[SecurityRatty] tag: whois

An "Aw3s0me" Offer?

Tue, 05 Aug 2008 12:52:53 +0000

Yes, it's time for our regular "sites to avoid" update with regards URLs related to this ring of sites asking for MSN login details. Yesterday evening, I received this via MSN:

Interestingly, this is the first site I've seen promoted on MSN related to this where the site being pushed isn't asking for your login details. Instead, it cycles through a bunch of adverts & promotions instead. Rather worryingly, the domain has been flagged for Phishing.

Click to Enlarge

In what might be a departure for these websites, there appears to be "real" Whois data listed for the URL, as opposed the "privacy protected" details I seem to remember being used for all the others.

Registrant Contact:
   TST Management, Inc
   Jeff Fisher

   Edificio Magna Corp. 5th Floor, Office 511
   Ave. Manuel Maria Icaza y Calle 51
   Panama City, Panama 0000
   PA

I'm sure there'll be another chapter in this ongoing saga soon.

Storm Worm Hosting Pharmaceutical Scams

Fri, 30 May 2008 10:50:06 +0000

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

producemorning.com
pressrose.com
posestory.com
picturewest.com
lowsmell.com
catsharp.com
printlength.com

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

Administrative Contact:
WenFeng NO.397,zhuquedadao street,xian
City,shanxi Province xi an Shanxi 710061 CN
tel: 298 5228188
fax: 298 5393585
yayun22@163.com

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

With pharma masters increasingly using fast-flux to increase the survivability of their domains participating in affiliation based pharmaceutical affiliate programs, Storm Worm is anything but lacking behind programs that connect scammers and (infected) infrastructure providers.

Related posts:
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Comcast.net not Hacked, DNS Records Hijacked

Fri, 30 May 2008 03:58:46 +0000

Two days ago in a show off move, the Kryogenics team managed to change the DNS records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this incident only served a defaced-looking like page, and denied email services to Comcast's millions of email users for a period of three hours.

The message they appear to have left at the first place, is actually hosted on third-party servers and reads :

"KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven"

Comcast's changed whois records looked like this, and were restored to their original state approximately three hours later :

Administrative Contact:
Domain Registrations,
Comcast kryogenicsdefiant@gmail.com
Defiant still raping 2k8 ebk 69 dick
tard lane dildo room
PHILADELPHIA, PA 19103
US 4206661870 fax: 6664200187

The hacked page was loading from the following locations :
freewebs.com/buttpussy69
freewebs.com/kryogeniks911
defiants.net/hacked.html

Comcast's comments :

"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."

Network Solutions comments :

"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."

"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.

With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.

How To Cyber Stalk Potential Employers Article Updated

Sun, 25 May 2008 20:21:34 +0000

I updated the "Social Networking Sites" section with information about RapLeaf. I also updated the "Mail Headers" section with information on the *nix command line whois and Nirsoft's Windows tools IPNetInfo and WhoIsThisDomain.

How To Cyber Stalk Potential Employers Article Updated

Sun, 25 May 2008 20:21:34 +0000

How To Cyber Stalk Potential Employers Article Updated

Sun, 25 May 2008 20:21:34 +0000

ICANN Gets Tough With Shady Registrar

Tue, 20 May 2008 02:53:16 +0000

ICANN has put a registrar on notice that they are in violation of the Registrar Accreditation Agreement and subject to termination in 15 days.

The registrar is Red Register, a registrar with a troubled legal history. They are currently being sued by Microsoft for registering 125 names that typosquat Microsoft's trademarks.

According to the letter sent by ICANN to Red Register, the company was informed back in February of a finding in the arbitration case of Cambridge Pavers, Inc. v Versata Software, Inc. c/o Versata Hostmaster heard by the National Arbitration Forum, pursuant to the ICANN UDRP (Uniform Dispute Resolution Policy). The domain at issue was cambridgepavingstone.com. The registrant, Versata software, lost the case, unsurprisingly since they didn't bother to file a response to the UDRP charges. The cambridgepavingstone.com home page is, of course, parked with the usual boring set of ads.

[Full disclosure: My front walk is built with Cambridge Pavers, and it's really nice. We're very happy with our decision.]

Red Register, as the registrar of record on the domain, was ordered to transfer the domain to Cambridge Pavers, and has ignored the orders. To get a sense of what kind of registrar Red Register is, try running whois on their own domain redregister.com: yes, it's a private registration. In fact, just who these people are is a little fuzzy here; the Contact Us page at Red Register lists addresses in Columbus, OH. But the ICANN notice is sent to a Daniel Sundin in Madison, WI. Two college football towns; perhaps Red Register hasn't responded because Mr. Sundin went off to grad school.

This will be fun to follow; it's hard to imagine they won't relinquish the domain in time. Not only have their permission to operate a registrar business been threatened, but it's getting press. But who knows, maybe the company is on autopilot and the snail mail piles up behind the front door.

