With the globalization of organized crime via the Internet, increasing numbers of people are being subjected to crime. The resources available to local law enforcement organizations to respond to these crimes are often limited. If you would like to report a crime, the following list may be helpful:
Computer Crime & Intellectual Property Section
United States Department of Justice:
http://www.justice.gov/criminal/cybercrime/reporting.htm
The Internet Crime Complaint Center:
http://www.ic3.gov/default.aspx
Your Local FBI Office:
http://www.fbi.gov/contact/fo/fo.htm
National Association of Attorneys General Computer Crime Point of Contact List:
http://www.naag.org/issues/20010724-cc_list_bg.php
National Center for Missing & Exploited Children:
http://www.missingkids.com/missingkids/servlet/PublicHomeServlet?LanguageCountry=en_US
United States Computer Emergency Readiness Team (for technicians):
http://www.us-cert.gov/
Regardless of whether you expect a successful resolution, it is beneficial to report a crime because it enables these organizations to better evaluate the extent of the problem.
James McQuaid
2-27-2010
Saturday, February 6, 2010
Russians Stage Large-scale, Successful Attack on U.S. and State Government Computers
The Criminal Behind the Attack
Brian Krebs today posted a story on his excellent blog, "Zeus Attack Spoofs NSA, Targets .gov and .mil" (http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/), which discusses an attack in which "a relatively large number of recipients were taken in".
"The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence." The infecting file is detected by fewer than half of all anti-virus programs, but it allows the attackers to steal passwords and remotely control the infected computers. The state government agency that Brian Krebs' "source works at has already confirmed 'a couple hundred' infections at their site".
The email containing the spoofed message originated from nobody@sh16.ruskyhost.ru. sh16.ruskyhost.ru is at IP address 174.36.194.156, which is leased by long-time Russian cyber criminal Nikolai Lidiaev. It should be noted that less than two years ago, Nikolai Lidiaev launched an attack against the customers of Wachovia financial services from the email account "nobody@sh5.slavhost.com". ruskyhost.ru and slavhost.com are duplicated, overlapping servers.
Russian criminals operate as privateers against the West, receiving rewards from Russian intelligence for information acquired during criminal operations against the West. They are also allowed to keep what they are able to steal.
The irony is that Mr. Lidiaev's servers are based in the United States, not Russia. The United States should shut down his criminal operation. His IP addresses follow:
Other email addresses used by Nikolai Lidiaev in the past few years include:
nick@slavhost.ru
nnnlen@comcast.net
James McQuaid