ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] The need for facts

  • To: mike@xxxxxxxxxx
  • Subject: RE: [gnso-ff-pdp-may08] The need for facts
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Sun, 13 Jul 2008 13:11:20 -0700

[caution: at least some sites discussed below may potentially deliver 
content that's flagged as potentially unwanted by at least some PC
antivirus products, so please proceed carefully]

#but it seems to me that before we get to solutions, we need to 
#understand the problem we're trying to solve a lot better than we do now.
#
#facts people, we need facts.   

I *love* facts, or more accurately, I love *data*! :-)

It is so great to see other fact/data driven folks!

#5) if they're not being collected now, what's the best place to get 
#them and is it worth it to go after them?
#
#i'm feeling quite fact-starved in our dialog so far, and (in off-list 
#conversations) so are others.

I'm willing to provide workgroup members with a steady stream of 
fastflux domain names, as well as a perl script that you can use to 
map those domain names to a constantly changing list of dotted quads. 
I cannot guarantee that you'll see ALL fastflux domain names which may be 
in use, but you'll certainly see enough data to support the case that the
technique *is* widely in use, and you'll be able to see how these
compromised hosts are geographically distributed. 

You can also review the domain whois information associated with those
fastflux domains to see (a) who's registering those domains (and the
quality of that point of contact information) (b) where/via-what-registrar
those domains are being registered, and (c) what name servers those 
domains are using (knowing the name servers allows you to use tools such
as the RUS-CERT Passive DNS service to discover additional domain names
using those same name servers or at least the same name server IPs). 

If you simply visit the fastflux domains, you can also see their raison
d'etre, although I would *caution you* that in some cases doing so may 
be potentially risky. 

But hey, since we're data-driven sorts of guys and gals, let's look at a
couple of examples...


Example #1 ---------------------------------------------------------------

Consider dualmagiccasino.com, a domain which is hosted on a "diverse
assortment" of dotted quads. For example, resolving it just *once* with 
dig I see (in-addr's in brackets added manually with dig -x or IP whois):

dualmagiccasino.com.    180     IN      A       124.120.118.174
                                [ppp-124-120-118-174.revip2.asianet.co.th]

dualmagiccasino.com.    180     IN      A       79.114.188.60
                                [79-114-188-60.rdsnet.ro]

dualmagiccasino.com.    180     IN      A       116.27.114.155
                                [NXDOMAIN; CHINANET Guangdong province IP]

dualmagiccasino.com.    180     IN      A       79.117.151.44
                                [79-117-151-44.rdsnet.ro]

dualmagiccasino.com.    180     IN      A       83.29.190.16
                                [bus16.neoplus.adsl.tpnet.pl]

dualmagiccasino.com.    180     IN      A       89.79.200.129
                                [chello089079200129.chello.pl]

dualmagiccasino.com.    180     IN      A       83.4.98.201
                                [aadu201.neoplus.adsl.tpnet.pl]

dualmagiccasino.com.    180     IN      A       208.104.140.127
                                [208-104-140-127.rhhe1.2wcm.comporium.net]

dualmagiccasino.com.    180     IN      A       83.9.82.41
                                [acak41.neoplus.adsl.tpnet.pl]

dualmagiccasino.com.    180     IN      A       87.250.172.13
                                [13.172.wmc.com.pl]

dualmagiccasino.com.    180     IN      A       87.19.36.17
                        [host17-36-dynamic.19-87-r.retail.telecomitalia.it]

dualmagiccasino.com.    180     IN      A       82.57.80.201
                        [host201-80-dynamic.57-82-r.retail.telecomitalia.it]

dualmagiccasino.com.    180     IN      A       62.121.96.10
                                [10-dzi-5.acn.waw.pl]

dualmagiccasino.com.    180     IN      A       77.79.155.15
                                [77.79.155.15.dynamic.ufanet.ru]

dualmagiccasino.com.    180     IN      A       79.140.162.78
                                [79-140-162-78.danisnet.md]

dualmagiccasino.com.    180     IN      A       88.233.108.223
                                [dsl88-233-27871.ttnet.net.tr]

dualmagiccasino.com.    180     IN      A       86.106.40.211
                                [dyn-86.106.40.211.tm.upcnet.ro]

dualmagiccasino.com.    180     IN      A       78.164.165.3
                                [NXDOMAIN, TurkTelecom IP address]

dualmagiccasino.com is listed on both multi.surbl.org and multi.uribl.com.


Its name servers are ns[12345].comehere1231.com

When I resolve those name servers, they're at:

ns1.comehere1231.com: 77.79.155.15
                      [77.79.155.15.dynamic.ufanet.ru]

ns2.comehere1231.com: 86.106.40.211
                      [dyn-86.106.40.211.tm.upcnet.ro]

ns3.comehere1231.com: 218.232.123.208
                      [NXDOMAIN; HANANET, South Korea, IP address]

ns4.comehere1231.com: 70.226.229.18
                      [ppp-70-226-229-18.dsl.spfdil.ameritech.net]

ns5.comehere1231.com: 77.43.213.69
                      [orbita77.43.213.69.ccl.perm.ru]


Working group members who'd like a list of a thousand or so apparently 
casino-related domains that use those same name servers can send me a 
PGP/GNU Privacy Guard key, and I'll send along a copy off list (it will
need to be encrypted because otherwise it will have zero chance of 
getting past anti-spam systems).


Oh yes: looking at the domain name, it does look like an online gambling 
site, right?

Well, if you actually *visit* that site, you will indeed see that it is 
indeed an online gambling site, but depending on how you interact with 
the site you may receive an executable (an executable which 18 of 33 
sites on VirusTotal identify in one of a variety of ways)...

For the curious, VirusTotal output for SetupMagicEuro.exe looks like:

File SetupMagicEuro.exe received on 07.13.2008 20:36:35 (CET)
Result: 18/33 (54.55%)
        
Antivirus       Version         Last Update     Result
AhnLab-V3       2008.7.11.0     2008.07.11      Win-AppCare/Xema.379421
AntiVir         7.8.0.64        2008.07.13      ADSPY/CasOnline.379421
Authentium      5.1.0.4         2008.07.13      W32/Backdoor.BNFA
Avast           4.8.1195.0      2008.07.13      Win32:Trojan-gen {Other}
AVG             7.5.0.516       2008.07.12      -
BitDefender     7.2             2008.07.13      Trojan.Generic.115343
CAT-QuickHeal   9.50            2008.07.11      Adware.Casonline.a (Not a Virus)
ClamAV          0.93.1          2008.07.13      Trojan.Agent-17367
DrWeb           4.44.0.09170    2008.07.12      -
eSafe           7.0.17.0        2008.07.13      Suspicious File
eTrust-Vet      31.6.5949       2008.07.12      -
Ewido           4.0             2008.07.13      -
F-Prot          4.4.4.56        2008.07.13      W32/Backdoor.BNFA
F-Secure        7.60.13501.0    2008.07.12      -
Fortinet        3.14.0.0        2008.07.13      -
GData           2.0.7306.1023   2008.07.13      Win32:Trojan-gen
Ikarus          T3.1.1.26.0     2008.07.13      Virus.Win32.Trojan
Kaspersky       7.0.0.125       2008.07.13      -
McAfee          5337            2008.07.11      potentially unwanted program CasOnline
Microsoft       1.3704          2008.07.13      -
NOD32v2         3263            2008.07.11      a variant of Win32/PTCasino
Norman          5.80.02         2008.07.11      -
Panda           9.0.0.4         2008.07.13      Suspicious file
Prevx1          V2              2008.07.13      Malicious Software
Rising          20.52.62.00     2008.07.13      -
Sophos          4.31.0          2008.07.13      Casino
Sunbelt         3.1.1536.1      2008.07.12      -
Symantec        10              2008.07.13      Infostealer
TheHacker       6.2.96.378      2008.07.13      -
TrendMicro      8.700.0.1004    2008.07.11      -
VBA32           3.12.6.9        2008.07.12      -
VirusBuster     4.5.11.0        2008.07.13      -
Webwasher-Gateway       6.6.2   2008.07.13      Ad-Spyware.CasOnline.379421

Additional information
File size: 379421 bytes
MD5...: 09a2ff2f6849c1d47ee96d6868b194e4
SHA1..: 92a7a1ddd18f3039198b463f71e8cd2a4e0a5f5f
SHA256: f23960fd226ef422dc88f5b711e302e321b591b255cc07233f290a02cbb5ad41
SHA512: 9f5b5ba7610fea633080f9cb204d17411de6288be515e4515f7940fba0a13158
b1777dec683ee085bbd0241c84ba1303794a147d8f896fa633883cb79acdb247

<cough>

So as you gather facts about domains that may be fluxing, you may want to
remember that it is an, uh, "interesting" world out there, folks. :-)


Example #2 ---------------------------------------------------------------

Online casinos aren't the only thing that we can see using what looks like
FF hosting. For example, consider e-meds-channel.com

Resolving that domain just *once* with dig, we see:

e-meds-channel.com.     120     IN      A       79.207.171.185
                                [p4FCFABB9.dip0.t-ipconnect.de]

e-meds-channel.com.     120     IN      A       82.83.253.10
                                [dslb-082-083-253-010.pools.arcor-ip.net]

e-meds-channel.com.     120     IN      A       85.135.118.158
                                [ip-85-135-118-158.customer.poda.cz]

e-meds-channel.com.     120     IN      A       85.179.162.58
                                [e179162058.adsl.alicedsl.de]

e-meds-channel.com.     120     IN      A       85.216.131.177
                                [chello085216131177.chello.sk]

e-meds-channel.com.     120     IN      A       85.216.239.38
                                [chello085216239038.chello.sk]

e-meds-channel.com.     120     IN      A       87.228.106.7
                                [NXDOMAIN; RU-MOSINFOLINE, Russia IP address]

e-meds-channel.com.     120     IN      A       89.173.46.52
                                [chello089173046052.chello.sk]

e-meds-channel.com.     120     IN      A       89.208.0.174
                                [NXDOMAIN; ELITSTUDIO Moscow IP address]

e-meds-channel.com.     120     IN      A       118.161.190.15
                                [118-161-190-15.dynamic.hinet.net]

e-meds-channel.com.     120     IN      A       213.248.16.105
                                [ppp-4-105.vpdn.msm.ru]

e-meds-channel.com.     120     IN      A       218.190.85.230
                                [NXDOMAIN; Hutchison Global Comm. IP address]

e-meds-channel.com.     120     IN      A       221.126.137.140
                                [NXDOMAIN; Hutchison Global Comm. IP address]

e-meds-channel.com.     120     IN      A       221.126.148.70
                                [NXDOMAIN; Hutchison Global Comm. IP address]

e-meds-channel.com.     120     IN      A       221.126.245.55
                                [NXDOMAIN; Hutchison Global Comm. IP address]

e-meds-channel.com.     120     IN      A       67.150.126.10
                                [67-150-126-10.lsan.mdsg-pacwest.com]

e-meds-channel.com.     120     IN      A       75.25.14.68
                                [adsl-75-25-14-68.dsl.irvnca.sbcglobal.net]

e-meds-channel.com.     120     IN      A       77.20.142.190
                        [NXDOMAIN; Kabel Deutschland Breitband Customer IP]

e-meds-channel.com.     120     IN      A       79.113.52.132
                                [79-113-52-132.rdsnet.ro]

e-meds-channel.com.     120     IN      A       79.119.143.44
                                [79-119-143-44.rdsnet.ro]

That's "Discount Pharmacy", offering schedule IV controlled substances
including diazepam and alprazolam, without requiring a prescription. 
Other drugs are also offered. 

e-meds-channel.com is listed on multi.surbl.org and multi.uribl.com

e-meds-channel.com uses the name servers:

e-meds-channel.com.     172800  IN      NS      ns0.bcrqhro.com.
e-meds-channel.com.     172800  IN      NS      ns0.cnogaira.com.
e-meds-channel.com.     172800  IN      NS      ns0.rehogonro.com.
e-meds-channel.com.     172800  IN      NS      ns0.wkakekod.com.

When I resolve those name servers, they're at:

ns0.bcrqhro.com:   79.111.60.199
                   [NXDOMAIN; Fairlie Holding & Finance Limited/
                   NetByNet Holding/ti.ru, Moscow, Russia, IP address]

ns0.cnogaira.com:  221.127.194.168
                   [NXDOMAIN; Hutchison Global Comm. IP address]

ns0.rehogonro.com: 79.172.64.36
                   [79.172.64.36.dyn.broadband.iskratelecom.ru]

ns0.wkakekod.com:  79.111.11.255
                   [NXDOMAIN; Fairlie Holding & Finance Limited/
                   NetByNet Holding/ti.ru, Moscow, Russia, IP address]

If you're a workgroup member interested in a list of thousands of domains 
also using NS0.BCRQHRO.COM, please let me know. 

Does this sort of factual data help? Anyone going to try to reach out
to some of the people who are on the IP's hosting these fast flux 
domains? If you do, and they're on a network that is instrumented with
Netflow or the equivalent, you may want to encourage them to share 
Netflow data they've seen for applicable dotted quads (assuming 
they're technically equipped to do so, legally *able* to do so, and 
voluntarily *willing* to do so). 

Regards,

Joe

Disclaimer: all opinions strictly my own, and please reverify all data
shown since conditions are constantly, well, in flux. :-)
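The message above points at several cues that separate a fast-flux name from ordinary hosting: a short TTL, a large and constantly changing set of A records, addresses spread across many unrelated networks, reverse names that look like consumer DSL/dial-up/cable pools, and name servers that themselves sit on such pools. The following script is an added example, not Joe's perl script and not anything from the list: it parses a dig-style answer in exactly the layout quoted above (A record line, reverse name in brackets on the next line) and reports those cues. The sample answer is a subset of the dualmagiccasino.com records from the message; the "static" control record set, the thresholds, and the list of consumer-pool tokens are assumptions chosen for illustration.

```python
"""Fast-flux cues from a single dig answer (added example, not the list's code)."""
import ipaddress
import re

# Constructed sample: a subset of the dualmagiccasino.com answer quoted in
# the message (A record line followed by its reverse name in brackets).
SAMPLE_FLUX = """\
dualmagiccasino.com.    180     IN      A       124.120.118.174
                                [ppp-124-120-118-174.revip2.asianet.co.th]
dualmagiccasino.com.    180     IN      A       79.114.188.60
                                [79-114-188-60.rdsnet.ro]
dualmagiccasino.com.    180     IN      A       116.27.114.155
                                [NXDOMAIN; CHINANET Guangdong province IP]
dualmagiccasino.com.    180     IN      A       83.29.190.16
                                [bus16.neoplus.adsl.tpnet.pl]
dualmagiccasino.com.    180     IN      A       87.19.36.17
                        [host17-36-dynamic.19-87-r.retail.telecomitalia.it]
dualmagiccasino.com.    180     IN      A       77.79.155.15
                                [77.79.155.15.dynamic.ufanet.ru]
"""

# Constructed control (assumed, not from the message): a conventionally
# hosted name, two addresses in one /24, day-long TTL, hosting-style PTRs.
SAMPLE_STATIC = """\
static.example.test.    86400   IN      A       192.0.2.10
                                [web1.hosting.example.test]
static.example.test.    86400   IN      A       192.0.2.11
                                [web2.hosting.example.test]
"""

# Constructed from the message: reverse names of ns[1-5].comehere1231.com.
SAMPLE_NS_PTRS = {
    "ns1.comehere1231.com": "77.79.155.15.dynamic.ufanet.ru",
    "ns2.comehere1231.com": "dyn-86.106.40.211.tm.upcnet.ro",
    "ns3.comehere1231.com": None,  # NXDOMAIN in the message
    "ns4.comehere1231.com": "ppp-70-226-229-18.dsl.spfdil.ameritech.net",
    "ns5.comehere1231.com": "orbita77.43.213.69.ccl.perm.ru",
}

A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
PTR_RE = re.compile(r"^\s*\[(.*)\]\s*$")
# Tokens common in reverse names of DSL/dial-up/cable pools (assumed list).
CONSUMER_HINTS = ("dsl", "dyn", "ppp", "pool", "dip", "cable", "customer", "retail")


def is_consumer_pool(ptr):
    """True if a reverse name carries one of the consumer-pool tokens."""
    return any(h in ptr.lower() for h in CONSUMER_HINTS)


def parse_answer(text):
    """Return (name, ttl, [(ip, ptr_or_None), ...]) from dig-style text."""
    name, ttl, records = None, None, []
    for line in text.splitlines():
        m = A_RE.match(line)
        if m:
            name, ttl = m.group(1).rstrip("."), int(m.group(2))
            records.append([m.group(3), None])
            continue
        m = PTR_RE.match(line)
        if m and records:
            note = m.group(1)
            # A bracketed NXDOMAIN note means no reverse name was found.
            records[-1][1] = None if note.startswith("NXDOMAIN") else note
    return name, ttl, [tuple(r) for r in records]


def flux_indicators(text, ttl_max=300, min_addrs=5, min_slash16=4):
    """Summarise one answer; thresholds are illustrative, not a standard."""
    name, ttl, recs = parse_answer(text)
    ips = [ip for ip, _ in recs]
    slash16 = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    ptrs = [p for _, p in recs if p]
    consumer = sum(1 for p in ptrs if is_consumer_pool(p))
    result = {
        "name": name,
        "ttl": ttl,
        "addresses": len(ips),
        "distinct_slash16": len(slash16),
        "no_reverse": sum(1 for _, p in recs if p is None),
        "consumer_fraction": round(consumer / len(ptrs), 2) if ptrs else 0.0,
    }
    result["looks_fluxy"] = (
        ttl is not None and ttl <= ttl_max
        and len(ips) >= min_addrs
        and len(slash16) >= min_slash16
    )
    return result


def nameservers_on_consumer_pools(ns_ptrs):
    """Name servers whose own reverse names look like access pools (double-flux cue)."""
    return sorted(ns for ns, ptr in ns_ptrs.items() if ptr and is_consumer_pool(ptr))


if __name__ == "__main__":
    print(flux_indicators(SAMPLE_FLUX))
    print(flux_indicators(SAMPLE_STATIC))
    print(nameservers_on_consumer_pools(SAMPLE_NS_PTRS))
```

A single answer is only a snapshot; the message's point is that the set changes on every resolution, so in practice you would feed repeated dig output into parse_answer over time and watch the union of addresses grow. The /16 count is a crude stand-in for "how many different networks": an ASN or IP-whois lookup per address, as the message does by hand, gives a much better spread measure.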


