ICANN Email Archives: [gnso-ff-pdp-may08]

ICANN ICANN Email List Archives
[gnso-ff-pdp-may08]

<<< Chronological Index >>> <<< Thread Index >>>
RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose

To: gaaron@xxxxxxxxxxxx
Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
Date: Sun, 3 Aug 2008 21:27:25 -0700
Greg mentioned:

#Initially I shared this case with a small group consisting of Chairman Mike,
#Dave P., Eric B-W., Steve C., and Randy V., for two reasons:

Just for the record, I was also part of that smaller group, unless it
has continued and I've been voted off the island. :-)

#The registrant is an entity called Domain UltraReach.  Domain UltraReach
#offers a proxy service called UltraSurf, which it says is designed to allow
#Web users to circumvent Internet censorship by the Chinese government:
# http://www.ultrareach.com/company/aboutus.htm  

That URL 404's for me (I'm seeing substantial changes to their website
since we first looked at it). Wayback Machine has it, however, see
http://web.archive.org/web/20070623145656/http://www.ultrar
each.com/company/aboutus.htm (URL wrapped due to length)

#In May, an UltraReach representative testified before the U.S. Senate
#Committee on the Judiciary, Subcommittee on Human Rights and the Law:
#
#http://judiciary.senate.gov/testimony.cfm?id=3369
#<http://judiciary.senate.gov/testimony.cfm?id=3369&wit_id=7187> &wit_id=7187
#
#I think the testimony is notable because it shows the organization chose to
#step into the public spotlight.

If I were using the software, I'd be more concerned about the fact that 
it is claimed to carry 95% of the anti-censorship traffic, a *tremendous*
concentration of traffic, including traffic from areas known to be of 
high interest to international security authorities (such as parts of
the Gulf). 

I'd also want to understand the company's business model/funding sources.

I also remain concerned by the fact that multiple A/V companies flag its
software (see below).

#People use various indicators or "flags" to decide whether a fluxing domain
#is being used for bad purposes or not.  UltraReach's indicators are mixed.
#UltraReach does these, which score it on the "negative" side:
#
#*      Uses very short TTLs

60 seconds in fact

Most FF folks are willing to at least go 180... :-;

#*      Uses IPs on a large number of geographically diverse ASNs
#*      Some of those are in consumer broadband ranges.  (For example,
#Comcast and RoadRunner have shown up in query results.  However, use of
#consumer ranges is less frequent than with usual bad fluxing domains.)

Consumer ranges are VERY infrequent. 

There are, however, actually a number of other distinguishing 
characteristics:

-- Not only are the TTLs short, unlike the typical fastflux case, the
   mapping of domain names to IP addresses constantly and consistently 
   changes on a fixed schedule (in the "traditional" fast flux case, 
   IP's drop and are replaced when they become unusable or begin to 
   perform poorly; in the Ultrareach case, as soon as the TTLs count
   down from 60, a new set of three IPs from a different /8 are 
   ALWAYS returned).

-- Three, and ONLY three IP's are ALWAYS returned, and the three IP's 
   are ALWAYS from the same /8, albeit usually from two or three 
   different ASNs

-- The appearance of corporate and government IP addresses in the
   rotation is VERY curious given that most corporate and government 
   IT departments are positively facist when it comes to controlling
   what gets run on business PCs; it is hard to imagine a scenario
   under which corporate and government PCs would voluntarily
   and knowingly allow their potentially sensitive systems and
   limited corporate/agency bandwidth to be used for potentially 
   random activities by unknown users

#*      The WHOIS data appears to be complete and accurate.

But a full list of domains used by Ultrareach isn't typically available,
so one is left with complete and accurate data *for the domains one may
stumble across,* but not pointers to all the domains being used. It is
still an evasive pattern of behavior (albeit one that's understandable
given this organization's nominal objectives).

See also the Garden Networks example mentioned below, however, when it
comes to "complete and accurate" whois.

#*      Usually returns three A records per nameserver, which is on the low
#side.  (Joe S., this will score the domains low using Mannheim's equation.)

Actually, all it means is that it takes (slightly) longer for the 
threshold to be reached. Remember that the Mannheim equation is cummulative,
so even if any single resolution doesn't hit the magic "b" coefficient,
over just a matter of minutes, the Ultrareach domains easily attain the 
required threshold. 

For example, testing the specific domain you mentioned, I see it make it in
three iterations, even when the domain name resolves one dotted quad 
to an IP that I don't even see in the RouteViews routing table!

AVONMPRODUCTS.INFO.     60      IN      A       208.65.153.253
                                                AS36561
AVONMPRODUCTS.INFO.     60      IN      A       208.163.7.175
                                                AS4208
AVONMPRODUCTS.INFO.     60      IN      A       208.7.242.227
                                                AS1239
(1.32*3)+(18.54*3)=59.58 for that one iteration...

