Actions against registry services abuse – Report April 2009

The above in figures review the recent actions of Directi, in conjunction with HostExploit independent advice, taken to track down and stop abusive domain names and registrants from abusing Directi’s services.

Registrar Abuse
  • 8,506 domain names have been suspended that were either involved in abusive activity or registered by customers/registrants exhibiting persistent patterns of abuse.
  • These domain names (and/or their registrants) were involved in various types of abuse, such as spamming, phishing/spoofing, malware perpetration, child pornography, financial frauds and falsified ‘Whois’ information.
  • All other services utilized by any of these domain names have also been revoked.


When suspending domain names on receiving complaints about their involvement in abuse, HostExploit is pleased to report that, Directi, while reviewing the complaints over the past few months, found certain trends:

  • Domain names registered with the same/similar contact information (name, address patterns)
  • Bulk registrations of domain names with a slight variation in the domain name e.g. 2008bases1.net, 2008bases2.net, 2008bases3.net, 2008bases4.net, 2008bases5.net …. by abusive registrants/customers
  • Same blacklisted name servers being repeatedly utilized.
  • Registrations in the same customer account involved in various forms of abuse
  • Based on these, we reviewed all domain names, first in the customer's account, then in the reseller's account and then across the databases.

An active list of directly suspended domains is available for down load from HostExploit.com

Note: HostExploit and Directi’s agreement to maintain cooperative collaboration to clamp down on spam and other forms of abuse on the Internet has and is continuing to work. HostExploit confirms that they are pleased to work directly with the Directi abuse desk in helping Directi identify any miscreants that maybe using Directi's services. The partnership includes sharing investigative processes and intelligence data on an ongoing basis. With the view on net-neutrality all actions are based upon ACM (Association of Computing Machinery) http://www.acm.org/about/code-of-ethics

We welcome any concerns or reports related to the abuse of Directi’s registry services forward to abuse(at)directi.com or admin(at)hostexploit.com.

Together with the community we hope to continue taking steps to make the Internet a better and safer place.


Are you a Conficker Zombie?

With the advent of Conficker and to avoid becoming one of the estimated now 20 million or so zombie recruits of the botnet armies requires ongoing awareness. At least we need to be personally alert, to make it difficult for the cyber criminals. If you are reading this article on a MS widows based PC and you have not upgraded your XP or Vista operating system since October 2008, there is a reasonable chance you are a zombie, or rather your PC is.

Before we see the regular smirks and responses from Mac and Linux users, stressing how safe they are and it is all the fault of Microsoft. The now common place blended attacks, whose singular purpose is to add your PC to the zombie botnet armies, are designed to gain control regardless of operating system. MS Windows, Mac, Linux, iPhone, iPod, all have “Hosts files” which allow; you, webmasters, or network administrators to configure a direct link to a remote IP address. So if you can do this, guess who else could configure your host file, more about this below.

As a couple of examples of the sophistication of the latest blended attacks, and also acts as the latest clue for Conficker bounty hunters.

Fig 1 - Fig 1 - Conficker - (ref; Internetpol.fr)

Gone are the days when the simple diagnostic of an infected PC or Zombie was essentially the machine was overheating and a markedly drop in speed. The Conficker agents essentially check for the presence of the firewall and ask the firewall to open a backdoor to the Internet, once done it downloads the payload. Interestingly the early version checks if the target has a Ukrainian IP address also checked for a Ukraine keyboard and if either present stopped any infection. Once a PC is infected it will sleep solely to wake up every 3-4 hours to (quietly) call home for its latest instructions and IP addresses.

Another recent example which is called “Virux” (see PE_VIRUX variants - TrendMicro)

Fig 2 - Virux (TrendMicro)

Here Virux infects the PC via the browser and phones home via IRC (Internet Relay Chat) servers for botnet control instructions. Just to emphasize there is some dispute as to where Virux is another variant or from the same stable as Conficker, due to its similarity of attack vectors, or just an update of the older “Virut” exploit which gained fame back in November 2008 for utilizing a vulnerability in Adobe Reader . Either of these examples, both Conficker and Virux, block access to security websites and anti-virus downloads. Also using sophisticated Geo Location IP systems to gain further exploits for the appropriate location of the victim and more importantly this is for enhanced cyber criminal affiliate sales, for example resale and botnet rental of say just PCs on the US West Coast or Australia, etc.

Now for the good news, all the above should alarm the average reader, however most of this can and should be avoided. Either of these examples spreads through the use of; network sharing, weak passwords, and the bad guys making use of the autorun.inf files which are copied to USB drives and other removable media. Further if you have made use of the latest operating system updates, anti-virus, and upgraded to use Adobe Reader 9.0. Also why anyone whether and individual or company, would not use the free “OpenDNS” service which you can set to avoid phishing, adware, or many of these nuisances, is still surprising.

