Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 15 November 2009

Real International Business Corp = NatCoWeb (AS46636)

Looking up records for AS46636, I noticed something interesting. The Netblock WhoIs showed a reference to "uaonline", but the AS was saying it belonged to NatCoWeb, clearly something was amiss here, as I remember this as being Real International Business Corp just a few months ago.

I decided to look further, and got clarification that Real International Business Corp, are indeed NatCoWeb, thanks to WhoIs records for both natcoweb.com (204.62.12.11) and gosecure.eu (204.62.15.9) (owned by RIBC).

Domain Name: gosecure.eu
Status: REGISTERED (What this means)
Registered: July 30, 2006
Last update: September 23, 2009, 8:33 am

Registrant

Name: Sabyetyev Sergiy
Organisation: Navilive Private Limited
Language: English
Address:

Suite 8525, 16-18 Circus Road, St. Johns Wood
NW8 6PG, London
United Kingdom

Phone: +44 (0)8704867384
Fax: +44 (0)8704867385
Email: manager@hqhost.net

Registrar technical contacts

Name: Domain Manager
Organisation: PublicDomainRegistry.com
Language: English
Address:

14525 SW Millikan #48732
97005-2343
Oregon
United States

Phone: +1.2013775952
Fax: +1.3202105146
Email: domain.manager@publicdomainregistry.com

Registrar Organisation: Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com
Website: www.publicdomainregistry.com

Nameservers:

ns20.natcoweb.com
ns10.natcoweb.com


Registrant:
Natcoweb Corp.
5851 West Side Ave
North Bergen, NJ 07047
US
6462333035
Fax:2125916245

Domain Name: NATCOWEB.COM

Administrative Contact:
Sabyetyev, Sergiy ceo@natcoweb.com
5851 West Side Ave
North Bergen, NJ 07047
US
6462333035
Fax:2125916245

Technical Contact:
Sabyetyev, Sergiy ceo@natcoweb.com
5851 West Side Ave
North Bergen, NJ 07047
US
6462333035
Fax:2125916245

Record last updated 08-14-2009 06:29:50 AM
Record expires on 01-13-2016
Record created on 01-13-2007

Domain servers in listed order:
NS10.NATCOWEB.COM 204.62.12.14
NS20.NATCOWEB.COM 204.62.13.6


"Navilive Private Limited", incase you're wondering, have already previously been implicated in a number of malicious activities, including Asprox for example;

http://www.matchent.com/wpress/?q=node/392

And appear to be related, or have ties to, Bigness Group Limited;

http://www.bobbear.co.uk/pfg-inc.html

And just for further clarification, you'll no doubt have noticed that NatCoWeb are down as owning 88.214.241.0/24, and no doubt have noticed the @ipipe.net e-mail address in the net-block records? Well, lets see who owns ipipe.net (hosted at 80.77.95.119) shall we?

Registration Service Provided By: HIGH QUALITY HOST COMPANY
Contact: +1.6462130098

Domain Name: IPIPE.NET

Registrant:
Real International Business Corp
Sabetyev, Sergey (domains@ipipe.net)
244 fifth ave #200
New York
New York,10001-7604
US
Tel. +1.6462130098
Fax. +1.2125916425

Creation Date: 22-Feb-2005
Expiration Date: 22-Feb-2012

Domain servers in listed order:
ns1.ipipe.net
ns2.ipipe.net

Administrative Contact:
Real International Business Corp
Sabetyev, Sergey (domains@ipipe.net)
244 fifth ave #200
New York
New York,10001-7604
US
Tel. +1.6462130098
Fax. +1.2125916425

Technical Contact:
Real International Business Corp
Sabetyev, Sergey (domains@ipipe.net)
244 fifth ave #200
New York
New York,10001-7604
US
Tel. +1.6462130098
Fax. +1.2125916425

Billing Contact:
Real International Business Corp
Sabetyev, Sergey (domains@ipipe.net)
244 fifth ave #200
New York
New York,10001-7604
US
Tel. +1.6462130098
Fax. +1.2125916425