AVONMPRODUCTS.INFO.     60      IN      A       216.239.122.147
                                                AS13867
AVONMPRODUCTS.INFO.     60      IN      A       216.115.2.122
                                                AS14188
AVONMPRODUCTS.INFO.     60      IN      A       216.172.249.67
                                                [network not in table]
(1.32*3)+(18.54*2)=41.04

AVONMPRODUCTS.INFO.     60      IN      A       61.135.179.191
                                                AS4808
AVONMPRODUCTS.INFO.     60      IN      A       61.37.88.118
                                                AS3786
AVONMPRODUCTS.INFO.     60      IN      A       61.21.245.246
                                                AS9824
(1.32*3)+(18.54*3)=59.58

Those three iterations take us to 160.20, which exceeds the
Mannheim "b" threshold of 142.38

Definitely fastflux under the Mannheim equation.

#On the other
#hand, one of the guys found that an anti-virus vendor flags it as malware,
#and we do not know why the vendor does so. 

It was Randy who checked it.

And it's not just *an* A/V vendor, it's multiple ones. Virustotal says 
(snipping the products which don't find anything):

File u.exe received on 08.04.2008 04:16:54 (CET)
Result: 6/36 (16.67%)

Antivirus       Version         Last Update     Result
Authentium      5.1.0.4         2008.08.03      W32/Trojan2.ASYO
eSafe           7.0.17.0        2008.08.03      Suspicious File
F-Prot          4.4.4.56        2008.08.03      W32/Trojan2.ASYO
Fortinet        3.14.0.0        2008.08.03      Misc/Ultrasurf
Prevx1          V2              2008.08.04      Worm
TrendMicro      8.700.0.1004    2008.08.01      PAK_Generic.001

Additional information
File size: 217600 bytes
MD5...: f556271e1338dfc224cbebf6fe8f8eae
SHA1..: 054f755a4037ba3bc4c17a5f4c681a1204f35e0d
SHA256: a70560275b6f6e9586a30f473b01f2584717df66a338204c696b55aa9994ca59
SHA512: 5f6c89c1544110d4039b4d814618f18ffd341c1c057ea9837006ab858187164e
9d8f2910cdd133696a20bdbe2a2fb351b7c0e8c4d02693cd436ab7a88e7915d0

Or heck, what about another anticensorship product, Garden GTunnel, also
mentioned in the Congressional Hearing, BTW... (I'll let you check out 
gardennetworks.com's domain whois yourself -- if I've got the wrong
outfit, feel free to send me a correct(ed) URL):

hxxp://gardennetworks.com/download/GTunnel.zip

My copy MD5sum's as: 128f5d4727e5aa908cacc8af8856cc82

When you unzip it, you get GTunnel.exe ... Cramming that through
Virustotal, we see twice as many A/V vendors with their hands up...

File GTunnel.exe received on 08.04.2008 05:37:52 (CET)
Result: 12/36 (33.34%)
        
Antivirus       Version         Last Update     Result
Authentium      5.1.0.4         2008.08.03      W32/Backdoor2.GRA
Avast           4.8.1195.0      2008.08.03      Win32:Delf-IHC
AVG             8.0.0.156       2008.08.03      SHeur.BAKQ
CAT-QuickHeal   9.50            2008.08.02      Backdoor.Delf.cwo
F-Prot          4.4.4.56        2008.08.03      W32/Backdoor2.GRA
GData           2.0.7306.1023   2008.08.03      Win32:Delf-IHC
Ikarus          T3.1.1.34.0     2008.08.04      Backdoor.Delf.cwo
NOD32v2         3323            2008.08.04      probably a variant of Win32/Delf
Prevx1          V2              2008.08.04      Malicious Software
Sunbelt         3.1.1537.1      2008.08.01      VIPRE.Suspicious
VBA32           3.12.8.2        2008.08.02      suspected of 
Embedded.Backdoor.Win32.Delf.cwo
Webwasher-Gateway       6.6.2   2008.08.04      Worm.Win32.Malware.gen 
(suspicious)

Additional information
File size: 660992 bytes
MD5...: 7cec5312dcd7a1884b50c0d221f8875b
SHA1..: e0a330037a8b371d3839e541a3a5ecbb0186f755
SHA256: d66a933ebcebd6da186a8ba41f271a1c638beaf81f460ae7ba1942e489e6b5c0
SHA512: 3caa1ee375e36805e8f38d4e46c5d8d8f2f97f2772d85e5cc61c228f5c7f788e
f82b9a81d0ff604d6799ab3743258cc7bc4deaf1a40e76c6f33c3a1d331c81cc

*Love* to know what's up with that... perfectly willing to accept that
it may have been pwn3d post hoc, but if so, let's see a clean version 
released, and let's see the domain whois information get cleaned up
while we're at it, too.

Regards,

Joe

Disclaimer: all opinions strictly my own.
<<< Chronological Index >>> <<< Thread Index >>>
Privacy Policy | Terms of Service | Cookies Policy