MGD (Premium, MVM, join: 2002-07-31) | reply to moonpuppy
Re: foxnews.com infected?
This appears to be a "stealth" infection operation. A few hours ago the authoritative NS for onlineproantispywarescannerv2.com (ns1, 2, & 3.greatwallsupport.com) began denying all knowledge of its existence:
NsLookup
domain: onlineproantispywarescannerv2.com
server: ns1.greatwallsupport.com [85.17.254.136] returned a non-authoritative response in 125 ms:
Query refused
Within the past few minutes:
NsLookup
domain: onlineproantispywarescannerv2.com
server: ns1.greatwallsupport.com
Address lookup for ns1.greatwallsupport.com failed: Host not found
I suspect that they are rotating in malicious ads with a pool of various domains hosting the infections. Each malware advertisement is only active for several hours to minimize exposure. Matching DNS services are set active during the exposure period, and are then withdrawn in a coordinated attempt to hide the trail.
While the infection vector was active on foxnews.com, the authoritative NS for onlineproantispywarescannerv2.com were:
ns1.greatwallsupport.com at IP 85.17.254.136
ns2.greatwallsupport.com at IP 203.174.83.75
ns3.greatwallsupport.com at IP 115.126.5.10
During that active period the greatwallsupport.com name servers were directing requests for onlineproantispywarescannerv2.com to the following IPs:
78.47.91.153 static.153.91.47.78.clients.your-server.de
[Prior history includes hosting: fullantispywareproscan.com/ "loader" & securedradiostation.cn/soft.php "iframe" and more]
78.47.172.66 static.66.172.47.78.clients.your-server.de
[A sampling of prior history includes hosting: antivirus360-protection.com, securedantivirusonlinescanner.com, securedliveuploads.com, softwarforgoodusers.cn, trustedpaymentsystem.com, and more]
92.62.98.20 ns1.tallinnblog.org
[No priors; according to domaintools.com these domains are hosted there: 1. Blogcash.org 2. Help-now.org 3. Paul-schoenle.com 4. Tallinnblog.org]
94.76.213.227 94-76-213-227.static.as29550.net
[Nefarious history of hosting similar malware according to Dancho Danchev's Blog and more]
94.247.3.40 hs.3-40.zlkon.lv
[Extensive prior history of similar Anti Virus malware hosting]
Though onlineproantispywarescannerv2.com and greatwallsupport.com were projected as being hosted at various places around the globe, and only while the infection was being actively pushed, the cyber birthplace of both criminal domains is in the Ukraine at S-HOSTING.BIZ on:
IP 194.54.83.78 [reverse DNS - server.s-hosting.biz]
Domain Name: S-HOSTING.BIZ
Domain ID: D17077428-BIZ
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Domain Status: ok
Registrant ID: DI_5578081
Registrant Name: Nikolay Tabakov
Registrant Organization: Stephani hosting
Registrant Address1: Topolevaya str. 17, app.6
Registrant City: Odessa
Registrant State/Province: Odessa Oblast
Registrant Postal Code: 65009
Registrant Country: Ukraine
Registrant Country Code: UA
Registrant Phone Number: +380.487198431
Registrant Facsimile Number: +380.964635373
Registrant Email: admin@stephani.od.ua
Administrative Contact, Billing Contact and Technical Contact: ID DI_5578081, every field identical to the Registrant record above
Name Server: NS1.S-HOSTING.BIZ
Name Server: NS2.S-HOSTING.BIZ
Created by Registrar: ESTDOMAINS INC
Last Updated by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Transferred Date: Mon Dec 01 13:54:54 GMT 2008
Domain Registration Date: Wed Mar 28 15:23:46 GMT 2007
Domain Expiration Date: Sat Mar 27 23:59:59 GMT 2010
Domain Last Updated Date: Fri Mar 20 23:52:33 GMT 2009

Questions:
greatwallsupport.com IN ANY
Answer records:
greatwallsupport.com IN NS ns1.s-hosting.biz (TTL 826s)
greatwallsupport.com IN NS ns2.s-hosting.biz (TTL 826s)
194.54.83.78 [reverse DNS - server.s-hosting.biz]

IP Information for 194.54.83.78
IP Location: Ukraine, Realon Service Llc
Resolve Host: server.s-hosting.biz
IP Address: 194.54.83.78
Reverse IP: 242 other sites hosted on this server.
Blacklist Status: Clear

Whois Record
inetnum: 194.54.80.0 - 194.54.83.255
netname: REALON-UA
descr: Realon Service LLC
remarks: www.server.ua
country: UA
org: ORG-BEAR1-RIPE
admin-c: PRO-RIPE
tech-c: PRO-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: SERVER-MNT
mnt-routes: SERVER-MNT
mnt-domains: SERVER-MNT
source: RIPE # Filtered

organisation: ORG-BEAR1-RIPE
org-name: Realon Service LLC
org-type: OTHER
address: 54001, PBOX 297, Mykolayiv - 001
address: UA, Mykolayiv, Mykolaiv Oblast
e-mail:
mnt-ref: SERVER-MNT
mnt-by: SERVER-MNT
source: RIPE # Filtered

person: Alexey Provorny
address: 54001, PBOX 297, Mykolayiv - 001
address: Mykolayiv, Ukraine
phone: +380 512 71-18-36
phone: +380 44 360-00-44
fax-no: +380 512 71-18-36
nic-hdl: PRO-RIPE
mnt-by: RX-MNT
source: RIPE # Filtered

route: 194.54.80.0/22
descr: SERVER UA UKRAINE DEDICATED SERVICE
origin: AS41671
mnt-by: BEARNET-MNT
mnt-by: SERVER-MNT
source: RIPE # Filtered
ns1.greatwallsupport.com IP 85.17.254.136 [no reverse DNS set]
IP Information for 85.17.254.136
IP Location: Netherlands, Amsterdam, Leaseweb
IP Address: 85.17.254.136
Blacklist Status: Clear

Whois Record
inetnum: 85.17.0.0 - 85.17.255.255
org: ORG-OB3-RIPE
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
netname: NL-LEASEWEB-20050311
descr: LeaseWeb B.V.
country: NL
status: ALLOCATED PA
remarks: Please send email to for complaints
remarks: regarding portscans, DoS attacks and spam.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: LEASEWEB-MNT
mnt-routes: LEASEWEB-MNT
source: RIPE # Filtered

organisation: ORG-OB3-RIPE
org-name: LeaseWeb B.V.
org-type: LIR
address: Ocom B.V. P.O. Box 93054 1090 BB Amsterdam Netherlands
phone: +31 30 2369745
fax-no: +31 20 4889458
admin-c: SPW1-RIPE
admin-c: gj907-ripe
admin-c: LSW1-RIPE
mnt-ref: OCOM-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

person: RIP Mean
address: P.O. Box 93054
address: 1090BB AMSTERDAM
address: Netherlands
phone: +31 20 3162880
fax-no: +31 20 3162890
abuse-mailbox:
nic-hdl: LSW1-RIPE
mnt-by: OCOM-MNT
source: RIPE # Filtered

route: 85.17.0.0/16
descr: LEASEWEB
origin: AS16265
remarks: LeaseWeb
mnt-by: OCOM-MNT
source: RIPE # Filtered
ns2.greatwallsupport.com IP 203.174.83.75 [reverse DNS - 203-174-83-75.rev.ne.com.sg]
IP Information for 203.174.83.75
IP Location: Singapore, Singapore, Newmedia Express Pte Ltd Singapore Web Hosting Provider
Resolve Host: 203-174-83-75.rev.ne.com.sg
IP Address: 203.174.83.75
SSL Cert: 2001-10-20 SSL Certificate has expired.
Blacklist Status: Clear

Whois Record
inetnum: 203.174.80.0 - 203.174.87.255
netname: NEWMEDIAEXPRESS-AP
descr: NewMedia Express Pte Ltd, Singapore Web Hosting Provider
descr: Singapore
country: SG
admin-c: SW640-AP
tech-c: SW640-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-SG-NEWMEDIAEXPRESS
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
changed: 20060426
source: APNIC

person: Shian Loong Woo
nic-hdl: SW640-AP
e-mail:
address: 20 Ayer Rajah Crescent
address: #08-12
address: Singapore 139964
phone: +65 68730128
fax-no: +65 68730129
country: SG
changed: 20060401
mnt-by: MAINT-SG-NEWMEDIAEXPRESS
source: APNIC
ns3.greatwallsupport.com IP 115.126.5.10 [no reverse DNS set]
IP Information for 115.126.5.10
IP Location: Hong Kong, Hong Kong, Hkntcm-291-091pvt
IP Address: 115.126.5.10
Blacklist Status: Clear

Whois Record
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net

NetRange: 115.0.0.0 - 115.255.255.255
CIDR: 115.0.0.0/8
NetName: APNIC-115
NetHandle: NET-115-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2007-10-29
Updated: 2007-11-12

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail:

== Additional Information From whois://whois.apnic.net ==
inetnum: 115.126.5.0 - 115.126.5.255
netname: HKNTCM-291-091PVT
country: HK
descr: hknetcom.biz
admin-c: BA144-AP
tech-c: BA144-AP
status: ALLOCATED NON-PORTABLE
changed: 20081224
mnt-by: MAINT-HK-FNCL
source: APNIC

route: 115.126.0.0/17
descr: Forewin Telecom Group Limited, ISP at HK
origin: AS38186
mnt-by: MAINT-HK-FTG
changed: hostmaster@hkt.cc 20090306
source: APNIC

person: Shian Loong Woo
nic-hdl: BA144-AP
e-mail:
address: No. 400 Post Office Tuen Mun N
address: Hong Kong
phone: +852-3597-9799
country: HK
changed: 20081224
mnt-by: MAINT-HK-FNCL
source: APNIC
A copy of the page source code of http://www.foxnews.com/story/0,2933,516877,00.html, from where the malware popup originated, was taken within a few minutes of the event:
Attachment: FoxnewsSourc···code.txt (71158 bytes)
However, it is inconclusive if any of the embedded links were responsible.
MGD
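As an added example, not code from this thread, here is the kind of churn check MGD's timeline suggests a defender automate: poll a suspect domain's NS and A records on a schedule, log every transition, and flag a domain that resolves for only a few hours before its name servers refuse queries and then disappear. The Snapshot type, function names and timestamps are my own assumptions; only the host names and IPs are taken from the post above.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional

@dataclass
class Snapshot:
    """One periodic resolution of a domain, as a cron job would record it."""
    when: str                           # ISO-8601 timestamp, e.g. "2000-01-01T10:00"
    status: str                         # "ok", "refused", "ns_not_found", "nxdomain"
    ns: FrozenSet[str] = frozenset()    # authoritative NS names returned
    a: FrozenSet[str] = frozenset()     # A records returned

def churn_events(domain: str, history: List[Snapshot]) -> List[str]:
    """Describe every change between consecutive snapshots: NS answering, then
    refusing, then vanishing, and A records hopping between hosters."""
    events, prev = [], None
    for cur in history:
        if prev is not None:
            if cur.status != prev.status:
                events.append(f"{cur.when} {domain}: status {prev.status} -> {cur.status}")
            if cur.ns != prev.ns:
                events.append(f"{cur.when} {domain}: NS removed {sorted(prev.ns - cur.ns)}"
                              f" added {sorted(cur.ns - prev.ns)}")
            if cur.a != prev.a:
                events.append(f"{cur.when} {domain}: A removed {sorted(prev.a - cur.a)}"
                              f" added {sorted(cur.a - prev.a)}")
        prev = cur
    return events

def active_hours(history: List[Snapshot]) -> Optional[float]:
    """Hours between the first and last snapshot in which the domain resolved."""
    ok = [datetime.fromisoformat(s.when) for s in history if s.status == "ok" and s.a]
    return (max(ok) - min(ok)).total_seconds() / 3600 if ok else None

def is_short_lived(history: List[Snapshot], max_hours: float = 12.0) -> bool:
    """True when the domain resolved only inside a window of at most max_hours
    and no longer resolves at the end: the 'exposure period' pattern."""
    hours = active_hours(history)
    return hours is not None and hours <= max_hours and history[-1].status != "ok"

# Constructed timeline; only the host names and IPs are taken from the thread.
NS = frozenset({"ns1.greatwallsupport.com", "ns2.greatwallsupport.com",
                "ns3.greatwallsupport.com"})
SAMPLE = [
    Snapshot("2000-01-01T08:00", "ok", NS, frozenset({"78.47.91.153", "78.47.172.66"})),
    Snapshot("2000-01-01T10:00", "ok", NS, frozenset({"92.62.98.20", "94.76.213.227", "94.247.3.40"})),
    Snapshot("2000-01-01T14:00", "refused", NS),     # NS still answers, but refuses
    Snapshot("2000-01-01T16:00", "ns_not_found"),    # the NS host itself is gone
]
```

Running `churn_events("onlineproantispywarescannerv2.com", SAMPLE)` yields five event lines for this timeline, and `is_short_lived(SAMPLE)` is true because the domain resolved for only two hours before going dark.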
Doctor Four (My other vehicle is a TARDIS; Premium, join: 2000-09-05, Dallas, TX):
I'm not surprised in the least to see DIRECTI's involvement in this. They have been implicated in a huge number of rogue security software scams.
They continually allow the cybercriminals behind these fraudware sites to register new domains, all the while claiming they are taking action against them by shutting down existing ones. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)