Status:ACTIVE


And who owns 80.77.95.119?

inetnum: 80.77.95.1 - 80.77.95.255
netname: level0-NET-1
descr: level0 is a webhosting organization
country: US
admin-c: MS9776-ripe
tech-c: VK1045-ripe
status: ASSIGNED PA
mnt-by: uaonline
source: RIPE # Filtered

person: Soldatov Maxim
address: Marylebone high street 78
address: W1U 5AP London
phone: +380 50 4985406
e-mail: makc@ipipe.net
org: ORG-RIBC1-RIPE
nic-hdl: MS9776-ripe
mnt-by: uaonline
source: RIPE # Filtered

person: Vladimir Klenov
address: London, United Kingdom
phone: +380 50 4985406
e-mail: maple@ipipe.net
nic-hdl: VK1045-ripe
mnt-by: uaonline
source: RIPE # Filtered


If they were trying to re-brand themselves without anyone noticing, they've certainly done a very poor job of it. Navilive Private Limited = Real International Business Corp = NatCoWeb and (hqhost.net = ipipe.net) = Real International Business Corp.

9 comments:

Nic said...

You are wrong!
ALL EU domains registered with onlineNic have the same Navilive Private Limited company as a registrar, which is fully qualified for .EU registration.
look here http://www.google.ca/search?hl=en&source=hp&q=Navilive+Private+Limited&btnG=Google+Search&meta=&aq=f&oq=
and here
http://www.onlinenic.com/english/eu/index.php

Navilive Private Limited = OnlineNic.com

So, if you wonna buy an EU domain and you live OUTSIDE of European Union you can click here :
http://www.onlinenic.com/english/eu/index.php
But, in this case you'll get the same company as a registrar :) your whois will show the same company too..
so do not forget to insert your domain in a malware list..

lol

Malware is something more than the same whois information or re-branding or IP addresses..
It's bad when dabblers trying to make such an important job..

I believe it’s better to say sorry to gosecure.eu owners.
It seems they do a great job.

MysteryFCM said...

Thanks for the clarification. However, ignoring the Organization company listed in the WhoIs, it's still pretty clear that the two domains are related to each other. I think you'll also find the findings as far as malware etc are concerned, were based on a little more than WhoIs information ;o) (I'll leave the research to you).

As for my whois showing the same company, I'll think you'll find that's cobbles as my domain isn't a .eu, nor was it purchased through OnlineNic (I find it a little curious however, that they've chosen to list this company given other eu registrars do not).

Unknown said...

Hello,
My name’s Sergiy Sabyetyev, I’m the owner of GoSecure, Ipipe, NatCoWeb and at least a dozen of other well-known internet projects.
I feel awkward spending my time to prove my innocence and the legality of gosecure.eu that was in fact blackmailed by you and Directi..
On the basis of the false information Directi has given us 72 hours to transfer the domain.
I’m not going to transfer it, as everything we do is absolutely legal.
Dozens and hundreds of our products are distributed daily via the network of affiliate companies, for example, CNET.
The software distributed via this web site doesn't contain viruses or malware, as this software is offered at other web sites selling software:
http://www.softpedia.com/get/Security/Encrypting/GoSecure-Secure-Disk.shtml
http://www.sofotex.com/gosecure-Secure-Disk-download_L64748.html
http://www.tucows.com/preview/513982
http://download.cnet.com/Secure-Disk/3010-2092_4-10797313.html
It’s quite obvious that the program code of the software is thoroughly tested before the product is accepted for sale by all our partners.
Search the Internet, check MCAFEE, and you’ll see the information you provided is incorrect.
We are a well-known brand with the staff exceeding one hundred of employees working in the Eastern European and USA-based offices. We have licenses for creation and distribution of cryptographic software.
I hope that my email will offer you the facts to look into this issue with more consideration and you’ll change your idea of gosecure.eu.

About Gosecure.eu
Originally the domain was registered at onlinenic. We used their services due to the fact we are not in the EU. Recently the domain has been transferred to Directi, as we are Directi resellers.
Tomorrow morning we are going to publish official press release. This is extremely important issue. If Directi suspend gosecure.eu dozen of thousands customers will be out of service.

