Much was made of the Intercage/Atrivo shutdown last year, which was a result of significant research by the security community, and tenacity by the Washington Post's Security Fix technical blog. While a good chunk of the network was depeered, there are a few netblocks owned by "sister organizations" which remain routed.
The connection between Internet Path/Cernel, Intercage/Atrivo, Hostfresh, UkrTeleGroup, etc., is a tangled mess which others have written about extensively. In this article I'll be looking at UkrTeleGroup and Internet Path/Cernel.
This simple exercise can be done for any of the examples below, but for posterity's sake, I'll just point out one simple way to convince yourself that it is probably all the same group. Below I look deeply into the networking side of the DNSChanger trojan, much of which uses malicious DNS servers in the 85.255.112.0/20 block. Simply running whois on an IP in that block shows the following:
netname: UkrTeleGroup
mnt-routes: UKRTELE-MNT
Taking a look at robtex, you'll see that 85.255.112.0/20 is an advertised route by AS36445, which used to be registered as "Cernel Network Ltd", but is now "Internet Path, Inc".
Robtex showing networks registered to "Atrivo Cernel Network Ltd"
Cidr Report showing an updated registration of AS36445
Intercage was/is AS27595 and controlled 64.28.176.0/20, but now that block is registered to Internet Path.
The IP blocks I examined were 64.28.176.0/20 (partially not routed), 67.210.0.0/20 (partially not routed), 85.255.112.0/20 (partially not routed), and 93.188.160.0/21 (mostly not routed).
As always, I'm not looking at historical data, this is from the past couple days.
Above you can see DNS queries from computers affected by one of the DNSChanger trojans, of which there have been a couple varieties.
I had the chance to take a look at some live network traffic and I actively saw these malicious DNS servers being used for DNS hijacking on the 85.255.112.0/20 network. I would be surprised if this list was 100% comprehensive, but it's a decent sampling.
Just as a refresher for those who might not fully understand this particular trojan: malware somehow enters your system and changes the DNS servers you use for lookups to these malicious servers. Most of the time, the "malicious" DNS servers actually pass you the correct IP address for a given domain name, but for the few specific domains they want to control, they return an IP that's in their purview.
For instance, let's say you wanted to go to www.fireeye.com. Your system would request an A record for www.fireeye.com using the resolvers/nameservers set on your system. These nameservers are generally passed out by your DHCP server, but in the case of this trojan, they are maliciously set as static entries. The malicious nameservers do the lookup against the NS records for the domain (basically) and return you the correct IP of 204.9.177.195.
You're probably thinking: hmm, OK, why would they want to provide DNS services for free? Simple: so that they can, on a whim, redirect you to a site they control. If you told your system to do DNS queries using one of those resolvers, you would see a different IP returned for certain domains. Here is an example:
First I'll query for www.googleadservices.com using a nameserver that I control:
root@alex_lanstein.eng.fireeye.com — {~} dig @192.168.0.53 www.googleadservices.com
;; QUESTION SECTION:
;www.googleadservices.com. IN A
;; ANSWER SECTION:
www.googleadservices.com. 32484 IN CNAME adservices.google.com.
adservices.google.com. 32484 IN CNAME adservices.l.google.com.
adservices.l.google.com. 152 IN A 64.233.169.96
You'll notice that the IP returned was 64.233.169.96, which, if you were to whois it, you would see is indeed registered to Google.
However, if I do a lookup using the malicious server, I get:
root@alex_lanstein.eng.fireeye.com — {~} dig @85.255.112.203 www.googleadservices.com
;; QUESTION SECTION:
;www.googleadservices.com. IN A
;; ANSWER SECTION:
www.googleadservices.com. 600 IN A 67.210.12.201
Doing a whois lookup on that IP, I see:
OrgName: Internet Path, Inc.
OrgID: INTER-890
Address: 1971 Western Avenue #1162
City: Albany
StateProv: NY
PostalCode: 12203
Country: US
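As an added example (not the article's own code), the following Python turns the two observations above into checks a defender can run on a host or over captured dig output: are the configured resolvers inside the UkrTeleGroup block, and does an A record for a well-known name land in Internet Path/Cernel space? The netblocks and the two dig answers are taken from the article; the sample inputs are constructed from them.

```python
import ipaddress
import re

# Netblocks named in the article: DNSChanger resolvers sit in UkrTeleGroup
# space, the hijacked answers in Internet Path/Cernel space.
RESOLVER_BLOCKS = [ipaddress.ip_network("85.255.112.0/20")]
HIJACK_TARGET_BLOCKS = [
    ipaddress.ip_network("67.210.0.0/20"),
    ipaddress.ip_network("64.28.176.0/20"),
    ipaddress.ip_network("93.188.160.0/21"),
]

# Matches answer-section lines as dig prints them, e.g.
# "adservices.l.google.com. 152 IN A 64.233.169.96"; CNAME lines do not match.
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def in_blocks(ip, blocks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def suspicious_resolvers(resolvers):
    """Configured resolvers (e.g. from resolv.conf) that fall in the DNSChanger block."""
    return [r for r in resolvers if in_blocks(r, RESOLVER_BLOCKS)]


def parse_a_records(dig_output):
    """Extract (owner, ip) pairs for A records from dig output text."""
    return A_RECORD.findall(dig_output)


def hijacked_answers(dig_output):
    """A records whose address lands inside the hijack target blocks."""
    return [(n, ip) for n, ip in parse_a_records(dig_output) if in_blocks(ip, HIJACK_TARGET_BLOCKS)]


def compare(trusted_output, suspect_output):
    """Answers from the suspect resolver that the trusted resolver never returned."""
    trusted_ips = {ip for _, ip in parse_a_records(trusted_output)}
    return [(n, ip) for n, ip in parse_a_records(suspect_output) if ip not in trusted_ips]


# Constructed sample input: the two dig answer sections shown in the article.
TRUSTED = """www.googleadservices.com. 32484 IN CNAME adservices.google.com.
adservices.google.com. 32484 IN CNAME adservices.l.google.com.
adservices.l.google.com. 152 IN A 64.233.169.96
"""
SUSPECT = "www.googleadservices.com. 600 IN A 67.210.12.201\n"

if __name__ == "__main__":
    print(suspicious_resolvers(["192.168.0.53", "85.255.112.203"]))
    print(hijacked_answers(SUSPECT))
    print(compare(TRUSTED, SUSPECT))
```

The netblock check is the stronger signal: plain answer comparison is noisy for CDN-hosted names, which legitimately resolve differently from different vantage points.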
Here's a clearer example of how this is used:
GET /pagead/conversion/1044253011/?label=default&script=0 HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Referer: http://www.hulu.com/watch/57889/friday-night-lights-every-rose-has-its-thorn
You'll notice the Referer HTTP header. In this case, there are ads hosted by Google on hulu.com, which Alec Baldwin tells me will turn my brain to mush.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Notice that this indeed is an exploited Mac.
Cache-Control: max-age=0
Connection: keep-alive
Here you can see the computer is really connecting to what it believes is www.googleadservices.com, but the name has resolved to a third-party IP (as stated above).
Host: www.googleadservices.com
HTTP/1.1 302 Found
Date: Mon, 16 Feb 2009 16:42:42 GMT
Server: Apache/2.0.63 (FreeBSD) PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Location: http://adservices.google.com/pagead/conversion/1044253011/?label=default&script=0
Content-Length: 0
Connection: close
Content-Type: text/html
I thought it might be fun to look at some of the domain names they are hijacking. Below are some of the ones I observed, and again, probably not an exhaustive list. All these are hosted in Internet Path/Cernel IP space.
There are also other addresses in the range well known for being associated with search and web hijacking. I hope I'll be able to go more into what's going on in a later post, but it's essentially malicious redirection and basic browsing-detail theft.
There are a couple other sites that track badness, such as MalwareDomainList and HpHosts. They show some historical badness with these guys as well:
HpHosts Internet Path 1
HpHosts Internet Path 2
HpHosts UkrTeleGroup
MalwareDomainList Cernel
MalwareDomainList UkrTeleGroup
Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com
And again, I think you're doing a great job with your research. The greatest advantage of your articles is that you write about your own work and you never forget to mention the practical part of the problem!