NTP vulnerabilities affect all Hawaiian Telcom Internet service customers, so Hawaiian Telcom blocks all NTP

Written by kent on February 20th, 2014

After a rash of Network Time Protocol (NTP) reflection/amplification attacks, Hawaiian Telcom confirmed that NTP was indeed blocked globally “for the cyber safety of their customers” until they can roll out a patch to all of their customers' Pace routers that are vulnerable to the exploit. I found that another ISP, Sonic, is having the same problem as Hawaiian Telcom with their Pace routers.

CERT has published this Vulnerability Note.

Here you go. The following are the NTP servers that Hawaiian Telcom has exempted (though most of their tech support staff do not know it) from their recent global block ACL of everything else on planet Internet on UDP port 123:

12.230.209.133

12.230.208.133

12.230.208.48

12.230.209.5
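Added example, not part of the original post and not anything Hawaiian Telcom provides: a small Python probe that sends a standard NTP client request (mode 3) to each of the servers listed above, plus pool.ntp.org as a control that the ACL should drop, and reports whether a server reply (mode 4) came back. The only assumption is the standard 48-byte NTP packet layout; the offset it prints is a rough one-way difference, not a proper four-timestamp NTP offset. A timeout on the exempted servers but a reply elsewhere would mean the block is not what you were told; a reply from the exempted servers and a timeout on pool.ntp.org matches the ACL described above.

```python
import socket
import struct
import time

# Servers taken from the post above; pool.ntp.org is assumed here as the control that should be dropped.
HAWAIIAN_TELCOM_EXEMPT_SERVERS = ["12.230.209.133", "12.230.208.133", "12.230.208.48", "12.230.209.5"]
CONTROL_SERVER = "pool.ntp.org"

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
NTP_MODE_CLIENT = 3
NTP_MODE_SERVER = 4


def build_client_request():
    """48-byte NTP packet: LI=0, VN=3, mode=3 packed into the first byte (0x1b), everything else zero."""
    first = (0 << 6) | (3 << 3) | NTP_MODE_CLIENT
    return bytes([first]) + b"\x00" * 47


def parse_server_reply(data):
    """Return (stratum, transmit_time_unix) from a server reply; raise ValueError for anything else."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    mode = data[0] & 0x07
    if mode != NTP_MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    stratum = data[1]
    if stratum == 0:
        # Stratum 0 is a kiss-o'-death packet; the reference-id field carries an ASCII code such as RATE.
        raise ValueError("kiss-o'-death: %s" % data[12:16].decode("ascii", "replace"))
    tx_seconds, tx_fraction = struct.unpack("!II", data[40:48])
    return stratum, tx_seconds - NTP_UNIX_OFFSET + tx_fraction / 2 ** 32


def probe(server, timeout=2.0):
    """Query one server; return (reachable, detail) where detail is a rough offset or the failure reason."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_request(), (server, 123))
        data, _ = sock.recvfrom(512)
        stratum, server_time = parse_server_reply(data)
        return True, "stratum %d, rough offset %+.3fs" % (stratum, server_time - time.time())
    except socket.timeout:
        return False, "no reply within %.1fs (filtered upstream or server down)" % timeout
    except (OSError, ValueError) as exc:
        return False, str(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    for server in HAWAIIAN_TELCOM_EXEMPT_SERVERS + [CONTROL_SERVER]:
        ok, detail = probe(server)
        print("%-16s %s %s" % (server, "OK  " if ok else "FAIL", detail))
```

Running it needs network access; the packet builder and parser work offline. A reply that parses as mode 4 is the only positive signal worth trusting, since an ICMP unreachable or silence looks the same from a blocked and a dead server.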


Economics of Dogecoin Mining in Honolulu

Written by kent on December 31st, 2013

Years ago now I bought a Bitcoin for twelve dollars and a few cents. Around the same time I ran a Bitcoin peer daemon for a while on this very web server in order to observe and analyze the Bitcoin P2P traffic.  Later, I cashed out that Bitcoin and made a profit of…a few cents.  Should have waited, huh?  Nonetheless, that brings me to the topic of this post, which is the economics of mining a cryptocurrency like Dogecoin.  Dogecoin has made the news recently because of its pop status as the first meme-based cryptocurrency, not to mention an online Dogecoin wallet theft. Dogecoin was inspired by the Doge meme which was itself started by a marked-up photo of a rescue dog belonging to an unwitting middle-aged schoolteacher in Japan. But I digress at the expense of saving you from a Google search.

Dogecoin and other scrypt-based alternatives like Litecoin have brought the potential of (albeit limited) profitable cryptocurrency mining back to the masses. Within just the last year, mining the cryptocurrency standard, Bitcoin, has quickly become profitable only with massive-scale ASIC-based mining operations, such as a liquid-cooled dedicated facility in Hong Kong, owing to the intentionally ballooning difficulty built into the Bitcoin code. But given some cheap power and a video card with a decent GPU, or a cheap VPS, you can actually make a few cents mining alternate coins. Barely.

If you live in Honolulu like I do, where the price of electrical power is $0.36 per kilowatt-hour (and well above $0.40 on the neighbor islands!), such a tiny profit would actually be impossible. You would be adding to global warming at the same time as subtracting from your wallet. But there is cheap power to be had in Hawaii, specifically solar power from photovoltaic installations. If you have PV overcapacity like some folks I know, putting an old gaming rig or two out to pasture at cryptocurrency mining couldn’t hurt.

Now, if you think cryptocurrency mining might be for you, use this mining calculator to confirm you aren’t actually delusional.
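Added example, not the calculator the post links to: the arithmetic such a calculator performs, so you can see where the break-even electricity price comes from. The expected-coins formula is the standard one for proof-of-work coins (each hash has a 1 in difficulty × 2^32 chance of solving a block). The rig, difficulty, block reward and coin price in the demo are assumed figures for illustration, not numbers from the post; the $0.36 and $0.40 per kWh rates are the ones quoted above.

```python
# Added example; the formula is the standard proof-of-work expectation, the demo figures are assumed.
SECONDS_PER_DAY = 86400


def expected_coins_per_day(hashrate_hps, difficulty, block_reward):
    """Expected coins per day for a miner hashing at hashrate_hps against the given network difficulty."""
    blocks_per_day = hashrate_hps * SECONDS_PER_DAY / (difficulty * 2 ** 32)
    return blocks_per_day * block_reward


def daily_electricity_cost(power_watts, usd_per_kwh):
    """Cost of running the rig for 24 hours at a flat per-kWh tariff."""
    return power_watts / 1000.0 * 24 * usd_per_kwh


def daily_profit(hashrate_hps, power_watts, usd_per_kwh, difficulty, block_reward, coin_price_usd):
    """Revenue from expected coins minus electricity; negative means you are paying to mine."""
    revenue = expected_coins_per_day(hashrate_hps, difficulty, block_reward) * coin_price_usd
    return revenue - daily_electricity_cost(power_watts, usd_per_kwh)


def breakeven_usd_per_kwh(hashrate_hps, power_watts, difficulty, block_reward, coin_price_usd):
    """Electricity price above which the rig loses money: revenue per day over kWh consumed per day."""
    revenue = expected_coins_per_day(hashrate_hps, difficulty, block_reward) * coin_price_usd
    return revenue / (power_watts / 1000.0 * 24)


if __name__ == "__main__":
    # Assumed for illustration: a GPU rig doing 400 kH/s scrypt at 300 W, difficulty 1000,
    # a 250,000 DOGE block reward and a price of $0.0003 per DOGE.
    rig = dict(hashrate_hps=400_000, power_watts=300, difficulty=1000,
               block_reward=250_000, coin_price_usd=0.0003)
    print("break-even power price: $%.3f/kWh" % breakeven_usd_per_kwh(**rig))
    for label, price in [("Honolulu", 0.36), ("neighbor islands", 0.40), ("PV overcapacity", 0.0)]:
        print("%-17s $%.2f/kWh -> $%+.2f/day" % (label, price, daily_profit(usd_per_kwh=price, **rig)))
```

Difficulty is the variable that moves fastest: plug in the current network difficulty rather than a number from a forum post, because the expected coins per day shrink in proportion to it while the power bill does not.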


Image: doge-kwh

Money mule recruiting campaign for Tuesday, 19 November 2013

Written by kent on November 20th, 2013

From my Inbox.  More about Money Mules here:

https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf


#####BEGIN MONEY MULE RECRUITING EMAIL#####

Return-Path: <amackubye@london.com>
X-Original-To: <sanitized>
Delivered-To: <sanitized>
Received: from london.com (bas10-montreal28-2925132541.dsl.bell.ca [174.89.250.253])
 by <sanitized> (Postfix) with SMTP id 544E4186A31
 for <sanitized>; Tue, 19 Nov 2013 21:17:48 -0600 (CST)
Message-ID: <C20110CF.DB945F0B@london.com>
Date: Wed, 20 Nov 2013 04:17:41 +0100
Reply-To: "<Me>" <amackubye@london.com>
From: "<Me>" <amackubye@london.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19
MIME-Version: 1.0
To: "AOL Users" <sanitized>
Subject: Find the job that's right for you.
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Good day

We are pleased to inform report you that we start recruiting recruitment for the  Operations Assistant vacancy We do not discriminate in practices job on the basis of an individual’s race, color, national ethnic origin,  age marital status, veteran status, disability, or any other prohibited category set forth in federal or state regulations.

 

JOB POSITION: Operations Assistant (home-sourced) usd 500/week | PART-TIME | FLEXIBLE SCHEDULE

 

Requirements:

- Must be able to work independently;

- Must be detail oriented and organized responsible;

- Must be able to work well with others;

- PC proficient in Windows environments.

 

Duties Instructions:

- Process payments money transfers from customers;

- Check and verify transactions to ensure consistency and accuracy of accounting documents;

- May assist in the training and guiding of staff.

 

APPLY:

To apply please send your Resume: careers@grandconsultgroup.com

#####END MONEY MULE RECRUITING EMAIL#####


The following dossier is courtesy of Centralops.net:

Address lookup

canonical name grandconsultgroup.com.
aliases
addresses 89.144.29.207

Domain Whois record

Queried whois.internic.net with “dom grandconsultgroup.com”…

   Domain Name: GRANDCONSULTGROUP.COM
   Registrar: INTERNET.BS CORP.
   Whois Server: whois.internet.bs
   Referral URL: http://www.internet.bs
   Name Server: NS1.1000MBIT.RU
   Name Server: NS2.1000MBIT.RU
   Status: clientTransferProhibited
   Updated Date: 12-sep-2013
   Creation Date: 12-sep-2013
   Expiration Date: 12-sep-2014

>>> Last update of whois database: Wed, 20 Nov 2013 19:30:39 UTC <<<

Queried whois.internet.bs with “grandconsultgroup.com”…

Domain grandconsultgroup.com

Date Registered: 2013-9-12
Expiry Date: 2014-9-12

DNS1: ns1.1000mbit.ru
DNS2: ns2.1000mbit.ru

Registrant
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccz110on03@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Administrative Contact
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccb5qgpw80@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Technical Contact
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccdrlo73ff@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Registrar: Internet.bs Corp.
Registrar's Website : http://www.internetbs.net/

Network Whois record

Queried whois.ripe.net with “-B 89.144.29.207”…

% Information related to '89.144.29.203 - 89.144.29.207'

% No abuse contact registered for 89.144.29.203 - 89.144.29.207

inetnum:        89.144.29.203 - 89.144.29.207
netname:        RU-VICORE-Network
descr:          Kras-Infocom LLC
descr:          Own infrastructure
descr:          Frankfurt am Main, Germany
country:        RU
admin-c:        KL2321-RIPE
tech-c:         KL2321-RIPE
status:         assigned PA
mnt-by:         ISP4P-MNT
changed:        hostmaster@isp4p.net 20130505
source:         RIPE

person:         Kras-infocom LLC
address:        Igor Astafyev
address:        Krasnoy Gvardii st.,21 of 209
address:        660075, Krasnoyarsk
address:        Krasnoyarskiy kray
phone:          +7 391 2414964
fax-no:         +7 391 2094408
abuse-mailbox:  abs@rusmailbox.ru
nic-hdl:        KL2321-RIPE
mnt-by:         ISP4P-MNT
changed:        hostmaster@isp4p.net 20130504
source:         RIPE

% Information related to '89.144.0.0/18AS35042'

route:          89.144.0.0/18
descr:          ISP4P
origin:         AS35042
mnt-by:         ISP4P-MNT
mnt-routes:     mnt-weesly
changed:        info@isp4p.net 20130701
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.70 (WHOIS4)

DNS records

name class type data time to live
grandconsultgroup.com IN MX
preference: 10
exchange: mx.yandex.ru
14400s (04:00:00)
grandconsultgroup.com IN SOA
server: ns1.1000mbit.ru
email: witalij@rusmailbox.ru
serial: 2013091203
refresh: 86400
retry: 7200
expire: 3600000
minimum ttl: 86400
86400s (1.00:00:00)
grandconsultgroup.com IN NS ns1.1000mbit.ru 86400s (1.00:00:00)
grandconsultgroup.com IN NS ns2.1000mbit.ru 86400s (1.00:00:00)
grandconsultgroup.com IN A 89.144.29.207 14400s (04:00:00)
207.29.144.89.in-addr.arpa IN PTR quantum.1000mbit.ru 86400s (1.00:00:00)
29.144.89.in-addr.arpa IN SOA
server: ns3.isp4p.net
email: hostmaster@isp4p.net
serial: 2005110900
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 3600
86400s (1.00:00:00)
29.144.89.in-addr.arpa IN RRSIG
type covered: NSEC (47)
algorithm: RSA/SHA-1 (5)
labels: 5
original ttl: 7200 (02:00:00)
signature expiration: 2013-12-20 16:54:19Z
signature inception: 2013-11-20 15:54:19Z
key tag: 9753
signer’s name: 89.in-addr.arpa
signature:
(1024 bits)
17CCD77F834C239FC3F0F92C61C21D2C
35A0EF822E896A1A674E5FEF2F72B41B
D65786642B9CA456231A62E70AC14BEB
ECE37147D3753A71386583FC734FFE3E
9392889183ACD51E2D781E009B6D8F61
46FAC30749ED33D45ABCC0F790F548C0
3AF6839982B2C17433F1F352AFF183F3
E102311759B16A079D12462279C5F78C
7200s (02:00:00)
29.144.89.in-addr.arpa IN NSEC
next domain name: 3.144.89.in-addr.arpa
record types: NS RRSIG NSEC
7200s (02:00:00)
29.144.89.in-addr.arpa IN NS ns3.isp4p.net 3600s (01:00:00)
29.144.89.in-addr.arpa IN NS ns4.isp4p.net 3600s (01:00:00)

Traceroute

Tracing route to grandconsultgroup.com [89.144.29.207]…

hop rtt rtt rtt ip address fully qualified domain name
1 0 0 0 208.101.16.73 208.101.16.73-static.reverse.softlayer.com
2 0 0 0 66.228.118.153 ae11.dar01.sr01.dal01.networklayer.com
3 0 0 0 173.192.18.210 ae6.bbr01.eq01.dal03.networklayer.com
4 0 0 0 173.192.18.209 ae7.bbr02.eq01.dal03.networklayer.com
5 20 20 20 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com
6 19 23 25 198.32.132.75 10gigabitethernet1-3.core1.atl1.he.net
7 35 32 41 184.105.213.109 10gigabitethernet16-5.core1.ash1.he.net
8 112 113 124 184.105.213.94 10gigabitethernet9-2.core1.par2.he.net
9 170 181 185 72.52.92.25 10gigabitethernet15-1.core1.fra1.he.net
10 120 120 120 31.214.136.65
11 121 121 121 109.230.212.130
12 119 118 119 109.230.226.122
13 118 118 118 89.144.29.207 quantum.1000mbit.ru

Trace complete

Service scan

FTP – 21 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 03:31. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
220 Logout.
SMTP – 25 220-quantum.1000mbit.ru ESMTP Exim 4.80.1 #2 Thu, 21 Nov 2013 03:31:21 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
421 quantum.1000mbit.ru lost input connection
HTTP – 80
POP3 – 110 +OK Dovecot ready.

___________________________________________________________

Screenshot: grandconsultgroup website screenshot
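Added example, not part of the original post: a Python triage script for the kind of message quoted above. It parses the topmost Received header (the one your own MX wrote, which is the only hop you can trust), compares the HELO name against the reverse DNS the MX recorded, pulls the contact address out of the body and compares its domain with the sender's, and computes the domain age from the whois creation date in the dossier. The sample message is constructed from the headers quoted in the post with the sanitised recipient fields replaced by placeholders under the reserved .invalid TLD; the list of residential-looking reverse DNS fragments is a heuristic assumption, not something from the post.

```python
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: headers from the post, recipient side replaced with .invalid placeholders.
RAW_MESSAGE = (
    "Return-Path: <amackubye@london.com>\r\n"
    "Received: from london.com (bas10-montreal28-2925132541.dsl.bell.ca [174.89.250.253])\r\n"
    "\tby mx.sanitized.invalid (Postfix) with SMTP id 544E4186A31\r\n"
    "\tfor <victim@sanitized.invalid>; Tue, 19 Nov 2013 21:17:48 -0600 (CST)\r\n"
    "Message-ID: <C20110CF.DB945F0B@london.com>\r\n"
    "Date: Wed, 20 Nov 2013 04:17:41 +0100\r\n"
    'Reply-To: "<Me>" <amackubye@london.com>\r\n'
    'From: "<Me>" <amackubye@london.com>\r\n'
    'To: "AOL Users" <victim@sanitized.invalid>\r\n'
    "Subject: Find the job that's right for you.\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/plain; charset="iso-8859-1"\r\n'
    "\r\n"
    "JOB POSITION: Operations Assistant (home-sourced) usd 500/week | PART-TIME\r\n"
    "To apply please send your Resume: careers@grandconsultgroup.com\r\n"
)

# "from <HELO name> (<reverse DNS> [<ip>])" as Postfix and most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RESIDENTIAL_HINTS = ("dsl", "cable", "dyn", "pool", "ppp")  # heuristic, assumed


def originating_hop(msg):
    """Parse the topmost Received header, the one our own MX wrote. Anything below it was
    supplied by the sender and may be forged, so it is not used."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_RE.search(" ".join(str(received[0]).split()))
    return match.groupdict() if match else None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw, whois_created, today):
    """Return the indicators a first-pass analyst would want for a suspected mule recruitment mail."""
    msg = message_from_string(raw, policy=policy.default)
    hop = originating_hop(msg) or {}
    sender_domain = domain_of(parseaddr(str(msg["From"]))[1])
    contacts = sorted({a.lower() for a in EMAIL_RE.findall(msg.get_content())})
    contact_domains = sorted({domain_of(a) for a in contacts})
    rdns = (hop.get("rdns") or "").lower()
    return {
        "origin_ip": hop.get("ip"),
        "helo": hop.get("helo"),
        "rdns": rdns,
        "sender_domain": sender_domain,
        "contact_domains": contact_domains,
        # HELO claims the sender's domain but the MX's reverse lookup says otherwise: spoofed sender.
        "helo_mismatch": bool(hop) and not rdns.endswith(hop["helo"].lower()),
        "residential_origin": any(hint in rdns for hint in RESIDENTIAL_HINTS),
        # Replies are steered to a domain other than the (spoofed) sender's.
        "contact_domain_mismatch": any(d != sender_domain for d in contact_domains),
        "domain_age_days": (today - whois_created).days,
    }


def triage_sample():
    """The sample above against the whois creation date from the dossier, as of the lookup date."""
    return triage(RAW_MESSAGE, whois_created=date(2013, 9, 12), today=date(2013, 11, 20))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print("%-24s %s" % (key, value))
```

The three mismatches it surfaces (HELO versus reverse DNS, sender domain versus contact domain, and a domain registered nine weeks before the campaign behind a privacy proxy) are exactly what the whois and DNS output above shows by hand.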

Undocumented Outlook 2010/2013 feature: PGP-GPG-GnuPG-signed email validation out of the box

Written by kent on September 26th, 2013

UPDATE NOV 2013. My wife pointed out to me that Outlook 2010 has the same feature. Having used Outlook 2013 as my main email client (on Windows) for a few days now, I was surprised it took me so long to notice the digital signature ribbons in my preview pane on GPG/PGP-signed and S/MIME-signed emails alike. They looked like this (sent to myself for the purposes of this post).

Image: Outlook2k13-crypto-ribbons

Hmm. That’s interesting. I thought Outlook was an S/MIME-only shop. Just to be sure, I also sent an invalid PGP signature (one taken from another email). It was not recognized by Outlook, as expected. Which means Outlook 2013 is validating PGP signatures through its cryptographic module. Certainly this was something new compared to Outlook 2010. A Google search revealed…nothing. Figures. How about a Bing search?

I did this on Bing: PGP “outlook 2013” site:microsoft.com

I found this. But alas, there weren’t too many details, and none specifically on PGP/GPG. I dug into the Outlook Trust Center settings and found this.

Image: Outlook2k13-TrustCenter-crypto-format

While grayed out, it does have a drop-down for *selecting* cryptographic formats. So something other than S/MIME? I wonder if this was worked out with Symantec to better integrate their PGP Desktop product within the Outlook framework. UPDATE 01 Jan 2014. As per a reader observation, it appears that Outlook just looks for a particular PGP/MIME protocol declaration in the email headers. So, to summarize, Outlook 2013 (and 2010) recognizes PGP/GPG-signed emails by checking the MIME headers of clear-signed messages, but probably does not perform actual cryptographic signature validation. There is no way to send or read PGP/GPG-encrypted emails out of the box. I cannot find any documentation on the subject in Office Help, online or offline, so one of these days I will have to dig around in the registry.
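Added example, not Microsoft's code and not something from the original post: what a header-only check of the kind described in the update looks like next to real verification, in Python. The structural test follows RFC 3156 (multipart/signed with protocol="application/pgp-signature" and a second part of that type); it passes for the constructed sample below even though the signature block is a placeholder that no key will ever verify, which is the distinction the post draws. The verify step shells out to gpg and assumes gpg is on the PATH with the signer's public key imported.

```python
from email import message_from_string, policy

PGP_SIGNATURE_TYPE = "application/pgp-signature"

# Constructed sample: an RFC 3156 PGP/MIME signed message whose signature is a placeholder.
SIGNED_SAMPLE = (
    "From: Alice <alice@example.invalid>\r\n"
    "To: Bob <bob@example.invalid>\r\n"
    "Subject: signed test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/signed; micalg=pgp-sha256;\r\n"
    ' protocol="application/pgp-signature"; boundary="=-sig-bnd"\r\n'
    "\r\n"
    "--=-sig-bnd\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "This text is covered by the detached signature.\r\n"
    "--=-sig-bnd\r\n"
    'Content-Type: application/pgp-signature; name="signature.asc"\r\n'
    "Content-Description: OpenPGP digital signature\r\n"
    "\r\n"
    "-----BEGIN PGP SIGNATURE-----\r\n"
    "\r\n"
    "placeholderBase64NotARealSignature=\r\n"
    "=AbCd\r\n"
    "-----END PGP SIGNATURE-----\r\n"
    "--=-sig-bnd--\r\n"
)
PLAIN_SAMPLE = "From: a@example.invalid\r\nTo: b@example.invalid\r\nSubject: hi\r\n\r\nno signature here\r\n"


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def looks_pgp_signed(msg):
    """Structural (header) check only, per RFC 3156. Passing says nothing about whether the
    signature is valid, or even well-formed: this is the 'ribbon' test, not verification."""
    if msg.get_content_type() != "multipart/signed":
        return False
    if msg.get_param("protocol") != PGP_SIGNATURE_TYPE:
        return False
    parts = msg.get_payload()
    return len(parts) == 2 and parts[1].get_content_type() == PGP_SIGNATURE_TYPE


def split_signed(msg):
    """Return (signed_bytes, armored_signature). The signed data is the first part including its
    MIME headers with CRLF line endings, which is what the signer hashed (RFC 3156 section 5).
    A production verifier should take the raw bytes off the wire rather than re-serialising."""
    body, sig = msg.get_payload()
    return body.as_bytes(policy=policy.SMTP), sig.get_payload(decode=True).decode("ascii")


def verify_with_gpg(signed_bytes, armored_signature):
    """Real verification via gpg (assumed on PATH, signer's key in the keyring): True only on exit 0."""
    import subprocess
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".asc") as sig, tempfile.NamedTemporaryFile() as data:
        sig.write(armored_signature.encode("ascii"))
        sig.flush()
        data.write(signed_bytes)
        data.flush()
        result = subprocess.run(["gpg", "--batch", "--verify", sig.name, data.name],
                                capture_output=True)
    return result.returncode == 0


def classify(raw):
    """The decision a header-only client can make: structure present or not."""
    return "pgp-mime structure present" if looks_pgp_signed(parse(raw)) else "not PGP/MIME signed"


if __name__ == "__main__":
    print(classify(SIGNED_SAMPLE))   # passes the structural check despite the junk signature
    print(classify(PLAIN_SAMPLE))
    signed, armored = split_signed(parse(SIGNED_SAMPLE))
    try:
        print("verifies with gpg:", verify_with_gpg(signed, armored))  # False: placeholder signature
    except FileNotFoundError:
        print("gpg not installed; skipping real verification")
```

The sample is PGP/MIME, not inline clear-signed text; a client that only inspects headers would see nothing at all in an inline "-----BEGIN PGP SIGNED MESSAGE-----" body, which is one way to tell header checking from real validation.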

inside Rotpoi$on – 12 hour packet capture of DormRing resurrected

Written by kent on July 25th, 2013

More Rotpoi$on analysis.

I set up a fake Ncat proxy on port 8118 last night and let it run. I will let a little Netwitness do the talking shortly with 12 hours of packet capture. This will serve as a reference and give folks a starting point in identifying the click fraud perps, should there be any interest in doing that. To be sure, the ad networks themselves (identified by the “Hostname Aliases” in the Netwitness output below) share some culpability because of their negligence in not filtering out clearly bogus referrals. Noticeably absent are Google’s AdSense and DoubleClick, which suggests that at least those ad networks are performing due diligence. If I were paying for online advertising and wanted to make sure my check was not paying for fraud, I would not be signing up with some of the companies behind the URLs listed in the Hostname Aliases. AppNexus, the company associated with the first Hostname Alias URL, appears to be the biggest fraud facilitator. UPDATE September 2013. I have been working with representatives of AppNexus. According to a representative from AppNexus, Rotpoi$on seems to target click advertisement auctions. The Rotpoi$on network is still active; possibly more updates to follow as analysis continues.

Provided in zipped CSV format are the click fraud web site referrals, as well as the filtered and sorted domain names, whose owners are probably the principal beneficiaries of Rotpoi$on.

And following is the relevant Netwitness output, and a Netwitness-generated KMZ file of Rotpoi$on/DormRing2 that you can view in Google Earth if you like.
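Added example, not the author's Ncat setup: a Python stand-in for the fake proxy on port 8118 that answers every request with an empty 200, never forwards anything upstream, and keeps the same three tallies the Netwitness views below are built from (requested hostname, Referer, source IP). It writes the referrer list in the CSV form the post distributes. It does not handle CONNECT (HTTPS through a proxy), which falls through to a 501; the hostnames and referrers used in the test are constructed.

```python
import csv
import io
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class Tally:
    """Counts per requested hostname, per Referer and per source IP."""

    def __init__(self):
        self.hosts, self.referrers, self.sources = Counter(), Counter(), Counter()
        self._lock = threading.Lock()

    def record(self, src_ip, host, referer):
        with self._lock:
            self.hosts[host] += 1
            self.sources[src_ip] += 1
            if referer:
                self.referrers[referer] += 1

    def top_hosts(self, n=10):
        return self.hosts.most_common(n)

    def referrers_csv(self):
        """Referrer list, most frequent first, as CSV text."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["referrer", "hits"])
        writer.writerows(self.referrers.most_common())
        return buf.getvalue()


def request_target(request_path, host_header):
    """A client talking to a proxy puts an absolute URL in the request line (GET http://host/path);
    a client talking to an origin sends only the path plus a Host header. Normalise to (host, path)."""
    parts = urlsplit(request_path)
    if parts.scheme and parts.netloc:
        return parts.netloc.lower(), parts.path or "/"
    return (host_header or "").lower(), request_path


class SinkholeHandler(BaseHTTPRequestHandler):
    """Empty 200 for everything and no upstream forwarding: forwarding would make this an open
    proxy and make you a real participant in the click fraud rather than an observer of it."""
    tally = Tally()
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        host, _ = request_target(self.path, self.headers.get("Host"))
        self.tally.record(self.client_address[0], host, self.headers.get("Referer"))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET

    def do_POST(self):
        # Drain the body so the keep-alive connection stays in sync before answering.
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        self.do_GET()

    def log_message(self, fmt, *args):
        pass  # the tally is the record; keep stdout quiet


def serve(port=8118):
    """Listen on the port the post used; Ctrl-C stops it and prints the aggregates."""
    server = ThreadingHTTPServer(("0.0.0.0", port), SinkholeHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    finally:
        server.server_close()
    for host, hits in SinkholeHandler.tally.top_hosts():
        print("%8d %s" % (hits, host))
    print(SinkholeHandler.tally.referrers_csv())


if __name__ == "__main__":
    serve()
```

Point a bot at it only from a network where you control egress; the hostname tally is what tells you which ad networks are being hit, and the referrer CSV is what the networks need in order to filter the bogus referrals the post complains about.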

Hostname Aliases (47 items)

ib.adnxs.com (260,842) – ads.creafi-online-media.com (57,005) – ad.globe7.com (54,082) – ad.yieldmanager.com (41,601) – ad.tagjunction.com (30,207) – an.z5x.net (17,420) – ad.z5x.net (16,676) – ads1.ministerial5.com (11,067) – ad.xertive.com (9,433) – ad.bharatstudent.com (6,589) – ad.adorika.com (4,561) – ad.reduxmedia.com (4,498) – ads.clovenetwork.com (4,021) – ib.reachjunction.com (3,774) – cdn.adk2.com (3,039) – ad.media-servers.net (2,990) – tags1.z5x.net (2,185) – ad.yieldads.com (1,767) – ad.smxchange.com (1,119) – n17.adshostnet.com (592) – u.pub-fit.com (518) – ad.adnetwork.net (490) – www.mmadsgadget.com (225) – edge.quantserve.com (59) – www.yahoo.com (44) – dalipeng.free.fr (40) – www.epicgameads.com (25) – www.anastasiasaffiliate.com (13) – asianbeauties.anastasiasaffiliate.com (11) – as.ebz.io (7) – jsc.dt07.net (5) – media.fastclick.net (4) – cdn.fastclick.net (4) – ads1.qadabra.com (4) – 216.245.211.138 (4) – www.cpmleader.com (2) – amolatina.anastasiasaffiliate.com (2) – z14132-p14354-n192.pub.pgssl.com (1) – images.neobux.com (1) – affiliates.lifelock.com (1) – ads.creafi-online-media. (1) – ads.creafi-online- (1) – ads.creafi-onlin (1) – ads.crea (1) – ads. (1) – ads (1) – ad.gl (1)

Source IP Address (881 items)

66.220.4.88 (3,727) – 72.52.83.204 (3,653) – 66.160.173.102 (3,648) – 72.52.83.220 (3,646) – 66.220.4.69 (3,631) – 66.160.159.163 (3,562) – 72.52.75.108 (3,314) – 72.52.72.100 (3,307) – 72.52.72.112 (3,045) – 184.105.203.25 (2,350) – 72.52.116.84 (2,347) – 184.105.137.100 (2,340) – 198.15.70.221 (2,328) – 192.69.219.237 (2,319) – 66.220.4.85 (2,293) – 72.52.75.73 (2,063) – 72.52.75.122 (1,931) – 198.204.228.179 (1,800) – 198.204.242.237 (1,794) – 198.204.242.235 (1,793) – 198.204.228.180 (1,785) – 198.204.242.236 (1,784) – 198.204.240.180 (1,762) – 74.121.191.13 (1,730) – 192.69.204.76 (1,702) – 74.91.18.4 (1,684) – 64.120.60.52 (1,558) – 198.204.240.179 (1,531) – 198.204.242.238 (1,498) – 63.141.244.45 (1,486) – 184.105.135.169 (1,472) – 108.62.237.221 (1,460) – 108.62.237.220 (1,460) – 108.62.237.215 (1,458) – 108.62.237.217 (1,455) – 108.62.237.216 (1,453) – 108.62.237.219 (1,443) – 142.54.176.166 (1,439) – 108.62.237.218 (1,438) – 142.54.179.51 (1,437) – 108.62.237.214 (1,437) – 108.62.237.222 (1,433) – 173.234.208.125 (1,426) – 108.62.75.34 (1,410) – 198.204.240.182 (1,409) – 173.234.208.124 (1,387) – 173.234.208.126 (1,385) – 173.234.208.123 (1,381) – 108.177.187.60 (1,363) – 108.177.187.58 (1,362) – 108.177.168.158 (1,356) – 108.177.168.157 (1,351) – 108.177.187.59 (1,350) – 108.177.168.154 (1,350) – 108.177.187.62 (1,349) – 23.19.50.58 (1,349) – 108.177.168.156 (1,345) – 23.19.50.59 (1,345) – 108.177.187.61 (1,342) – 108.177.168.155 (1,342) – 63.141.244.46 (1,341) – 108.177.187.55 (1,340) – 108.177.187.57 (1,330) – 63.141.244.43 (1,326) – 63.141.254.86 (1,325) – 23.19.50.57 (1,324) – 63.141.244.44 (1,322) – 63.141.254.85 (1,321) – 142.54.176.165 (1,305) – 108.177.168.152 (1,301) – 23.19.50.56 (1,245) – 63.141.254.83 (1,225) – 74.91.18.3 (1,223) – 192.69.219.229 (1,220) – 74.91.18.6 (1,191) – 192.69.204.74 (1,189) – 23.19.67.204 (1,184) – 23.19.67.206 (1,179) – 147.255.50.34 (1,170) – 23.19.67.203 (1,157) – 108.62.40.236 (1,155) – 147.255.50.35 (1,145) – 
142.54.179.52 (1,141) – 108.62.17.234 (1,137) – 184.105.203.21 (1,124) – 63.141.254.84 (1,114) – 198.15.118.67 (1,112) – 108.62.40.235 (1,094) – 173.234.41.44 (1,086) – 108.62.17.231 (1,084) – 108.62.17.235 (1,077) – 108.62.17.237 (1,075) – 108.62.185.205 (1,068) – 108.62.17.236 (1,068) – 173.234.33.77 (1,066) – 173.234.41.43 (1,061) – 108.62.185.204 (1,061) – 74.121.191.47 (1,059) – 108.62.40.238 (1,058) – 173.234.41.45 (1,057) – 108.62.185.203 (1,056) – 108.62.17.228 (1,054) – 108.62.17.232 (1,050) – 173.234.33.78 (1,043) – 173.234.33.76 (1,036) – 23.19.75.218 (1,036) – 173.234.41.39 (1,035) – 173.234.41.38 (1,022) – 23.19.26.178 (1,022) – 108.62.17.238 (1,021) – 108.62.185.206 (1,019) – 173.234.41.37 (1,016) – 173.234.33.71 (1,014) – 173.234.33.70 (1,014) – 108.62.17.233 (1,014) – 23.19.67.211 (1,012) – 23.19.75.219 (995) – 142.91.245.132 (992) – 23.19.75.212 (982) – 173.234.116.202 (960) – 173.234.116.173 (959) – 23.19.54.3 (959) – 23.19.54.5 (958) – 23.19.54.4 (958) – 23.19.54.2 (955) – 173.234.116.200 (949) – 173.234.116.172 (949) – 173.234.116.171 (949) – 23.19.54.6 (948) – 23.19.54.7 (943) – 173.234.116.206 (941) – 173.234.116.203 (938) – 173.234.116.201 (931) – 173.208.138.248 (931) – 173.234.116.204 (928) – 173.234.116.174 (928) – 173.234.116.195 (927) – 64.120.56.228 (927) – 173.234.116.194 (922) – 23.19.67.212 (919) – 108.62.40.237 (917) – 23.19.54.247 (915) – 173.234.116.205 (911) – 173.234.224.220 (901) – 173.208.16.91 (900) – 173.208.16.83 (899) – 173.234.116.248 (896) – 147.255.50.43 (896) – 173.208.138.245 (893) – 147.255.50.44 (891) – 147.255.50.42 (890) – 74.91.18.5 (888) – 173.208.16.93 (885) – 108.62.40.233 (884) – 173.234.116.247 (883) – 173.208.16.94 (883) – 173.208.16.92 (883) – 173.208.16.86 (883) – 173.208.16.85 (882) – 23.19.89.123 (882) – 108.62.40.230 (880) – 173.208.16.82 (879) – 108.62.40.229 (878) – 198.204.247.220 (877) – 108.62.40.232 (876) – 70.32.43.184 (874) – 173.234.116.250 (873) – 72.52.72.109 (872) – 173.208.16.84 (871) – 
64.120.56.227 (857) – 23.19.75.216 (853) – 23.19.75.215 (851) – 147.255.50.39 (850) – 147.255.50.40 (841) – 173.208.16.244 (840) – 23.19.75.217 (840) – 147.255.50.41 (835) – 173.208.16.245 (827) – 23.19.130.186 (825) – 173.234.224.61 (821) – 173.208.94.184 (817) – 173.208.94.178 (816) – 108.177.168.153 (816) – 23.19.54.253 (812) – 173.208.94.181 (811) – 173.234.224.62 (810) – 23.19.54.246 (804) – 173.208.94.185 (802) – 173.208.94.186 (801) – 173.234.224.219 (800) – 64.120.44.148 (800) – 173.208.94.180 (799) – 173.208.94.182 (798) – 23.19.130.185 (798) – 192.69.219.236 (796) – 173.208.94.183 (796) – 173.208.94.179 (796) – 173.208.94.188 (795) – 173.234.33.67 (789) – 173.208.94.190 (789) – 173.208.85.19 (789) – 23.19.54.242 (789) – 173.234.33.68 (788) – 23.19.130.183 (788) – 173.208.94.189 (786) – 173.208.94.187 (786) – 64.120.44.147 (786) – 192.151.151.222 (784) – 198.15.118.87 (778) – 173.234.235.99 (775) – 65.49.8.166 (774) – 173.234.153.182 (771) – 142.54.179.53 (770) – 173.208.85.21 (768) – 23.19.54.244 (766) – 23.19.89.126 (763) – 23.19.54.243 (763) – 23.19.130.184 (762) – 108.62.237.213 (756) – 173.208.85.20 (755) – 173.234.33.66 (754) – 173.208.94.163 (751) – 173.234.116.252 (750) – 173.208.16.87 (746) – 108.62.237.212 (746) – 173.234.41.35 (745) – 108.62.237.210 (745) – 108.62.237.211 (744) – 198.204.243.101 (743) – 173.208.94.166 (743) – 173.234.41.36 (740) – 23.19.67.214 (740) – 173.208.94.164 (739) – 192.151.151.219 (738) – 23.19.67.213 (737) – 173.234.153.181 (736) – 108.177.183.203 (733) – 108.177.183.204 (730) – 173.208.94.165 (728) – 142.54.176.163 (728) – 23.19.89.125 (728) – 173.234.33.75 (725) – 173.208.94.171 (725) – 173.208.94.168 (721) – 108.177.183.205 (721) – 23.19.75.220 (720) – 173.208.16.248 (718) – 108.177.183.206 (718) – 173.234.33.73 (717) – 173.234.41.42 (714) – 173.234.41.41 (714) – 173.208.94.170 (712) – 173.234.41.40 (708) – 173.208.94.169 (707) – 142.54.176.164 (707) – 173.234.116.197 (706) – 173.208.94.167 (706) – 23.19.50.54 (705) 
– 173.234.153.186 (704) – 173.234.116.196 (704) – 198.204.243.102 (701) – 173.234.153.179 (699) – 173.234.33.74 (697) – 23.19.50.52 (697) – 23.19.50.51 (697) – 173.208.16.249 (696) – 23.19.50.50 (696) – 108.177.168.151 (695) – 23.19.50.53 (694) – 108.177.187.54 (693) – 173.208.16.242 (687) – 23.19.130.180 (687) – 173.234.60.181 (685) – 173.234.60.180 (684) – 173.208.16.250 (682) – 108.177.168.150 (681) – 23.19.54.249 (681) – 173.234.60.182 (679) – 23.19.130.182 (679) – 173.234.41.34 (676) – 173.208.16.243 (676) – 173.234.60.179 (674) – 23.19.54.252 (673) – 198.204.243.100 (672) – 173.234.12.181 (671) – 23.19.54.248 (657) – 74.91.26.182 (656) – 74.91.26.181 (649) – 173.208.138.243 (643) – 198.204.241.246 (640) – 23.19.130.121 (639) – 64.120.60.46 (633) – 23.19.130.125 (632) – 23.19.130.120 (627) – 23.19.130.190 (626) – 173.208.85.11 (625) – 173.234.12.189 (624) – 23.19.130.122 (623) – 23.19.130.119 (622) – 173.234.12.190 (621) – 173.208.85.13 (621) – 23.19.130.189 (620) – 173.234.12.188 (619) – 23.19.130.124 (619) – 173.234.12.186 (617) – 23.19.130.123 (615) – 173.234.12.187 (613) – 173.208.242.43 (613) – 64.120.60.45 (610) – 23.19.54.251 (610) – 23.19.54.250 (610) – 173.208.85.14 (609) – 142.54.179.54 (608) – 70.32.43.186 (605) – 173.208.85.12 (603) – 173.234.153.178 (601) – 64.120.77.154 (597) – 64.120.58.118 (596) – 64.120.77.152 (595) – 64.120.77.153 (593) – 198.204.241.142 (592) – 64.120.58.117 (592) – 64.120.77.155 (591) – 64.120.58.116 (590) – 23.19.89.124 (590) – 173.234.116.73 (589) – 70.32.43.179 (588) – 198.204.242.230 (587) – 64.120.77.156 (587) – 108.62.75.27 (583) – 64.120.77.151 (583) – 64.120.58.115 (583) – 173.234.116.71 (581) – 64.120.77.147 (581) – 70.32.43.178 (580) – 23.19.107.249 (580) – 173.234.116.76 (579) – 23.19.107.247 (579) – 173.234.116.75 (578) – 64.120.77.146 (578) – 108.62.75.28 (577) – 23.19.107.248 (577) – 108.62.75.25 (576) – 173.234.159.2 (575) – 108.62.75.23 (575) – 108.62.75.26 (574) – 173.234.153.102 (573) – 23.19.107.250 (573) 
– 108.62.236.190 (572) – 108.62.75.24 (572) – 23.19.107.252 (571) – 173.234.116.55 (570) – 173.234.116.74 (569) – 173.234.116.60 (569) – 173.234.159.3 (568) – 173.234.116.56 (568) – 23.19.107.251 (567) – 173.234.116.72 (566) – 173.234.116.58 (565) – 173.234.116.57 (565) – 64.120.58.22 (563) – 108.62.236.189 (562) – 23.19.54.21 (562) – 23.19.54.18 (562) – 64.120.60.114 (561) – 64.120.58.21 (560) – 64.120.58.19 (560) – 64.120.44.164 (560) – 173.234.116.59 (559) – 108.62.5.152 (559) – 23.19.54.20 (559) – 70.32.43.189 (558) – 23.19.54.25 (558) – 23.19.54.24 (557) – 173.234.188.205 (556) – 173.234.116.50 (556) – 108.62.192.22 (556) – 70.32.43.185 (556) – 23.19.54.22 (556) – 23.19.54.19 (556) – 173.208.83.187 (555) – 108.62.5.155 (555) – 173.208.83.189 (554) – 108.62.192.19 (554) – 64.120.60.43 (554) – 23.19.54.23 (554) – 173.208.83.188 (553) – 108.62.5.147 (553) – 173.234.12.179 (552) – 173.234.12.185 (551) – 64.120.44.166 (551) – 173.234.12.235 (550) – 173.234.12.180 (550) – 108.62.5.154 (550) – 173.234.188.196 (549) – 64.120.44.163 (549) – 70.32.43.188 (548) – 64.120.5.254 (548) – 23.19.130.115 (548) – 173.234.42.3 (547) – 108.62.192.20 (547) – 173.234.42.11 (546) – 173.234.42.7 (546) – 173.234.188.195 (545) – 173.234.12.233 (545) – 173.208.83.190 (545) – 173.234.188.198 (544) – 173.234.42.8 (544) – 173.234.42.2 (544) – 173.234.12.236 (544) – 64.120.44.165 (544) – 108.62.5.151 (543) – 173.234.188.197 (542) – 173.234.12.232 (542) – 108.62.75.6 (542) – 108.62.5.153 (542) – 108.62.5.146 (542) – 198.204.243.99 (540) – 173.234.42.10 (540) – 173.234.12.238 (540) – 108.62.5.156 (540) – 23.19.107.242 (540) – 173.234.12.231 (539) – 70.32.43.190 (539) – 173.234.42.9 (538) – 108.62.192.21 (538) – 64.120.5.253 (538) – 64.120.5.251 (538) – 173.234.42.12 (537) – 173.234.12.237 (537) – 74.91.26.179 (536) – 64.120.5.252 (536) – 23.19.107.243 (536) – 174.34.140.155 (535) – 23.19.130.116 (534) – 173.234.12.184 (533) – 174.34.140.156 (532) – 23.19.130.114 (532) – 173.234.12.234 (531) – 
108.62.75.19 (529) – 198.204.242.228 (528) – 108.62.75.18 (528) – 108.62.192.30 (527) – 108.62.192.28 (527) – 173.208.138.244 (526) – 70.32.43.181 (526) – 108.62.192.29 (525) – 174.34.140.157 (524) – 23.19.63.222 (524) – 173.234.153.100 (523) – 173.234.153.99 (523) – 23.19.54.104 (523) – 174.34.140.158 (522) – 173.234.153.101 (521) – 23.19.63.219 (521) – 23.19.63.216 (521) – 173.234.224.59 (519) – 198.204.241.141 (518) – 70.32.43.180 (518) – 23.19.63.221 (515) – 199.182.234.34 (514) – 23.19.63.217 (514) – 23.19.54.103 (514) – 23.19.63.220 (513) – 23.19.54.108 (510) – 23.19.54.105 (510) – 198.204.247.221 (509) – 23.19.54.106 (509) – 23.19.63.218 (507) – 173.234.12.101 (505) – 173.234.12.99 (505) – 108.62.236.186 (505) – 173.234.12.100 (504) – 70.32.43.183 (502) – 23.19.54.107 (502) – 173.234.12.102 (501) – 173.234.224.60 (499) – 23.19.35.146 (498) – 173.208.16.246 (496) – 23.19.35.147 (495) – 108.62.75.7 (492) – 108.62.236.185 (491) – 198.204.241.243 (490) – 70.32.43.182 (490) – 198.204.241.140 (489) – 173.234.235.101 (486) – 23.83.96.130 (464) – 173.208.44.43 (463) – 173.208.44.46 (462) – 173.234.12.35 (460) – 173.234.12.44 (458) – 23.19.35.134 (458) – 173.234.12.4 (457) – 108.62.75.8 (457) – 23.19.107.228 (457) – 173.234.12.42 (456) – 173.234.116.107 (455) – 173.234.12.41 (455) – 173.208.44.45 (455) – 173.234.12.3 (454) – 173.234.12.5 (453) – 108.62.236.184 (453) – 64.120.60.115 (453) – 23.19.76.4 (453) – 173.208.44.42 (452) – 23.19.76.5 (452) – 64.120.58.20 (450) – 173.234.247.30 (449) – 173.234.188.206 (449) – 173.234.116.152 (449) – 173.234.12.6 (449) – 173.234.12.43 (448) – 173.234.12.40 (448) – 173.234.12.39 (448) – 173.234.116.109 (447) – 23.19.54.99 (447) – 23.19.54.92 (447) – 192.74.245.18 (445) – 23.19.54.87 (445) – 23.19.54.98 (444) – 173.234.12.34 (443) – 23.19.76.99 (443) – 173.234.116.108 (442) – 198.204.241.139 (441) – 173.234.12.178 (441) – 23.19.54.83 (441) – 23.19.35.133 (441) – 23.19.107.227 (439) – 23.19.76.6 (439) – 23.19.54.90 (439) – 
23.19.35.132 (439) – 173.234.116.153 (438) – 173.208.57.54 (438) – 23.19.76.3 (438) – 23.19.76.102 (437) – 23.19.76.101 (437) – 23.19.54.82 (437) – 173.234.247.19 (436) – 173.234.116.151 (436) – 173.234.247.22 (435) – 173.234.188.204 (435) – 173.208.83.100 (435) – 23.19.107.226 (435) – 23.19.54.89 (435) – 23.19.54.88 (435) – 173.208.44.37 (434) – 173.234.12.182 (433) – 173.208.83.99 (433) – 173.208.83.101 (432) – 173.234.247.21 (431) – 173.208.83.102 (431) – 23.19.54.91 (431) – 173.234.247.28 (430) – 173.234.247.25 (430) – 173.234.188.203 (430) – 173.234.247.29 (429) – 173.234.247.18 (428) – 23.19.76.100 (426) – 23.19.54.116 (426) – 173.234.12.30 (425) – 173.208.44.35 (425) – 173.234.12.28 (423) – 108.62.236.212 (423) – 23.19.54.118 (420) – 173.234.12.226 (419) – 173.234.12.27 (419) – 23.19.54.119 (419) – 173.234.12.229 (417) – 108.62.236.211 (417) – 23.19.54.115 (417) – 173.234.247.24 (416) – 173.234.12.250 (416) – 23.19.54.120 (416) – 173.234.12.251 (415) – 173.234.12.29 (415) – 173.234.12.228 (414) – 173.234.12.227 (414) – 173.234.12.183 (414) – 64.120.60.44 (412) – 173.234.12.52 (411) – 108.62.236.215 (411) – 23.19.54.117 (411) – 108.62.236.210 (410) – 108.62.40.244 (409) – 23.19.35.151 (409) – 173.234.12.243 (408) – 173.234.12.54 (408) – 108.62.236.183 (407) – 108.62.236.213 (406) – 23.19.35.152 (406) – 147.255.183.132 (405) – 173.234.12.252 (404) – 173.234.12.53 (404) – 147.255.183.131 (404) – 23.19.35.156 (404) – 108.62.236.182 (402) – 23.19.54.125 (402) – 108.62.236.214 (401) – 173.234.12.242 (400) – 23.19.54.126 (400) – 23.19.35.154 (400) – 108.62.40.246 (399) – 23.19.35.153 (397) – 108.62.236.179 (395) – 108.62.40.245 (395) – 174.34.135.252 (393) – 23.19.54.123 (392) – 23.19.54.124 (391) – 174.34.135.251 (389) – 173.234.12.249 (389) – 108.62.40.254 (389) – 174.34.135.253 (385) – 173.234.12.247 (385) – 23.19.75.214 (385) – 23.19.35.155 (385) – 174.34.135.254 (381) – 173.234.12.248 (378) – 108.62.236.180 (378) – 204.12.211.51 (374) – 108.62.236.178 (365) – 

Destination IP address (4 items)

66.8.208.183 (535,129) – 108.62.75.7 (1) – 82.223.191.10 (1) – 64.120.77.147 (1)

Event (1 item)

get (534,881)

Extension (9 items)

<none> (530,555) – js (3,901) – html (317) – php (71) – aspx (26) – htm (7) – media (4) – gif (1) – asp (1)
Client Application (100 items)

mozilla/5.0 (245,579) – mozilla/4.0 (223,537) – opera/9.80 (26,637) – 001|mozilla/5.0 (12,361) – 001|mozilla/4.0 (4,779) – mozilla/4.76 [en] (3,941) – mozilla/3.0 webtv/1.2 (2,323) – 001|opera/9.80 (2,052) – mozilla/4.61 [en] (1,628) – mozilla/5.0 archlinux (1,587) – mozilla/4.73 [en] (1,518) – mozilla/4.7 [en] (1,493) – mozilla/5.0 slackware/13.37 (1,231) – mozilla/1.22 (989) – mozilla/3.0 (853) – mozilla/4.61 (832) – mozilla/4.75 [en] (817) – mozilla/4.5 [en] (812) – mozilla/4.08 [en] (809) – mozilla/4.76 (799) – opera/10.60 (795) – mozilla/3.01 (793) – mozilla/2.0 (766) – mozilla/4.79 (513) – mozilla/6.0 (494) – mozilla/4.7 (401) – oracle/1.5.0.3-0.3.el4 firefox/1.5.0.3 pango-text (388) – mozilla/4.77c-cck-mcd {c-udp; ebm-apple} (379) – chrome/15.0.860.0 (374) – opera/10.50 (354) – mozilla/4.0(compatible; msie 7.0b; windows nt 6.0) (241) – mozilla/4.79 [en] (216) – 001|mozilla/5.0 archlinux (148) – 001|mozilla/5.0 slackware/13.37 (95) – 001|mozilla/1.22 (69) – 001|mozilla/2.0 (66) – 001|opera/10.60 (63) – opera/9.27 (51) – 001|mozilla/6.0 (40) – opera/8.0 (38) – opera/12.80 (38) – 001|mozilla/3.0 (38) – 001|oracle/1.5.0.3-0.3.el4 firefox/1.5.0.3 pango-text (35) – opera/6.05 (34) – 001|opera/10.50 (30) – opera/12.0(windows nt 5.1;u;en)presto/22.9.168 version/12.00 (27) – opera/8.50 (26) – opera/12.0(windows nt 5.2;u;en)presto/22.9.168 version/12.00 (25) – 001|chrome/15.0.860.0 (24) – opera/9.62 (23) – opera/9.02 (20) – opera/9.00 (19) – opera/9.63 (18) – opera/9.20 (18) – opera/9.01 (18) – opera/9.61 (17) – opera/9.25 (17) – opera/9.21 (17) – opera/7.03 (14) – opera/7.11 (13) – opera/9.60 (12) – opera/9.23 (12) – opera/9.10 (12) – opera/9.51 (11) – opera/8.51 (11) – opera/9.52 (9) – opera/6.04 (9) – opera/9.26 (8) – opera/8.54 (8) – opera/8.01 (8) – opera/7.23 (8) – opera/6.01 (8) – opera/9.22 (7) – opera/8.53 (7) – opera/8.52 (7) – opera/7.10 (7) – opera/7.0 (7) – opera/7.54 (6) – opera/6.0 (6) – opera/9.64 (5) – opera/9.50 (5) – opera 9.4 (5) – 
opera/9.20(windows nt 5.1; u; en) (4) – opera/8.00 (4) – opera/7.01 (4) – opera/6.02 (4) – opera/9.12 (3) – opera/8.02 (3) – opera/6.03 (3) – opera/5.12 (3) – mozilla/45.0 (3) – mozilla/4.01 (3) – opera/9.24 (2) – opera/7.52 (2) – opera/7.50 (2) – opera/7.22 (1) – opera/7.20 (1) – opera/7.02 (1) – opera/5.02 (1) – mozilla/4.08 (1)

TCP Destination Port (3 items)

8118 (535,129) – 4378 (1) – 3735 (1)

Source Country (5 items)

united states (486,789) – china (6,091) – united kingdom (4,986) – canada (4,584) – singapore (644)
Destination Country (2 items)

united states (535,131) – spain (1)

Source Organization (34 items)

nobis technology group phoenix (75,878) – ubiquity server solutions dallas (56,801) – hambilios lcc (56,249) – nobis technology group, llc (50,308) – ubiquity server solutions seattle (41,727) – ubiquity server solutions chicago (36,213) – fannie mae (25,159) – ubiquity server solutions new york (17,583) – ubiquity server solutions los angeles (14,754) – ubiquity server solutions atlanta (12,745) – egihosting (10,861) – datashack, lc (10,834) – hurricane electric (9,807) – aboutweddings.com (9,651) – epsilon data management (8,135) – credyn (7,313) – emdigo (7,224) – pure web technologies, llc. (5,579) – curvehost (4,986) – server results llc (3,938) – meng wq (3,474) – hosting (3,287) – pipechase (2,789) – jestservers.com (2,722) – shenmiren communications (2,169) – hostmist (2,160) – auctiva corporation (774) – carson keating (727) – gecko electronics (539) – china unicom shandong province network (271) – dataone technologies corp (232) – chinanet jiangxi province network (177) – limestone networks (16) – road runner (3)

Destination Organization (4 items)

road runner (535,129) – ubiquity server solutions los angeles (1) – nobis technology group, llc (1) – arsys.es (1)

Source City (30 items)

phoenix (126,186) – los angeles (71,003) – seattle (35,757) – chicago (26,570) – dallas (25,327) – new york (17,583) – fremont (17,031) – lebanon (16,028) – campbell (14,612) – atlanta (12,101) – kansas city (11,561) – tucson (10,287) – burlingame (9,651) – alexandria (9,643) – hudson (7,897) – suwanee (5,970) – sylmar (5,579) – york (4,986) – carson city (3,938) – jinan (3,745) – harrisburg (3,562) – menlo park (3,287) – vancouver (2,789) – tanggu (2,169) – youngstown (2,160) – chico (774) – boston (539) – schaumburg (232) – nanchang (177) – honolulu (3)

Destination City (3 items)

honolulu (535,129) – phoenix (1) – los angeles (1)

Source Domain (30 items)

ubiquityservers.com (194,742) – ubiquity.io (102,725) – xninet.com (16,924) – simpledeliverysolutions.com (14,333) – researchprimary.info (10,574) – giscafe.com (9,651) – unitedhost.com (7,313) – win-dns.com (7,299) – civicactions.net (7,224) – dailybreakthroughs.net (5,696) – rlookuphost.com (5,145) – beretcity.info (4,705) – thousandsofgenerationsbehind.com (4,494) – paneltelefon.com (4,342) – rethinkvps.com (3,938) – oneminutedaily.com (3,562) – netornerics.info (3,474) – forecastcompare.info (3,287) – pipechase.com (2,789) – evolutionreloaded.com (2,722) – thedogshadlong.com (2,664) – defineproduc.com (2,347) – hostmist.com (2,160) – differe.net (1,725) – ioflood.com (1,472) – vpsquicksolutions.com (727) – synede.com (539) – directmarketingyou.com (374) – lstn.net (16) – rr.com (3)

Destination Domain (4 items)

rr.com (535,129) – ubiquityservers.com (1) – servidoresdns.net (1) – beretcity.info (1)

Rotpoi$on click fraud throngnet powered by thousands of *servers*

Written by kent on April 15th, 2013

Last update 24 JULY 2013

Thanks to Javantea of AltSci, Aaron Hopkins, and Zack of CMU for their help with identifying the real purpose behind Rotpoi$on and confirming that I was not the only one seeing this.

I have created the following evolving FAQ on Rotpoi$on. It is under revision.

Q: What is Rotpoi$on?

A: Rotpoi$on is a large net of servers apparently leased for at least the purpose of committing click fraud, and it may even be the successor to the DormRing1 operation described in 2009. So, DormRing2? We know that it is targeting open proxy ports on Tor relays. There are perhaps many organizations getting cheated, if the return on investment needed to justify leasing thousands of servers is any evidence. I could have only part of the story, so I do not want to speculate further on perceived culpability at this point. But in keeping with the point of having a research network, if I see it and can do something about it, I will do it. So I will be following up with the security teams of various advertisement networks as time allows.

Q: Why do you call it Rotpoi$on?

A: I call it Rotpoi$on because my family once visited Rottnest Island in Western Australia and it was, well, memorable. (Rotte is the old Dutch word for rat.) So it is a homonym of Tor spelled backwards. Since this packet spewing is directed at Tor exit nodes including mine, I am using a play on the term “rat poison.” Because I have confirmed that the servers are leased, and the organizations paying the bills are aware of and very likely specifically directing the activities of these leased servers, there is the dollar sign. A leased net of computers is in contrast to a botnet, which by definition is controlled by an entity that uses hacked, not leased, computer systems.

Q: Why are you posting on Rotpoi$on?

A: The purpose of this post is to serve as a primer and reference for other Tor exit relay operators and security researchers who have participated in this analysis and helped characterize Rotpoi$on.

Q: Is Rotpoi$on performing a SYN flood attack?

A: In my case, no. By definition a SYN flood is a form of denial of service attack on an otherwise functioning service or port. My systems didn’t have port 8118 listening, and my firewall(s) block what would otherwise be the RST packets sent by the OS. So in my case, it is entirely one-way traffic. And no, most ISPs do not block SYN flood attacks. That is indeed the job of the customer’s router or firewall.

Q: Why should I be concerned about Rotpoi$on?

A: When it was at its largest in the first quarter of 2013, Rotpoi$on was throwing thousands of packets a second. While a few thousand small SYN packets a second should not harm any reasonably well configured system or network, it did have a very detrimental effect on my research network at home. I believe that was because I had a router that was inadequate for managing sessions from several thousand different IP addresses at once while logging everything, so Rotpoi$on bogged it down completely. Once I replaced the router with something adequate (a virtual firewall running iptables), Rotpoi$on became mostly a nuisance. However, the potential effects enabled by thousands of high powered Windows servers running on large, unmetered pipes in well-connected data centers across two continents are not insignificant. So while the potential for more malicious effects is there, Rotpoi$on is probably “just” a fraudulent money-making operation.

Q: What the heck is a throngnet?

A: Another term I made up to describe Rotpoi$on. Gangnet was already taken. The commonly accepted definition of a botnet is a bunch of computer systems controlled by a single unauthorized entity, usually via malicious code. I used to call Rotpoi$on a botnet, but knowing what I know, I think that would be inaccurate. From outward appearances, it looks to be more than one entity (although it could be one disguised as several) “thronging” together with a common purpose of click fraud. The systems seem to be running the same poorly written script designed to generate illicit advertisement commissions.

Q: How many servers are you talking about?

A: It might help to illustrate with the following GeoIP maps:

[GeoIP map image: rp-geo-2013-March]

Contributor analysis from 22 JULY 2013

Javantea from AltSci volunteered to open up port 8118 on his relay and observe for a bit.

Hi Kent,

I am getting 125 packets per second sustained incoming on port 8118 like you on my exit node. I noticed this last year but forgot about it because it was such low bandwidth. I count 2582 unique IPs in 20 minutes.

I think you’ve found something significant. The obvious question is why since sending data in the clear is pretty worthless and it’s going to come out of a tor exit node just like if they were using tor.

I’m a security researcher and would be happy to help you learn more about these silly systems. You’ve already done most of the basic research though: who, what, and where. When I open port 8118 with netcat a few times I get this:

GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL} HTTP/1.0
Accept: */*
Referer: http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Host: ad.yieldmanager.com
Connection: Keep-Alive

GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0
Accept: */*
Referer: http://www.psxobs.com/privacy-policy
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
Host: ib.adnxs.com
Connection: Keep-Alive

That looks like clickfraud to me. Perhaps someone wrote a quick script that downloads the list of tor exit nodes and sends clickfraud requests to 8118 and was too lazy to add tor. That would mean that the sites in the referrer are the attackers and the url on the first line is the ad service which is being defrauded. Of course there is the possibility of a joe job occurring, but we know that at least some of them are the bad actors. Whois on both referrers returns China. I’m surprised that the script doesn’t remove servers from the list that have the port closed. It’s a very inefficient script.

Regards,
Javantea

Based on his observations, Joel concluded that the Rotpoi$on collective is running a (laughably inefficient) script with the goal of clickfraud. Following in Joel’s footsteps, I decided to install and open up Privoxy on my relay for a few seconds and watch what happens myself. This is what I saw:

09:21:01.419951 IP 23.19.89.126.2318 > my.exit.node.8118: Flags [P.], seq 1:416, ack 1, win 65535, length 415
E…..@.u.u/..Y~B… …^.]^M….P…….GET http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147 HTTP/1.0
Accept: */*
Referer: http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741:when-you-are-not-able-to-get-standard-loans&catid=54:financial-services-&Itemid=412
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
Host: ad.media-servers.net
Connection: Keep-Alive
09:21:01.430712 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [.], ack 1, win 65535, length 0
E..(………..]B….F…._..x..P….~……..
09:21:01.431701 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [P.], seq 1:511, ack 1, win 65535, length 510
E..&………..]B….F…._..x..P…….GET http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&pub_url=${PUB_URL} HTTP/1.0
Accept: */*
Referer: http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44&Itemid=100&limitstart=48
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Host: ad.globe7.com
Connection: Keep-Alive
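As an added example (not code from the original post), here is a small Python parser that takes proxy-form requests like the ones captured above and summarizes them the way the contributors did: which ad hosts and referer sites appear, which source /24s sent them, and how many carry the unexpanded ${PUB_URL} template variable, a tell that a templated script rather than a browser built the request. The sample requests are constructed from this page's captures; the source IPs paired with them and the helper names are my own.

```python
"""Parser and summariser for proxy-style HTTP requests seen on a Privoxy port (8118).

Added example, not part of the original post. Sample data below is constructed
from the requests captured on this page; helper names are assumptions.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample: (source IP, raw request) pairs modelled on the captures above.
SAMPLE_REQUESTS = [
    ("23.19.89.126",
     "GET http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147 HTTP/1.0\r\n"
     "Accept: */*\r\n"
     "Referer: http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741\r\n"
     "Accept-Language: en-us\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)\r\n"
     "Host: ad.media-servers.net\r\n"
     "Connection: Keep-Alive\r\n\r\n"),
    ("173.208.16.93",
     "GET http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&pub_url=${PUB_URL} HTTP/1.0\r\n"
     "Accept: */*\r\n"
     "Referer: http://twicemagic.com/index.php?option=com_content&view=category&id=44\r\n"
     "Accept-Language: en-us\r\n"
     "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"
     "Host: ad.globe7.com\r\n"
     "Connection: Keep-Alive\r\n\r\n"),
    ("23.19.54.28",
     "GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0\r\n"
     "Accept: */*\r\n"
     "Referer: http://www.psxobs.com/privacy-policy\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0\r\n"
     "Host: ib.adnxs.com\r\n"
     "Connection: Keep-Alive\r\n\r\n"),
    # A local Privoxy client for contrast: origin-form request line, no absolute URI.
    ("127.0.0.1",
     "GET /config HTTP/1.1\r\nHost: 127.0.0.1:8118\r\nConnection: close\r\n\r\n"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")


def parse_request(raw):
    """Split a raw HTTP request into method, target and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"], "headers": headers}


def is_proxy_abuse(src_ip, req):
    """Heuristic for the pattern documented on this page: a non-loopback client sends
    an absolute-URI (proxy-form) request carrying a Referer to the proxy port.
    A Tor-side Privoxy should only ever be talked to by the local Tor client."""
    if req is None or ip_address(src_ip).is_loopback:
        return False
    parts = urlsplit(req["target"])
    return parts.scheme in ("http", "https") and bool(parts.netloc) and "referer" in req["headers"]


def summarise(pairs):
    """Aggregate flagged requests: ad hosts hit, referer sites, source /24s, and how
    many requests still contain the unexpanded ${PUB_URL} template variable."""
    ad_hosts, referers, src24 = Counter(), Counter(), Counter()
    flagged = unexpanded = 0
    for src, raw in pairs:
        req = parse_request(raw)
        if not is_proxy_abuse(src, req):
            continue
        flagged += 1
        ad_hosts[urlsplit(req["target"]).hostname] += 1
        referers[urlsplit(req["headers"]["referer"]).hostname] += 1
        src24[str(ip_network(f"{src}/24", strict=False))] += 1
        if "${PUB_URL}" in req["target"]:
            unexpanded += 1
    return {"flagged": flagged, "ad_hosts": ad_hosts, "referers": referers,
            "source_24s": src24, "unexpanded_pub_url": unexpanded}


if __name__ == "__main__":
    s = summarise(SAMPLE_REQUESTS)
    print(f"{s['flagged']} suspect requests, {s['unexpanded_pub_url']} with unexpanded ${{PUB_URL}}")
    for label in ("ad_hosts", "referers", "source_24s"):
        for key, n in s[label].most_common():
            print(f"{n:5d} {label}: {key}")
```

Feeding it the full payloads of a capture (for example the text tcpdump -A prints after each request line) reproduces the per-host and per-/24 counts the contributors below report by hand.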

Response from Zack at CMU:

The CMU Tor exit is seeing about 66 packets/second worth of this (10000 packets, 1151 unique IPs in 149.5 seconds). I don’t have time to dig any deeper right now, but on the theory that it’s a botnet doing click fraud, I’ll pass this along to our cybercrime people.

Aaron Hopkins reports:

I set up a copy of nginx returning 404s on that port. After a few thousand requests, here are the hostnames it is trying to hit:

4655 ib.adnxs.com
2193 ad.globe7.com
1705 ads.creafi-online-media.com
1149 ad.tagjunction.com
767 ad.yieldmanager.com
259 an.z5x.net
184 ad.z5x.net
123 ad.xertive.com
115 ib.reachjunction.com
80 tags1.z5x.net
72 ad.bharatstudent.com
71 ad.reduxmedia.com
23 ad.smxchange.com
18 opt.cdxndirectopt.com
10 www.xtendadvert.com

It might be worth digging up the security contact for at least the top few of those and give them a heads up.

And the /24s that have sent at least 100 requests (of 811 unique IPs from 122 /24s):



Q. Why do you think the number of servers in the Rotpoi$on throngnet decreased over half a year?

A: It could be that my initial furious reporting to offending server hosting providers actually had an effect. For instance, the provider that once hosted the greatest fraction of Rotpoi$on servers, DataShack AKA Wholesale Internet, now has only a fraction of its original servers in Rotpoi$on. The DataShack/Wholesale Internet abuse representative Rebecca Kaiser acknowledged my reports and asserted several times that the server owner (apparently one client) would stop the activity. They eventually did. Or, it could be a combination of my reporting and other reasons, or something else entirely. Some email correspondence screenshots from Rebecca @ DataShack/WholesaleInternet:

[screenshot: Wholesaleinternet-abuse-reply1]

[screenshot: Wholesaleinternet-abuse-reply2]


Q: Which ports is Rotpoi$on attempting to use and for what are those ports typically used?

A: When at its peak in the first quarter of 2013, the automated process common to all Rotpoi$on nodes targeted port 8118 and, to a lesser extent, 3128. Port 8118 is associated with Privoxy, a service used alongside many Tor clients for secure compatibility with browsers and to prevent client applications from leaking DNS traffic. Port 3128 is associated with the Squid proxy service.

Q: Why is Rotpoi$on checking for open Privoxy and Squid ports?

A: Apparently, to commit click fraud by hiding their true source from the advertising networks that are paying for bogus click referrals.

Q: Come on, you mean to tell me that there are Tor exit relays out there that have their actual Privoxy service open and available to the world?

A: Yep, I checked. Not that many of them, but some. This means that anyone could also hop on to the Tor network without using a Tor client. Just like using a Tor client, you would pop out of the network on some other exit relay somewhere else entirely. You would be anonymized very well, assuming you trust the network path from where you are to the Tor exit relay.

Q: So why would Rotpoi$on have to continually scan all Tor exit nodes to check for open proxy services?

A: Another researcher surmised that the Rotpoi$on controller must be using an inefficient fraud script that hits all Tor exit nodes, not just the ones with open proxy ports. There could be a more complicated answer, but Occam’s razor suggests the simplest answer usually turns out to be correct. In my larger study of Tor, I have seen that exit node IP addresses come and go, and that there is actually a not insignificant chunk of Tor exit relay IP addresses that only stay connected in Tor network circuits for a little while. Some of those exit relay IP addresses aren’t seen again in the Tor network for a while, if ever. So this could be a reason why the Rotpoi$on controller decided to continue using an inefficient method of running an automated click fraud process. Earlier this year I set up a Tor exit node and ran it for just a few days. Rotpoi$on continued to hit it for weeks after it had left the Tor network, which suggests that it is easier to get added to the Rotpoi$on script than removed from it. It is also possible that the Rotpoi$on controller additionally pushes the click fraud activity through Tor the “normal” way, with a Tor client.

Q: How did you discover Rotpoi$on?

A: A Rotpoi$on detector, of course, pictured below ;-) More seriously, my home research network throughput had dropped to a crawl, so I wanted to find out why. I would have to say that inadequate hardware precipitated Rotpoi$on’s discovery. If I had had something slightly more capable than my Buffalo WHR-G54S running DD-WRT with a bunch of plugins while logging everything, with only 16MB of RAM, it is possible that I would not have noticed Rotpoi$on even at its throughput peak.

[image: rp-detector-img]

Q: How do I know that you aren’t making this up?

A: Other researchers have confirmed my observations and even quickly provided much more analysis than I had the time or ability to do. I have also saved GBs of Rotpoi$on packets to share upon request.

Q:  How do you know these are Windows servers?

A: I was able to reproduce their characteristic SYN traffic in a virtual environment only by using a Windows server, specifically the Windows Server 2003 series. They also respond exactly like a Windows server, including displaying typical remote desktop logon splash screens on port 3389. I suppose it is possible that they could be something other than a Windows server configured really carefully, and at great effort, to look like a Windows server, but why?

Q: Who is behind Rotpoi$on?

A: As of mid-July 2013, there are three major hosting providers where these leased Rotpoi$on Windows servers reside: Gorilla Servers, Ubiquity/Nobistech, and Limestone Networks. A handful reside at Psychz. Whois queries that responded with actual client names show the following entities behind the Rotpoi$on IP addresses:

Gorilla Servers
Guowei Lu, US

Ubiquity Hosting/Nobis Tech
Org-Name:wang, haitao
Street-Address:Xigang family West 331
City:Xining
State:Qinghai
Postal-Code:810000
Country-Code:CN

Org-Name:Xiaoru, Li
Street-Address:room 513, building 5, xinjinganli
City:shiyijinglu
State:hedong district
Postal-Code:Tianjin
Country-Code:CN

Org-Name:Sun, Qiang
Street-Address:169# huayuan road
City:xining
State:qinghai
Postal-Code:81000
Country-Code:CN

Limestone Networks
Organization-Name:Fuqiang Zhou
Organization-City:Liaoyang
Organization-State:OT
Organization-Zip:111000

The referral websites (and there are many, most of which I have not had time to check) look like the following examples:

Domain Name: giftcardsrus.net
Expiration Date: 2014-05-07 06:12:18
Creation Date: 2009-05-07 06:12:18
REGISTRANT CONTACT INFO
antDeng GoShaXian No188 SanMing FuJian 365500 CN
Phone: +86.13592993721
Email Address: flswallow@gmail.com

Domain Name: LOTSOFFREE.COM
Created on: 03-Mar-07
Expires on: 03-Mar-14
Last Updated on: 23-Sep-12
Registrant: deng, yanhong admin@lotsoffree.com
Huaqiang computer city b135
Shenzhen, guangdon 518028
China
+86.75583405032

Domain Name: PSXOBS.COM
Registration Date: 31-May-2012
Expiration Date: 31-May-2014
ns1.ezdnscenter.com
ns2.ezdnscenter.com
Registrant Contact Details: xingbiao zhou
zhou xingbiao (zhou520530qq@yahoo.com.cn)
fujian yonganshi
yonganshi
fujian, 366000
CN
Tel. +86.05983653670
Fax. +86.05983653670

Domain Name: twicemagic.com
Protected Domain Services Customer ID: NCR-4230837
Expiration Date: 2013-09-28 08:07:24
Creation Date: 2012-09-28 08:07:24
REGISTRANT CONTACT INFO
Protected Domain Services – Customer ID: NCR-4230837
P.O. Box 6197
Denver
CO
80206
US
Phone: +1.3037474010
twicemagic.com@protecteddomainservices.com

Q. Why are you the first one to bring attention to this?

A: I am not sure. I suspect there are (were) other exit relay operators also with crappy enough hardware for Rotpoi$on to have a similar detrimental effect on their systems, as it did on my research network, but who just didn’t have the time to troubleshoot. Other researchers have reported seeing the same thing, but did not have the time to look into it. So I am thinking it was probably a coincident meeting of “crap and curiosity.”

Q. What else are those servers doing besides click fraud?

A: I don’t know if they are doing anything else. I am hoping someone else can help me answer that question. The common service among all these servers seems to be Remote Desktop Protocol/MS Windows Terminal Services. As you can see in the following screenshots, English is probably not the native language used by the operators of these servers.

[RDP logon splash screenshots: rdp-splash-examples through rdp-splash-examples12]


Another familiar phish, yet more ransomware controller proxies

Written by kent on December 12th, 2012

This looks familiar.

[screenshot: ransomeware-phish]

Since I was already updating my WordPress install, I thought I might do a little post on the probable ransomware phish I received the other day. Headers from the MTA:

Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186])
Received: from icpu1637.kundenserver.de (infong708.kundenserver.de [212.227.29.41])
	by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis)
	id 0M4muv-1Sxthi0XUL-00zKvh; Sun, 09 Dec 2012 01:01:43 +0100
Received: from 31.184.244.18 (IP may be forged by CGI script)
    by icpu1637.kundenserver.de with HTTP
    id 4ASQNn-1TdaIj0QKs-00WUqR; Sun, 09 Dec 2012 01:01:43 +0100

The link was to the hacked but otherwise legitimate website hxxp://www.mmshealthyforlife[.]com/EUDJZQZCXS.php?php=receipt, which invoked a download of the zipped PE PostalReceipt.exe. Not much time to do analysis. Someone else had submitted it to VT, but not yet to ThreatExpert, so here is the latter analysis. Multiple AV vendors are calling this Kuluoz. Here are the IP addresses of the controller proxies, which you will *NOT* notice in the online ThreatExpert report. For some reason (protection of the innocent?) the “other details” section is abridged and is missing the callbacks. Don’t worry, I have included those below ;-) Linode and 1&1 (or their customers) appear to have taken action as of this post, since port 8080 was up before, but not now.

Other details
  • The following Host Name was requested from a host database:
    • 192.5.5.241
  • The data identified by the following URLs was then requested from the remote web server(s):
IP Address Country Code Country Name City ISP
202.169.224.202 ID Indonesia Yogyakarta Jogja Medianet
82.113.204.228 IT Italy Milan TWT S.p.A.
81.93.248.152 FR France   SAS CTS
59.126.131.132 TW Taiwan Taichung CHTD, Chunghwa Telecom Co., Ltd.
87.106.89.231 DE Germany   1&1 Internet AG
59.25.189.234 KR South Korea Daegu Korea Telecom
188.212.156.180 RO Romania Bistrita Net Design Srl
85.214.22.38 DE Germany Berlin Strato AG
211.172.112.7 KR South Korea    
173.255.203.58 US USA Absecon Linode

The controller proxies this time aren’t giving out the clear Ubuntu banner as in the last campaign. Also, they are all consistently on port 8080.

Thought I might throw out some passive DNS results from a query on IP addresses behind the undoubtedly unwitting web sites hosting the controller proxies, and then call it a wrap.

New Asprox phish, a few old and many more controller proxies

Written by kent on September 25th, 2012

Received another phish from the same actors. Similar dropper to the one described in my last post. Medium-ish coverage on VT. Like the last one, it appears that the controllers proxy connections back to a master server. Whether it is the same master server behind algeriamanaus.ru is as yet undetermined. UPDATE late on 25 SEP 2012: Most of the proxy controllers identified by the ThreatExpert analysis appear to be red herrings, specifically all of those supposedly responding to the callout by the malware on port 80. The only two responding are from the original eight port-84 proxy controllers, whose admins may have acknowledged my emails but perhaps don’t understand them. If you include the otherwise legitimate site in Germany (smokerstuff.de) that is serving the malcode, there are still several systems that are compromised and unwittingly participating.

MD5: 85224EBC62F1C9D7A2D235D917D0FE58

http://www.threatexpert.com/report.aspx?md5=85224ebc62f1c9d7a2d235d917d0fe58

Update 23 OCT 2012

Included some screenshots of the FakeAV infection that leads to “ransomware” by an undoubtedly well-obfuscated perpetrator behind fastpaymentplus.com.


All (of this Asprox campaign’s) proxies lead to Romania-hosted Russian criminal domain

Written by kent on September 19th, 2012

This is a follow-up to my recent post on a Zeus bot phishing campaign. I was able to contact some of the owners of the systems being used as controllers. One of those owners did some analysis, leading directly to the discovery of the master server in Romania.

As I suspected, each of the eight systems had been compromised. But rather than (or in addition to) installing malicious code on those eight systems, the bot herder installed the otherwise legitimate Nginx httpd daemon running in proxy mode. The Nginx proxy then directed all connections back to the master server in Romania. That server was running the Apache web server on Debian Linux, serving commands as well as additional malicious code for download.

I was emailed the contents of the nginx.conf file, which, as you will see, opens the cybercriminal’s kimono:

worker_processes 2;
events {
    worker_connections 10240;
}
http {
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] $request $status $body_bytes_sent $http_referer $http_user_agent $http_x_forwarded_for';
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 1;
    tcp_nodelay on;
    server {
        listen 84;
        server_name _;
        access_log off;
        error_log off;
        location / {
            proxy_pass http://algeriamanaus.ru/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 120;
            proxy_send_timeout 120;
            proxy_read_timeout 180;
        }
    }
}
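As an added example that is not the post’s own code, here is a small triage script for an nginx.conf recovered from a compromised host like the one above: it walks the directives with brace tracking and reports, per server block, the listen port, the proxy_pass target(s) and whether access_log/error_log are switched off. The sample config is constructed to mirror the one above; the upstream host name is a placeholder.

```python
# Added example, not the post's code: triage an nginx.conf from a compromised host.
import re
from dataclasses import dataclass, field
from typing import List

@dataclass
class ServerBlock:
    port: str = ""
    server_name: str = ""
    upstreams: List[str] = field(default_factory=list)  # proxy_pass targets
    logs_off: List[str] = field(default_factory=list)   # access_log/error_log set to off

    def nonstandard_port(self) -> bool:
        return self.port.split(":")[-1] not in ("80", "443")

def triage_nginx(conf: str) -> List[ServerBlock]:
    """Walk directives with brace tracking; one record per server {} block.
    Each regex match is a directive or block opener (groups 1, 2) or a '}' (group 3)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    stack: List[str] = []                # names of the enclosing blocks
    servers: List[ServerBlock] = []
    current = None
    for m in re.finditer(r"\s*(?:([^;{}]+?)\s*([;{])|(\}))", conf):
        if m.group(3):
            if stack and stack.pop() == "server" and current is not None:
                servers.append(current)
                current = None
            continue
        words = m.group(1).split()
        if m.group(2) == "{":
            stack.append(words[0])
            if words[0] == "server":
                current = ServerBlock()
            continue
        if current is None:
            continue
        name, args = words[0], words[1:]
        if name == "listen" and args:
            current.port = args[0]
        elif name == "server_name":
            current.server_name = " ".join(args)
        elif name == "proxy_pass" and args:
            current.upstreams.append(args[0])
        elif name in ("access_log", "error_log") and args[:1] == ["off"]:
            current.logs_off.append(name)
    return servers

# Constructed sample mirroring the post's config; the upstream host is a placeholder.
SAMPLE_CONF = """
events { worker_connections 10240; }
http {
    log_format main '$remote_addr - $remote_user [$time_local] $request $status';
    server {
        listen 84;
        server_name _;
        access_log off;
        error_log off;
        location / { proxy_pass http://master-host.invalid/; }
    }
}
"""
```

A server block that listens on an odd port, forwards everything to one upstream and has both logs disabled is exactly the shape worth escalating.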

Notice the malicious master URL algeriamanaus.ru. That domain currently resolves to 46.108.132.19, out of AdNet Telecom, Romania. The DNS Start of Authority (SOA) name servers for algeriamanaus.ru are ns1.algeriamanaus.ru and ns2.algeriamanaus.ru, hosted on 46.108.132.19 and 46.108.132.20, respectively.

algeriamanaus.ru was privately registered via the infamous St. Petersburg-based Naunet.ru registrar, a bulletproof hosting provider of distinct notoriety (check out Jeffrey Carr’s book Mapping the Cyber Underworld). Naunet.ru is blocked globally by the international anti-spam organization Spamhaus for clear reasons, but has nonetheless survived largely unencumbered by law enforcement action, thanks to the same corruptible political climate that has made Russia the ultimate headquarters for many other thriving cybercriminal enterprises.

In spite of my multiple emails to all available points of contact associated with the system owners behind the malcode controllers, my efforts haven’t yielded much in response from three of the system owners: their systems are alive and well and doing the bidding of the criminal, hosting the proxy for the master server. In fact, you can readily see that browsing any of the live host controllers reveals the same host information in the 404 response as the master controller, for no other reason than that it *is* the same host.

Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze13

Proxied controllers (screenshot of the 404 response):

Master server (screenshot of the 404 response):

So what to do? For me, this has been a lesson in how truly difficult it is to stop cybercriminal activity. There are geographic, time, political and language barriers that all have to be overcome in order to take down malicious services. With this post I hope to push a couple of tags up in Google to bring attention to the problem and to the complicit participation of Jasmine Internet, Thailand, and the Romanian hosting providers IMPATT and AdNet Telecom. I shouldn’t rule out the possibility that there is law enforcement activity going on behind the scenes, of which I have no purview. I don’t see any potential benefit in shaming the Russians behind Naunet and algeriamanaus.ru, as that has done little previously. But at least the indicators are out there for anyone to Google.


Click here for your Asprox package

Written by kent on September 15th, 2012

I recently received the phishing email below.

Unfortunately we failed to deliver the postal package you have sent on the 27th of August in time because the recipient’s address is erroneous. Please print out the label copy attached and collect the package at our office.
<<Print a shipping label>>


I could only find minor analysis elsewhere on the web for the binary behind this campaign, and the initial links, as well as many of the C2 callbacks, are very much alive at the time of this post, several days after it was initially submitted to VirusTotal. So here I offer up some details. Caveat: I am normally spoiled with easy-to-analyze APT code, so this Eastern European cybercriminal stuff usually exceeds my attention span in a debugger. I am sticking to bare-essential dynamic analysis in an unmodified VM for a memory dump. The sample is available if you want to dig deeper.

Let’s start with the slightly sanitized headers and source of the phishmail:

Return-Path: <worldwide.services@spus-fedex.com>
X-Original-To: <me@mydomain>
Delivered-To: <me@mydomain>
Received-SPF: none (spus-fedex.com: No applicable sender policy available) receiver=mymailserver; identity=mailfrom; envelope-from="worldwide.services@spus-fedex.com"; helo=spus-fedex.com; client-ip=82.206.194.122
Received: from spus-fedex.com (unknown [82.206.194.122])
by mymailserver (Postfix) with SMTP id 10A6B21C067
for <me@mydomain>; Thu, 13 Sep 2012 07:18:25 +0000 (UTC)
Message-ID: <001801cd9180$e286c75c$640210ac@NokwandaPC>
From: "FedEx Services" <worldwide.services@spus-fedex.com>
To: <me@mydomain>
Subject: Error in the delivery address ID#06547
Date: Thu, 13 Sep 2012  09:25:00 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0012_01CD9191.A60D3020"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_0012_01CD9191.A60D3020
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Teen boy, Pa. Hershey school settle AIDS bias case

NASA to broadcast Neil Armstrong memorial service Thursday

Freddie Mac to recover billions extra from loan reviews: regulator

------=_NextPart_000_0012_01CD9191.A60D3020
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2722" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<a href="http://www.quintab2011.altervista.org/NTOBNEDMTE.htm"><img style="width: 368px; height: 353px;" alt="" src="http://www.quintab2011.altervista.org/LZGSSLVBKT.jpg"></a>
<P><FONT color=3D"#FFFFF0">Teen boy, Pa. Hershey school settle AIDS bias case</FONT></P>
<P><FONT color=3D"#FFFFF4">NASA to broadcast Neil Armstrong memorial service Thursday</FONT></P>
<P><FONT color=3D"#FFFFF3">Freddie Mac to recover billions extra from loan reviews: regulator</FONT></P>
</body>
</html>

------=_NextPart_000_0012_01CD9191.A60D3020--

| | IP Address | Country Name | Latitude | Longitude | ISP | Organization | Domain Name |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Email sender | 82.206.194.122 | Swaziland | -26.5 | 31.5 | Intelsat Global Sales & Marketing LTD. | BLUESKY customer | |
| Malcode link | 46.4.76.100 | Germany | 51 | 9 | Hetzner Online AG | Hetzner Online AG | your-server.de |

The sending IP address is assigned to a satellite service out of South Africa. High-latency satellite connections are usually not very suitable for large phishing campaigns, which indicates that the distribution path is just plain random, or that the target audience is perhaps not as large as I first suspected. Note the recent news headlines included (but hidden) to help defeat Bayesian spam filters. Note also the altervista.org-hosted image and hyperlink. Again, at the time of this post, both the image and the URL which prompts the download of the malicious binary are still very much alive. Here is a Wireshark screenshot of the “click on the link” traffic:

Unzipping the compressed file reveals an executable that has had its stock icon replaced with a PDF icon. On a typical Windows box with extensions hidden and in icon view, this would probably fool the average bear. This is what the average Windows bear would see:

I couldn’t imagine I was the first one to receive this average-bear malmail, and I was right. A search on VirusTotal for its MD5, c4c3f1b37d0061e103bcaf074a40fb98, revealed that it had been uploaded probably a few minutes before I even noticed it in my Inbox. It was late, and I had no time to throw it in a VM before bed, so I did the next best thing: I uploaded it to ThreatExpert. ThreatExpert usually does OK with analyzing Zeus/Zbot. Here are the results, fair-use copied until ThreatExpert fixes their links (or asks me to take this data down):

Submission Summary:

  • Submission details:
    • Submission received: 13 September 2012, 04:02:00 AM
    • Processing time: 8 min 0 sec
    • Submitted sample:
      • File MD5: 0xC4C3F1B37D0061E103BCAF074A40FB98
      • Filesize: 116,073 bytes
  • Summary of the findings:
| What’s been found | Severity Level |
| --- | --- |
| Downloads/requests other files from Internet. | |

Technical Details:

File System Modifications
  • The following files were created in the system:
| # | Filename(s) | File Size | File MD5 |
| --- | --- | --- | --- |
| 1 | %System%\.txt | 5 bytes | 0x43FB2705D9766EA761F934981936503F |
| 2 | [file and pathname of the sample #1] | 116,073 bytes | 0xC4C3F1B37D0061E103BCAF074A40FB98 |

Memory Modifications
  • There was a new process created in the system:
| Process Name | Process Filename | Main Module Size |
| --- | --- | --- |
| [filename of the sample #1] | [file and pathname of the sample #1] | 94,208 bytes |

Other details
  • The data identified by the following URLs was then requested from the remote web server(s):

Notice the weird port 84 of the HTTP callbacks. UPDATE 16 SEP 2012: here is an Nmap banner grab (full scan here) of port 84 on the six of the eight callback hosts that are still responding.

84/tcp open hadoop-datanode Apache Hadoop 1.2.2
|_http-title: 404 Not Found
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)

84/tcp open hbase-master Apache Hadoop Hbase 1.2.2
|_http-title: 404 Not Found
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E

84/tcp open hbase-region Apache Hadoop Hbase 1.2.2
|_http-title: 404 Not Found
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E

84/tcp open hbase-region Apache Hadoop Hbase 1.3.3
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-title: 404 Not Found
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E

84/tcp open hbase-region Apache Hadoop Hbase 1.3.3
|_http-title: 404 Not Found
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)

84/tcp open hadoop-datanode Apache Hadoop 1.2.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
|_http-title: 404 Not Found

And this is why I think they are compromised, or at least have a common administrator behind all those servers. As far as I know, Hadoop doesn’t bind to port 84 by default, which means it has probably been put there as part of a common setup among all the callback servers.

As of this writing, browsing any of those URLs indicates the callbacks are active; the following simple text string was displayed when I browsed each callback URL above:

c=idl

However, there may be some user-agent filtering going on, if the user agent I observed in the memory dump of the binary is any indicator. Which leads me to some of the interesting strings that I later saw in a VM. Here is a link to the full string dump, rather than pasting it all here, because some of the words may be offensive. But those of us who see a lot of malcode know that profanity is not uncommon. The strings match the behaviour observed by ThreatExpert, and the only behaviour I saw in the VM: injection into svchost.exe before exiting. I am confident the latter occurred because this binary has VM-detection routines, as is typical with Zeus/Zbot. HBGary’s Flypaper helped me keep the code in memory so I could dump strings on my next run.

svchost.exe 
open 
Software\Microsoft\Windows\CurrentVersion\Run 
Software\Microsoft\Windows\CurrentVersion\Run 
ntdll.dll 
NtQueryInformationProcess 
NtReadVirtualMemory 
%8x%8x%s 
ntdll.dll 
_stricmp 
strcat 
strlen 
strcpy 
sprintf 
sscanf 
memset 
memcpy 
NtQueryInformationProcess 
ZwReadVirtualMemory 
ZwMapViewOfSection 
NtCreateSection 
ZwUnmapViewOfSection 
ZwResumeThread 
.exe 
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) 
UNABmhWb7Q 
/index.php?r=gate&id= 
&group= 
n1209rcm 
&debug= 
&ips= 
idl 
run 
c=run&u=%1024s 
.exe 
rem 
rdl 
c=rdl&u=%1024[^&]&a=%x&k=%x&n=%1024s 
Software\ 
red 
c=red&n=%1024s 
upd 
c=upd&u=%1024s 
Software\ 
Software\Microsoft\Windows\CurrentVersion\Run 
http://
/index.php?r=gate/getipslist&id=
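As an added example (not from the post), here is a small Python triage helper built only from the strings above: it parses a gate reply against the sscanf-style formats in the dump (c=idl, c=run&u=…, c=rdl&u=…&a=…&k=…&n=…, c=red&n=…, c=upd&u=…) and flags a proxied request that carries the gate path or the bot’s fake User-Agent. The post does not say what each command does, so the parser only recovers command names and arguments; all sample inputs are constructed.

```python
# Added example, not the post's code: classify Asprox gate traffic using only the
# strings recovered in the dump above. All sample values below are constructed.
import re
from typing import Dict, List, Optional, Tuple

# Literal strings from the dump; no "Windows NT 9.0" release ever existed, so the UA alone is a signature.
BOT_USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
GATE_PATHS = ("/index.php?r=gate&id=", "/index.php?r=gate/getipslist&id=")

# The sscanf-style reply formats from the dump, as regexes over what follows "c=<cmd>":
# %1024s reads to whitespace (so a URL may contain '&'), %1024[^&] stops at '&', %x is hex.
REPLY_FORMATS = {
    "idl": r"$",
    "run": r"&u=(?P<u>\S{1,1024})$",
    "upd": r"&u=(?P<u>\S{1,1024})$",
    "red": r"&n=(?P<n>\S{1,1024})$",
    "rdl": r"&u=(?P<u>[^&]{1,1024})&a=(?P<a>[0-9a-fA-F]+)&k=(?P<k>[0-9a-fA-F]+)&n=(?P<n>\S{1,1024})$",
}

def parse_gate_reply(body: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (command, args) for a body matching REPLY_FORMATS, else None."""
    body = body.strip()
    head = re.match(r"c=(idl|run|rdl|red|upd)(?=&|$)", body)
    if not head:
        return None
    cmd = head.group(1)
    tail = re.match(REPLY_FORMATS[cmd], body[head.end():])
    if not tail:
        return None
    args: Dict[str, object] = dict(tail.groupdict())
    for hex_field in ("a", "k"):  # %x fields arrive as hex text
        if hex_field in args:
            args[hex_field] = int(str(args[hex_field]), 16)
    return cmd, args

def gate_request_indicators(path: str, user_agent: str) -> List[str]:
    """Reasons a proxied HTTP request looks like a bot check-in (empty if none)."""
    reasons = []
    if path.startswith(GATE_PATHS):
        reasons.append("gate path from string dump")
    if user_agent == BOT_USER_AGENT:
        reasons.append("exact bot User-Agent from string dump")
    elif "Windows NT 9.0" in user_agent:
        reasons.append("impossible Windows NT 9.0 in User-Agent")
    return reasons

SAMPLE_LOG = [  # constructed lines; shape: client "METHOD path" "User-Agent"
    '10.0.0.5 "GET /index.html" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0"',
    '10.0.0.9 "GET /index.php?r=gate&id=abc123&group=n1209rcm" "' + BOT_USER_AGENT + '"',
]

def scan_access_log(lines: List[str]) -> List[str]:
    """Return the log lines whose request carries any gate indicator."""
    flagged = []
    for line in lines:
        m = re.match(r'(\S+) "(\S+) (\S+)" "([^"]*)"$', line)
        if m and gate_request_indicators(m.group(3), m.group(4)):
            flagged.append(line)
    return flagged
```

Run against a web server’s access log, scan_access_log() picks out exactly the check-ins a compromised proxy host like the ones above would be relaying.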

I don’t know the purpose of this code other than that it is related to the very capable, modular crimeware Trojan Zeus/Zbot. The perpetrators could probably do anything with your system and all of its data and files once it has been installed. Before I end this post, I wanted to expose some of the callback locations in detail. I will probably try to contact a few of the hosting providers to see if they know what is up.

| IP Address | Country Name | City | Postal | Latitude | Longitude | ISP | Organization | Domain Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 74.208.73.243 | United States | Wayne, PA | 19087 | 40.0548 | -75.4083 | 1&1 Internet | 1&1 Internet | onlinehome-server.com |
| 209.20.78.241 | United States | Saint Louis, MO | 63108 | 38.6446 | -90.2533 | Slicehost LLC | Slicehost LLC | slicehost.net |
| 77.81.225.253 | Romania | Vulcan | | 45.3833 | 23.2667 | Sc Impatt Srl | Sc Impatt Srl | |
| 203.130.129.58 | Thailand | Bangkok | | 13.754 | 100.5014 | Jasmine Internet Co | Jasmine Internet Co | |
| 72.55.174.23 | Canada | Montreal | h3e1z6 | 45.5 | -73.5833 | IWeb Technologies | iWeb Dedicated CL | privatedns.com |
| 78.137.161.116 | Ireland | | | 53 | -8 | Digiweb | Digiweb | digiweb.ie |
| 114.202.247.182 | Korea, Republic of | Seoul | | 37.5985 | 126.9783 | Hanaro Telecom | Hanaro Telecom | |
| 188.138.95.133 | Germany | | | 51 | 9 | intergenia AG | intergenia AG | startdedicated.com |