Hosting Ukraine Burnt Out | HostExploit

Hosting Ukraine Burnt Out | HostExploit


Hosting UA in Odessa one of the main data centers and hosts in Ukraine is offline, due to a major fire.

Figure 1 Hosting Ua - Fire - courtesy watcher.com.ua

AS41665 HOSTING-AS National Hosting Provider, UAwith 144,384 IP addresses and was # 4 on the HostExploit Bad Hosts Report in December 2009 out of 34,000 ASNs (autonomous servers / hosts) compared for serving badness on the Internet. Although in the forthcoming HostExploit Top Bad Host report – Hosting Ua had demonstrated some improvement over the first quarter 2010, see forthcomingHostExploit Bad Host Report March 2010.




Figure 2 Hosting Ua - Fire - courtesy watcher.com.ua



The fire that occurred on the second floor Business Center Factory of Business St. Dal'nic'ka 46, Odessa occurred at around 10:00 pm local time on the evening on March 27th 2010. (http://watcher.com.ua). At this time there has not been any official explanation as to the cause of the fire.

Figure 3 - Hosting UA - Offline 032810




Figure3 - shows currently Hosting UA disconnected from the Internet. Of the 5,381 web sites tested on this network over the past 90 days, 291 of the web sites served content that resulted in malicious software being downloaded and installed.


RBN – Real Host, Latvia and the Zeus Botnet

RBN (Russian Business Network) via Real Host Ltd. is a fairly blatant cybercrime and bullet proof hosting hub. Inhabiting AS8206 Junik based in Riga, Latvia, and is high on any watch list. (ref1 & ref2)

As Dynamoo points out “A real sewer” (ref3), moreover this has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or a clone of the RBN’s business model.

Fig 1 – Front page of installing cc – Zeus botnet rental & loading


Of more current interest, this is the base for distributing the new and as yet un-patched “Zero day Flash/PDF exploit” (ref 4), Zero day MS e.g. Directshow - MS09-028, and a core center for the Zeus botnet C&C (command and control) the # 1 botnet in the US with an estimated 3.6 million PCs infected.


Also known but updated usage of RBN methodologies:

# Rock Phish - which originally introduced the Zeus (aka WSNPOEM) Trojan.

# ZeuEsta (a mix of the ZeuS crimeware and the El Fiesta Exploit Kit). However, since April 17 2009 ZeuEsta in combination with SPack Exploit Kit (ref 5)


Fig 2 – iSell.cc - Stolen: Bank logins, credit cards, PayPal Sales and IDs – On Real Host





Fortunately in more recent times there are several good sources within the Open SEC community of up-to-date information as to malware domains, spam centers, botnets, to select a few:
  • Spamhaus – SBL75831 – lists the net block for Phishing and Malware hosting. (Ref 6.)
  • Fire - shows up to 9 complete malware servers over recent times. (Ref 7.)
  • MalwareURL – shows currently 199 domains hosting amongst other badness; 18 trojans, 25 redirects to exploits and rogue anti-virus, 6 Botnet C&C (command and control) (Ref 8.)
  • Google’s Safe Browsing - shows for AS8206 Junik in the last 90 days; 12 sites providing malicious software for drive by downloads, 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing - as an example for just one of the domains – 71.speed.info – 32 scripting exploits

The Results of Investigation and Reporting the Issues


Fig 3 – Real Host Routing – as of 073109






Fig 4 – Real Host Routing – as of 080309

Money Mule sites - the Barwells Group and NewskyAG reveals the following:

BarwellsGroup
"During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transactions or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500USD per month, plus 5 commissions."
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day!

NewskyAG
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:
In summary Real Host from within Junik serves;
  • exploits including un patched (or soon to be patched) 0days
  • Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake antivirus, down loaders and even a Mac trojan
  • phishing sites,
  • money mule recruitment sites;
  • Zeus botnet Command and Control servers
  • Distributing licensed software (Warez),
  • Illegal porn content

Added to which is a center for the RBN cybercrime business model;
  • botnet rental,
  • botnet loading,
  • phishing
  • iFrame exploit affiliate,
  • warez
  • credit card trading forums,
  • openly selling credit card, PayPal accounts and bank logins, over 10,000 “newly harvested”
So who is Real Host Ltd.?
To start with the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, here are just a few other tell tale signs:
  • Many of the domains are ex-Estdomains.
  • All of the websites are in Russian or for the trading arm Russian / English.
  • Older entities which many had thought were dead and gone are here; Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN but are clearly Russian organized cyber criminals, in the same vein and at least headed by someone from the old RBN school.

Further manual investigation led to the following information on domains supplied by Real Hosts:

IP Domain Purpose
213.182.197.229 yourgoogleanalytics.us Money Mule Recruiting
213.182.197.229 barwellsgroup.cn Money Mule Recruiting
213.182.197.249 Vikd3jj-3.com Malware
213.182.197.251 2k90.cn Malware
213.182.197.13 Mac-videos.com Mac Trojan
213.182.197.236 71speed.info Banking Trojan - Silent Banker
213.182.197.8 bestxvids.info Zlob
213.182.197.249 traffic-searches.cn Botnet C&C
213.182.197.237 1gigabayt.com Zeus C&C
213.182.197.14 iframepartners.com iframe sellers
213.182.197.228 Chlenopopik.com Zeus C&C
213.182.197.14 Megavipsite.cn Malware
213.182.197.20 Traffcount.cn Malware
213.182.197.229 Newskyag.com Money Mule Recruiting & Zeus C&C
213.182.197.235 Traffic-exchange.ru Part of iframe redirection service
213.182.197.10 vlkontacte.ru Russian Social Network Phish
213.182.197.251 Botnet.su Zeus C&C

The Botnet.su & related installs.cc domains, the attackers clearly aren't trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. Zeus is of the most common threats being hosted from Real Host's network.


RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against Internet badness.

‘Alas poor McColo I knew them well’ - so does anyone on the planet who receives email / spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here. HostExploit Report


As a result of the first HostExploit Cyber Crime USA report which focused on Atrivo / Intercage and subsequent community actions, there was a quantitative drop of 10% of spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.


Following Hurricane Electric's awareness of the report's content, at approximately 4:30pm EST 11/11/08 Hurricane Electric pulled the plug. Just to check on this see the chart from SpamCop below. Yes a huge drop in spam as just one example!




Of course not over yet -

fraudcrew.com on IP 64.62.171.193 = 193.64-62-171.reverse.mccolo.com =
net 64.62.128.0/18 =
AS6939 HURRICANE Electric. Our favorite ‘CoolWebSearch hijackers’ are still online.



Also as we see on the CIDR report AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.


However, we can assume Hurricane Electric will get around to this 64.62.128.0/18 net block and GBLX is also acting in unison.

Again this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet; “Not the end not the beginning of the end, but the end of the beginning”?

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.



Many have shown Estdomains et. al., as a source of domain registration badness and used by cyber criminals for many years. As recently described within the HostExploit.com report “Atrivo - Cyber Crime USA” Sunbelt Software , Spamhaus, to name a few, and followed up by The Washington Post by Brian Krebs “A Superlative Scam and Spam Site Registrar”



Ironically EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware” with them stating; “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”


However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO” relating to the EstDomains CEO Vladimir Tsastsin

As of today ICANN has issued a formal and we assume irrevocable, notice of termination – see fig 2 below:




The formal letter of termination is available for download from ICANN <here> is based on court records from Estonia.




Of course what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-Accredited Registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say “It is ICANN's goal to protect registrants’ from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”



Hopefully this does demonstrate an emboldened ICANN which has recently become besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to allow the Internet security community to provide solid advice which of these domains is abusive before any transfer is made?