Tuesday, 8 September 2015

Evil network: 89.144.2.0/24 / spoofing Echo Romeo LLP (AS199762)

This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner of 89.144.2.0/24, which seems to be almost completely full of spam, scam and malware sites.

UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for more.

Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

89.144.2.85
topinvestmentnews.com
news-finance-today.com

89.144.2.86
profit-method.biz
thesknews.com
huffnewstoday.com
businessnewsclub.com
businessdailygroup.com
investmentnewstoday.com

89.144.2.157
24-finances-news.com
finance-news-cbm.com

89.144.2.158
finances24-news.com
businessinfodaily.com
finance-today-news.com
dailybusinessdirect.com

Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains. After all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

I checked all the active sites in the 89.144.2.0/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

Safe Browsing

Diagnostic page for AS199762 (ECHOROMEO-AS)

What happened when Google visited sites hosted on this network?
Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 89.144.2.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 89.144.2.0/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Drilling down to the Google diagnostic for t9e.net is surprising:

Safe Browsing

Diagnostic page for t9e.net

What is the current listing status for t9e.net?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

Also in this range:
  • The domains travsolut.com and travsolut.org on 89.144.2.143 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
  • On 89.144.2.148, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with the POSeidon malware. On the same IP, srachechno.com is associated with a later version of the same malware.
  • Meanwhile on 89.144.2.149, dornegromant.com is also associated with POSeidon [pdf]
  • On 89.144.2.150 another POSeidon domain lurks, repherfeted.com.
  • And on 89.144.2.151 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 89.144.2.152.
  • On 89.144.2.153 is the domain ranferolto.com tagged as Infostealer.Posfind by Symantec. 
  • On 89.144.2.154 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader
  • On 89.144.2.180 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

UPDATE:
I asked Echo Romeo about this and their response was very quick...

Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details...

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE


But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

Domain name:
        echoromeonet.co.uk

    Registrant:
        ECHO ROMEO LLP

    Registrant type:
        Unknown

    Registrant's address:
        47 GLENMOOR ROAD
        WEST PARLEY
        FERNDOWN
        BH22 8QE
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 25-Jan-2014

    Registrar:
        101Domain, Inc. [Tag = 101INC-US]
        URL: https://101domain.com

    Relevant dates:
        Registered on: 25-Jan-2014
        Expiry date:  25-Jan-2016
        Last updated:  03-Nov-2014

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.echoromeonet.co.uk    212.38.166.68
        ns2.echoromeonet.co.uk    5.133.179.64

These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 212.38.166.68 (one of the nameservers). It looks very different from the real website.

But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP addresses.
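The mismatch described above can be checked mechanically. This is an added example, not code from the original post: it parses the RIPE objects quoted on this page (trimmed) and flags contact e-mail domains that resemble, but differ from, the organisation's real domain. The function names and the edit-distance threshold are assumptions made for the illustration.

```python
import re

# RIPE objects quoted on this page, trimmed to the attributes the check reads.
RPSL = """\
organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk

person:         Oleg Nikol'skiy
e-mail:         abuse@ipserver.su
"""
CONTACT_ATTRS = ("e-mail", "abuse-mailbox")

def parse_rpsl(text):
    """Split RPSL text into objects: lists of (attribute, value) pairs."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = []
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(("%", "#")):
                pairs.append((key.strip().lower(), value.strip()))
        if pairs:
            objects.append(pairs)
    return objects

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_contacts(objects, real_domain, max_edits=2):
    """Flag contact domains that contain or nearly spell real_domain's first label."""
    real_label = real_domain.split(".")[0]
    findings = []
    for obj in objects:
        for key, value in obj:
            domain = value.rpartition("@")[2].lower()
            label = domain.split(".")[0]
            if key in CONTACT_ATTRS and domain != real_domain and (
                    real_label in label or edit_distance(label, real_label) <= max_edits):
                findings.append((obj[0][1], key, domain))
    return findings

print(lookalike_contacts(parse_rpsl(RPSL), "echoromeo.co.uk"))
```

The containment test catches a word appended to the real name, as here; the edit-distance test covers single-character typos of it.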

Let's go back to these IPs...

The 89.144.2.0/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

Although the nameservers of 212.38.166.68 and 5.133.179.64 appear to be on very different blocks, they are actually allocated to the same person:

inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
changed:        abuse@rapidswitch.com 20120918
created:        2012-09-18T09:09:38Z
last-modified:  2015-08-12T07:25:02Z
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

route:          5.133.176.0/21
descr:          RapidSwitch
origin:         AS20860
mnt-by:         RAPIDSWITCH-MNT
mnt-routes:     GB10488-RIPE-MNT
changed:        richard@iomart.com 20120712
created:        2012-07-12T15:08:31Z
last-modified:  2012-07-12T15:08:31Z
source:         RIPE


Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.

A quick look at the 5.133.179.0/24 and 212.38.166.0/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

Recommended blocklist:
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24
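
One way to put the blocklist to work on existing logs, as an added example that is not part of the original post: it matches destination IPs against the three ranges above and reports which clients touched each one. The log format and client addresses are constructed for the illustration; the destinations are addresses quoted in this post and its comments, and the one from the comments falls outside the blocklist.

```python
import ipaddress
from collections import defaultdict

# The recommended blocklist from this post.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("89.144.2.0/24", "5.133.179.0/24", "212.38.166.0/24")]

# Constructed log lines: "client destination-ip host". The clients are invented;
# the destinations are addresses quoted in this post and its comments.
SAMPLE_LOG = """\
10.0.0.15 89.144.2.158 dailybusinessdirect.com
10.0.0.15 89.144.2.86 profit-method.biz
10.0.0.22 212.38.166.68 ns1.echoromeonet.co.uk
10.0.0.22 5.133.179.64 ns2.echoromeonet.co.uk
10.0.0.31 178.239.58.59 goodnewsfinance.com
10.0.0.40 not-an-ip broken.example
"""

def blocked_network(dest):
    """Return the blocklisted network containing dest, or None."""
    addr = ipaddress.ip_address(dest)  # raises ValueError on malformed input
    return next((net for net in BLOCKLIST if addr in net), None)

def triage(log_text):
    """Group clients by blocklisted network; collect unmatched and malformed lines."""
    hits, unmatched, malformed = defaultdict(set), [], []
    for line in log_text.splitlines():
        try:
            client, dest, host = line.split()  # wrong field count also raises ValueError
            net = blocked_network(dest)
        except ValueError:
            malformed.append(line)
            continue
        if net is None:
            unmatched.append((dest, host))
        else:
            hits[str(net)].add(client)
    return {n: sorted(c) for n, c in hits.items()}, unmatched, malformed

print(triage(SAMPLE_LOG))
```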

3 comments:

Theanonblogger said...

WTF are the block owners doing?
support@isp4p.net

I believe the escalation to RIPE level would be necessary if no action is taken
https://www.ripe.net/report-form

Theanonblogger said...

Now moved to
goodnewsfinance.com 178.239.58.59 / Netrouting Telecom NL

Theanonblogger said...

moved to
businessexpert24.net has address 109.237.109.237

inetnum: 109.237.108.0 - 109.237.111.255
netname: ADMAN-NET
descr: Krek Ltd.
country: RU
admin-c: VEG9-RIPE
tech-c: VEG9-RIPE
status: ASSIGNED PA
mnt-by: MNT-INTERLAN
mnt-domains: MNT-ADMAN
mnt-routes: MNT-ADMAN
mnt-lower: MNT-ADMAN
created: 2013-10-15T15:08:18Z
last-modified: 2013-12-20T13:10:36Z
source: RIPE # Filtered