Tuesday, July 22, 2008

Lazy Summer Days at UkrTeleGroup Ltd

The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.



UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.



Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup Ltd's 85.255.117.163.



Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :



(216.195.41.11)

antivirusxp2008 .com

malwareprotector2008 .com

antivirxp08 .com

antivirusxp08 .com

avxp08 .com

youpornztube .com

winifixer .com

advancedxpfixer .com

encountertracker .ws




It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (85.255.118.172) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (85.255.118.171), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com (85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home.



winifixer .com, a well known rogue software, is entirely relying on UkrTeleGroup's hosting services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue security software and live exploit URLs. Take for instance their efficiency centered approach to park numerous malicious domains on a single IP, like 85.255.117.218 in this case :



bestfunnyvids .com

celebs69 .com

celebsnofake .com

celebstape .com

celebsvidsonline .com

codecservice1 .com

freevidshardcore .com

newfunnyvideo .com

sexlookupworld .com

starfeed1 .com

starfeed2 .com

topdirectdownload .com   

topsearchresults1 .com

topsoftupdate .com

yourfavoritetube .com




Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by krab@thekrab.com behind which is supposedly Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.