
Tuesday, 17 September 2013

SpeedPacket, CookieBomb and something evil on 37.58.73.42, 95.156.228.69 and 195.210.43.42

A few days ago the Internet Storm Center raised a question about activity on 37.58.73.42 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 95.156.228.69 (Game Company, Germany) and 195.210.43.42 (Syntis, France).

I hadn't seen the attack in question until today, when I came across this injection on a legitimate site: it uses a Cookie Bomb script [1] [2] to send victims, via an intermediary hacked site, to [donotclick]11p1rjqaahmp7asqbeqd5fx.bouwslim.be. The malicious domain is hosted on 95.156.228.69, which is one of the three servers in this cluster.

Reverse DNS indicates tens of thousands of malicious sites, mostly subdomains of domains hijacked from customers of a Belgian company called SpeedPacket, but there are also some other malicious .ru domains, some of which I have spotted before on a server in Romania.

The SpeedPacket hijacks are interesting. They have been going on since at least July, and it appears that the domains are being hijacked in alphabetical order. From my perspective, it looks like one domain gets hijacked and used for evil purposes, and then it either gets cleaned up by SpeedPacket or the bad guys return it once they have used it. I've never seen anything like that before. For example, using the data from VirusTotal, we can map it out as follows:

04/07/2013    antwerpen-drukkerij.be
13/08/2013    behangwerk.be
15/08/2013    belgianpowersystem.be
21/08/2013    benzino.be
22/08/2013    besparen-isoleren.be
22/08/2013    beste-frankiermaschine
31/08/2013    beveiligingen-vergelijken.be
01/09/2013    bevloerders.be
01/09/2013    bewakingsvideo.be
03/09/2013    binnen-deuren.be
05/09/2013    binnenhuisarchitecten-vergelijken.be
07/09/2013    bizgo.be
07/09/2013    bizzdir.be
08/09/2013    bleachen.be
09/09/2013    blocnotes-drukken.be
09/09/2013    bobbo.be
11/09/2013    bodyhealth.be
11/09/2013    boeddhabeelden.be
11/09/2013    boekbinderijen.be
11/09/2013    boeken-tweedehands.be
12/09/2013    boeken-tweedehands.be
12/09/2013    boiler-op-zonne-energie.be
13/09/2013    boilershop.be
13/09/2013    boiler-warmtepomp.be
14/09/2013    boldea.ro
14/09/2013    boniface.be
16/09/2013    bourgondischschild.be
16/09/2013    bouwcorrect.be
17/09/2013    bouw-materialen.be
17/09/2013    bouwslim.be


At the time of writing, only the domain bouwslim.be seems to be resolving; the rest appear to have been cleaned up.

These domains [pastebin] all appear to have been hijacked from SpeedPacket's customers and have been used in CookieBomb attacks. We can count 138 SpeedPacket domains that have been abused so far.

So, how many domains do SpeedPacket look after? We traced the hijacked domains back to their originating servers and found these 2318 domains [pastebin]. 138 out of 2318 doesn't sound too bad, until you realise that the hijack is happening alphabetically and bouwslim.be is the 316th domain on the list. Counted up to that point, a shocking 138/316 (44%) of SpeedPacket domains have been compromised so far.
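The two observations above (hijacks proceeding in alphabetical order, and the 138/316 count that only looks at domains up to the position of the latest hijack) can be checked mechanically. The following is an added example and not code from the original post: it parses the date/domain list given above, tests that each day's hijacks collate after every earlier day's, and computes the "compromised so far" ratio. The collation key ignores hyphens, which is an assumption on my part: under a plain ASCII sort bouw-materialen.be (17/09) would precede bouwcorrect.be (16/09) and the sequence would look out of order. `CUSTOMERS` is a constructed stand-in for the 2318-domain pastebin, which is not reproduced here.

```python
"""Added example (not from the original post): verify the alphabetical-hijack
observation and reproduce the "hits up to the latest hijack" ratio."""
from datetime import datetime
from itertools import groupby

# Date / domain pairs as listed in the post (dd/mm/yyyy), VirusTotal-derived.
HIJACK_TIMELINE = """\
04/07/2013 antwerpen-drukkerij.be
13/08/2013 behangwerk.be
15/08/2013 belgianpowersystem.be
21/08/2013 benzino.be
22/08/2013 besparen-isoleren.be
22/08/2013 beste-frankiermaschine
31/08/2013 beveiligingen-vergelijken.be
01/09/2013 bevloerders.be
01/09/2013 bewakingsvideo.be
03/09/2013 binnen-deuren.be
05/09/2013 binnenhuisarchitecten-vergelijken.be
07/09/2013 bizgo.be
07/09/2013 bizzdir.be
08/09/2013 bleachen.be
09/09/2013 blocnotes-drukken.be
09/09/2013 bobbo.be
11/09/2013 bodyhealth.be
11/09/2013 boeddhabeelden.be
11/09/2013 boekbinderijen.be
11/09/2013 boeken-tweedehands.be
12/09/2013 boeken-tweedehands.be
12/09/2013 boiler-op-zonne-energie.be
13/09/2013 boilershop.be
13/09/2013 boiler-warmtepomp.be
14/09/2013 boldea.ro
14/09/2013 boniface.be
16/09/2013 bourgondischschild.be
16/09/2013 bouwcorrect.be
17/09/2013 bouw-materialen.be
17/09/2013 bouwslim.be
"""

# Constructed stand-in for SpeedPacket's customer list (the real one has 2318 entries).
CUSTOMERS = [
    "aardbei-kwekerij.be", "antwerpen-drukkerij.be", "behangwerk.be",
    "benzino.be", "bobbo.be", "bouwslim.be", "bouwwereld.be",
    "brood-bakkers.be", "zonnepanelen-info.be",
]


def sort_key(domain):
    """Collation key: lower-case with hyphens removed.  ASSUMPTION: the attacker
    walks the list in dictionary order (punctuation ignored); with hyphens kept,
    bouw-materialen.be (17/09) would sort before bouwcorrect.be (16/09)."""
    return domain.lower().replace("-", "")


def parse_timeline(text):
    """Return [(date, domain), ...] sorted by date, same-day order preserved."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            day, domain = line.split()
            rows.append((datetime.strptime(day, "%d/%m/%Y").date(), domain))
    rows.sort(key=lambda r: r[0])
    return rows


def alphabetical_progression(rows, key=sort_key):
    """True if every day's hijacks collate at or after every earlier day's.
    Same-day entries carry no ordering information, so the check is per day:
    the smallest key of a day must not precede the largest key seen before it."""
    prev_max = ""
    for _day, group in groupby(rows, key=lambda r: r[0]):
        keys = [key(domain) for _, domain in group]
        if min(keys) < prev_max:
            return False
        prev_max = max(prev_max, max(keys))
    return True


def compromise_rate(customers, hijacked, key=sort_key):
    """Count hits only up to the alphabetical position of the latest hijack,
    which is how the post arrives at 138/316 rather than 138/2318.
    Hijacked names absent from the customer list are ignored.
    Returns (hits, position_reached, fraction)."""
    ordered = sorted(customers, key=key)
    hit = set(hijacked)
    positions = [i for i, d in enumerate(ordered) if d in hit]
    if not positions:
        return 0, 0, 0.0
    reached = positions[-1] + 1
    return len(positions), reached, len(positions) / reached


if __name__ == "__main__":
    rows = parse_timeline(HIJACK_TIMELINE)
    print("alphabetical (hyphens ignored):", alphabetical_progression(rows))
    print("alphabetical (plain ASCII):   ", alphabetical_progression(rows, key=str.lower))
    print("hits, reached, fraction:", compromise_rate(CUSTOMERS, [d for _, d in rows]))
```

On the constructed customer list five of the first six domains are hits, so the function reports 5/6; against the real pastebin lists the same call would give the post's 138/316. The plain-ASCII variant returns False only because of the hyphen in bouw-materialen.be, which is worth knowing before asserting "alphabetical" about any attacker's list.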

As I said, there are also some other domains hosted on these servers, including some malicious .ru domains. I don't recommend that you block the SpeedPacket customers listed, simply because blocking the IPs is simpler and less likely to block a legitimate site. But still, if it is your network then it is your rules that apply.

Recommended blocklist:
37.58.73.42
95.156.228.69
195.210.43.42
datingbay.eu
datingbay.us
arcgyj.ru
gmzuwr.ru
gnlhxr.ru
gqwgup.ru
gwggjs.ru
hiitok.ru
hjjjtp.ru
hljnpn.ru
hoqvmh.ru
hrgvrl.ru
htgkyl.ru
ihjxyw.ru
ilpkyu.ru
ivxwzs.ru
ixwsnw.ru
jpkkyy.ru
jtgqqt.ru
kinyng.ru
kjlluq.ru
klzwlz.ru
ksmhwj.ru
lqohmk.ru
lryuuy.ru
luiwmt.ru
lulpqm.ru
lvyrts.ru
lwxzuj.ru
mzjtwz.ru
nsggtm.ru
nsnikn.ru
nsnwzr.ru
nxtmrg.ru
ohskou.ru
olpnso.ru
onjmzs.ru
orjoik.ru
ovhirm.ru
oxxukz.ru
pguirk.ru
plvzjy.ru
ppvyot.ru
pvmkzn.ru
pvzvnp.ru
qroxil.ru
qugpiw.ru
qyloyh.ru
rgqvgm.ru
rhpxwr.ru
rszqxv.ru
rvwwko.ru
rwrkhx.ru
silotw.ru
toqizs.ru
tpxhpz.ru
trlnps.ru
ugjkxh.ru
ugvsmt.ru
umpynu.ru
vpzpkh.ru
vtqkmh.ru
vwjitv.ru
wltmpm.ru
wmhxul.ru
wqgzuo.ru
wstnog.ru
wvgyjr.ru
ximoql.ru
xqixtr.ru
xxpqzs.ru
ylypln.ru
ynjskx.ru
ynxgys.ru
yzxxtj.ru
zhkmgj.ru
zjqtih.ru
zromwk.ru
zrzuhj.ru
ztlwwm.ru
zuihwg.ru
zuknsr.ru
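To show why blocking the IPs catches the CookieBomb redirect without listing any SpeedPacket customer domain, here is an added example (not part of the original post) that applies a subset of the blocklist above to proxy log lines. Hostnames are matched on a label boundary, so subdomains of a listed domain (www.datingbay.eu) are caught while names that merely end in the same characters (notdatingbay.eu, datingbay.eu.example.org) are not; the redirect to 11p1rjqaahmp7asqbeqd5fx.bouwslim.be is caught by its destination IP alone. The log format and every log line are constructed for the example; the non-blocklist IPs come from the 192.0.2.0/24 documentation range.

```python
"""Added example (not from the original post): apply the post's blocklist to
proxy log lines, matching IPs exactly and hostnames on a label boundary."""
import ipaddress

# Subset of the post's recommended blocklist: IPs and domains mixed, one per line.
BLOCKLIST_TEXT = """
37.58.73.42
95.156.228.69
195.210.43.42
datingbay.eu
datingbay.us
arcgyj.ru
zuknsr.ru
"""

# Constructed log lines: "timestamp client_ip dest_ip host path" (not a real format).
SAMPLE_LOG = [
    "2013-09-17T10:01:02Z 10.0.0.5 192.0.2.44 legit-site.example /index.php",
    "2013-09-17T10:01:03Z 10.0.0.5 95.156.228.69 11p1rjqaahmp7asqbeqd5fx.bouwslim.be /",
    "2013-09-17T10:02:10Z 10.0.0.9 192.0.2.77 www.datingbay.eu /",
    "2013-09-17T10:03:00Z 10.0.0.9 192.0.2.78 notdatingbay.eu /",
    "2013-09-17T10:04:00Z 10.0.0.9 192.0.2.79 datingbay.eu.example.org /",
    "2013-09-17T10:05:00Z 10.0.0.9 192.0.2.10 bouwslim.be /",
]


def load_blocklist(text):
    """Split a mixed IP/domain list into (ips, domains); ipaddress decides which is which."""
    ips, domains = set(), set()
    for entry in text.split():
        try:
            ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return ips, domains


def host_matches(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None.
    Walking label by label keeps the match on a dot boundary, so
    'notdatingbay.eu' does not match 'datingbay.eu'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines, ips, domains):
    """Return (line_no, indicator, host) for every line hitting the blocklist.
    The destination IP is checked first: that is what catches traffic to the
    hijacked customer subdomains without listing the customer domains themselves."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, _client, dest_ip, host, _path = parts[:5]
        if dest_ip in ips:
            hits.append((n, dest_ip, host))
            continue
        matched = host_matches(host, domains)
        if matched:
            hits.append((n, matched, host))
    return hits


if __name__ == "__main__":
    ips, domains = load_blocklist(BLOCKLIST_TEXT)
    for hit in scan_log(SAMPLE_LOG, ips, domains):
        print("line %d: %s (%s)" % hit)
```

The last constructed line, bouwslim.be on an IP outside the cluster, produces no hit: once SpeedPacket cleans a domain up it resolves elsewhere, and an IP-based list stops flagging it without anyone having to edit the list. A domain-based list of the 138 customer names would keep blocking legitimate sites long after that.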
