Is there anything in Ukraine except cyber crime?

On the Kaspersky SecureList blog there’s an interesting post about recent developments for the SpyEye malware. The blogger explains how SpyEye supports a nice plugin architecture and how he examined an interesting new plugin that downloads a flash plugin for certain banking sites which can then switch on the victim’s webcam and stream the data back to the crooks.

So while this is clever, what has it got to do with ThreatSTOP or with the title of this post – the cyber crime in Ukraine? Well, the answer is fairly simple. It seems that the malicious flash plugin is downloaded from the “statistiktop.com” domain, which currently resolves to 91.206.200.17 and previously resolved to 91.206.200.79, both of which are IP addresses owned by a Ukrainian hosting provider. While said hosting provider is not the worst in our list, its 512 IP addresses do contain a number of recent hits, and the entire range has been blocked by us via the “Russian Business Network” feed for at least a year.

In practical terms this means that anyone who uses ThreatSTOP would not have been infected by this malicious plugin (and of course it is likely that any call home from it would have been blocked by our SpyEye feed) but while that’s clearly a good thing, it isn’t the thrust of this post.

The point of this post is that, while the attack vectors get smarter using, for example, flash plugins to control a webcam, and they use endless multitudes of domain names as part of their business, the criminals keep on using the same limited numbers of “safe houses” and “fences” – or rather their cyber equivalent, bullet proof hosting companies and compromised servers – to transmit their malware and get the data back.

Many of the places the cyber criminals reuse a lot are in Eastern Europe. If you take a look at the current threat status part of our home page you’ll see that Ukraine is the ‘Worst Large Country’, with about 6% of the 12 million or so IP addresses assigned to it being on our lists. This is not a one-time thing. The percentage of bad IP addresses has gradually crept up, but Ukraine has been our “worst large country” during the entire time we have run this particular report. Apart from a brief period where the Penguins of Antarctica were our worst small country, that “honor” has almost always gone to one of Haiti, Latvia or the Seychelles. Interestingly, Latvia, while still bad, only has 5.9% of its 1.6 million IP addresses on our lists, which is a significant improvement and now better than Ukraine.

Fundamentally though, if you don’t do business with countries like Ukraine, you can protect yourself from a lot of malware by simply blocking traffic to/from those countries at the firewall. We created our “Eastern Europe” list precisely because we recognized that this was a useful thing to do. And really when more than 1 in 20 of the IP addresses in a country are suspicious it just makes sense to err on the side of caution.

ThreatSTOP Blocks Android Malware Drive-By

The Lookout Mobile Security blog posted a story about some new Android based malware that seems to be set up as a fake driver update. This drive-by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware): if an Android phone visits the infected website it is redirected a couple of times before ending up at a place where it tries to download a new “update” that users are tricked into installing.

It turns out that the domain hosting the malware is “androidonlinefix.info” and that has usually resolved to the IP addresses 109.236.86.172 and 217.23.10.40. The good news for ThreatSTOP subscribers is that anyone using their smartphone to browse the internet from behind a ThreatSTOP protected firewall would not be infected because we already knew about and blocked those IP addresses. In fact we’ve been blocking them for over a year because they have been used by many different criminals for many different scams as they are a part of the “Russian Business Network”.

This isn’t the only link to the RBN: the initial domain – gaoanalitics.info – is hosted by a Ukrainian ISP that also hosts 17 other IP addresses associated with the RBN, as well as a number of other malicious entities, indicating that it is probably a “bulletproof” hosting facility used by all sorts of criminals.

PS Talking of the “Russian Business Network”, we have an interesting video from their President of Vice Business Development.

ThreatSTOP blocks new Microsoft Ransomware

This morning I saw various reports of a new type of ransomware, masquerading as a fake Microsoft warning that your copy of Windows is invalid. I had a quick check and was unsurprised to note that ThreatSTOP subscribers were already protected.

Although, to be honest, when I say we block it, what we stop is you being tempted to pay €100 and probably having your credit card details nicked in the process. We may also stop machines from getting infected, but that is less certain as there are various infection paths. However, we are sure that we block the website where you have to pay – http://www.buylicens.com. This domain resolves to the IP address 91.217.153.15, which is in the Ukraine and also in a couple of our feeds – Spamhaus and the Russian Business Network. Hence users who block Eastern Europe or the Ukraine specifically, or who use our Advanced block list, would be protected.

SonicWALL IP Reputation Fail

Since ThreatSTOP is an IP reputation company, we naturally have a Google News feed on the topic of ‘IP reputation’. Today, for some reason, it provided a link to the IP reputation page of the firewall vendor SonicWALL. Naturally I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the “worst of the web”:

The Worst IP Addresses for 4 Aug 2011

The first of these addresses (49.212.100.60 from Japan) has been on our page for a few days now so I thought it would be likely to be listed by SonicWALL.

SonicWALL's IP reputation for 49.212.100.60

Just for reference, here is a screenshot of the ThreatSTOP opinion of this address, which lists 5 currently active entries in feeds plus one past entry:

The real IP reputation of 49.212.100.60

However, all the feeds are basically server side ones, so it occurred to me that perhaps SonicWALL is biased to client side threats like malware droppers, trojans and bots.

Well, I tried the next entry (209.85.51.152 – USA) and SonicWALL was still oblivious to any threat from it:

Meanwhile, when I entered that address into our database I got even more hits:

As you can see this one is much more of a threat to regular users. It’s listed in the BLADE malware dropper list, a phishing list and two botnet C&C lists amongst others. So the hypothesis that SonicWALL’s IP reputation is user centric seems to be untrue also.

Just for completeness I queried the two South Korean entries (112.175.243.22 and 112.175.243.24) in the SonicWALL IP reputation engine with similar results:

Needless to say, here at ThreatSTOP we know rather more about both, and in fact the latter address (112.175.243.24) has been on a total of 8 different lists since the middle of May, which is quite impressive and puts it in the running for the IP reputation award for “most depraved newcomer 2011”.

Just for fairness I plugged the 4 addresses into McAfee’s TrustedSource, which doesn’t share data with us, and all four were reported as bad.

All in all, it has to be said that SonicWALL’s IP reputation service seems to be rather less than efficacious. In fact it rather reminds me of 3 famous monkeys that are in the same country as the first IP address.

Mizaru kikazaru iwazaru

This isn’t exactly the attitude I’d want for an IP reputation service.

Don’t let your computers talk to countries they aren’t allowed to

Many organizations are subject to government regulations such as ITAR or OFAC that prohibit any dealings with certain foreign nations. Many others have countries that they will not do business with for reasons of corporate policy – because of rampant piracy or fraud, for example. However, on the Internet it isn’t always obvious where another computer is located, at least not from the domain name it reports or the contact address a user fills in. This means that, wittingly or unwittingly, computers in any organization may be connecting with other computers in locations that they are legally forbidden to have any communication with.

ThreatSTOP has always had the ability to block countries – but we have not extended the capability beyond two countries (Russia and China) before today. As of today we have created 5 new combination lists for our standard mode subscribers and a list of some 30 or so countries for our expert mode subscribers. This extension of the geographic block capability now allows our subscribers to do far more than just block China, they can now block based on specific sanctions regimes such as ITAR or OFAC and we have also added a specific Eastern Europe list that blocks countries that are currently major sources of malware. This list – currently Russia, Ukraine, Romania, Moldova and Latvia – is a list of countries that consistently provide far more than their ‘fair share’ of malware because they offer lax enforcement which in turn means they are able to provide bullet-proof hosting and other related facilities for criminals.

If (when?) countries make a clear effort to clean up their ISPs and hosting providers then they will be removed from the list; likewise other countries may be added if they are seen to be worth adding. Of the 5 listed, Ukraine and Latvia vie for the “prize” of being the worst country for malware that has more than a handful of IP addresses. Our lists have blocked roughly 5% of Ukraine’s total IP addresses ever since we started tracking countries, and about 6% of the (much smaller) address space of Latvia. The other 3 – while far less bad proportionally – are also highly significant sources of malware.

The ITAR and OFAC lists of countries are less complex. These are countries that certain organizations are legally forbidden contact with and hence should not let their computers communicate with. The advantage of using the ThreatSTOP lists is that we will keep track not just of changes in IP address allocation but also of the state of the laws, so that as countries are added to and removed from the various lists, the block lists will change accordingly.

ITAR: Afghanistan, Belarus, Burma (Myanmar), China, Cote d’Ivoire, Cuba, Cyprus, Congo (Dem Rep), Eritrea, Haiti, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Sierra Leone, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Yemen and Zimbabwe

OFAC Embargo – Cuba, Iran, Syria

OFAC Sanction – Libya, Sudan, North Korea, Myanmar (Burma), Liberia, Iraq, Zimbabwe, Serbia, and the Cote D’Ivoire

Finally there is the Modified ITAR list – this is a list of countries that are generally suspected of industrial espionage and potentially other acts against US interests. Many are on the ITAR and OFAC lists but not all, and the list does not include some countries that are on those lists. Currently this list contains: China, Brazil, Russia, India, Korea (both), Vietnam, Ukraine, Cuba, Czech Republic, Estonia, Georgia, Iran, Latvia, Lithuania, Moldova, Romania, Pakistan, Serbia, Somalia, Venezuela and Yemen.

It is worth repeating that neither the Eastern Europe nor the Modified ITAR lists are based on a legal requirement. They are, however, considered to be useful as a shorthand for protecting against certain sorts of attack. If you are a technology company worried about industrial espionage then the Modified ITAR list is probably of great interest, and anyone who has no particular reason to do business with Eastern Europe will find it useful to block the attentions of the criminals there that operate botnets using ZeuS and related trojans. With the growth of ACH fraud and the current state of US case law, failure to protect against these trojans is a great way to see your organization bankrupted.

ThreatSTOP Blocking New Facebook Malware

There is some nasty Facebook spread malware going around at the moment. F-Secure states that the malware infects users in the US and UK and applies to both Mac and PC users.

According to F-Secure’s report (linked above) the malware is downloaded (after the usual series of redirects) from newtubes.in. This domain resolves to the address 77.79.11.91 (the name servers for the domain are at 77.79.11.91 itself and 95.215.140.242). I’m pleased, but unsurprised, to note that both these IP addresses are already blocked by ThreatSTOP, as they are in the RBN feed and have been for at least a month.

It is worth noting that a number of domains also point to this IP address – various subdomains of newtubes.in as well as subdomains of finetube.in and goldtube.in and the single domain http://www.getmonclerjackets.com. I’m pretty sure that all of them are malware droppers, so this is a good illustration that blocking the IP address is more efficient than dropping the DNS name lookups one by one.

Collateral Damage and IP Reputation

All IP reputation systems (and related filtering too, for that matter) will tend to group similar things together under the assumption that if a number of them are definitely bad the rest probably are too. This isn’t perfect, but it generally works, as long as the system pays careful attention to corner cases to exclude any false positives.

Over the last couple of days there have been a couple of examples of this – one good, one bad. The bad one is a false positive that occurred on the Russian Business Network feed in which a perfectly harmless company was swept up in the suspicion that it was as bad as its neighbors. The problem in this case was that a quick look showed that it had some features similar to a malware site (multiple subdomains and sub-subdomains on the same host) and was in the same /24 subnet as a number of hosts that were indeed malware sites. Hence the RBN researchers decided to add the entire /24 subnet to their list.

In this case the benefit that ThreatSTOP provides of proactive whitelisting meant that when one of our customers complained, we could quickly add the affected hosts to our whitelist so that they were no longer blocked for our subscribers. And, subject to periodic checks to confirm their goodness, they will remain that way, so that if other analysts also decide to block the same /24 we will continue to carve out their addresses.
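How that carve-out works in rule terms, as an added example (not ThreatSTOP’s own code): a feed lists a whole /24, two hosts inside it are whitelisted, and the result is the minimal set of CIDRs that still blocks everything else. All addresses are from documentation ranges and the feed and whitelist entries are constructed for the illustration.

```python
import ipaddress

# Constructed sample (not ThreatSTOP's real feed data), using documentation
# ranges: one feed lists a whole /24 and half of another, a second feed
# overlaps the /24, and two hosts inside the /24 belong to a harmless
# customer who has been whitelisted.
FEED_ENTRIES = ["192.0.2.0/24", "198.51.100.0/25", "192.0.2.128/26"]
WHITELIST = ["192.0.2.10", "192.0.2.11", "203.0.113.5"]  # .5 is in no feed entry


def carve_out(feed_entries, whitelist):
    """Return the smallest set of CIDRs that still blocks every address the
    feeds listed except the whitelisted ones. Feed entries are collapsed
    first so overlapping feeds do not yield duplicate rules."""
    blocked = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e) for e in feed_entries))
    for good in (ipaddress.ip_network(w) for w in whitelist):
        kept = []
        for net in blocked:
            if net.subnet_of(good):
                continue                                 # whole block is whitelisted
            if good.subnet_of(net):
                kept.extend(net.address_exclude(good))   # split the block around it
            else:
                kept.append(net)                         # disjoint: keep as-is
        blocked = kept
    return sorted(ipaddress.collapse_addresses(blocked))


def is_blocked(addr, blocks):
    """True if addr falls inside any of the carved-out block rules."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in blocks)


def blocked_address_count(blocks):
    """How many addresses the rule set still blocks."""
    return sum(net.num_addresses for net in blocks)


if __name__ == "__main__":
    rules = carve_out(FEED_ENTRIES, WHITELIST)
    for net in rules:
        print(net)
    print(len(rules), "rules cover", blocked_address_count(rules), "addresses")
```

Note the cost: carving two hosts out of one /24 turns a single rule into seven, so a long whitelist inflates the rule set a firewall has to evaluate.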

The other example is a minor issue that befell Sony Thailand. As if Sony didn’t have enough to worry about, it seems that one of Sony Thailand’s servers was infiltrated with malware and became a phishing site masquerading as an Italian bank. Now the interesting thing here (from an IP reputation standpoint) is that while http://www.sony.co.th and many other Sony domains are hosted on Akamai’s global network, the host in question (hdworld.sony.co.th) turns out to be hosted by a Thai ISP at 203.151.233.98. A quick check on the ISC’s passive DNS database shows that this address is used by a number of Sony and non-Sony related sites as well:

3d.sony.co.th.    A    203.151.233.98
bloggie.sony.co.th.    A    203.151.233.98
bpex2009.sony.co.th.    A    203.151.233.98
bravia.sony.co.th.    A    203.151.233.98
dexdev.com.    A    203.151.233.98
diwmap.zg-zing.com.    A    203.151.233.98
dslr.sony.co.th.    A    203.151.233.98
feelmorepower.com.    A    203.151.233.98
handycam.sony.co.th.    A    203.151.233.98
hdworld.sony.co.th.    A    203.151.233.98
icrecorder.sony.co.th.    A    203.151.233.98
mail.nabaan.com.    A    203.151.233.98
ns3.readyspaces.net.    A    203.151.233.98
ns4.readyspaces.net.    A    203.151.233.98
salt.sony.co.th.    A    203.151.233.98
sframe.sony.co.th.    A    203.151.233.98
vaio.sony.co.th.    A    203.151.233.98
walkman.sony.co.th.    A    203.151.233.98
www.dexdev.com.    A    203.151.233.98
www.nabaan.com.    A    203.151.233.98
www.pantenestarsearch.com.    A    203.151.233.98
www.zg-zing.com.    A    203.151.233.98
youngcreative.sony.co.th.    A    203.151.233.98

I strongly suspect that in this case proximity led to the infection. That is to say, one of the other virtual hosts on the same server was compromised and then the attackers infected some or all of the other vhosts, including in this case one of Sony’s. Ooops. And a great example of why IP reputation works: it really is likely that infections and malware spread to otherwise innocent bystanders.

The Worst AS in the world

In an email discussion over the weekend (which was based in part on this post by Brian Krebs) about the distributors of malware it was noted that much of it came from one particular AS – AS49469 Sa Nova Telecom Grup SRL. As is usually the case when I get this kind of email I take a look at our database to see what we know about the subject. In this case I discovered that AS49469 is one of the 64 ASes whose IP address ranges are completely covered by one or more of our blocklists.

This is an interesting group to be in, and I may do some more analysis of it over time, but for today I think I will just note that AS49469 is arguably only the third-worst AS of the lot, because it has a very small number of associated IPs (2816) yet manages to rack up a total of 62 entries across 7 different feeds in our database, broken down as follows:

DSHIELD Top 4000: 2 entries
Spamhaus Don’t Route or Peer: 9 entries
Parasites, Hijackers and Spyware Domains: 9 entries
ZeuS Blocklist: 6 entries
Autoshun Block List: 2 entries
Malware Domain List: 27 entries
Russian Business Network: 7 entries

That’s an impressive achievement (in a bad way), but it doesn’t quite make it the winner. The broadest range of hits goes to a very small AS – AS48709 XISOFT SRL, which manages to notch up 22 separate reports in 8 lists for just 512 addresses.

DSHIELD Top 4000: 1 entry
Spamhaus Don’t Route or Peer: 1 entry
Parasites, Hijackers and Spyware Domains: 1 entry
Autoshun Block List: 6 entries
SpyEye Blocklist: 4 entries
Malware Domain List: 6 entries
Russian Business Network: 2 entries
AMaDa C&C IP Blocklist: 1 entry

In the interests of completeness, the ‘silver medal’ position goes to AS51699 Antarktida-Plus LLC, which has a mere 256 addresses and also manages to notch up 8 separate lists, but with half the number of total hits (11):

DSHIELD Top 4000: 1 entry
Spamhaus Don’t Route or Peer: 1 entry
ZeuS Blocklist: 1 entry
Autoshun Block List: 1 entry
SpyEye Blocklist: 2 entries
Malware Domain List: 3 entries
Russian Business Network: 1 entry
VOIP Abuse Blocklist: 1 entry

I suppose one could argue that since AS49469 is bigger it is worse than the other two, and perhaps it will manage to notch up a few more hits in the next few days and overtake them, but for right now we’ll leave it as #3. Not that it really matters as far as the rest of the world is concerned: no computer anywhere should ever communicate with any of the IP addresses of these 3 ASes.

Russian Business Network Penguins

As those who visit our home page may have noticed we have a section where we note the countries with the worst IP reputation. We divide it up between big countries and small ones and determine the relative badness by calculating the proportion of the country’s reported IP addresses that are bad.

Ukraine has been consistently the number one large country ever since we started analyzing it, with about 5%, or 1 in 20, of its IP addresses bad. However, the number one small country tends to vary considerably – we’ve had Haiti, at least one of the Pacific island nations and just recently we’ve got the almost totally unpopulated continent of Antarctica.

Naughty Penguins

This caused a certain amount of amusement inside and outside the company (thanks Paul C for the image) and I thought it might be interesting to find out what exactly the Penguins have been doing and how much.

Well, it turns out to be fairly straightforward (although there is a slight bug in our calculation scheme, as I had not anticipated country IP blocks of less than a /24). According to our Maxmind GeoIP database there are 4857 IP addresses in Antarctica, in various dribs and drabs of mostly AS34109 but also a couple of other ASes. Unfortunately AS34109 appears to be heavily infested with the Russian Business Network, and four /24s that happen to include the Antarctic addresses, plus two other unique IP addresses that Maxmind puts in Antarctica, are a part of the RBN. 1026/4857 gets you 21%, which is indeed by far the highest ratio of bad IP addresses to total IP addresses in our list.

So are the penguins really a part of the RBN? Almost certainly not. Neither are the penguin researchers or any of the other inhabitants of Antarctica. Almost certainly the addresses inside AS34109 that used to be used for Antarctic research stations have now been reassigned to something else (AS34109 is the Dutch ISP CB3ROB, which appears to have nothing to do with Antarctica).

For those that may be interested, the 4 ‘Antarctic’ /24s that are in the RBN are 84.22.98.0/24, 84.22.112.0/24, 84.22.122.0/24 and 84.22.125.0/24, and the two individual nodes are 84.22.106.30 and 84.22.106.50.
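The country ratio described above, and the sub-/24 pitfall it mentions, as an added example (not ThreatSTOP’s calculation code): an exact count by range intersection beside a /24-granularity count that overshoots once a country holds less than a whole /24. The RBN /24s and two nodes are the ones named in the post; the country ranges placed inside them are constructed, and the resulting numbers are not the 1026/4857 figures from the post.

```python
import ipaddress

# Constructed sample (not Maxmind's or ThreatSTOP's real records): the four RBN
# /24s and two single nodes are those named in the post; the country ranges
# inside them are invented to show blocks smaller than a /24, and 192.0.2.0/24
# (TEST-NET-1) stands in for the country's clean address space.
RBN_BLOCKLIST = [
    "84.22.98.0/24", "84.22.112.0/24", "84.22.122.0/24", "84.22.125.0/24",
    "84.22.106.30/32", "84.22.106.50/32",
    "84.22.125.128/25",  # a second feed overlapping a /24 above: must count once
]
COUNTRY_RANGES = [  # GeoIP-style (first, last) assignments for the country
    ("84.22.98.0", "84.22.98.255"),    # whole /24: 256 addresses
    ("84.22.112.0", "84.22.112.127"),  # half a /24: 128
    ("84.22.122.64", "84.22.122.95"),  # a /27: 32
    ("84.22.125.0", "84.22.125.255"),  # whole /24: 256
    ("84.22.106.30", "84.22.106.30"),  # single host
    ("84.22.106.50", "84.22.106.50"),  # single host
    ("192.0.2.0", "192.0.2.255"),      # clean /24, no feed hits
]

def country_networks(ranges):
    """Convert (first, last) ranges into CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def collapsed_blocklist(entries):
    """Merge overlapping feed entries so no address is counted twice."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e) for e in entries))

def exact_bad_count(country, blocklist):
    """Exact overlap: two CIDRs are nested or disjoint, so the overlap is
    whichever one lies inside the other."""
    bad = 0
    for c in country:
        for b in blocklist:
            if c.subnet_of(b):
                bad += c.num_addresses
            elif b.subnet_of(c):
                bad += b.num_addresses
    return bad

def slash24s(net):
    """The set of /24s a network touches."""
    if net.prefixlen >= 24:
        return {net.supernet(new_prefix=24)}
    return set(net.subnets(new_prefix=24))

def naive_bad_count(country, blocklist):
    """/24-granularity approximation: every /24 a listed entry touches is
    charged to the country as 256 bad addresses. It overshoots as soon as
    the country holds less than a full /24 inside that block."""
    bad24 = set().union(*(slash24s(b) for b in blocklist))
    country24 = set().union(*(slash24s(c) for c in country))
    return 256 * len(bad24 & country24)

def bad_ratio(ranges, entries):
    """Country total, exact and naive bad counts, and the exact ratio."""
    country, blocklist = country_networks(ranges), collapsed_blocklist(entries)
    total = sum(c.num_addresses for c in country)
    exact = exact_bad_count(country, blocklist)
    return {"total": total, "exact": exact, "ratio": exact / total,
            "naive": naive_bad_count(country, blocklist)}
```

On this sample the naive count exceeds the country’s entire address space, which is exactly the kind of result a ratio above 100% would flag.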
