/rbn-operatives-part-ii.html).

The domain, fileuploader.cn, has been used for criminal purposes in the past. "It gets even more interesting when the phone back location of the malware fileuploader.cn/check/check.php is revealed. The domain in question was exclusively used by Russian Business Network/customers of the RBN in January, 2008 part of the cybercrime powerhouse's attempt to throw sand in the eyes of the community by issuing fake account suspended notices whereas the malware campaigns remained active." (http://blogs.zdnet.com/security/?p=2817)

As Danchev observes, "Is there such a thing as a coincidence, especially when it comes to three malware embedded attacks in a week affecting Azerbaijan's USAID.gov section, and now their Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies?" (http://ddanchev.blogspot.com/2009/03/azerbaijanian-embassies-in-pakistan-and.html)

It should be noted that Mr. Astakhov is a commercial purveyor of potentially illegal sexual material (deinglaube.com) as well as malware. Such is the less than exemplary state of Russia's intelligence services. It is unfortunate that Russia's Foreign Ministry draws upon criminal assets.

James

Monday, February 2, 2009

RBN Takes Another Hit

Ukrainian web hosting provider UkrTeleGroup Ltd., a long-time hub of Russian cybercrime operations, has been taken offline. The takedown came after reports by McAfee and other security organizations, and a formal complaint by Brian Krebs of The Washington Post. This action sends a clear message to other web hosting providers that providing service to organized cybercrime imposes risks on the host. The overall effect will be to drive up the cost to cyber criminals of doing business. Last year, cybercrime cost the world economy as much as $1 trillion.

You can read more at Brian Krebs' Security Fix column at The Washington Post:
http://voices.washingtonpost.com/securityfix/2009/01/troubled_ukrainian_host_sideli.html