Showing posts with label Russian Business Network. Show all posts

Historical OSINT - The Russian Business Network Says "Hi"

September 09, 2019
You know you're popular when "they" say "hi".

It's 2009 and I've received a surprising personal email courtesy of guess who - The Russian Business Network showing off the actual ownership of the hxxp://rbnnetwork.com domain and basically saying "hi". It's worth pointing out that throughout 2008-2013 I've extensively profiled the activities including the customer activities of some of the most prolific customers and members of the infamous Russian Business Network also known as the RBN in the context of blackhat SEO iFrame and input validation abuse across major Web properties including malvertising and various other malware-serving and client-side exploits serving campaigns including money mule recruitment and phishing campaigns the ubiquitous at the time fake security software also known as scareware in a variety of post series.
It's been a decade since I last profiled the most prolific and sophisticated market-leading bullet-proof hosting cybercrime enterprise - the Russian Business network which at the time was dominating the majority of campaigns that I was busy profiling with the help of fellow researchers to whom I owe a big deal of thanks for approaching me circa 2008-2013 namely Jart Armin and James McQuaid with whom I've been directly or indirectly keeping in touch throughout 2008-2013 for the purpose of offering quality research on the activities of the Russian Business Network including their customers and fraudulent and malicious campaigns.
Stay tuned and thanks for reaching out!

Related Russian Business Network (RBN) Research:
I See Alive IFRAMEs Everywhere - Part Two
I See Alive IFRAMEs Everywhere
Bank of India Serving Malware
U.S Consulate in St.Petersburg Serving Malware
Syrian Embassy in London Serving Malware
CISRT Serving Malware
Compromised Sites Serving Malware and Spam
U.S Consulate St. Petersburg Serving Malware
Massive RealPlayer Exploit Embedded Attack
Malware Serving Exploits Embedded Sites as Usual
MDAC ActiveX Code Execution Exploit Still in the Wild
Yet Another Massive Embedded Malware Attack
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Over 100 Malwares Hosted on a Single RBN IP
Detecting and Blocking the Russian Business Network
Exposing the Russian Business Network
Go to Sleep, Go to Sleep my Little RBN
Injecting IFRAMEs by Abusing Input Validation
RBN's Fake Account Suspended Notices
ZDNet Asia and TorrentReactor IFRAME-ed
Russia's FSB vs Cybercrime
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
Wired.com and History.com Getting RBN-ed
The Russian Business Network
Exposing the Russian Business Network
More CNET Sites Under IFRAME Attack
Embedded Malware at Bloggies Awards Site
Have Your Malware In a Timely Fashion
Geolocating Malicious ISPs
More High Profile Sites IFRAME Injected
The New Media Malware Gang - Part Four
Another Massive Embedded Malware Attack Continue reading →

Historical OSINT - Inside the 2007-2009 Series of Cyber Attacks Against Multiple International Embassies

May 29, 2017
Remember, the, Russian, Business, Network, and, the, New, Media, Malware, Gang?

It's, been, several, years, since, I, last, posted, an, update, regarding, the, group's, activities, including, the, direct, establishing, of, a, direct, connection, between, the, Russian, Business, Network, the, New, Media, Malware, gang, including, a, variety, of, high, profile, Web, site, compromise, campaigns.

What's, particularly, interesting, about, the, group's, activities, is, the, fact, that, back, in, 2007, the, group's, activities, used, to, dominate, the, threat, landscape, in, a, targeted, fashion, including, the, active, utilization, of, client-side, exploits, and, the, active, exploitation, of, legitimate, Web, sites, successfully, positioning, the, group, including, the, Russian, Business, Network, as, a, leading, provider, of, malicious, activities, online, leading, to, a, series, of, analyses, successfully, detailing, the, activities, of, the, group, including, the, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, Storm, Worm, botnet.

In, this, post, I'll, provide, a, detailed, analysis, of, the, group's, activities, discuss, in, the, depth, the, tactics, techniques, and, procedures, (TTPs), of, the, group, including, a, direct, establishing, of, a, connection, between, the, New, Media, Malware, Gang, the, Russian, Business, Network, and, the, direct, compromise, of, a, series, of, high, profile, Web, site, compromise, campaigns.

Having, successfully, tracked, down, and, profiled, the, group's, activities, for, a, period, of, several, years, and, based, on, the, actionable, intelligence, provided, regarding, the, group's, activities, we, can, easily, establish, a, direct, connection, between, the, New, Media, Malware, Gang, and, the, Russian, Business, Network, including, a, series, of, high, profile, Web, site, compromise, campaigns.

Key Summary Points:
- RBN Connection, New Media Malware Gang connection - "ai siktir" "Die()", money mule recruitment, money laundering of virtual currency
- Actionable CYBERINT data to assist law enforcement, academics and the private sector in ongoing or past cybercrime investigations
- Complete domain portfolios registered up to the present day using the same emails used to register the malicious domains during 2007-2009 to assist law enforcement, academics and the private sector in catching up with their malicious activities over the years
- Detailed analysis of each and every campaign's domain portfolios (up to present day) further dissecting the fraudulent schemes launched by the same cybercriminals that embedded malware on the embassies' web sites
- Complete IP Hosting History for each and every of the malicious domains/command and control servers during the time of the attack
 - The "Big Picture" detailing the inter-connections between the campaigns, with historical OSINT data pointing to the "New Media Malware Gang", back then customers of the Russian Business Network

Let's, profile, the, group's, activities, including, a, direct, establishing, of, a, connection, between, the, Russian, Business, Network, the, New, Media, Malware, Gang, and, the, Storm, Worm, botnet.

In, 2007, I, profiled, the, direct, compromise, of, the, Syrian, Embassy, in, London, including, a, related, compromise of, the, USAID.gov compromised, malware and exploits served, the, U.S Consulate St. Petersburg Serving Malware, Bank of India Serving Malware, French Embassy in Libya Serving Malware, Ethiopian Embassy in Washington D.C Serving Malware, Embassy of India in Spain Serving Malware, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, detailing, the, malicious, activities, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's profile, the, campaigns, and, discuss, in, depth, the, direct, connection, between, the, group's, activities, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

sicil.info - on 2007-09-26 during the time of the attack, the domain was registered using the srvs4you@gmail.com email. The domain name first appeared online on 2006-06-10 with an IP 213.186.33.24. On 2007-07-11, it changed IPs to 203.121.79.71, followed by another change on 2008-01-06 to 202.75.38.150, another change on 2008-05-06 to 203.186.128.154, yet another change on 2008-05-18 to 190.183.63.103, and yet another change on 2008-07-27 to 190.183.63.56.

