Tag Archives: russian business network

Is there anything in Ukraine except cyber crime?

On the Kaspersky SecureList blog there’s an interesting post about recent developments for the SpyEye malware. The blogger explains how SpyEye supports a nice plugin architecture and how he examined an interesting new plugin that downloads a flash plugin for certain banking sites which can then switch on the victim’s webcam and stream the data back to the crooks.

So while this is clever, what has it got to do with ThreatSTOP or with the title of this post – the cyber crime in Ukraine? Well the answer is fairly simple. It seems that the malicious flash plugin is downloaded from the “statistiktop.com” domain which currently resolves to and previously resolved to, both of which are IP addresses owned by a Ukrainian hosting provider. While said hosting provider is not the worst in our list, its 512 IP addresses do contain a number of recent hits, and the entire range has been blocked by us via the “Russian Business Network” feed for at least a year.

In practical terms this means that anyone who uses ThreatSTOP would not have been infected by this malicious plugin (and of course it is likely that any call home from it would have been blocked by our SpyEye feed) but while that’s clearly a good thing, it isn’t the thrust of this post.

The point of this post is that, while the attack vectors get smarter using, for example, flash plugins to control a webcam, and they use endless multitudes of domain names as part of their business, the criminals keep on using the same limited numbers of “safe houses” and “fences” – or rather their cyber equivalent, bullet proof hosting companies and compromised servers – to transmit their malware and get the data back.

Many of the places the cyber criminals reuse a lot are in Eastern Europe. If you take a look at the current threat status part of our home page you’ll see that Ukraine is the ‘Worst Large Country’ with about 6% of the 12 million or so IP addresses assigned to it being on our lists. This is not a one time thing. The percentage of bad IP addresses has gradually crept up, but Ukraine has been our “worst large country” during the entire time we have run this particular report. Apart from a brief period where the Penguins of Antarctica were our worst small country, that “honor” has almost always gone to one of Haiti, Latvia or the Seychelles. Interestingly Latvia, while still bad, only has 5.9% of its 1.6 million IP addresses on our lists, which is a significant improvement and now better than Ukraine.

Fundamentally though, if you don’t do business with countries like Ukraine, you can protect yourself from a lot of malware by simply blocking traffic to/from those countries at the firewall. We created our “Eastern Europe” list precisely because we recognized that this was a useful thing to do. And really when more than 1 in 20 of the IP addresses in a country are suspicious it just makes sense to err on the side of caution.

ThreatSTOP Blocks Android Malware Drive-By

The Lookout Mobile Security blog posted a story about some new Android based malware that seems to be set up as a fake driver update. This drive by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware) in that if an Android phone visits the infected website it is redirected a couple of times before ending up at a place where it tries to download a new “update” that users are tricked into installing.

It turns out that the domain hosting the malware is “androidonlinefix.info” and that has usually resolved to the IP addresses and The good news for ThreatSTOP subscribers is that anyone using their smartphone to browse the internet from behind a ThreatSTOP protected firewall would not be infected because we already knew about and blocked those IP addresses. In fact we’ve been blocking them for over a year because they have been used by many different criminals for many different scams as they are a part of the “Russian Business Network”.

This isn’t the only link to the RBN, the initial domain – gaoanalitics.info – is hosted by a Ukrainian ISP that also hosts 17 other IP addresses associated with the RBN, as well as a number of other malicious entities, indicating that it is probably a “bulletproof” hosting facility used by all sorts of criminals.

PS Talking of the “Russian Business Network”, we have an interesting video from their President of Vice Business Development.

ThreatSTOP blocks new Microsoft Ransomware

This morning I saw various reports of a new type of Ransomware, masquerading as a fake Microsoft warning that your copy of Windows is invalid. I had a quick check and was unsurprised to note that ThreatSTOP subscribers were already protected.

Although to be honest, when I say we block it, we stop you being tempted to pay €100 and probably having your credit card details nicked in the process. We may also stop machines from getting infected, but that is less certain as there are various infection paths. However we are sure that we block the website where you have to pay – http://www.buylicens.com. This domain resolves to the IP address which is in the Ukraine and also in a couple of our feeds – Spamhaus and the Russian Business Network. Hence users who either blocked Eastern Europe, the Ukraine specifically or use our Advanced block list would be protected.

SonicWALL IP Reputation Fail

Since ThreatSTOP is an IP Reputation company, we naturally have a Google News feed on the topic of ‘IP reputation’. Today, for some reason, it provided a link to the IP reputation page of the firewall vendor SonicWALL. Naturally I had to test the page out to see how well it did. I picked the 4 addresses currently listed on our home page as being the “worst of the web”:

The Worst IP Addresses for 4 Aug 2011


The first of these addresses ( from Japan) has been on our page for a few days now so I thought it would be likely to be listed by SonicWALL.

SonicWALL's IP reputation for

For reference, here is a screenshot of the ThreatSTOP opinion of this address, which lists 5 currently active entries in feeds plus one past entry:

The real IP reputation of

All the feeds are basically server side ones, so it occurred to me that perhaps SonicWALL is biased to client side threats like malware droppers, trojans and bots.

Well I tried the next entry ( – USA) and SonicWALL was still oblivious to any threat from it:

while when I entered that address into our database I got even more hits:

As you can see this one is much more of a threat to regular users. It’s listed in the BLADE malware dropper list, a phishing list and two botnet C&C lists amongst others. So the hypothesis that SonicWALL’s IP reputation is user centric seems to be untrue also.

Just for completeness I queried the two South Korean entries ( and in the SonicWALL IP reputation engine with similar results:

Needless to say, here at ThreatSTOP we know rather more about both, and in fact the latter address ( has been on a total of 8 different lists since the middle of May, which is quite impressive and puts it in the running for the IP reputation award for “most depraved newcomer 2011”.

Just for fairness I plugged the 4 addresses into McAfee’s TrustedSource, which doesn’t share data with us, and all four were reported as bad.

All in all it has to be said that SonicWALL’s IP reputation service seems to be rather less than efficacious. In fact it rather reminds me of 3 famous monkeys that are in the same country as the first IP address.

Mizaru, kikazaru, iwazaru

This isn’t exactly the attitude I’d want for an IP reputation service.

Don’t let your computers talk to countries they aren’t allowed to

Many organizations are subject to government regulations such as ITAR or OFAC that prohibit any dealings with certain foreign nations. Many others have countries that they will not do business with for reasons of corporate policy – because of rampant piracy or fraud for example. However with the Internet it isn’t always obvious where another computer is located. At least not from the domain name it reports or the place a user fills in as contact address. This means that, wittingly or unwittingly, computers in any organization may be connecting with other computers in locations that they are legally forbidden to have any communication with.

ThreatSTOP has always had the ability to block countries – but we have not extended the capability beyond two countries (Russia and China) before today. As of today we have created 5 new combination lists for our standard mode subscribers and a list of some 30 or so countries for our expert mode subscribers. This extension of the geographic block capability now allows our subscribers to do far more than just block China, they can now block based on specific sanctions regimes such as ITAR or OFAC and we have also added a specific Eastern Europe list that blocks countries that are currently major sources of malware. This list – currently Russia, Ukraine, Romania, Moldova and Latvia – is a list of countries that consistently provide far more than their ‘fair share’ of malware because they offer lax enforcement which in turn means they are able to provide bullet-proof hosting and other related facilities for criminals.

If (when?) countries make a clear effort to clean up their ISPs and hosting providers then they will be removed from the list; likewise other countries may be added if they are seen to be worth adding. Of the 5 listed, Ukraine and Latvia vie for the “prize” of being the worst country for malware that has more than a handful of IP addresses. Our lists have blocked roughly 5% of Ukraine’s total IP addresses ever since we started tracking which countries and about 6% of the (much smaller) address space of Latvia. The other 3 – while far less bad proportionally – are also highly significant sources of malware.

The ITAR and OFAC lists of countries are less complex. These are countries that certain organizations are legally forbidden contact with and hence should not let their computers communicate with. The advantage of using the ThreatSTOP lists is that we will keep track not just of changes in IP address allocation but also in the state of the laws, so that as countries are added to and removed from the various lists the block lists will change accordingly.

ITAR: Afghanistan, Belarus, Burma (Myanmar), China, Cote d’Ivoire, Cuba, Cyprus, Congo (Dem Rep), Eritrea, Haiti, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Sierra Leone, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Yemen and Zimbabwe

OFAC Embargo – Cuba, Iran, Syria

OFAC Sanction – Libya, Sudan, North Korea, Myanmar (Burma), Liberia, Iraq, Zimbabwe, Serbia, and the Cote D’Ivoire

Finally there is the Modified ITAR list – this is a list of countries that are generally suspected of industrial espionage and potentially other acts against US interests. Many are on the ITAR and OFAC lists but not all, and the list does not include some countries that are on those lists. Currently this list contains: China, Brazil, Russia, India, Korea (both), Vietnam, Ukraine, Cuba, Czech Republic, Estonia, Georgia, Iran, Latvia, Lithuania, Moldova, Romania, Pakistan, Serbia, Somalia, Venezuela and Yemen.

It is worth repeating that neither the Eastern Europe nor the Modified ITAR lists are based on a legal requirement. They are however considered to be useful as a shorthand for protecting against certain sorts of attack. If you are a technology company worried about industrial espionage then the Modified ITAR list is probably of great interest, and anyone who has no particular reason to do business with Eastern Europe will find it useful to block the attentions of the criminals there that operate botnets using ZeuS and related trojans. With the growth of ACH fraud and the current state of US case law, failure to protect against these trojans is a great way to see your organization bankrupted.

ThreatSTOP Blocking New Facebook Malware

There is some nasty Facebook spread malware going around at the moment. F-Secure states that the malware infects users in the US and UK and applies to both Mac and PC users.

According to F-Secure’s report (linked above) the malware is downloaded (after the usual series of redirects) from newtubes.in. This domain resolves to the address (name servers for the domain itself ( and I’m pleased, but unsurprised, to note that both these IP addresses are already blocked by ThreatSTOP as they are in the RBN feed and have been for at least a month.

It is worth noting that a number of domains also point to this IP address – various subdomains of newtubes.in as well as subdomains of finetube.in and goldtube.in and the single domain http://www.getmonclerjackets.com. I’m pretty sure that all of them are malware droppers so this is a good illustration that the blocking of the IP address is more efficient than the dropping of the DNS name lookups.

Collateral Damage and IP Reputation

All IP reputation systems (and related filtering too for that matter) will tend to group similar things together under the assumption that if a number of them are definitely bad the rest probably are too. This isn’t perfect but it generally works, as long as the system pays careful attention to corner cases to exclude any false positives.

Over the last couple of days there have been a couple of examples of this – one good, one bad. The bad one is a false positive that occurred on the Russian Business Network feed in which a perfectly harmless company was swept up in the suspicion that it was as bad as its neighbors. The problem in this case was that a quick look showed that it had some features similar to a malware site (multiple subdomains and sub-subdomains on the same host) and was in the same /24 subnet as a number of hosts that were indeed malware sites. Hence the RBN researchers decided to add the entire /24 subnet to their list.

In this case the benefit that ThreatSTOP provides of proactive whitelisting meant that when one of our customers complained, we could quickly add the affected hosts to our whitelist so that they were no longer blocked for our subscribers. And, subject to periodic checks to confirm their goodness, they will remain that way, so that if other analysts also decide to block the same /24 we will continue to carve out their addresses.
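The /24 sweep and the whitelist carve-out described above, as an added example (not ThreatSTOP’s code): the whitelist is consulted before the feed, and the feed is expanded into the exact prefixes a firewall would still load after the carve-out. The feed and whitelist entries are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed feed entries (RFC 5737 documentation ranges), mirroring the post:
# an analyst added a whole /24 because several hosts in it served malware.
RBN_FEED = ["198.51.100.0/24", "203.0.113.7"]

# Constructed whitelist: the harmless company's two hosts inside that /24.
WHITELIST = ["198.51.100.20", "198.51.100.21"]


def parse(entries):
    """Accept bare addresses or CIDR prefixes; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def verdict(addr, feed=RBN_FEED, whitelist=WHITELIST):
    """Whitelist wins over the feed, so the carve-out survives even if a second
    analyst re-adds the same /24 later (the point made in the post)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in parse(whitelist)):
        return "whitelisted"
    if any(ip in net for net in parse(feed)):
        return "block"
    return "allow"


def effective_block_list(feed=RBN_FEED, whitelist=WHITELIST):
    """Expand the feed into the exact prefixes that remain blocked after the
    whitelist is carved out, i.e. what a firewall would actually load."""
    remaining = parse(feed)
    for w in parse(whitelist):
        carved = []
        for net in remaining:
            if net.subnet_of(w):        # whole entry is whitelisted: drop it
                continue
            if w.subnet_of(net):        # punch the hole, keep the rest
                carved.extend(net.address_exclude(w))
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


if __name__ == "__main__":
    for ip in ("198.51.100.20", "198.51.100.99", "203.0.113.7", "192.0.2.1"):
        print(ip, verdict(ip))
    eff = effective_block_list()
    print(len(eff), "prefixes covering", sum(n.num_addresses for n in eff), "addresses")
```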

The other example is a minor issue that befell Sony Thailand. As if Sony didn’t have enough to worry about, it seems that one of Sony Thailand’s servers was infiltrated with malware and became a phishing site masquerading as an Italian bank. Now the interesting thing here (from an IP reputation standpoint) is that while http://www.sony.co.th and many other Sony domains are hosted on Akamai’s global network, the host in question (hdworld.sony.co.th) turns out to be hosted by a Thai ISP at. A quick check on the ISC’s passive DNS database shows that this address is used by a number of Sony and non-Sony related sites as well:

3d.sony.co.th.    A
bloggie.sony.co.th.    A
bpex2009.sony.co.th.    A
bravia.sony.co.th.    A
dexdev.com.    A
diwmap.zg-zing.com.    A
dslr.sony.co.th.    A
feelmorepower.com.    A
handycam.sony.co.th.    A
hdworld.sony.co.th.    A
icrecorder.sony.co.th.    A
mail.nabaan.com.    A
ns3.readyspaces.net.    A
ns4.readyspaces.net.    A
salt.sony.co.th.    A
sframe.sony.co.th.    A
vaio.sony.co.th.    A
walkman.sony.co.th.    A
www.dexdev.com.    A
www.nabaan.com.    A
www.pantenestarsearch.com.    A
www.zg-zing.com.    A
youngcreative.sony.co.th.    A

I strongly suspect that in this case proximity led to the infection. That is to say that one of the other virtual hosts on the same server was compromised and then the attackers infected some or all of the other vhosts, including in this case one of Sony’s. Oops. And a great example of why IP reputation works. It really is likely that infections and malware spread to otherwise innocent bystanders.
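Reverse-mapping passive DNS records the way the two passages above use them, as an added example (not ThreatSTOP’s or the ISC’s code): from a set of (name, address) records it lists which names share a server with a given host, and which names an address-level block catches that a name-only list would miss (the newtubes.in point) while also exposing the bystander vhosts that get swept up with it. The records are constructed, using RFC 5737 addresses and example-style host names.

```python
from collections import defaultdict

# Constructed passive-DNS A records (owner name, address). The pattern copies
# the post: one vendor's vhosts share a server with unrelated sites, while the
# vendor's main site sits on a CDN at a different address.
RECORDS = [
    ("hdworld.vendor-example.co.th.", "192.0.2.10"),
    ("bravia.vendor-example.co.th.", "192.0.2.10"),
    ("mail.unrelated-example.com.", "192.0.2.10"),
    ("www.tube-example.in.", "192.0.2.10"),
    ("cdn.tube-example.in.", "192.0.2.10"),
    ("www.vendor-example.co.th.", "198.51.100.5"),
]


def normalise(name):
    """Passive DNS prints absolute names ('host.'); compare them case-folded
    and without the trailing dot."""
    return name.rstrip(".").lower()


def hosts_by_address(records):
    """Reverse the records: address -> set of names that resolve to it."""
    index = defaultdict(set)
    for name, addr in records:
        index[addr].add(normalise(name))
    return index


def co_hosted(records, hostname):
    """Names sharing an address with `hostname`: the bystanders that a
    compromised vhost (or an IP block) reaches. Sorted, without `hostname`."""
    target = normalise(hostname)
    addrs = {a for n, a in records if normalise(n) == target}
    index = hosts_by_address(records)
    return sorted(set().union(*(index[a] for a in addrs)) - {target})


def ip_block_extra_coverage(records, known_bad_names):
    """Block the addresses of the names you already know are bad and report
    the additional names that catches, which a name-only list would miss."""
    bad = {normalise(n) for n in known_bad_names}
    index = hosts_by_address(records)
    bad_addrs = {a for n, a in records if normalise(n) in bad}
    return sorted(set().union(*(index[a] for a in bad_addrs)) - bad)
```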
