RE: [gnso-ff-pdp-may08] The need for facts
- To: mike@xxxxxxxxxx
- Subject: RE: [gnso-ff-pdp-may08] The need for facts
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 13 Jul 2008 13:11:20 -0700
[caution: at least some sites discussed below may potentially deliver
content that's flagged as potentially unwanted by at least some PC
antivirus products, so please proceed carefully]
#but it seems to me that before we get to solutions, we need to
#understand the problem we're trying to solve a lot better than we do now.
#
#facts people, we need facts.
I *love* facts, or more accurately, I love *data*! :-)
It is so great to see other fact/data driven folks!
#5) if they're not being collected now, what's the best place to get
#them and is it worth it to go after them?
#
#i'm feeling quite fact-starved in our dialog so far, and (in off-list
#conversations) so are others.
I'm willing to provide workgroup members with a steady stream of
fastflux domain names, as well as a perl script that you can use to
map those domain names to a constantly changing list of dotted quads.
I cannot guarantee that you'll see ALL fastflux domain names which may be
in use, but you'll certainly see enough data to support the case that the
technique *is* widely in use, and you'll be able to see how these
compromised hosts are geographically distributed.
You can also review the domain whois information associated with those
fastflux domains to see (a) who's registering those domains (and the
quality of that point of contact information) (b) where/via-what-registrar
those domains are being registered, and (c) what name servers those
domains are using (knowing the name servers allows you to use tools such
as the RUS-CERT Passive DNS service to discover additional domain names
using those same name servers or at least the same name server IPs).
If you simply visit the fastflux domains, you can also see their raison
d'etre, although I would *caution you* that in some cases doing so may
be potentially risky.
But hey, since we're data-driven sorts of guys and gals, let's look at a
couple of examples...
Example #1 ---------------------------------------------------------------
Consider dualmagiccasino.com, a domain which is hosted on a "diverse
assortment" of dotted quads. For example, resolving it just *once* with
dig I see (in-addr's in brackets added manually with dig -x or IP whois):
dualmagiccasino.com. 180 IN A 124.120.118.174
[ppp-124-120-118-174.revip2.asianet.co.th]
dualmagiccasino.com. 180 IN A 79.114.188.60
[79-114-188-60.rdsnet.ro]
dualmagiccasino.com. 180 IN A 116.27.114.155
[NXDOMAIN; CHINANET Guangdong province IP]
dualmagiccasino.com. 180 IN A 79.117.151.44
[79-117-151-44.rdsnet.ro]
dualmagiccasino.com. 180 IN A 83.29.190.16
[bus16.neoplus.adsl.tpnet.pl]
dualmagiccasino.com. 180 IN A 89.79.200.129
[chello089079200129.chello.pl]
dualmagiccasino.com. 180 IN A 83.4.98.201
[aadu201.neoplus.adsl.tpnet.pl]
dualmagiccasino.com. 180 IN A 208.104.140.127
[208-104-140-127.rhhe1.2wcm.comporium.net]
dualmagiccasino.com. 180 IN A 83.9.82.41
[acak41.neoplus.adsl.tpnet.pl]
dualmagiccasino.com. 180 IN A 87.250.172.13
[13.172.wmc.com.pl]
dualmagiccasino.com. 180 IN A 87.19.36.17
[host17-36-dynamic.19-87-r.retail.telecomitalia.it]
dualmagiccasino.com. 180 IN A 82.57.80.201
[host201-80-dynamic.57-82-r.retail.telecomitalia.it]
dualmagiccasino.com. 180 IN A 62.121.96.10
[10-dzi-5.acn.waw.pl]
dualmagiccasino.com. 180 IN A 77.79.155.15
[77.79.155.15.dynamic.ufanet.ru]
dualmagiccasino.com. 180 IN A 79.140.162.78
[79-140-162-78.danisnet.md]
dualmagiccasino.com. 180 IN A 88.233.108.223
[dsl88-233-27871.ttnet.net.tr]
dualmagiccasino.com. 180 IN A 86.106.40.211
[dyn-86.106.40.211.tm.upcnet.ro]
dualmagiccasino.com. 180 IN A 78.164.165.3
[NXDOMAIN, TurkTelecom IP address]
dualmagiccasino.com is listed on both multi.surbl.org and multi.uribl.com.
Its name servers are ns[12345].comehere1231.com
When I resolve those name servers, they're at:
ns1.comehere1231.com: 77.79.155.15
[77.79.155.15.dynamic.ufanet.ru]
ns2.comehere1231.com: 86.106.40.211
[dyn-86.106.40.211.tm.upcnet.ro]
ns3.comehere1231.com: 218.232.123.208
[NXDOMAIN; HANANET, South Korea, IP address]
ns4.comehere1231.com: 70.226.229.18
[ppp-70-226-229-18.dsl.spfdil.ameritech.net]
ns5.comehere1231.com: 77.43.213.69
[orbita77.43.213.69.ccl.perm.ru]
Working group members who'd like a list of a thousand or so apparently
casino-related domains that use those same name servers can send me a
PGP/GNU Privacy Guard key, and I'll send along a copy off list (it will
need to be encrypted because otherwise it will have zero chance of
getting past anti-spam systems).
Oh yes: looking at the domain name, it does look like an online gambling
site, right?
Well, if you actually *visit* that site, you will indeed see that it is
indeed an online gambling site, but depending on how you interact with
the site you may receive an executable (an executable which 18 of 33
sites on VirusTotal identify in one of a variety of ways)...
For the curious, VirusTotal output for SetupMagicEuro.exe looks like:
File SetupMagicEuro.exe received on 07.13.2008 20:36:35 (CET)
Result: 18/33 (54.55%)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.11 Win-AppCare/Xema.379421
AntiVir 7.8.0.64 2008.07.13 ADSPY/CasOnline.379421
Authentium 5.1.0.4 2008.07.13 W32/Backdoor.BNFA
Avast 4.8.1195.0 2008.07.13 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.07.12 -
BitDefender 7.2 2008.07.13 Trojan.Generic.115343
CAT-QuickHeal 9.50 2008.07.11 Adware.Casonline.a (Not a Virus)
ClamAV 0.93.1 2008.07.13 Trojan.Agent-17367
DrWeb 4.44.0.09170 2008.07.12 -
eSafe 7.0.17.0 2008.07.13 Suspicious File
eTrust-Vet 31.6.5949 2008.07.12 -
Ewido 4.0 2008.07.13 -
F-Prot 4.4.4.56 2008.07.13 W32/Backdoor.BNFA
F-Secure 7.60.13501.0 2008.07.12 -
Fortinet 3.14.0.0 2008.07.13 -
GData 2.0.7306.1023 2008.07.13 Win32:Trojan-gen
Ikarus T3.1.1.26.0 2008.07.13 Virus.Win32.Trojan
Kaspersky 7.0.0.125 2008.07.13 -
McAfee 5337 2008.07.11 potentially unwanted program CasOnline
Microsoft 1.3704 2008.07.13 -
NOD32v2 3263 2008.07.11 a variant of Win32/PTCasino
Norman 5.80.02 2008.07.11 -
Panda 9.0.0.4 2008.07.13 Suspicious file
Prevx1 V2 2008.07.13 Malicious Software
Rising 20.52.62.00 2008.07.13 -
Sophos 4.31.0 2008.07.13 Casino
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.13 Infostealer
TheHacker 6.2.96.378 2008.07.13 -
TrendMicro 8.700.0.1004 2008.07.11 -
VBA32 3.12.6.9 2008.07.12 -
VirusBuster 4.5.11.0 2008.07.13 -
Webwasher-Gateway 6.6.2 2008.07.13 Ad-Spyware.CasOnline.379421
Additional information
File size: 379421 bytes
MD5...: 09a2ff2f6849c1d47ee96d6868b194e4
SHA1..: 92a7a1ddd18f3039198b463f71e8cd2a4e0a5f5f
SHA256: f23960fd226ef422dc88f5b711e302e321b591b255cc07233f290a02cbb5ad41
SHA512: 9f5b5ba7610fea633080f9cb204d17411de6288be515e4515f7940fba0a13158
b1777dec683ee085bbd0241c84ba1303794a147d8f896fa633883cb79acdb247
<cough>
So as you gather facts about domains that may be fluxing, you may want to
remember that it is an, uh, "interesting" world out there, folks. :-)
Example #2 ---------------------------------------------------------------
Online casinos aren't the only thing that we can see using what looks like
FF hosting. For example, consider e-meds-channel.com
Resolving that domain just *once* with dig, we see:
e-meds-channel.com. 120 IN A 79.207.171.185
[p4FCFABB9.dip0.t-ipconnect.de]
e-meds-channel.com. 120 IN A 82.83.253.10
[dslb-082-083-253-010.pools.arcor-ip.net]
e-meds-channel.com. 120 IN A 85.135.118.158
[ip-85-135-118-158.customer.poda.cz]
e-meds-channel.com. 120 IN A 85.179.162.58
[e179162058.adsl.alicedsl.de]
e-meds-channel.com. 120 IN A 85.216.131.177
[chello085216131177.chello.sk]
e-meds-channel.com. 120 IN A 85.216.239.38
[chello085216239038.chello.sk]
e-meds-channel.com. 120 IN A 87.228.106.7
[NXDOMAIN; RU-MOSINFOLINE, Russia IP address]
e-meds-channel.com. 120 IN A 89.173.46.52
[chello089173046052.chello.sk]
e-meds-channel.com. 120 IN A 89.208.0.174
[NXDOMAIN; ELITSTUDIO Moscow IP address]
e-meds-channel.com. 120 IN A 118.161.190.15
[118-161-190-15.dynamic.hinet.net]
e-meds-channel.com. 120 IN A 213.248.16.105
[ppp-4-105.vpdn.msm.ru]
e-meds-channel.com. 120 IN A 218.190.85.230
[NXDOMAIN; Hutchison Global Comm. IP address]
e-meds-channel.com. 120 IN A 221.126.137.140
[NXDOMAIN; Hutchison Global Comm. IP address]
e-meds-channel.com. 120 IN A 221.126.148.70
[NXDOMAIN; Hutchison Global Comm. IP address]
e-meds-channel.com. 120 IN A 221.126.245.55
[NXDOMAIN; Hutchison Global Comm. IP address]
e-meds-channel.com. 120 IN A 67.150.126.10
[67-150-126-10.lsan.mdsg-pacwest.com]
e-meds-channel.com. 120 IN A 75.25.14.68
[adsl-75-25-14-68.dsl.irvnca.sbcglobal.net]
e-meds-channel.com. 120 IN A 77.20.142.190
[NXDOMAIN; Kabel Deutschland Breitband Customer IP]
e-meds-channel.com. 120 IN A 79.113.52.132
[79-113-52-132.rdsnet.ro]
e-meds-channel.com. 120 IN A 79.119.143.44
[79-119-143-44.rdsnet.ro]
That's "Discount Pharmacy", offering schedule IV controlled substances
including diazepam and alprazolam, without requiring a prescription.
Other drugs are also offered.
e-meds-channel.com is listed on multi.surbl.org and multi.uribl.com
e-meds-channel.com uses the name servers:
e-meds-channel.com. 172800 IN NS ns0.bcrqhro.com.
e-meds-channel.com. 172800 IN NS ns0.cnogaira.com.
e-meds-channel.com. 172800 IN NS ns0.rehogonro.com.
e-meds-channel.com. 172800 IN NS ns0.wkakekod.com.
When I resolve those name servers, they're at:
ns0.bcrqhro.com: 79.111.60.199
[NXDOMAIN; Fairlie Holding & Finance Limited/
NetByNet Holding/ti.ru, Moscow, Russia, IP address]
ns0.cnogaira.com: 221.127.194.168
[NXDOMAIN; Hutchison Global Comm. IP address]
ns0.rehogonro.com: 79.172.64.36
[79.172.64.36.dyn.broadband.iskratelecom.ru]
ns0.wkakekod.com: 79.111.11.255
[NXDOMAIN; Fairlie Holding & Finance Limited/
NetByNet Holding/ti.ru, Moscow, Russia, IP address]
If you're a workgroup member interested in a list of thousands of domains
also using NS0.BCRQHRO.COM, please let me know.
Does this sort of factual data help? Anyone going to try to reach out
to some of the people who are on the IP's hosting these fast flux
domains? If you do, and they're on a network that is instrumented with
Netflow or the equivalent, you may want to encourage them to share
Netflow data they've seen for applicable dotted quads, (assuming
they're technically equipped to do so, legally *able* to do so, and
voluntarily *willing* to do so).
Regards,
Joe
Disclaimer: all opinions strictly my own, and please reverify all data
shown since conditions are constantly, well, in flux. :-)
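Added example (not Joe's perl script, and not part of the original message): the post resolves a suspected fast-flux name once, maps each dotted quad to its reverse name, and notes the low TTL, the spread across many networks and the residential/dynamic look of the PTR names. The script below turns that manual inspection into offline, repeatable checks. The A records and PTR names for dualmagiccasino.com are copied from the message above; the CDN-style control (TEST-NET-3 addresses, invented PTR scheme), the "second lookup" used to show churn, and every threshold are constructed assumptions for illustration only. Distinct /16 prefixes stand in for ASN diversity because no routing data is available offline.

```python
"""Fast-flux indicators from a single dig answer, computed offline.

Added example for the post above; not the author's perl script.  The
A records and PTR names for dualmagiccasino.com are copied from the post;
the CDN control, the second "snapshot" and all thresholds are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# dig answer-section lines as quoted in the post (first 8 of the 18 records).
CASINO_DIG = """\
dualmagiccasino.com. 180 IN A 124.120.118.174
dualmagiccasino.com. 180 IN A 79.114.188.60
dualmagiccasino.com. 180 IN A 116.27.114.155
dualmagiccasino.com. 180 IN A 79.117.151.44
dualmagiccasino.com. 180 IN A 83.29.190.16
dualmagiccasino.com. 180 IN A 89.79.200.129
dualmagiccasino.com. 180 IN A 83.4.98.201
dualmagiccasino.com. 180 IN A 208.104.140.127
"""
# Reverse names from the post (dig -x); the NXDOMAIN entry is simply absent.
CASINO_PTR = {
    "124.120.118.174": "ppp-124-120-118-174.revip2.asianet.co.th",
    "79.114.188.60": "79-114-188-60.rdsnet.ro",
    "79.117.151.44": "79-117-151-44.rdsnet.ro",
    "83.29.190.16": "bus16.neoplus.adsl.tpnet.pl",
    "89.79.200.129": "chello089079200129.chello.pl",
    "83.4.98.201": "aadu201.neoplus.adsl.tpnet.pl",
    "208.104.140.127": "208-104-140-127.rhhe1.2wcm.comporium.net",
}
# Constructed control: what a CDN-hosted name typically looks like
# (TEST-NET-3 addresses and an invented PTR scheme, not a real service).
CDN_DIG = """\
www.example.net. 300 IN A 203.0.113.10
www.example.net. 300 IN A 203.0.113.11
www.example.net. 300 IN A 203.0.113.12
www.example.net. 300 IN A 203.0.113.13
"""
CDN_PTR = {f"203.0.113.{i}": f"edge{i}.pop1.example-cdn.net" for i in range(10, 14)}

A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s*$")
# Tokens ISPs commonly put in per-customer (broadband, dynamic) reverse names.
DYNAMIC_WORDS = re.compile(
    r"ppp|a?dsl|dyn(?:amic)?|pool|dip|cable|chello|customer|\bhost\d+-\d+", re.I)


def parse_a_records(dig_text):
    """Return (owner, ttl, ip) tuples for each A record in dig answer output."""
    recs = []
    for line in dig_text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            recs.append((m["name"].rstrip("."), int(m["ttl"]), m["ip"]))
    return recs


def looks_residential(ip, ptr):
    """Broadband-pool PTR names either carry dynamic/DSL words or embed the
    address's own octets (79-114-188-60..., chello089079200129...)."""
    if not ptr:
        return False
    if DYNAMIC_WORDS.search(ptr):
        return True
    # Octets in order, optionally zero-padded, optionally separated by one non-digit.
    embedded = r"\D?".join(f"0*{octet}" for octet in ip.split("."))
    return re.search(embedded, ptr) is not None


@dataclass
class FluxIndicators:
    name: str
    n_addresses: int          # distinct A records in one answer
    ttl: int                  # lowest TTL seen
    n_networks: int           # distinct /16 prefixes (rough stand-in for ASN diversity)
    residential_fraction: float
    flagged: bool


def assess(dig_text, ptr_names, *, max_ttl=300, min_addresses=5,
           min_networks=3, min_residential=0.5):
    """Score one answer.  The thresholds are illustrative assumptions, not calibrated."""
    recs = parse_a_records(dig_text)
    if not recs:
        raise ValueError("no A records found")
    name = recs[0][0]
    ips = sorted({ip for _, _, ip in recs})
    ttl = min(t for _, t, _ in recs)
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    residential = sum(looks_residential(ip, ptr_names.get(ip, "")) for ip in ips) / len(ips)
    flagged = (ttl <= max_ttl and len(ips) >= min_addresses
               and len(nets) >= min_networks and residential >= min_residential)
    return FluxIndicators(name, len(ips), ttl, len(nets), residential, flagged)


def churn(ips_then, ips_now):
    """Jaccard distance between two lookups: 0 = same set, 1 = fully replaced."""
    a, b = set(ips_then), set(ips_now)
    return 1 - len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    print(assess(CASINO_DIG, CASINO_PTR))
    print(assess(CDN_DIG, CDN_PTR))
    # Constructed "second lookup": 3 of the 8 survive, 5 are replaced by other
    # addresses the post lists for the same domain.  Real data comes from
    # re-running dig roughly every TTL seconds and keeping each answer.
    later = ["124.120.118.174", "79.114.188.60", "83.29.190.16", "83.9.82.41",
             "87.250.172.13", "87.19.36.17", "82.57.80.201", "62.121.96.10"]
    print("churn:", round(churn([ip for _, _, ip in parse_a_records(CASINO_DIG)], later), 3))
```

On real data the single-answer indicators are only the first pass: a legitimate CDN can also return many addresses with a short TTL, which is why the control above fails on network diversity and PTR pattern rather than on TTL alone. The churn value is what separates fluxing from ordinary round-robin: re-resolve at the TTL interval and a fast-flux name keeps replacing most of its set, while a CDN's pool stays largely stable. Treat the PTR heuristic as a hint to be confirmed with IP whois, exactly as the post does by hand.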