MysteryFCM said...

Sergiy,
Glad to finally get a response from you.

I'm afraid however, given the plethora of malware that has been, and continues to be, available all across the RIBC/NatCoWeb range, that I find it a little hard to believe your company is an innocent party in this.

Giving the benefit of the doubt however (and to clarify, I've not said anything about gosecure.eu that I recall, other than it's being owned by the same company), would you care to explain why your company's ranges have seen a plethora of malicious content, with everything from generic malware to exploits to phishing to CP, seemingly without your company either taking action or even doing as little as responding to an abuse report? (there are plenty of references around concerning this, and have been got aslong as I can remember).

I'll be happy to publish specific examples if necessary? (certainly got a plethora of them recorded, as have many of my fellow researchers)

Unknown said...

Sorry, I don't understand you. You are talking about 'plethora of malware that has been, and continues to be'
We have more than 12000 customers. Every day we have 20-50 more customers. I can (although it is questionable) assume that not all the customers are good, although we do the best in order to find out scammers.
Anyway, I know that our support team working good. I have no doubts they remove every malware resourse at the moment.
If you have specific examples please let me know. But I really think that there are no reported active cases.
As for RIB Corp. It was our old company. It works now and we are not hiding it.

MysteryFCM said...

I'll get the records correlated for you within the next 24 - 48 hours or so (got alot of work to do), but in the meantime, may I suggest you start with;

1. Alex Moskalev

Just one of the domains he's "purchased" through your company is traffholder.net, and yep, there's more than one. A little research will quickly show you the criminal activity involved

2. 88.214.0.0/16

I'm sure I don't need to teach your staff how to research and identify malicious content, so I'll just give you the following and let you take it from there.

http://hosts-file.net/pest.asp?show=88.214.&direct=1

http://www.malwareurl.com/search.php?domain=&s=46636&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

http://www.malwaredomainlist.com/mdl.php?search=46636&colsearch=ASN&quantity=50

http://support.clean-mx.de/clean-mx/viruses.php?as=AS46636

Unknown said...

MysteryFCM,
we'll sort out the issue with this domain. But there's still a doubtful assumption that by registering any domain that will be further used for illegal purposes the registrar automatically becomes an outcast and his overall activity is illegal. The problem behind the stats for the above-mentioned resources is that it's not uptodate. About 20% of the enlisted projects have been already transferred to other ISPs, others were infected by malware and cured, and I'm perplexed to see others there. Say hosts-file.net or celebsbase.com, why are they on the list??? Adult content isn't illegal in itself. Google doesn't trust rantrafrout .com, mature-and-young .com & wantfinest .com, and these projects aren't hosted with us, care to ask why?
Check malwareurl - dmst96.us, lead-trix.com and a number of other.cc domains, they were removed from our servers and are operated from other.
Just to make sure check the stats on theplanet, svwh, webazilla etc. You are sure to see there illegal domains as well, but this fact alone doesn't make them parties in the malware distribution. This is an ongoing process, and you have to be flexible here.

Unknown said...

I'd like to ask Sergiy a question. I can't find NatCoWeb registered with the New York Secretary of State. What gives, Serg? You list an address in New York state.

OrgName: NatCoWeb Corp.
OrgID: NATCO-8
Address: 244 5TH AVE APT S211
City: New York
StateProv: NY
PostalCode: 10001-7604
Country: US

That 5th Avenue address is not an apartment building! It's this place: http://www.nymail.com/, which is nothing more than a private mailbox/virtual office business. Why the subterfuge?

Is NatCoWeb a real corporation and if so: where is it incorporated?

I'm emailing him in case he doesn't see this.

TIA

Unknown said...

It was our temporary address in NYC. Now we are in NJ(5851 West Side Ave, North Bergen) just 15 minutes away from 5th AVE. You can visit us at any time.

by the way, please check Arkansas ;)
The company has been incorporated 3 years ago, although we are in this industry much longer.

Also sorry for the delay with answer.. just forgot about it.