Man in the middle exposure is alive and well

Written by kent on February 23rd, 2015

For those who track exploit and vulnerability news, the word “komodia” or “superfish” is a pretty popular set of terms in security news lately. I won’t save you a Google search. But suffice to say that once you look, the average Joe’s exposure to man in the middle (MITM) is alive and well. It turns out that the Komodia Root Certificate problem prompted the exposure by security researchers of many other similarly “rooted” issues by other vendors like this one.

But what about MITM exploits and vulnerabilities that were widely publicized five years ago? Well, I was reminded by an invoice that I received from my pest control provider, that “innocent” MITM exposure hasn’t gone away.  I will sanitize the pest provider’s name because I don’t think they have done anything wrong. They outsourced everything which is usually a good thing for small businesses that do not have in-house expertise in IT security. Here is a screenshot of the email I just received:

[Screenshot: email-invoice]

Of course I checked the headers and made sure the PDF was legit.  The link directed me to their local Time Warner broadband-connected IIS 7.5 server, which allowed me to enter my name and credit card type, then click on next, at which time I was presented with the follow-on page that asked for my credit card info:

[Screenshot: what-security]

In apparent response to the fact that this page itself was not encrypted, the payment processor, Element Payment Services, tries to convince you that there is nothing to worry about: the page to which you actually submit your credit card info is indeed encrypted. But apparently they didn’t get the widely publicized memos from multiple security researchers like Dan Kaminsky and Moxie Marlinspike, the latter of whom came up with a practical way, sslstrip, to show that this sort of “secure submit from an insecure page” arrangement is trivially bypassed. While I am fairly confident that there is no miscreant sniffing and/or subverting the connection between two local Hawaii ISPs, I would not be so sure on the average Wi-Fi connection.

This sort of mediocre security bugs me. So I called Element Payment Systems. The rep was pleasant on the phone, but they pretty much wouldn’t talk to me. They would only deal with the merchant. I am thinking the easiest fix would be for my pest provider to install an SSL certificate on their back-end system, the one into which their customers sign in. An SSL certificate is a tiny fraction of the cost of what they spend on outsourcing and hosting their back-end Windows server(s). And as far as the paragraph written by Element Payment Systems goes, they should get rid of that hokey “trust us, we know what we are doing” sort of thing. You don’t see US banks use SSL-strip-able pages anymore. So why should we see payment processors or merchants display them either? I will give them a bit to remedy this. Or I will find a new pest control provider. Should that happen, it means my pest provider would have lost a customer paying an annual rate more than ten times the cost of a medium-tier SSL certificate. I will even offer to install the SSL certificate on their web server for free.

I would say trust me, I know what I am doing. Or something like that.
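As an added example (not code from the original post), here is a defender's check for the arrangement described above: a plaintext page whose form posts to an HTTPS endpoint, which is exactly the gap an sslstrip-style downgrade exploits. The HTML sample, hostnames and the `audit_page` name are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects each form's action and whether it asks for sensitive input."""

    SENSITIVE = ("card", "cc", "cvv", "password", "passwd", "ssn")

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if a.get("type", "").lower() == "password" or any(k in name for k in self.SENSITIVE):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, response_headers=None):
    """Audit one fetched page; returns a list of (code, url, explanation) tuples.

    The point from the post: when the page itself arrives over http://, anyone
    on the path has already been able to rewrite it, so a form action that says
    https:// proves nothing to the user.  Serving the page itself over TLS
    (plus HSTS so later http:// visits are upgraded) closes that gap.
    """
    headers = {k.lower(): v for k, v in (response_headers or {}).items()}
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "http" and target_scheme == "https":
            findings.append(("STRIPPABLE_FORM", target,
                             "plaintext page posts to HTTPS; the action URL itself "
                             "can be rewritten in transit"))
        elif target_scheme == "http" and form["sensitive"]:
            findings.append(("PLAINTEXT_SUBMIT", target,
                             "sensitive fields are submitted over HTTP"))

    if page_scheme == "https" and "strict-transport-security" not in headers:
        findings.append(("NO_HSTS", page_url,
                         "HTTPS page without Strict-Transport-Security, so a "
                         "later http:// visit is still downgradeable"))
    return findings


# Constructed sample modelled on the payment page described in the post.
SAMPLE_HTML = """
<html><body>
<p>Your information will be sent to a secure server.</p>
<form method="post" action="https://pay.example.test/submit">
  <input name="name"> <input name="card_number"> <input name="cvv">
</form>
</body></html>
"""

if __name__ == "__main__":
    for code, where, why in audit_page("http://merchant.example.test/invoice", SAMPLE_HTML):
        print(f"{code}: {where} ({why})")
```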


 

 

Malware on a plane

Written by kent on October 25th, 2014
  • It appears that your IP address, 64.88.227.134, is listed in the Spamhaus Exploits Block List which is a list of IP addresses of hijacked PC’s infected by illegal 3rd party exploits, open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

Just posted from a Wi-Fi equipped, United flight.  One of the problems with sharing the Wi-Fi with a planeload of others is that at least some of them are bound to have an infected PC.

 

How to have a comfortably long trip in a wheel well of a 767 jetliner at 40,000 feet

Written by kent on July 4th, 2014

Well, at least until you get arrested. The purpose of this post is to “air out” a thought experiment I had, following the newsworthy survival of a 15-year old who stowed away in the wheel well of a Hawaiian Airlines 767 from California to Maui.  Lest a reader forget, stowing away on a commercial airliner risks a seriously long prison term and fines, even if one did survive. It is likely that the teenager survived because of a “hypothermia-induced coma-like state”, slowing down his body and brain so that it did not need as much oxygen.  Because at that altitude, there isn’t much oxygen or heat. But isn’t there a more certain–and comfortable– way to make it to your reservation in a cell at the federal prison, in a wheel well of a transpacific jetliner?  
Why yes there is, let me explain. There are several environmental factors that severely challenge your vitality in a wheel well, besides just the poor leg room (click on the image below for video) that would make even a seasoned Virgin Air traveler grimace.

[Image: long_flight]

As I mentioned, principally these are the following:

  1. Lack of oxygen
  2. Lack of heat

With modern technology, these challenges to your vitality can be overcome, allowing you to not worry about experiencing your first and likely last hypothermia-induced coma.  It would not be exorbitantly expensive, either, depending on what kinds of stuff you have lying around the home workshop.  But still, it would be hard to get the cost of required life support equipment as low as the cost of an economy seat in the pressurized and heated cabin just a few feet above you. But perhaps cheaper than that first class ticket. So here it is

  • Problem: Lack of oxygen at 40,000 feet
  • Solution: Use a homemade (or surplus Russian) closed-circuit oxygen rebreather

So, you ask, what is a closed-circuit rebreather? At its simplest, a closed-circuit oxygen rebreather is a breathing gas re-circulator that adds oxygen and absorbs carbon dioxide (CO2).  Even military closed circuit oxygen rebreathers that have undergone significant research and development efforts are still rather simple affairs.  Consider the following schematic for the German designed Lar V rebreather.

 

This is the venerable rebreather still used by Navy special forces worldwide.  You could also buy a suitable brand-new Russian surplus rebreather on eBay for about $800.00 plus shipping. However, due to its protective shell, its bulk would be a detraction for use in the wheel well of an aircraft.  Also, the issue of reduced scrubber performance at extreme cold becomes important at the temperatures reached at 40,000 feet.

So I would rather build one myself in the style (though not exact specifications) of the TP2000 designed by the late Will Smithers, described here:

Yes, it is rather straightforward to make one yourself. Well, I guess straightforward being relative. Compared to their closed circuit mixed-gas rebreather cousins, at least. Having dived and worked on mixed-gas closed circuit rebreathers for most of ten years, a simple oxygen rebreather doesn’t need sensors and electronic displays to safely support life.  Also, an oxygen rebreather at altitude has one other thing going for it that an oxygen rebreather at depth does not have: there is no risk of *too much* oxygen, an affliction known as hyperoxia.  This contrasts to the hyperoxia that is the single most dangerous aspect of using an oxygen rebreather underwater, that can occur if depth limits are exceeded.

I have measured my oxygen consumption sitting on a couch as less than half a liter per minute. For surviving a five hour flight at the moderate oxygen consumption requirements of sitting, the diminutive scrubber of the TP2000 would probably be sufficient.  However, I would be more inclined to use perhaps a surplus Russian IDA 71 scrubber (eBay links included) that, if kept warm enough, should easily last 6 hours or more at resting metabolism.  I would also want a little more oxygen to spare, so perhaps a 437 liter composite cylinder (about $300) that should last at least 800 minutes; way more than sufficient for lasting through the longest international flight.

Some small but important safety details that I would consider would be to have an adjustable oxygen trickler valve that would constantly feed a little oxygen into the breathing loop, aside from that manually added by the operator or automatically by a demand valve.  This is a common safety principle used by many underwater rebreather divers and is the principal safety feature of the popular manually-controlled KISS rebreathers from the Jetsam company. On my Mk 15.5 rebreather I have designed my own “leaky valve” system using spec-built hardware from gas chromatograph applications.  But the point of a leaky valve at altitude would be to leak the approximate amount of oxygen into the breathing loop that the operator consumes, to counteract, via slight positive pressure, any buildup of nitrogen caused by leaks from the ambient atmosphere, which could otherwise spell unconsciousness without warning to the operator.  This exact issue of leak “contamination” by outside air has been noted as a very significant problem in the development of alpine rebreathers, and is probably why alpine rebreathers are still not popular in spite of their potentially game-changing advantages over open circuit alpine oxygen systems.  By having that extra large oxygen cylinder (but still a small fraction of the size and weight of a regular scuba tank), one would not worry too much about exact adjustments of the trickler valve. Also, the extra oxygen supply would allow for regular 100% oxygen flushes of the breathing loop during the flight, critical to counteracting any buildup of nitrogen should there be even small leaks in the loop.

I would also include a full face mask, because holding a mouthpiece in one’s mouth for more than an hour or two leads to severe jaw fatigue. And the point of this post is to walk the dog through my assertion that one *could* be comfortable in a wheel well.

Which brings us to the second significant challenge to one’s vitality in a wheel well at 40,000 feet.

  • Problem: Lack of heat at 40,000 feet
  • Solution: Wear some clothing designed for hanging out in the Arctic

Most people have heard of snowmobile suits.  They are comfortable in cold weather.  However, they perhaps aren’t as warm as a caribou suit hand made by an Inuit crafter, and, as I will shortly mention, aerogel.  But they do have padding and you can buy them at a store, unlike a caribou suit.  And that is the main purpose that I propose them to be included in one’s wheel well kit. The padding would not only be for the uncomfortable metal protuberances of a wheel well, but it would also serve to pad one’s body from the protuberances of the above described rebreather apparatus, and provide sufficient insulation when you have to open your outerwear. Ideally, I would want to cut (and then seal!) holes in the front of the snowmobile suit for the breathing hoses of the rebreather to penetrate so that the CO2 scrubber itself would be inside, warmed by one’s body, and thus ensuring the highest efficiency of the CO2 absorbent.   Over the snowmobile suit and rebreather would come the outerwear, perhaps aerogel ShiverShield hunters pants and a warm parka designed for 60 below zero like this one. If you haven’t heard of aerogel before, I would suggest a Google search.  So the point of the aerogel pants on top of snowmobile suit would be to be comfortable at temperatures approaching seventy below zero, in spite of the insulation being compressed while sitting.  A popular source for just the outfit is ShiverShield.  You would want to get the pants, insoles, and hunter’s seat while at it.  And one would want the larger size since one’s rebreather would need to be worn underneath it.

To wrap it all up, a balaclava to hold one’s noise canceling headphones (to be worn over earplugs, in turn, because it would be *very* noisy).  And then one would want a watch with a timer, set to remind you to flush the rebreather loop every so often, just to make sure nitrogen wasn’t building up.

And that wraps up my thought experiment for this 4th of July eve. Thanks for reading.

 

Digital parochialism is alive and well

Written by kent on May 13th, 2014

What does the following mean to you?

[Image: fax-timestamp]

Based on the face value, “2014-04-16 09:28:07 (GMT)”, I stood to lose a significant chunk of change. A collective of otherwise reasonably trained technicians and service representatives for a Fortune 100 company saw only one thing: a time stamp that was after their deadline of midnight customer time, April 15th.

But let me expand your horizon, if you hadn’t considered something other than digits in a graphic.  This is a time stamp that is equivalent to:

5:28 PM on April 16th in Beijing

4:28 AM on April 16th in New York

2:28 AM on April 16th in San Francisco

and, get this….

11:28 PM on April 15th in Honolulu 

This is an example of what I call digital parochialism. It might be the same type of parochialism that is responsible for someone in New Jersey calling a Honolulu number at 9 am East Coast time in the morning, puzzled as to why the person on the other end might be kind of grouchy.  There are probably lots more examples of digital parochialism that extend outside the realm of time zones, but none more apropos to my situation. I will not be specifically naming the Fortune 100 company afflicted with this issue, because they are certainly not the only one with staff so infected, and will not be the last. But hopefully they will shortly be passing around a cup of cure.

:-)
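A small worked example, added here and not part of the original post, of evaluating the same time stamp the way the service reps should have: convert to the customer's zone first, then compare with the deadline. The fixed UTC offsets are assumed for the date in question, and `met_deadline` is a name chosen for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed UTC offsets in effect on 2014-04-16 (constructed table for this example):
# San Francisco was on daylight time; Beijing and Honolulu do not observe it.
# A production tool should use zoneinfo names such as "Pacific/Honolulu" instead
# of hard-coded offsets, so that daylight-time changes are handled for any date.
OFFSETS = {"Beijing": 8, "San Francisco": -7, "Honolulu": -10}


def parse_gmt_stamp(stamp):
    """'2014-04-16 09:28:07 (GMT)' -> timezone-aware UTC datetime."""
    core = stamp.replace("(GMT)", "").strip()
    return datetime.strptime(core, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def localize(utc_dt, city):
    """Express an aware UTC datetime as wall-clock time in the given city."""
    return utc_dt.astimezone(timezone(timedelta(hours=OFFSETS[city]), name=city))


def met_deadline(stamp, customer_city, deadline):
    """True if the stamp falls on or before `deadline` (YYYY-MM-DD) in the
    customer's local time; midnight ending that date is the cutoff.

    This is the comparison the reps in the post skipped: the GMT digits on
    the fax are not the customer's date.
    """
    local = localize(parse_gmt_stamp(stamp), customer_city)
    cutoff = datetime.strptime(deadline, "%Y-%m-%d").date()
    return local.date() <= cutoff


STAMP = "2014-04-16 09:28:07 (GMT)"

if __name__ == "__main__":
    for city in OFFSETS:
        print(f"{city:14} {localize(parse_gmt_stamp(STAMP), city):%Y-%m-%d %I:%M %p}")
    print("Honolulu deadline met:", met_deadline(STAMP, "Honolulu", "2014-04-15"))
```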

 

 

NTP vulnerabilities affect all Hawaiian Telcom Internet service customers, so Hawaiian Telcom blocks all NTP

Written by kent on February 20th, 2014

After a rash of Network Time Protocol reflection/amplification attacks, Hawaiian Telcom confirmed that NTP was indeed blocked globally “for the cyber safety of their customers” until they can roll out a patch to all of their customer Pace routers vulnerable to the exploit. I found that another ISP, Sonic, is having the same problem as Hawaiian Telcom with its Pace routers.

CERT has published this Vulnerability Note

Here you go.  The following are the NTP servers that Hawaiian Telcom has exempted (though most of their tech support staff do not know it) from their recent global block ACL, which drops everything else on the Internet on UDP port 123:

12.230.209.133

12.230.208.133

12.230.208.48

12.230.209.5
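An added detection example, not from the original post: it scans constructed NetFlow-style records for the reflection pattern behind these attacks (a server answering on UDP/123 with far more bytes than one peer sent it) and models the exemption ACL described above using the four addresses listed. The flow format, thresholds and function names are assumptions for this illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records: ts src sport dst dport proto bytes pkts
# Lines 1-2 are a normal 48-byte client/server exchange; the rest show a
# spoofed "client" 192.0.2.77 receiving large replies from two servers.
SAMPLE_FLOWS = """\
2014-02-18T10:00:01 203.0.113.5   50000 198.51.100.10 123   udp 48    1
2014-02-18T10:00:01 198.51.100.10 123   203.0.113.5   50000 udp 48    1
2014-02-18T10:00:02 192.0.2.77    123   198.51.100.10 123   udp 234   1
2014-02-18T10:00:02 198.51.100.10 123   192.0.2.77    123   udp 48200 100
2014-02-18T10:00:03 192.0.2.77    123   198.51.100.11 123   udp 234   1
2014-02-18T10:00:03 198.51.100.11 123   192.0.2.77    123   udp 47900 100
"""

NTP_PORT = 123

# The four servers the post lists as exempted from the ISP's UDP/123 block.
HAWAIIAN_TELCOM_NTP = {"12.230.209.133", "12.230.208.133", "12.230.208.48", "12.230.209.5"}


def parse_flows(text):
    """Parse the constructed flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows


def find_amplifiers(flows, min_ratio=10.0, min_bytes=10_000):
    """Return {server_ip: (bytes_out, bytes_in, ratio, peer_ip)} for hosts that
    send far more bytes from port 123 to a peer than that peer sent to them.

    A normal exchange is symmetric (48 bytes each way).  Tens of kilobytes in
    reply to a few hundred bytes from one peer is the reflector pattern behind
    the attacks in the post; the peer address is the spoofed victim.
    """
    inbound = defaultdict(int)   # (server, peer) -> bytes into server's port 123
    outbound = defaultdict(int)  # (server, peer) -> bytes out of server's port 123
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == NTP_PORT:
            inbound[(f["dst"], f["src"])] += f["bytes"]
        if f["sport"] == NTP_PORT:
            outbound[(f["src"], f["dst"])] += f["bytes"]

    suspects = {}
    for (server, peer), out_bytes in outbound.items():
        in_bytes = inbound.get((server, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_bytes and ratio >= min_ratio:
            suspects[server] = (out_bytes, in_bytes, ratio, peer)
    return suspects


def permitted_under_block(flow, allowlist):
    """Model of the ACL described in the post: UDP/123 traffic passes only when
    the server side of the exchange is on the allowlist; all other NTP drops."""
    if flow["proto"] != "udp" or NTP_PORT not in (flow["sport"], flow["dport"]):
        return True  # the block only concerns NTP
    if flow["dport"] == NTP_PORT and flow["dst"] in allowlist:
        return True
    if flow["sport"] == NTP_PORT and flow["src"] in allowlist:
        return True
    return False


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for server, (out_b, in_b, ratio, peer) in find_amplifiers(flows).items():
        print(f"{server} sent {out_b} bytes to {peer} for {in_b} in (x{ratio:.0f})")
    blocked = [f for f in flows if not permitted_under_block(f, HAWAIIAN_TELCOM_NTP)]
    print(f"{len(blocked)} of {len(flows)} flows would be dropped by the ACL")
```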

 

 

Economics of Dogecoin Mining in Honolulu

Written by kent on December 31st, 2013

Years ago now I bought a Bitcoin for twelve dollars and a few cents. Around the same time I ran a Bitcoin peer daemon for a while on this very web server in order to observe and analyze the Bitcoin P2P traffic.  Later, I cashed out that Bitcoin and made a profit of…a few cents.  Should have waited, huh?  Nonetheless, that brings me to the topic of this post, which is the economics of mining a cryptocurrency like Dogecoin.  Dogecoin has made the news recently because of its pop status as the first meme-based cryptocurrency, not to mention an online Dogecoin wallet theft. Dogecoin was inspired by the Doge meme which was itself started by a marked-up photo of a rescue dog belonging to an unwitting middle-aged schoolteacher in Japan. But I digress at the expense of saving you from a Google search.

Dogecoin and other scrypt-based cryptocurrency alternatives like Litecoin have brought back to the masses the potential of (albeit limited) profitability in cryptocurrency mining.  That is because within just the last year, mining of the cryptocurrency standard, Bitcoin, owing to the intentionally ballooning difficulty in the Bitcoin code, has quickly become profitable only with the use of massive-scale ASIC-based mining operations, such as a liquid-cooled dedicated facility in Hong Kong. But, given some cheap power and a video card with a decent GPU, or a cheap VPS, you can actually make a few cents mining alternate coins.  But barely.

If you live in Honolulu like I do where the per-kilowatt-hour price of electrical power is $0.36 (and well above $0.40 on neighbor islands!), such a tiny profit feat would actually be impossible.  You would be adding to global warming at the same time as subtracting from your wallet. But there is cheap power to be had in Hawaii, specifically: solar power from photo voltaic installations.  If you have PV overcapacity like some folks I know, putting an old gaming rig or two to pasture at cryptocurrency mining couldn’t hurt.

Now, if you think cryptocurrency mining might be for you, use this mining calculator to confirm you aren’t actually delusional.
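The arithmetic behind such a calculator, as an added example that is not part of the original post: expected coins per day follow from the difficulty-to-hashes relation, and the Honolulu price of $0.36/kWh from the post decides whether the result is positive. The rig and market figures in the demo are constructed, not quoted from the post.

```python
def expected_coins_per_day(hashrate_hps, difficulty, block_reward):
    """Expected coins per day at a steady hash rate.

    Proof-of-work difficulty is defined so that, on average, difficulty * 2**32
    hash attempts are needed per block; the relation is the same for scrypt
    coins such as Dogecoin and Litecoin as for Bitcoin's SHA-256d.
    """
    hashes_per_block = difficulty * 2 ** 32
    blocks_per_day = hashrate_hps * 86400 / hashes_per_block
    return blocks_per_day * block_reward


def electricity_cost_per_day(watts, price_per_kwh):
    """Daily power cost of a rig drawing `watts` around the clock."""
    return watts / 1000 * 24 * price_per_kwh


def daily_profit(hashrate_hps, difficulty, block_reward, coin_price_usd,
                 watts, price_per_kwh, pool_fee=0.0):
    """Revenue (after pool fee) minus electricity; negative means you pay to mine."""
    coins = expected_coins_per_day(hashrate_hps, difficulty, block_reward)
    revenue = coins * coin_price_usd * (1 - pool_fee)
    return revenue - electricity_cost_per_day(watts, price_per_kwh)


def break_even_kwh_price(hashrate_hps, difficulty, block_reward, coin_price_usd,
                         watts, pool_fee=0.0):
    """Electricity price at which mining exactly pays for its own power."""
    coins = expected_coins_per_day(hashrate_hps, difficulty, block_reward)
    revenue = coins * coin_price_usd * (1 - pool_fee)
    return revenue / (watts / 1000 * 24)


HONOLULU_KWH = 0.36  # the per-kilowatt-hour price quoted in the post

if __name__ == "__main__":
    # Constructed rig and market parameters for demonstration only.
    rig = dict(hashrate_hps=300_000, difficulty=1500, block_reward=250_000,
               coin_price_usd=0.0005, watts=300)
    print(f"coins/day: {expected_coins_per_day(rig['hashrate_hps'], rig['difficulty'], rig['block_reward']):.1f}")
    print(f"profit/day at ${HONOLULU_KWH}/kWh: ${daily_profit(price_per_kwh=HONOLULU_KWH, **rig):.3f}")
    print(f"break-even electricity price: ${break_even_kwh_price(**rig):.3f}/kWh")
```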

 

[Screenshot: doge-kwh]

 

Money mule recruiting campaign for Tuesday, 19 November 2013

Written by kent on November 20th, 2013

From my Inbox.  More about Money Mules here:

https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf

 

#####BEGIN MONEY MULE RECRUITING EMAIL#####

Return-Path: <amackubye@london.com>
X-Original-To: <sanitized>
Delivered-To: <sanitized>
Received: from london.com (bas10-montreal28-2925132541.dsl.bell.ca [174.89.250.253])
 by <sanitized> (Postfix) with SMTP id 544E4186A31
 for <sanitized>; Tue, 19 Nov 2013 21:17:48 -0600 (CST)
Message-ID: <C20110CF.DB945F0B@london.com>
Date: Wed, 20 Nov 2013 04:17:41 +0100
Reply-To: "<Me>" <amackubye@london.com>
From: "<Me>" <amackubye@london.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19
MIME-Version: 1.0
To: "AOL Users" <sanitized>
Subject: Find the job that's right for you.
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Good day

We are pleased to inform report you that we start recruiting recruitment for the  Operations Assistant vacancy We do not discriminate in practices job on the basis of an individual’s race, color, national ethnic origin,  age marital status, veteran status, disability, or any other prohibited category set forth in federal or state regulations.

 

JOB POSITION: Operations Assistant (home-sourced) usd 500/week | PART-TIME | FLEXIBLE SCHEDULE

 

Requirements:

– Must be able to work independently;

– Must be detail oriented and organized responsible;

– Must be able to work well with others;

– PC proficient in Windows environments.

 

Duties Instructions:

– Process payments money transfers from customers;

– Check and verify transactions to ensure consistency and accuracy of accounting documents;

– May assist in the training and guiding of staff.

 

APPLY:

To apply please send your Resume: careers@grandconsultgroup.com

#####END MONEY MULE RECRUITING EMAIL#####

 

The following Dossier is courtesy Centralops.net:

 

Address lookup

canonical name grandconsultgroup.com.
aliases
addresses 89.144.29.207

Domain Whois record

Queried whois.internic.net with “dom grandconsultgroup.com”…

   Domain Name: GRANDCONSULTGROUP.COM
   Registrar: INTERNET.BS CORP.
   Whois Server: whois.internet.bs
   Referral URL: http://www.internet.bs
   Name Server: NS1.1000MBIT.RU
   Name Server: NS2.1000MBIT.RU
   Status: clientTransferProhibited
   Updated Date: 12-sep-2013
   Creation Date: 12-sep-2013
   Expiration Date: 12-sep-2014

>>> Last update of whois database: Wed, 20 Nov 2013 19:30:39 UTC <<<

Queried whois.internet.bs with “grandconsultgroup.com”…

Domain grandconsultgroup.com

Date Registered: 2013-9-12
Expiry Date: 2014-9-12

DNS1: ns1.1000mbit.ru
DNS2: ns2.1000mbit.ru

Registrant
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccz110on03@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Administrative Contact
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccb5qgpw80@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Technical Contact
    Fundacion Private Whois
    Domain Administrator
    Email:5231efccdrlo73ff@5225b4d0pi3627q9.privatewhois.net
    Attn: grandconsultgroup.com
    Aptds. 0850-00056
    Zona 15 Panama
    Panama
    Tel: +507.65995877

Registrar: Internet.bs Corp.
Registrar's Website : http://www.internetbs.net/

Network Whois record

Queried whois.ripe.net with “-B 89.144.29.207”…

% Information related to '89.144.29.203 - 89.144.29.207'

% No abuse contact registered for 89.144.29.203 - 89.144.29.207

inetnum:        89.144.29.203 - 89.144.29.207
netname:        RU-VICORE-Network
descr:          Kras-Infocom LLC
descr:          Own infrastructure
descr:          Frankfurt am Main, Germany
country:        RU
admin-c:        KL2321-RIPE
tech-c:         KL2321-RIPE
status:         assigned PA
mnt-by:         ISP4P-MNT
changed:        hostmaster@isp4p.net 20130505
source:         RIPE

person:         Kras-infocom LLC
address:        Igor Astafyev
address:        Krasnoy Gvardii st.,21 of 209
address:        660075, Krasnoyarsk
address:        Krasnoyarskiy kray
phone:          +7 391 2414964
fax-no:         +7 391 2094408
abuse-mailbox:  abs@rusmailbox.ru
nic-hdl:        KL2321-RIPE
mnt-by:         ISP4P-MNT
changed:        hostmaster@isp4p.net 20130504
source:         RIPE

% Information related to '89.144.0.0/18AS35042'

route:          89.144.0.0/18
descr:          ISP4P
origin:         AS35042
mnt-by:         ISP4P-MNT
mnt-routes:     mnt-weesly
changed:        info@isp4p.net 20130701
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.70 (WHOIS4)

DNS records

name class type data time to live
grandconsultgroup.com IN MX
preference: 10
exchange: mx.yandex.ru
14400s (04:00:00)
grandconsultgroup.com IN SOA
server: ns1.1000mbit.ru
email: witalij@rusmailbox.ru
serial: 2013091203
refresh: 86400
retry: 7200
expire: 3600000
minimum ttl: 86400
86400s (1.00:00:00)
grandconsultgroup.com IN NS ns1.1000mbit.ru 86400s (1.00:00:00)
grandconsultgroup.com IN NS ns2.1000mbit.ru 86400s (1.00:00:00)
grandconsultgroup.com IN A 89.144.29.207 14400s (04:00:00)
207.29.144.89.in-addr.arpa IN PTR quantum.1000mbit.ru 86400s (1.00:00:00)
29.144.89.in-addr.arpa IN SOA
server: ns3.isp4p.net
email: hostmaster@isp4p.net
serial: 2005110900
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 3600
86400s (1.00:00:00)
29.144.89.in-addr.arpa IN RRSIG
type covered: NSEC (47)
algorithm: RSA/SHA-1 (5)
labels: 5
original ttl: 7200 (02:00:00)
signature expiration: 2013-12-20 16:54:19Z
signature inception: 2013-11-20 15:54:19Z
key tag: 9753
signer’s name: 89.in-addr.arpa
signature:
(1024 bits)
7200s (02:00:00)
29.144.89.in-addr.arpa IN NSEC
next domain name: 3.144.89.in-addr.arpa
record types: NS RRSIG NSEC
7200s (02:00:00)
29.144.89.in-addr.arpa IN NS ns3.isp4p.net 3600s (01:00:00)
29.144.89.in-addr.arpa IN NS ns4.isp4p.net 3600s (01:00:00)

Traceroute

Tracing route to grandconsultgroup.com [89.144.29.207]…

hop rtt rtt rtt ip address fully qualified domain name
1 0 0 0 208.101.16.73 208.101.16.73-static.reverse.softlayer.com
2 0 0 0 66.228.118.153 ae11.dar01.sr01.dal01.networklayer.com
3 0 0 0 173.192.18.210 ae6.bbr01.eq01.dal03.networklayer.com
4 0 0 0 173.192.18.209 ae7.bbr02.eq01.dal03.networklayer.com
5 20 20 20 173.192.18.135 ae1.bbr01.tl01.atl01.networklayer.com
6 19 23 25 198.32.132.75 10gigabitethernet1-3.core1.atl1.he.net
7 35 32 41 184.105.213.109 10gigabitethernet16-5.core1.ash1.he.net
8 112 113 124 184.105.213.94 10gigabitethernet9-2.core1.par2.he.net
9 170 181 185 72.52.92.25 10gigabitethernet15-1.core1.fra1.he.net
10 120 120 120 31.214.136.65
11 121 121 121 109.230.212.130
12 119 118 119 109.230.226.122
13 118 118 118 89.144.29.207 quantum.1000mbit.ru

Trace complete

Service scan

FTP – 21 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 03:31. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
220 Logout.
SMTP – 25 220-quantum.1000mbit.ru ESMTP Exim 4.80.1 #2 Thu, 21 Nov 2013 03:31:21 +0800
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
421 quantum.1000mbit.ru lost input connection
HTTP – 80
POP3 – 110 +OK Dovecot ready.

___________________________________________________________

[Screenshot: grandconsultgroup website]
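An added triage example, not part of the original post, run over the headers quoted above and the registry creation date from the dossier: it pulls the originating hop from the Received header, compares the HELO name with reverse DNS, and checks how old the contact domain was when the mail was sent. The sanitized recipient fields are filled with placeholders, and the flag names and heuristics are this example's own.

```python
import email
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Headers and contact line from the recruiting email quoted in the post; the
# fields the post sanitized are filled with obvious placeholders so it parses.
SAMPLE_EMAIL = """\
Return-Path: <amackubye@london.com>
Received: from london.com (bas10-montreal28-2925132541.dsl.bell.ca [174.89.250.253])
 by mx.example.invalid (Postfix) with SMTP id 544E4186A31
 for <recipient@example.invalid>; Tue, 19 Nov 2013 21:17:48 -0600 (CST)
Message-ID: <C20110CF.DB945F0B@london.com>
Date: Wed, 20 Nov 2013 04:17:41 +0100
Reply-To: "<Me>" <amackubye@london.com>
From: "<Me>" <amackubye@london.com>
To: "AOL Users" <recipient@example.invalid>
Subject: Find the job that's right for you.

Good day

JOB POSITION: Operations Assistant (home-sourced) usd 500/week
To apply please send your Resume: careers@grandconsultgroup.com
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
RESIDENTIAL_HINTS = ("dsl", "dyn", "cable", "pool", "ppp")  # heuristic only


def load_sample():
    return email.message_from_string(SAMPLE_EMAIL)


def origin_hop(msg):
    """HELO name, reverse DNS and IP of the hop that handed the mail to us.
    Relays prepend Received headers, so the last one is the originating hop."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    return m.groupdict() if m else None


def helo_mismatch(hop):
    """True when the HELO name's registrable domain differs from the rDNS name's
    (two-label comparison; a real tool would consult the public suffix list)."""
    helo = ".".join(hop["helo"].lower().split(".")[-2:])
    rdns = ".".join(hop["rdns"].lower().split(".")[-2:])
    return helo != rdns


def body_contact_domains(msg):
    """Domains of addresses in the body that differ from the From: domain."""
    from_domain = ADDR_RE.search(msg["From"]).group(0).split("@")[1].lower()
    found = {a.split("@")[1].lower() for a in ADDR_RE.findall(msg.get_payload())}
    return found - {from_domain}


def domain_age_days(whois_created, msg):
    """Age of the contact domain on the day the message was sent; whois_created
    is in the '12-sep-2013' form the registry returned in the dossier."""
    created = datetime.strptime(whois_created, "%d-%b-%Y").date()
    sent = parsedate_to_datetime(msg["Date"]).date()
    return (sent - created).days


def triage(msg, contact_domain_created, young_days=90):
    """Collect the indicators a mail gateway or analyst would flag."""
    flags = []
    hop = origin_hop(msg)
    if hop and helo_mismatch(hop):
        flags.append("HELO_RDNS_MISMATCH")
    if hop and any(h in hop["rdns"].lower() for h in RESIDENTIAL_HINTS):
        flags.append("ORIGIN_RESIDENTIAL_DSL")
    if body_contact_domains(msg) and domain_age_days(contact_domain_created, msg) < young_days:
        flags.append("YOUNG_CONTACT_DOMAIN")
    return flags


if __name__ == "__main__":
    msg = load_sample()
    print(origin_hop(msg))
    print("contact domains:", body_contact_domains(msg))
    print("flags:", triage(msg, "12-sep-2013"))
```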

 

 

Undocumented Outlook 2010/2013 feature: PGP-GPG-GnuPG-signed email validation out of the box

Written by kent on September 26th, 2013

UPDATE NOV 2013.  My wife pointed out to me that Outlook 2010 has the same feature.  Having used Outlook 2013 as my main email client (on Windows) for a few days now, I was surprised it took me so long to notice the digital signature ribbons in my preview pane on GPG/PGP-signed and S/MIME-signed emails alike.  They looked like this (sent to myself for purposes of this post).

[Screenshot: Outlook2k13-crypto-ribbons]

Hmm.  That’s interesting.  I thought Outlook was an S/MIME-shop only.  Just to be sure, I also sent an invalid (from another email) PGP signature.  Not recognized by Outlook, as expected.  Which means Outlook 2013 is validating PGP signatures through its cryptographic module.  Certainly this was something new compared to Outlook 2010. A Google search revealed…nothing.  Figures.  How about a Bing search?

I did this on Bing:  PGP “outlook 2013” site:microsoft.com

I found this.  But alas, there weren’t too many details, and none specifically on PGP/GPG.  Dug into Outlook Trust Center settings and found this.

[Screenshot: Outlook2k13-TrustCenter-crypto-format]

While grayed out, it does have a drop-down for *selecting* cryptography formats.  So something other than S/MIME?  I wonder if this was worked out with Symantec to better integrate their PGP desktop product within the Outlook framework.

UPDATE 01 Jan 2014.  It appears, per a reader observation, that Outlook just looks for a particular PGP MIME protocol statement in the email header. So, to summarize, Outlook 2013 (and 2010) recognizes the clear-text signature header on PGP/GPG-signed emails, but probably does not do actual cryptographic signature validation. There is no way to send or read PGP/GPG-encrypted emails out of the box.  I cannot find any documentation on the subject in Office Help on or offline, so one of these days I will have to dig around the registry.
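To illustrate the distinction in the reader's observation above, an added example (not from the original post) that assembles a PGP/MIME and an S/MIME multipart/signed message and contrasts a header-only classification with a structural check; neither verifies a signature cryptographically. The signature bodies are constructed placeholders, and the function names are assumptions.

```python
import email

PGP_PROTOCOL = "application/pgp-signature"
SMIME_PROTOCOLS = ("application/pkcs7-signature", "application/x-pkcs7-signature")

# Constructed stand-ins for signature bodies; neither is a real signature.
GOOD_SIG = ("-----BEGIN PGP SIGNATURE-----\r\n\r\n"
            "placeholder-armor-text-not-a-real-signature\r\n"
            "-----END PGP SIGNATURE-----")
GARBAGE_SIG = "this is not a signature at all"


def build_signed_message(protocol, micalg, body_text, signature_blob):
    """Assemble a multipart/signed message (RFC 1847 layout; RFC 3156 for
    PGP/MIME).  Does no signing: signature_blob is placed verbatim."""
    boundary = "sig-boundary-42"
    return (
        "From: kent@example.invalid\r\n"
        "To: kent@example.invalid\r\n"
        "Subject: signed test\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/signed; protocol="{protocol}"; '
        f'micalg={micalg}; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        f"{body_text}\r\n"
        f"--{boundary}\r\n"
        f'Content-Type: {protocol}; name="signature.asc"\r\n'
        "\r\n"
        f"{signature_blob}\r\n"
        f"--{boundary}--\r\n"
    )


def header_only_classification(raw):
    """What the reader's observation in the post suggests Outlook does: decide
    from the multipart/signed protocol parameter alone.  A garbage signature
    body classifies exactly like a good one."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return "none"
    protocol = (msg.get_param("protocol") or "").lower()
    if protocol == PGP_PROTOCOL:
        return "pgp-mime"
    if protocol in SMIME_PROTOCOLS:
        return "smime"
    return "unknown"


def structural_check(raw):
    """Cheap sanity checks a header-only test skips: exactly two parts, the
    second of the declared protocol type and, for PGP, an ASCII-armored block.
    Still not cryptographic verification, which needs the signer's key."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        return False
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False
    protocol = (msg.get_param("protocol") or "").lower()
    sig_part = parts[1]
    if sig_part.get_content_type() != protocol:
        return False
    if protocol == PGP_PROTOCOL:
        armor = sig_part.get_payload().strip()
        return (armor.startswith("-----BEGIN PGP SIGNATURE-----")
                and armor.endswith("-----END PGP SIGNATURE-----"))
    return True


if __name__ == "__main__":
    for label, blob in (("good", GOOD_SIG), ("garbage", GARBAGE_SIG)):
        raw = build_signed_message(PGP_PROTOCOL, "pgp-sha256", "Hello", blob)
        print(f"{label}: header-only={header_only_classification(raw)} "
              f"structural={structural_check(raw)}")
```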

 

inside Rotpoi$on – 12 hour packet capture of DormRing resurrected

Written by kent on July 25th, 2013

More Rotpoi$on analysis.

I set up a fake Ncat proxy on port 8118 last night and let it run.  I will let a little Netwitness do the talking shortly, with 12 hours of packet capture.  This will serve as a reference and give folks a starting point in identifying the click fraud perps, should there be any interest in doing that.  To be sure, the ad networks themselves (identified by the “Hostname Aliases” in the Netwitness output below) share some culpability because of their negligence in not filtering out clearly bogus referrals.   Noticeably absent are Google’s AdSense and DoubleClick, which suggests that at least those ad networks are performing due diligence.  If I were paying for online advertising and wanted to make sure my check was not paying for fraud, I would not be signing up with some of the companies behind the URLs listed in the Hostname Aliases.   AppNexus, the company associated with the first Hostname Alias URL, appears to be the biggest fraud facilitator.

UPDATE September 2013.  I have been working with representatives of AppNexus.  According to a representative from AppNexus, Rotpoi$on seems to target click advertisement auctions.  The Rotpoi$on network is still active; more updates may follow as analysis continues.

Provided in zipped CSV format are the click fraud web site referrals as well as the filtered and sorted domain names, the owners of which are probably the principal beneficiaries of RotPoi$on.

And following is the relevant Netwitness output, and a Netwitness generated KMZ file of Rotpoi$on/DormRing2 you can view on Google Earth if you like.

Hostname Aliases (47 items)

ib.adnxs.com (260,842) – ads.creafi-online-media.com (57,005) – ad.globe7.com (54,082) – ad.yieldmanager.com (41,601) – ad.tagjunction.com (30,207) – an.z5x.net (17,420) – ad.z5x.net (16,676) – ads1.ministerial5.com (11,067) – ad.xertive.com (9,433) – ad.bharatstudent.com (6,589) – ad.adorika.com (4,561) – ad.reduxmedia.com (4,498) – ads.clovenetwork.com (4,021) – ib.reachjunction.com (3,774) – cdn.adk2.com (3,039) – ad.media-servers.net (2,990) – tags1.z5x.net (2,185) – ad.yieldads.com (1,767) – ad.smxchange.com (1,119) – n17.adshostnet.com (592) – u.pub-fit.com (518) – ad.adnetwork.net (490) – www.mmadsgadget.com (225) – edge.quantserve.com (59) – www.yahoo.com (44) – dalipeng.free.fr (40) – www.epicgameads.com (25) – www.anastasiasaffiliate.com (13) – asianbeauties.anastasiasaffiliate.com (11) – as.ebz.io (7) – jsc.dt07.net (5) – media.fastclick.net (4) – cdn.fastclick.net (4) – ads1.qadabra.com (4) – 216.245.211.138 (4) – www.cpmleader.com (2) – amolatina.anastasiasaffiliate.com (2) – z14132-p14354-n192.pub.pgssl.com (1) – images.neobux.com (1) – affiliates.lifelock.com (1) – ads.creafi-online-media. (1) – ads.creafi-online- (1) – ads.creafi-onlin (1) – ads.crea (1) – ads. (1) – ads (1) – ad.gl (1)

Source IP Address (881 items)

– 173.234.153.186 (704) – 173.234.116.196 (704) – 198.204.243.102 (701) – 173.234.153.179 (699) – 173.234.33.74 (697) – 23.19.50.52 (697) – 23.19.50.51 (697) – 173.208.16.249 (696) – 23.19.50.50 (696) – 108.177.168.151 (695) – 23.19.50.53 (694) – 108.177.187.54 (693) – 173.208.16.242 (687) – 23.19.130.180 (687) – 173.234.60.181 (685) – 173.234.60.180 (684) – 173.208.16.250 (682) – 108.177.168.150 (681) – 23.19.54.249 (681) – 173.234.60.182 (679) – 23.19.130.182 (679) – 173.234.41.34 (676) – 173.208.16.243 (676) – 173.234.60.179 (674) – 23.19.54.252 (673) – 198.204.243.100 (672) – 173.234.12.181 (671) – 23.19.54.248 (657) – 74.91.26.182 (656) – 74.91.26.181 (649) – 173.208.138.243 (643) – 198.204.241.246 (640) – 23.19.130.121 (639) – 64.120.60.46 (633) – 23.19.130.125 (632) – 23.19.130.120 (627) – 23.19.130.190 (626) – 173.208.85.11 (625) – 173.234.12.189 (624) – 23.19.130.122 (623) – 23.19.130.119 (622) – 173.234.12.190 (621) – 173.208.85.13 (621) – 23.19.130.189 (620) – 173.234.12.188 (619) – 23.19.130.124 (619) – 173.234.12.186 (617) – 23.19.130.123 (615) – 173.234.12.187 (613) – 173.208.242.43 (613) – 64.120.60.45 (610) – 23.19.54.251 (610) – 23.19.54.250 (610) – 173.208.85.14 (609) – 142.54.179.54 (608) – 70.32.43.186 (605) – 173.208.85.12 (603) – 173.234.153.178 (601) – 64.120.77.154 (597) – 64.120.58.118 (596) – 64.120.77.152 (595) – 64.120.77.153 (593) – 198.204.241.142 (592) – 64.120.58.117 (592) – 64.120.77.155 (591) – 64.120.58.116 (590) – 23.19.89.124 (590) – 173.234.116.73 (589) – 70.32.43.179 (588) – 198.204.242.230 (587) – 64.120.77.156 (587) – 108.62.75.27 (583) – 64.120.77.151 (583) – 64.120.58.115 (583) – 173.234.116.71 (581) – 64.120.77.147 (581) – 70.32.43.178 (580) – 23.19.107.249 (580) – 173.234.116.76 (579) – 23.19.107.247 (579) – 173.234.116.75 (578) – 64.120.77.146 (578) – 108.62.75.28 (577) – 23.19.107.248 (577) – 108.62.75.25 (576) – 173.234.159.2 (575) – 108.62.75.23 (575) – 108.62.75.26 (574) – 173.234.153.102 (573) – 23.19.107.250 (573) 
– 108.62.236.190 (572) – 108.62.75.24 (572) – 23.19.107.252 (571) – 173.234.116.55 (570) – 173.234.116.74 (569) – 173.234.116.60 (569) – 173.234.159.3 (568) – 173.234.116.56 (568) – 23.19.107.251 (567) – 173.234.116.72 (566) – 173.234.116.58 (565) – 173.234.116.57 (565) – 64.120.58.22 (563) – 108.62.236.189 (562) – 23.19.54.21 (562) – 23.19.54.18 (562) – 64.120.60.114 (561) – 64.120.58.21 (560) – 64.120.58.19 (560) – 64.120.44.164 (560) – 173.234.116.59 (559) – 108.62.5.152 (559) – 23.19.54.20 (559) – 70.32.43.189 (558) – 23.19.54.25 (558) – 23.19.54.24 (557) – 173.234.188.205 (556) – 173.234.116.50 (556) – 108.62.192.22 (556) – 70.32.43.185 (556) – 23.19.54.22 (556) – 23.19.54.19 (556) – 173.208.83.187 (555) – 108.62.5.155 (555) – 173.208.83.189 (554) – 108.62.192.19 (554) – 64.120.60.43 (554) – 23.19.54.23 (554) – 173.208.83.188 (553) – 108.62.5.147 (553) – 173.234.12.179 (552) – 173.234.12.185 (551) – 64.120.44.166 (551) – 173.234.12.235 (550) – 173.234.12.180 (550) – 108.62.5.154 (550) – 173.234.188.196 (549) – 64.120.44.163 (549) – 70.32.43.188 (548) – 64.120.5.254 (548) – 23.19.130.115 (548) – 173.234.42.3 (547) – 108.62.192.20 (547) – 173.234.42.11 (546) – 173.234.42.7 (546) – 173.234.188.195 (545) – 173.234.12.233 (545) – 173.208.83.190 (545) – 173.234.188.198 (544) – 173.234.42.8 (544) – 173.234.42.2 (544) – 173.234.12.236 (544) – 64.120.44.165 (544) – 108.62.5.151 (543) – 173.234.188.197 (542) – 173.234.12.232 (542) – 108.62.75.6 (542) – 108.62.5.153 (542) – 108.62.5.146 (542) – 198.204.243.99 (540) – 173.234.42.10 (540) – 173.234.12.238 (540) – 108.62.5.156 (540) – 23.19.107.242 (540) – 173.234.12.231 (539) – 70.32.43.190 (539) – 173.234.42.9 (538) – 108.62.192.21 (538) – 64.120.5.253 (538) – 64.120.5.251 (538) – 173.234.42.12 (537) – 173.234.12.237 (537) – 74.91.26.179 (536) – 64.120.5.252 (536) – 23.19.107.243 (536) – 174.34.140.155 (535) – 23.19.130.116 (534) – 173.234.12.184 (533) – 174.34.140.156 (532) – 23.19.130.114 (532) – 173.234.12.234 (531) – 
108.62.75.19 (529) – 198.204.242.228 (528) – 108.62.75.18 (528) – 108.62.192.30 (527) – 108.62.192.28 (527) – 173.208.138.244 (526) – 70.32.43.181 (526) – 108.62.192.29 (525) – 174.34.140.157 (524) – 23.19.63.222 (524) – 173.234.153.100 (523) – 173.234.153.99 (523) – 23.19.54.104 (523) – 174.34.140.158 (522) – 173.234.153.101 (521) – 23.19.63.219 (521) – 23.19.63.216 (521) – 173.234.224.59 (519) – 198.204.241.141 (518) – 70.32.43.180 (518) – 23.19.63.221 (515) – 199.182.234.34 (514) – 23.19.63.217 (514) – 23.19.54.103 (514) – 23.19.63.220 (513) – 23.19.54.108 (510) – 23.19.54.105 (510) – 198.204.247.221 (509) – 23.19.54.106 (509) – 23.19.63.218 (507) – 173.234.12.101 (505) – 173.234.12.99 (505) – 108.62.236.186 (505) – 173.234.12.100 (504) – 70.32.43.183 (502) – 23.19.54.107 (502) – 173.234.12.102 (501) – 173.234.224.60 (499) – 23.19.35.146 (498) – 173.208.16.246 (496) – 23.19.35.147 (495) – 108.62.75.7 (492) – 108.62.236.185 (491) – 198.204.241.243 (490) – 70.32.43.182 (490) – 198.204.241.140 (489) – 173.234.235.101 (486) – 23.83.96.130 (464) – 173.208.44.43 (463) – 173.208.44.46 (462) – 173.234.12.35 (460) – 173.234.12.44 (458) – 23.19.35.134 (458) – 173.234.12.4 (457) – 108.62.75.8 (457) – 23.19.107.228 (457) – 173.234.12.42 (456) – 173.234.116.107 (455) – 173.234.12.41 (455) – 173.208.44.45 (455) – 173.234.12.3 (454) – 173.234.12.5 (453) – 108.62.236.184 (453) – 64.120.60.115 (453) – 23.19.76.4 (453) – 173.208.44.42 (452) – 23.19.76.5 (452) – 64.120.58.20 (450) – 173.234.247.30 (449) – 173.234.188.206 (449) – 173.234.116.152 (449) – 173.234.12.6 (449) – 173.234.12.43 (448) – 173.234.12.40 (448) – 173.234.12.39 (448) – 173.234.116.109 (447) – 23.19.54.99 (447) – 23.19.54.92 (447) – 192.74.245.18 (445) – 23.19.54.87 (445) – 23.19.54.98 (444) – 173.234.12.34 (443) – 23.19.76.99 (443) – 173.234.116.108 (442) – 198.204.241.139 (441) – 173.234.12.178 (441) – 23.19.54.83 (441) – 23.19.35.133 (441) – 23.19.107.227 (439) – 23.19.76.6 (439) – 23.19.54.90 (439) – 
23.19.35.132 (439) – 173.234.116.153 (438) – 173.208.57.54 (438) – 23.19.76.3 (438) – 23.19.76.102 (437) – 23.19.76.101 (437) – 23.19.54.82 (437) – 173.234.247.19 (436) – 173.234.116.151 (436) – 173.234.247.22 (435) – 173.234.188.204 (435) – 173.208.83.100 (435) – 23.19.107.226 (435) – 23.19.54.89 (435) – 23.19.54.88 (435) – 173.208.44.37 (434) – 173.234.12.182 (433) – 173.208.83.99 (433) – 173.208.83.101 (432) – 173.234.247.21 (431) – 173.208.83.102 (431) – 23.19.54.91 (431) – 173.234.247.28 (430) – 173.234.247.25 (430) – 173.234.188.203 (430) – 173.234.247.29 (429) – 173.234.247.18 (428) – 23.19.76.100 (426) – 23.19.54.116 (426) – 173.234.12.30 (425) – 173.208.44.35 (425) – 173.234.12.28 (423) – 108.62.236.212 (423) – 23.19.54.118 (420) – 173.234.12.226 (419) – 173.234.12.27 (419) – 23.19.54.119 (419) – 173.234.12.229 (417) – 108.62.236.211 (417) – 23.19.54.115 (417) – 173.234.247.24 (416) – 173.234.12.250 (416) – 23.19.54.120 (416) – 173.234.12.251 (415) – 173.234.12.29 (415) – 173.234.12.228 (414) – 173.234.12.227 (414) – 173.234.12.183 (414) – 64.120.60.44 (412) – 173.234.12.52 (411) – 108.62.236.215 (411) – 23.19.54.117 (411) – 108.62.236.210 (410) – 108.62.40.244 (409) – 23.19.35.151 (409) – 173.234.12.243 (408) – 173.234.12.54 (408) – 108.62.236.183 (407) – 108.62.236.213 (406) – 23.19.35.152 (406) – 147.255.183.132 (405) – 173.234.12.252 (404) – 173.234.12.53 (404) – 147.255.183.131 (404) – 23.19.35.156 (404) – 108.62.236.182 (402) – 23.19.54.125 (402) – 108.62.236.214 (401) – 173.234.12.242 (400) – 23.19.54.126 (400) – 23.19.35.154 (400) – 108.62.40.246 (399) – 23.19.35.153 (397) – 108.62.236.179 (395) – 108.62.40.245 (395) – 174.34.135.252 (393) – 23.19.54.123 (392) – 23.19.54.124 (391) – 174.34.135.251 (389) – 173.234.12.249 (389) – 108.62.40.254 (389) – 174.34.135.253 (385) – 173.234.12.247 (385) – 23.19.75.214 (385) – 23.19.35.155 (385) – 174.34.135.254 (381) – 173.234.12.248 (378) – 108.62.236.180 (378) – 204.12.211.51 (374) – 108.62.236.178 (365) – 
198.204.242.229 (359) – 108.62.236.181 (359) – 108.62.40.242 (348) – 108.62.40.243 (347) – 74.91.26.180 (328) – 198.204.242.227 (327) – 23.19.89.166 (320) – 23.19.50.46 (314) – 23.19.89.164 (305) – 23.19.89.163 (301) – 64.120.56.14 (295) – 23.19.44.139 (295) – 64.120.56.13 (293) – 108.62.42.21 (292) – 64.120.56.12 (292) – 173.208.44.36 (291) – 108.62.42.19 (290) – 108.62.192.3 (288) – 173.208.44.34 (285) – 108.62.5.135 (285) – 23.19.54.28 (285) – 23.19.59.246 (284) – 108.62.236.188 (282) – 23.19.59.245 (282) – 108.62.5.140 (281) – 23.19.54.30 (281) – 173.234.116.211 (280) – 108.62.192.6 (279) – 23.19.59.244 (279) – 173.234.116.226 (278) – 108.62.192.5 (278) – 108.62.192.4 (278) – 108.62.5.138 (278) – 23.19.107.210 (278) – 23.19.54.27 (278) – 173.234.116.228 (277) – 108.62.5.137 (277) – 108.62.5.131 (277) – 23.19.54.29 (277) – 173.234.116.213 (276) – 108.62.5.130 (276) – 173.234.116.227 (275) – 173.234.116.212 (275) – 23.19.59.243 (275) – 173.234.116.229 (274) – 108.62.192.235 (274) – 108.62.5.139 (274) – 23.19.107.220 (274) – 173.234.116.231 (273) – 108.62.5.136 (273) – 173.234.116.214 (272) – 221.215.112.238 (271) – 173.234.116.237 (271) – 173.234.116.234 (271) – 108.62.192.237 (270) – 173.234.116.236 (269) – 108.62.192.238 (269) – 173.234.116.235 (268) – 173.234.116.232 (268) – 23.19.107.211 (268) – 198.204.241.235 (267) – 23.19.89.165 (267) – 173.234.116.238 (266) – 23.19.107.216 (266) – 23.19.107.217 (265) – 173.234.116.233 (263) – 23.19.107.219 (262) – 23.19.107.215 (261) – 108.62.192.236 (260) – 23.19.107.218 (259) – 108.62.236.187 (258) – 23.19.44.140 (244) – 198.204.241.237 (242) – 198.204.241.236 (241) – 198.204.241.238 (240) – 64.120.60.60 (238) – 173.234.142.45 (235) – 64.120.60.59 (235) – 174.34.159.13 (232) – 173.234.122.132 (231) – 23.19.79.118 (231) – 173.234.122.131 (229) – 108.62.42.23 (229) – 173.234.159.11 (226) – 173.234.116.156 (226) – 108.62.42.30 (226) – 108.62.42.25 (226) – 173.234.122.134 (225) – 173.234.122.133 (225) – 108.62.42.27 (224) – 
23.19.107.234 (224) – 23.19.107.233 (224) – 108.62.42.26 (223) – 192.74.245.20 (222) – 173.234.159.9 (222) – 108.62.42.24 (222) – 64.120.60.55 (222) – 23.19.107.231 (222) – 173.234.116.146 (221) – 23.19.107.235 (221) – 192.151.151.221 (220) – 173.234.159.12 (220) – 64.120.60.56 (220) – 23.19.107.236 (220) – 173.234.159.7 (219) – 173.234.116.147 (219) – 173.234.116.110 (219) – 108.62.17.197 (219) – 23.19.107.232 (219) – 108.62.17.195 (218) – 173.234.159.10 (217) – 173.234.116.155 (217) – 23.19.99.3 (217) – 173.234.116.154 (216) – 108.62.42.29 (216) – 23.19.99.12 (215) – 23.19.79.53 (215) – 23.19.79.54 (214) – 23.19.54.190 (214) – 23.19.99.5 (213) – 23.19.79.51 (213) – 23.19.58.236 (213) – 173.234.116.68 (212) – 108.62.17.198 (212) – 192.151.151.220 (211) – 173.234.159.8 (211) – 108.62.17.252 (211) – 108.62.17.251 (211) – 108.62.17.248 (211) – 23.19.99.7 (211) – 23.19.58.237 (211) – 23.19.54.182 (211) – 108.62.42.28 (210) – 23.19.99.8 (210) – 23.19.99.2 (210) – 173.234.116.66 (209) – 173.234.116.14 (209) – 108.62.17.242 (209) – 23.19.79.52 (209) – 23.19.58.235 (209) – 23.19.99.9 (208) – 23.19.99.4 (208) – 23.19.58.238 (208) – 23.19.54.179 (208) – 23.19.54.44 (208) – 23.19.54.43 (208) – 173.234.171.147 (207) – 108.62.17.249 (207) – 108.62.17.247 (207) – 108.62.17.196 (207) – 108.62.17.250 (206) – 23.19.99.10 (206) – 173.234.116.67 (205) – 142.91.31.254 (205) – 142.91.31.251 (205) – 23.19.54.157 (205) – 173.234.116.69 (204) – 23.19.58.244 (204) – 173.234.116.11 (203) – 108.62.17.243 (203) – 23.19.99.11 (203) – 173.234.116.13 (202) – 23.19.54.183 (202) – 23.19.54.135 (202) – 23.19.54.180 (201) – 23.19.54.139 (201) – 173.234.12.244 (200) – 23.19.58.246 (200) – 23.19.58.245 (200) – 23.19.54.140 (200) – 23.19.54.130 (200) – 173.234.116.12 (199) – 23.19.54.178 (199) – 23.19.54.131 (199) – 23.19.54.189 (198) – 23.19.54.158 (198) – 23.19.54.137 (198) – 173.234.116.185 (197) – 142.91.31.252 (197) – 23.19.54.181 (197) – 173.234.116.189 (196) – 142.91.31.253 (196) – 23.19.54.136 
(196) – 173.234.116.187 (195) – 173.234.171.146 (194) – 173.234.116.188 (194) – 23.19.58.243 (194) – 173.234.116.183 (193) – 173.234.116.243 (191) – 173.234.116.190 (191) – 173.234.116.186 (191) – 173.234.116.184 (191) – 173.234.116.222 (190) – 173.234.142.46 (189) – 173.234.116.244 (187) – 173.234.116.242 (187) – 173.234.116.165 (187) – 173.234.116.166 (185) – 173.234.116.164 (185) – 173.234.116.221 (184) – 173.234.116.181 (184) – 173.234.116.180 (183) – 173.234.116.163 (183) – 173.208.138.246 (183) – 173.234.116.178 (182) – 173.234.116.179 (181) – 173.234.171.155 (180) – 23.19.54.138 (170) – 23.19.58.228 (163) – 23.19.58.227 (163) – 23.19.58.231 (161) – 173.208.44.40 (160) – 23.19.58.230 (160) – 23.19.58.226 (160) – 23.19.58.229 (157) – 108.62.40.228 (150) – 198.15.118.79 (149) – 173.234.171.150 (142) – 173.234.171.157 (131) – 192.184.45.213 (129) – 173.234.171.151 (125) – 192.184.45.212 (123) – 173.234.171.149 (123) – 173.234.171.158 (120) – 173.234.142.43 (118) – 173.234.171.148 (116) – 173.208.242.46 (114) – 173.208.138.247 (111) – 192.184.45.211 (110) – 192.184.53.106 (109) – 173.234.171.154 (109) – 108.62.40.227 (108) – 173.234.142.44 (102) – 192.184.53.100 (100) – 173.234.171.152 (100) – 192.184.53.109 (99) – 115.148.138.212 (98) – 173.234.171.156 (96) – 192.184.53.107 (95) – 192.74.245.19 (93) – 192.184.45.210 (90) – 173.234.171.153 (82) – 115.148.176.160 (79) – 192.184.53.110 (77) – 198.74.123.220 (76) – 192.184.53.102 (62) – 192.184.53.98 (61) – 173.234.116.220 (56) – 192.184.53.105 (49) – 192.184.53.103 (49) – 192.184.53.101 (47) – 23.19.89.173 (44) – 192.184.53.108 (29) – 192.0.24.121 (28) – 199.193.67.153 (26) – 208.115.212.210 (16) – 192.184.53.99 (13) – 23.19.89.174 (12) – 72.52.75.76 (5) – 66.8.208.183 (3) – 199.114.245.100 (1)

Destination IP address (4 items)
66.8.208.183 (535,129) – 108.62.75.7 (1) – 82.223.191.10 (1) – 64.120.77.147 (1)

Event (1 item)
get (534,881)

Extension (9 items)

<none> (530,555) – js (3,901) – html (317) – php (71) – aspx (26) – htm (7) – media (4) – gif (1) – asp (1)
Client Application (100 items)

mozilla/5.0 (245,579) – mozilla/4.0 (223,537) – opera/9.80 (26,637) – 001|mozilla/5.0 (12,361) – 001|mozilla/4.0 (4,779) – mozilla/4.76 [en] (3,941) – mozilla/3.0 webtv/1.2 (2,323) – 001|opera/9.80 (2,052) – mozilla/4.61 [en] (1,628) – mozilla/5.0 archlinux (1,587) – mozilla/4.73 [en] (1,518) – mozilla/4.7 [en] (1,493) – mozilla/5.0 slackware/13.37 (1,231) – mozilla/1.22 (989) – mozilla/3.0 (853) – mozilla/4.61 (832) – mozilla/4.75 [en] (817) – mozilla/4.5 [en] (812) – mozilla/4.08 [en] (809) – mozilla/4.76 (799) – opera/10.60 (795) – mozilla/3.01 (793) – mozilla/2.0 (766) – mozilla/4.79 (513) – mozilla/6.0 (494) – mozilla/4.7 (401) – oracle/1.5.0.3-0.3.el4 firefox/1.5.0.3 pango-text (388) – mozilla/4.77c-cck-mcd {c-udp; ebm-apple} (379) – chrome/15.0.860.0 (374) – opera/10.50 (354) – mozilla/4.0(compatible; msie 7.0b; windows nt 6.0) (241) – mozilla/4.79 [en] (216) – 001|mozilla/5.0 archlinux (148) – 001|mozilla/5.0 slackware/13.37 (95) – 001|mozilla/1.22 (69) – 001|mozilla/2.0 (66) – 001|opera/10.60 (63) – opera/9.27 (51) – 001|mozilla/6.0 (40) – opera/8.0 (38) – opera/12.80 (38) – 001|mozilla/3.0 (38) – 001|oracle/1.5.0.3-0.3.el4 firefox/1.5.0.3 pango-text (35) – opera/6.05 (34) – 001|opera/10.50 (30) – opera/12.0(windows nt 5.1;u;en)presto/22.9.168 version/12.00 (27) – opera/8.50 (26) – opera/12.0(windows nt 5.2;u;en)presto/22.9.168 version/12.00 (25) – 001|chrome/15.0.860.0 (24) – opera/9.62 (23) – opera/9.02 (20) – opera/9.00 (19) – opera/9.63 (18) – opera/9.20 (18) – opera/9.01 (18) – opera/9.61 (17) – opera/9.25 (17) – opera/9.21 (17) – opera/7.03 (14) – opera/7.11 (13) – opera/9.60 (12) – opera/9.23 (12) – opera/9.10 (12) – opera/9.51 (11) – opera/8.51 (11) – opera/9.52 (9) – opera/6.04 (9) – opera/9.26 (8) – opera/8.54 (8) – opera/8.01 (8) – opera/7.23 (8) – opera/6.01 (8) – opera/9.22 (7) – opera/8.53 (7) – opera/8.52 (7) – opera/7.10 (7) – opera/7.0 (7) – opera/7.54 (6) – opera/6.0 (6) – opera/9.64 (5) – opera/9.50 (5) – opera 9.4 (5) – 
opera/9.20(windows nt 5.1; u; en) (4) – opera/8.00 (4) – opera/7.01 (4) – opera/6.02 (4) – opera/9.12 (3) – opera/8.02 (3) – opera/6.03 (3) – opera/5.12 (3) – mozilla/45.0 (3) – mozilla/4.01 (3) – opera/9.24 (2) – opera/7.52 (2) – opera/7.50 (2) – opera/7.22 (1) – opera/7.20 (1) – opera/7.02 (1) – opera/5.02 (1) – mozilla/4.08 (1)

TCP Destination Port (3 items)
8118 (535,129) – 4378 (1) – 3735 (1)
Source Country (5 items)

united states (486,789) – china (6,091) – united kingdom (4,986) – canada (4,584) – singapore (644)
Destination Country (2 items)

united states (535,131) – spain (1)

Source Organization (34 items)

nobis technology group phoenix (75,878) – ubiquity server solutions dallas (56,801) – hambilios lcc (56,249) – nobis technology group, llc (50,308) – ubiquity server solutions seattle (41,727) – ubiquity server solutions chicago (36,213) – fannie mae (25,159) – ubiquity server solutions new york (17,583) – ubiquity server solutions los angeles (14,754) – ubiquity server solutions atlanta (12,745) – egihosting (10,861) – datashack, lc (10,834) – hurricane electric (9,807) – aboutweddings.com (9,651) – epsilon data management (8,135) – credyn (7,313) – emdigo (7,224) – pure web technologies, llc. (5,579) – curvehost (4,986) – server results llc (3,938) – meng wq (3,474) – hosting (3,287) – pipechase (2,789) – jestservers.com (2,722) – shenmiren communications (2,169) – hostmist (2,160) – auctiva corporation (774) – carson keating (727) – gecko electronics (539) – china unicom shandong province network (271) – dataone technologies corp (232) – chinanet jiangxi province network (177) – limestone networks (16) – road runner (3)

Destination Organization (4 items)

road runner (535,129) – ubiquity server solutions los angeles (1) – nobis technology group, llc (1) – arsys.es (1)

Source City (30 items)

phoenix (126,186) – los angeles (71,003) – seattle (35,757) – chicago (26,570) – dallas (25,327) – new york (17,583) – fremont (17,031) – lebanon (16,028) – campbell (14,612) – atlanta (12,101) – kansas city (11,561) – tucson (10,287) – burlingame (9,651) – alexandria (9,643) – hudson (7,897) – suwanee (5,970) – sylmar (5,579) – york (4,986) – carson city (3,938) – jinan (3,745) – harrisburg (3,562) – menlo park (3,287) – vancouver (2,789) – tanggu (2,169) – youngstown (2,160) – chico (774) – boston (539) – schaumburg (232) – nanchang (177) – honolulu (3)

Destination City (3 items)

honolulu (535,129) – phoenix (1) – los angeles (1)

Source Domain (30 items)

ubiquityservers.com (194,742) – ubiquity.io (102,725) – xninet.com (16,924) – simpledeliverysolutions.com (14,333) – researchprimary.info (10,574) – giscafe.com (9,651) – unitedhost.com (7,313) – win-dns.com (7,299) – civicactions.net (7,224) – dailybreakthroughs.net (5,696) – rlookuphost.com (5,145) – beretcity.info (4,705) – thousandsofgenerationsbehind.com (4,494) – paneltelefon.com (4,342) – rethinkvps.com (3,938) – oneminutedaily.com (3,562) – netornerics.info (3,474) – forecastcompare.info (3,287) – pipechase.com (2,789) – evolutionreloaded.com (2,722) – thedogshadlong.com (2,664) – defineproduc.com (2,347) – hostmist.com (2,160) – differe.net (1,725) – ioflood.com (1,472) – vpsquicksolutions.com (727) – synede.com (539) – directmarketingyou.com (374) – lstn.net (16) – rr.com (3)

Destination Domain (4 items)

rr.com (535,129) – ubiquityservers.com (1) – servidoresdns.net (1) – beretcity.info (1)

 

Rotpoi$on click fraud throngnet powered by thousands of *servers*

Written by kent on April 15th, 2013

Last update 24 JULY 2013

Thanks to Javantea of AltSci, Aaron Hopkins, and Zack of CMU for their help with identifying the real purpose behind Rotpoi$on and confirming that I was not the only one seeing this.

I have created the following evolving FAQ on Rotpoi$on. It is under revision.

Q: What is Rotpoi$on?

A: Rotpoi$on is a large net of servers apparently leased for at least the purpose of committing click fraud, and it may even be the successor to the DormRing1 operation described in 2009. So, DormRing2? We know that it is targeting open proxy ports on Tor relays. There are perhaps many organizations getting cheated, if the return on investment needed to justify leasing thousands of servers is any evidence. I could have only part of the story, so I do not want to speculate further on perceived culpability at this point. But in keeping with the point of having a research network, if I see it and can do something about it, I will do it. So I will be following up with the security teams of various advertisement networks as time allows.

Q: Why do you call it Rotpoi$on?

A: I call it Rotpoi$on because my family once visited Rottnest Island in Western Australia and it was, well, memorable. (Rotte is the old Dutch word for rat.) So it is a homonym of Tor spelled backwards. Since this packet spewing is directed at Tor exit nodes, including mine, I am using a play on the term “rat poison.” Because I have confirmed that the servers are leased, and the organizations paying the bills are aware of and very likely specifically directing the activities of these leased servers, there is the dollar sign. A leased net of computers is in contrast to a botnet, which by definition is controlled by an entity that uses hacked, not leased, computer systems.

Q: Why are you posting on Rotpoi$on?

A: The purpose of this post was to serve as a primer and reference for other Tor exit relay operators and security researchers who have participated in this analysis and helped characterize Rotpoi$on.

Q: Is Rotpoi$on performing a SYN flood attack?

A: In my case, no. By definition a SYN flood is a form of denial of service attack on an otherwise functioning service or port. My systems didn’t have port 8118 listening, and my firewalls block what would otherwise be the RST packets sent by the OS. So in my case, it is entirely one-way traffic. And no, most ISPs do not block SYN flood attacks. That is indeed the job of the customer’s router or firewall.

Q: Why should I be concerned about Rotpoi$on?

A: When it was at its largest in the first quarter of 2013, Rotpoi$on was throwing thousands of packets a second. While a few thousand small SYN packets a second should not harm any reasonably well configured system or network, it did have a very detrimental effect on my research network at home. I believe that was because I had a router that was inadequate for managing sessions from several thousand different IP addresses at once while logging everything, so Rotpoi$on bogged it completely down. Once I replaced the router with something adequate (a virtual firewall running iptables), Rotpoi$on became mostly a nuisance. However, the potential effects enabled by thousands of high powered Windows servers running on large, unmetered pipes in well-connected data centers across two continents are not insignificant. So while the potential for more malicious effects is there, Rotpoi$on is probably “just” a fraudulent money-making operation.

Q: What the heck is a throngnet?

A: Another term I made up while trying to describe Rotpoi$on. Gangnet was already taken. The commonly accepted definition of a botnet is a bunch of computer systems controlled by a single unauthorized entity, usually via malicious code. I used to call Rotpoi$on a botnet, but knowing what I know, I think that would be inaccurate. From outward appearances, it looks to be more than one entity (although it could be one disguised as several) “thronging” together with a common purpose of click fraud. The systems seem to be running the same poorly written script designed to generate illicit advertisement commissions.

Q: How many servers are you talking about?

A:   It might help to illustrate  with the following GeoIP maps:

rp-geo-2013-March

 

Contributor analysis from 22 JULY 2013

Javantea from AltSci volunteered to open up port 8118 on his relay and observe for a bit.

Hi Kent,

 

I am getting 125 packets per second sustained incoming on port 8118 like you on my exit node. I noticed this last year but forgot about it because it was such low bandwidth. I count 2582 unique IPs in 20 minutes.

 

I think you’ve found something significant. The obvious question is why since sending data in the clear is pretty worthless and it’s going to come out of a tor exit node just like if they were using tor.

 

I’m a security researcher and would be happy to help you learn more about these silly systems. You’ve already done most of the basic research though: who, what, and where. When I open port 8118 with netcat a few times I get this:

 

GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=300x250&section=4211101&pub_url=${PUB_URL} HTTP/1.0

Accept: */*

Referer: http://www.lotsoffree.com/index.php?option=com_content&view=article&id=84:free-gift-card-microsoft-privacy&catid=39:free-gift-cards&Itemid=106

Accept-Language: en-us

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Host: ad.yieldmanager.com

Connection: Keep-Alive

 

GET http://ib.adnxs.com/ttj?id=1284883 HTTP/1.0

Accept: */*

Referer: http://www.psxobs.com/privacy-policy

Accept-Language: en-us

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0

Host: ib.adnxs.com

Connection: Keep-Alive

 

That looks like clickfraud to me. Perhaps someone wrote a quick script that downloads the list of tor exit nodes and sends clickfraud requests to 8118 and was too lazy to add tor. That would mean that the sites in the referrer are the attackers and the url on the first line is the ad service which is being defrauded. Of course there is the possibility of a joe job occurring, but we know that at least some of them are the bad actors. Whois on both referrers returns China. I’m surprised that the script doesn’t remove servers from the list that have the port closed. It’s a very inefficient script.

 

Regards,

Javantea

 

Based on his observations, Joel concluded that the Rotpoi$on collective is running a (laughably inefficient) script with the goal of clickfraud.  Following in Joel’s footsteps,  I decided to install and open up Privoxy on my relay for a few seconds and watch what happens myself.  This is what I saw:

09:21:01.419951 IP 23.19.89.126.2318 > my.exit.node.8118: Flags [P.], seq 1:416, ack 1, win 65535, length 415
E…..@.u.u/..Y~B… …^.]^M….P…….GET http://ad.media-servers.net/st?ad_type=iframe&ad_size=160x600&section=4432147 HTTP/1.0
Accept: */*
Referer: http://giftcardsrus.net/index.php?option=com_content&view=article&id=1741:when-you-are-not-able-to-get-standard-loans&catid=54:financial-services-&Itemid=412
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
Host: ad.media-servers.net
Connection: Keep-Alive
09:21:01.430712 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [.], ack 1, win 65535, length 0
E..(………..]B….F…._..x..P….~……..
09:21:01.431701 IP 173.208.16.93.1094 > my.exit.node.8118: Flags [P.], seq 1:511, ack 1, win 65535, length 510
E..&………..]B….F…._..x..P…….GET http://ad.globe7.com/st?ad_type=pop&ad_size=0x0&section=3910946&banned_pop_types=29&pop_times=1&pop_frequency=0&pop_nofreqcap=1&pub_url=${PUB_URL} HTTP/1.0
Accept: */*
Referer: http://twicemagic.com/index.php?option=com_content&view=category&layout=blog&id=44&Itemid=100&limitstart=48
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Host: ad.globe7.com
Connection: Keep-Alive

Response from Zack at CMU:

The CMU Tor exit is seeing about 66 packets/second worth of this (10000 packets, 1151 unique IPs in 149.5 seconds). I don’t have time to dig any deeper right now, but on the theory that it’s a botnet doing click fraud, I’ll pass this along to our cybercrime people.

 

Aaron Hopkins reports:

I set up a copy of nginx returning 404s on that port. After a few thousand requests, here are the hostnames it is trying to hit:

4655 ib.adnxs.com
2193 ad.globe7.com
1705 ads.creafi-online-media.com
1149 ad.tagjunction.com
767 ad.yieldmanager.com
259 an.z5x.net
184 ad.z5x.net
123 ad.xertive.com
115 ib.reachjunction.com
80 tags1.z5x.net
72 ad.bharatstudent.com
71 ad.reduxmedia.com
23 ad.smxchange.com
18 opt.cdxndirectopt.com
10 www.xtendadvert.com

It might be worth digging up the security contact for at least the top few of those and give them a heads up.

 

And the /24s that have sent at least 100 requests (of 811 unique IPs from 122 /24s):

1182 23.19.54.0/24
878 173.234.116.0/24
645 208.115.124.0/24
639 173.208.16.0/24
585 23.19.130.0/24
398 64.120.5.0/24
397 64.31.43.0/24
389 64.31.38.0/24
376 64.31.63.0/24
369 173.234.41.0/24
362 108.62.236.0/24
351 23.19.107.0/24
328 173.234.33.0/24
319 64.31.39.0/24
291 108.62.192.0/24
280 108.62.5.0/24
272 173.208.83.0/24
262 208.115.245.0/24
238 69.162.66.0/24
237 70.32.43.0/24
229 216.245.219.0/24
223 64.31.52.0/24
191 64.120.77.0/24
184 173.234.42.0/24
180 64.120.60.0/24
172 63.143.53.0/24
172 23.19.76.0/24
172 23.19.35.0/24
172 173.234.188.0/24
163 173.208.85.0/24
159 208.115.200.0/24
150 173.234.224.0/24
149 173.234.247.0/24
147 64.120.58.0/24
143 74.63.232.0/24
143 74.63.192.0/24
137 108.171.248.0/24
132 64.31.62.0/24
120 108.62.40.0/24
116 64.31.48.0/24
114 173.234.153.0/24
113 74.63.255.0/24
113 108.177.183.0/24
112 69.162.75.0/24
108 208.115.246.0/24
103 74.63.199.0/24
100 63.143.59.0/24

************************

************************
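The tallies above (ad hosts hit, Referer sites credited, sources rolled up into /24 blocks) and the per-source-IP summary at the top of this page are the kind of counting any relay operator can do on a decoy listener's log. The script below is an added example written for this post; it is not code from the post or from any of the contributors quoted. It assumes a simple access-log format that I made up for the example, one line per request: the source IP, then the request line, the Host header and the Referer header, each in double quotes. The sample lines are constructed (placeholder hostnames; the source blocks mirror two of the /24s listed above). The one detail worth noticing is the proxy test: a client only puts the full http://host/path in the request line when it believes it is talking to a forward proxy, so absolute-form requests arriving at an origin server or a closed port are the signature of a proxy probe, while ordinary origin-form requests (/robots.txt) are left out of the counts.

```python
"""Summarize proxy-style requests that hit a decoy port such as 8118.

Added example; assumed log format (constructed, not nginx's default):
    <source ip> "<request line>" "<Host header>" "<Referer header>"
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<req>[^"]*)" "(?P<host>[^"]*)" "(?P<referer>[^"]*)"$'
)

# Constructed sample lines; hostnames are placeholders, not real ad networks.
SAMPLE_LOG = """\
23.19.54.10 "GET http://ad.example-adnet.test/st?ad_type=iframe&ad_size=300x250 HTTP/1.0" "ad.example-adnet.test" "http://blog-a.test/index.php?id=1"
23.19.54.11 "GET http://ib.example-exchange.test/ttj?id=1 HTTP/1.0" "ib.example-exchange.test" "http://blog-b.test/privacy-policy"
173.234.116.5 "GET http://ad.example-adnet.test/st?ad_type=pop HTTP/1.0" "ad.example-adnet.test" "http://blog-a.test/index.php?id=2"
173.234.116.9 "GET http://ib.example-exchange.test/ttj?id=2 HTTP/1.0" "ib.example-exchange.test" "http://blog-c.test/"
23.19.54.12 "GET http://ib.example-exchange.test/ttj?id=3 HTTP/1.0" "ib.example-exchange.test" "http://blog-b.test/privacy-policy"
198.51.100.7 "GET /robots.txt HTTP/1.1" "my.exit.node" "-"
garbage that does not parse
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])      # reject non-IP source fields
    except ValueError:
        return None
    parts = rec["req"].split(" ")
    if len(parts) != 3:                       # METHOD TARGET VERSION
        return None
    rec["method"], rec["target"], rec["version"] = parts
    return rec


def is_proxy_style(target):
    """True for an absolute-form target (http://host/path), i.e. a request
    shaped for a forward proxy rather than for an origin server."""
    return urlsplit(target).scheme.lower() in ("http", "https")


def source_block(ip_text):
    """Roll a source address up to its /24 (IPv4) or /64 (IPv6) block."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip_text}/{prefix}", strict=False))


def summarize(log_text):
    """Count proxy-style requests by ad host, Referer site, source IP and block."""
    hosts, referers, src_ips, src_24s = Counter(), Counter(), Counter(), Counter()
    malformed = origin_form = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if not is_proxy_style(rec["target"]):
            origin_form += 1                  # ordinary request, not a probe
            continue
        hosts[urlsplit(rec["target"]).hostname or rec["host"]] += 1
        ref_site = urlsplit(rec["referer"]).hostname
        if ref_site:                          # "-" or blank yields None
            referers[ref_site] += 1
        src_ips[rec["src"]] += 1
        src_24s[source_block(rec["src"])] += 1
    return {"hosts": hosts, "referers": referers, "src_ips": src_ips,
            "src_24s": src_24s, "malformed": malformed, "origin_form": origin_form}


def report(log_text, top_n=5):
    """Render the same 'count name' lines the contributors posted."""
    s = summarize(log_text)
    out = []
    for title, counter in (("hosts", s["hosts"]), ("referer sites", s["referers"]),
                           ("source blocks", s["src_24s"])):
        out.append(f"# {title}")
        out.extend(f"{n} {name}" for name, n in counter.most_common(top_n))
    out.append(f"# skipped: {s['origin_form']} origin-form, {s['malformed']} malformed")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feeding it a real decoy log only requires adjusting LOG_RE to the server's log format; the rest (the absolute-form test, the /24 roll-up and the Referer extraction) is format independent. The Referer tally is the part worth handing to an ad network's security contact, since it names the publisher accounts that would be credited for the bogus impressions.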

 

Q. Why do you think the number of servers in the Rotpoi$on throngnet decreased over a half a year?

A: It could be that my initial furious reporting to the offending server hosting providers actually had an effect. For instance, DataShack (AKA Wholesale Internet), the provider that once hosted the greatest fraction of Rotpoi$on servers, has a fraction of its original servers in Rotpoi$on. The DataShack/Wholesale Internet abuse representative, Rebecca Kaiser, acknowledged my reports and asserted several times that the server owner (apparently one client) would stop the activity. They eventually did. Or, it could be a combination of my reporting and other reasons, or something else entirely. Some email correspondence screenshots from Rebecca @ DataShack/WholesaleInternet:

Wholesaleinternet-abuse-reply1

 

Wholesaleinternet-abuse-reply2

 

Q: Which ports is Rotpoi$on attempting to use and for what are those ports typically used?

A: At its peak in the first quarter of 2013, the automated process common to all Rotpoi$on nodes probed port 8118 and, to a lesser extent, port 3128. Port 8118 is associated with Privoxy, a filtering proxy used on many Tor clients to make browsers work with Tor and to keep client applications from leaking DNS traffic. Port 3128 is associated with the Squid proxy service.

Q: Why is Rotpoi$on checking for open Privoxy and Squid ports?

A: Apparently, to commit click fraud by hiding their true source from the advertising networks that are paying for bogus click referrals.

Q: Come on, you mean to tell me that there are Tor exit relays out there that have their actual Privoxy service open and available to the world?

A: Yep, I checked. Not that many of them, but some. This means that anyone could also hop on to the Tor network without using a Tor client. Just like using a Tor client, you would pop out of the network on some other exit relay somewhere else entirely. You would be anonymized very well, assuming you trust the network path from where you are to the Tor exit relay.

Q: So why would Rotpoi$on have to continually scan all Tor exit nodes to check for open proxy services?

A: Another researcher surmised that the Rotpoi$on controller must be using an inefficient fraud script that hits all Tor exit nodes, not just the ones with open proxy ports. There could be a more complicated answer, but Occam’s razor suggests the simplest answer usually turns out to be correct. In my larger study of Tor, I have seen exit node IP addresses come and go, and there is actually a not insignificant chunk of Tor exit relay IP addresses that only stay connected in Tor network circuits for a little while. Some of those exit relay IP addresses aren’t seen again in the Tor network for a while, if ever. So this could be a reason why the Rotpoi$on controller decided to continue using an inefficient method of running an automated click fraud process. Earlier this year I set up a Tor exit node and ran it for just a few days. Rotpoi$on continued to hit it for weeks after it had left the Tor network, which suggests that it is easier to get added to the Rotpoi$on script than to get removed from it. It is also possible that the Rotpoi$on controller additionally pushes the click fraud activity through Tor the “normal” way, with a Tor client.

Q: How did you discover Rotpoi$on?

A: A Rotpoi$on detector, of course, pictured below ;-) More seriously, my home research network throughput had dropped to a crawl, so I wanted to find out why. I would have to say that inadequate hardware precipitated Rotpoi$on’s discovery. If I had had something slightly more capable than my Buffalo WHR-G54S running DD-WRT with a bunch of plugins while logging everything, with only 16MB of RAM, it is possible that I would not have noticed Rotpoi$on even at its throughput peak.

rp-detector-img
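To show how the two answers above fit together in practice (the 8118/3128 probes, and spotting them in a logging router’s syslog), here is an added example that is not part of the original post and not the author’s detector. It assumes an iptables/DD-WRT logging rule writing standard netfilter LOG lines (SRC=, PROTO=, DPT=) to syslog; the log lines below are constructed for the example, and it aggregates proxy-port SYNs per source /24 with a hit cut-off, the same shape as the per-/24 counts reported above, which is what you hand to a hosting provider’s abuse contact.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Ports the Rotpoi$on nodes probe, per the write-up: Privoxy and Squid.
PROXY_PORTS = {8118: "privoxy", 3128: "squid"}

# Constructed sample in netfilter LOG format (what a DD-WRT/iptables
# logging rule writes to syslog); these lines are made up for this example.
SAMPLE_LOG = """\
Jul 12 03:14:01 gw kernel: DROP IN=vlan1 OUT= SRC=23.19.54.17 DST=192.0.2.10 PROTO=TCP SPT=51204 DPT=8118 SYN
Jul 12 03:14:02 gw kernel: DROP IN=vlan1 OUT= SRC=23.19.54.88 DST=192.0.2.10 PROTO=TCP SPT=51205 DPT=3128 SYN
Jul 12 03:14:05 gw kernel: DROP IN=vlan1 OUT= SRC=173.234.116.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=8118 SYN
Jul 12 03:14:09 gw kernel: DROP IN=vlan1 OUT= SRC=23.19.54.17 DST=192.0.2.10 PROTO=TCP SPT=51206 DPT=8118 SYN
Jul 12 03:14:11 gw kernel: ACCEPT IN=vlan1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443 SYN
Jul 12 03:14:12 gw kernel: DROP IN=vlan1 OUT= SRC=23.19.54.90 DST=192.0.2.10 PROTO=TCP SPT=51207 DPT=22 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)\b")


def parse_probe(line):
    """Return (src_ip, dport) for a TCP SYN to a proxy port, else None."""
    m = LINE_RE.search(line)
    if not m or "PROTO=TCP" not in line or " SYN" not in line:
        return None
    dport = int(m.group("dpt"))
    return (m.group("src"), dport) if dport in PROXY_PORTS else None


def summarize(log_text, min_hits=1):
    """Aggregate proxy-port probes by source /24, most hits first.
    Row = (hits, unique_ips, network, per-port counts); /24s under min_hits
    are dropped, like the ">= 100 requests" cut-off used above."""
    hits, ips, ports = Counter(), defaultdict(set), defaultdict(Counter)
    for line in log_text.splitlines():
        probe = parse_probe(line)
        if probe is None:
            continue                      # not a proxy-port SYN: ignore
        src, dport = probe
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        hits[net] += 1
        ips[net].add(src)
        ports[net][PROXY_PORTS[dport]] += 1
    rows = [(n, len(ips[net]), str(net), dict(ports[net]))
            for net, n in hits.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[0], r[2]))
```

Run `summarize(SAMPLE_LOG)` to get the per-/24 rows; the 443 and 22 SYNs in the sample are ignored, so only the two proxy-probing /24s are reported.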

Q: How do I know that you aren’t making this up?

A: Other researchers have confirmed my observations and even quickly provided much more analysis than I had the time or ability to do. I have also saved GBs of Rotpoi$on packets to share upon request.

Q:  How do you know these are Windows servers?

A: I was able to reproduce their characteristic SYN traffic in a virtual environment only using a Windows server.  Specifically, Windows Server 2003 series. They also respond exactly like a Windows server, to include displaying typical remote desktop logon splash screens on port 3389.  I suppose it is possible that they could be something other than a Windows server configured really carefully–and at great effort–to look like a Windows server, but why?

Q: Who is behind Rotpoi$on?

A: As of mid-July 2013, there are three major hosting providers where these leased Rotpoi$on Windows servers reside: Gorilla Servers, Ubiquity/Nobistech, and Limestone Networks. A handful reside at Psychz. Whois queries that responded with actual client names show the following entities behind the Rotpoi$on IP addresses:

Gorilla Servers
Guowei Lu, US

Ubiquity Hosting/Nobis Tech
Org-Name:wang, haitao
Street-Address:Xigang family West 331
City:Xining
State:Qinghai
Postal-Code:810000
Country-Code:CN

Org-Name:Xiaoru, Li
Street-Address:room 513, building 5, xinjinganli
City:shiyijinglu
State:hedong district
Postal-Code:Tianjin
Country-Code:CN

Org-Name:Sun, Qiang
Street-Address:169# huayuan road
City:xining
State:qinghai
Postal-Code:81000
Country-Code:CN

Limestone Networks
Organization-Name:Fuqiang Zhou
Organization-City:Liaoyang
Organization-State:OT
Organization-Zip:111000

The referral websites (and there are many, most of which I have not had time to check) look like the following examples:

Domain Name: giftcardsrus.net
Expiration Date: 2014-05-07 06:12:18
Creation Date: 2009-05-07 06:12:18
REGISTRANT CONTACT INFO
antDeng Go
ShaXian No188
SanMing
FuJian
365500
CN
Phone: +86.13592993721
Email Address: flswallow@gmail.com

Domain Name: LOTSOFFREE.COM
Created on: 03-Mar-07
Expires on: 03-Mar-14
Last Updated on: 23-Sep-12
Registrant: deng, yanhong admin@lotsoffree.com
Huaqiang computer city b135
Shenzhen, guangdon 518028
China
+86.75583405032

Domain Name: PSXOBS.COM
Registration Date: 31-May-2012
Expiration Date: 31-May-2014
ns1.ezdnscenter.com
ns2.ezdnscenter.com
Registrant Contact Details: xingbiao zhou
zhou xingbiao (zhou520530qq@yahoo.com.cn)
fujian yonganshi
yonganshi
fujian, 366000
CN
Tel. +86.05983653670
Fax. +86.05983653670

Domain Name: twicemagic.com
Protected Domain Services Customer ID: NCR-4230837
Expiration Date: 2013-09-28 08:07:24
Creation Date: 2012-09-28 08:07:24
REGISTRANT CONTACT INFO
Protected Domain Services – Customer ID: NCR-4230837
P.O. Box 6197
Denver
CO
80206
US
Phone: +1.3037474010
twicemagic.com@protecteddomainservices.com

 

Q. Why are you the first one to bring attention to this?

A: I am not sure. I suspect there are (were) other exit relay operators, also with crappy enough hardware for Rotpoi$on to have a similar detrimental effect on their systems as it did on my research network, who just didn’t have the time to troubleshoot. Other researchers have reported seeing the same thing, but did not have the time to look into it. So I am thinking it was probably a coincident meeting of “crap and curiosity.”

Q. What else are those servers doing besides click fraud?

A: I don’t know if they are doing anything else. I am hoping someone else can help me answer that question. The common service among all these servers seems to be Remote Desktop Protocol/MS Windows Terminal Services. As you can see in the following screenshots, English is probably not the native language used by the operators of these servers.

 

[Screenshots: RDP logon splash screens from the Rotpoi$on servers, rdp-splash-examples through rdp-splash-examples12]