Sponsored by..

Wednesday, 13 January 2016

Evil network: 46.30.40.0/21 / Eurobyte LLC and GoDaddy

Recently I kept coming across the name "Eurobyte LLC" when it came to hosting malware [1] [2] to an extent that I became rather suspicious about this Russian hosting company and what it is they actually do.

From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands. One of Webzilla's other customers is McHost.ru who also have a shitty reputation.

A look at Webzilla's AS35415 range shows that Eurobyte LLC is allocated the following blocks:

46.30.40.0/24
46.30.41.0/24
46.30.42.0/24
46.30.43.0/24
46.30.44.0/24
46.30.45.0/24
46.30.46.0/24
46.30.47.0/24

These coincide with a large-ish block of 46.30.40.0/21 which contains all the Eurobyte /24s.

Using DNSDB I found over 70,000 sites associated with this block. By associated I mean site currently hosted in the /21, or hosted there in the past few years. Crucially, that includes a lot of somedomains, nameservers and that sort of thing. In order to keep things manageable, I consolidated almost all the subdomains down into their main domains, leaving 18,260 domains and sites.

The next step was to take that data and look up the current IPs and Google prognosis (results here), giving 4048 sites with their main domains currently hosted at Eurobyte. Of this, only the following 16 appear to be malicious, 0.4% of the total.

promodoms.ru
androiddeff.ru
xpopkax.ru
xxxplayx.ru
justyoutube.ru
maineaquaventus.info
dallasdispute.com
waysecureforyou.pw
mammals.ru
101curtesty.pw
hitbambar.pw
topgradations.pw
getgradations.us
igrakon.biz
alwrgame.ru
igrakon-loads.ru

0.4% is a tiny amount.. I would typically expect to see about 1-2% on any network. So, Eurobyte LLC looks squeaky clean, yes?

In fact, this low number of malicious sites is misleading. If we go back to the original 18,260 domains and look at the number of malicious domains there, the total is 3,129. That's 17.1% of the original dataset.. a very high figure indeed.

The discrepancy appears to exist because there are thousands of subdomains hosted in the 46.30.40.0/21 range, where the main domain (e.g. www.) is hosted in a completely different location. The subdomains are then used to host malware such as the Angler Exploit Kit, while leaving the main domain completely untouched. The attack is known sometimes as domain shadowing.

Out of the malicious sites, 2793 are currently hosted at GoDaddy. That's 89.2% of the sites listed as malicious. But it turns out, that out of the other 336 sites taggest as malicious, about 300 are either registered with GoDaddy but hosted elsewhere, or use GoDaddy name servers. In other words, approximately 99% of the malicious sites belong to someone with a GoDaddy account.

But in fact, it is even worse than that. Looking at the domains that aren't tagged as malicious by Google reveals hundreds more similar hijacked GoDaddy domains. This list contains 5201 domains that are both parked on GoDaddy servers and have had malicious subdomains running in the Eurobyte LLC IP range. There are probably hundreds more that are hosted elsewhere.

What appears to be going on here is a domain shadowing attack on a massive scale, primarily leading victims to exploit kits.

There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend blocking 46.30.40.0/21 from your network.

If you are a GoDaddy customer then enabling-two factor authentication might give you some additional protection against this type of attack.

While researching this topic, I discovered that Talos had done some similar work which also pointed a finger at Eurobyte and their very lax control over their network.

No comments: