
Monday 21 September 2015

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotclick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se

Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.
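As an added example (not code from the original post), the following Python script shows how a defender could pick the two signals described above out of web proxy logs: requests whose destination falls inside 91.226.32.0/23, and requests whose URL has the shape of the "snitch" callback (path /snitch carrying the default_keyword, referrer, se_referrer and source parameters). The log lines and the simplified "client dest_ip url" format are constructed for the example; only the netblock, the IP and the URL shape come from the post.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Netblock the post recommends blocking, and the callback path it describes.
BAD_NETBLOCK = ipaddress.ip_network("91.226.32.0/23")
TDS_PATH = "/snitch"
# Query keys the injected script uses to report the page's keywords and referrer.
TDS_KEYS = {"default_keyword", "referrer", "se_referrer", "source"}

# Constructed proxy log lines (not real logs) in an assumed "client dest_ip url" format.
SAMPLE_LOG = """\
10.0.0.5 91.226.33.54 http://kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra&referrer=&se_referrer=&source=www.teamtyra.se
10.0.0.7 93.184.216.34 http://example.com/index.html
10.0.0.9 91.226.32.200 http://some-other-host.example/page
10.0.0.5 203.0.113.8 http://cdn.example/snitch?default_keyword=x&referrer=&se_referrer=&source=y
"""


def classify(dest_ip: str, url: str) -> list:
    """Return the reasons a request looks related to this campaign.

    Two independent signals: the destination is inside the netblock, and/or
    the URL matches the callback shape (path '/snitch' with all four
    keyword/referrer parameters present, even if empty).
    """
    reasons = []
    if ipaddress.ip_address(dest_ip) in BAD_NETBLOCK:
        reasons.append("dest in 91.226.32.0/23")
    parts = urlsplit(url)
    # keep_blank_values so "referrer=" still counts as a present parameter
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    if parts.path == TDS_PATH and TDS_KEYS <= query_keys:
        reasons.append("TDS callback pattern")
    return reasons


def scan_log(text: str) -> list:
    """Parse the simplified log and return (client, dest_ip, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, dest_ip, url = line.split(maxsplit=2)
        reasons = classify(dest_ip, url)
        if reasons:
            hits.append((client, dest_ip, reasons))
    return hits


if __name__ == "__main__":
    for client, dest, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {dest}: {', '.join(reasons)}")
```

The last constructed line matches the callback shape on a host outside the netblock; keeping the two signals separate is what lets you spot the kit when it moves to new hosting, which the post notes these operators tend to do.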

UPDATE:
ZScaler are also tracking this infection; an analysis of what it does can be found here.

Friday 13 June 2014

Something suspect on 38.84.134.0/24

This attack (assuming it is an attack) revolves around a bunch of domains hosted in 38.84.134.0/24 (HostZealot, UK).

It starts when a visitor visits the website click-and-trip.com hosted on 38.84.134.46 which purports to be some sort of hotel reservation system.

However, this URLquery report also shows a suspected Fiesta EK pattern and/or a TDS (Traffic Distribution System) URL. In the case of the report, the landing page is [donotclick]asasas.eu/yo416f8/counter.php?id=5 on 38.84.134.171 but this is one of those cases where the landing page seems to change quickly.

Both the "gateway" domain and "payload" domain share similarities in the WHOIS details. For click-and-trip.com it is:

Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: DE
Registrant Phone: +34.932073031
Registrant Phone Ext: 
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: HANSBRUSE@YAHOO.COM

Well, Barcelona isn't in DE (Germany), so these contact details look awfully suspect. If we look at the WHOIS details for asasas.eu we see:

Name         Hans Bruse
Organisation hans inc
Language     German
Address      Am Forsthaus 9
             18209 Glashagen
             Germany
Phone        +49.382037295
Email        hansbruse@yahoo.com


Both records use the "hansbruse@yahoo.com" email address, and those German contact details for "Hans Bruse" are more convincing than "Bernardo Mines".

The click-and-trip.com domain has been around since January and interestingly a dig back in time six months turns up slightly different contact details:

Registry Registrant ID:
Registrant Name: BERNARDO MINES
Registrant Organization: LA SAGRADA
Registrant Street: CARRER DE MALLORCA, 401
Registrant City: BARCELONA
Registrant State/Province: NON
Registrant Postal Code: 08013
Registrant Country: ES
Registrant Phone: +34.932073031
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: GEFEST@ZMAIL.RU
Registry Admin ID: 


See the Russian email address? That gets some positive matches on Google linking it to a person called Aleksandr Filippovskiy (or Filippovskiy Aleksandr) who has been connected with malware sites before. So on balance, this thing looks rather suspicious, even though those details could also be a smokescreen.

Reverse DNS on 38.84.134.171 shows three suspect domains with a similar naming pattern:

aaqaaq.eu
asasas.eu
ooaooa.eu

We can also check the IP's reputation at VirusTotal, and it doesn't look great. However, if we extend the search to neighbouring servers, we can see a similar pattern of domains all the way from 38.84.134.162 to 38.84.134.171.


ioooiiio.eu 38.84.134.162
oieaa.com 38.84.134.162
dcfvfr.com 38.84.134.162
eiieei.com 38.84.134.162
ijueee.com 38.84.134.162
aoooaooa.com 38.84.134.162
acccaacccaaaa.pw 38.84.134.163
aaeeaae.com 38.84.134.163
ooioooii.com 38.84.134.163
azzaaazz.pw 38.84.134.164
axxaaaxxx.pw 38.84.134.164
aaooaaoaoaaa.pw 38.84.134.164
advantagefilm.pw 38.84.134.164
gthyuuuy.com 38.84.134.164
kujeikdkd.com 38.84.134.164
mijkuiiid.com 38.84.134.164
rfttyhuui.com 38.84.134.164
uyueueuee.com 38.84.134.164
oooiiiio.us 38.84.134.165
iiiiiiioooooooooo.us 38.84.134.165
hyujuuy.com 38.84.134.165
hyujyttr.com 38.84.134.165
nefdefeettyt.com 38.84.134.165
gthuueeed.us 38.84.134.166
eeeeaeeeea.us 38.84.134.166
aaeeeaaaeee.us 38.84.134.166
gtyuyyuuj.com 38.84.134.166
eedeeeedddd.eu 38.84.134.167
iyiiyyyiiiyy.eu 38.84.134.167
uoooouuuoo.pw 38.84.134.167
efefefeeeeee.pw 38.84.134.167
eaeaaaaaaeeeeee.pw 38.84.134.167
aaaaaaooooo.us 38.84.134.167
ioiiio.eu 38.84.134.168
aeaaeee.eu 38.84.134.168
aoaoooao.eu 38.84.134.168
oiioooiiii.pw 38.84.134.168
iaiaiaiaia.eu 38.84.134.169
axxazazaza.eu 38.84.134.170
jjjjajjiiiooo.eu 38.84.134.170
aaqaaq.eu 38.84.134.171
asasas.eu 38.84.134.171
ooaooa.eu 38.84.134.171

Older domains seem to use lower IP addresses. The pattern seems to be that domains are hosted in the range for a short time, then they are parked on what appear to be Namecheap parking IPs. Once the reputation of the IP is tarnished, the domains move on to the next IP address.

The IPs in question roughly correspond to 38.84.134.160/28, but looking at the sites hosted in that range there is a gap of unused IPs all the way to 38.84.134.196.
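To show how the observations above can be turned into something repeatable, here is an added Python example (not code from the original post) that takes the domain/IP pairs from the reverse DNS survey, groups them by IP, flags the keyboard-mash naming pattern with a simple character-diversity heuristic, and computes the smallest single prefix that covers the IPs seen (which is where the 38.84.134.160/28 figure comes from). The embedded pairs are a subset copied from the list above; the diversity threshold of four distinct characters is an assumption for this example and would need tuning on real data.

```python
import ipaddress
from collections import defaultdict

# Domain/IP pairs copied from the post's reverse DNS survey (a subset is enough
# to demonstrate the technique).
OBSERVED = """\
ioooiiio.eu 38.84.134.162
dcfvfr.com 38.84.134.162
aoooaooa.com 38.84.134.162
acccaacccaaaa.pw 38.84.134.163
advantagefilm.pw 38.84.134.164
gthyuuuy.com 38.84.134.164
iiiiiiioooooooooo.us 38.84.134.165
eeeeaeeeea.us 38.84.134.166
aaaaaaooooo.us 38.84.134.167
iaiaiaiaia.eu 38.84.134.169
aaqaaq.eu 38.84.134.171
asasas.eu 38.84.134.171
"""


def parse_pairs(text: str) -> list:
    """Turn 'domain ip' lines into (domain, ip) tuples, skipping blanks."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def low_diversity(domain: str, max_distinct: int = 4) -> bool:
    """Heuristic for the naming pattern seen in the range: the first label is
    built from very few distinct characters ('aaqaaq', 'ioooiiio').
    The threshold is an assumption for this example."""
    label = domain.split(".")[0]
    return len(set(label)) <= max_distinct


def group_by_ip(pairs: list) -> dict:
    """Map each IP to the domains observed on it, preserving input order."""
    groups = defaultdict(list)
    for domain, ip in pairs:
        groups[ip].append(domain)
    return dict(groups)


def smallest_covering_prefix(ips: list) -> ipaddress.IPv4Network:
    """Smallest single CIDR containing every IP: start from the lowest address
    as a /32 and widen the prefix until the highest address falls inside."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    net = ipaddress.ip_network(addrs[0])
    while addrs[-1] not in net:
        net = net.supernet()
    return net


def report(text: str) -> dict:
    """Summarise a survey: flagged domains, per-IP groups and covering prefix."""
    pairs = parse_pairs(text)
    return {
        "flagged": [d for d, _ in pairs if low_diversity(d)],
        "by_ip": group_by_ip(pairs),
        "prefix": str(smallest_covering_prefix([ip for _, ip in pairs])),
    }


if __name__ == "__main__":
    summary = report(OBSERVED)
    print("covering prefix:", summary["prefix"])
    for ip, domains in summary["by_ip"].items():
        print(ip, ", ".join(domains))
    print("flagged:", ", ".join(summary["flagged"]))
```

The heuristic deliberately leaves names such as advantagefilm.pw and dcfvfr.com unflagged; the post's point is that the hosting pattern and registrant overlap, not the names alone, are what tie the range together.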

Where these domains have identifiable WHOIS details, they conform to variants of the "Bernardo Mines" persona, for example, acccaacccaaaa.pw:

Registrant ID:SVXABVV3KWVMGEKW
Registrant Name:Bernardo Mines
Registrant Organization:La Sagrada
Registrant Street1:Carrer de Mallorca, 401
Registrant City:Barcelona
Registrant State/Province:non
Registrant Postal Code:08013
Registrant Country:ES
Registrant Phone:+34.932073031
Registrant Fax:+1.5555555555
Registrant Email:ilokios@gmail.com


But we know that "Bernardo Mines" also operates other IPs in this range, including techno6.com on 38.84.134.47, and a further examination of sites in the range shows aws-wireless.com on 38.84.134.14, which is registered to:

Registry Registrant ID:
Registrant Name: FILIPPOVSKIY ALEKSANDR
Registrant Organization: DOM
Registrant Street: YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106
Registrant Street: KVARTIRA 106
Registrant City: YOSHKAR OLA
Registrant State/Province: YOSHKAR OLA
Registrant Postal Code: 42400
Registrant Country: RU
Registrant Phone: +7.79276827596
Registrant Phone Ext:
Registrant Fax: +7.79276827596
Registrant Fax Ext:
Registrant Email: AWSWIRELESS@MAIL.COM


So we have Filippovskiy Aleksandr again.

A look at all the hosts I can find in this range [csv] shows nothing of value, just a load of cybersquatting and spam sites. On balance, I think that blocking the entire 38.84.134.0/24 range may be prudent, even if it is hard to tell exactly what is going on here.
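The WHOIS pivoting done throughout this post (linking click-and-trip.com to asasas.eu via the shared email address, and to the .pw domains via the shared phone number and street) is easy to make systematic. As an added example that is not part of the original post, the Python below clusters registrant records that share any non-empty selector value, using the WHOIS fields quoted above. The filler fax number +1.5555555555 is deliberately excluded as a selector because it would tie unrelated registrants together; the choice of pivot fields is an assumption for this example.

```python
from collections import defaultdict

# WHOIS fields quoted from the post. The historical and current records for
# click-and-trip.com are kept as separate entries.
RECORDS = [
    {"domain": "click-and-trip.com", "email": "HANSBRUSE@YAHOO.COM",
     "phone": "+34.932073031", "fax": "+1.5555555555",
     "street": "CARRER DE MALLORCA, 401"},
    {"domain": "click-and-trip.com (Jan 2014)", "email": "GEFEST@ZMAIL.RU",
     "phone": "+34.932073031", "fax": "+1.5555555555",
     "street": "CARRER DE MALLORCA, 401"},
    {"domain": "asasas.eu", "email": "hansbruse@yahoo.com",
     "phone": "+49.382037295", "fax": "", "street": "Am Forsthaus 9"},
    {"domain": "acccaacccaaaa.pw", "email": "ilokios@gmail.com",
     "phone": "+34.932073031", "fax": "+1.5555555555",
     "street": "Carrer de Mallorca, 401"},
    {"domain": "aws-wireless.com", "email": "AWSWIRELESS@MAIL.COM",
     "phone": "+7.79276827596", "fax": "+7.79276827596",
     "street": "YLICA BAYMANA. DOM 9.KORPYS A. KVARTIRA 106"},
]

# Selectors worth pivoting on. Fax is excluded because the records use an
# obvious filler value (+1.5555555555) that would link unrelated registrants.
PIVOT_FIELDS = ("email", "phone", "street")


def normalise(value: str) -> str:
    """Case-fold and collapse whitespace so 'CARRER DE MALLORCA, 401' and
    'Carrer de Mallorca, 401' compare equal."""
    return " ".join(value.lower().split())


def build_clusters(records: list, fields: tuple = PIVOT_FIELDS):
    """Union-find over domains: two records join one cluster when they share
    a non-empty value in any pivot field. Returns (clusters, links), where
    links records which field/value produced each join."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    seen = defaultdict(list)  # (field, value) -> domains carrying it
    for r in records:
        for f in fields:
            v = normalise(r.get(f, ""))
            if v:
                seen[(f, v)].append(r["domain"])

    links = []
    for (f, v), domains in seen.items():
        for d in domains[1:]:
            union(domains[0], d)
            links.append((f, v, domains[0], d))

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    ordered = sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)
    return ordered, links


if __name__ == "__main__":
    clusters, links = build_clusters(RECORDS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for f, v, a, b in links:
        print(f"  {a} <-> {b} via {f}={v}")
```

Run as written, the "Bernardo Mines"/"Hans Bruse" records collapse into one cluster while aws-wireless.com stays separate: the Filippovskiy link in the post came from a search on the historical gefest@zmail.ru address, not from a selector shared inside these records, which is a useful reminder that selector pivots only find what the registrant reused.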