Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 6 November 2009

Crimeware friendly ISPs: Sun Network (AS38197, Hong Kong) / iJoos Network Solutions

What do you get if you cross MSN + scammers + a rogue Chinese ISP? That's right folks, a whole lot of phishing phun!

NB: Those previously at 121.54.174.* moved to .171 after their 174.* IPs were shut off; these changes will be reflected in the main hpHosts database when someone queries the respective domains' report pages.
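The move described above (hosts dropping off the shut-off 121.54.174.* block and reappearing on 121.54.171.*) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not hpHosts code: it compares two resolution snapshots of tracked domains and flags which ones hopped between the two /24s named in this post, left them, or are newly seen. The domain names and final octets in the snapshots are constructed for illustration; only the two ranges come from the post.

```python
import ipaddress

# The two /24s this post is about: the block that was shut off and the block
# the same hosts moved to afterwards.
WATCHED_RANGES = {
    "121.54.174.0/24": ipaddress.ip_network("121.54.174.0/24"),
    "121.54.171.0/24": ipaddress.ip_network("121.54.171.0/24"),
}

# Constructed snapshots (domain -> resolved IP) standing in for two DNS
# sweeps taken before and after the 174.* IPs were shut off. The .invalid
# names are placeholders, not real phishing domains.
SNAPSHOT_BEFORE = {
    "phish-a.invalid": "121.54.174.21",
    "phish-b.invalid": "121.54.174.35",
    "phish-c.invalid": "121.54.174.40",
}
SNAPSHOT_AFTER = {
    "phish-a.invalid": "121.54.171.21",   # hopped to the .171 block
    "phish-b.invalid": "203.0.113.7",     # left the watched space (TEST-NET-3)
    "phish-d.invalid": "121.54.171.60",   # newly observed domain
}

def classify_ip(ip_str):
    """Return the watched range containing ip_str, or None if it is outside both."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in WATCHED_RANGES.items():
        if ip in net:
            return name
    return None

def track_moves(previous, current):
    """Map each domain to (old_range, new_range, status) across two snapshots."""
    report = {}
    for domain in sorted(set(previous) | set(current)):
        old_ip, new_ip = previous.get(domain), current.get(domain)
        old_range = classify_ip(old_ip) if old_ip else None
        new_range = classify_ip(new_ip) if new_ip else None
        if new_ip is None:
            status = "gone"        # no longer resolves at all
        elif old_ip is None:
            status = "new"         # first time this domain has been seen
        elif old_range and new_range and old_range != new_range:
            status = "moved"       # hopped between the two watched /24s
        elif old_range and not new_range:
            status = "left"        # moved off the watched space entirely
        else:
            status = "changed" if old_ip != new_ip else "unchanged"
        report[domain] = (old_range, new_range, status)
    return report

def still_hosted(current):
    """Domains whose current IP sits in either watched /24 (what the DB should list)."""
    return sorted(d for d, ip in current.items() if classify_ip(ip))
```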

My friend Jonathan has been tracking and keeping me updated on this, to both keep me abreast of any new domains I've not yet noticed that are involved, and his progress on getting the ISP to take action and disable the IP's involved.

You can probably guess from my posting this that the ISP hasn't exactly been, err, an ISP, or not a responsible one anyway - all of the domains are still live, there have been new ones popping up (the newest one being ), and the response from the ISP? It's one of their clients, so not their responsibility .... where have I heard this before?

Let's get to that, shall we? The IPNB info shows the following;

inetnum: -
netname: JNS-CN
descr: iJoos Network Solutions.
descr: iJoos Internet Service Provider
country: CN
admin-c: XL201-CN
tech-c: XL201-CN
mnt-by: MAINT-CN-JNS
changed: 20090929
source: APNIC

person: xiaobing LI
address: 198-C Qingnian Road, Chaoyang District, Beijing
country: CN
phone: +86 010-85785916
fax-no: +86 010-85785919
nic-hdl: XL201-CN
mnt-by: MAINT-CN-JNS
changed: 20090929
source: APNIC

For those unaware, is a Chinese ISP, and unrelated to this incident.

"iJoos Network Solutions" doesn't exist from what I'm seeing, and the contact address provided by this "owner", coupled with the company not existing, suggests the information is actually fake.

So where does Sun Network fit in? Not surprisingly, they're the AS responsible for this IP block;

38197 SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited

Alas, they're claiming it's simply their customer and not their responsibility ..... as I said before - where have I heard that before?

Dear Sun Network, allow me to point something out to you. When a customer signs up with YOUR COMPANY, they are required to agree to an AUP/TOS, which, unless you've deliberately missed it out, INCLUDES their NOT using your network for malicious purposes; in short - this is YOUR NETWORK and YOUR RESPONSIBILITY! Given I've yet to see a single legit domain on this entire /24, and the sheer amount of malicious activity, I'm finding myself absolutely disgusted that you're refusing to deal with this.

As an aside, one of Sun Network's upstreams, Arcstar (AS9293), is also seeing malicious activity apparently;

With the other, AS9381, seeing a little activity;

Note: I'm still verifying the activity on the upstreams.

Until Sun Network decide to cease providing a home for this rubbish, I'd strongly urge everyone to blackhole their range. In the meantime, the following are the domains I'm presently aware of;

hpObserver Results

Those using Microsoft's Security Essentials should be protected from this, as they added detection for it a few days ago after Jonathan reported it to them;

I've not actually seen the trojan side of this yet, only the phishing sites, so if someone else has seen it, or has a sample that uses this IP range, I'd appreciate a copy of it/them.

/update 07-11-09 06:02

25 minutes or so after posting this (coinkydink?), Jonathan forwarded me the latest e-mail received from Sun Network that shows they've now given in to the abuse reports, and sent the following to their customer;

Dear Customer,

IP: [ ,]

We have received complaints about your Phishing web site.

We would like to take this opportunity to make sure that all our customers understand our company is firmly against such behavior.

We will consider this a warning before we will be forced to take actions against further such acts, and those actions may include IP blocking to the said address without further notice if the offending material is not removed within 72 hours starting from the sent time of this email.

Thank you for your understanding and co-operation. Should you need further assistance please contact us at or call us at 3611-0789.

Thanks and Regards,
Sun Network (Hong Kong) Limited

I'm a little skeptical as to the timing of this response, but as long as the customer is booted, or ALL of the malicious content is removed and further such activity stopped, then I'll be happy.

Excellent work Jonathan!

/edit 06:32

I forgot to add these two links for you guys and gals (related campaigns and further documentation on this particular one, from Sophos);

Pics for MSN Friends spams

“MSN Messenger Block Checker” spams


Jonathan Yaniv said...

Sunnetwork is the worst company ever when it comes to knowing what they are doing. Coincidonk, yes... Now, after thousands upon thousands of people suffered identity theft, they get shut down... The company running the phishing scam is called Tubela Management Inc., based in Panama I believe... These guys are probably responsible for the 20000 leaked Hotmail passwords lately. I'm sure it's not the last I'll see of Tubela Management.

Next on the list for takedowns are this guy's servers, nameservers at Peer1.

I really want Xin Net Technology Corp to go away; they are a major registrar for phishing domains and malware sites.


MysteryFCM said...

The registrar has been doing this for a very long time, with absolutely no view that I've seen of giving a hoot. The sooner ICANN boot them, the better as far as I'm concerned.

Can't comment on whether Tubela Management Inc. are responsible for the leak (wouldn't surprise me, but whilst I'm aware most of the leaked accounts were obtained via phishing scams such as these, I don't believe it was this particular campaign that was responsible), but nevertheless, they've been getting away with this rubbish for far too long.

kaleh said...

I do believe that the current discussion on BadwareBusters:

... is yet another variation of the following:

Pics for MSN Friends spams