Blog for hpHosts, and whatever else I feel like writing about ....

Friday 6 November 2009

Crimeware friendly ISPs: Sun Network (AS38197 121.54.171.0/24, Hong Kong) / iJoos Network Solutions

What do you get if you cross MSN + scammers + a rogue Chinese ISP? That's right folks, a whole lot of phishing phun!

http://hosts-file.net/?s=121.54.17.&view=matches

NB: Those previously at 121.54.174.* moved to .171 after their 174.* IPs were shut off; these will be reflected in the main hpHosts database when someone queries the respective domains' report pages.

My friend Jonathan has been tracking this and keeping me updated, both to keep me abreast of any newly involved domains I'd not yet noticed, and to report his progress in getting the ISP to take action and disable the IPs involved.

You can probably guess from my posting this that the ISP hasn't exactly been, err, an ISP, or not a responsible one anyway. All of the domains are still live, new ones keep popping up (the newest being i-tracked-who-blocked-me.com), and the response from the ISP? It's one of their clients, so not their responsibility .... where have I heard this before?

Let's get to that, shall we? The IPNB info shows the following:

inetnum: 121.54.171.0 - 121.54.171.255
netname: JNS-CN
descr: iJoos Network Solutions.
descr: iJoos Internet Service Provider
country: CN
admin-c: XL201-CN
tech-c: XL201-CN
status: ALLOCATED NON-PORTABLE
mnt-by: MAINT-CN-JNS
changed: xiaobing_lili@126.com 20090929
source: APNIC

person: xiaobing LI
address: 198-C Qingnian Road, Chaoyang District, Beijing
country: CN
phone: +86 010-85785916
fax-no: +86 010-85785919
e-mail: xiaobing_lili@126.com
nic-hdl: XL201-CN
mnt-by: MAINT-CN-JNS
changed: xiaobing_lili@126.com 20090929
source: APNIC


For those unaware, 126.com is a Chinese ISP, and unrelated to this incident.

"iJoos Network Solutions" doesn't exist from what I'm seeing, and the contact address provided by this "owner", coupled with the company not existing, suggests the information is actually fake.

So where does Sun Network fit in? Not surprisingly, they're the AS responsible for this IP block:

38197 121.54.171.0/24 SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited
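As an added example (not part of the original post), the following Python parses the inetnum record and the AS lookup line quoted above, confirms that the APNIC allocation and the announced prefix are the same /24, and checks individual addresses against it. The addresses checked are the two Sun Network names in its e-mail further down, plus a constructed one from the old 121.54.174.* range the hosts moved away from.

```python
import ipaddress
import re

# Constructed copy of the APNIC inetnum record quoted in the post,
# trimmed to the fields this example uses.
INETNUM_RECORD = """\
inetnum: 121.54.171.0 - 121.54.171.255
netname: JNS-CN
descr: iJoos Network Solutions.
mnt-by: MAINT-CN-JNS
source: APNIC
"""

# Constructed copy of the AS lookup line quoted in the post.
AS_LINE = "38197 121.54.171.0/24 SUNHK-DATA-AS-AP Sun Network (Hong Kong) Limited"


def parse_inetnum(record):
    """Return (netname, [networks]) from an APNIC/RIPE-style inetnum block."""
    # inetnum is a "start - end" range; summarize it into the minimal CIDR blocks.
    fields = {}
    for line in record.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    start, end = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
    return fields.get("netname"), list(ipaddress.summarize_address_range(start, end))


def parse_as_line(line):
    """Return (asn, prefix, as_name) from an 'ASN prefix name' lookup line."""
    m = re.match(r"(\d+)\s+(\S+)\s+(.*)", line)
    return int(m.group(1)), ipaddress.ip_network(m.group(2)), m.group(3)


def classify(addresses, networks):
    """Map each address to the block containing it, or None if outside all of them."""
    result = {}
    for a in addresses:
        ip = ipaddress.ip_address(a)
        hit = next((n for n in networks if ip in n), None)
        result[a] = str(hit) if hit else None
    return result


if __name__ == "__main__":
    name, nets = parse_inetnum(INETNUM_RECORD)
    asn, prefix, as_name = parse_as_line(AS_LINE)
    print(name, [str(n) for n in nets], "announced by AS%d (%s)" % (asn, as_name))
    print("allocation equals announced prefix:", nets == [prefix])
    # Two addresses named in Sun Network's warning e-mail plus a constructed one
    # from the old 121.54.174.* range the hosts moved away from.
    for ip, block in classify(["121.54.171.111", "121.54.171.150", "121.54.174.8"], nets).items():
        print(ip, "->", block or "outside the allocation")
```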

Alas, they're claiming it's simply their customer and not their responsibility ..... as I said before, where have I heard that before?

Dear Sun Network, allow me to point something out to you. When a customer signs up with YOUR COMPANY, they are required to agree to an AUP/TOS, which, unless you've deliberately left it out, INCLUDES their NOT using your network for malicious purposes. In short, this is YOUR NETWORK and YOUR RESPONSIBILITY! Given I've yet to see a single legit domain on this entire /24, and the sheer amount of malicious activity, I'm finding myself absolutely disgusted that you're refusing to deal with this.

As an aside, one of Sun Network's upstreams, Arcstar (AS9293), is apparently also seeing malicious activity:

http://google.com/safebrowsing/diagnostic?site=AS:9293

With the other, AS9381, seeing a little activity:

http://google.com/safebrowsing/diagnostic?site=AS:9381

Note: I'm still verifying the activity on the upstreams.

Until Sun Network decide to cease providing a home for this rubbish, I'd strongly urge everyone to blackhole their range. In the meantime, the following are the domains I'm presently aware of:


hpObserver Results
http://it-mate.co.uk/temp/hpObserver_Results_-_Sun_Network.html

Those using Microsoft's Security Essentials should be protected from this, as they added detection for it a few days ago after Jonathan reported it to them:

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aHTML%2fMsnblock.A&ThreatID=-2147337961

I've not actually seen the trojan side of this yet, only the phishing sites, so if someone else has seen it, or has a sample that uses this IP range, I'd appreciate a copy of it/them.

/update 07-11-09 06:02

25 minutes or so after posting this (coinkydink?), Jonathan forwarded me the latest e-mail received from Sun Network, which shows they've now given in to the abuse reports and sent the following to their customer:

Dear Customer,

IP: [121.54.171.111 , 121.54.171.150]

We have received complaints about your Phishing web site.

We would like to take this opportunity to make sure that all our customers understand our company is firmly against such behavior.

We will consider this a warning before we will be forced to take actions against further such acts, and those actions may include IP blocking to the said address without further notice if the offending material is not removed within 72 hours starting from the sent time of this email.

Thank you for your understanding and co-operation. Should you need further assistance please contact us at idc-noc@snw.hk or call us at 3611-0789.

Thanks and Regards,
Sun Network (Hong Kong) Limited


I'm a little skeptical as to the timing of this response, but as long as the customer is booted, or ALL of the malicious content is removed and further such activity stopped, then I'll be happy.

Excellent work Jonathan!

/edit 06:32

I forgot to add these two links for you guys and gals (related campaigns and further documentation on this particular one, from Sophos):

Pics for MSN Friends spams
http://www.sophos4.com/security/blog/2009/09/6438.html

“MSN Messenger Block Checker” spams
http://www.sophos.com/blogs/sophoslabs/v/post/6454

3 comments:

Unknown said...

Sunnetwork is the worst company ever when it comes to knowing what they are doing. Coincidonk yes... Now after thousands upon thousands of people suffered identity theft they get shut down... The company running the phishing scam is called tubela management Inc.. Based in panama I believe... These guys are probably responsible for the 20000 leaked hotmail passwords lately . I'm sure it's not the last I'll see of tubela management

Next on the list for takedowns are this guy's servers' nameservers at peer1

I really want xin net technology corps to go away they are a major registrar for phishing domains and malware sites.

Jonathan

MysteryFCM said...

The registrar has been doing this for a very long time, with absolutely no view that I've seen, of giving a hoot. The sooner ICANN boot them, the better as far as I'm concerned.

Can't comment on whether Tubela Management Inc. are responsible for the leak (wouldn't surprise me, but whilst I'm aware most of the leaked accounts were obtained via phishing scams such as these, I don't believe it was this particular campaign that was responsible), but nevertheless, they've been getting away with this rubbish for far too long.

kaleh said...

I do believe that the current discussion on BadwareBusters:

http://badwarebusters.org/main/itemview/13601?t=3251#itemblock-13626

... is yet another variation of the following:

Pics for MSN Friends spams
http://www.sophos4.com/security/blog/2009/09/6438.html