The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.
UkrTeleGroup Ltd (85.255.112.0-85.255.127.255 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.
Take microsoftcodecs.com (88.214.198.220) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 194.110.162.114; 216.195.41.11; 216.195.41.11; 216.240.139.169, and to UkrTeleGroup Ltd's 85.255.117.163.
Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :
(216.195.41.11)
antivirusxp2008 .com
malwareprotector2008 .com
antivirxp08 .com
antivirusxp08 .com
avxp08 .com
youpornztube .com
winifixer .com
advancedxpfixer .com
encountertracker .ws
It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (85.255.118.172) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (85.255.118.171), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (85.255.118.172), stat.antivirxp08 .com (85.255.118.172), stat.antivirusxp08 .com (85.255.118.172) in order to phone back home.
winifixer .com, a well known rogue software, is entirely relying on UkrTeleGroup's hosting services hosted at 85.255.117.163; 85.255.118.171; 85.255.120.115; 85.255.120.139; 216.195.41.11 pinpoing several other obvious and well known netblocks hosting anything starting from fake celebrity video sites serving fake Windows Media Player videos, to rogue security software and live exploit URLs. Take for instance their efficiency centered approach to park numerous malicious domains on a single IP, like 85.255.117.218 in this case :
bestfunnyvids .com
celebs69 .com
celebsnofake .com
celebstape .com
celebsvidsonline .com
codecservice1 .com
freevidshardcore .com
newfunnyvideo .com
sexlookupworld .com
starfeed1 .com
starfeed2 .com
topdirectdownload .com
topsearchresults1 .com
topsoftupdate .com
yourfavoritetube .com
Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by krab@thekrab.com behind which is supposedly Mishakov Viktor Ivanovich support@tobesoftware.com, and ironically tobesoftware.com is again hosting within UkrTeleGroup (85.255.120.115). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, July 22, 2008
Lazy Summer Days at UkrTeleGroup Ltd
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment