ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose

  • To: "'RLVaughn'" <RL_Vaughn@xxxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Tue, 5 Aug 2008 11:33:30 -0400

Dear Randy:

Your detective work is ever-thorough!

A conclusion I draw is that it sometimes takes a lot of human expertise and
hard work (both far beyond the norm) to figure out what is going on with
some of these names.  

Using the Mannheim formula, this domain would be flagged as a fast-flux
domain -- in other words, as a false-positive.  And at this point, you feel
the hosts are not compromised.

The Internet is certainly an ocean of new and unexpected things.

All best,
--Greg




-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of RLVaughn
Sent: Monday, August 04, 2008 11:40 PM
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose




My apologies for my horrible form of replying to my own message but
some clarification may be necessary.

> youtube.ru
> 
> I have drawn a conclusion about the above domain.  It is not fastflux

as it fails the compromised hosts test

> but is wildcarding requests to IPs for other purposes.  I do not
> conclude, however, the purpose of said wildcarding is directly related
> to the stated purpose of circumventing Internet censorship.

This is not to imply anything nefarious is going on with the IPs.  In fact,
I expect the use of the IPs has yet another use.

I would have mentioned some of the destination domains would not be the
wisest domains to visit using computers at work but am confident no one on
this group uses their employer's network resources for casual Internet use.

> 
> RLV

-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of RLVaughn
Sent: Monday, August 04, 2008 11:01 PM
To: gaaron@xxxxxxxxxxxx
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] case study: fluxing domains used for unusual purpose


Greg Aaron wrote:
> Dear group:
> 
>  
> 
> Here is an interesting case.  It is a service that uses fast-flux methods --
> but apparently not for the purposes we usually see.  This example touches
> upon several issues the WG has been discussing, including:
> 
> * Is it easy to establish malicious or criminal intent?  What issues are
> faced by those who must evaluate cases, and intervenors?
> 
> * What are people out on the Internet using fast-flux for?  
> 
> * Who could be impacted or harmed by any solutions or counter-measures?  Is
> there any impact upon the existence or creation of new and/or legitimate
> services on the Internet?
> 
>  
> 
> Initially I shared this case with a small group consisting of Chairman Mike,
> Dave P., Eric B-W., Steve C., and Randy V., for two reasons:
> 
> 1.    They have some relevant experience and expertise, so I thought they
> could help examine what was going on.
> 2.    I wanted to research the registrant before discussing its identity
> in a public fashion.
> 
> I'm going to try and state just the facts, and invite the five to correct
> anything I am missing or get wrong.
> 
>  
> 
> The registrant is an entity called Domain UltraReach.  Domain UltraReach
> offers a proxy service called UltraSurf, which it says is designed to allow
> Web users to circumvent Internet censorship by the Chinese government:
> http://www.ultrareach.com/company/aboutus.htm
> 
> These articles mention details:
> 
> Forbes: http://www.forbes.com/forbes/2006/0227/090.html
> 
> PBS: http://www.pbs.org/newshour/bb/asia/jan-june06/china_4-18.html
> 
> In May, an UltraReach representative testified before the U.S. Senate
> Committee on the Judiciary, Subcommittee on Human Rights and the Law:
> 
> http://judiciary.senate.gov/testimony.cfm?id=3369&wit_id=7187
> 
> 

I would encourage everyone to thoroughly read that testimony.  It contains
some rather serious allegations about the behaviors of the anti-virus
community.


> I think the testimony is notable because it shows the organization chose to
> step into the public spotlight.
> 
>  

<snip>

> UltraSurf's domain names run on the fast-flux technique -- the technical
> practice of using the DNS to rapidly rotate the hosting of the domain.
> Attached is representative query data.  
> 
<snip>
This is, indeed, an interesting domain.  Just for fun
I asked dig for the nameserver for the domain.  I was
told 67.15.183.52 (Everyone's Internet) (aka ns2.gotodafa.net registered to
UltraReach Internet Corp) was ns1.AVONMPRODUCTS.INFO, so I tossed a
few queries that way which you will find listed one per line on the
following output:

C:\secdata>gettl 67.15.183.52 avi.log
Using DNS: 67.15.183.52
Input File : avi.log
Output: stdout
A,AVONMPRODUCTS.INFO,212.48.10.150,60
A,AVONMPRODUCTS.INFO,212.182.88.229,60
A,AVONMPRODUCTS.INFO,212.32.50.4,0
A,ns1.AVONMPRODUCTS.INFO,74.203.241.16,60
A,ns1.AVONMPRODUCTS.INFO,74.103.178.222,60
A,ns1.AVONMPRODUCTS.INFO,74.242.224.4,0
A,ns1.AVONMPRODUCTS.INFO,59.188.4.76,60
A,ns1.AVONMPRODUCTS.INFO,59.143.101.225,60
A,ns1.AVONMPRODUCTS.INFO,59.196.214.4,0
A,ns1.AVONMPRODUCTS.INFO,72.233.72.142,60
A,ns1.AVONMPRODUCTS.INFO,72.179.203.115,60
A,ns1.AVONMPRODUCTS.INFO,72.42.62.2,0
A,ns2.AVONMPRODUCTS.INFO,74.203.241.11,60
A,ns2.AVONMPRODUCTS.INFO,74.185.65.243,60
A,ns2.AVONMPRODUCTS.INFO,74.154.247.123,0
A,ns2.AVONMPRODUCTS.INFO,209.151.227.84,60
A,ns2.AVONMPRODUCTS.INFO,209.129.245.127,60
A,ns2.AVONMPRODUCTS.INFO,209.192.212.2,0
A,ns2.AVONMPRODUCTS.INFO,218.30.64.121,60
A,ns2.AVONMPRODUCTS.INFO,218.170.4.165,60
A,ns2.AVONMPRODUCTS.INFO,218.201.60.227,0
A,ns2.AVONMPRODUCTS.INFO,213.180.204.46,60
A,ns2.AVONMPRODUCTS.INFO,213.106.132.229,60
A,ns2.AVONMPRODUCTS.INFO,213.46.60.4,0
A,ns2.AVONMPRODUCTS.INFO,69.26.188.18,60
A,ns2.AVONMPRODUCTS.INFO,69.44.140.171,60
A,ns2.AVONMPRODUCTS.INFO,69.182.67.227,0
A,ns1.AVONMPRODUCTS.INFO,66.48.78.201,60
A,ns1.AVONMPRODUCTS.INFO,66.21.100.122,60
A,ns1.AVONMPRODUCTS.INFO,66.49.100.67,0
A,ns1.AVONMPRODUCTS.INFO,69.147.83.197,60
A,ns1.AVONMPRODUCTS.INFO,69.140.34.165,60
A,ns1.AVONMPRODUCTS.INFO,69.254.11.227,0
A,ns1.AVONMPRODUCTS.INFO,143.166.83.38,60
A,ns1.AVONMPRODUCTS.INFO,143.180.198.121,60
A,ns1.AVONMPRODUCTS.INFO,143.156.99.233,0
A,ns2.AVONMPRODUCTS.INFO,66.135.210.64,60
A,ns2.AVONMPRODUCTS.INFO,66.149.224.126,60
A,ns2.AVONMPRODUCTS.INFO,66.19.70.67,0
A,ns2.AVONMPRODUCTS.INFO,193.33.59.200,60
A,ns2.AVONMPRODUCTS.INFO,193.161.39.141,60
A,ns2.AVONMPRODUCTS.INFO,193.79.188.229,0
A,ns2.AVONMPRODUCTS.INFO,58.22.102.8,60
A,ns2.AVONMPRODUCTS.INFO,58.99.28.116,60
A,ns2.AVONMPRODUCTS.INFO,58.3.23.2,0
A,ns2.AVONMPRODUCTS.INFO,66.230.188.2,60
A,ns2.AVONMPRODUCTS.INFO,66.139.37.165,60
A,ns2.AVONMPRODUCTS.INFO,66.249.12.227,0
A,ns2.AVONMPRODUCTS.INFO,219.148.35.89,60
A,ns2.AVONMPRODUCTS.INFO,219.122.14.127,60
A,ns2.AVONMPRODUCTS.INFO,219.202.222.2,0
A,ns1.AVONMPRODUCTS.INFO,75.126.141.204,60
A,ns1.AVONMPRODUCTS.INFO,75.176.200.115,60
A,ns1.AVONMPRODUCTS.INFO,75.41.61.2,0
A,ns1.AVONMPRODUCTS.INFO,38.107.129.3,60
A,ns1.AVONMPRODUCTS.INFO,38.132.23.152,60
A,ns1.AVONMPRODUCTS.INFO,38.143.229.124,0
A,ns1.AVONMPRODUCTS.INFO,209.191.93.52,60
A,ns1.AVONMPRODUCTS.INFO,209.98.84.61,60
A,ns1.AVONMPRODUCTS.INFO,209.33.51.4,0
A,ns2.AVONMPRODUCTS.INFO,209.151.227.84,60
A,ns2.AVONMPRODUCTS.INFO,209.165.209.127,60
A,ns2.AVONMPRODUCTS.INFO,209.192.212.2,0
A,ns2.AVONMPRODUCTS.INFO,62.149.24.66,60
A,ns2.AVONMPRODUCTS.INFO,62.181.91.229,60
A,ns2.AVONMPRODUCTS.INFO,62.17.3.4,0
A,ns2.AVONMPRODUCTS.INFO,61.174.63.217,60
A,ns2.AVONMPRODUCTS.INFO,61.41.93.127,60
A,ns2.AVONMPRODUCTS.INFO,61.255.170.67,0
A,ns22223333.AVONMPRODUCTS.INFO,58.22.102.8,60
A,ns22223333.AVONMPRODUCTS.INFO,58.163.15.167,60
A,ns22223333.AVONMPRODUCTS.INFO,58.10.255.227,0
A,ns21212121.AVONMPRODUCTS.INFO,217.74.65.68,60
A,ns21212121.AVONMPRODUCTS.INFO,217.226.144.121,60
A,ns21212121.AVONMPRODUCTS.INFO,217.202.53.233,0
A,microsoft.com,208.65.153.253,60
A,microsoft.com,208.190.80.229,60
A,microsoft.com,208.120.106.4,0
A,fbi.gov,217.72.204.254,60
A,fbi.gov,217.173.6.160,60
A,fbi.gov,217.72.17.79,0

There is no delay between the above queries, which clearly
demonstrate the above domain is double-fastflux using a
round robin reply from a precanned set of IPs chosen from
the same /8.

I will leave determining whether or not the above IPs are
truly acting as name servers as an exercise for the reader.

Interestingly enough, the advertised ns1.avonmproducts.info is
an open recursive nameserver of a different sort.  I.e.,
208.65.153.253 is aka youtube.com and
217.72.204.254 is aka www.gmx.com rather
than microsoft and the fbi.

But, we have seen the youtube.com IP,208.65.153.253, in Joe's data.
I strongly suspect the A queries responses for AVONMPRODUCTS.INFO are
red herrings.

But.... perhaps the name servers are merely playing games
with me.  To test that, I ran two phoney domains through
my query engine to the same IP. I get:
A,iamacompletelymadeupdomain.pluto,64.56.205.72,60
A,iamacompletelymadeupdomain.pluto,64.203.37.229,60
A,iamacompletelymadeupdomain.pluto,64.111.125.4,0
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.210.91.83,60
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.76.233.174,60
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.188.229.79,0

I suppose I need to extend the previous name server determination exercise
with the following thought problem, "If the above IPs are all
functioning as nameservers, would it be a good idea for them to act
in the same manner as 67.15.183.52?"

Although my data suggests the above IPs are merely wildcard replies
to any query name, making them not name servers, it is not safe to conclude
that there are no compromised hosts located in dynamic IP space which act as
open recursive name servers.

My confidence in the veracity of the nameserver replies is not high
but, being of an adventurous spirit, I decided to reverse map the IPs
to domains.  Here is what I found:
a1166.g.akamai.net
a1248.g.akamai.net
a1293.g.akamai.net
a1728.g.akamai.net.1be102cc.1.cn.akamaitech.net
a200.g.akamai.net
a222.g.akamai.net
a247.gc.akamai.net
a247.gc.akamai.net.e51ed882.1.cn.akamaitech.net
a247.gc.akamai.net.e71ed882.1.cn.akamaitech.net
a321.g.akamai.net
a527.g.akamai.net
a637.g.akamai.net
a685.b.akamai.net.1028140c.1.cn.akamaitech.net
a72.g.akamai.net
a850.g.akamai.net
a978.g.akamai.net
alice.it
ap.dell.com
assparade.com
au.youtube.com
bangbros.com
bangbrosnetwork.com
bangbus.com
beatazdunek.grono.net
befan.com
bigmouthfuls.com
bigtitsroundasses.com
br.youtube.com
c3.xanga.com
c-69-140-34-165.hsd1.md.comcast.net
car.autohome.com.cn
cartoon.chinavnet.com
cartoon.vnet.cn
ca.youtube.com
del.com
dell.ca
dell.com
dellvistaupgrade.com
demonoid.com
dermalamor.grono.net
de.youtube.com
disk.yandex.ru
download.paipai.z.lxdns.com
edu.chinavnet.com
edu.vnet.cn
embed.vnet.cn
ent.chinavnet.com
es.youtube.com
f1.www.vip.mud.yahoo.com
forum1.uwants.com
forum3.uwants.com
forum.uwants.com
free.chinavnet.com
fr.youtube.com
game.chinavnet.com
game.vnet.cn
gmx.net
golden.chinavnet.com
golden.vnet.cn
grono.net
hd.chinavnet.com
help.vnet.cn
hk.youtube.com
hp-intl-de.ebay.com
hp-intl-other.ebay.com
hp-intl-uk.ebay.com
ie.youtube.com
images.paypopup.com
in.youtube.com
it.youtube.com
joegross.com
jp.youtube.com
k4ngel.grono.net
kr.youtube.com
l.autohome.com.cn
live.chinavnet.com
log24.net
l.pcpop.com
l.ttdown.com
mail4.fanfiction.net
m.chinavnet.com
milflessons.com
monstersofcock.com
multi-pops.com
music.chinavnet.com
music.vnet.cn
mx.youtube.com
narod.ru
narod.yandex.ru
news.vnet.cn
nl.youtube.com
ns1.demonoid.com
ns1.ultrareach.net
nz.youtube.com
oversea.uwants.com
paypopup.com
pc1-www1.us.dell.com
pet.qqadv2.glb.lxdns.com
pet.qqpet.z.lxdns.com
php.net
phs.chinavnet.com
pl.youtube.com
poolcnc.17173.com
poolcnc.l.a.sohu.com
product.pcpop.com
ru.youtube.com
sms.vnet.cn
star.chinavnet.com
studiodell.com
survey.vnet.cn
thottbot.com
tin.alice.it
tj.chinavnet.com
tugjobs.com
tv.vnet.cn
tw.youtube.com
uk.youtube.com
uwants.com
uwants.com.hk
virgilio.it
vlife.vnet.cn
vnet.cn
www10.paypopup.com
www11.paypopup.com
www12.paypopup.com
www13.paypopup.com
www14.paypopup.com
www15.paypopup.com
www1.ins.dell.com
www1.paypopup.com
www2.paypopup.com
www.309589.grono.net
www4.paypopup.com
www.4shared.com
www5.paypopup.com
www6.paypopup.com
www.adsrevenue.net
www.alice.it
www.americannstandard.info
www.applieddmaterial.info
www.autohome.cnc.chinacache.net
www.autohome.com.cn
www.autohome.tel.chinacache.net
www.bangbros.com
www.beatkaz.grono.net
www.befan.com
www.chinadvclub.com
www.chinavnet.com
www.colgatepallmolive.info
www.dellcorp.info
www.demonoid.cc
www.demonoid.com
www.fanfiction.net
www.gmx.de
www.gmx.net
www.infoalibaba.info
www.interia.pl
www.made-in-china-home.info
www.multi-pops.com
www.narod.ru
www.paypopup.com
www.taisa.grono.net
www.thotbott.com
www.thottbot.com
www.tyfocus.info
www.uwants.com
www.uwants.com.hk
www.virgilio.it
www.vnet.cn
www.xanga.com
www.yahoo-ht3.akadns.net
www.yesadvertising.com
www.youtube.com
xanga.com
y2.php.net
yesadvertising.com
youth.chinavnet.com
youtube.co.in
youtube.co.kr
youtube.com
youtube.com.br
youtube.com.hk
youtube.com.mx
youtube.com.tw
youtube.co.nz
youtube.co.uk
youtube.de
youtube.es
youtube.fr
youtube.it
youtube.jp
youtube.l.google.com
youtube.pl
youtube.ru

I have drawn a conclusion about the above domain.  It is not fastflux
but is wildcarding requests to IPs for other purposes.  I do not
conclude, however, the purpose of said wildcarding is directly related
to the stated purpose of circumventing Internet censorship.

RLV
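Added example (not code from this thread, and not Randy's gettl tool or any WG tool): the two checks the thread relies on, Greg's Mannheim flux-score and Randy's same-/8 and made-up-name tests, run over a subset of the gettl output quoted above. The weights and threshold are the ones published by Holz et al., "Measuring and Detecting Fast-Flux Service Networks" (NDSS 2008). The gettl output carries no ASN data, so the distinct-ASN count the formula needs is passed in by the caller, and the value used in the demonstration is hypothetical. The parser also assumes, from the 60,60,0 runs in the output, that each gettl query produced three A records and that the TTL-0 record closes a reply; gettl itself does not document this.

```python
import ipaddress
from collections import defaultdict

# Mannheim flux-score weights and decision threshold as published by
# Holz et al. (NDSS 2008): a domain is flagged when
# 1.32*nA + 18.54*nASN > 142.38.
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.54 - 0.16  # 142.38

# Subset of the gettl output from Randy's message, one A record per line,
# in the form type,name,ip,ttl.  Only the first replies per name are kept.
GETTL_LOG = """\
A,AVONMPRODUCTS.INFO,212.48.10.150,60
A,AVONMPRODUCTS.INFO,212.182.88.229,60
A,AVONMPRODUCTS.INFO,212.32.50.4,0
A,ns1.AVONMPRODUCTS.INFO,74.203.241.16,60
A,ns1.AVONMPRODUCTS.INFO,74.103.178.222,60
A,ns1.AVONMPRODUCTS.INFO,74.242.224.4,0
A,ns1.AVONMPRODUCTS.INFO,59.188.4.76,60
A,ns1.AVONMPRODUCTS.INFO,59.143.101.225,60
A,ns1.AVONMPRODUCTS.INFO,59.196.214.4,0
A,ns2.AVONMPRODUCTS.INFO,74.203.241.11,60
A,ns2.AVONMPRODUCTS.INFO,74.185.65.243,60
A,ns2.AVONMPRODUCTS.INFO,74.154.247.123,0
A,ns2.AVONMPRODUCTS.INFO,209.151.227.84,60
A,ns2.AVONMPRODUCTS.INFO,209.129.245.127,60
A,ns2.AVONMPRODUCTS.INFO,209.192.212.2,0
A,microsoft.com,208.65.153.253,60
A,microsoft.com,208.190.80.229,60
A,microsoft.com,208.120.106.4,0
A,fbi.gov,217.72.204.254,60
A,fbi.gov,217.173.6.160,60
A,fbi.gov,217.72.17.79,0
A,iamacompletelymadeupdomain.pluto,64.56.205.72,60
A,iamacompletelymadeupdomain.pluto,64.203.37.229,60
A,iamacompletelymadeupdomain.pluto,64.111.125.4,0
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.210.91.83,60
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.76.233.174,60
A,pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request,195.188.229.79,0
"""


def parse_replies(text):
    """Group gettl lines into replies.

    Assumption (consistent with every run in the output, not documented by
    gettl): each query returned three A records and the third carries
    TTL 0, so a TTL-0 line closes a reply.
    """
    replies, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rtype, name, ip, ttl = line.split(",")
        if rtype != "A":
            continue
        current.append((name.lower(), ipaddress.ip_address(ip), int(ttl)))
        if int(ttl) == 0:
            replies.append(current)
            current = []
    if current:                      # trailing reply without a TTL-0 line
        replies.append(current)
    return replies


def slash8(ip):
    """The /8 containing ip (the block Randy noticed each reply stays in)."""
    return ipaddress.ip_network(f"{ip}/8", strict=False)


def reply_looks_precanned(reply):
    """Randy's pattern: three addresses from one /8 with TTLs 60,60,0.
    Genuine round-robin hosting gives every record the same TTL and the
    addresses fall wherever the hosts really are, so this pattern points
    to generated answers rather than real hosting."""
    nets = {slash8(ip) for _, ip, _ in reply}
    ttls = [ttl for _, _, ttl in reply]
    return len(nets) == 1 and ttls == [60, 60, 0]


def distinct_ips_per_name(replies):
    """nA for the Mannheim formula: distinct A records seen per name."""
    seen = defaultdict(set)
    for reply in replies:
        for name, ip, _ in reply:
            seen[name].add(ip)
    return {name: len(ips) for name, ips in seen.items()}


def mannheim_score(n_a, n_asn):
    return W_A * n_a + W_ASN * n_asn


def mannheim_flags(n_a, n_asn):
    return mannheim_score(n_a, n_asn) > THRESHOLD


def server_wildcards(replies, bogus_names):
    """True when the server handed out A records for names that cannot
    exist: it answers everything, so its answers for real names say
    nothing about where those names are hosted (Randy's red herrings)."""
    answered = {name for reply in replies for name, _, _ in reply}
    return all(b.lower() in answered for b in bogus_names)


def assess(text, bogus_names, asn_counts):
    """Run all checks.  asn_counts maps name -> distinct ASN count from an
    external lookup; gettl output has no ASN data, so the caller supplies it."""
    replies = parse_replies(text)
    n_a = distinct_ips_per_name(replies)
    return {
        "replies": len(replies),
        "all_precanned": all(reply_looks_precanned(r) for r in replies),
        "wildcarding": server_wildcards(replies, bogus_names),
        "mannheim": {name: mannheim_flags(n_a[name], asn_counts.get(name, 0))
                     for name in n_a},
    }


if __name__ == "__main__":
    bogus = ["iamacompletelymadeupdomain.pluto",
             "pass_L_Esprit_de_Courvoisier_Sil_vous_plait.request"]
    # Hypothetical ASN count, for the demonstration only.
    print(assess(GETTL_LOG, bogus, {"ns2.avonmproducts.info": 11}))
```

The point the two checks make together is the one Greg draws: nA and nASN both grow with every fabricated reply, so a server that wildcards every name scores as fast-flux under the Mannheim formula even though nothing is hosted at those addresses, and the made-up-name query is what separates that false positive from a real flux network.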