For a really simple check, how is your “Hosts file”? For more the wider details visit Tom Olzak’s excellent article here . For MS windows users it is really simple; using windows explorer go to c:\windows\system32\drivers\etc open the hosts file in Notepad, if you see anything else beyond the standard “ localhost” then ask yourself why, or more worryingly you are already a botnet zombie.


Conficker; A Bounty Hunter’s Guide

You know things are serious when Microsoft Corp. ponies up a $250,000 bounty. The software vendor is offering the cash in exchange for information leading to the arrest and conviction of the Conficker worm creator(s).

It's part of an unprecedented and coordinated response with ICANN and security researchers from Afilias, AOL LLC , Arbor Networks Inc. , CNNIC, F-Secure Corp. , Georgia Tech, Global Domains International Inc., Internet Storm Center (ISC) , M1D Global, NeuStar Inc. (NYSE: NSR), Public Internet Registry, Shadowserver Foundation, Support Intelligence, Symantec Corp. (Nasdaq: SYMC), and VeriSign Inc. (Nasdaq: VRSN) to disable the hosting and distribution of the worm.

Obviously no one's out to justify or encourage the "Wild West" ethics where this reward's concerned, and it's not the first time Microsoft has gone this route. In 2005, the vendor offered $250,000 for the identity of the creator of Netsky, a.k.a. the Sasser worm, leading to the unmasking of German student Sven Jaschan. But for the interested, the curious, and the bounty-minded, what follows is a starter guide and roadmap to help this latest industry-wide effort along.

What is Conficker?

First, do not get blindsided by the linguistics, and its plethora of names. Conficker.A is what CA Inc. (Nasdaq: CA) calls it, but it also goes by Conficker.worm (McAfee Inc. (NYSE: MFE)); Downadup (Symantec); and Kido and Net-Worm.win32.kido.bt (Kaspersky Lab ). They are all the same thing. It spreads through the use of network shares and weak passwords. Additionally, it uses Windows AutoRun functionality, wherein autorun.inf files are copied to USB drives and other removable media.

When Conficker takes control of the user’s PC

• Injects its code into the address space of one of the “svchost.exe” system processes.

• Disables system restore

• Blocks any addresses which contain the following strings:

indowsupdate / wilderssecurity / threatexpert / castlecops / Spamhaus / cpsecure / arcabit / emsisoft / sunbelt / securecomputing / rising / prevx / pctools / norman / k7computing / ikarus /hauri / hacksoft / gdata / fortinet / ewido / clamav / comodo / quickheal / avira / avast / esafe / ahnlab / centralcommand / drweb / grisoft / eset nod32 / f-prot / jotti / Kaspersky / f-secure / computerassociates / networkassociates / etrust /panda / Sophos / trendmicro / mcafee / Norton Symantec / Microsoft defender / rootkit / malware / spyware / virus

Each day, the worm generates a fresh list of about 250 random domain names such as abfhhibxci.cn. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author. It should be stressed that this malware is infecting PCs but has not yet been switched on via command and control functions to act as a botnet.

From whence did Conficker spring?

Conficker was first reported to Microsoft as a remote code execution vulnerability in Windows 2000, 2003, 2008, XP, and Vista server service in October 2008; a security update was released on Oct. 23. Estimates vary as to the extent of infection: F-Secure reported on Jan. 16 that Conficker had infected 9 million PCs worldwide with 353,495 unique IP addresses; 10 days later, this was revised to 15 million infected PCs.

Where are the major infection centers?

Panda Security reported on Jan. 21 Conficker in 83 countries, and an estimated 6 percent of the entire world’s PCs were infected, say, 18 million. It further estimated the countries with the highest rates of virulence were the U.S., China, Spain, Taiwan, and Brazil. Press reports have circulated that American military systems were infected by USB drives, and that U.K. Royal Navy warship and submarine systems were infected and rendered unusable; French fighter planes were also reportedly being grounded. Symantec is monitoring 450,000 IP addresses (PCs) with the original infection, with another 1.7 million PCs infected per day.

Who created Conficker?

In this case, the $250,000 question could take a dozen pages of explanation. One simple form of analysis for the potential bounty hunter is to follow the rabbit. But you'll need some Russian language skills. If we examine Kaspersky’s Virus List of Jan. 2, the Conficker worm was originally downloading from trafficconverter.biz, so that's a good starting place. A little examination shows this domain was originally registered via the now defunct EstDomains in December 2008. Even better, some additional Googling gives us a clue to the origin: In Russian hacker forums, we can see earlier offerings from trafficconverter.biz providing excellent reseller margins of $30 a pop to hackers for ensuring downloads of infectious, rogue, anti-virus software.

