Saturday, May 28, 2011

RBN Targets Lady Gaga


Steroid marketers in the Russian Business Network have targeted pop star Lady Gaga.

This takes the form of brand and copyright infringement through the registration of the following domains:

  • lady-gaga-romance.com
  • ladygagaromance.net
  • ladygagaromance.org
  • ladygagaromancefilms.com
  • ladygagaromancetips.com

On the face of it, these Lady Gaga domains appear to be the property of a Swedish marketing firm:

ladygagaromance.org
Reverse Whois:
"Ogelvy & Nielsen Ltd" owns about 19 other domains

Domain ID:D160903576-LROR
Domain Name:LADYGAGAROMANCE.ORG
Created On:11-Dec-2010 21:48:32 UTC
Last Updated On:10-Feb-2011 03:49:07 UTC
Expiration Date:11-Dec-2011 21:48:32 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com
(R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_2144851
Registrant Name:Per Lundstroem
Registrant Organization:Ogelvy & Nielsen Ltd
Registrant Street1:12, Gammel Kongevej
Registrant Street2:
Registrant Street3:
Registrant City:Copenhagen V
Registrant State/Province:Bornholm
Registrant Postal Code:1610
Registrant Country:DK
Registrant Phone:+45.332565
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: contact@victorymarketing.info

LadyGagaRomanceTips.com is also Ogelvy & Nielsen Ltd (contact@victorymarketing.info)

Looking more closely, we can see that Ogelvy & Nielsen Ltd are a front:

victorymarketing.info is hosted on a server in Hong Kong with IP address 123.108.108.55:

victorymarketing.info    a     123.108.108.55
Hong Kong

The name server for victorymarketing.info is ns1.pranza.com.

Other domains with the same IP address and name server are:

abrahamwealthservices.com
fosassetmanagement.com
hsharpprivateconsultants.com
ivitamins.org
mail.abrahamwealthservices.com
mail.hsharpprivateconsultants.com
mail.pacific-escrow.com
mail.pranza.com
mail.pricelaw.com
mail.rainesecuritiesllc.com
ns1.pranza.com
pranza.com
pricelaw.com
rainesecuritiesllc.com
top.pranza.com
victorymarketing.info

ns1.pranza.com:
Domains using this as name server (8)

abrahamwealthservices.com
hsharpprivateconsultants.com
ivitamins.org
pranza.com
pricelaw.com
rainesecuritiesllc.com
roidgear.net
victorymarketing.info

pranza.com itself is shielded by PrivacyProtect.org:

Domain Name: PRANZA.COM
Registrant:
PrivacyProtect.org
Domain Admin (XXXXXXX@privacyprotect.org)
ID#10760, PO Box 16
Note - All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null,QLD 4218
AU
Tel. +45.36946676

pranza.com was registered through Directi:

Domain Name:    PRANZA.COM
Registrar:    DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Examining the other properties associated with it by DNS and IP address:

Domain Name:IVITAMINS.ORG
Created On:25-Mar-2005 09:25:39 UTC
Last Updated On:24-Aug-2010 13:46:11 UTC
Expiration Date:25-Mar-2012 09:25:39 UTC
Sponsoring Registrar:1API GmbH (R1724-LROR)
Status:OK
Registrant ID:RAI6113358-QAPX
Registrant Name:Rusnac Irina Anatoli
Registrant Organization:ICS Interland SRL
Registrant Street1:B-dul Stefan celMare, no. 169
Registrant Street2:
Registrant Street3:
Registrant City:Chisinau
Registrant State/Province:Chisinau
Registrant Postal Code:2004
Registrant Country:MD
Registrant Phone:+373.60305749
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:

ivitamins.org, based in Moldova, is an Internet marketer of anabolic steroids, human growth hormone, and the like, presumably manufactured by Balkan Pharmaceuticals SRL:

iVitamins Shop
Manufacturer: Balkan Pharmaceuticals. This product is human use licensed by law at GMP standards. More details on company website ...
www.ivitamins.org/product_info.php?products_id...

iVITAMINS - Anabolic Steroids Discussion and Bodybuilding Forum
20 posts - 10 authors - Last post: Sep 19, 2006
"Just to let others know, I had some damage occur during shipping and I-vitamins said they would ship a replacement. Excellent customer service. ..."
www.anasci.org › ... › News & Updates › Anasci Board Sponsors
Very Happy with Ivitamins.org

Reverse Whois:
"SC Balkan Pharmaceuticals SRL" owns about 1 other domains
Registration Service Provided By: IMENA.UA
Contact: +380.442010102
Website: http://imena.ua
Domain Name: BALKANPHARMACEUTICALS.COM
Registrant:
    SC Balkan Pharmaceuticals SRL
    Silviu Chiru        ()
    ul. N.Grehdesku 4
    Kishinev
    ,MD-2002
    MD
    Tel. +1.22503588
    Fax. +373.22503589
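The pivoting above (shared registrant e-mail, shared hosting IP, shared name server) can be automated. The following is an added example, not code from the original post; it runs over records constructed from the values quoted above plus one constructed control domain, and reports which shared attribute links each group.

```python
"""Group domains by shared hosting IP, name server and registrant e-mail.

Added example, not from the original post. It reproduces the pivoting used
above over records constructed from the values the post quotes.
"""
from collections import defaultdict

# Constructed from the post's WHOIS and DNS output; a real run would fill these
# from passive-DNS and WHOIS lookups. Unknown attributes are None.
RECORDS = [
    {"domain": "ladygagaromance.org", "ip": None, "ns": None,
     "email": "contact@victorymarketing.info"},
    {"domain": "ladygagaromancetips.com", "ip": None, "ns": None,
     "email": "contact@victorymarketing.info"},
    {"domain": "victorymarketing.info", "ip": "123.108.108.55",
     "ns": "ns1.pranza.com", "email": None},
    {"domain": "pranza.com", "ip": "123.108.108.55",
     "ns": "ns1.pranza.com", "email": None},
    {"domain": "ivitamins.org", "ip": "123.108.108.55",
     "ns": "ns1.pranza.com", "email": None},
    {"domain": "roidgear.net", "ip": None, "ns": "ns1.pranza.com", "email": None},
    # control record (constructed) that shares nothing with the others
    {"domain": "unrelated.example", "ip": "198.51.100.7",
     "ns": "ns1.example.net", "email": "hostmaster@example.net"},
]


def pivot_keys(record):
    """Yield the (attribute, value) pairs on which a record can be joined."""
    for attr in ("ip", "ns", "email"):
        if record[attr]:
            yield attr, record[attr].lower()
    # Every domain is joinable on its own name, and a registrant e-mail is
    # joinable on its domain part: that is how contact@victorymarketing.info
    # ties the Lady Gaga registrations to the victorymarketing.info server.
    yield "name", record["domain"].lower()
    if record["email"]:
        yield "name", record["email"].rsplit("@", 1)[1].lower()


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster(records):
    """Return (clusters, shared): clusters is a list of sorted domain lists,
    shared maps each pivot key that links domains to the sorted domains."""
    evidence = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            evidence[key].add(rec["domain"])
    parent = {rec["domain"]: rec["domain"] for rec in records}
    shared = {}
    for key, domains in evidence.items():
        if len(domains) < 2:
            continue  # a value seen only once links nothing
        shared[key] = sorted(domains)
        root = _find(parent, shared[key][0])
        for dom in shared[key][1:]:
            parent[_find(parent, dom)] = root
    groups = defaultdict(list)
    for dom in parent:
        groups[_find(parent, dom)].append(dom)
    return sorted(sorted(g) for g in groups.values()), shared


def related_to(domain, records=RECORDS):
    """Sorted list of every domain in the same cluster as `domain`."""
    for group in cluster(records)[0]:
        if domain in group:
            return group
    return [domain]


if __name__ == "__main__":
    clusters, shared = cluster(RECORDS)
    for group in clusters:
        print("cluster:", ", ".join(group))
    for (attr, value), domains in sorted(shared.items()):
        print(f"  {attr}={value} links {len(domains)} domains")
```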


James McQuaid
EmergingThreats.net

Saturday, May 14, 2011

How To Disable WebGL

On May 11th, Swa Frantzen posted "Time to disable WebGL?" on the Internet Storm Center's Diary page (http://isc.sans.edu/diary.html?storyid=10867).  Dan Goodin also covered this story on the 11th: "New graphics engine imperils users of Firefox and Chrome" (http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/). 

Both articles point out that US-CERT has recommended that WebGL be turned off in browsers which support it (http://www.us-cert.gov/current/index.html#web_users_warned_to_turn).

The SANS piece mentions that in order to disable WebGL in Google Chrome "It needs the --disable-webgl argument on the command line".  After some testing, I have concluded that this only works once (i.e. in the browser session opened from the command line).  In addition, if you open the command window in the Run As Administrator mode, the command line argument does not work at all.

In order to disable WebGL on end user computers, it is necessary to change the target of every Google Chrome shortcut on a machine. 

To make this change in Windows 7:
1) right click the Google Chrome shortcut,
2) left click Properties,
3) click the Shortcut tab, and
4) change the Target to:
C:\Users\THEUSERNAME\AppData\Local\Google\Chrome\Application\chrome.exe --disable-webgl

This will not prevent users from creating a new WebGL enabled shortcut.
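To find shortcuts that have drifted back to a WebGL-enabled target, the following added example (not from the original post) reads the target path and arguments directly out of each .lnk file and lists Chrome shortcuts lacking --disable-webgl; the build_lnk helper constructs minimal fixture files so the logic can be exercised without Windows.

```python
"""Audit Windows shortcuts for Chrome launches that lack --disable-webgl.

Added example, not part of the original post. It reads the target path and the
arguments straight out of the Shell Link (.lnk) binary format, so it needs no
Windows COM objects and can run over shortcut files copied from many profiles.
"""
import os
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits from the Shell Link format (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries appear in this order, each gated by its LinkFlags bit
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit


def _cstring(data, pos):
    """Read a NUL-terminated ANSI string starting at pos."""
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")


def parse_lnk(data):
    """Return {"target": local path or "", "arguments": str} from .lnk bytes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList; LinkInfo has the path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        (info_size, _hdr, info_flags, _vol, base_off,
         _net, suffix_off) = struct.unpack_from("<7I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
        pos += info_size
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {"target": target, "arguments": fields.get("arguments", "")}


def launches_webgl_chrome(data):
    """True if the shortcut starts chrome.exe without the --disable-webgl flag."""
    link = parse_lnk(data)
    if not link["target"].lower().endswith("chrome.exe"):
        return False
    return "--disable-webgl" not in link["arguments"].lower().split()


def audit_directory(root):
    """Walk root and return the .lnk paths that still launch Chrome with WebGL on."""
    offenders = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if launches_webgl_chrome(fh.read()):
                        offenders.append(path)
            except (ValueError, IndexError, struct.error):
                continue  # not a parseable shortcut; skip it
    return offenders


def build_lnk(target, arguments):
    """Build a minimal .lnk in memory (constructed fixture for offline testing)."""
    base = target.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # fixed disk, no label
    hdr = 28  # LinkInfoHeaderSize without the optional Unicode offsets
    info_size = hdr + len(volume_id) + len(base) + 1  # +1: empty CommonPathSuffix
    link_info = struct.pack("<7I", info_size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH, hdr,
                            hdr + len(volume_id), 0, info_size - 1)
    link_info += volume_id + base + b"\x00"
    flags = HAS_LINK_INFO | IS_UNICODE | (0x20 if arguments else 0)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    head = struct.pack("<I", HEADER_SIZE) + clsid + struct.pack("<I", flags)
    head += b"\x00" * (HEADER_SIZE - len(head))  # attributes, timestamps, etc.
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return head + link_info + args
```

Run audit_directory over the Desktop and Start Menu folders of every profile on a machine (or over shortcuts collected from several machines) to list the ones that need their Target changed.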


In Firefox 4.01, WebGL can be disabled by:
1) enter "about:config" in the address window,
2) scroll down to webgl.disabled and right click on it,
3) left click Toggle.

You can test your configurations by browsing to this site: http://www.webkit.org/blog-files/webgl/SpiritBox.html.  If the puppy appears in a rotating cube, WebGL is enabled.  If WebGL is disabled, you will see a photograph.

The WebGL extension designed to protect the GPU stack from exploitation, GL_ARB_robustness, has not been deployed by most GPU vendors.

Once WebGL is effectively sandboxed by Google and Mozilla, I will be happy to turn it back on.  Until then, the eye candy will have to wait.

Additional references:
    http://www.contextis.com/resources/blog/webgl/
    http://www.khronos.org/news/permalink/webgl-security

James McQuaid

Sunday, March 20, 2011

RBN IP List and Super Black Hole Updated


Hunting the RBN

IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will:

Protect your family and home network from 300,675 of "the baddest of the bad" domains blacklisted for Smoothwall 3:

config

hosts

Sunday, March 6, 2011

RBN IP List Update 3-6-2011

RBN IP List Update 3-6-2011 is available at:
http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

In this update we add more coverage for ChronoPay properties.  Thus far, we have seen only one domain object move.  The mail server mail-eye.com was located at 78.108.190.4 (AS43355 UPL-TELECOM-AS UPL Telecom) and is now deployed at 178.63.72.234 (Hetzner).  Both of these IP addresses also host DNS servers, so this provides a clue as to enemy infrastructure.

In addition to Pavel Vrublevsky's hubris, the update lists new instances of SpyEye Command and Control servers, Zeus, several backdoor trojans, a Heihachi deployment of Trojan Palevo, and we catch the Koobface Gang victimizing cancer patients with Trojan Bredolab.

We have consolidated several IP listings (an opportunity provided by consistently malicious behavior).

We wish to acknowledge Brian Krebs, the Malware Domain List, and David Glosser at Malware Domains.

Thank you,

James McQuaid
http://www.jamesmcquaid.com/JamesMcQuaid.asc

Saturday, February 12, 2011

AnonLeaks On The Move

Yesterday, I pointed out that anonleaks.pcriot.com had been deployed on IP address 69.175.6.102. During the night, anonleaks.pcriot.com was moved to 69.175.122.178. In addition, anonlinks.pcriot.com was deployed on 69.175.6.102.

69.175.122.178
anonleaks.pcriot.com

69.175.6.102
anonlinks.pcriot.com

In addition, anonleaks.ru has been set up within criminal hoster Webalta's IP space:

92.241.162.216
anonleaks.ru
hbgary.anonleaks.ru
internetfeds.mil.nf
irc.anonops.net
loic.anonops.in

Anonops has several familiar dedicated DDOS domains at 109.235.53.142:

dharma.anonops.ru
irc.anonops.net
irc.anonops.ru
loic.anonops.in
loic.anonops.net
loic.anonops.ru

Hijacked brands on 69.175.122.178 include Facebook, HSBC Finance, Nintendo, and Star Wars. In addition, the IP is cluttered with web spam junk domains.

According to clean-mx.de, there have been 29 separate instances of malware on 69.175.122.178 during the past 12 months (including pcriot.com; see http://support.clean-mx.de/clean-mx/viruses.php?ip=69.175.122.178&sort=first%20desc), and the host domain objects remain in play (they include various subdomains of pcriot.com, x10.bz, and x10.mx).
MalwareURL reports that Zeus and other keyloggers are currently active on the IP.


x10hosting.com is the bad hosting firm involved, and we will be taking a close look at their other operations.


James McQuaid
2-12-2011

Friday, February 11, 2011

AnonLeaks Continues Relationship With Criminals

The sociopaths at Anonymous are once again aligning themselves with cyber criminals.  You may recall that they hooked up with Heihachi some time ago.  Now they are launching AnonLeaks as a replacement for WikiLeaks.  While AnonLeaks is being promoted through social media and free sites such as Blogger, they have also launched a subdomain at the malware domain pcriot.com.

Google Safe Browsing paints a pretty ugly picture:
"Malicious software includes 1 scripting exploit(s), 1 trojan(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine."
http://www.google.com/safebrowsing/diagnostic?site=pcriot.com

Threat Expert, Norton, and McAfee also warn of malware at the site:
http://www.threatexpert.com/report.aspx?md5=a7e1388c38c1fed12785bc335f95b15d
http://safeweb.norton.com/report/show?name=biohazarder.pcriot.com
http://www.siteadvisor.com/sites/pcriot.com

anonleaks.pcriot.com is nestled in with numerous scam, fraud and malware sites at 69.175.6.102:

If you don't want to reload your computer, as well as deal with the nightmare that is identity theft, stay away from the various AnonLeaks sites.

We will be adding 69.175.6.102 to the RBN IP List with the next update.

Amazon may be interested to learn that they are hosting a site being utilized by Anonymous:

AnonLeaks. posted Dec 14, 2010 03:57:55 by anonleaks123. Pure Awesomeness. 5950853.weebly.tal.ki/20101214/anonleaks-257449/
5950853.weebly.tal.ki a 184.72.247.12 United States
184.72.128.0/17 Amazon IAD prefix AS14618 Amazon-AES-IAD

One of the characteristics that the members of Anonymous have in common with their Russian and Ukrainian cybercriminal benefactors is that they evidently never received a moral education. Another is that they are felons who have earned hard prison time.

James McQuaid
11 February 2011

Friday, January 28, 2011

FBI Impersonation Spam Serves Trojan.Ransom

For the past month, a compromised web site has been sending emails purporting to be from the "Federal Bureau of Investigation".  The email encourages the victim to download a file which installs Trojan.Ransom.


The spear phishing email originates from an evidently compromised domain robertmueller.com.  The email that I received bears the subject line "Email Correspondence", and was 111 kb in size.  The email account which was used to send the email is infors@robertmueller.com.


A check of the site reveals that it has been in existence since 1999:

robertmueller.com a 85.13.128.201 dd1932.kasserver.com
robertmueller.net
ICANN Registrar: INTERNETWIRE COMMUNICATIONS GMBH
Created: 1999-08-24
Expires: 2011-08-24
Updated: 2010-12-07
domain:          robertmueller.com
nserver:         ns5.kasserver.com
nserver:         ns6.kasserver.com
created:         1999-08-24
updated:         2010-12-07

owner-id:        RM624348
owner-org:       
owner-name:      Robert Caspar Mueller
owner-address:   Frankfurter Tor 7
owner-pcode:     10243
owner-city:      Berlin
owner-country:   DE
owner-phone:     +49 305 4714361
owner-email:     mail@robertmueller.com

This spear phishing campaign appears to be relatively unknown.  I checked the domain at Google Safe Browsing and Norton Safe Web, neither of which had checked the site.  McAfee Site Advisor gives the site a safe rating.


For over a year, members of the Russian Business Network have sought to impersonate F.B.I. leaders and web sites.


If you receive this email do not open it.


James McQuaid
1-28-2011

Tuesday, January 25, 2011

Massive Blackhat SEO Malware Campaign Launched

"Do not blame the Soviet Union had thousands of such care, the body for small medical gas cents, even if he is especially the fear, if allowed to spread this poison out of stock"

On January 23rd, thousands of machine generated attack sites were registered through GoDaddy using DNSPod name servers.  These sites generally have a five-character name and use the .info TLD.  The sites combine black hat SEO poisoning with virulent malware infections.  At least one anti-virus vendor has labeled the infections as "not disinfectable".

The structure of these sites takes two forms.  The attack sites utilize a technique known as wildcard DNS, which enables an unlimited number of subdomains to be created for a single domain name.  Sites like pgkqy.info, which I will refer to as the hounds, contain over 6000 links to the attack sites: the hounds' content consists of 200 links to subdomains of each of 30 different attack domains (see http://doc.emergingthreats.net/bin/viewfile/Main/RussianBusinessNetwork?rev=1;filename=hounds_to_the_hunters.txt).  The hounds' large number of links serves to boost the search engine rankings of the attack sites.

The attack sites themselves are littered with keywords and phrases designed to poison search engine results, and lure the unwary.  These include references to celebrity sex scandals, teenage sex, and so forth.  The attack sites also contain machine generated text consisting of numerous paragraph length narratives (in English and Mandarin). Inserted among these narratives are out of context messages, which resemble coded messages.  Might the following be a reference to Iranian oil?:

"Since no increase, and that this spirit of building the base fluid, the patriarch will be purchased by the Shaw and the next war"

Regardless, the malware payload appears quite ominous on its own.  One of the sites distributing malware to the visitors of the attack sites (code1.2bj.cc) has previously distributed malware deemed "exact, not disinfectable" by F-Prot.  In that incident, anti-virus detection rates were approximately 50%:

Antivir                        TR/Agent.DT
Avast                          Win32:Trojan-gen
Bit Defender                   Trojan.Agent.DT
ClamAV                         Trojan.Agent-298
DrWeb                          Trojan.PWS.Htool
F-Prot                         W32/Trojan.CXF (exact, not disinfectable)
F-Secure Anti-Virus            Trojan.Win32.Agent.dt
Ikarus                         Trojan.Win32.Agent
Kaspersky Anti-Virus           Trojan.Win32.Agent.dt
McAfee VirusScan               potentially unwanted program Generic HTool
Panda Anti-Virus               Trj/Agent.AMJ
Sophos                         Troj/HTool-B
Symantec Command Line Scanner  Trojan Horse
VBScan                         Trojan.Agent.HPVY
VirusBlokAda                   Trojan.Win32.Agent.dt

Sites serving malware to the attack sites have been highly successful in separate campaigns over the past 90 days.  A sampling of Google Safe Browsing reveals results like the following:

tpjt.info:
Over the past 90 days, tpjt.info appeared to function as an intermediary for the infection of 254 site(s)
coooog.com:
Malicious software includes 143 exploit(s).
Over the past 90 days, coooog.com appeared to function as an intermediary for the infection of 371 site(s)

In the case of attack site 175.bctjd.info, network activity included:

Requests
URL    Status    Content Type
http://175.bctjd.info     200    text/html
http://175.bctjd.info/tj400.js     404    text/javascript
http://175.bctjd.info/tj.js     200    text/javascript
http://js.users.51.la/4440802.js     200    text/javascript
http://175.bctjd.info/1.js     200    text/javascript
http://tpjt.info/bs003/?9865     200    text/html
http://vip.coooog.com:8080/f/cpv.asp?adid=4207&uid=11228     200    text/javascript
http://122.226.223.149:8080/coo/uploadfile/20110114110108277.swf     200    application/x-shockwave-flash
about:blank     200    text/html
http://s6.cnzz.com/stat.php?id=1583556&web_id=1583556     200    text/javascript
http://vip.coooog.com:8080/f/mt.js     200    text/javascript
http://tpjt.info/skins/orange/images/style.css     200    text/javascript
http://tpjt.info/liaotian/cjtc.js     200    application/x-javascript
http://74.207.249.234/liaotian2/     200    text/html
http://74.207.249.234/liaotian1/flash/novie.swf     200    application/x-shockwave-flash
http://74.207.249.234/liaotian2/img/ChatShow.js     200    application/x-javascript
http://74.207.249.234/liaotian1/f1ash/16.swf     404    text/html
http://www.blogkou.com/f1ash/11.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/3.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/6.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/5.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/4.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/7.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/8.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/9.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/2.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/13.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/12.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/15.swf     200    application/x-shockwave-flash
http://www.blogkou.com/f1ash/1.swf     200    application/x-shockwave-flash
http://74.207.249.234/liaotian2/img/ip.js     200    text/javascript
http://fw.qq.com:80/ipaddress     200    text/javascript
http://js.users.51.la/4429735.js     200    text/javascript
http://cpm.ad123456.com/m.js     200    text/javascript
http://tpjt.info/1.js     200    text/javascript
http://images.sohu.com/cs/jsfile/js/lu.js     200    text/javascript
http://js.star8.net/code.js     200    text/javascript
http://js.users.51.la/4192183.js     200    text/javascript
http://js.users.51.la/4397946.js     200    text/javascript
http://js.users.51.la/4392080.js     200    text/javascript
http://js.users.51.la/4286690.js     200    text/javascript
http://vip.coooog.com:8080/gotocpvv.asp?id=11228&adid=2105&Vfc=38333831333132383131313438313534&tid=11295&url=http://tpjt.info/bs003/?9865     500    text/html
http://lu.sogou.com/kwd?pid=meilalala&ct=kwd&fmt=h_kwd&dn=8&iw=728&ih=15&fs=12&c_bo=ffffff&c_bg=ffffff&c_fg=ff0000&tdw=&charset=gb2312&ti=QVOD%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1,%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1,QVOD%E7%94%B5%E5%BD%B1,%E5%BF%AB%E6%92%AD%E7%94%B5%E5%BD%B1,%E4%BC%A6%E7%90%86%E7%89%87,%E5%BF%AB%E6%92%AD%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1-%E5%9C%A8%E7%BA%BF%E5%85%8D%E8%B4%B9%E4%BC%A6%E7%90%86%E7%94%B5%E5%BD%B1%E7%BD%91&ref=http://tpjt.info/bs003/?9865&sohuurl=http://tpjt.info/bs003/?9865     200    text/html
http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy     200    text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=687&username=9idy     200    text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=687&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0     200    text/html
http://code1.2bj.cc:8899/click.html?adid=551&uid=9idy     200    text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=551&username=9idy     200    text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=551&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=551&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0     200    text/html
http://pic.2bj.cn/upload/wz823/55/950x90.files/2.js     200    application/x-javascript
http://code1.2bj.cc:8899/click.html?adid=675&uid=9idy     200    text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=675&username=9idy     200    text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=675&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=675&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0     200    text/html
http://c.star8.net/c1.ashx?ln=1&w=314261&sid=0&logo=true&e=OR8cNc5cKsA3Zk8bA2zB4PEV5be4MdCu4ZolkxB8r4c6mTNwRdD3UQ==&ar2s=1&furl=http://tpjt.info/bs003/?9865&ffurl=http://tpjt.info/bs003/?9865     200    text/html
http://sougoudaima.soua.com/101105/950x220/950x220.html?uid=2234     200    text/html
http://code.soua.com/js/common.js     200    text/javascript
http://code.soua.com/js/word.js     200    application/x-javascript
http://code1.2bj.cc:8899/click.html?adid=311&uid=9idy     200    text/html
http://code1.2bj.cc:8899/cf.aspx?action=adget&ad_id=311&username=9idy     200    text/javascript
http://code1.2bj.cc:8899/CF.aspx?action=adget_2&UserName=9idy&Ad_ID=311&CycleAd=0&TcType=0&TcSpace=0&Ly=http://code1.2bj.cc:8899/click.html?adid=311&uid=9idy&FirstShow=1&CookieOk=1&WebWidth=0&WebHeight=0&WebTop=0&WebLeft=0     200    text/html
http://pic.2bj.cn/upload/wz425/950_90_5_files/js.js     200    text/javascript
http://pic.2bj.cn/upload/wz425/950_90_5_files/279.css     200    text/javascript
In addition, numerous ActiveX controls were invoked.
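The request list above can be triaged automatically. The following is an added example, not part of the original post; it parses lines in the same "URL status content-type" layout (a few of the lines above are copied into SAMPLE_LOG) and flags the traits visible in this campaign: third-party hosts on non-standard ports, bare-IP hosts, content types that do not match the file extension, and lookalike path names such as "f1ash".

```python
"""Triage a drive-by request log of the kind shown above.

Added example, not part of the original post. Input lines are "URL  status
content-type" as in the request list; SAMPLE_LOG copies a few of those lines.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = """\
http://175.bctjd.info     200    text/html
http://175.bctjd.info/tj.js     200    text/javascript
http://tpjt.info/bs003/?9865     200    text/html
http://vip.coooog.com:8080/f/cpv.asp?adid=4207&uid=11228     200    text/javascript
http://122.226.223.149:8080/coo/uploadfile/20110114110108277.swf     200    application/x-shockwave-flash
http://tpjt.info/skins/orange/images/style.css     200    text/javascript
http://74.207.249.234/liaotian1/f1ash/16.swf     404    text/html
http://www.blogkou.com/f1ash/11.swf     200    application/x-shockwave-flash
http://code1.2bj.cc:8899/click.html?adid=687&uid=9idy     200    text/html
about:blank     200    text/html
"""

# Content types a well-behaved server would send for each extension.
EXPECTED_TYPES = {
    ".js": {"text/javascript", "application/x-javascript", "application/javascript"},
    ".css": {"text/css"},
    ".swf": {"application/x-shockwave-flash"},
    ".html": {"text/html"},
}
# Digit-for-letter path names seen in the log above; extend as observed.
LOOKALIKE_SEGMENTS = {"f1ash"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one "URL status content-type" line; None for blank/malformed."""
    parts = line.split()
    if len(parts) < 3 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[-1].lower()


def extension(path):
    """File extension of the last path segment, lower-cased, or ''."""
    last = path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""


def triage(log_text):
    """Return (url, reason) findings for every suspicious request."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or not parsed[0].startswith("http"):
            continue  # blank lines, about:blank and similar pseudo-URLs
        url, status, ctype = parsed
        parts = urlparse(url)
        host, port, path = parts.hostname or "", parts.port, parts.path
        if port not in (None, 80, 443):
            findings.append((url, f"non-standard port {port}"))
        if BARE_IP.match(host):
            findings.append((url, "bare IP address host"))
        expected = EXPECTED_TYPES.get(extension(path))
        if expected and status == 200 and ctype not in expected:
            findings.append((url, f"{extension(path)} served as {ctype}"))
        if any(seg.lower() in LOOKALIKE_SEGMENTS for seg in path.split("/")):
            findings.append((url, "lookalike path segment"))
    return findings


def third_party_hosts(log_text, first_party):
    """Sorted hosts contacted other than the page the victim visited."""
    hosts = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[0].startswith("http"):
            host = urlparse(parsed[0]).hostname or ""
            if host and host != first_party:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for url, reason in triage(SAMPLE_LOG):
        print(f"{reason:35} {url}")
    print("third-party hosts:", ", ".join(third_party_hosts(SAMPLE_LOG, "175.bctjd.info")))
```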

The sites have been deployed throughout HostNOC.  Hound site pgkqy.info is at 173.212.238.77, while attack sites vdjiv.info and bbzfc.info reside at 173.212.238.76.  However, both hound site dsqof.info and attack site bjpwn.info are at 184.82.9.206.  All are utilizing f1g1ns1.dnspod.net as a DNS server.

We will pinpoint more hostile IP addresses as time permits.  You can pursue further investigation with the use of this file: http://doc.emergingthreats.net/bin/viewfile/Main/RussianBusinessNetwork?rev=1;filename=includes_skynet.txt.


James McQuaid
1-25-2011

Sunday, January 23, 2011

More Glavmed to Kick


Citing an alarming statistic, the Partnership at Drugfree.org announced the results of a survey of consumers' online drug purchasing behavior. The survey's results? 1 in 6 adults, approximately 16% of the adult population, have bought or currently buy medications online without a doctor's prescription.


These counterfeit drugs are likely to harm you, and will leave your condition untreated.  One counterfeit's ingredients were shown to include roach powder, powdered brick, road paint, and floor wax. 


When you obtain a medication that has been approved by the FDA, and prescribed by a licensed practitioner, and purchased at a licensed pharmacy, that product is safe. When you go out of the system, you are dealing with criminals who have found it is easier to sell drugs online than to sell crack or heroin on the street.


Glavmed is the Russian mafia consortium that operates these illegal "pharmacies".  Today's RBN IP List Update includes additional Glavmed online properties.


Come on people, let's get smart.  For the most part, these guys are militant nationalists who hate all Americans.  They find it amusing that they can get the "stupid Americans" to pay to harm themselves.


Additional information is available at Gary Warner's excellent blog: http://garwarner.blogspot.com/2010/12/36-million-americans-buy-drugs-online.html


James McQuaid

Tuesday, January 18, 2011

A Backhand Blow to the Koobface Gang

Today's RBN IP List update is a backhand blow to the Koobface Gang. They are electronic terrorists systematically poisoning the Internet ecosystem, and they should be hunted down with extreme prejudice.

Over 100,000 networks utilize EmergingThreats.net's emerging-rbn.rules in their intrusion prevention systems and firewalls. You can find all of the files at http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork, including the RBN IP List. You can download today's observations update at: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_1-18-2011.txt

Home users can easily block the Koobface Gang (and other threats) using DNS BlackHole in Smoothwall Express.  The files are free and are available here: http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples


James McQuaid

Sunday, January 16, 2011

Notes On The Darzhavna Sigurnost

I once worked with a refined and very gracious man, a gentleman's gentleman in every sense of the word. He had retired from the C.I.A. before taking a position in the organization where we had become acquainted. Not given to the negative, he was an evangelist for the power of positive thinking. He had a great sense of humor, which he could inject into an otherwise grim business meeting.

I had occasion to ask him about the Darzhavna Sigurnost during the Cold War. He described them as murderous gangsters, and related the story of an individual he had sought to extract from Bulgaria. He eventually found his man, at least the lower torso; the other half of the body having been burned up in a furnace.

Once Moscow’s most obedient ally, Bulgaria operated one of the most notorious spy networks in the Cold War era. The Darzhavna Sigurnost was implicated in plots ranging from a failed assassination attempt on Pope John Paul II to the killing of an exiled dissident in London with a poison-tipped umbrella.

Under current Bulgarian law, no one can be punished or face any legal consequences if they are named as former informants or spies. Previous attempts to bar them from holding public positions (including in law enforcement) have consistently been overruled by the constitutional court.

The Komitet za darzhavna sigurnost's 6th Directorate were the political police, and they were succeeded by the "Head Service for Combating Organized Crime". It had the following departments:
1st Department – worked among the intelligentsia and controlling the unions of artists
2nd Department – worked in the universities and among the students
3rd Department – responsible for the clergy, the Jews, Armenians and Russian White emigrants
4th Department – specialized in pro-Turkish and pro-Macedonian nationalism
5th Department – worked among the political rivals, such as the agrarians and social democrats
6th Department – observed pro-Maoist and anti-party activity
7th Department – information analysis and anonymous activity

The publication by Bulgaria's parliament in mid-December of the names of ambassadors and top diplomats in capitals ranging from Berlin, Lisbon, London, Madrid, Moscow and Rome to Beijing and Tokyo who all worked as agents or collaborators for the Darzhavna Sigurnost "has dealt a humiliating blow to Bulgaria's foreign service".

88 former Darzhavna Sigurnost agents "were still currently employed by the foreign ministry, including 33 ambassadors, eight interim ambassadors and four consuls-general. They included the Bulgarian envoys to 13 of the other 26 European Union capitals, plus Sofia's representatives to the United Nations in Geneva and New York, as well as all of its missions in the neighbouring Balkan countries". One former collaborator includes the country's current president Georgy Parvanov.

"In the second half of the 1970s and the first half of the 1980s, known terrorists were granted a safe haven in Bulgaria – the terrorist group led by Ilich Ramirez Sanchez, also known as Carlos the Jackal, the Abu Nidal group, and members and supporters of the Muslim Brotherhood.

During the same period, Bulgaria was visited by activists of known terrorist organizations, including the German Red Army Faction – also known as the Baader Meinhoff Gang – Turkey’s right- and left-wing extremists from the Grey Wolves and Dev Sol, as well as the Armenian Secret Army for the Liberation, or Armenia ASALA. These visits can be associated with the first acts of international terrorism on Bulgarian soil, such as hijacking of airplanes and assassinations of foreign diplomats."

In 2008, the New York Times cited an unnamed senior Western European diplomat as saying, "You could bet that anything we shared with Bulgaria inside NATO went straight to Moscow. The old Communist nomenklatura and secret services is still around in Romania and Bulgaria."

Western law enforcement officials, computer security specialists, and journalists need to bear in mind the character of who they are dealing with when they interact with Bulgaria's diplomatic service and law enforcement organizations.

James McQuaid
16 January 2011

Saturday, January 1, 2011

Blocking the Heihachi and 2x4.ru Networks

USMC Lance Corporal Albert Miranda, Lance Corporal David Burdwell, and platoon Lieutenant Alec Bodenwiser hold Khe Sanh.

(photograph by David Douglas Duncan)


Heihachi Ltd. is a bulletproof, blackhat hosting provider located in the Russian Federation, which is a well known safe haven for Internet as well as real world criminals. Heihachi hosts a large number of domains whose operators are engaged in hard core crime. The types of crimes these domains perpetrate include bank fraud, wire fraud, stolen credit card (carder) fraud, piracy, brand jacking, money mule recruiting, illegal drugs, illegal pornography, human smuggling, botnet operation, stealth malware, web site hacking, denial of service attacks, spam and phishing. It is more than disturbing that the Russian and Ukrainian governments shield these predators from prosecution. In December, Heihachi launched denial of service attacks against Spamhaus, and set up a mirror site from which it could attack the computers of those attempting to visit WikiLeaks. Heihachi Ltd. operates front companies in Panama and elsewhere.

Closely allied with Heihachi is the 2x4.ru network, operated from Moscow by Pavel Ivanov. Ivanov sits at the nexus between criminality and terrorism. He is believed to have enabled terrorist activity. Ivanov operates shell companies in the Seychelles Islands and elsewhere (the address he used in registering these fronts in the Seychelles is actually that of a hotel).

This is transnational organized crime at its worst.

Heihachi-2x4.txt is a list of Heihachi and 2x4.ru domains, and you are well advised to add these to your DNS black hole and blocklists. You can freely download the file at:
http://www.jamesmcquaid.com/Heihachi-2x4.txt

James McQuaid
1-1-2011