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (sicil.info):
MD5: 4802db20da46fca2a1896d4c983b13ba
MD5: f9434d86ef2959670b73a79947b0f4d2
MD5: 32dba64ae55e7bb4850e27274da42d1b
MD5: cd6a7ff6388fbd94b7ee9cdc88ca8f4d
MD5: 57dff9e8154189f0a09fb62450decac6

Known, to, have, responded, to, the, same, malicious, C&C, server, IPs (sicil.info), are, also, the, following, malicious, domains:
hxxp://144.217.69.62
hxxp://63.246.128.71
hxxp://207.150.177.28
hxxp://66.111.47.62
hxxp://66.111.47.4
hxxp://66.111.47.8

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs (213.186.33.24):
MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb
MD5: 95cc3a0243aa050243ab858794c1d221
MD5: cc63d67282789e03469f2e6520c6de80
MD5: 3829506c454b86297d2828077589cbf8
MD5: 1e18b17149899d55d3625d47135a22a7

 Once, executed, a, sample, malware (MD5: 1a08c0ce5ab15e6fd8f52cd99ea64acb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ioasis.org - 208.112.115.36
hxxp://polyhedrusgroup.com - 143.95.229.33
hxxp://espoirsetvie.com - 213.186.33.24
hxxp://ladiesdehaan.be - 185.59.17.113
hxxp://chonburicoop.net - 27.254.96.151
hxxp://ferienwohnung-walchensee-pur.de - 109.237.138.48

Related posts: Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

 Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (0ki.ru; 89.179.174.156):
MD5: cd33ea55b2d13df592663f18e6426921
MD5: 8e0c7757b82d14b988afac075e8ed5dc
MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012
MD5: e513a1b25e59670f777398894dfe41b6
MD5: 0fad43c03d80a1eb3a2c1ae9e9a6c9ed
MD5: 6e1b789f0df30ba0798fbc47cb1cec1c
MD5: 9f02232ed0ee609c8db1b98325beaa94

Once, executed, a, sample, malware (MD5: e6aaafcafdd0a20d6dbe7f8c0bf4d012), phones, back, to, the, following, C&C, server, IPs:
hxxp://lordofthepings.ru (173.254.236.159)
hxxp://poppylols.ru
hxxp://chuckboris.ru
hxxp://kosherpig.xyz
hxxp://ladyhaha.xyz
hxxp://porkhalal.site
hxxp://rihannafap.site
hxxp://bieberfans.top
hxxp://runands.top
hxxp://frontlive.net
hxxp://offerlive.net
hxxp://frontserve.net
hxxp://offerserve.net
hxxp://hanghello.ru
hxxp://hanghello.net
hxxp://septemberhello.net
hxxp://hangmine.net
hxxp://septembermine.net
hxxp://hanglive.net
hxxp://wrongserve.ru
hxxp://wrongserve.net
hxxp://madelive.net

Once, executed, a, sample, malware (MD5: e513a1b25e59670f777398894dfe41b6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 173.254.236.159
hxxp://yardlive.ru
hxxp://yardlive.net
hxxp://musiclive.net - 141.8.225.124
hxxp://yardserve.net
hxxp://musicserve.net - 185.53.177.20
hxxp://wenthello.net
hxxp://spendhello.ru
hxxp://wentmine.net
hxxp://spendmine.net
hxxp://spendhello.net
hxxp://joinlive.net
hxxp://wentserve.ru
hxxp://hanghello.net
hxxp://joinhello.net

hxxp://x12345.org - 46.4.22.145

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (miron555.org):
MD5: 0e423596c502c1e28cce0c98df2a2b6d
MD5: e75d92defb11afe50a8cc51dfe4fb6ee
MD5: adcedd763f541e625f91030ee4de7c19
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 2c664a4c1374b3d887f59599704aef6c
MD5: 0e423596c502c1e28cce0c98df2a2b6d

Over the years (up to present day) srvs4you@gmail.com is also known to have been used to register the following domains:
hxxp://10lann10.org
hxxp://24cargo.net
hxxp://ace-assist.biz
hxxp://activation-confirm.com
hxxp://adwoords.net
hxxp://alert-careerbuilder.com
hxxp://annebehnert.info
hxxp://apollo-services.net
hxxp://appolage.org
hxxp://auctions-ukash.com
hxxp://bbcfinancenews.com
hxxp://bestgreatoffers.org
hxxp://blackbird-registration.com
hxxp://bloomborg.biz
hxxp://businessproc1.com
hxxp://bussolutionsinc.org
hxxp://calisto-trading.com
hxxp://calisto-trading.net
hxxp://calisto-trading.org
hxxp://candy-country.com
hxxp://casheq.com
hxxp://cfca-usa.com
hxxp://cfodaily.biz
hxxp://citizenfinancial.net
hxxp://citylending.net
hxxp://clean2mail.com
hxxp://confirm-activation.com
hxxp://consultingwiz.org
hxxp://courierusa-online.com
hxxp://cristhmasx.com
hxxp://d-stanley.net
hxxp://dariazacherl.info
hxxp://des-group.com
hxxp://digital-investment-projects.com
hxxp://dns4your.net
hxxp://dvasuka.com
hxxp://easy-midnight.com
hxxp://easy-transfer.biz
hxxp://easymidnight.com
hxxp://ecareerstyle.com
hxxp://ecnoho.com
hxxp://efinancialnews.biz
hxxp://eluxuryauctions.com
hxxp://elx-ltd.net
hxxp://elx-trading.org
hxxp://elxltd.net
hxxp://emoney-ex.com
hxxp://epsincorp.net
hxxp://equitrust.org
hxxp://erobersteng.com
hxxp://erxlogistics.com
hxxp://esdeals.com
hxxp://estemaniaks.com
hxxp://eu-bis.com
hxxp://eu-cellular.com
hxxp://eubiz.org
hxxp://euwork.org
hxxp://expressdeal.info
hxxp://ezado.net
hxxp://fairwaylending.org
hxxp://fan-gaming.org
hxxp://fcinternatonal1.com
hxxp://fidelitylending.net
hxxp://financial-forbes.com
hxxp://financialnews-us.net
hxxp://firstcapitalgroup.org
hxxp://freemydns.org
hxxp://fremontlending.net
hxxp://fresh-solutions-mail.com
hxxp://fresh-solutions.us
hxxp://garnantfoundation.com
hxxp://gazenvagen.com
hxxp://globerental.com
hxxp://googmail.biz
hxxp://i-expertadvisor.com
hxxp://icebart.com
hxxp://icqdosug.com
hxxp://iesecurityupdates.com
hxxp://indigo-consulting.org
hxxp://indigo-job-with-us.com
hxxp://indigojob.com
hxxp://indigovacancies.com
hxxp://inncoming.com
hxxp://ivsentns.com
hxxp://iwiwlive.net
hxxp://iwiwonline.net
hxxp://jobs-in-eu.org
hxxp://kelermaket.com
hxxp://kklfnews.com
hxxp://knses.com
hxxp://komodok.com
hxxp://krdns.biz
hxxp://ksfcnews.com
hxxp://ksfcradio.com
hxxp://ktes314.org
hxxp://lda-import.com
hxxp://legal-solutions.org
hxxp://lgcareer.com
hxxp://lgtcareer.com
hxxp://librarysp.com
hxxp://littlexz.com
hxxp://mariawebber.org
hxxp://megamule.net
hxxp://moneycnn.biz
hxxp://njnk.net
hxxp://ns4ur.net
hxxp://nytimesnews.biz
hxxp://o2cash.net
hxxp://offsoftsolutions.com
hxxp://pcpro-tbstumm.com
hxxp://perfect-investments.org
hxxp://progold-inc.biz
hxxp://protectedsession.com
hxxp://razsuka.com
hxxp://reutors.biz
hxxp://rushop.us
hxxp://science-and-trade.com
hxxp://secure-operations.org
hxxp://securesitinngs.com
hxxp://servicessupport.biz
hxxp://sessionprotected.com
hxxp://sicil.info
hxxp://sicil256.info
hxxp://simple-investments-mail.org
hxxp://simple-investments.net
hxxp://simple-investments.org
hxxp://sp3library.com
hxxp://speeduserhost.com
hxxp://storempire.com
hxxp://tas-corporation.com
hxxp://tas-corporation.net
hxxp://tascorporation.net
hxxp://topixus.net
hxxp://tsrcorp.net
hxxp://u-file.org
hxxp://ukashauction.net
hxxp://ultragame.org
hxxp://unitedfinancegroup.org
hxxp://vanessakoepp.org
hxxp://verymonkey.com
hxxp://vesa-group.com
hxxp://vesa-group.net
hxxp://vipvipns.net
hxxp://vipvipns.org
hxxp://wondooweria.com
hxxp://wondoowerka.com
hxxp://wootpwnseal.com
hxxp://worldeconomist.biz
hxxp://wumtt-westernunion.com
hxxp://xsoftwares.com
hxxp://xxx2008xxx.com
hxxp://yourcashlive.com
hxxp://yourlive.biz
hxxp://yourmule.com

On 2008-09-25 0ki.ru was registered using the kseninkopetr@nm.ru email. The same email address is not known to have been used to register any additional domains.

On 2008-06-19 x12345.org was registered using the xix.x12345@yahoo.com email. On 2007-09-10 the domain use to respond to 66.36.243.97, then on 2007-11-13 it changed IPs to 58.65.236.10, following another change on 2008-05-06 to 203.186.128.154. No other domains are known to have been registered using the same email address.

On 2007-06-07, miron555.org was registered using the mironbot@gmail.com email, followed by another registration email change on 2008-02-12 to nepishite555suda@gmail.com. On 2007-04-24, the domain responded to 75.126.4.163. It then changed IPs on 2007-05-09 to 203.121.71.165, followed by another change on 2007-06-08 to 58.65.239.247, yet another change on 2007-07-15 to 58.65.239.10, another change on 2007-08-19 to 58.65.239.66, more IP changes on 2007-09-03 to 217.170.77.210, and yet another change on 2007-09-18 to 88.255.90.138.

Historically (up to present day), mironbot@gmail.com is also known to have been used to register the following domains:
hxxp://24-7onlinepharmacy.net
hxxp://bestmoviesonline.info
hxxp://brightstonepharma.com
hxxp://deapotheke.com
hxxp://dozor555.info
hxxp://my-traff.cn
hxxp://pharmacyit.net
hxxp://trffc.org
hxxp://trffc3.ru
hxxp://xmpharm.com

In, 2008, I, profiled, the, direct, compromise, of, The Dutch Embassy in Moscow Serving Malware, further, detailing, the, malicious, and, activity, of, the, Russian, Business, Network, and, the, New, Media, Malware, Gang.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, direct, compromise, of, the, Embassy's Web, site.

On 2009-03-04, lmifsp.com was registered using the redemption@snapnames.com email. On 2007-11-30, it used to respond to 68.178.194.64, then on 2008-12-01 it changed IPs to 68.178.232.99.

In, 2008, I, profiled, the, direct, compromise, of, Embassy of Brazil in India Compromised, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

hxxp://google-analyze.com - 87.118.118.193

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (google-analyze.com - 87.118.118.193):
MD5: 2bcb74c95f30e3741210c0de0c1b406f

On 2008-10-15, traff.asia was registered using the traffon@gmail.com email.

On 2008-06-19, google-analyze.com was registered using the incremental@list.ru email. On 2007-12-21 it responded to 66.36.241.153, then it changed IPs on 2007-12-22 to 66.36.231.94, followed by another change on 2008-02-03 to 79.135.166.74, then to 195.5.116.251 on 2008-03-16, to 70.84.133.34 on 2008-07-31, followed by yet another change to 216.195.59.77 on 2008-09-15.

On 2008-08-05, google-analystic.net, is, known, to, have, responded, to, 212.117.163.162, and, was registered using the abusecentre@gmail.com email. On 2008-04-11 it used to respond to 64.28.187.84, it then changed IPS to 85.255.120.195 on 2008-08-03, followed by another change on 2008-08-10 to 85.255.120.194, then to 85.255.120.197 on 2008-09-07, to 69.50.161.117 on 2008-09-14, then to 66.98.145.18 on 2008-10-11, followed by another change on 2008-10-25 to 209.160.67.56.

On 2008-11-11, beshragos.com was registered using the migejosh@yahoo.com email. On 2008-11-11 it used to respond to 79.135.187.38.

In, 2009, I, profiled, the, direct, compromise, of, Ethiopian Embassy in Washington D.C Serving Malware, further, detailing, the, group's, activities, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Let's, profile, the, campaign, and, discuss, in-depth, the, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2009-01-19, 1tvv.com is, known, to, have, responded, to, 69.172.201.153; 66.96.161.140; 122.10.52.139; 122.10.18.138; 67.229.44.15; 74.200.250.130; 69.170.135.92; 64.74.223.38, and, was registered using the mogensen@fontdrift.com email.

On 2005-08-27, the domain (1tvv.com) is, known, to, have, responded to 198.65.115.93, then on 2006-05-12 to 204.13.161.31, with yet another IP change on 2010-04-08 to 216.240.187.145, followed by yet another change on 2010-06-02 to 69.43.160.145, then on 2010-07-25 to 69.43.160.145.

On 2010-01-04, trafficinc.ru was registered using the auction@r01.ru email.

On 2009-03-01, trafficmonsterinc.ru was registered using the trafficmonsterinc.ru@r01-service.ru email.

On 2009-05-02, us18.ru, is, known, to, have, responded, to, 109.70.26.37; 185.12.92.229; 109.70.26.36, and, was registered using the belyaev_andrey@inbox.ru email.

 Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 0b545cd12231d0a4239ce837cd371166
MD5: dae41c862130daebcff0e463e2c30e50
MD5: 601806c0a01926c2a94558148764797a
MD5: 45f97cd8df4448bbe073a38c264ef93f
MD5: 94aeba45e6fb4d17baa4989511e321b3

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs (69.172.201.153):
MD5: 4e0ce2f9f92ac5193c2a383de6015523
MD5: a38d47fcfdaf14372cea3de850cf487d
MD5: 014d2f1bae3611e016f96a37f98fd4b7
MD5: daad60cb300101dc05d2ff922966783b
MD5: 0a775110077e2c583be56e5fb3fa4f09

Once, executed, a, sample, malware (MD5: 4e0ce2f9f92ac5193c2a383de6015523), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.66.160
hxxp://pelcpawel.fm.interiowo.pl - 217.74.66.160
hxxp://chicostara.com - 91.142.252.26
hxxp://suewyllie.com
hxxp://dewpoint-eg.com - 195.157.15.100
hxxp://sso.anbtr.com - 195.22.28.222

Once, executed, a, sample, malware (MD5: a38d47fcfdaf14372cea3de850cf487d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://ledyazilim.com - 213.128.83.163
hxxp://ksandrafashion.com - 166.78.145.90
hxxp://lafyeri.com - 69.172.201.153
hxxp://kulppasur.com - 52.28.249.128
hxxp://toalladepapel.com.ar

 hxxp://trafficinc.ru, is, known, to, have, responded, to, 222.73.91.203

 hxxp://trafficmonsterinc.ru, is, known, to, have, responded, to, 178.208.83.7; 178.208.83.27; 91.203.4.112

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: ce4e2e12ee16d5bde67a3dc2e3da634b
MD5: 4423e04fb3616512bf98b5a565fccdd7
MD5: 33f890c294b2ac89d1ee657b94e4341d
MD5: 1c5096c3ce645582dd18758fe523840a
MD5: 1efae0b0cb06faacae46584312a12504

Once, executed, a, sample, malware (MD5: ce4e2e12ee16d5bde67a3dc2e3da634b), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://rms-server.tektonit.ru - 109.234.156.179
hxxp://365invest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 4423e04fb3616512bf98b5a565fccdd7), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://topstat.mcdir.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 33f890c294b2ac89d1ee657b94e4341d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://cadretest.ru - 178.208.83.7

Once, executed, a, sample, malware (MD5: 1c5096c3ce645582dd18758fe523840a), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://pelcpawel.fm.interia.pl - 217.74.65.161
hxxp://testtrade.ru - 178.208.83.7
hxxp://chicostara.com - 91.142.252.26

In, 2009, I, profiled, the, direct, compromise, of Embassy of India in Spain Serving Malware, further, detailing, the, malicious, activity, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On 2008-09-07, msn-analytics.net was registered using the palfreycrossvw@gmail.com email. On 2007-06-17 it used to respond to 82.98.235.50, it then changed IPs on 2008-09-07 to 58.65.234.9, followed by another change on 2009-11-14 to 96.9.183.149, then to 96.9.158.41 on 2009-12-29, and to 85.249.229.195 on 2010-03-09.

On 2008-07-10, pinoc.org was registered using the 4ykakabra@gmail.com email. On 2008-07-10 it responded to 58.65.234.9, it then changed IPs on 2008-08-17 to 91.203.92.13, followed by another change on 2008-08-24 to 58.65.234.9, followed by yet another change to 208.73.210.76 on 2009-10-03, and yet another change on 2009-10-06 to 96.9.186.245.

On 2008-09-20, wsxhost.net was registered using the palfreycrossvw@gmail.com email. On 2008-09-20 wsxhost.net responded to 58.65.234.9, it then changed IPs on 2008-12-22 to 202.73.57.6, followed by another change on 2009-05-18 to 202.73.57.11, yet another change on 2009-06-22 to 92.38.0.66, then to 91.212.198.116 on 2009-07-06, yet another change on 2009-08-17 to 210.51.187.45, then to 210.51.166.239 on 2009-08-25, and finally to 213.163.89.54 on 2009-09-05.

On 2008-06-29 google-analyze.cn was registered using the johnvernet@gmail.com email.

Historically (up to present day) johnvernet@gmail.com is known to have registered the following domains:
hxxp://baidustatz.com
hxxp://edcomparison.com
hxxp://google-analyze.org
hxxp://google-stat.com
hxxp://kolkoman.com
hxxp://m-analytics.net
hxxp://pinalbal.com
hxxp://pornokman.com
hxxp://robokasa.com
hxxp://rx-white.com
hxxp://sig4forum.com
hxxp://thekapita.com
hxxp://visittds.com

msn-analytics.net, is, known, to, have, responded, to, 216.157.88.21; 85.17.25.214; 216.157.88.22; 85.17.25.215; 85.17.25.202; 216.157.88.25; 5.39.99.49; 167.114.156.214; 5.39.99.50; 66.135.63.164; 85.17.25.242; 69.43.161.210

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: eb95798965a18e7844f4c969803fbaf8
MD5: 106b6e80be769fa4a87560f82cd24b57
MD5: 519a9f1cb16399c515723143bf7ff0d0
MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5
MD5: 613e8c31edf4da1b8f8de9350a186f41

Once, executed, a, sample, malware (MD5: eb95798965a18e7844f4c969803fbaf8), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://vboxsvr.ovh.net
hxxp://thinstall.abetterinternet.com - 85.17.25.214
hxxp://survey-winner.net - 94.229.72.117
hxxp://survey-winner.net - 208.91.196.145
hxxp://comedy-planet.com

 Once, executed, a, sample, malware (MD5: 106b6e80be769fa4a87560f82cd24b57), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

Once, executed, a, sample, malware (MD5: b537c3d65ecc8ac0f3cd8d6bf3556da5), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://followfortieth.net
hxxp://memberfortieth.net
hxxp://beginadvance.net
hxxp://knownadvance.net
hxxp://beginstranger.net
hxxp://knownstranger.net - 23.236.62.147

pinoc.org, is, known, to, have, responded, to, 103.224.212.222; 185.53.179.24; 185.53.179.9; 185.53.177.10; 188.40.174.81; 46.165.247.18; 178.162.184.130

Related, malicious, MD5s, known, to, have, phoned, back, to, the, same, malicious, C&C, server, IPs:
MD5: 000125b0d0341fc078c7bdb5b7996f9e
MD5: b3bbeaca85823d5c47e36959b286bb22
MD5: 4faa9445394ba4edf73dd67e239bcbca
MD5: 9f3b9de8a3e7cd8ee2d779396799b17a
MD5: 38d07b2a1189eb1fd64296068fbaf08a

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://os.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://static.greatappsdownload.com - 54.230.187.48
hxxp://ww1.os.onlineapplicationsdownloads.com - 91.195.241.80
hxxp://os2.onlineapplicationsdownloads.com - 103.224.212.222
hxxp://ww1.os2.onlineapplicationsdownloads.com - 91.195.241.80

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://errors.myserverstat.com - 103.224.212.222

