Sunday, March 22, 2009

RUSSIAN BUSINESS NETWORK DEPLOYS IN THE IP SPACE OF THE ISLAMIC REPUBLIC

A Russian organized crime group involved in pornography, drug smuggling, and the distribution of malware has initiated operations from the IP address space of the Islamic Republic of Iran. It is unknown if this activity was launched with state approval.

The Russian Business Network affiliate involved has established a front company, autonomous system AS48669 NTCOLO-AS NTCOLO, and has been allocated 510 unique IP addresses. AS48669 consists of 105 malware domains, 19 domain name servers, 8 mail servers and 3 fraudulent payment processors. The affiliate's contact email address is staff@ntcolo.com.ua.

The domain-to-IP-address assignments are modified several times per week, as the RBN seeks to evade IP blocking by network administrators. As of Sunday 22 March 2009, the domain-to-IP-address assignments were as follows:


194.165.4.0/23 = 194.165.4.1 through 194.165.5.255 AS48669 NTCOLO-AS NTCOLO

194.165.4.7
advancedprotectionscanner.com (fake antivirus application)
bestantimalwarescanner.com (fake antivirus application)
fullantispywareonlinescane.com (fake antivirus application)
newsworldinteger.cn
webgreenpeace.cn
worldwidesphere.cn

194.165.4.14
*.ykoohky.com
ns.ykoohky.com
ns.zdorcaf.com (name server for malware redirector)

194.165.4.15
ns1.ykoohky.com
ns1.zdorcaf.com (name server for malware redirector)

194.165.4.16
mail.quicksecurityskim.com (mail server for malware domain)
mail.webprotectionswipe.com (mail server for malware domain)
quicksecurityskim.com (fake antivirus application)

194.165.4.20
mail.onlinestabilityexamine.com (mail server for malware domain)
ns1.onlinestabilityexamine.com (name server for malware domain)
onlinestabilityexamine.com (Downloader.MisleadApp, WinFixer trojan)
www.onlinestabilityexamine.com (Downloader.MisleadApp, WinFixer trojan)

194.165.4.21
ns2.onlinestabilityexamine.com (name server for malware domain)

194.165.4.39
piratas-numericos.info (Ransom trojan, New Malware.j trojan, Generic.d)

194.165.4.41 (fake antivirus applications and WinFixer trojans)
*.bestscan4.com
*.bestscan6.com
*.easy4scan.com
*.fast4scan.com
*.fastscan4.com
*.just4scan.com
*.lead4scan.com
*.live6scan.com
*.livescan4.com
*.livescan6.com
*.new6scan.com
*.plus4scan.com
*.plus6scan.com
*.plusscan4.com
*.scan4easy.com
*.scan4ever.com (fake antivirus application)
*.scan4fast.com
*.scan4now.com
*.scan6best.com
*.scanbest4.com
*.scaneasy4.com
*.scanfast4.com
*.scanlive4.com
*.scannew4.com
*.scanplus4.com
bestscan4.com
bestscan6.com
easy4scan.com
fast4scan.com
fastscan4.com
gobestscan.com
just4scan.com
lead4scan.com
live6scan.com
livescan4.com
livescan6.com
newscan6.com
ns1.inspred.com (name server for malware domain)
ns1.new4scan.com (name server for malware domain)
ns1.scan4new.com (name server for malware domain)
ns1.scan4plus.com (name server for malware domain)
plus4scan.com
plus6scan.com
scan4easy.com
scan4ever.com
scan4fast.com
scan4now.com
scan6best.com
scan6live.com
scanbest4.com
scaneasy4.com
scanfast4.com
scanlive4.com
scannew4.com
scanplus4.com
www.bestscan4.com
www.bestscan6.com
www.easy4scan.com
www.fast4scan.com
www.fastscan4.com
www.just4scan.com
www.lead4scan.com
www.live6scan.com
www.livescan4.com
www.livescan6.com
www.new6scan.com
www.plus4scan.com
www.plus6scan.com
www.plusscan4.com
www.scan4easy.com
www.scan4ever.com
www.scan4fast.com
www.scan4now.com
www.scan6best.com
www.scanbest4.com
www.scaneasy4.com
www.scanfast4.com
www.scanlive4.com
www.scannew4.com
www.scanplus4.com

194.165.4.140 (fake antivirus applications and WinFixer trojans)
*.avpayments.com (fraudulent payment processor)
*.easy6scan.com
*.fast6scan.com (fake antivirus application)
*.ia-pro.com (WinFixer trojan)
*.internetantiviruspro.com (WinFixer trojan)
avpayments.com (fraudulent payment processor)
easy6scan.com
fast6scan.com
general-antivirus.com
generalantivirus.com
internetantiviruspro.com
mail.new4scan.com (mail server for malware domain)
mail.scan4new.com (mail server for malware domain)
mail.scan4plus.com (mail server for malware domain)
mail.scan5best.com (mail server for malware domain)
scan4plus.com
www.avpayments.com (fraudulent payment processor)
www.easy6scan.com
www.fast6scan.com (fake antivirus application)
www.ia-pro.com (WinFixer trojan)
www.internetantiviruspro.com (WinFixer trojan)
www.live4scan.com
www.new4scan.com

194.165.4.224
ns1.scan5best.com (JS.Downloader, Packed.Generic.200, fake antivirus application)
personal-antivirus.com (Downloader.MisleadApp, WinFixer trojan)

194.165.5.20
google-analitecs.com ("intermediary for the infection of 123 sites" - Google)
mail.google-analitecs.com (mail server for hacking domain)
ns1.google-analitecs.com (name server for hacking domain)
ns2.google-analitecs.com (name server for hacking domain)
ns2.inspred.com

194.165.5.54
ns2.new4scan.com (name server for phishing domain)
ns2.scan4best.com (name server for malware domain)
ns2.scan4new.com (name server for malware domain)
ns2.scan4plus.com (name server for malware domain)
ns2.scan5best.com (name server for malware domain)
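Because the assignments above rotate several times a week, a static copy of the list goes stale quickly; what a network administrator wants is a way to re-read each new listing, keep a blocklist current, and see which hosts moved. The following Python is an added example written for this edit (not code from the original post): it parses the post's IP-then-domains layout, checks addresses against the reported 194.165.4.0/23 prefix, and diffs two snapshots to surface moved hosts. The LISTING text is a constructed excerpt made only from entries on this page, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Netblock reported for AS48669 NTCOLO-AS on the page.
RBN_PREFIX = ipaddress.ip_network("194.165.4.0/23")

# Constructed sample in the post's own layout: an IP line (optionally followed by a
# parenthetical note), then one hostname per line, groups separated by blank lines.
# Every entry below is copied from the page; the excerpt itself is constructed.
LISTING = """\
194.165.4.7
advancedprotectionscanner.com (fake antivirus application)
newsworldinteger.cn

194.165.4.20
mail.onlinestabilityexamine.com (mail server for malware domain)
ns1.onlinestabilityexamine.com (name server for malware domain)
onlinestabilityexamine.com (Downloader.MisleadApp, WinFixer trojan)

194.165.4.41 (fake antivirus applications and WinFixer trojans)
*.bestscan4.com
bestscan4.com
www.bestscan4.com
"""

# "<name>" optionally followed by " (<note>)"; the name may be a wildcard like *.example.com.
ENTRY_RE = re.compile(r"^(?P<name>\S+)(?:\s+\((?P<note>[^)]*)\))?\s*$")


def parse_listing(text):
    """Return {hostname: (ip, note)} from the IP-then-domains layout.

    A line whose name parses as an IP address opens a new group; following
    non-blank lines are hosts under that IP. A note on the IP line is inherited
    by hosts in the group that carry no note of their own.
    """
    hosts = {}
    current_ip, group_note = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, note = m.group("name"), m.group("note") or ""
        try:
            current_ip = str(ipaddress.ip_address(name))
            group_note = note
            continue  # header line, not a host
        except ValueError:
            pass
        if current_ip is None:
            continue  # host line before any IP header; ignore
        hosts[name] = (current_ip, note or group_note)
    return hosts


def hosts_by_ip(hosts):
    """Invert the mapping so a blocklist can be emitted per address."""
    by_ip = defaultdict(list)
    for name, (ip, _) in hosts.items():
        by_ip[ip].append(name)
    return dict(by_ip)


def in_reported_prefix(ip, prefix=RBN_PREFIX):
    """True if the address sits inside the AS48669 netblock named in the post."""
    return ipaddress.ip_address(ip) in prefix


def changed_assignments(old, new):
    """Hosts whose IP differs between two snapshots: the rotation the post describes."""
    changes = {}
    for name, (ip, _) in new.items():
        old_ip = old.get(name, (None, None))[0]
        if old_ip is not None and old_ip != ip:
            changes[name] = (old_ip, ip)
    return changes


if __name__ == "__main__":
    snapshot = parse_listing(LISTING)
    for ip, names in sorted(hosts_by_ip(snapshot).items()):
        flag = "in AS48669 prefix" if in_reported_prefix(ip) else "outside prefix"
        print(f"{ip} ({flag}): {len(names)} host(s)")
```

Feed each week's listing to parse_listing, store the result, and run changed_assignments against the previous snapshot; hosts that moved are the ones whose IP-based blocks need refreshing, while a block on the whole /23 (in_reported_prefix) is unaffected by rotation inside the prefix.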

RBN in Islamic Republic IP space