Monday, June 08, 2009

GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC


Following the GazTransitStroy/GazTranZitStroy (gaztranzitstroyinfo.ru; 67.15.253.241) coverage, the gang behind the bogus gas company drilling for insecure PCs across the Web has returned to its roots - St. Petersburg, Russia, with routing services courtesy of PIN-AS Petersburg Internet Network LLC (AS44050) (internet-spb.ru) :

"descr: Petersburg Internet Network LLC
address: Sedova 80
address: St.-Petersburg, Russia
e-mail:         support@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 4483863
person:         Metluk Nikolay Valeryevich
address:        korp. 1a 40 Slavy ave.,
address:        St.-Petersburg, Russia
e-mail:         nm@internet-spb.ru
phone:          +7 812 4483863
fax-no:         +7 812 2683113
PIN LLC
Sedova 80
+7 812 4483863
support@internet-spb.ru
 

Metluk Nikolay Valeryevich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
nm@internet-spb.ru

Ladoha Anton Vladimirovich
korp. 1a 40 Slavy ave.,
St. Petersburg, Russia
+7 812 4483863
admin@internet-spb.ru

Strukov Evgeny Olegovich
korp. 1a 40 Slavy ave.,
St.-Petersburg, Russia
+7 812 4483863
admin2@internet-spb.ru
e.strukov@pinspb.ru

Prefixes 91.212.41.0/24; 95.215.0.0/22; 194.11.16.0/24; 194.11.20.0/23; 195.2.240.0/23
"

What's also worth pointing out is that a huge number of domains operated by GazTransitStroy's customers, and of course by GazTranzitStroy themselves, not only traceroute back to Petersburg Internet Network LLC's network, but there's also an evident migration to the legitimate NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS2875, as well as to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255.

Combined with the fact that EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 remains an inseparable part of GazTransitStroy's infrastructure, this clearly indicates the presence of a well-known cybercrime powerhouse - the RBN itself.
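For anyone wanting to turn the network ranges above into something a proxy or firewall log can be checked against, here is an added example (my own code, not part of the original post) that builds a watchlist from the AS44050 prefixes and the NETDIRECT-NET, CHINANET-SH and EUROHOST-NET ranges quoted in this post, and matches destination IPs in log lines against it. The log lines are constructed for the example; the networks are the ones listed in the post.

```python
import ipaddress
import re

# Networks as quoted in the post: the AS44050 prefixes plus the ranges the domains
# migrated to. Ranges written as "start-end" are expanded into CIDR blocks below.
WATCHLIST = {
    "PIN-AS Petersburg Internet Network LLC (AS44050)": [
        "91.212.41.0/24", "95.215.0.0/22", "194.11.16.0/24",
        "194.11.20.0/23", "195.2.240.0/23",
    ],
    "NETDIRECT-NET": ["89.149.206.0-89.149.207.255"],
    "CHINANET-SH shanghai province network": ["222.64.0.0-222.73.255.255"],
    "EUROHOST-NET/Eurohost LLC (AS48841)": ["91.212.65.0-91.212.65.255"],
}


def to_networks(spec):
    """Turn a CIDR prefix or a 'start-end' range into ip_network objects."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def build_index(watchlist=WATCHLIST):
    """Flatten the watchlist into a list of (network, label) pairs."""
    index = []
    for label, specs in watchlist.items():
        for spec in specs:
            for net in to_networks(spec):
                index.append((net, label))
    return index


_INDEX = build_index()


def classify_ip(ip_text, index=_INDEX):
    """Return the watchlist label an IP falls in, or None if it is not listed."""
    ip = ipaddress.ip_address(ip_text)
    for net, label in index:
        if ip in net:
            return label
    return None


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines):
    """Return (line_no, ip, label) for every watchlisted IP found in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip_text in IP_RE.findall(line):
            try:
                label = classify_ip(ip_text)
            except ValueError:  # e.g. "999.1.1.1" matched by the loose regex
                continue
            if label:
                hits.append((n, ip_text, label))
    return hits


# Constructed sample proxy log lines (not from the post); the destination IPs
# are ones named in the post, plus a harmless documentation address.
SAMPLE_LOG = [
    "2009-06-08T10:01:02Z src=10.0.0.5 dst=192.0.2.10 GET /index.html",
    "2009-06-08T10:01:09Z src=10.0.0.5 dst=91.212.41.96 GET /in.php",
    "2009-06-08T10:01:15Z src=10.0.0.7 dst=222.70.1.1 GET /load.php",
    "2009-06-08T10:02:40Z src=10.0.0.7 dst=89.149.207.56 GET /",
    "2009-06-08T10:03:01Z src=10.0.0.9 dst=91.212.65.7 GET /main.bin",
]

if __name__ == "__main__":
    for line_no, ip, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {label}")
```

Using summarize_address_range keeps the two "start - end" ranges in the post exactly as written instead of hand-converting them to prefixes, and the loose IP regex is deliberate: anything it over-matches is rejected by ip_address() before the lookup.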

The following domains (crimeware, live exploits, scareware, you name it they engage in it) maintained by GazTranzitStroy have migrated as follows. From 91.212.41.96 to CHINANET-SH CHINANET shanghai province network - 222.64.0.0 - 222.73.255.255:

loshadinet .com
roselambda .cn
use-sena .cn
peopleopera .cn
forexsec .cn
symphonygold .cn
dreamlitediamond .cn
vilihood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
roomsme .cn
vilasse .cn
workfuse .cn
stakeshouse .cn
financeimprove .cn
lifenaming .cn
travetbeach .cn
schoolh .cn
rainfinish .cn
housevisual .cn
kvk.housevisual .cn
xfln.housevisual .cn
worksean .cn
blogtransaction .cn
liteauction .cn
seamodern .cn
smilecasino .cn
newtransfer .cn
oceandealer .cn
pub.oceandealer .cn
musicdomainer .cn
wowregister .cn
websiteflower .cn
travets .cn
designroots .cn
teamwows .cn
startgetaways .cn
moulitehat .cn
caxf.moulitehat .cn
islandtravet .cn
weekendtravet .cn
resorttravet .cn

litefront .cn
palaceyou .cn
youbonusnew .cn
clubmillionswow .cn
rainjukebox .cn
xuyxuyxuy .cn

From 91.212.41.114 to NETDIRECT-NET - 89.149.206.0 - 89.149.207.255 - AS28753. Interestingly, the DNS servers for the following domains, ns1.pubilcnameserver7.com/ns1.pubilcnameserver7.com, are diversifying between 89.149.207.56 and 91.212.41.114:

freeantivirusplus09 .com
realantivirusplus09 .com
getantivirusplus09 .com
smartantivirusplus09 .com
addedantivirusonline .com
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
plusantiviruspro .com
myplusantiviruspro .com
addedantivirus .com
youraddedantivirus .com
bestaddedantivirus .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com
easyplusantivirus .com
yourguardonline .cn
easydefenseonline .cn
bestprotectiononline .cn
freecoveronline .cn
atioqe .cn
yourguardstore .cn
mycheckdiseasestore .cn
examinepoisonstore .cn
freecoverstore .cn
myexaminevirusstore .cn
bestexaminedisease .cn
yourfriskdisease .cn
easyfriskdisease .cn
friskdiseaselive .cn
bestdefenselive .cn
bigprotectionlive .cn
bigcoverlive .cn
examineillnesslive .cn
exodih .cn
suxpymi .cn
aciazi .cn
yourfriskinfection .cn
easyserviceprotection .cn
easyincomeprotection .cn
easypersonalprotection .cn
easybestprotection .cn
myascertainpoison .cn
yourguardpro .cn
refugepro .cn
mycheckdiseasepro .cn
ascertaindiseasepro .cn
yourcheckpoisonpro .cn
easycheckpoisonpro .cn
yourfriskviruspro .cn
myascertainviruspro .cn
fegbywo .cn
feptuaq .cn
myexamineillness .cn
exousyt .cn
newguard2u .cn
freedefense2u .cn
bigdefense2u .cn
bestcover2u .cn
newguard4u .cn
mydefense4u .cn
bestcover4u .cn
newguard4you .cn
mydefense4you .cn
bestcover4you .cn
yourguardforyou .cn
newguardforyou .cn
myguardforyou .cn
freedefenseforyou .cn
mydefenseforyou .cn
bestcoverforyou .cn


The ongoing affiliation with EUROHOST-NET/Eurohost LLC (eurohost.biz.ua) 91.212.65.0 - 91.212.65.255 - AS48841 is also visible in the migration of domains (scareware, live exploits, crimeware etc.) from 91.212.41.119 to 91.212.65.7 at EUROHOST-NET/Eurohost LLC:

nicdaheb .cn
sehmadac .cn
ralcofic .cn
bikpakoc .cn
xidsasuc .cn
koqsuyod .cn
tozxiqud .cn
bowselaf .cn
cuzlumif .cn
porgacig .cn
hifgejig .cn
rogkadej .cn
sipcojeq .cn
silzefos .cn
popyodiw .cn
hayboxiw .cn
peskufex .cn
ridmoyey .cn
cakpapaz .cn


What kind of ISP maintains a permanent Under Construction page while engaging in Zeus and live exploit serving on the same IP as its web server? EUROHOST-NET/Eurohost LLC is one of them:

"person: Mikhail Ignatyev
address: off. 1, 81 Frunze str.,
phone: +38 093 079 00 32
address: Evpatoria, Crimea, Ukraine
e-mail: ipadmin@eurohost.biz.ua
"

At eurohost.biz.ua (91.212.65.5) we also have parked 123-service.ru, serving a déjà vu account suspended message - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." - as well as ramshanabc.ru, with another account suspended message despite its previous involvement in Zeus crimeware campaigns in January, 2009 (ramshanabc .ru/ferrari/main.bin).

Besides these domains, several others, again registered to kirilboltovnet@yandex.ru, are known to have run Zeus crimeware campaigns as well:

grafjasqq .ru/kiew/kiew.cfg
heliskamm .ru/kiew5.cfg
mamaloki .ru/dir2.cfg489
mamaloki .ru/kiew3.cfg
nionalku .ru/dir5.cfg
nionalku .ru/kiew6.cfg


Still not convinced of how malicious their intentions really are? The phone number (+7 928 7867612) used in the registrations of these domains was most recently used in a spammed Zeus crimeware campaign impersonating Western Union.

Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

Just like in GazTranzitStroyInfo's case, what we've got here is a failure to understand that the effort put into building the legitimacy of a front-end to cybercrime is prone to be undermined upon closer examination of the particular web hosting provider.

Who, and what is Life4you .info - Free Hosting for Live (dirsite .com; 65.98.15.80; Dennis Linkor Email: admin@dirsite.com)?

"We are pleased to announce the launch of dirsite.com, the best ASP.NET host on the web. We currently offer one plan. This plan is entirely free! Free ASP.NET 2.0 hosting*! Unfortunately we have hit our quota for ad free accounts. Every new signup is now required to display a 460x60 banner ad on their content pages. We will be running another ad free promotion soon, so be sure to check back! We are currently experiencing some technical issues that are out of our control. We are suffering some server problems and as a result, slight delays in processing signups. We are working on it, and will have everything resolved as soon as possible. Thank you for your patience."

What's so special about them? Well, for starters, they've got no customers but the cybercriminals themselves, who maintain a portfolio of over 7,000 adult-related keywords which they have been using for blackhat SEO campaigns across thousands of automatically registered -- CAPTCHA recognition outsourced -- Blogspot accounts since February, 2009.

With the Blogspot campaign still ongoing, let's assess it and expose all the participating scareware domains. Upon automatic generation of the Blogspot accounts, links like the following are included next to the bogus content, all using dirsite.com's pseudo-legitimate hosting services:

goto.dirsite .com/go.php?sid=2&tds-key=erotic+bikini+babes
goto.dirsite .com/go.php?sid=2&tds-key=sexe+amateur+on+my+space
goto.dirsite .com/go.php?sid=2&tds-key=aunt+judy+older+women
goto.dirsite .com/go.php?sid=2&tds-key=view+private+profiles+on+myspace
goto.dirsite .com/go.php?sid=2&tds-key=fullmetal+alchemist+porn
goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws
goto.dirsite .com/go.php?sid=2&tds-key=cheerleader+candid+pictures

goto.dirsite .com/go.php?sid=2&tds-key=desisexstories
goto.dirsite .com/go.php?sid=2&tds-key=Hey+Arnold+porno
goto.dirsite .com/go.php?sid=2&tds-key=warcraft+henrai

Upon clicking, users are redirected to tdncgo2009 .com/?uid=68&pid=3 (trdatasft .com; fra22 .net; Email: ) 64.86.17.47, Email: hmlragnsky@whoisservices.cn, where the scareware domains are randomly loaded:
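The indicators in this post are "defanged" with a space before the TLD, and the goto.dirsite.com links carry the SEO keyword in a tds-key parameter. Below is an added example (my own code, not from the original post) that refangs such indicators, pulls the host out of each line in the domain lists above, and parses the traffic-distribution links into host, sid and decoded keyword, which is what you would want when feeding these lists into a blocklist or looking for the same redirector pattern in web proxy logs. The sample lines are taken from the post's own lists; the parsing regex and function names are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The post defangs indicators as "host .tld" / "host .tld/path": a space before the TLD.
DEFANG_RE = re.compile(r"(?<=[A-Za-z0-9-])\s+\.(?=[A-Za-z]{2,})")

# Plain hostname check applied after refanging (lowercase labels, a real TLD at the end).
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")


def refang(indicator):
    """Remove the defanging space so the value can be handled as a host or URL."""
    return DEFANG_RE.sub(".", indicator.strip())


def split_indicator(line):
    """Return (host, path) for one indicator line, or None if it holds no valid host.

    Trailing annotations such as " - 64.213.140.69 Email: ..." are ignored because
    only the first whitespace-separated token is treated as the indicator.
    """
    text = refang(line)
    if not text:
        return None
    token = text.split()[0]
    parts = urlsplit("http://" + token)
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        return None
    return host, parts.path or "/"


def extract_hosts(block):
    """Unique, sorted hostnames from a block of defanged indicator lines."""
    hosts = set()
    for line in block.splitlines():
        parsed = split_indicator(line)
        if parsed:
            hosts.add(parsed[0])
    return sorted(hosts)


def parse_tds_link(defanged_url):
    """Parse a go.php?sid=...&tds-key=... link into its components.

    parse_qs already turns '+' into spaces and decodes percent-escapes, so the
    keyword comes back exactly as it was typed into the SEO page.
    """
    url = refang(defanged_url)
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "host": parts.hostname,
        "path": parts.path,
        "sid": qs.get("sid", [None])[0],
        "keyword": qs.get("tds-key", [None])[0],
    }


# Sample block built from lines that appear in the post (the formats differ on purpose:
# bare domain, subdomain, domain with path, domain with IP/e-mail annotation).
SAMPLE_BLOCK = """loshadinet .com
kvk.housevisual .cn
ramshanabc .ru/ferrari/main.bin
virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com

"""

SAMPLE_LINK = "goto.dirsite .com/go.php?sid=2&tds-key=Asian+style+bed+throws"

if __name__ == "__main__":
    print(extract_hosts(SAMPLE_BLOCK))
    print(parse_tds_link(SAMPLE_LINK))
```

The first-token rule is what lets the same function cope with the annotated lines in the scareware list (domain, then IP, then e-mail) without a separate parser per list format; anything that does not refang into a syntactically valid hostname is dropped rather than guessed at.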

virusdoctor-onlinedefender .com - 64.213.140.69 Email: sebarinvert.ivus@gmail.com
onlinescan-ultraantivirus2009 .com - 206.53.61.76
virussweeper-scan .net - 206.53.61.76
virusalarm-scanvirus .net - 206.53.61.76
viruscatcher .net - 64.213.140.71 Email: jeannemcpeters@gmail.com
fast-antivirus .com - 64.213.140.68

The scareware attempts to phone back to update1.virusshieldpro .com/ReleaseXP.exe - 206.53.61.75 - Email: unitedisystems@gmail.com and to updvmfnow .cn - 64.86.17.9 Email: oijfsd.sd@gmail.com. ReleaseXP.exe then phones back to the following locations, naturally earning profit for the cybercriminal:

pay-virusshield .cn - 64.213.140.70; Email: unitedisystems@gmail.com; Returning the following message: "Sorry, the operation is currently unavailable, please email our support team from product's site (Error Code #150)"
updvmfnow .cn - 64.86.17.9
updvmfnow .cn/reports/install-report.php (64.86.17.9)
updvmfnow .cn/reports/soft-report.php
updvmfnow .cn/reports/minstalls.php

The phone back location is also hosting more active scareware domains:
ultraantivirus2009 .com - 64.86.17.9
virusalarmpro .com
vmfastscanner .com
mysuperviser .com
pay-virusdoctor .com
virusmelt .com
payvirusmelt .com


Not only is life4info .info or dirsite .com a bogus free hosting provider, but the campaigns hosted by them are interacting with our "dear friends" at AS30407 (VELCOM .com), which Spamhaus describes as "N. American base of Ukrainian cybercrime spammers" - and with good reason.