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://scripts.dlv4.com - 103.224.212.222
hxxp://ww38.scripts.dlv4.com - 185.53.179.29

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://complaintsboard.com - 208.100.35.85
hxxp://7ew8gov.firoli-sys.com - 103.224.212.222
hxxp://yx-vom2s.hdmediastore.com - 45.33.9.234
hxxp://q8x3kb.wwwmediahosts.com - 204.11.56.48

Once, executed, a, sample, malware, phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://newworldorderreport.com - 50.63.202.29
hxxp://69jh93.firoli-sys.com - 103.224.212.222
hxxp://bpvv11ndq5.wwwmediahosts.com - 204.11.56.48
hxxp://0dbhwuja.hdmediastore.com - 45.33.9.234

wsxhost.net, is, known, to, have, responded, to, 184.168.221.45; 50.63.202.82; 69.43.161.172

Related, malicious, MD5s, known, to, have, responded, to, the, same, malicious, C&C, server, IPs:
MD5: 117036e5a7b895429e954f733e0acada
MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be
MD5: 6e330742d22c5a5e99e6490de65fabd6
MD5: f1c9cd766817ccf55e30bb8af97bfdbb
MD5: 7f4145bc211089d9d3c666078c35cf3d

Once, executed, a, sample, malware (MD5: 117036e5a7b895429e954f733e0acada), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://amacweb.org
hxxp://superaffiliatehookup.com
hxxp://germanamericantax.com
hxxp://lineaidea.it
hxxp://speedysalesletter.com

Once, executed, a, sample, malware (MD5: 1172e5a2ca8a43a2a2274f2c3b76a7be), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://allstatesdui.com - 50.63.202.36
hxxp://wellingtontractorparts.com - 72.167.232.158
hxxp://amacweb.org - 160.16.211.99
hxxp://nctcogic.org - 207.150.212.74

Once, executed, a, sample, malware (MD5: 6e330742d22c5a5e99e6490de65fabd6), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://santele.be - 176.62.170.69
hxxp://fever98radio.com - 141.8.224.93
hxxp://brushnpaint.com - 74.220.219.132
hxxp://jameser.com - 54.236.195.15
hxxp://hillsdemocrat.com - 67.225.168.30

Once, executed, a, sample, malware (MD5: f1c9cd766817ccf55e30bb8af97bfdbb), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://afterpeace.net - 195.38.137.100
hxxp://sellhouse.net - 184.168.221.45

Once, executed, a, sample, malware (MD5: 7f4145bc211089d9d3c666078c35cf3d), phones, back, to, the, following, malicious, C&C, server, IPs:
hxxp://riddenstorm.net - 208.100.26.234
hxxp://lordofthepings.ru - 109.70.26.37
hxxp://forcerain.net
hxxp://afterrain.net - 50.63.202.43)
hxxp://forcerain.ru
hxxp://forceheld.net

google-analyze.cn, is, known, to, have, responded, to, 103.51.144.81; 184.105.178.89; 65.19.157.235; 124.16.31.146; 123.254.111.190; 103.232.215.140; 103.232.215.147; 205.164.14.78; 50.117.116.117; 50.117.120.254; 205.164.24.45; 50.117.116.205; 50.117.122.90; 184.105.178.84; 50.117.116.204

Related malicious MD5s known to have phoned back to the same malicious C&C, server, IPs:
MD5: df05460b5e49cbba275f6d5cbd936d1d
MD5: 7732ffcf2f4cf1d834b56df1f9d815c9
MD5: 615eb515da18feb2b87c0fb5744411ac
MD5: 24fec5b3ac1d20e61f2a3de95aeb177c
MD5: 348eed9b371ddb2755eb5c2bfaa782ee

On 2008-08-27, yahoo-analytics.net was registered using the fuadrenalray@gmail.com email.

- google-analyze.org - Email: johnvernet@gmail.com - on, 2008-07-09, google-analyze.org , is, known, to, have, responded, to, 58.65.234.9, followed, by, a, hosting, change, on, 2008-08-17, with, google-analyze.org, responding, to, 91.203.92.13, followed, by, another, hosting, change, on, 2008-08-24, with, google-analyze.org, responding, to, 202.73.57.6.

- qwehost.com - Email: 4ykakabra@gmail.com - on, 2009-05-18, qwehost.com, is, known, to, have, responded, to, 202.73.57.11, followed, by, a, hosting, change, to, 202.73.57.11, followed, by, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 210.51.187.45.

- zxchost.com - Email: 4ykakabra@gmail.com - on, 2009-03-02, zxchost.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-06-22, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-25, pointing, to, 210.51.166.239.

- odile-marco.com - Email: OdileMarcotte@gmail.com - on, 2009-05-18, odile-marco.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, pointing, to, 91.212.198.116.

- edcomparison.com - Email: johnvernet@gmail.com - on, 2009-05-18, edcomparison.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13,  this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 210.51.187.45.

- fuadrenal.com - Email: fuadrenalRay@gmail.com - on, 2009-01-26, fuadrenal.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-05-18, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-13, this, time, pointing, to, 91.212.198.116, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

- rx-white.com - Email: johnvernet@gmail.com - on, 2009-05-18, rx-white.com, is, known, to, have, responded, to, 202.73.57.6, followed, by, a, hosting, change, on, 2009-06-22, pointing, to, 202.73.57.11, followed, by, yet, another, hosting, change, on, 2009-07-06, this, time, pointing, to, 92.38.0.66, followed, by, yet, another, hosting, change, on, 2009-08-17, this, time, pointing, to, 91.212.198.116.

In, 2009, I, profiled, the, direct, compromise, of, Embassy of Portugal in India Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2009-03-30, ntkrnlpa.info, is, known, to, have, responded, to, 83.68.16.6. Related, domains, known, to, have, participated, in, the, same, campaign - betstarwager.cn; ntkrnlpa.cn.

In, 2007, I, profiled, the, direct, compromise, of, French Embassy in Libya Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2008-11-05, tarog.us (Email: bobby10@mail.zp.ua), used, to, respond, to, 67.210.13.94, followed, by, a, hosting, change, on, 2009-03-02, pointing, to, 208.73.210.121. Related, domains, known, to, have, participated, in, the, campaign: fernando123.ws; winhex.org - Email: ipspec@gmail.com

On, 2007-02-18, winhex.org, used, to, respond, to, 195.189.247.56, followed, by, a, hosting, change, on, 2007-03-03, pointing, to, 89.108.85.97, followed, by, yet, another, hosting, change, on, 2007-04-29, this, time, pointing, to, 203.121.71.165, followed, by, yet, another, hosting, change, on, 2007-08-19, this, time, pointing, to, 69.41.162.77.

On, 2007-11-23, kjlksjwflk.com (Email: sflgjlkj45@yahoo.com), used, to, respond, to, 58.65.239.114, followed, by, a, hosting, change, on, 2009-02-16, pointing, to, 38.117.90.45, followed, by, yet, another, hosting, change, on, 2009-03-09, this, time, pointing, to, 216.188.26.235.

