RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- To: gaaron@xxxxxxxxxxxx
- Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 3 Aug 2008 21:27:25 -0700
Greg mentioned:
#Initially I shared this case with a small group consisting of Chairman Mike,
#Dave P., Eric B-W., Steve C., and Randy V., for two reasons:
Just for the record, I was also part of that smaller group, unless it
has continued and I've been voted off the island. :-)
#The registrant is an entity called Domain UltraReach. Domain UltraReach
#offers a proxy service called UltraSurf, which it says is designed to allow
#Web users to circumvent Internet censorship by the Chinese government:
# http://www.ultrareach.com/company/aboutus.htm
That URL 404's for me (I'm seeing substantial changes to their website
since we first looked at it). Wayback Machine has it, however, see
http://web.archive.org/web/20070623145656/http://www.ultrareach.com/company/aboutus.htm
#In May, an UltraReach representative testified before the U.S. Senate
#Committee on the Judiciary, Subcommittee on Human Rights and the Law:
#
#http://judiciary.senate.gov/testimony.cfm?id=3369&wit_id=7187
#
#I think the testimony is notable because it shows the organization chose to
#step into the public spotlight.
If I were using the software, I'd be more concerned about the fact that
it is claimed to carry 95% of the anti-censorship traffic, a *tremendous*
concentration of traffic, including traffic from areas known to be of
high interest to international security authorities (such as parts of
the Gulf).
I'd also want to understand the company's business model/funding sources.
I also remain concerned by the fact that multiple A/V companies flag its
software (see below).
#People use various indicators or "flags" to decide whether a fluxing domain
#is being used for bad purposes or not. UltraReach's indicators are mixed.
#UltraReach does these, which score it on the "negative" side:
#
#* Uses very short TTLs
60 seconds in fact
Most FF folks are willing to at least go 180... :-;
#* Uses IPs on a large number of geographically diverse ASNs
#* Some of those are in consumer broadband ranges. (For example,
#Comcast and RoadRunner have shown up in query results. However, use of
#consumer ranges is less frequent than with usual bad fluxing domains.)
Consumer ranges are VERY infrequent.
There are, however, actually a number of other distinguishing
characteristics:
-- Not only are the TTLs short, unlike the typical fastflux case, the
mapping of domain names to IP addresses constantly and consistently
changes on a fixed schedule (in the "traditional" fast flux case,
IP's drop and are replaced when they become unusable or begin to
perform poorly; in the Ultrareach case, as soon as the TTLs count
down from 60, a new set of three IPs from a different /8 are
ALWAYS returned).
-- Three, and ONLY three IP's are ALWAYS returned, and the three IP's
are ALWAYS from the same /8, albeit usually from two or three
different ASNs
-- The appearance of corporate and government IP addresses in the
rotation is VERY curious given that most corporate and government
IT departments are positively fascist when it comes to controlling
what gets run on business PCs; it is hard to imagine a scenario
under which corporate and government PCs would voluntarily
and knowingly allow their potentially sensitive systems and
limited corporate/agency bandwidth to be used for potentially
random activities by unknown users
#* The WHOIS data appears to be complete and accurate.
But a full list of domains used by Ultrareach isn't typically available,
so one is left with complete and accurate data *for the domains one may
stumble across,* but not pointers to all the domains being used. It is
still an evasive pattern of behavior (albeit one that's understandable
given this organization's nominal objectives).
See also the Garden Networks example mentioned below, however, when it
comes to "complete and accurate" whois.
#* Usually returns three A records per nameserver, which is on the low
#side. (Joe S., this will score the domains low using Mannheim's equation.)
Actually, all it means is that it takes (slightly) longer for the
threshold to be reached. Remember that the Mannheim equation is cumulative,
so even if any single resolution doesn't hit the magic "b" coefficient,
over just a matter of minutes, the Ultrareach domains easily attain the
required threshold.
For example, testing the specific domain you mentioned, I see it make it in
three iterations, even when the domain name resolves one dotted quad
to an IP that I don't even see in the RouteViews routing table!
AVONMPRODUCTS.INFO. 60 IN A 208.65.153.253
AS36561
AVONMPRODUCTS.INFO. 60 IN A 208.163.7.175
AS4208
AVONMPRODUCTS.INFO. 60 IN A 208.7.242.227
AS1239
(1.32*3)+(18.54*3)=59.58 for that one iteration...
AVONMPRODUCTS.INFO. 60 IN A 216.239.122.147
AS13867
AVONMPRODUCTS.INFO. 60 IN A 216.115.2.122
AS14188
AVONMPRODUCTS.INFO. 60 IN A 216.172.249.67
[network not in table]
(1.32*3)+(18.54*2)=41.04
AVONMPRODUCTS.INFO. 60 IN A 61.135.179.191
AS4808
AVONMPRODUCTS.INFO. 60 IN A 61.37.88.118
AS3786
AVONMPRODUCTS.INFO. 60 IN A 61.21.245.246
AS9824
(1.32*3)+(18.54*3)=59.58
Those three iterations take us to 160.20, which exceeds the
Mannheim "b" threshold of 142.38
Definitely fastflux under the Mannheim equation.
#On the other
#hand, one of the guys found that an anti-virus vendor flags it as malware,
#and we do not know why the vendor does so.
It was Randy who checked it.
And it's not just *an* A/V vendor, it's multiple ones. Virustotal says
(snipping the products which don't find anything):
File u.exe received on 08.04.2008 04:16:54 (CET)
Result: 6/36 (16.67%)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.08.03 W32/Trojan2.ASYO
eSafe 7.0.17.0 2008.08.03 Suspicious File
F-Prot 4.4.4.56 2008.08.03 W32/Trojan2.ASYO
Fortinet 3.14.0.0 2008.08.03 Misc/Ultrasurf
Prevx1 V2 2008.08.04 Worm
TrendMicro 8.700.0.1004 2008.08.01 PAK_Generic.001
Additional information
File size: 217600 bytes
MD5...: f556271e1338dfc224cbebf6fe8f8eae
SHA1..: 054f755a4037ba3bc4c17a5f4c681a1204f35e0d
SHA256: a70560275b6f6e9586a30f473b01f2584717df66a338204c696b55aa9994ca59
SHA512: 5f6c89c1544110d4039b4d814618f18ffd341c1c057ea9837006ab858187164e9d8f2910cdd133696a20bdbe2a2fb351b7c0e8c4d02693cd436ab7a88e7915d0
Or heck, what about another anticensorship product, Garden GTunnel, also
mentioned in the Congressional Hearing, BTW... (I'll let you check out
gardennetworks.com's domain whois yourself -- if I've got the wrong
outfit, feel free to send me a correct(ed) URL):
hxxp://gardennetworks.com/download/GTunnel.zip
My copy MD5sum's as: 128f5d4727e5aa908cacc8af8856cc82
When you unzip it, you get GTunnel.exe ... Cramming that through
Virustotal, we see twice as many A/V vendors with their hands up...
File GTunnel.exe received on 08.04.2008 05:37:52 (CET)
Result: 12/36 (33.34%)
Antivirus Version Last Update Result
Authentium 5.1.0.4 2008.08.03 W32/Backdoor2.GRA
Avast 4.8.1195.0 2008.08.03 Win32:Delf-IHC
AVG 8.0.0.156 2008.08.03 SHeur.BAKQ
CAT-QuickHeal 9.50 2008.08.02 Backdoor.Delf.cwo
F-Prot 4.4.4.56 2008.08.03 W32/Backdoor2.GRA
GData 2.0.7306.1023 2008.08.03 Win32:Delf-IHC
Ikarus T3.1.1.34.0 2008.08.04 Backdoor.Delf.cwo
NOD32v2 3323 2008.08.04 probably a variant of Win32/Delf
Prevx1 V2 2008.08.04 Malicious Software
Sunbelt 3.1.1537.1 2008.08.01 VIPRE.Suspicious
VBA32 3.12.8.2 2008.08.02 suspected of Embedded.Backdoor.Win32.Delf.cwo
Webwasher-Gateway 6.6.2 2008.08.04 Worm.Win32.Malware.gen (suspicious)
Additional information
File size: 660992 bytes
MD5...: 7cec5312dcd7a1884b50c0d221f8875b
SHA1..: e0a330037a8b371d3839e541a3a5ecbb0186f755
SHA256: d66a933ebcebd6da186a8ba41f271a1c638beaf81f460ae7ba1942e489e6b5c0
SHA512: 3caa1ee375e36805e8f38d4e46c5d8d8f2f97f2772d85e5cc61c228f5c7f788ef82b9a81d0ff604d6799ab3743258cc7bc4deaf1a40e76c6f33c3a1d331c81cc
*Love* to know what's up with that... perfectly willing to accept that
it may have been pwn3d post hoc, but if so, let's see a clean version
released, and let's see the domain whois information get cleaned up
while we're at it, too.
Regards,
Joe
Disclaimer: all opinions strictly my own.
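As an added worked example (not part of the original email, nor code from the working group or from any of the vendors or projects it discusses), the following Python script reproduces the scoring Joe walks through above and the "three IPs, always from the same /8, 60-second TTL" pattern he describes. It applies the Mannheim flux score with the coefficients quoted in the thread (1.32 per A record, 18.54 per ASN, threshold b = 142.38), summed iteration by iteration the way the post does it. The input format (a dig-style A record followed by an `ASnnnn` line or `[network not in table]`, lookups separated by a blank line), the function names and the blank-line grouping are assumptions made for this example; the sample lookups are the three shown in the post, arranged into that format.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Coefficients and threshold as quoted in the thread for the Mannheim flux score.
W_A = 1.32          # weight per distinct A record
W_ASN = 18.54       # weight per distinct ASN
THRESHOLD_B = 142.38

# Constructed input: the three lookups of AVONMPRODUCTS.INFO listed in the post,
# one lookup per blank-line-separated block, each A record followed by the ASN
# announcing it ("[network not in table]" where the post saw no route).
SAMPLE = """\
AVONMPRODUCTS.INFO. 60 IN A 208.65.153.253
AS36561
AVONMPRODUCTS.INFO. 60 IN A 208.163.7.175
AS4208
AVONMPRODUCTS.INFO. 60 IN A 208.7.242.227
AS1239

AVONMPRODUCTS.INFO. 60 IN A 216.239.122.147
AS13867
AVONMPRODUCTS.INFO. 60 IN A 216.115.2.122
AS14188
AVONMPRODUCTS.INFO. 60 IN A 216.172.249.67
[network not in table]

AVONMPRODUCTS.INFO. 60 IN A 61.135.179.191
AS4808
AVONMPRODUCTS.INFO. 60 IN A 61.37.88.118
AS3786
AVONMPRODUCTS.INFO. 60 IN A 61.21.245.246
AS9824
"""

A_RECORD = re.compile(r"^\S+\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
ASN_LINE = re.compile(r"^AS(\d+)$")

Record = Tuple[str, int, Optional[int]]   # (ip, ttl, asn or None when unrouted)


def parse_lookups(text: str) -> List[List[Record]]:
    """Split the text into lookups (blank-line separated) of (ip, ttl, asn) records."""
    lookups: List[List[Record]] = []
    current: List[Record] = []
    pending: Optional[Tuple[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the current lookup
            if current:
                lookups.append(current)
                current = []
            continue
        m = A_RECORD.match(line)
        if m:                             # A record: remember it until its ASN line
            pending = (m.group(2), int(m.group(1)))
            continue
        if pending is None:
            raise ValueError(f"ASN line without a preceding A record: {line}")
        m = ASN_LINE.match(line)
        asn = int(m.group(1)) if m else None   # "[network not in table]" -> None
        current.append((pending[0], pending[1], asn))
        pending = None
    if current:
        lookups.append(current)
    return lookups


def flux_score(records: List[Record]) -> float:
    """Mannheim score for one lookup: unrouted answers add no ASN term, as in the post."""
    ips = {ip for ip, _, _ in records}
    asns = {asn for _, _, asn in records if asn is not None}
    return round(W_A * len(ips) + W_ASN * len(asns), 2)


def same_slash8(records: List[Record]) -> bool:
    """True when every answer in the lookup falls in one /8, the pattern noted above."""
    nets = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip, _, _ in records}
    return len(nets) == 1


def evaluate(text: str) -> Dict[str, object]:
    """Score each lookup, accumulate across lookups, and summarise the rotation pattern."""
    lookups = parse_lookups(text)
    per_iteration = [flux_score(r) for r in lookups]
    cumulative: List[float] = []
    running, first_hit = 0.0, None
    for i, score in enumerate(per_iteration, 1):
        running = round(running + score, 2)
        cumulative.append(running)
        if first_hit is None and running > THRESHOLD_B:
            first_hit = i                 # first lookup at which the total passes b
    return {
        "per_iteration": per_iteration,
        "cumulative": cumulative,
        "exceeds_b": first_hit is not None,
        "first_iteration_over_b": first_hit,
        "ttls": sorted({ttl for r in lookups for _, ttl, _ in r}),
        "answers_per_lookup": sorted({len(r) for r in lookups}),
        "all_same_slash8": all(same_slash8(r) for r in lookups),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on the three lookups from the post gives per-iteration scores of 59.58, 41.04 and 59.58, a running total of 160.20 after the third lookup (over the 142.38 threshold at iteration 3), a single observed TTL of 60, exactly three answers per lookup, and every lookup's answers confined to one /8. The per-iteration summation and the "one /8 per answer set" check are the two observations the email makes; a production detector would also want to track how the answer sets change from one TTL expiry to the next, since the fixed-schedule rotation described above is what separates this case from the replace-on-failure pattern of ordinary fast flux.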