Sponsored by..

Monday, 11 November 2013

"Consumer Benefit Ltd" adware sites to block

A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NET
descr:          Consumer Benefit LTD
descr:          Suite F 1st floor, New City Chambers
descr:          36 Wood Street
descr:          WF1 2HB Wakefield
country:        GB
admin-c:        KH2166-RIPE
tech-c:         PLN
status:         ASSIGNED PA
mnt-by:         PLUSLINE-MNT
source:         RIPE # Filtered


The problem is that there is no active company in the UK called Consumer Benefit Ltd.. there was a short-lived Manchester company number 06505446 which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.

Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address:

Registry Registrant ID:
Registrant Name: whois Protect Service
Registrant Organization:
Registrant Street: Suite F 1st floor, New City,
Registrant Street: Chambers, 36 Wood Street
Registrant City: Wakefield
Registrant State/Province: GB
Registrant Postal Code: WF1 2HB
Registrant Country: GB
Registrant Phone: +44.7077087721
Registrant Phone Ext:
Registrant Fax: +44.7077087502
Registrant Fax Ext:
Registrant Email: whois@sl.to


One .com using services in this range with apparently genuine details is ns-lookups.com:

Registry Registrant ID:
Registrant Name: Andrea Bégerová
Registrant Organization: BA Market Slovakia s. r. o.
Registrant Street: Klincová 37/B
Registrant City: Bratislava
Registrant State/Province: Slovenská Republika
Registrant Postal Code: 821 08
Registrant Country: SK
Registrant Phone: +421.259348122
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@bam-sk.com


Also hosted are some .to domains with anonymous registration, plus some German domains the only one of which with reliable WHOIS details seems to be gutscheinfilter.de registered to:

Type: PERSON
Name: Frank Dümpelmann
Organisation: Domport GmbH & Co KG
Address: Markt 32
PostalCode: 18273
City: Güstrow
CountryCode: DE
Phone: +49-9001-118840
Fax: +49-9001-118860
Email: adminc@domport.de


Domport seem to be invovled in domain parking and they have their own range of 212.19.39.192/28 that they use for this.

The adware in question attempted to call home to the following URLs:
f05e0362515f5125.srv.gutscheinfilter.de
dce645501bc1af9f.srv.ns-lookups.com
a.ns-lookups.com/updatecheck

Anyway, the following domains and IPs are all part of these "Consumer Benefit Ltd ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28
awsmazon.com
beelboon.com
htmladserver.com
tradesdoubler.com
ad-googlelinks.com
zanox-afiliate.com
linktrackingnet.com
googlesyntication.com
ns-lookups.com
download-web-shield.com
linkvista.de
adcall.de
gutscheinfilter.de
ebayrt.com
score.to
uses.to
vill.to
howto.to
setup.to
thats.to
trans.to
public.to
public-load.com
goal.to
vree.to
64-up.to
feeds.to
stopp.to
64-bit.to
hunter.to
trends.to
win-64.to
maps-24.to

3 comments:

shooflypie said...

Any thoughts as to the accuracy of this report, which seems to indicate these domains are involved in more serious targeted attacks?

http://cybertinel.com/wp-content/uploads/2014/09/Appendix-1-HAZARDOUS-IP-AND-URL-%E2%80%93-HARKONNEN-OPERATION.pdf

Conrad Longmore said...

@shooflypie - I went back over the evidence from the time, and the binaries in question were identified as AdWare/GFilter-A. This Malwr report also appears to be the same basic binary. (Registered users can download the binary).

These are some similarities with the victim organisation in this case, but from the evidence that I have reviewed it seems to be AdWare targeting German speakers, possibly related to a Slovak marketing firm.

shooflypie said...

Thanks Conrad. That matches what I and others were thinking (https://github.com/kbandla/APTnotes/issues/13).

I would be concerned if people were responding to infections as serious targeted attacks, based off of the language in the cyberintel report.