
Hosting Ukraine Burnt Out | HostExploit


Hosting UA in Odessa one of the main data centers and hosts in Ukraine is offline, due to a major fire.

Figure 1 Hosting Ua - Fire - courtesy watcher.com.ua

AS41665 HOSTING-AS National Hosting Provider, UA, with 144,384 IP addresses, was #4 on the HostExploit Bad Hosts Report in December 2009 out of 34,000 ASNs (autonomous systems) compared for serving badness on the Internet. In the forthcoming HostExploit Top Bad Host report, however, Hosting Ua had demonstrated some improvement over the first quarter of 2010; see the forthcoming HostExploit Bad Host Report March 2010.




Figure 2 Hosting Ua - Fire - courtesy watcher.com.ua



The fire on the second floor of the Business Center Factory of Business, St. Dal'nic'ka 46, Odessa, broke out at around 10:00 pm local time on the evening of March 27th 2010 (http://watcher.com.ua). At this time there has been no official explanation as to the cause of the fire.

Figure 3 - Hosting UA - Offline 032810




Figure 3 shows Hosting UA currently disconnected from the Internet. Of the 5,381 web sites tested on this network over the past 90 days, 291 served content that resulted in malicious software being downloaded and installed.


RBN – Real Host, Latvia and the Zeus Botnet

RBN (Russian Business Network), via Real Host Ltd., is a fairly blatant cybercrime and bullet-proof hosting hub. It inhabits AS8206 Junik, based in Riga, Latvia, and is high on any watch list. (ref1 & ref2)

As Dynamoo points out, “A real sewer” (ref3). Moreover, this has all the hallmarks and operational elements of the apparently fragmented RBN, either as a resurgence or as a clone of the RBN’s business model.

Fig 1 – Front page of installing cc – Zeus botnet rental & loading


Of more current interest, this is the base for distributing the new and as yet unpatched “zero-day Flash/PDF exploit” (ref 4) and Microsoft zero-days such as DirectShow (MS09-028), and it is a core center for Zeus botnet C&C (command and control), the #1 botnet in the US with an estimated 3.6 million PCs infected.


Also seen here, in updated form, are known RBN methodologies:

# Rock Phish - which originally introduced the Zeus (aka WSNPOEM) Trojan.

# ZeuEsta (a mix of the ZeuS crimeware and the El Fiesta Exploit Kit). However, since April 17 2009 ZeuEsta has been used in combination with the SPack Exploit Kit (ref 5).


Fig 2 – iSell.cc - Stolen: Bank logins, credit cards, PayPal Sales and IDs – On Real Host





Fortunately, in more recent times there are several good sources within the Open SEC community of up-to-date information on malware domains, spam centers and botnets, to select a few:
  • Spamhaus – SBL75831 – lists the net block for phishing and malware hosting. (Ref 6.)
  • FIRE - shows up to 9 complete malware servers over recent times. (Ref 7.)
  • MalwareURL – shows currently 199 domains hosting, amongst other badness, 18 trojans, 25 redirects to exploits and rogue anti-virus, and 6 botnet C&C (command and control) servers. (Ref 8.)
  • Google’s Safe Browsing - shows, for AS8206 Junik in the last 90 days, 12 sites providing malicious software for drive-by downloads and 102 sites acting as intermediaries for the infection of 11,810 other web sites. Finally it found 161 websites hosting malware that infected 20,681 other web sites.
  • Google’s Safe Browsing - as an example, for just one of the domains, 71.speed.info, 32 scripting exploits.

The Results of Investigation and Reporting the Issues


Fig 3 – Real Host Routing – as of 073109






Fig 4 – Real Host Routing – as of 080309

Money mule sites - the Barwells Group and NewskyAG reveal the following:

BarwellsGroup
"During the trial period (1 month), you will be paid 2,000 USD per month while working on average 3 hours per day, Monday-Friday, plus 5 commissions from every transactions or task received and processed. The salary will be sent in the form of wire transfer directly to your account. After the trial period your base pay salary will go up to 3,500USD per month, plus 5 commissions."
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day!

NewskyAG
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:
In summary, Real Host from within Junik serves:
  • exploits, including unpatched (or soon to be patched) 0-days
  • payloads to drop on victim PCs, including fake codecs, banking trojans, spambots, fake antivirus, downloaders and even a Mac trojan
  • phishing sites
  • money mule recruitment sites
  • Zeus botnet command and control servers
  • distribution of licensed software (warez)
  • illegal porn content

Added to which, it is a center for the RBN cybercrime business model:
  • botnet rental
  • botnet loading
  • phishing
  • iFrame exploit affiliates
  • warez
  • credit card trading forums
  • openly selling credit cards, PayPal accounts and bank logins, over 10,000 “newly harvested”
So who is Real Host Ltd.?
To start with, the net block is leased from Junik by Alex Spiridonov, Abay Street 2a, Almaty, Kazakhstan. However, here are just a few other tell-tale signs:
  • Many of the domains are ex-Estdomains.
  • All of the websites are in Russian or for the trading arm Russian / English.
  • Older entities which many had thought were dead and gone are here; Barwells Group, Newsky, Web-Alfa, and good old Botnet.Su
All of these were operational elements of RBN (Russian Business Network). So this may not be a reincarnation of the RBN, but these are clearly Russian organized cyber criminals, in the same vein and at least headed by someone from the old RBN school.

Further manual investigation led to the following information on domains supplied by Real Host:

IP               Domain                   Purpose
213.182.197.229  yourgoogleanalytics.us   Money Mule Recruiting
213.182.197.229  barwellsgroup.cn         Money Mule Recruiting
213.182.197.249  Vikd3jj-3.com            Malware
213.182.197.251  2k90.cn                  Malware
213.182.197.13   Mac-videos.com           Mac Trojan
213.182.197.236  71speed.info             Banking Trojan - Silent Banker
213.182.197.8    bestxvids.info           Zlob
213.182.197.249  traffic-searches.cn      Botnet C&C
213.182.197.237  1gigabayt.com            Zeus C&C
213.182.197.14   iframepartners.com       iframe sellers
213.182.197.228  Chlenopopik.com          Zeus C&C
213.182.197.14   Megavipsite.cn           Malware
213.182.197.20   Traffcount.cn            Malware
213.182.197.229  Newskyag.com             Money Mule Recruiting & Zeus C&C
213.182.197.235  Traffic-exchange.ru      Part of iframe redirection service
213.182.197.10   vlkontacte.ru            Russian Social Network Phish
213.182.197.251  Botnet.su                Zeus C&C
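A table like the one above is only useful to a defender once it is machine-readable. The following Python is an added example, not code from the RBN blog or HostExploit: it parses a constructed copy of the page's IP / domain / purpose table, groups the domains by hosting IP so that shared infrastructure (several of the listed domains sit on the same address) is visible, and then matches a few constructed resolver log lines against both the domain and the IP columns. The log format ("client qname answer") and the client addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed copy of the IP / domain / purpose table from the Real Host
# write-up above, kept in the page's whitespace-separated layout.
REAL_HOST_TABLE = """\
IP Domain Purpose
213.182.197.229 yourgoogleanalytics.us Money Mule Recruiting
213.182.197.229 barwellsgroup.cn Money Mule Recruiting
213.182.197.249 Vikd3jj-3.com Malware
213.182.197.251 2k90.cn Malware
213.182.197.13 Mac-videos.com Mac Trojan
213.182.197.236 71speed.info Banking Trojan - Silent Banker
213.182.197.8 bestxvids.info Zlob
213.182.197.249 traffic-searches.cn Botnet C&C
213.182.197.237 1gigabayt.com Zeus C&C
213.182.197.14 iframepartners.com iframe sellers
213.182.197.228 Chlenopopik.com Zeus C&C
213.182.197.14 Megavipsite.cn Malware
213.182.197.20 Traffcount.cn Malware
213.182.197.229 Newskyag.com Money Mule Recruiting & Zeus C&C
213.182.197.235 Traffic-exchange.ru Part of iframe redirection service
213.182.197.10 vlkontacte.ru Russian Social Network Phish
213.182.197.251 Botnet.su Zeus C&C
"""

# One row: dotted-quad IP, a domain without spaces, then free-text purpose.
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.+?)\s*$")


def parse_table(text):
    """Turn the table into (ip, domain, purpose) tuples.

    Domains are lower-cased because the page mixes cases and DNS names are
    case-insensitive; the header row is skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.split()[0].lower() == "ip":
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        ip, domain, purpose = m.groups()
        records.append((ip, domain.lower(), purpose))
    return records


def index_by_ip(records):
    """Group domains by hosting IP so shared infrastructure stands out."""
    by_ip = defaultdict(list)
    for ip, domain, purpose in records:
        by_ip[ip].append((domain, purpose))
    return dict(by_ip)


def scan_resolver_log(lines, records):
    """Match resolver log lines ('client qname answer_ip') against the table.

    A domain match is reported with its purpose.  A name that merely resolves
    onto one of the listed IPs is reported as sharing infrastructure, which is
    weaker evidence but still worth a look.
    """
    by_domain = {domain: purpose for _, domain, purpose in records}
    by_ip = index_by_ip(records)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # constructed format only; skip anything else
        client, qname, answer = parts
        qname = qname.lower().rstrip(".")
        if qname in by_domain:
            hits.append((client, qname, by_domain[qname], "domain"))
        elif answer in by_ip:
            neighbours = ", ".join(d for d, _ in by_ip[answer])
            hits.append((client, qname,
                         f"resolves to {answer}, shared with {neighbours}", "ip"))
    return hits


# Constructed resolver log: client IP, queried name, answer.  Not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 barwellsgroup.cn 213.182.197.229",
    "10.0.0.7 CHLENOPOPIK.com. 213.182.197.228",
    "10.0.0.9 cdn.example.net 213.182.197.14",
    "10.0.0.3 www.example.org 93.184.216.34",
]

if __name__ == "__main__":
    recs = parse_table(REAL_HOST_TABLE)
    for ip, hosted in sorted(index_by_ip(recs).items()):
        print(ip, "->", "; ".join(f"{d} ({p})" for d, p in hosted))
    for hit in scan_resolver_log(SAMPLE_LOG, recs):
        print("HIT", hit)
```

The IP-only match is deliberately reported separately from the domain match: a shared-hosting address can carry unrelated sites, so it is a lead to investigate rather than a verdict.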

With the Botnet.su and related installs.cc domains, the attackers clearly aren't trying to hide their motives! This domain was previously used by the RBN along with NewskyAG and others. Zeus is one of the most common threats being hosted from Real Host's network.


RBN - McColo R.I.P.

RBN (Russian Business Network) in the USA takes another hit, and another victory in the war against Internet badness.

‘Alas poor McColo I knew them well’ - so does anyone on the planet who receives email / spam.

McColo was host to the world’s major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography.

The study published by HostExploit.com was based on tracking and documenting the ongoing cyber criminal activity of McColo and others. Get the report here. HostExploit Report


As a result of the first HostExploit Cyber Crime USA report which focused on Atrivo / Intercage and subsequent community actions, there was a quantitative drop of 10% of spam and malware worldwide. While temporary, it does clearly demonstrate that with a concerted and consistent effort by concerned commercial Internet network operators, a safer Internet can ensue.


Once Hurricane Electric became aware of the report's content, at approximately 4:30pm EST on 11/11/08 it pulled the plug. Just to check on this, see the chart from SpamCop below. Yes, a huge drop in spam, as just one example!




Of course not over yet -

fraudcrew.com on IP 64.62.171.193 = 193.64-62-171.reverse.mccolo.com = net 64.62.128.0/18 = AS6939 HURRICANE Electric. Our favorite ‘CoolWebSearch hijackers’ are still online.



Also as we see on the CIDR report AS26780 MCCOLO - McColo Corporation is still peered by AS3549 GBLX Global Crossing Ltd.


However, we can assume Hurricane Electric will get around to this 64.62.128.0/18 net block and GBLX is also acting in unison.

Again, this is an excellent example of a growing community effort, involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators. When considering the ongoing war for the heart and soul of the Internet: “Not the end, not the beginning of the end, but the end of the beginning”?

RBN - Farewell to EstDomains

In the wake of the demise of Atrivo we now see the demise of EstDomains by an emboldened ICANN.



Many have shown EstDomains et al. to be a source of domain registration badness, used by cyber criminals for many years, as recently described within the HostExploit.com report “Atrivo - Cyber Crime USA” and by Sunbelt Software and Spamhaus, to name a few, and followed up by Brian Krebs in The Washington Post, “A Superlative Scam and Spam Site Registrar”.



Ironically EstDomains has been trying to fight back with press releases such as “EstDomains, Inc Takes Next Step in Combating Spam and Malware” with them stating; “Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe.”


However, even more relevant to the demise of EstDomains was the later Brian Krebs post “A Sordid History and a Storied CEO”, relating to the EstDomains CEO Vladimir Tsastsin.

As of today ICANN has issued a formal and, we assume, irrevocable notice of termination – see fig 2 below:




The formal letter of termination, available for download from ICANN <here>, is based on court records from Estonia.




Of course, what will be interesting is what happens to the approximately 281,000 domain names under EstDomains’ management. All registrations sponsored by EstDomains will be transferred to an ICANN-Accredited Registrar in accordance with ICANN’s “De-accredited Registrar Transition Procedure”. ICANN goes on to say “It is ICANN's goal to protect registrants from unnecessary harm and we look forward to amicably resolving any domain name transition issues that may arise from this termination.”



Hopefully this demonstrates that an emboldened ICANN, which has recently become besieged on security issues, is listening to the community. Perhaps we could persuade ICANN to allow the Internet security community to provide solid advice on which of these domains are abusive before any transfer is made?


RBN - Russian Cyberwar on Georgia: Report

"In August 2008, cyberwar associated with the Russian Federation struck once more, this time against Georgia. The DDoS attacks began in the weeks running up to the outbreak of the Russian invasion and continued after the Kremlin announced that it had ceased hostilities on August 12th."


This excerpt is from the 29-page report available for download from HostExploit.com or georgiaupdate.gov.ge. It is probably the most thorough analysis available on the cyberwarfare related to Georgia.



Concerning RBN (Russian Business Network)



"The individual, with direct responsibility for carrying out the cyber "first strike" on Georgia, is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov. These
men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge.



Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected. Further information gathered also links the RBN to known disruptive websites.



• The IP addresses of the range, 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.



• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes. "
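The report excerpt above works at the netblock level: a single address (79.135.167.22) is tied to a /24 attributed to an operator, which in turn sits inside a /19 assigned to a provider, and the McColo post earlier on this page does the same for 64.62.171.193 inside 64.62.128.0/18. The following Python is an added example, not code from the RBN blog or the Georgia report: it loads the prefixes the page names, and for each observed source address returns every containing block, most specific first, so that a hit on the operator's /24 is distinguished from a hit elsewhere in the provider's /19. The labels attached to the blocks are paraphrased from the page, and the list of observed addresses is constructed for the example.

```python
import ipaddress

# Netblocks named on the page, with the attribution the page gives them.
# The prefixes are the page's own; the labels are paraphrased from it.
PAGE_NETBLOCKS = {
    "79.135.167.0/24": "hosting service attributed to Boykov (Spamhaus SBL64881)",
    "79.135.160.0/19": "Sistemnet Telecom assignment",
    "64.62.128.0/18":  "AS6939 Hurricane Electric block that carried fraudcrew.com",
}


def load_blocks(table):
    """Parse CIDR strings once.  strict=True rejects a prefix whose host
    bits are set, which usually means a typo in the indicator list."""
    return [(ipaddress.ip_network(cidr, strict=True), label)
            for cidr, label in table.items()]


def matching_blocks(ip, blocks):
    """All blocks containing ip, most specific (longest prefix) first.
    A /24 nested inside a /19 therefore shows up ahead of its parent."""
    addr = ipaddress.ip_address(ip)
    found = [(net, label) for net, label in blocks if addr in net]
    return sorted(found, key=lambda t: t[0].prefixlen, reverse=True)


def longest_match(ip, blocks):
    """The single most specific block for ip, or None if it is unlisted."""
    found = matching_blocks(ip, blocks)
    return str(found[0][0]) if found else None


def flag_sources(ips, blocks):
    """Summarise a batch of observed source IPs as {ip: [(cidr, label), ...]},
    keeping only the addresses that fall inside a listed block."""
    report = {}
    for ip in ips:
        found = matching_blocks(ip, blocks)
        if found:
            report[ip] = [(str(net), label) for net, label in found]
    return report


# Constructed sample: the two addresses the page names, one address elsewhere
# in the Sistemnet /19, the fraudcrew.com address, and two unrelated addresses
# (79.135.192.1 lies just past the /19; 203.0.113.7 is documentation space).
OBSERVED = ["79.135.167.22", "79.135.167.49", "79.135.170.1",
            "64.62.171.193", "79.135.192.1", "203.0.113.7"]

if __name__ == "__main__":
    blocks = load_blocks(PAGE_NETBLOCKS)
    for ip, where in flag_sources(OBSERVED, blocks).items():
        print(ip, "->", " < ".join(f"{c} [{l}]" for c, l in where))
```

Returning the whole chain rather than only the longest match matters for attribution: the /19 tells you which provider to send the abuse report to, while the /24 tells you which customer the page associates with the activity.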



The puzzle of StopGeorgia.ru = follow the rabbit?


To add to the report, and shed light on the ongoing puzzle of the attack site StopGeorgia.ru:







Figure 1 - The IP route diagram route for StopGeorgia.ru (note: steadyhoster.com)



Figure 2. - The IP route diagram for SteadyHoster.com (note: for both fig1 /2 74.86.81.232.infomart.reverse.dnska.com)


Protect Details, Inc - (privatecontact@protectdetails.com)
29 Kompozitorov st. Saint Petersburg, 194358 RU







Figure 3. - Welcome to London GB, the IP route diagram for InnovativeITsolutions.com - actual home of 'StopGeorgia.ru' - AKA; dnska.com reseller for AS36351 SOFTLAYER Technologies


Innovation IT Solutions Corp.
Andrey Nesterenko (admin@mirhosting.com)
95 Wilton Road,
London, SW1V 1BZ, GB

RBN: Atrivo Goes Dark

Not the end, not the beginning of the end, but perhaps the end of the beginning.

As from today the Internet is a little safer, as Atrivo goes dark.


It is pleasing to report that the last remaining peer routing Atrivo (AS 27595 Atrivo / Intercage), ‘Pacific Internet Exchange’ (PIE), see the Spamhaus ref below, was withdrawn at 2:35am EST on Sunday Sept 21st 2008.





This is an excellent example of community effort involving a wide cross section of anti-spammers, malware and botnet researchers, journalists, and Internet network operators.


Although this is good news we should not relax too much, some of the bad stuff has migrated elsewhere, similar to the self re-distribution of AS40989 RBN Network last year. However, we look forward to the forthcoming ‘Atrivo – Cyber Crime USA’ report version 2.0 from HostExploit which may cast some light on this re-distribution and other bad actors.


Magnanimous in victory, we should give the last word to the vanquished, as Emil Kacperski, long-time spokesman and apologist for Atrivo / Intercage, said,

“I just put my fate into companies I shouldn't have.”



For the record the CIDR report - RIP



Refs:

Spamhaus - PIE - Lasso

Atrivo: Cyber Crime USA Report - Hostexploit.com

Cidr Report - Atrivo / Intercage

RBN - Atrivo: Cyber Crime USA

In a new study entitled "Atrivo - Cyber Crime USA", the authors have extensively tracked and documented ongoing cyber criminal activity from within the Internet servers controlled by the California-based Atrivo, and other associated entities. Atrivo is one of the Internet's Autonomous Systems and controls a large number of IP addresses, which web sites must use to reach consumers.

Produced by cyber crime researcher Jart Armin, in association with Matt Jonkman and James McQuaid, the first of its kind Open Source Security study set out to quantify and continuously track cyber crime using numerous methods of measurement. It focuses specifically on the notorious Atrivo, which has been seen by many over several years as a main conduit for financial scams, identity theft, spam and malware. This study, although fully self-contained, is the first of a series of reports: on a monthly basis there will be a follow-up reporting on the community response, the efforts of the cyber criminals to evade exposure, listings to assist in blocking the risks to Internet users, and hopefully efforts to stop them.


In addition to original quantitative research conducted by Armin, Jonkman and McQuaid, the study draws upon the findings of other research efforts, including StopBadware, EmergingThreats, Knujon, Sunbelt, CastleCops, Spamhaus, and many others. What emerges is a picture of a front for ruthless cyber criminals, who have specifically targeted consumers in the United States and elsewhere. The study provides hard data regarding specific current activity within Atrivo, explains how consumers are targeted, describes Atrivo's virtual network structure and organizational modeling, and cites Atrivo's collusive failure to respond to abuse complaints from 2004 to the present. The study includes three-dimensional charts, diagrams, and a YouTube video which make it easy to grasp the statistics or processes discussed.




Document available for download from hostexploit.com


Video of the Exploitation of a PC User - YouTube

RBN - Georgia Cyberwarfare – Attribution & Spam Botnets

Further attribution highlighting specific RBN (Russian Business Network) leadership and RBN directed spam botnet observations.



Specific RBN Attribution

The individual with direct responsibility for carrying out the cyber "first strike" on Georgia is an RBN (Russian Business Network) operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrew Smirnov. These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists" (as some have maintained of the cyber attacks on Georgia).

Mr. Boykov has been engaged in criminal activity for some time. He is best known for distributing the malware VirusIsolator (which downloads trojans to take control of the victim's computer). He has been directly involved in financial crime, and operated scam sites including: Harbor Lending, Oakwood Lending, and Capital Lending. Mr. Boykov is also a purveyor of porn spam.

Mr. Smirnov is known for operating a number of scam sites including canadian-pharmacy-support and canadiandiscountmeds. Mr. Smirnov is known to hold Russian nationalist views, and supported cutting off natural gas supplies to the Ukraine. The Ukrainian authorities should note that he often travels between Russia and the Ukraine.

According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24. It should be noted that the pre-invasion attacks emanated from 79.135.167.22. Presently, there is a large-scale spam campaign underway purporting to be from the BBC which accuses the President of Georgia of being gay. When an individual clicks on the link in the email, a virus is downloaded from 79.135.167.49. (Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet) Spamhaus issued a warning regarding 79.135.167.49 on July 29th in SBL66533.

Further investigation of Mr. Boykov and Mr. Smirnov is likely to implicate the Russian authorities in the cyber first strike.

Contribution - James McQuaid


Fig 1 - Sistemnet Telecom - AS9121 TTNet (Turkey) associated with AbdAllah_Internet


Further spam botnet analysis - Knujon

They are part of a botnet that came into existence in 2008. The vast majority show up in Mar/Apr 2008, but some have been sending spam since 2006.

80.255.244.19 - Web Media Services - Russian Federation
nslookup = mx1.privatehost.nl
79 hits from April 2008 and 4 from Mar 2008.

85.71.224.34 - Czech Republic nslookup = 34.224.broadband4.iol.cz
5 hits spread over Feb, Mar and Apr 2008.

242.3.213.198 = mailrouter2.austincc.edu
107 in Mar/Apr 2008, 1 in Jan 08 and 1 in 2006

57.83.52.200 = mail5.hostweb.com.mx
1 in Jul 2007

100.192.162.206 = mx2.seidata.com
90 in Mar/Apr 2008, 1 in Oct 2007

16.164.163.212 = dns2.tea-cegos.es
104 in Mar/Apr 2008

5.197.8.212 = mx2.teuto.net
209 total: 159 in Mar/Apr, 2 in Jan, 6 in Feb 2008; 39 (2007), 3 (2006)

118.32.147.216 = adoptolder.org
8 Mar/Apr 2008

165.209.35.217 = mx2.bt.net
100 Mar/Apr, 1 Jan 2008; 65 (2007), 9 (2006)

Mar/Apr 2008 period

mail7.jetblue.com 106
autoliike.com 3
smtp.cablebahamas.net 151
mx4.mardelhosting.net 1
mx1.privatehost.nl 83
34.224.broadband4.iol.cz 5
un-158-235.domainunused.net 31
pool-96-234-41-61.nwrknj.fios.verizon.net 8
123-193-82-34.dynamic.kbronet.com.tw 7
mbox.edmaster.it 90
smtp3.willamette.edu 77
argo.regione.toscana.it 92
msgsrv1.itellium.net 177


Again special thanks to the many community contributions and messages of support of the RBN blog, in our efforts to expose cyber crime and the Russian Business Network. We welcome ongoing observations, send to RBNexploit gmail.com

Refs:

RBN info from James McQuaid; his blog is here

Spam Botnet analysis Dr. Bob Bruen of Knujon.com.