In, 2009, I, profiled, the, direct, compromise, of, Azerbaijanian Embassies in Pakistan and Hungary Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

Related, domains, known, to, have, participated, in, the, campaign:
- hxxp://filmlifemusicsite.cn; hxxp://promixgroup.cn; hxxp://betstarwager.cn; hxxp://clickcouner.cn

In, 2009, I, profiled, the, direct, compromise, of, USAID.gov compromised, malware and exploits served, further, establishing, a, direct, connection, between, the, gang's, activities, and, the, New, Media, Malware, Gang.

Related, domains, known, to, have, participated, in, the, campaign:
hxxp://should-be.cn - Email: admin@brut.cn; hxxp://orderasia.cn; hxxp://fileuploader.cn

In, 2007, I, profiled, the, direct, compromise, of, U.S Consulate St. Petersburg Serving Malware, further, establishing, a, direct, connection, between, the, group's, activities, and, the, Russian, Business, Network.

On, 2007-08-31, verymonkey.com (Email: srvs4you@gmail.com), used, to, respond, to, 212.175.23.114, followed, by, a, hosting, change, on, 2007-09-07, pointing, to, 209.123.181.185, followed, by, yet, another, hosting, change, on, 2007-09-27, this, time, pointing, to, 88.255.90.50, followed, by, yet, another, hosting, change, on, 2008-11-11, this, time, pointing, to, 216.188.26.235.

What's, particularly, interested, about, the, gang's, activities, is, the, fact, that, back, in 2007, the, group, pioneered, for, the, first, time, the, utilization, of, Web, malware, exploitation, kits, further, utilizing, the, infrastructure, of, the, Russian, Business, Network, successfully, launching, a, multi-tude, of, malicious, campaigns, further, spreading, malicious, software, further, utilizing, the, infrastructure, of, the, Russian, Business, Network.

Related posts:
Syrian Embassy in London Serving Malware
USAID.gov compromised, malware and exploits served
U.S Consulate St. Petersburg Serving Malware
Bank of India Serving Malware
French Embassy in Libya Serving Malware
The Dutch Embassy in Moscow Serving Malware
Ethiopian Embassy in Washington D.C Serving Malware
Embassy of India in Spain Serving Malware
Azerbaijanian Embassies in Pakistan and Hungary Serving Malware Continue reading →

Dissecting a Sample Russian Business Network (RBN) Contract/Agreement Through the Prism of RBN's AbdAllah Franchise

August 10, 2013

The Russian Business Network (RBN), is perhaps the most speculated, buzzed about, cybercrime enterprise in the World, a poster child for fraudulent activity 'streaming' from 'Mother Russia', in the eyes of respected/novice security/cybercrime researchers across the globe.

However, what a huge percentage of the researchers who're just catching up with its 'fraudulent performance metrics' over the years, don't realize, is how a newly emerged bulletproof hosting provider, managed to end up, as the World's most prolific source of fraudulent/malicious activity.

Hint: Basic business concepts like franchising, signalling the early stages of the modernization/professionalization of cybercrime, where being the benchmark has had a direct inspirational impact in the 'hearts and minds' of current and potential cybercriminals, then and now.

Case in point is Abdallah Internet Hizmetleri also known as AbdAllah (VN), an ex-RBN darling relying on the franchise business concept.

In this post, I'll discuss a sample contract/contractual agreement that every one of its customers had to sign before doing business with them, which in the broader context leads to a situation, where while the franchise is publicly advertising the bulletproof hosting services for trojans, exploits, warez, adult content, drop projects, botnets and spam, it's explicitly forbidding such activities -- with some visible exceptions -- in its contractual agreement.

What does this mean? It means that the Russian Business Network, the benchmark for the majority of ex/currently active bulletproof hosting providers, has been (legally) forwarding the responsibility for the fraudulent activity to its customers, in between reserving the right to act and deactivate their accounts if they ever violate the agreement/contract. The first thing that comes to my mind when it comes to the RBN 'reaction' in a socially oriented manner, are the infamous RBN Fake Account Suspended Notices, and that's just for starters, indicating a deteriorated understanding of malicious/fraudulent activity, with high profit margins in mind.

Let's go through the contract/agreement that every customer used to sign, before doing cybercrime-friendly business with them, both in original Russian, and automatically translated in English.

Sample AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract in Russian:
1. ПРЕДМЕТ ДОГОВОРА

1.1. Заказчик поручает, а ИСПОЛНИТЕЛЬ берет на себя обязательства по размещению и/или регистрации виртуального сервера ЗАКАЗЧИКА в сети Интернет.

2. УСЛОВИЯ ВЫПОЛНЕНИЯ ДОГОВОРА

2.1. По заключению настоящего договора ИСПОЛНИТЕЛЬ производит первоначальную установку и настройку виртуального сервера и обеспечивает ЗАКАЗЧИКА необходимой информацией для администрирования виртуального сервера.

2.2. ИСПОЛНИТЕЛЬ обеспечивает доступ в сети Интернет к виртуальному серверу, а так же работоспособность всех доступных сервисов ЗАКАЗЧИКА круглосуточно в течение семи дней в неделю.

3. ЦЕНЫ И ПОРЯДОК ОПЛАТЫ

3.1. Стоимость и порядок оплаты работ по настоящему договору на момент его заключения определяется в соответствии с действующими условиями, распространяемыми сотрудниками по E-Mail и/или ICQ.

3.2. Оплата вносится ЗАКАЗЧИКОМ в счет оплаты услуги поддержки виртуального веб-сервера ИСПОЛНИТЕЛЕМ. ИСПОЛНИТЕЛЬ вправе приостановить предоставление услуг при отрицательном состоянии счета.

3.3. Все выделенные серверы предоставляются в состоянии UNMANAGED, т.е администраторы ИСПОЛНИТЕЛЯ могут, но не ОБЯЗАНЫ настраивать арендуемый сервер. За любую настройку сервера ЗАКАЗЧИКА, либо скриптов на нём - взымается плата в размере 50 USD/за 1 час работы администратора ИСПОЛНИТЕЛЯ по Вашему вопросу, минимум пол часа. Полное администрирование сервера специалистами ИСПОЛНИТЕЛЯ стоит 250 USD в месяц. Бесплатно осуществляется перезагрузка сервер (если нет автоматической формы для этого).

3.4. В случае не оплаты услуг ЗАКАЗЧИКОМ в последний день биллингового периода, данные ЗАКАЗЧИКА удаляются по наступлению новых суток без возвратно. В случае виртуального хостинга удаляется аккаунт и все бэкапы данного аккаунта, в случае аренды сервера (dedicated или vps) сервер снимается с обслуживания, форматируются жесткие диски.

4. ОТВЕТСТВЕННОСТЬ СТОРОН

4.1. ИСПОЛНИТЕЛЬ не несет ответственности перед ЗАКАЗЧИКОМ или третьими сторонами за любые задержки, прерывания, ущерб или потери, происходящие из-за:
(а) дефектов в любом электронном или механическом оборудовании, не принадлежащем ИСПОЛНИТЕЛЮ;
(б) проблем при передаче данных или соединении, произошедших не по вине ИСПОЛНИТЕЛЯ ;
(в) вследствие обстоятельств непреодолимой силы в общепринятом смысле, т.е. чрезвычайными силами и непредотвратимыми обстоятельствами, не подлежащими разумному контролю;
(г) давление властей.

4.2. При расторжении Договора по инициативе ЗАКАЗЧИКА, неиспользованная часть аванса ЗАКАЗЧИКУ не возвращается.

4.3. ИСПОЛНИТЕЛЬ оставляет за собой право приостановить обслуживание ЗАКАЗЧИКА или расторгнуть договор в безусловном порядке без возвращения средств заказчику в следующих случаях:

- размещение детской порнографии и зоофилии в любом виде;

- попытки взлома, несанкционированного проникновения на сервер, в аккаунты других клиентов, попытки порчи оборудования или программного обеспечения;

- попытки взлома правительственных организаций в любом виде;

- попытки спама любого рода с наших серверов виртуального хостинга, кроме как через соксы;

- попытки фишинга банков (кража денег);

- размещение информации по торговле оружием и наркотиками, торговля людьми или органами людей, вызывающие межнациональную и религиозную рознь, призывающую к войне и насилию;

- неоправданная перегрузка вычислительных мощностей сервера виртуального хостинга (допускается использовать не более 5% мощности процессора и не более 128Мб оперативной памяти сервера);

- попытки взлома с серверов (dedicated и виртуальный хостинг) - серверы, которые расположены рядом в стойке, либо клиентов этой же страны, где расположен сервер;

- оскорбление в любой форме сотрудников сервиса.

4.4. ИСПОЛНИТЕЛЬ не отвечает за содержание информации, размещаемой ЗАКАЗЧИКОМ.

4.5. ИСПОЛНИТЕЛЬ не будет нести ответственности за любые затраты или ущерб, прямо или косвенно возникшие в результате использования услуги вэб хостинга.

4.6. MoneyBack за выделенный сервер возможен только в том случае, если недоступность данного сервера происходит по вине ИСПОЛНИТЕЛЯ, ввиду того, что ИСПОЛНИТЕЛЬ оплачиваем полную стоимость сервера в Дата-Центр. Также возможна замена сервера.

4.7. Размещение сайтов ЗАКАЗЧИКА, рекламируемых SPAMом на серверах ИСПОЛНИТЕЛЯ (как виртаульного хостинга, так и dedicated) оплачивается отдельно из расчета объема писем. При объёмах от 5млн до 10млн =1000 USD - 1500 USD в месяц за сервер в Китае или ГонгКонге, либо 150 USD неделя или 500 USD в месяц за виртуальный хостинг, более 10-20 млн.  = 200 USD неделя либо 2000$ за выделенный сервер.

4.8. ИСПОЛНИТЕЛЬ обязуется делать ежедневные резервные копии аккаунта ЗАКАЗЧИКА на сторонний сервер (только виртуальный хостинг).

4.9. ИСПОЛНИТЕЛЬ обязуется решать самостоятельно все жалобы (абузы/abuse), не привлекая к этому ЗАКАЗЧИКА и без вмешательства в данные ЗАКАЗЧИКА. ИСПОЛНИТЕЛЬ не решает жалобы (абузы/abuse) от полиции, крупных правительственных организаций и VerSign.

4.10. ИСПОЛНИТЕЛЬ не дает никаких гарантий, что домен ЗАКАЗЧИКА не будет заблокирован по любым причинам, а особенно таким как любой вид SPAMа, fraud, phishing и т.п.

5. КОНФИДЕНЦИАЛЬНАЯ ИНФОРМАЦИЯ

5.1. Стороны обязуются без обоюдного согласия не передавать третьим лицам либо использовать иным способом, не предусмотренным условиями Договора, организационно-технологическую, коммерческую, финансовую и иную информацию, составляющую секрет для любой из сторон (далее - "конфиденциальная информация") при условии, что:

- такая информация имеет действительную или потенциальную коммерческую ценность в силу ее неизвестности третьим лицам;

- к такой информации нет свободного доступа на законном основании;

- обладатель такой информации принимает надлежащие меры к обеспечению ее конфиденциальности.

5.2. Стороны обязуются, без обоюдного согласия, не передавать третьим лицам сведения о содержании и условиях Договора.

5.3. ИСПОЛНИТЕЛЬ обязуется предотвращать запись логов на серверах виртуального хостинга и маршрутизирующем оборудовании.

5.4. Будьте внимательны, сотрудники ИСПОЛНИТЕЛЯ не запрашивают пароли от аккаунтов виртуального хостинга и выделенных серверов. Исключением является ситуация, когда ЗАКАЗЧИК просить произвести какие-либо работы на его Выделенном Сервере.


 
Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract:
1. SUBJECT OF CONTRACT

1.1. Customer Requests, but ARTIST is committed to the placement and / or registration CUSTOMER virtual server on the Internet.

2. CONDITIONS OF IMPLEMENTATION OF THE TREATY

2.1. At the conclusion of this treaty ARTIST produces initial setup and configuration of the virtual server and provides the necessary information for CUSTOMER virtual server administration.

2.2. ARTIST provides access to the Internet to the virtual server, as well as efficiency of all available services CUSTOMER day seven days a week.

3. PRICES AND ORDER OF PAYMENT

3.1. Cost and arrangements of works under this contract at the time of its conclusion is determined in accordance with existing conditions, the staff distributed by E-Mail and / or ICQ.

3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server ISPOLNITELEM. ARTIST right to suspend the provision of services at a negative status of the account.

3.3. All dedicated servers are provided in a position UNMANAGED ie ISPOLNITELYA administrators can, but not OBYAZANY tune rented server. For any server setup CUSTOMER or scripts on it - charge of $ 50 USD / for 1 hour administrator ISPOLNITELYA to your question, at least half an hour. The full server administration specialists ISPOLNITELYA worth USD 250 per month. Free done rebooting the server (if not automatic form for this).

3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are removed CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting account and removed all of your backups, in case the rental server (dedicated or vps) server is removed from service, formatted hard drives.

4. RESPONSIBILITY OF PARTIES

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interruptions, damage or losses that occur because of:
(a) defects in any electronic or mechanical equipment, not belonging ISPOLNITELYU;
(b) problems in the transfer of data or connection that occurred through no fault ISPOLNITELYA;
(c) due to force majeure circumstances, in the conventional sense, that is, nepredotvratimymi forces and emergency circumstances, not subject to reasonable control;
(g) pressure from the authorities.

4.2. At the dissolution of the Treaty on the initiative CUSTOMER, ZAKAZCHIKU unused portion of the advance is not refundable.

4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract in order without the unconditional return of customer funds in the following cases:

-- Locating and zoofilii child pornography in any form;

-- attempted burglary, unauthorized entry to the server, in the accounts of other customers, trying to damage equipment or software;

-- attempted burglary governmental organizations in any form;

-- spam attempts of any kind from our servers hosting virtual except through SOCKS;

-- phishing attempts banks (stealing money);

-- posting on the arms trade and drug trafficking, or human organs, causing inter-ethnic and religious discord, calling for war and violence;

-- unjustified computing power overload virtual server hosting (which is allowed to use no more than 5% of CPU capacity, and no more than 128 MB of RAM server);

-- attempted burglary of servers (and dedicated virtual hosting) - servers, which are located next to the rack, a customer in the same country where the server;

-- insulting to any form of service personnel.

4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM.

4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly from the use of Web hosting services.

4.6. MoneyBack for dedicated server is possible only in case the inaccessibility of the fault occurs on the server ISPOLNITELYA, because ARTIST pay for the full cost of a server in Data Center. Also possible replacement server.

4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume of letters. With volume of 5 million to 10 million USD = 1000 - 1500 USD per month for the server in China or Gong Konge or 150 USD week, or 500 USD per month for a virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server.

4.8. ARTIST undertakes to do daily backups CUSTOMER account for the third-party server (only virtual hosting).

4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not engaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST does not solve complaints (abuzy / abuse) from the police, government organizations and major VerSign.

4.10. ARTIST gives no guarantees that the domain CUSTOMER not be blocked for any reason, but especially like any kind of SPAM, fraud, phishing, etc.

5. CONFIDENTIAL INFORMATION

5.1. The Parties undertake without the unanimous consent not to transfer to third parties or used in any other way other than prescribed conditions Treaty, organizational and technological, commercial, financial and other information, which is the secret to any of the parties (hereinafter - "confidential information"), provided that:

-- this information is actual or potential commercial value by virtue of its unknown third parties;

-- to such information no free access to the lawful;

-- holds such information shall take appropriate steps to ensure its confidentiality.

5.2. The Parties undertake, without unanimous consent, not to transfer to third parties about the content and conditions of the Treaty.

5.3. ARTIST undertakes to prevent logging on servers and virtual hosting routing equipment.

5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting accounts and dedicated servers. The exception is when CUSTOMER request to any work for his Vydelennom Server.

Excluding the direct offering of managed servers for spam sending in the actual agreement/contract, and the fact that their abuse department is virtually non-existent, the contact explicitly prohibits related malicious/fraudulent activity. Naturally, that's not the case when AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly communities, "back in the day":


In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercriminals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate the risk of having their activities exposed. Various cases throughout the last couple of years include:
The "best" is yet to come.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

May 11, 2010
Deja vu!

Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-trafficked torrents tracker, is currently serving live-exploits through a malicious ad served by "Fulldls.com  - Your source for daily torrent downloads".

Why deja vu? It's because the TorrentReactor.net malware campaign takes me back to 2008, among the very first extensive profiling of Russian Business Network activity, with their mass "input validation abuse" campaign back then, successfully appearing on numerous high-trafficked web sites, serving guess what? Scareware.

Moreover, despite the surprisingly large number of people still getting impressed by the use of http referrers as an evasive practice applied by the cybercriminals, these particular campaigns (ZDNet Asia and TorrentReactor IFRAME-ed; Wired.com and History.com Getting RBN-ed; Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:
  • So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP, are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from you're supposed to come, you get a 404 error message, deceptive to the very end of it.
The most recent compromise of TorrentReactor.net appears to be taking place through a malicioud ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet.


The campaign structure, including detection rates, phone back locations and ZeuS crimeware fast-flux related data is as follows:
- ads.fulldls.com /phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476
    - ad.leet.la /stats?ref=~.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)
    - lo.dep.lt /info/us1.html - 91.212.127.110 - lo.dep.lt - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD
        - 91.216.3.108 /de1/index.php; 91.216.3.108 /ca1/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich
            - 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru

Upon successful exploitation, the following malicious pdf is served:
- eac27d.pdf - Exploit.PDF-JS.Gen (v); JS:Pdfka-AET; - Result: 6/40 (15%) which when executed phones back to 91.216.3.108 /ca1/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:
- myexebr.exe - TSPY_QAKBOT.SMG - Result: 17/41 (41.47%) which then phones back to the ZeuS crimeware C&C: saiwoofeutie.com /bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru


Fast-fluxed domains sharing the same infrastructure:
demiliawes.com - Email: bust@qx8.ru
jademason.com - 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124; 170.51.231.93 - Email: blare@bigmailbox.ru
laxahngeezoh.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: zig@fastermail.ru
line-ace.com - Email: greysy@gmx.com
xareemudeixa.com - 112.201.223.129; 119.228.44.124; 170.51.231.93; 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 85.176.73.211 - Email: writhe@fastermail.ru
zeferesds.com - 190.135.224.89; 213.156.118.221; 217.201.4.95; 24.139.152.4; 83.10.238.182; 85.176.73.211; 112.201.223.129; 119.228.44.124 - Email: mated@freemailbox.ru

Name servers of notice:
ns1.rexonna.net - 202.60.74.39 - Email: aquvafrog@animail.net
ns2.rexonna.net - 25.120.19.23
ns1.line-ace.com - 202.60.74.39 - Email: greysy@gmx.com
ns2.line-ace.com - 67.15.223.219
ns1.growthproperties.net - 62.19.3.2 - Email: growth@support.net
ns2.growthproperties.net - 15.94.34.196
ns1.tropic-nolk.com - 62.19.3.2 - Email: greysy@gmx.com
ns2.tropic-nolk.com - 171.103.51.158

These particular iFrame injection Russian Business Network's campaigns from 2008, used to rely on the following URL for their malicious purposes - a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2). Why am I highlighting it? Excerpts from previous profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.

U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:
  • The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com /wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain -- back then parked at INTERCAGE-NETWORK-GROUP2 -- was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.
Not only is a-n-d-the.com /wtr/router.php (95.168.177.35) (Web sessions of the URL acting as a redirector), the exact same URL that was in circulating in 2008, residing on the Russian Business Network's netblock back then, still active, but also, it's currently redirecting to -- if the campaign's evasive conditions are met -- to www4.zaikob8.xorg.pl/?uid=213&pid=3&ttl=31345701120 - 217.149.251.12.

What this proves is fairly simple - with or without the Russian Business Network the way we used to know it, it's customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblocks ownership.

Related posts:
ZDNet Asia and TorrentReactor IFRAME-ed
Wired.com and History.com Getting RBN-ed
Massive IFRAME SEO Poisoning Attack Continuing

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Subscribe to: Comments (Atom)