Romanian Script Kiddies and the Screensavers Botnet

Mon, 07 Apr 2008 23:48:40 +0000

Shall we turn into zombies, and peek into the modest botnet courtesy of Romanian script kiddies, that are currently spamming postcard.scr greeting cards? Meet the script kiddies. This botnet is going nowhere mostly because knowing how to compile an IRC bot doesn't necessarily mean you posses a certain know-how, a know-how that experienced botnet masters have been outsourcing for years. Malware is obtained through links pointing to :

xhost.ro/filehost/phrame.php?action=saveDownload&fileId=15735
xhost.ro/filehost/phrame.php?action=editDownload&fileId=12923
xhost.ro/filehost/phrame.php?action=saveDownload&fileId=3656
xhost.ro/filehost/phrame.php?action=editDownload&fileId=10936

Scanners result : Result: 22/32 (68.75%)
Trojan.Zapchas.F; IRC/BackDoor.Flood; Backdoor.IRC.Zapchast
File size: 735139 bytes
MD5...: 015e5826084f2302b4b2c3237a62e244
SHA1..: 7d05949f6dfffdc58033c9d8b86210a9bd34897c

Sample traffic output :
"NICK Mq2kC01
USER las "" "pic.kauko.lt" :Px7aW6
USER las "" "Helsinki.FI.EU.Undernet.org" :Px7aW6
USERHOST Mq2kC01
NICK :Rk1zK50
AWAY :Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
MODE Mq2kC01 +i
ISON loverboy loveru SirDulce
JOIN #madarfakar
USER kzg "" "Helsinki.FI.EU.Undernet.org" :Ho5xI1
NICK :Vm3uF52
MODE Mq2kC01 +wx"

And in next couple of hours, the most interesting domain that joined the IRC channel was :

Ny2fW15 is fwuser@mails.legislature.maine.gov * Kg1jT7
Ny2fW15 on #madarfakar
Ny2fW15 using Noteam.Vs.undernet.org I'm too lazy to edit ircd.conf
Ny2fW15 is away: Eu te scuip in cap si'n gura, tu ma pupi in cur si'n pula =))!
Ny2fW15 has been idle 1min 31secs, signed on Fri Apr 04 12:05:17
Ny2fW15 End of /WHOIS list.

This botnet's futile attempt to scale is a great example of the growing importance of knowlege and experience empowered botnet masters, as a key success factor for sustainability, and also, basic understanding of economic forces, namely, when they're not making an investment there cannot be a return on investment on their efforts at the first place. Take a peek at the efficiency level of remote file inclusion achieved by another botnet, and at alternative botnet C&C channels courtesy of botnet masters realizing that diversity is vital.

Who's Selling Front-Running Data?

Fri, 18 Jan 2008 08:15:55 +0000

In their explanation for why they engage in front-running in order to protect against it, Network Solutions says: "Front Runners may get access to these searches through Internet Service Providers, Spyware, or registries. " I asked Network Solutions if they had any evidence to back this statement up or if it was just speculation. Personally, I've never seen any hard evidence for where front-runners get their tips. They said "We have enough evidence to back up what we've said." I guess the word "may" can make the statement mean anything, so nobody's lying. But do registries actually and provide data on domain searches to front-runners? I've spoken in the last couple of days to the CEOs of Afilias and PIR, which operate ,ORG, .INFO and some lesser domains. They swear up and down that they never sell this data, and I believe them. Of course, tasting and front-running are overwhelmingly .COM issues. I haven't spoken to VeriSign, but I don't believe for a second that they're involved. First, I just can't see them selling such data to these two-bit criminals. Second, when you do a whois request on .COM, it doesn't even usually make it to the registry. It's usually satisfied at some server further up the road. My own command line whois searches whois.internic.net. So VeriSign doesn't necessarily get access to the data in order to sell it. And don't even think of suggesting that the Internic.net, run by the IANA, is selling whois searches to domain tasters. How would ISPs get this data? Presumably by spying on your communications. Sorry, I think this would have shown up and been a scandal through other means long ago if it were true. Spyware is a plausible option; if a user, unbeknownst to them, is running a keylogger, and they do a whois, the spy can see this and jump the claim on the domain. I know of no direct evidence that this is happening, but I can see it happening. When I've heard of front-running cases, I've always been told that the domain was registered the day after the search, which is pretty fast turnaround for the spyware method. So this is possible, but count me skeptical. Where do most people go to search for domains? They don't go to registrars, unless the registrar is (like GoDaddy) also a major hosting service. They go to the hosting service and search there. These services have a web form which proxies a whois request behind the scenes. My money is on one or more of these hosting services, or some disloyal employee at them, selling the search data, especially for searches that don't covert to sales within some short period of time. When I was researching this subject heavily there was one hosting service name that came up more than once, but I couldn't ever nail them down or even get them on the phone. So it's not fair to name them. But anyway, that's what I think is happening, not that I have proof. Network Solutions' explanation doesn't persuade me.

Who's Selling Front-Running Data?

Fri, 18 Jan 2008 08:15:55 +0000