Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 20 October 2009

Crimeware-friendly ISPs: Bigness (AS49093)

I was trying to decide who to name and shame next, and it was a toss-up between Bigness (AS49093), Ecatel and Krypt Technologies. I thought this time we'd go with Bigness and leave Ecatel and Krypt Technologies for next time.

Bigness came across the radar a few months ago, due to its hosting a slew of malicious domains, and ONLY hosting malicious domains (I've not seen a single legit site hosted there in all of the time I've been monitoring it).

So what have we got over there, you ask? Well, we've had rogues, phishing scams, fake meds, spam and exploits, and there's evidence over at MDL of their also housing the likes of the Liberty Exploit, amongst other things.

http://hosts-file.net/?s=195.88.19&view=history
http://hosts-file.net/?s=195.88.19&view=matches
http://www.malwaredomainlist.com/forums/index.php?topic=3303.0
http://www.malwareurl.com/search.php?domain=&s=as49093&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

... and that just gives a small example ...

I'm 99% convinced, due to the activities, that Bigness is actually not a legit ISP at all but is in fact a criminal organization itself, due in part to the sheer amount of activity in such a short time. I'll be happy to see evidence to debunk this.

I am, however, more concerned with why their upstreams haven't yet pulled the plug on them. Given the amount of malware, and the number of abuse reports that have been sent (and there have no doubt been thousands of such reports sent by others), they should have been pulled months ago.

We'll get to the upstream in a moment. Let's see who's "publicly" behind Bigness, shall we? Let's start with the domain used for the range's PTR (reverse DNS) records, ptrzonez.com. This domain is registered to:

Domain name: PTRZONEZ.COM
Name Server: ns1.ptrzonez.com 195.88.190.29
Name Server: ns2.ptrzonez.com 195.88.190.29
Creation Date: 2009.08.28
Updated Date: 2009.08.28
Expiration Date: 2010.08.28

Status: DELEGATED

Registrant ID: YAIX0MX-RU
Registrant Name: Ivan C Perrov
Registrant Organization: Ivan C Perrov
Registrant Street1: Chelyabinsk, Lenina 44-399
Registrant City: Sazanye
Registrant State: Penzenskaya obl.
Registrant Postal Code: 442882
Registrant Country: RU

Administrative, Technical Contact
Contact ID: YAIX0MX-RU
Contact Name: Ivan C Perrov
Contact Organization: Ivan C Perrov
Contact Street1: Chelyabinsk, Lenina 44-399
Contact City: Sazanye
Contact State: Penzenskaya obl.
Contact Postal Code: 442882
Contact Country: RU
Contact Phone: +7 911 8838838
Contact E-mail: admini0001@gmail.com

Registrar: ANO Regional Network Information Center dba RU-CENTER


Notice the domain's Created date? Yep, so did I. (Both of its name servers also sit on a single address, 195.88.190.29, inside the Bigness range itself.) Moving along, the following shows the net-block information for Bigness:

inetnum: 195.88.190.0 - 195.88.191.255
netname: BIGNESS-GROUP-NET
descr: Bigness group Ltd. Network
country: RU
org: ORG-BGL6-RIPE
admin-c: BO429-RIPE
tech-c: BO429-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: BIGNESS-GROUP-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: BIGNESS-GROUP-MNT
mnt-domains: BIGNESS-GROUP-MNT
source: RIPE # Filtered

organisation: ORG-BGL6-RIPE
org-name: Bigness Group Ltd
org-type: OTHER
address: 25 Nevsky broad str, office 96
address: S-Petersburg, Russia
e-mail: cardiro@cardiro.org
admin-c: BO429-RIPE
tech-c: BO429-RIPE
mnt-ref: HOSTER-RIPE-MNT
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

person: Bogenov Oleg
address: Russia, S-Petersburg
phone: +79212290843
nic-hdl: BO429-RIPE
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

route: 195.88.190.0/23
descr: IPs
origin: as49093
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered


You'll no doubt have noticed the reference, courtesy of the e-mail address, to cardiro.org:

Domain ID:D154592477-LROR
Domain Name:CARDIRO.ORG
Created On:01-Nov-2008 12:08:33 UTC
Last Updated On:29-Apr-2009 17:09:10 UTC
Expiration Date:01-Nov-2009 12:08:33 UTC
Sponsoring Registrar:Bizcn.com, Inc. (R1248-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:orgns25541303588
Registrant Name:Nilobero Savskiy
Registrant Organization:Nilobero Savskiy
Registrant Street1:231 po box
Registrant Street2:
Registrant Street3:
Registrant City:New York
Registrant State/Province:NY
Registrant Postal Code:10017
Registrant Country:US
Registrant Phone:+1.3312232910
Registrant Phone Ext.:
Registrant FAX:+1.3312232910
Registrant FAX Ext.:
Registrant Email: newssser@yahoo.com
Admin ID:orgns25541304944
Admin Name:Nilobero Savskiy
Admin Organization:Nilobero Savskiy
Admin Street1:231 po box
Admin Street2:
Admin Street3:
Admin City:New York
Admin State/Province:NY
Admin Postal Code:10017
Admin Country:US
Admin Phone:+1.3312232910
Admin Phone Ext.:
Admin FAX:+1.3312232910
Admin FAX Ext.:
Admin Email: newssser@yahoo.com
Tech ID:orgns25541306402
Tech Name:Nilobero Savskiy
Tech Organization:Nilobero Savskiy
Tech Street1:231 po box
Tech Street2:
Tech Street3:
Tech City:New York
Tech State/Province:NY
Tech Postal Code:10017
Tech Country:US
Tech Phone:+1.3312232910
Tech Phone Ext.:
Tech FAX:+1.3312232910
Tech FAX Ext.:
Tech Email: newssser@yahoo.com
Name Server:NS1.ROBONAME.COM
Name Server:NS2.ROBONAME.COM
Name Server:NS3.ROBONAME.COM
Name Server:NS4.ROBONAME.COM


Digging further shows several other domains, for example vhios.net, that trace back to these people as well, though none currently resolve.
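Pulling the same pivots out of these records by hand gets tedious once there are several ranges and domains to follow. The following Python script is an added example, not code from the original post: it parses RIPE-style ("key: value") and registrar-style ("Key:Value") whois text into objects, converts the inetnum range to CIDR, and collects the values an analyst would search next (e-mail domains, phone numbers, RIPE handles, maintainers, name servers, origin AS). The SAMPLE text is a constructed, abridged copy of the records quoted above; the function names are my own, and the shared phone/fax check is only a weak hint, not proof of anything.

```python
"""Extract attribution pivots from whois text (RIPE RPSL and registrar style).

Added example, not code from the post. SAMPLE is an abridged copy of the
records quoted above, pasted in so the script runs offline.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE = """\
inetnum: 195.88.190.0 - 195.88.191.255
org: ORG-BGL6-RIPE
admin-c: BO429-RIPE
mnt-by: RIPE-NCC-END-MNT
mnt-by: BIGNESS-GROUP-MNT
source: RIPE # Filtered

organisation: ORG-BGL6-RIPE
org-name: Bigness Group Ltd
e-mail: cardiro@cardiro.org
admin-c: BO429-RIPE
mnt-ref: HOSTER-RIPE-MNT
mnt-by: BIGNESS-GROUP-MNT

person: Bogenov Oleg
phone: +79212290843
nic-hdl: BO429-RIPE
mnt-by: BIGNESS-GROUP-MNT

route: 195.88.190.0/23
origin: as49093
mnt-by: BIGNESS-GROUP-MNT

Domain Name:CARDIRO.ORG
Created On:01-Nov-2008 12:08:33 UTC
Registrant Name:Nilobero Savskiy
Registrant Phone:+1.3312232910
Registrant FAX:+1.3312232910
Registrant Email: newssser@yahoo.com
Admin Email: newssser@yahoo.com
Name Server:NS1.ROBONAME.COM
Name Server:NS2.ROBONAME.COM
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_objects(text):
    """Split whois text into blank-line-separated objects of key -> [values].

    Keys are lower-cased, "%"/"#" comment lines and RPSL end-of-line comments
    ("# Filtered") are dropped, and empty fields (Street2:) are skipped.
    """
    objects, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(dict(current))
                current = defaultdict(list)
            continue
        if line.lstrip().startswith(("%", "#")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.split("#", 1)[0].strip()
        if value:
            current[key.strip().lower()].append(value)
    if current:
        objects.append(dict(current))
    return objects


def inetnum_to_cidrs(inetnum):
    """RIPE 'first - last' range -> minimal list of CIDR prefixes."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def pivots(objects):
    """Collect the values worth searching next across all parsed objects."""
    found = defaultdict(set)
    for obj in objects:
        for key, values in obj.items():
            for value in values:
                for email in EMAIL_RE.findall(value):
                    found["emails"].add(email.lower())
                    found["email_domains"].add(email.lower().split("@")[1])
                if "phone" in key or "fax" in key:
                    found["phones"].add(re.sub(r"[^\d+]", "", value))
                if key in ("admin-c", "tech-c", "nic-hdl"):
                    found["handles"].add(value)
                if key.startswith("mnt-"):
                    found["maintainers"].add(value)
                if key == "name server":
                    found["nameservers"].add(value.split()[0].lower())
                if key == "origin":
                    found["origin_as"].add(value.upper())
                if key == "inetnum":
                    found["prefixes"].update(inetnum_to_cidrs(value))
    return {k: sorted(v) for k, v in found.items()}


def shared_phone_fax(obj):
    """True when a registrar record lists the same number as phone and fax.

    A weak hint of throwaway contact data, never proof on its own.
    """
    phones = {v for k, vs in obj.items() if k.endswith(" phone") for v in vs}
    faxes = {v for k, vs in obj.items() if k.endswith(" fax") for v in vs}
    return bool(phones & faxes)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    for name, values in pivots(objs).items():
        print(f"{name:14} {', '.join(values)}")
    print("phone == fax on registrar record:", shared_phone_fax(objs[-1]))
```

Run it on the full output of `whois` for a range and a domain and each list becomes the next search term; the inetnum-to-CIDR step matters because RIPE ranges are not always a single prefix, so a blocklist built from the raw range can miss part of it.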

So who is providing upstream connectivity to Bigness, then? Well, a tracert shows the last hop before you reach Bigness to be on tinet.net:

1 {MY_NETWORK}
2 365 ms 498 ms 362 ms lo0-plusnet.pte-ag2.plus.net [195.166.128.72]
3 438 ms 396 ms 420 ms ge0-0-0-504.pte-gw2.plus.net [84.92.4.90]
4 472 ms 515 ms 475 ms te2-4.pte-gw1.plus.net [212.159.1.101]
5 38 ms 34 ms 33 ms te2-2.pcl-gw01.plus.net [212.159.0.185]
6 103 ms 57 ms 33 ms xe-1-2-0-0.lon20.ip4.tinet.net [213.200.79.233]
7 45 ms 47 ms 50 ms xe-2-2-0.fra44.ip4.tinet.net [89.149.185.102]
8 53 ms 55 ms 65 ms star-hosting-gw.ip4.tinet.net [77.67.72.154]
9 60 ms 60 ms 66 ms 195-88-191-2.ptrzonez.com [195.88.191.2]


The hop's PTR, star-hosting-gw.ip4.tinet.net, shows a reference to Star Hosting, so let's check it out, shall we? A "customer-gw" style name on a transit provider's address is the usual way a provider labels its own end of a customer link, and that reading is consistent with the AS graph over at Robtex: whilst the hop's address is indeed owned by Tinet, it's actually used by Star Hosting (AS44146). In other words, the path runs Tinet, then Star Hosting, then Bigness.
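To make "the last hop before Bigness" a repeatable check rather than eyeballing, here is an added Python example (not code from the original post). It parses tracert/traceroute output, uses the 195.88.190.0/23 route from the RIPE record above to find where the path enters the target network, and reports the last responding hop before it together with the labels of that hop's PTR. TRACE is the trace quoted above with one constructed timed-out hop (7) inserted so the script shows how silent hops are skipped but counted; the function names are my own.

```python
"""Find the upstream hop of a target prefix in tracert/traceroute output.

Added example, not code from the post. TRACE is the trace quoted above with
one constructed timed-out hop (7) inserted; PREFIX is the route object's
195.88.190.0/23.
"""
import ipaddress
import re

PREFIX = "195.88.190.0/23"

TRACE = """\
  1  {MY_NETWORK}
  2   365 ms   498 ms   362 ms  lo0-plusnet.pte-ag2.plus.net [195.166.128.72]
  3   438 ms   396 ms   420 ms  ge0-0-0-504.pte-gw2.plus.net [84.92.4.90]
  4   472 ms   515 ms   475 ms  te2-4.pte-gw1.plus.net [212.159.1.101]
  5    38 ms    34 ms    33 ms  te2-2.pcl-gw01.plus.net [212.159.0.185]
  6   103 ms    57 ms    33 ms  xe-1-2-0-0.lon20.ip4.tinet.net [213.200.79.233]
  7     *        *        *     Request timed out.
  8    45 ms    47 ms    50 ms  xe-2-2-0.fra44.ip4.tinet.net [89.149.185.102]
  9    53 ms    55 ms    65 ms  star-hosting-gw.ip4.tinet.net [77.67.72.154]
 10    60 ms    60 ms    66 ms  195-88-191-2.ptrzonez.com [195.88.191.2]
"""

# A hop line starts with the hop number; the address is "host [ip]" (Windows
# tracert) or "host (ip)" (Unix traceroute); "-n" output has a bare address.
HOP_RE = re.compile(r"^\s*(?P<n>\d+)\s+(?P<body>\S.*)$")
ADDR_RE = re.compile(
    r"(?:(?P<host>[A-Za-z0-9._-]+)\s+)?[\[(](?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_trace(text):
    """Return one dict per hop: n, host (PTR name or None), ip (or None)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # banner lines, blank lines
        body = m.group("body")
        host, ip = None, None
        a = ADDR_RE.search(body)
        if a:
            host, ip = a.group("host"), a.group("ip")
        else:
            b = IP_RE.search(body)        # traceroute -n style: bare address
            ip = b.group(0) if b else None
        hops.append({"n": int(m.group("n")), "host": host,
                     "ip": ipaddress.ip_address(ip) if ip else None})
    return hops


def find_upstream(hops, prefix):
    """Locate where the path enters `prefix`.

    Returns {"upstream": last responding hop before entry, "entry": first hop
    inside the prefix, "silent_between": unanswered hops between them}, or
    None if the trace never enters the prefix. A non-zero silent_between means
    the real upstream router may be one that did not answer, so "upstream" is
    only the last *visible* one.
    """
    net = ipaddress.ip_network(prefix)
    last_seen = None
    for hop in hops:
        if hop["ip"] is None:
            continue
        if hop["ip"] in net:
            prev_n = last_seen["n"] if last_seen else 0
            return {"upstream": last_seen, "entry": hop,
                    "silent_between": hop["n"] - prev_n - 1}
        last_seen = hop
    return None


def ptr_labels(host):
    """Split a PTR name into (leftmost label, registrable domain).

    Assumes a two-label registrable domain (tinet.net, ptrzonez.com). The left
    label of a transit router's PTR usually names the customer link, but it is
    set by whoever runs the reverse zone, so treat it as a lead, not proof.
    """
    parts = host.lower().rstrip(".").split(".")
    return parts[0], ".".join(parts[-2:])


if __name__ == "__main__":
    result = find_upstream(parse_trace(TRACE), PREFIX)
    up, entry = result["upstream"], result["entry"]
    print(f"enters {PREFIX} at hop {entry['n']}: {entry['host']} {entry['ip']}")
    print(f"last hop outside: {up['n']} {up['host']} {up['ip']} "
          f"labels={ptr_labels(up['host'])} silent={result['silent_between']}")
```

Feed it a live trace and the prefix from the route object and it names the visible upstream; when `silent_between` is not zero, the hop that mattered may be the one that dropped your probes, which is exactly when to cross-check against the AS graph rather than the PTR alone.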



/Begin side thought

Could it be a coincidence that the last time malware was seen (that I can find records for) directly on Star Hosting's network was July 2009, and Bigness appeared on the radar as of August 2009? I'll leave you to ponder that one.

http://www.malwareurl.com/search.php?domain=&s=as44146&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
http://hosts-file.net/?s=77.37&view=history
http://hosts-file.net/?s=77.37&view=matches

/End side thought


So, Star Hosting, would you care to explain to the ladies and gents of the internet why you are providing upstream connectivity to a criminal organization? Given that Bigness also seems to trace to citytelecom.ru (AS29076 CITYTELECOM-AS Citytelecom.ru), I wonder if they'd mind explaining themselves too.

Until they decide to explain themselves, I thought I'd point you to the following PDF report from Host Exploit, which shows Star Hosting's connections to McColo, which is/was part of the Russian Business Network, which leads to the reasonable assumption that Bigness is very likely simply a new name for McColo and is, in fact, the RBN.

I'll leave further digging as an exercise for the reader .....

1 comment:

nico said...

Thank you very much Steven!
I've blocked the ISP's entire IP range.
Found the address at Google Maps [http://maps.google.nl/maps?q=59.935324,30.323156&num=1&sll=59.936702,30.323812&sspn=0.006295,0.01365&ie=UTF8&hq=&hnear=Rusland,+191186,+%D0%A6%D0%B5%D0%BD%D1%82%D1%80%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D0%B9+%D0%90%D0%B4%D0%BC.+%D1%80%D0%B0%D0%B9%D0%BE%D0%BD,+Sint-Petersburg,+Nevski+Prospekt,+25&ll=59.935245,30.323403&spn=0.001723,0.006866&z=18]
Seems they have an office at 'St. Petersburg's Most Prestigious Business Address' [http://www.nevsky25.com/en/index.html]

Regards, Nico.