Crimeware server and the international man of mystery

While conducting research for the latest Malicious Page of the Month report, which we have just released, we tried to track down the origins of the crimeware.

Obviously, this is a daunting task in itself. Even when security researchers manage to point at the specific people running a criminal operation, it does not always help much (remember the RBN case: multiple law enforcement agencies were notified, but the people behind the scenes were never arrested or indicted).

Well then, back to our little server: the domain name hosting the crimeware (Neosploit 2.0.13) was hosted in Hong Kong (see below).

[image: mistery001]

So that does not bring us any closer to who is behind this, as the address belongs to a hosting company. Fortunately, our research turned up some additional IP addresses. We managed to obtain these from the web server in the same way we uncovered the 8,700 FTP account credentials the research paper describes (no exploits or attacks were used to do so; simply thinking outside the box sufficed).

Tracking these down proved to be a nice tour around the globe (lengthy whois output has been trimmed for clarity):

inetnum:        78.109.19.160 - 78.109.19.167
netname:        activebill
descr:          activebill - Andrey Smirnov
person:         Andrey Smirnov
address:        125167, Leningradsky prospekt, 47, Moscow, Russia
remarks:        phone:        +7 095 795 0295
phone:          +7 495 795 0295
remarks:        fax-no:       +7 095 795 0295
fax-no:         +7 495 795 0295
nic-hdl:        AS32250-RIPE
e-mail:         [email protected]
source:         RIPE # Filtered

inetnum:        82.146.40.0 - 82.146.47.255
netname:        ISPSYSTEM
descr:          ISPsystem at MSM
country:        RU
admin-c:        DS2036-RIPE
tech-c:         AB11726-RIPE
status:         ASSIGNED PA
mnt-by:         ISPSYSTEM-MNT
source:         RIPE # Filtered

person:         Dmitry Sidorov
address:        PoBox 30, 664017, Irkutsk, Russia
phone:          +7 495 727 38 79
e-mail:         [email protected]
nic-hdl:        DS2036-RIPE
source:         RIPE # Filtered

person:         Alexandr Brukhanov
address:        PoBox30, 664017, Irkutsk, Russia
phone:          +7 495 727 38 79
nic-hdl:        AB11726-RIPE
source:         RIPE # Filtered

inetnum:        85.17.111.0 - 85.17.111.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          P.O. Box 93054
descr:          1090BB AMSTERDAM
descr:          Netherlands
descr:          www.leaseweb.com
remarks:        Please send email to "[email protected]" for complaints
remarks:        regarding portscans, DoS attacks and spam.
remarks:        INFRA-AW
country:        NL
admin-c:        LSW1-RIPE
tech-c:         LSW1-RIPE
status:         ASSIGNED PA
mnt-by:         OCOM-MNT
source:         RIPE # Filtered

OrgName:    Galaxyvisions Inc
OrgID:      GALAX-6
Address:    882 3rd avenue 8th floor
City:       Brooklyn
StateProv:  NY
PostalCode: 11232
Country:    US
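To turn whois output like the above into pins on a map, here is a small parser added as an illustration (it is not the blog's own tooling): it splits RIPE-style objects on blank lines, expands an inetnum range into the CIDR blocks it covers, and reports which allocation and country a given address falls in. The sample records are constructed from the public inetnum objects quoted above, keeping only the network-level attributes.

```python
"""Parse RIPE-style whois objects and map an IP address to its allocation."""
import ipaddress

# Constructed sample, laid out like the RIPE records quoted above: objects are
# separated by blank lines and keys such as descr may repeat.
SAMPLE_WHOIS = """\
inetnum:        82.146.40.0 - 82.146.47.255
netname:        ISPSYSTEM
country:        RU
admin-c:        DS2036-RIPE
source:         RIPE # Filtered

inetnum:        85.17.111.0 - 85.17.111.255
netname:        LEASEWEB
descr:          LeaseWeb
descr:          Netherlands
country:        NL
admin-c:        LSW1-RIPE
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Split raw whois text into a list of {attribute: [values]} objects."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():                # a blank line closes an object
            if current:
                objects.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(obj):
    """Convert 'inetnum: start - end' into the CIDR blocks it covers."""
    start, end = (p.strip() for p in obj["inetnum"][0].split("-", 1))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def locate(ip, objects):
    """Return (netname, country) of the inetnum object covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "inetnum" in obj and any(addr in net for net in inetnum_networks(obj)):
            return obj["netname"][0], obj["country"][0]
    return None
```

Feeding each recovered address through `locate` with the real whois answers gives the country for each pin; addresses outside every parsed range come back as `None` rather than being guessed.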

Putting all of these on a map gives a very interesting, cross-continent "international man of mystery" network of connections:

[image: mistery002]

Obviously we are looking at an Eastern-bloc oriented operation, with some access to resources in the Netherlands and the US (either other people, or simply machines from which the access could have been made).

Now that law enforcement agencies are involved, maybe we will see some developments on the matter, although from the look of these pins on the map, I expect some really interesting multilingual cop-speak to spring up soon…