Not resolving - trafficconverter. biz

Resolving – trafficconverter2.biz

Sister site – RX-Partners.biz

Given the limited space and time, see what conclusions you can draw. You should end up with a combination of hosts, each with a questionable, cybercriminal reputation: AS43816 Centralux (a.k.a. WebAlta, Russia); AS28753 NetDirect (Germany); and AS41867 Geonic (Ukraine). Whether this gets you any closer to Microsoft's reward will depend on which rabbit hole you go down. But safe to say that this sort of incentive will flush out Conficker's writer(s)... The only remaining question is just how long that will take.

Happy hunting!


Cloning Security

Coming to a PC near you very soon is an innovative and possibly deadly combination of well known exploitation techniques, emerging from the dark side of the Internet. What makes this new attack so innovative are the targets: Internet security information and research Web sites. Hackers in the last week have been creating exact clones of Internet security Websites using proxies, DNS (domain name server) spoofing or redirection, and dedicated denial-of-service (DDoS) attacks.

It should not surprise anyone to realize Internet security research, forums, and information Websites are attacked on a regular or even daily basis. Mostly it is nuisance spam, bogus log-in attempts, or hack attempts to gain entry to the administrator side, and in more intense cases, DDoS.

But this cloning approach emerged from investigation only in the last week. To begin with, there was the discovery purely by accident, of an exact clone of the HostExploit Website. After further investigation, it was discovered this was not an isolated case, with one server hosting clones of security sites like avertlabs.com (McAfee), isc.sans.org, milw0rm.com, nmap.org, packetstormsecurity.org, secunia.com, securiteam.com, securityfocus.com, securityreason.com, thedarkvisitor.com, www-935.ibm.com (IBM), and xforce.iss.net (IBM).

In itself this was a worrying discovery, if simply viewed from content theft, hijacked traffic, click through, SSL forgery, PayPal information, and RSS links etc., of relatively high-traffic security sites. However, in parallel to the emergence of these clones commencing on Friday and over the weekend, several of the real sites listed as clones and a few others -- Metasploit, Zone-H, and Kaspersky -- were under hacker or DDoS attack, and in some cases a mixture of the two. For a while a couple sites were completely unavailable for a day or so, and one or two are still under a continuous DDoS attack.

Working off limited data from server logs and network traffic, at least a couple of the attacks originated from Poland (AS5617 TPNET); Romania (AS 9050 Romtelecom, AS39650 VIANET); Russia (JSC servers funneled via RTcomm, and Rostelecom via AS9002 RETN); and Turkey (AS9121 TTNet, AS8386 KOCNET). Many of these servers appear regularly on lists of the worst European offenders for hosting spam and exploits, according to the German-based anti-spam service UCEprotect.

I must emphasize here that there's no proven link between the appearances of the clones and this weekend's attacks. This could be a simple coincidence, but as Edmund Burke said. "Better be despised for too anxious apprehensions, than ruined by too confident security." It does leave the open question, if by hacking and DDoS, the real security Websites were offline the only source available could be the clones. It is by a simple step to include by DNS redirection, cookie plants, and other exploits, to ensure visitors went to and continued to visit the false, cloned sites.

Consider the mayhem that could be caused by providing bad file downloads and misinformation using these sorts of exploits, botnets, and spam, or even distorting the core news and advisories this sector, its enterprise customers and the press depend upon. Worst of all, even without any changes from the real sites, the data gathered from all those misdirected, security-minded visitors would be hugely valuable.

Obviously the intended outcome of the attacks and the clones is to damage reputations, create distrust, and ultimately make it easier for cyber-criminals to operate. The good news is thanks to swift action, these discovered clones and the hacker site serving them are offline. This is certainly not the last we will see of this approach.


Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 2

The Kyrgyzstan DDoS Attacks of January, 2009: Assessment and Analysis

This post is a joint effort of HostExploit.com, Jeff Carr of IntelFusion and Greg Walton of InforWarMonitor.net. Further analysis may be forthcoming by individual contributors at their respective Web sites.

On January 18, 2009, a large scale DDoS attack began against Kyrgyzstan Internet service providers (ISPs). Key national Web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently from Jan 18th 09.

Russian-based servers primarily known for cybercrime activity have been identified through IP analysis with the attacks on Kyrgyzstan.

Figure 1 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.

Figure 3 provides a BGP (Border Gate Protocol) Internet traffic routing for the period of the 15thth of January 2009, with primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan.

Timeline of Political Events

January 17: Prominent opposition leader detained in Kyrgyzstan

January 17: Political confrontation intensifies. Opposition activists form new coalition UPM (United People’s Movement)

January 19: Two opposition leaders detained and charged

January 19: Russia presses Kyrgyzstan to close US base

January 20: Kyrgyzstan Opposition denied use of Parliament Press Center

January 21: Kyrgyzstan government targets opposition

January 22: Journalists ordered to file personal information

January 22: Kyrgyz Opposition Party denied registration


The Kyrgyz cyber attacks during the week of January 18th fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party – the United Peoples Movement (UPM). Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) which brought him to power.

Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: “Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents,” he said.(IWPR article)

This appears to be a cyber operation for hire by the Bakiev government to control information access against its political opposition. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.

There is no evidence that the Russian government is directly involved, however Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the RF to deny access to these servers by Russian hackers.

Related Links:

Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Kyrgyz Websites subject to unexplained failure and hacking during the Parliamentary Elections (2005)

The Kyrgyzstan Cyber Attack That No One Is Talking About

The Cyber Iron Curtain


Cyberwar – The Cyber Iron Curtain: Now Kyrgyzstan – Part 1

Fig 1. The new Cyber Version of the Iron Curtain

Large scale DDos attacks have been underway against Kyrgyzstan Internet service providers (ISPs) for several days. This further establishes the emergence of the ‘Cyber Iron-Curtain’ as shown in the schematic diagram above. For examples, the key national web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have only been available intermittently from Jan 18th 09. We are able to confirm the ‘usual suspects’ of well known organized cybercrime servers have been involved, (see Part 2 for details). Although upstream providers in Russia and Kazakhstan have ironically been stating they are refusing to pass traffic because of the scale of the attacks.

The reasons for the cyber attacks are sketchy, as the Kyrgyz President Kurmanbek Bakiyev is seen as pro Kremlin. However, as a coincidence which is similar to DDos of Lithuanian web sites last year, when the Lithuanian Prime Minister visited the US. President Bakiyev is to visit Moscow on February 3, to discuss the extension of Russian investment in the Kyrgyz energy sector and Russia are pressurizing Kyrgyzstan to close the US military air base used to support operations in Afghanistan. (Sydney Morning Herald - news link)

Another view is to effectively neutralize the recently unified opposition United People’s Movement (UPM). In its founding charter, the coalition seeks a new political system for Kyrgyz and the removal of President Kurmanbek Bakiyev from office. Complaining of widespread corruption, increasing human rights abuse, and the deterioration of living standards, the UPM is planning a series of protests for February and March.

The Kyrgyz state general prosecutor has launched criminal investigations involving at least four opposition leaders in recent weeks. This past weekend, opposition leader Omurbek Tekebayev, chairperson of the Ata Meken Party, was arrested on vague weapons charges as he headed for a meeting in the northwestern Talas region of Kyrgyz. He has since been released.

The cyberwar attacks on Kyrgyzstan have also by confirmed on IntelFusion and Information Warfare Monitor describing three out of the four Kyrgyz ISPs having been taken down, e.g. AS8511 ASIAINFO Autonomous System Bishkek, Kyrgyzstan and the Kyrgyzstan official domain registration service AS8511 ASIAINFO Autonomous System Bishkek, Kyrgyzstan

Hence from a ‘Cyber Iron-Curtain’ perspective there is now provided a ‘control at will’ by Russia of communication and increasing cyber influence over its former Soviet satellites, a modern parallel to Winston Churchill’s post second world war description of the Soviet sphere of influence. Separately, the blocking of these major websites in Kyrgyzstan suggests that we should probably move this country up the relative scale of importance for the monitoring cyberwar around the world.

Click here for the RSS feed for Part 2 and further reports.


Majority of Top 100 Websites Host Malicious Content

A majority of the top 100 websites hosted either malicious content or masked redirects according to a Websense report.

Summarizing its significant findings during the six-month period ending in December 2008.

The highlights are:

Web Security

  • 77 percent of Web sites with malicious code are legitimate sites that have been compromised.The number of malicious Web sites identified by Websense Security Labs from January first, 2008 through January first, 2009 has increased by 46 percent.
  • 70 percent of the top 100 sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites.
  • This represents a 16 percent increase over the last six-month period.

Messaging Security

  • 84.5 percent of email messages were spam. This represents a 3 percent decrease over the last six months.
  • 90.4 percent of all unwanted emails in circulation during this period contained links to spam sites or malicious Web sites. This represents almost a 6 percent increase in emails containing malicious links to compromised sites.
  • Shopping remained the leading topic of spam (22 percent), followed closely by cosmetics (15 percent) and medical (14.5 percent). This remained consistent over the last six months.
  • Pornography-related spam increased sharply by 94 percent, but still only represented 9 percent of all email spam. 6 percent of spam messages were phishing attacks, representing a 33 percent decrease over the last six months.
  • This represents a change in tactics as spammers concentrated on data-stealing Trojan horses and DNS poisoning tactics to lure victims to malicious sites.

Data Security

  • 39 percent of malicious Web attacks included data-stealing code.
  • 57 percent of data-stealing attacks are conducted over the Web.
  • This represents a 24 percent increase over the six-month period.

The full report is here