Tuesday, July 29, 2014

SFR phish: the Gateway to all French banks

Back in April, we wrote about the French power company EDF being used as a universal phishing target in our article, Multi-Brand French Phisher uses EDF Group for ID Theft. Since then we have been seeing that those targeting French-speaking victims are choosing yet another large utility to serve as a proxy for the whole French banking world. This time the phishing lures are for SFR.

This phish has been especially popular this year. Malcovery's PhishIQ service has seen more than 1,000 SFR phish on more than 330 hacked servers so far this year, including dozens just in the month of July 2014. More importantly though, the attackers are growing more sophisticated! The attack described below is one of the most sophisticated phish we've seen to date, employing "man-in-the-middle" logins where SFR credentials are tested before the victim is allowed to proceed, and nearly a dozen customized bank security procedure questions being processed.

In a typical example of these phish, the victim receives an email that appears to be from SFR informing them that an error was made in their bill, "Ce mail vous a été envoyé dans le but de vous informer qu'une erreur est survenue lors de l'établissement de la dernière facture" and to "Cliquer ici pour ouvrir le formulaire de remboursement" (Click here to open the refund form). The victim is also warned that they need to fill out the form completely, or they won't get their refund (in some cases 95 Euros!):

Veuillez accepter nos excuses par cette erreur comptable. SFR : Service comptabilité de SFR Toute omission, mauvaise saisie, ou non réponse a ce mail entrainera automatiquement une amputation de la somme de quatre-vingt-quinze (95) euros sur votre compte, et aucune réclamation de sera acceptée.

While there are several versions of the SFR phish, the most sophisticated that we have encountered so far can be seen on a British horse enthusiasts' website (obviously hacked). What makes this one particularly compelling is that it begins by requiring the victim to use their true SFR userid and password. On the opening screen, the user is told to "Connectez-vous" by entering his userid (Identifiant) and password (Mot de passe).

The action of this form on the phishing site actually passes the userid and password to SFR and confirms whether or not a genuine identifier has been used. If false information is provided, the phishing victim receives a message back informing him that

Vos coordonnées n'ont pas été reconnues. -- Your details have not been recognized.
Veuillez recommencer. -- Please try again.
Suite à 5 erreurs sur votre mot de passe, -- After 5 errors on your password
votre compte est bloqué. -- Your account will be blocked.

So, with a little incentive to not lie to the criminal, and a fairly strong reason to believe they are really speaking with SFR, the victim continues to page two after providing true login credentials.

On the second page, the victim is invited to choose their bank from a long list of French banks. Depending on which bank they choose, they will be prompted for appropriate additional verification details used by that bank. Banks on the list include:

  • AXA Banque
  • Banque AGF / Allianz
  • Banque de Savoie
  • Banque Dupuy de Parseval
  • Banque Marze
  • Banque Palatine
  • Banque Populaire
  • Banque Postale
  • Barclays
  • BforBank
  • Binck.fr
  • BNP
  • BNP Paribas La NET Agence
  • Boursorama Banque
  • BPE
  • Caisse d'Epargne
  • CIC
  • Coopabanque
  • Crédit Agricole
  • Crédit Cooperatif
  • Crédit du Nord
  • Crédit Mutuel
  • Crédit Mutuel de Bretagne
  • Crédit Mutuel Massif Central
  • Crédit Mutuel Sud-Ouest
  • e.LCL
  • Fortis Banque
  • Fortuneo Banque
  • Groupama Banque
  • HSBC
  • ING Direct
  • LCL
  • Monabanq
  • Societe Generale
  • Société Marseillaise de Crédit
  • Autre Banque
Here are some examples:

Some banks require the visitor to enter their 3DSecure code.

AXA Banque has a custom code for their clients

Banque Postale has security questions, such as:
  • Quel est le prénom de l'aîné(e) de vos cousins et cousines ?
  • Quel était le prénom de votre meilleur(e) ami(e) d'enfance ?
  • Quel était votre dessin animé préféré ?
  • Quel a été votre lieu de vacances préféré durant votre enfance ?

Caisse d'Epargne also provides a personalized Client code.

Even the "Cyberplus" electronic password generators used by Banque Populaire are included in this phish!

Some banks also require information about the victim's birthplace.

(The update was successful. SFR thanks you for using its Bank Assurance services. You can continue browsing the site with full security.)

After seeing this message briefly, the visitor is forwarded to the true www.SFR.fr website.

Tuesday, July 15, 2014

.pif files, Polish spam from Orange, and Tiny Banker (Tinba)

Tonight I was looking at my Twitter feed and saw @SCMagazine talking about ZBerp. It was actually a tweet back to a story from July 11th where Danielle Walker wrote ZBerp Evolves: Spreads through Phishing Campaign which was actually quoting the July 7th story from WebSense Labs, where Elad Sharf wrote Zeus PIF: The Evolving Strain Looking to Defeat Your Security Software. I thought that sounded interesting, so I went over to the Malcovery Security systems to see what the malware team had done with .PIF files recently.

.PIF files are like those organs we are said to have for some reason that are not necessary in these modern times. If you still remember the pain of migrating from DOS 5.0 to Windows 3.0, you will remember that we had .PIF files because DOS binaries did not have all the niceties of Windows programs, such as embedded icons and a place to store the default start-up path. Back when Ugg the Caveman was discovering fire and Bill Gates was leading a development team, you could make your DOS Executables APPEAR to be Windows files by sticking a .PIF file of the same name in the same directory. Windows knew that it should associate the .PIF file with the .EXE or .COM file of the same name, and suddenly we had icons! Of course the malware authors have done some sneaky things with this in the past. When Sality was a young pup, browsing a directory that contained the ".pif" format of Sality was enough to get Windows to execute the malware -- because "Active Desktop" knew that if it saw a .PIF file, it should load it so it would know what graphical icon to associate with which programs in the directory listing. Unfortunately, that was all Sality needed to launch itself! So many people were victimized thinking that the AUTORUN=OFF on their thumb drive had failed without realizing it was just what .PIF files did back then.

So, this morning in the Malcovery Spam Data Mine we saw 1,440 copies of a spam message claiming to be from "orange.pl" with the subject "MMS-ie" and a 70,390 byte .zip file with a randomly numbered IMG#####.zip filename. The .ZIP file contained a 126,976 byte .PIF file that was named "IMG875002763.JPEG.pif" and had an MD5 hash of d382068a8666914584d0ae51dd162c6b. When I just checked the file a few minutes ago on VirusTotal, thinking I would see various Zeus-related malware names based on the SCMag / WebSense articles, I was surprised to see that the file was actually TinBa or "Tiny Banker"!
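As an added example (my own illustration, not code from the post or from Malcovery), here is the kind of mail-gateway check that catches this attachment shape: it lists the members of a zip without extracting anything and flags names whose final extension is executable, and especially a decoy extension such as .JPEG or .pdf placed in front of .pif. The zip contents are constructed dummy bytes, not the malware.

```python
import io
import zipfile

# Extensions Windows will run directly; .pif is the DOS-era "Program Information File"
# that Windows still treats as a program rather than a data file.
EXECUTABLE_EXTENSIONS = {"pif", "exe", "com", "scr", "bat", "cmd", "vbs", "js"}
# Extensions a spammer puts in front of the real one so the name looks like a picture/document.
DECOY_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "xls", "txt"}


def classify_member(name: str) -> dict:
    """Split an archive member name into its extension chain and flag risky patterns."""
    base = name.rsplit("/", 1)[-1]            # ignore any directory component
    parts = base.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    final = exts[-1] if exts else ""
    reasons = []
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and final in EXECUTABLE_EXTENSIONS:
        reasons.append(f"decoy .{exts[-2]} in front of .{final}")
    return {"name": name, "final_ext": final, "suspicious": bool(reasons), "reasons": reasons}


def scan_zip_bytes(data: bytes) -> list:
    """Inspect every member of a zip given as bytes; nothing is written to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            r = classify_member(info.filename)
            r["size"] = info.file_size
            results.append(r)
    return results


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the attachment names from the post; content is dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG875002763.JPEG.pif", b"MZ" + b"\x00" * 64)      # not real malware
        zf.writestr("DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip_bytes(build_sample_zip()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']} ({r['size']} bytes) {'; '.join(r['reasons'])}")
```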

Late last week I was one of the many folks trying to get a friend to get me a copy of the Tinba source code that had been leaked, as Peter Kruse over at CSIS told us on July 10, 2014 (see Tinba/Hunterz source code published). Peter shared a talk, The Hunterz Inside Tinba, at the recent Cyber Threat Summit, and, with Trend Micro's Robert McArdle and Feike Hacquebord, released a paper called "W32.Tinba, The Turkish Incident" (a 24-page PDF that gives great insights into the malware family).

Tinba: The Polish Incident

If the earlier paper was called "The Turkish Incident", perhaps the current version should be called "The Polish Incident". Here is the email that was distributed so prolifically this morning:

Jeżeli Twój telefon nie obsługuje wiadomości multimedialnych, możesz je wysyłać i odbierać korzystając ze Skrzynki MMS lub Albumu MMS. Wystarczy, że zalogujesz się na www.orange.pl. O każdym otrzymanym na skrzynkę MMS-ie powiadomimy Cię E-mail.

Jeśli odbiorca wiadomości nie ma telefonu z obsługą MMS będzie mógł ją odebrać logując się w portalu www.orange.pl, a następnie wybierając Multi Box i zakładkę MMS. Wiadomości multimedialne możesz też wysyłać na dowolny adres e-mail.

In case you aren't as fluent in Polish as the rest of us, here is how Google Translate renders that:

If your phone does not support multimedia messages, you can send and receive using the Crates MMS or MMS Album. Simply log on www.orange.pl. For each received in an MMS message box will send you e-mail. If the recipient of the message does not have MMS-capable phone will be able to pick it up by logging into the portal www.orange.pl, and then select Multi Box and MMS tab. Multimedia messages can also be sent to any e-mail.

The spam from Monday, July 14th, was Tinba spam according to VirusTotal. Late this evening (about 18 hours after the spam campaign) VirusTotal reported a (25 of 53) detection rate.

The spam from July 11th was also in Polish, and also imitated Orange, although this time the sender was Orange.com. There was a .zip file attached, which contained a file named "DKT_Faktura_indywidualna_2014_07_11_R.pdf.pif" which was 102,400 bytes in size and had an MD5 hash of da9330aa6d275ba28954b88ecf27dedb. The .zip file was 70,323 bytes with MD5 hash of fc1e0a665f99b347e424281a8a6a2526. The spam from July 11th was also Tinba spam, according to many vendors at VirusTotal. But the email body was much simpler. The message, still in Polish, was:

Witamy,

Przesyłamy fakturę Telekomunikacji Polskiej w wersji elektronicznej za czerwiec 2014.

Welcome,

We send an invoice Polish Telecom in the electronic version for June 2014.

But of course it was more malware, disguised as an invoice but actually a .pif file.

The current detection at VirusTotal for that campaign is 33 of 53 detections.

Unlike the Turkish Incident, where Tinba was being dropped by the Blackhole Exploit Kit, in the current spam, Tinba is directly attached to the email message.

Sunday, July 13, 2014

Urgent Court Notice from GreenWinick Lawyers delivers malware

I spent some time yesterday in the Malcovery Security Spam Data Mine looking at the E-Z Pass malware campaign. The ASProx spammers behind that campaign have moved on to Court Notice again . . .

Subjects like these:

  • Hearing of your case in Court No#
  • Notice of appearance
  • Notice of appearance in court No#
  • Notice to Appear
  • Notice to Appear in Court
  • Notice to appear in court No#
  • Urgent court notice
  • Urgent court Notice No#
(All of the subjects that have "No#" are followed by a four digit integer.)


As normal, the spammers for these "Court Appearance" spam campaigns have just grabbed an innocent law firm to imitate. No indication of any real problem at Green Winick, but I sure wish one or more of these abused law firms would step up and file a "John Doe" lawsuit against these spammers so we could get some civil discovery going on!

These are the same criminals who have previously imitated other law firms including Jones Day (jonesday.com), Latham Watkins (lw.com), Hogan Lovells (hoganlovells.com), McDermott, Will & Emery (wme.com), and many more! Come on! Let's go get these spammers and the malware authors that pay them!

We've seen 88 destination hosts between July 10th and this morning (list below) but it is likely there are many more!

When malware spammers use malicious links in their email instead of attachments, they tend to have a much better success rate if they deliver unique URLs for every recipient. That is what is happening in this case, and what always happens in these ASProx / Kuluoz spam campaigns. An encoded pseudo-directory is used in the path portion of the URL, which is combined with rotating through hundreds of 'pre-compromised' websites to host their malicious content.

Four patterns in the path portion of the URL are better indicators than the host list, as we believe there will be MANY more destination hosts:

  • tmp/api/...STUFF...=/notice
  • components/api/...STUFF...=/notice
  • wp-content/api/...STUFF...=/notice
  • capitulo/components/api/...STUFF...=/notice
where "...STUFF..." is an encoding that we believe is related to the original recipient's email address, but have been unable to confirm at this time.

http:// arhiconigroup.com / wp-content / api / pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk= /notice

(to protect the spam donor, the pwCYg... string above has been slightly altered. If you want to work on de-coding, let me know and I'm happy to provide a couple hundred non-altered strings.)

Just like with last week's E-Z Pass spam campaign, visiting the destination website results in a uniquely geo-coded drop .zip file that contains a .exe file.

As an example, when downloading from my home in Birmingham Alabama where my zip code is 35242, the copy I received was named:

Notice_Birmingham_35242.zip

which contained

Notice_Birmingham_35242.exe, which is icon'ed in such a way that it appears to be a Microsoft Word document.

The MD5 of my '.exe' was: 5c255479cb9283fea75284c68afeb7d4

The VirusTotal report for my .exe is here:

VirusTotal Report (7 of 53 detects)

Extra credit points to Kaspersky and Norman for useful and accurate naming!

Kaspersky = Net-Worm.Win32.Aspxor.bpyb
Norman = Kuluoz.EP

Each of the 88 destination websites that we observed was likely compromised to host the malware. We do not believe these are necessarily "Bad Websites" but they either have a vulnerability or have had the webmaster credentials stolen by criminals.

If one of these is YOUR website, look for one of those directories I mentioned:

/tmp/api/
/components/api/
/wp-content/api/
/capitulo/components/api/
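As an added example (mine, not the post's or Malcovery's code), the two checks the previous paragraphs describe, in one script: a proxy-log scan for the four path patterns (prefix directory, /api/, an opaque token ending in "=", then /notice), and a webmaster check for the drop directories under a site's document root. The log lines and host names are constructed; the first token is the altered string quoted above, the second is made up.

```python
import os
import re
from urllib.parse import urlsplit

# The four path shapes from the campaign. The longest prefix is listed first so the
# alternation does not stop early at "components".
ASPROX_PATH_RE = re.compile(
    r"^/(?:capitulo/components|components|wp-content|tmp)/api/([A-Za-z0-9+/_-]{16,}=)/notice/?$"
)

# Drop directories to look for on your own site (the list from the post).
CAMPAIGN_DIRS = ("tmp/api", "components/api", "wp-content/api", "capitulo/components/api")


def match_asprox_url(url: str):
    """Return (host, token) if the URL's path matches the campaign pattern, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    m = ASPROX_PATH_RE.match(parts.path)
    return (parts.hostname, m.group(1)) if m else None


def scan_proxy_log(text: str) -> list:
    """Flag campaign URLs in a whitespace-separated proxy log (ts client method url status)."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = match_asprox_url(fields[3])
        if m:
            # one distinct token per client is what per-recipient URLs look like in a log
            hits.append({"ts": fields[0], "client": fields[1], "host": m[0], "token": m[1]})
    return hits


def find_campaign_dirs(docroot: str) -> list:
    """Webmaster check: which of the campaign's drop directories exist under a site root."""
    return [d for d in CAMPAIGN_DIRS if os.path.isdir(os.path.join(docroot, d))]


# Constructed proxy log lines with placeholder hosts (not the compromised sites in the post).
SAMPLE_LOG = """\
1405000001 10.0.0.5 GET http://hacked-site.example/wp-content/api/pwCYg4Ac5gk0WlQIVFEkRSPGL2E7vZhP8Qh4LMGbbAk=/notice 200
1405000002 10.0.0.7 GET http://hacked-site.example/wp-content/uploads/2014/07/photo.jpg 200
1405000003 10.0.0.9 GET http://other-site.example/components/api/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd=/notice 200
1405000004 10.0.0.9 GET http://other-site.example/tmp/api/notice 404
"""

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['host']} token={h['token'][:12]}...")
    print("drop dirs under current directory:", find_campaign_dirs("."))
```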


Friday, July 11, 2014

New GameOver Zeus Variant uses FastFlux C&C

Over on the Malcovery Security Blog yesterday we covered a new version of GameOver Zeus (see: GameOver Zeus Mutates, Launches Attack) that was distributed in three spam campaigns on July 10, 2014. At the bottom of that blog post, we're sharing a detailed "T3 Report" by analysts Brendan Griffin and Wayne Snow that gives all the details. In our reporting yesterday we mentioned that the new bot is using a Fast Flux Command & Control structure and that it is using a Domain Generation Algorithm to allow the malware distributed in the spam to locate and connect to the Command & Control servers.

I wanted to geek out on that a bit deeper for those who want more details on both of those subjects. First, let's look at the Fast Flux.

Fast Flux Command & Controlled Botnet

Fast Flux is a technique that allows a criminal who controls many servers to obfuscate the true location of his server by building a tiered infrastructure.

Sometimes there are additional "tiers" or levels of misdirection. We don't yet know how many layers there are in this newGOZ botnet.


Here's the flow . . .

  1. the newGOZ criminal pays the Cutwail spammers to send out emails to infect new victims
  2. the Cutwail spammer sends out his emails. On July 10th, they were "Essentra Past Due" and emails imitating M&T Bank and NatWest Bank
  3. while many people delete the emails, ignore them, or have them blocked by spam filters, SOME people click on them
  4. the ".scr" email attachment infects their computer and starts generating "Domain Generation Algorithm" domains.
  5. each domain is queried for: the bot computers say "Hey, Internet! Does this domain exist?"
  6. on July 10th, cfs50p1je5ljdfs3p7n17odtuw.biz existed ... "the Internet" said "Yes, this exists, and NS1.ZAEHROMFUY.IN is the nameserver that can tell you where it is."
  7. When most nameservers tell the address of a computer, they give a "Time To Live" that says "The answer I'm giving you is probably good for 24 hours" or 2 days, or a week, or whatever. But the nameserver used in a FastFlux bot, like NS1.ZAEHROMFUY.IN, usually gives a "Time To Live" answer that says "The answer I'm giving you is only good for about 5 minutes. After 5 minutes, you need to ask me again in case the address has changed."
  8. NS1.ZAEHROMFUY.IN receives constant updates from the "newGOZ Criminal" of servers all over the world (but mostly in Ukraine) that have been hacked. Almost every time you ask the nameserver "Where is the newGOZ domain?" it will give you a different answer.
  9. the "FastFlux C&C" boxes are now running nginx proxy software that says "Whatever you ask me, I will ask the servers at the Evil Lair of newGOZ. Whatever the Evil Lair of newGOZ wants to say, I will pass back to you."
  10. Updates from the Evil Lair get passed back THROUGH the FastFlux proxy and give the newGOZ bots new malware or commands
  11. All traffic to and from the newGOZ bot, whether it is the bot "checking in" or the criminal pushing an "update", goes through one of the proxies, which are constantly changing.

Fast Flux newGOZ resolutions

All of the servers (or workstations) in this table were used as Fast Flux C&C nodes last night by the newGOZ botnet. We'll keep tracking this with friends from ShadowServer, DissectCyber.com and others and sharing this information with our trusted partners, but I wanted to throw out this example. If you have the ability to look at "Net Flow" for any of these computers, you may be able to help us locate "The Evil Lair of the newGOZ Criminal." (Which sounds like a lot more fun than just looking at packet dumps, doesn't it? Sorry, this isn't my job, it is my passion. Geeks have to convince themselves they are Fighting Evil or we would get bored.) Since the first GOZ enabled the theft of $100 Million or so (for more see, as an example, Crooks Seek Revival of GameOver Zeus Botnet, where Brian even shares the FBI Wanted Poster of the guy who is thought to be behind Zeus).
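As an added example (my own, not the post's or Malcovery's tooling), here is a small scorer for the behaviour the flow above describes: parse resolution records in the same "date time ip prefix as-name,cc asn cc rir" shape as the tracking output, then check for the combination of a short TTL, a different answer almost every query, and answers scattered across many ASNs. The records below are constructed with documentation address ranges and private-use ASNs, with a conventionally hosted name as a contrast; the TTL is passed in separately because it comes from the DNS response, not from this record format.

```python
from datetime import datetime

# Constructed sample in the record shape used in the post; addresses are RFC 5737
# documentation ranges and the ASNs are private-use numbers, not the post's data.
FLUX_SAMPLE = """\
2014-07-10 20:37:10-05 192.0.2.17 192.0.2.0/24 EXAMPLE-AS-A Example Telecom A,UA 64500 UA ripencc
2014-07-10 20:38:04-05 198.51.100.9 198.51.100.0/24 EXAMPLE-AS-B Example Cable B,US 64501 US arin
2014-07-10 20:43:36-05 203.0.113.77 203.0.113.0/24 EXAMPLE-AS-C Example ISP C,UA 64502 UA ripencc
2014-07-10 20:48:03-05 192.0.2.201 192.0.2.0/24 EXAMPLE-AS-A Example Telecom A,UA 64500 UA ripencc
2014-07-10 20:53:24-05 198.51.100.120 198.51.100.0/24 EXAMPLE-AS-B Example Cable B,US 64501 US arin
2014-07-10 20:58:39-05 203.0.113.8 203.0.113.0/24 EXAMPLE-AS-C Example ISP C,UA 64502 UA ripencc
"""

# Constructed contrast: a conventionally hosted name that always resolves to the same host.
STABLE_SAMPLE = """\
2014-07-10 20:37:10-05 192.0.2.50 192.0.2.0/24 EXAMPLE-AS-A Example Telecom A,UA 64500 UA ripencc
2014-07-10 20:47:10-05 192.0.2.50 192.0.2.0/24 EXAMPLE-AS-A Example Telecom A,UA 64500 UA ripencc
2014-07-10 20:57:10-05 192.0.2.50 192.0.2.0/24 EXAMPLE-AS-A Example Telecom A,UA 64500 UA ripencc
"""


def parse_resolution(line: str) -> dict:
    """Parse one record. The AS name is free text, so fixed fields are taken from both ends."""
    f = line.split()
    return {
        # keep HH:MM:SS only; the "-05" UTC offset is the same on every record
        "ts": datetime.strptime(f[0] + " " + f[1][:8], "%Y-%m-%d %H:%M:%S"),
        "ip": f[2],
        "prefix": f[3],
        "as_name": " ".join(f[4:-3]),
        "asn": int(f[-3]),
        "cc": f[-2],
        "rir": f[-1],
    }


def load_resolutions(text: str) -> list:
    return [parse_resolution(l) for l in text.splitlines() if l.strip()]


def assess_fast_flux(records: list, ttl_seconds: int, max_ttl: int = 300,
                     min_ips: int = 5, min_asns: int = 3, min_change_rate: float = 0.8) -> dict:
    """Score a name's resolution history: short TTL, answer changes almost every query,
    and answers spread over many networks (the pattern described in the flow above)."""
    recs = sorted(records, key=lambda r: r["ts"])
    ips = [r["ip"] for r in recs]
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    gaps = sorted((b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:]))
    report = {
        "answers": len(recs),
        "unique_ips": len(set(ips)),
        "unique_asns": len({r["asn"] for r in recs}),
        "unique_countries": len({r["cc"] for r in recs}),
        "change_rate": changes / max(len(ips) - 1, 1),
        "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        "ttl_seconds": ttl_seconds,
    }
    flags = []
    if ttl_seconds <= max_ttl:
        flags.append("short TTL")
    if report["unique_ips"] >= min_ips and report["change_rate"] >= min_change_rate:
        flags.append("high IP churn")
    if report["unique_asns"] >= min_asns:
        flags.append("answers spread over many ASNs")
    report["flags"] = flags
    # All three together is the fast-flux pattern; any one alone can be benign (CDNs, round robin).
    report["likely_fast_flux"] = len(flags) == 3
    return report


if __name__ == "__main__":
    print(assess_fast_flux(load_resolutions(FLUX_SAMPLE), ttl_seconds=300))
    print(assess_fast_flux(load_resolutions(STABLE_SAMPLE), ttl_seconds=86400))
```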

2014-07-11 01:49:53-05 31.202.226.233 31.202.224.0/22 FORMAT-TV-AS MSP Format Ltd.,UA 6712 UA ripencc
2014-07-11 01:49:53-05 46.33.59.6 46.33.56.0/22 BLACKSEA TV Company _Black Sea_ Ltd,UA 31593 UA ripencc
2014-07-11 01:49:53-05 46.149.179.87 46.149.179.0/24 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 01:49:53-05 82.112.53.75 82.112.32.0/19 KTEL-AS K Telecom Ltd.,RU 48642 RU ripencc
2014-07-11 01:49:53-05 95.133.181.160 95.133.128.0/18 UKRTELNET JSC UKRTELECOM,UA 6849 UA ripencc
2014-07-11 01:49:53-05 109.86.112.170 109.86.112.0/22 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 01:49:53-05 124.197.73.68 124.197.64.0/18 MOBILEONELTD-AS-AP MobileOne Ltd. Mobile/Internet Service Provider Singapore,SG 4773 SG apnic
2014-07-11 01:49:54-05 178.137.97.155 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 01:49:54-05 217.112.220.202 217.112.208.0/20 TELEPORTSV PrivateJSC DataGroup,UA 15785 UA ripencc
2014-07-11 02:08:05-05 94.76.127.113 94.76.127.0/24 FREENET-AS Freenet Ltd.,UA 31148 UA ripencc
2014-07-11 02:08:05-05 213.231.6.9 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:08:05-05 37.57.203.171 37.57.200.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 02:29:13-05 31.40.33.46 31.40.32.0/19 GORSET-AS Gorodskaya Set Ltd.,RU 49776 RU ripencc
2014-07-11 02:29:13-05 37.53.73.152 37.52.0.0/14 6849 6877 UA ripencc
2014-07-11 02:29:14-05 46.119.213.230 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:29:14-05 46.175.73.188 46.175.64.0/20 MEDIANA-AS Mediana ltd.,UA 56347 UA ripencc
2014-07-11 02:29:14-05 176.73.87.120 176.73.0.0/17 CAUCASUS-CABLE-SYSTEM Caucasus Online Ltd.,GE 20771 GE ripencc
2014-07-11 02:29:14-05 178.219.91.40 178.219.90.0/23 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 02:29:14-05 185.14.102.108 185.14.102.0/24 ORBITA-PLUS-AS ORBITA-PLUS Autonomous System,KZ 21299 KZ ripencc
2014-07-11 02:29:14-05 195.225.147.101 195.225.144.0/22 UA-LINK-AS NPF LINK Ltd.,UA 34359 UA ripencc
2014-07-11 02:50:03-05 46.150.74.97 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 46.150.91.162 46.150.64.0/19 VIVANET-AS Vivanet Ltd,UA 44728 UA ripencc
2014-07-11 02:50:04-05 76.14.215.195 76.14.192.0/18 WAVE-CABLE - Wave Broadband,US 32107 US arin
2014-07-11 02:50:04-05 82.193.220.254 82.193.192.0/19 VODATEL-AS Metronet telekomunikacije d.d.,HR 25528 HR ripencc
2014-07-11 02:50:04-05 178.136.227.61 178.136.226.0/23 ALKAR-AS PRIVATE JOINT-STOCK COMPANY _FARLEP-INVEST_,RU 6703 UA ripencc
2014-07-11 02:50:04-05 178.137.69.209 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 02:50:04-05 194.28.176.201 194.28.176.0/22 KUZNETSOVSK-AS FOP Chaika Nadija Jakivna,UA 197073 UA ripencc
2014-07-11 02:50:04-05 212.87.183.197 212.87.160.0/19 EDN-AS Online Technologies LTD,UA 45025 UA ripencc
2014-07-11 02:50:04-05 213.231.12.80 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 02:50:04-05 46.119.175.13 46.119.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:01-05 46.33.50.175 46.33.48.0/21 LIS Telecompany LiS LTD,UA 35588 UA ripencc
2014-07-11 03:09:04-05 46.98.237.27 46.98.0.0/16 FREGAT-AS ISP _Fregat_ Ltd.,UA 15377 UA ripencc
2014-07-11 03:09:04-05 46.185.73.100 46.185.64.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:09:04-05 79.164.171.236 79.164.0.0/16 CNT-AS OJSC Central telegraph,RU 8615 RU ripencc
2014-07-11 03:09:04-05 91.244.137.151 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 03:09:05-05 109.86.234.51 109.86.232.0/21 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 03:09:05-05 109.207.121.193 109.207.112.0/20 TELELAN-AS Teleradiocompany TeleLan LLC,UA 196740 UA ripencc
2014-07-11 03:09:05-05 176.108.235.203 176.108.232.0/22 SKM-AS PE Yaremenko O.V.,UA 39422 UA ripencc
2014-07-11 03:09:05-05 193.106.82.45 193.106.80.0/22 DATAGROUP PRIVATE JOINT STOCK COMPANY _DATAGROUP_,UA 21219 UA ripencc
2014-07-11 03:09:05-05 31.129.65.152 31.129.64.0/19 ASDNEPRONET Dnepronet Ltd.,UA 51069 UA ripencc
2014-07-11 03:09:05-05 37.232.181.13 37.232.160.0/19 INTERNET-CENTER-AS Net By Net Holding LLC,RU 42420 RU ripencc
2014-07-11 03:29:59-05 109.201.240.84 109.201.224.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:00-05 141.101.11.69 141.101.0.0/19 WILDPARK-AS ISP WildPark, Ukraine, Nikolaev,UA 31272 UA ripencc
2014-07-11 03:30:00-05 188.230.1.99 188.230.0.0/21 ABUA-AS LLC AB Ukraine,UA 43266 UA ripencc
2014-07-11 03:30:01-05 46.119.134.13 46.118.0.0/15 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:30:01-05 77.79.140.237 77.79.128.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 03:30:01-05 77.121.125.112 77.121.96.0/19 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 03:30:01-05 77.123.241.141 77.123.224.0/19 IVC IVC-Donbass Ltd,UA 48169 UA ripencc
2014-07-11 03:48:03-05 213.231.4.163 213.231.0.0/18 BREEZE-NETWORK TOV TRK _Briz_,UA 34661 UA ripencc
2014-07-11 03:48:03-05 5.248.133.146 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 03:48:03-05 81.163.136.160 81.163.128.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 91.244.232.200 91.244.232.0/22 VITA-AS Teleradiokompaniya Vizit-A Limited Liability Company,UA 197175 UA ripencc
2014-07-11 03:48:03-05 176.112.17.229 176.112.0.0/19 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 03:48:03-05 176.124.1.31 176.124.0.0/19 DIDAN-AS Didan Group LTD,UA 47694 UA ripencc
2014-07-11 03:48:03-05 193.93.238.13 193.93.236.0/22 STAVSET-AS Kvartal Plus Ltd,RU 49325 RU ripencc
2014-07-11 04:09:03-05 46.118.136.44 46.118.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 46.172.128.249 46.172.128.0/19 UTEAM-AS Uteam LTD,UA 49125 UA ripencc
2014-07-11 04:09:05-05 94.41.219.215 94.41.192.0/18 UBN-AS OJSC _Ufanet_,RU 24955 RU ripencc
2014-07-11 04:09:05-05 109.162.59.249 109.162.0.0/18 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 178.45.188.246 178.45.160.0/19 OJSC Rostelecom,RU 15500 RU ripencc
2014-07-11 04:09:05-05 178.88.215.41 178.88.0.0/16 KAZTELECOM-AS JSC Kazakhtelecom,KZ 9198 KZ ripencc
2014-07-11 04:09:05-05 188.163.29.68 188.163.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:09:05-05 5.14.25.76 5.12.0.0/14 RCS-RDS RCS & RDS SA,RO 8708 RO ripencc
2014-07-11 04:09:05-05 5.248.99.163 5.248.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:48-05 178.151.23.241 178.151.22.0/23 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:27:50-05 31.169.23.129 31.169.20.0/22 DTVKZ-AS JSC Kazakhtelecom,KZ 39725 KZ ripencc
2014-07-11 04:27:50-05 77.122.235.167 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 78.62.94.153 78.62.80.0/20 TEOLTAB TEO LT AB Autonomous System,LT 8764 LT ripencc
2014-07-11 04:27:50-05 89.209.96.231 89.209.0.0/16 MTS MTS OJSC,RU 8359 UA ripencc
2014-07-11 04:27:50-05 93.79.143.194 93.79.128.0/17 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:27:50-05 176.8.79.228 176.8.0.0/16 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:27:50-05 178.141.98.171 178.141.0.0/16 MTS-KRV-AS MTS OJSC,RU 44677 RU ripencc
2014-07-11 04:49:18-05 176.113.146.32 176.113.144.0/20 BELICOM-AS FOP Bilenkiy Olexander Naumovich,UA 44010 UA ripencc
2014-07-11 04:49:21-05 178.137.109.91 178.137.0.0/17 KSNET-AS _Kyivstar_ PJSC,UA 15895 UA ripencc
2014-07-11 04:49:21-05 213.111.226.174 213.111.192.0/18 MAINSTREAM-AS PP MainStream,UA 44924 UA ripencc
2014-07-11 04:49:21-05 217.73.84.131 217.73.80.0/21 INFOMIR-NET Infomir JSC,UA 44291 UA ripencc
2014-07-11 04:49:21-05 5.20.162.237 5.20.160.0/19 CGATES-AS UAB _Cgates_,LT 21412 LT ripencc
2014-07-11 04:49:21-05 5.105.1.241 5.105.0.0/16 CDS-AS Cifrovye Dispetcherskie Sistemy,UA 43554 UA ripencc
2014-07-11 04:49:21-05 77.122.193.42 77.122.192.0/18 VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC,UA 25229 UA ripencc
2014-07-11 04:49:21-05 91.225.162.98 91.225.160.0/22 ASSPDCHERNEGA SPD Chernega Aleksandr Anatolevich,UA 56400 UA ripencc
2014-07-11 04:49:21-05 91.236.249.33 91.236.248.0/22 SNAK-AS IP-Connect LLC,UA 57944 UA ripencc
2014-07-11 04:49:21-05 91.244.139.49 91.244.128.0/20 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 04:49:21-05 109.86.76.58 109.86.64.0/20 BANKINFORM-AS TOV _Bank-Inform_,UA 13188 UA ripencc
2014-07-11 04:49:21-05 176.36.67.204 176.36.0.0/14 LANETUA-AS Lanet Network Ltd.,UA 39608 UA ripencc
2014-07-11 05:08:15-05 46.46.96.199 46.46.64.0/18 FLAGMAN-AS TOV _Flagman Telecom_,UA 48045 UA ripencc
2014-07-11 05:08:16-05 46.149.178.203 46.149.176.0/20 ISP-KIM-NET Kalush Information Network LTD,UA 197522 UA ripencc
2014-07-11 05:08:16-05 95.37.213.26 95.37.128.0/17 NMTS-AS OJSC Rostelecom,RU 25405 RU ripencc
2014-07-11 05:08:16-05 178.251.109.168 178.251.104.0/21 DATALINE-AS Dataline LLC,UA 35297 UA ripencc
2014-07-11 05:08:17-05 31.41.128.57 31.41.128.0/21 ANOXIN FIZICHNA OSOBA-PIDPRIEMEC ANOHIN IGOR VALENTINOVICH,UA 39056 UA ripencc
2014-07-11 05:27:32-05 81.90.233.231 81.90.233.0/24 RADIOCOM-AS RadioCom ISP Autonomous System,UA 25071 UA ripencc
2014-07-11 05:27:32-05 81.162.70.217 81.162.64.0/20 GIGABYTE-AS Private Company Center for Development Information Technology _Gigabyte_,UA 198293 UA ripencc
2014-07-11 05:27:32-05 89.44.89.68 89.44.88.0/22 DNC-AS IM Data Network Communication SRL,MD 41053 RO ripencc
2014-07-11 05:27:32-05 91.244.148.241 91.244.144.0/21 PERVOMAYSK-AS PP _SKS-Pervomaysk_,UA 44798 UA ripencc
2014-07-11 05:27:32-05 188.168.94.122 188.168.0.0/16 TTK-RTL Closed Joint Stock Company TransTeleCom,RU 15774 RU ripencc
2014-07-11 05:27:32-05 62.80.161.77 62.80.160.0/19 INTERTELECOM-AS PJSC Inter-Telecom,UA 25386 UA ripencc
2014-07-11 05:30:03-05 198.105.254.240 198.105.254.0/24 SGINC - Search Guide Inc,US 36029 US arin
2014-07-11 05:30:03-05 198.105.244.240 198.105.244.0/24 SGINC - Search Guide Inc,US 36029 US arin

Wednesday, July 09, 2014

Roman Seleznev (AKA Bulba, AKA Track2, AKA NCUX) appears in US Court in Guam

The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev, who has appeared in court in the US territory of Guam after being arrested in the Maldives. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the Carder.su website (see The Carder.su indictment: United States v. Kilobit et al.), but that was only the first part of Seleznev's trouble. Until this weekend, the original 27-page indictment against Seleznev in the Western District of Washington was under court seal.

In the Kilobit/Las Vegas indictment, the charges are that Seleznev did "Participate in a Racketeer Influenced Corrupt Organization [RICO]" and "Participated in a Conspiracy to Engage in a Racketeer Influenced Corrupt Organization."

The whole group are described in the indictment like this:

"The defendants herein, and others known and unknown, are members of, employed by, and associates of a criminal organization, hereafter referred to as "the Carder.su organization," whose members engage in acts of identity theft and financial fraud, including, but not limited to, acts involving trafficking in stolen means of identification; trafficking in, production and use of couterfeit identification documents; identity theft; trafficking in, production and use of unauthorized and counterfeit access devices; and bank fraud; and whose members interfere with interstate and foreign commerce through acts of identity theft and financial fraud. Members and associates of the Carder.su organization operate principally in Las Vegas, Nevada, and elsewhere.

The important thing to understand about RICO is that as PART OF THE CORRUPT ORGANIZATION all of the charged members are sentenced as if the whole group did all of the crimes.

What does that mean to Seleznev? In Las Vegas, Nevada, Seleznev is being charged with being part of a RICO group that is credited with directly causing, in actual measured and aggregated fraudulent transaction losses, $50,893,166.35!!

But before Vegas gets their hands on him, Seleznev will face charges in the Western District of Washington for Case # 2:11-cr-0070-RAJ-1.

In that case, Roman Seleznev, AKA TRACK2, AKA Roman Ivanov, AKA Ruben Samvelich, AKA nCuX, AKA Bulba, AKA bandysli64, AKA smaus, AKA Zagreb, AKA shmak is charged with:

(Counts 1-5) Bank Fraud 18:1344 & 2
(6-13) Intentional Damage to a Protected Computer 18:1030(a)(5)(A) & 1030(c)(4)(B)(i) & 2
(14-21) Obtaining Information From a Protected Computer 18:1030(a)(2) & 1030(c)(2)(ii) & 2
(22) Possession of Fifteen or More Unauthorized Access Devices 18:1029(a)(3) & 1029(c)(1)(A)(i) & 2
(23-24) Trafficking in Unauthorized Access Devices 18:1029(a)(2) & 1029(c)(1)(A)(i) & 2
(25-29) Aggravated Identity Theft 18:1028(a)(1) & 2

This 27-page indictment, filed March 3, 2011, was unsealed on July 6, 2014, when Seleznev appeared in court in Guam.

Washington charges that Seleznev "knowingly and willfully devised and executed and aided and abetted a scheme and artifice to defraud various financial institutions, including, but not limited to, Boeing Employees' Credit Union, Chase Bank, Capital One, Citibank, and Keybank, and to obtain moneys, funds, and credits under the custody and control of the banks by means of material false and fraudulent pretenses, representations and promises, as further described below."

Seleznev would:

  1. hack into retail businesses,
  2. install malicious computer code onto those hacked computers,
  3. and use the malware to steal credit card numbers from the victim businesses' customers
  4. market and sell the stolen credit card numbers on "criminally inspired" websites
  5. thus allowing these cards and the associated accounts to be used for fraudulent purposes by the customers of his service.
Seleznev's malware was primarily controlled from a server named shmak.fvds.ru or smaus.fvds.ru at the IP address 188.120.225.66, housed in a data center in Irkutsk, in the Russian Federation. (That IP-name mapping is confirmed by Internet Identity's historical Passive DNS systems in May 2010.) A collection of malware was found at the root of that site, including samples named shmak, shmak2, kameo, hameo, zameo, dtc, dtc2, dtc4, rsca, remcomsvc, and others. FVDS.RU is a "third level domain" system that is attractive to criminals wishing to host malware on dedicated hostnames without having their ownership of the hostname tracked through WHOIS services or credit card payments.

Seleznev's websites for selling cards were primarily bulba.cc, secure.bulba.cc, Track2.name, and secure.Track2.name.

The targeted businesses usually had several "point of sale" terminals "up front" and a "back of the house computer" which may have been a server or perhaps even just the manager's computer.

Some of Seleznev's victims included:

The Broadway Grill - 32,000 unique credit card numbers from Dec 1, 2009 to Oct 22, 2010

Grand Central Baking Company in Seattle, WA

four Mad Pizza restaurants (three in Seattle, one in Tukwila, WA)

Village Pizza in Anacortes, WA

Casa Mia Italian in Yelm, WA.

Schlotsky's Deli in Coeur d'Alene, Idaho

Active Networks in Frostburg, MD

Days Jewelry in Waterville, Maine

Latitude Bar and Grill, NY, NY

Mary's Pizza Shack in Sonoma, CA

City News Stand in Chicago and Evanston, IL

Bulba would advertise when he had new cards for sale, claiming as many as 17,000 "Fresh Dumps" (newly stolen and never before used for fraud) cards and offering guarantees, including free replacement for cards that were declined. Seleznev/Bulba's cards were of such high quality that the owners of the popular crdsu.su and carder.biz allowed Seleznev and others to assume Monopoly status as the preferred card vendors for their boards, which were extremely prevalent in the underground.

According to the newly unsealed indictment, Seleznev personally stole (through his malware) more than 200,000 cards, and successfully sold over 140,000 of those cards through his websites bulba.cc and Track2.name between November 15, 2010 and February 22, 2011, generating direct illicit profits in excess of $2,000,000 USD.

Just the cards stolen by Seleznev at the Broadway Grill have been associated with $79,317 in fraudulent charges, and all of the cards stolen by Seleznev are responsible for actual fraud charges of at least $1,175,217.37.

November 15-16, 2010, $83,490 in charges were made against Boeing Employees Credit Union cards.

Jan 31-Feb 1, 2011, $30,716 in charges against BECU.

Seleznev will have a hearing in Guam on July 22, and then be transferred to the Seattle courts.

Seleznev Diplomatic Spat with Russia?

The story is growing into an international diplomatic spat, as a Russian politician and member of the Duma, Valery Seleznev, is the father of the cyber criminal. In a statement from the Russian Foreign Ministry, the Russians accuse the Maldives of ignoring their Bilateral Treaty of 1999 on Mutual Assistance in Criminal Matters. The statement says this is the third recent case of a similar situation, citing the examples of Viktor Bout and K.V. Yaroshenko as other recent cases where the US has forcibly taken a Russian citizen from a third country to stand trial in the United States. I strongly agree with the statement at the close of their statement, where they "strongly encourage our countrymen to pay attention to the cautions posted by the Russian Foreign Ministry on their website about the risks associated with foreign travel, if there is a suspicion that U.S. law enforcement agencies can charge them with any crime."

Who are these others who are mentioned? Viktor Bout (Виктор Анатольевич Бут) was arrested in Thailand in 2008 and extradited in 2010 to stand trial on terrorism charges for delivering anti-aircraft missiles to FARC in Colombia. He was convicted by a jury in Manhattan. (More from The Guardian.) Konstantin Yaroshenko, a pilot for cocaine smugglers, was arrested by the DEA in May 2010 when he landed his plane in Monrovia, Liberia, while trying to negotiate a $4.5 million contract to deliver 5 tons of cocaine from Colombia to West Africa. Yaroshenko was knowingly working with smugglers who were raising funds for the Colombian terror group FARC. (See Superseding Indictment.)

Tuesday, July 08, 2014

E-ZPass Spam leads to Location Aware Malware

Jump to bottom for update list of malicious URLs

If you drive in a city with toll roads, you are familiar with the E-Z Pass System. If you are, you may have been tempted to click on an email that looked like this:
A quick search in the Malcovery Security Spam Data Mine revealed these related emails:

    date    |                subject                |           sender_name           
------------+---------------------------------------+---------------------------------
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
 2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
 2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
 2014-07-08 | Pay for driving on toll road          | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
 2014-07-08 | Payment for driving on toll road      | E-ZPass Info
But the destination websites are certainly not on E-Z Pass's domains!
          machine          |                               path                                
---------------------------+-------------------------------------------------------------------
 www.federalparts.com.ar   | /tmp/api/3eLv aFKXBvmuxydKFVfEZIMWSl7f4VJfOpfcdAHPeo=/toll
 www.fiestasnightclub.com  | /tmp/api/kJ1a5XRhE7MM9YhRVR1186why1TgPCPH7aieECyjb I=/toll
 www.flavazstylingteam.com | /tmp/api/vBrLdEDWRK4sXs6KaHEbWzHnbEYIFSo42BZvGd4crCY=/toll
 www.fleavalley.com        | /tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll
 www.frazeryorke.com       | /wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll
 www.fsp-ugthuelva.org     | /tmp/api/fMVyiIXcbY9gamr17zPrnhTgz2Zvs825GTmvvRjlTIA=/toll
 www.fyaudit.eu            | /components/api/yiBOsvUdvftbCd4Fa1zmVtIkbs4x3ThiUnFoIgwyI9Q=/toll
 www.giedrowicz.pl         | /tmp/api/R4a4iKmACUtWoRHq1DsCiQ1aH 3J7QgBMfp1zq8gqj8=/toll
 www.gostudy.ca            | /components/api/Q/sV7HtfnZGOW4lzlLSfFuKM/lLu8LQmOlT TVXKb2o=/toll
 www.graphiktec.com        | /tmp/api/nZbX6I6vYQrsTlY4OAw44Qq96Lnw/JOoLDdBmdLh21M=/toll
 www.h2oasisinc.com        | /components/api/BivlBt/AhVodCMM9zRuvcQpIyG2X6Knd8sERnP1 QDA=/toll
 www.habicher.eu           | /tmp/api/yra96tiDlyYbYxsbJpr/hDVSPmwh6GKYLF6PaD3nUAI=/toll
 www.grupoancon.com        | /components/api/6jI99hwDmjAvkEvuX8JvVSkS3InPtLii ZN3dbIVkOM=/toll
 www.happymaree.com.au     | /tmp/api/d4ik5Y2GvCVSSJQhXI9wYYpBvxjLS78peeRYMKV0V7c=/toll
 www.headspokerfest.com    | /tmp/api/RTuPCuYLjaj1KnTeJrMlCoH9HL4IixR eBvajB6TCeE=/toll
 www.headspokerfest.com    | /tmp/api/43J6l5G/CkNp6kmGl0b jUY/oOL4411pPds8nylDE5g=/toll
When we visit one of the URLs, we are prompted to download a .zip file, containing a .exe file.

Both are conveniently named for the City and ZIP Code from which we are connected.

For example:

When we run this malware, it attempts to make contact with the following C&C locations:

76.74.184.127:443
113.53.247.147:443
50.57.139.41:8080
188.165.192.116:8080
82.150.199.140:8080
203.157.142.2:8080
212.45.17.15:8080
92.240.232.232:443
188.165.192.116:8080
At Malcovery Security, we've been tracking the ASProx botnet for some time, and most of these IP addresses were already known to us as ASProx infrastructure. This is the same botnet that sent the Holiday Delivery Failure spam imitating Walmart, CostCo, and BestBuy over the holidays and that sent the Court Related Malware through the early months of 2014.

Thanks to some updates from new friends on Twitter, we wanted to give an update on what we are seeing in the Malcovery Spam Data Mine. Because every advertised URL is unique, we have taken the approach of replacing the "unique stuff" with "...STUFF..." in the URLs below. The important part is that we realize that anything that you see in your logs that includes either "tmp/api" or "wp-content/api" or "components/api" and then some "STUFF" and then "=/toll" is going to be one of these URLs that is part of the current E-Z Pass spam, which began on July 8th and is still continuing here on July 12th. If you have access to Very Large Logs, we'd love to get YOUR URLs of this pattern to see if we can help webmasters identify and shut this stuff down. Note the alphabetical progression through compromised domain names? These are sorted by timestamp, not by domain name. It just so happens those are the same thing. We believe the criminals have a very large list of pre-compromised domains that they can use at will. Possibly these are just harvested passwords from other malware campaigns.

This malware is the ASProx malware. If anyone has more details on the "what happens next?" part of the malware, please do share. What we have observed and been told is that infected machines are primarily used for advertising click-fraud, but we are happy to learn more about those aspects and share what we learn.

2014-07-08 10:15:00-05 www.fiestasnightclub.com "/tmp/api/..STUFF…=/toll
2014-07-08 11:15:00-05 www.flavazstylingteam.com "/tmp/api/..STUFF…=/toll
2014-07-08 11:20:00-05 www.fleavalley.com "/tmp/api/..STUFF…=/toll
2014-07-08 13:20:00-05 www.fsp-ugthuelva.org "/tmp/api/..STUFF…=/toll
2014-07-08 13:30:00-05 www.frazeryorke.com "/wp-content/api/…STUFF…=/toll
2014-07-08 14:10:00-05 www.fyaudit.eu "/components/api/…STUFF…=/toll
2014-07-08 15:30:00-05 www.giedrowicz.pl "/tmp/api/..STUFF…=/toll
2014-07-08 16:40:00-05 www.gostudy.ca "/components/api/…STUFF…=/toll
2014-07-08 17:45:00-05 www.graphiktec.com "/tmp/api/..STUFF…=/toll
2014-07-08 18:45:00-05 www.h2oasisinc.com "/components/api/…STUFF…=/toll
2014-07-08 18:50:00-05 www.habicher.eu "/tmp/api/..STUFF…=/toll
2014-07-08 19:00:00-05 www.grupoancon.com "/components/api/…STUFF…=/toll
2014-07-08 19:20:00-05 www.headspokerfest.com "/tmp/api/..STUFF…=/toll
2014-07-08 19:30:00-05 www.happymaree.com.au "/tmp/api/..STUFF…=/toll
2014-07-09 01:10:00-05 www.ingersollpharmasave.ca "/components/api/…STUFF…=/toll
2014-07-09 01:30:00-05 www.improlabsa.com "/components/api/…STUFF…=/toll
2014-07-09 01:45:00-05 www.innovem.nl "/components/api/…STUFF…=/toll
2014-07-09 02:00:00-05 www.intelliwaste.net "/components/api/…STUFF…=/toll
2014-07-09 04:15:00-05 www.investment-mastery.com "/wp-content/api/…STUFF…=/toll
2014-07-09 05:50:00-05 www.islandbiblechapel.com "/tmp/api/..STUFF…=/toll
2014-07-09 06:15:00-05 www.ironstoneranch.com "/tmp/api/..STUFF…=/toll
2014-07-09 13:00:00-05 www.klaafalaaf.de "/components/api/…STUFF…=/toll
2014-07-09 20:00:00-05 www.listerus-capital.com "/components/api/…STUFF…=/toll
2014-07-10 00:10:00-05 www.learn-a-language.eu "/components/api/…STUFF…=/toll
2014-07-10 06:30:00-05 www.mindsolutions.sk "/components/api/…STUFF…=/toll
2014-07-10 07:15:00-05 www.mintom.it "/components/api/…STUFF…=/toll
2014-07-10 14:00:00-05 www.moretrends.de "/tmp/api/..STUFF…=/toll
2014-07-10 15:00:00-05 www.nortech.com.au "/components/api/…STUFF…=/toll
2014-07-10 18:30:00-05 www.p-press.com "/components/api/…STUFF…=/toll
2014-07-11 00:00:00-05 www.porno-sexshop.ch "/tmp/api/..STUFF…=/toll
2014-07-11 01:00:00-05 www.powiatstargardzki.eu "/components/api/…STUFF…=/toll
2014-07-11 02:00:00-05 www.projectstc.org "/components/api/…STUFF…=/toll
2014-07-11 08:15:00-05 www.radmotors.com.pl "/components/api/…STUFF…=/toll
2014-07-11 10:10:00-05 www.reportsolutions.com "/components/api/…STUFF…=/toll
2014-07-11 16:00:00-05 www.search4staff.com "/components/api/…STUFF…=/toll
2014-07-11 18:00:00-05 www.sirman.us "/tmp/api/..STUFF…=/toll
2014-07-11 20:30:00-05 www.stjosephbristol.org "/components/api/…STUFF…=/toll
2014-07-11 21:15:00-05 www.stpat.nsw.edu.au "/components/api/…STUFF…=/toll
2014-07-12 15:00:00-05 avauncemarketing.net "/wp-content/api/…STUFF…=/toll
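The URL pattern described above and the C&C list earlier in this post are simple to turn into log checks. The Python below is an added example, not Malcovery's tooling: it matches the prefix/token/"=/toll" shape against the URL field of Squid-style proxy log lines, extracts the compromised hosts for a webmaster-notification list, and matches flow-log lines against the IP:port pairs listed above. The log lines are constructed, and their layouts (Squid native format for the proxy log, a plain space-separated flow record for the connection log) are assumptions, so adjust the field indexes to your own logs.

```python
import re
from urllib.parse import urlparse

# URL-path shape from the post: one of three directory prefixes, then "api/",
# a unique base64-looking token ending in "=", then "/toll". The spaces seen in
# a few captured paths are URL-decoded '+' characters, so '+' and '%' are allowed.
TOLL_LURE_RE = re.compile(
    r"/(?:tmp|wp-content|components)/api/[A-Za-z0-9+/%]+=/toll(?:[/?#]|$)"
)

# C&C sockets the post lists for the dropped sample, as (ip, port) pairs.
ASPROX_CNC = {
    ("76.74.184.127", 443),
    ("113.53.247.147", 443),
    ("50.57.139.41", 8080),
    ("188.165.192.116", 8080),
    ("82.150.199.140", 8080),
    ("203.157.142.2", 8080),
    ("212.45.17.15", 8080),
    ("92.240.232.232", 443),
}


def is_toll_lure(url_or_path):
    """True if a URL or bare path has the E-ZPass lure shape."""
    return TOLL_LURE_RE.search(url_or_path) is not None


def is_cnc_socket(ip, port):
    """True if (ip, port) is one of the listed C&C sockets; port may be a string."""
    return (ip, int(port)) in ASPROX_CNC


def scan_proxy_log(lines):
    """Squid native access.log: time elapsed client action/code bytes method url ...
    Returns (client_ip, url) for each request matching the lure pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 7 and is_toll_lure(fields[6]):
            hits.append((fields[2], fields[6]))
    return hits


def lure_hosts(lines):
    """Compromised web hosts seen serving the lure, for a takedown/notification list."""
    return sorted({urlparse(url).hostname for _, url in scan_proxy_log(lines)})


def scan_conn_log(lines):
    """Assumed flow-log shape: time src_ip src_port dst_ip dst_port proto.
    Returns (src_ip, dst_ip, dst_port) for every connection to a listed C&C socket."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 6 and is_cnc_socket(f[3], f[4]):
            hits.append((f[1], f[3], int(f[4])))
    return hits


# Constructed sample data (hosts/paths for the two hits are taken from the post).
SAMPLE_PROXY_LOG = [
    "1404853500.101    215 10.0.0.17 TCP_MISS/200 12288 GET http://www.fleavalley.com/tmp/api/ycI2IRHcInDd1/cetyLMZMjwyxKxTAEHFkjk1dRUfYs=/toll - HIER_DIRECT/203.0.113.5 application/zip",
    "1404853501.220     48 10.0.0.17 TCP_MISS/200 3410 GET http://example.com/wp-content/uploads/toll.pdf - HIER_DIRECT/203.0.113.6 application/pdf",
    "1404853590.555    190 10.0.0.23 TCP_MISS/200 12288 GET http://www.frazeryorke.com/wp-content/api/LtvaZdAvP3GFuaqyulY/C3haFCeID3krbtMHt52cdnM=/toll - HIER_DIRECT/203.0.113.7 application/zip",
]
SAMPLE_CONN_LOG = [
    "2014-07-08T20:01:12 10.0.0.17 49211 76.74.184.127 443 tcp",
    "2014-07-08T20:01:13 10.0.0.17 49212 198.51.100.9 443 tcp",
    "2014-07-08T20:01:15 10.0.0.23 49300 188.165.192.116 8080 tcp",
    "2014-07-08T20:01:16 10.0.0.23 49301 188.165.192.116 80 tcp",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("lure download:", client, url)
    print("compromised hosts:", lure_hosts(SAMPLE_PROXY_LOG))
    for src, dst, port in scan_conn_log(SAMPLE_CONN_LOG):
        print("C&C contact:", src, "->", f"{dst}:{port}")
```

A proxy hit on its own means a user fetched the lure zip; a C&C hit from the same client a few minutes later means the .exe inside it was run, which is the combination worth paging on.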

Disk57.com, Cutwail, and Tearing Down Offending Infrastructure

Sometimes I am so impressed by the things my employees at Malcovery discover as they work through the various email-based threats we process and report about for our customers. Brendan, Wayne, and J evaluate and document hundreds of malware threats each week from our Spam Data Mine and because of their daily interactions with so much malware notice patterns that others miss. I've been asking them to be especially mindful of what the Cutwail spammers are moving to next as the GameOver Zeus era moves to a close, and Brendan did a great job of covering that over on the Malcovery Blog in the article How Spammers Are Filling the Gameover Zeus Void.

June 16 - Disk57.com first sighted

On June 16, 2014, Brendan and the team noticed three spam campaigns that were all distributing the same malware. The email subjects were:

Subject: USPS - Missed package delivery
Subject: You have received a new fax
Subject: Scanned Image from a Xerox WorkCentre

The files attached to those messages included:

USPS1758369.zip - (22,331 bytes) - MD5: 73c4758a84c4a0e24e4f34db69584d26
(VirusTotal results at report time: 3/54)

Scan.zip - (22,329 bytes) - MD5: cbfb3f1e40b30d01f4dda656d7f576e7
(VirusTotal results at report time: 3/54)

IncomingFax.zip - 22,329 bytes - MD5: 048dcc8c9639d2e8ccea362fdb5f7d3e
(VirusTotal results at report time: 3/54)

All three of those .zip files contained the same binary, with the varying names, USPS06162014.scr, Scan.scr, and IncomingFax.scr.

(40,960 bytes) - MD5: 36e264de2cb3321756a511f6c90510f5

(VirusTotal results at report time: 0/54)

By a week later, the detection rate was up to 38 of 46 AV products detecting this as malware, but at the time of the spam campaign, only Sophos and K7 had signature-based detection for the malware, though some vendors may have offered other types of protection.
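The point of the three .zip files above is that the attachment name varies while the binary inside does not, and that signature coverage was close to zero on the day of the campaign. As an added example (not Malcovery's tooling), the Python below is a mail-gateway style triage routine: it opens an attached .zip in memory, flags any member with an executable extension or an MZ header regardless of its file name, and compares each member's MD5 against the hashes quoted in this post. The zip and the stand-in .scr payload are constructed (a bare MZ header plus filler, not malware), so the stand-in will not match the real hashes; the hash path is exercised by passing a hash of the stand-in itself.

```python
import hashlib
import io
import zipfile

# MD5s quoted in this post for the droppers and the Cutwail binary.
KNOWN_BAD_MD5 = {
    "36e264de2cb3321756a511f6c90510f5",  # June 16 .scr (40,960 bytes)
    "66dcf2e32aa902e2ffd4c06f5cb23b43",  # June 30 .scr
    "870c63c4420b6f187066a94ef6c56dc6",  # July 3 .scr (23,040 bytes)
    "84822121b11cce3c8a75f27c1493c6bb",  # b02.exe (Cutwail)
}

# Extensions Windows runs on double-click. A .scr "screensaver" is a plain
# PE executable, which is why these campaigns used it.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage_zip(zip_bytes, known_bad=KNOWN_BAD_MD5):
    """Inspect every member of a zip held in memory and return one finding per file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
            digest = md5_hex(data)
            findings.append({
                "name": name,
                "size": len(data),
                "md5": digest,
                "executable_ext": ext in EXECUTABLE_EXTS,
                "pe_header": data[:2] == b"MZ",   # catches renamed executables
                "known_bad": digest in known_bad,
            })
    return findings


def verdict(findings):
    """Hash match beats everything; otherwise any executable content is quarantined."""
    if any(f["known_bad"] for f in findings):
        return "block: known-bad hash"
    if any(f["executable_ext"] or f["pe_header"] for f in findings):
        return "quarantine: executable in archive"
    return "allow"


# Constructed stand-in for the .scr payload: an MZ header and filler, not malware.
STANDIN_SCR = b"MZ" + b"\x90" * 62 + b"constructed stand-in payload"


def build_sample_zip(member_name="Scan.scr", payload=STANDIN_SCR):
    """Build a zip in memory so the example runs with no files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Same payload under the three names the campaign used: identical MD5 each time.
    for member in ("USPS06162014.scr", "Scan.scr", "IncomingFax.scr"):
        findings = triage_zip(build_sample_zip(member))
        print(member, findings[0]["md5"], verdict(findings))
```

Hash matching only catches samples already reported; the extension and MZ checks are what would have stopped these on June 16, when 0 of 54 engines flagged the binary.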

Whichever of the three versions you downloaded, the SCR file was actually a PE-executable which would contact the site "disk57.com" in order to "check in" by hitting the file "gate.php" on that server. The Ukrainian server in question, 188.190.117.93, (AS197145, Kharkiv Infium LLC) had been seen previously communicating with malware on March 26 and March 27 using the domain name "malidini.com".

The registry was modified so that a copy of the .scr file (now named as an .exe) would be executed on the next start up due to a Policy statement located in "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\818107311".

This resulted in the download of a 7200 byte ".mod" file.
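The Policies\Explorer\Run location is inspected far less often than the ordinary Run and RunOnce keys, which is presumably why it was chosen. As an added example, not from the post, the Python below parses a registry export and reports every autostart value, flagging entries under the Policies key, entries whose value name is all digits (as the post's 818107311 is), and entries that point into user-writable directories. The .reg text is constructed: the post gives only the key path, so the Temp-directory path and the legitimate ctfmon entry are illustrative, and reading 818107311 as a value name under the Run key is an assumption.

```python
import re

# Autostart locations to inspect. The post's sample persisted under the third one.
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
# Directories a normal user can write to; legitimate autostarts rarely live there.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse [key] headers and "name"="string" lines of a .reg export into {key: {name: value}}.
    Non-string value types (dword:, hex:) are skipped; autostart values are strings."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                tree[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return tree


def find_autostart_entries(tree):
    """Every value under a known autostart key, each with a list of suspicion reasons."""
    entries = []
    for key, values in tree.items():
        subkey = key.split("\\", 1)[1] if "\\" in key else key
        low = subkey.lower()
        # Case-insensitive: exports may spell the key "policies" or "Policies".
        if not any(low == rk.lower() or low.startswith(rk.lower() + "\\") for rk in RUN_KEYS):
            continue
        for name, value in values.items():
            reasons = []
            if "\\policies\\explorer\\run" in low:
                reasons.append("policies_run_key")
            if re.fullmatch(r"\d+", name):
                reasons.append("numeric_value_name")
            if any(d in value.lower() for d in USER_WRITABLE):
                reasons.append("user_writable_path")
            entries.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return entries


def suspicious_entries(tree):
    return [e for e in find_autostart_entries(tree) if e["reasons"]]


# Constructed .reg export: one ordinary autostart and one shaped like the post's entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"818107311"="C:\\Users\\victim\\AppData\\Local\\Temp\\IncomingFax.exe"
"""

if __name__ == "__main__":
    for e in suspicious_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(e["key"], e["name"], "->", e["value"], e["reasons"])
```

On a live host the same three checks apply to the output of reg export or to the hive files pulled during triage; the value name and path are the two fields that distinguish this entry from the surrounding legitimate ones.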

More Disk57.com sightings

Disk57.com was also used as part of the malware infrastructure for malware samples distributed by the following spam campaigns:

June 16 - Wells Fargo 
June 17 - USPS
June 18 - HSBC
June 18 - Xerox
June 18 - New Fax
June 30 - HSBC - Subject: Avis de Paiement
June 30 - New Fax - Subject: You have received a new fax message
June 30 - Scanned Document - Subject: Scan de 
July 1 - BanquePopulaire
July 1 - French government
July 3 - Xerox
July 3 - UPS
July 3 - Wells Fargo

On June 30th, we saw the same technique used as in the June 16th campaigns: three different .zip files, each containing a differently named .scr file, where all of the samples had the same MD5 hash (MD5: 66dcf2e32aa902e2ffd4c06f5cb23b43 - VirusTotal detection 11/54 at report time).

As on June 16th, executing the .scr file resulted in an exchange with the "gate.php" file on disk57.com (188.190.117.93) and the download of a 7,200-byte ".mod" file.

This time, however, the exchange also resulted in a copy of the Cutwail binary, b02.exe, being downloaded from jasongraber.com (IP 192.64.181.14) at the path /css/b02.exe. b02.exe had a file size of 41,472 bytes - MD5: 84822121b11cce3c8a75f27c1493c6bb - VirusTotal detection 2/54 at report time.

Upatre Updated

On July 3rd, spam campaigns imitating Xerox, UPS, and Wells Fargo used this same technique again with email subjects:

Subject: Scan from a Xerox WorkCentre - seen 1209 times by Malcovery
Subject: New Fax: # pages - seen 288 times by Malcovery
Subject: IMPORTANT - Confidential documents - seen 88 times by Malcovery
Subject: UPS - Credit Card Billing Adjustment. Ref#(random) - seen 178 times by Malcovery

1,941 messages were sent to our Spam Data Mine from 1,037 different sending IP addresses.

The .zip files still contained .scr files that were all the same: file size 23,040 bytes - MD5: 870c63c4420b6f187066a94ef6c56dc6 - VirusTotal report: 1/53 at report time.

This time, however, the initial click resulted in three very different files being downloaded from three URLs. The downloaded malware behaved almost exactly like the UPATRE samples that were used to distribute the encrypted version of GameOver Zeus that we wrote about back in February. (See: GameOver Zeus Now Uses Encryption to Bypass Perimeter Security.)

UPATRE Update

The UPATRE malware that on July 3rd was signature-detected only by Sophos (under the less-than-useful name Mal/Generic-S) now has 43 detections at VirusTotal, although, as usual, most of the vendor names are of little use. Some call it Zbot.LDQ or Trojan/Win32.Zbot, but it clearly isn't Zeus; it is just a tiny downloader, which is what several vendors call it (Trojan.Win32.Tiny.bNKP). Several other vendors call it ransomware or Crypto-something-or-other (Trojan-Ransom.Win32.Cryptodef.oq, Win32/Ransom.ABOQAMB, TROJ_CRYPWALL.JER, Trojan.Win32.A.Cryptodef.23040), presumably because of what it downloads. Only Microsoft called it Upatre (TrojanDownloader:Win32/Upatre.AA), although that is clearly the consensus of the AV analysts we have discussed the sample with. In this case the job of UPATRE is to download files that CLAIM to be PDF files, "convert/unpack/decrypt" them into .exe files, and then launch those .exe files.

Three touches to the OVH (AS16276) IP address 94.23.247.202 resulted in three so-called PDF files being downloaded from repele.net (82.220.34.132), each requested under the name "css/agreement.pdf". UPATRE did its magic, converting each of these files into a binary executable:

agreement.pdf = 131,173 bytes - MD5: 354283b80cc9e63d872475175d20f14d

This became CryptoWall encryption ransomware (in our case named 09acd07.exe and located in a directory 09acd07): 183,296 bytes - MD5: 6238af3e78f3316ea5f0192cb8cf3167 - VirusTotal detection 14/53 at report time.

It made connections to three C&C servers:
- vivatsaultppc.com - 194.58.101.96 in Russia (AS39134)
- bolizarsospos.com - 194.58.101.3 in Russia (AS39134)
- covermontislol.com - 31.31.204.59 in Russia (AS12695)

After encrypting files, the victim is shown the following text, with a timer counting down from 168 hours:

Your files are encrypted. To get the key to decrypt the files you have to pay 750 USD/EUR. If payment is not made before 10/07/14 - 15:37 the cost of decrypting files will increase 2 times and will be 1500 USD/EUR

(Other files written to that subdirectory included DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.TXT, and DECRYPT_INSTRUCTION.URL.)

agreement-2.pdf = 51,266 bytes - MD5: 06a16a7701c748467a0b8bc79feb7f35

This became Cutwail spamming botnet malware, mshvsk.exe (random file name): 39,936 bytes - MD5: c1cc8b5eaf7f25449cfda0c6cd98b553 - VirusTotal detection 1/54 at report time.

It then began communicating with seven separate C&C servers:
- 91.217.90.125 in Russia (AS48031)
- 93.171.172.129 in Russia (AS29182)
- 93.170.104.81 in Netherlands (AS50245)
- 148.251.94.182 in Germany (AS24940)
- 91.237.198.93 in Russia (AS198681)
- 91.234.33.125 in Ukraine (AS56485)
- 91.221.36.184 in Russia (AS51724 - FLYNET)

agreement-3.pdf = 27,811 bytes - MD5: 19a1986f6fd0f243b02bba6cb77e9522

This became Andromeda botnet malware, gqxse.exe (random file name): 23,150 bytes - MD5: 8e6c9e794739e67969c6f81a5786d9e7 - VirusTotal detection 0/54 at report time.

It then called out to disk57.com / gate.php, the same check-in seen in the June campaigns.

What to do?

First and foremost, we need to get rid of Cutwail. This will be difficult as long as Russia continues to harbor its cyber criminals, allows them to bribe their way out of prison and into government offices and contracts, and seems to treat their rampant theft of American and European wealth as a form of economic development.

In the meantime, we need to smash their infrastructure at every chance we get: seize the hardware if we can, disable the routing of the traffic if we can't, and DEFINITELY block that infrastructure within our homes and companies!

Do yourself and your company a favor by sharing a link to this blog and recommending that your IT Security staff block the addresses shared above. If you live in a country where you can help, please do so!
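Blocking is the floor; you also want to know which machines already talked to this infrastructure. The script below is an added example, not Malcovery's code: it loads the domains and IP addresses named in this post as indicators, adds the two behavioural patterns the post documents (a gate.php check-in and a "PDF" or .exe fetched from a /css/ path), and runs them over web proxy log lines in Squid's native access.log format. Exact domain or IP matches mark a client for isolation; a path-only match is reported but treated as a weaker signal. The log lines are constructed for the example; the client addresses and the non-indicator hosts are not from any real network.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Network indicators taken from this post (the domains and IPs named above).
IOC_DOMAINS = {
    "disk57.com", "malidini.com", "jasongraber.com", "repele.net",
    "vivatsaultppc.com", "bolizarsospos.com", "covermontislol.com",
}
IOC_IPS = {
    "188.190.117.93", "192.64.181.14", "94.23.247.202", "82.220.34.132",
    "194.58.101.96", "194.58.101.3", "31.31.204.59",
    "91.217.90.125", "93.171.172.129", "93.170.104.81", "148.251.94.182",
    "91.237.198.93", "91.234.33.125", "91.221.36.184",
}
# Behavioural patterns from the post: a gate.php check-in, or a "PDF"/EXE
# fetched from a /css/ directory. Weaker than an exact IOC, so reported separately.
SUSPICIOUS_PATH_RE = re.compile(r"/gate\.php$|/css/[^/]+\.(?:pdf|exe)$")

# Squid native access.log fields:
# time elapsed client code/status bytes method URL rfc931 hierarchy/peerhost type
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("url"))
    return {
        "client": m.group("client"),
        "host": (parsed.hostname or "").lower(),
        "path": parsed.path,
        "peer": m.group("peer"),
    }


def match_iocs(rec):
    """Return the reasons this record is interesting (empty list if none)."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        reasons.append("domain:" + rec["host"])
    if rec["peer"] in IOC_IPS:
        reasons.append("ip:" + rec["peer"])
    if SUSPICIOUS_PATH_RE.search(rec["path"]):
        reasons.append("path:" + rec["path"])
    return reasons


def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = match_iocs(rec)
        if reasons:
            hits.append((rec["client"], rec["host"], reasons))
    return hits


def clients_to_isolate(hits):
    """Count exact-IOC hits per internal client. A client that reached a known
    domain or IP should be pulled off the network, not merely blocked."""
    return Counter(client for client, _, reasons in hits
                   if any(r.startswith(("domain:", "ip:")) for r in reasons))


# Constructed log lines (not from a real network) in Squid native format.
SAMPLE_LOG = """\
1404400000.123 45 10.0.0.7 TCP_MISS/200 312 POST http://disk57.com/gate.php - HIER_DIRECT/188.190.117.93 text/html
1404400001.456 40 10.0.0.7 TCP_MISS/200 131173 GET http://repele.net/css/agreement.pdf - HIER_DIRECT/82.220.34.132 application/pdf
1404400002.789 39 10.0.0.9 TCP_MISS/200 4821 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1404400003.000 12 10.0.0.11 TCP_MISS/200 41472 GET http://jasongraber.com/css/b02.exe - HIER_DIRECT/192.64.181.14 application/octet-stream
1404400004.000 10 10.0.0.7 TCP_MISS/200 200 GET http://cdn.example.net/css/style.css - HIER_DIRECT/198.51.100.5 text/css
1404400005.000 11 10.0.0.12 TCP_MISS/200 9000 GET http://unknown-host.example/css/agreement.pdf - HIER_DIRECT/203.0.113.9 application/pdf
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, host, reasons in found:
        print(client, host, reasons)
    print("isolate:", dict(clients_to_isolate(found)))
```

The path-only hit on the last line is the kind of thing you review by hand: a /css/agreement.pdf from a host not on the list may be a new download server for the same campaign, or just a legitimate site with an odd layout. Pulling the file and checking whether it really starts with %PDF settles it quickly.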