Russian Business Network study - bizeul.org
Version 1.0.1
RBN study – before and after
David Bizeul

3. Reverse IP and reverse NS analysis
With reverse IP lookup, we can identify which domain name records point to a given IP address. This technique is useful to enumerate all the virtual hosts served by a single machine. As many RBN affiliates now resolve to localhost, the investigation uses their previous IP addresses.
With reverse nameserver lookup, we can identify which domain names use a given name server. This technique is useful to enumerate all the malicious domain names managed by a single person and pointed at one domain name server.
This technique was already used for the entity stat grid earlier in this study, but it is now applied to the main RBN domain names.
Domain          Nameserver           Reverse IP domains                  Reverse NS domains
rbnnetwork.com  ns1.rbnnetwork.com   710 domains [40] on 85.249.135.14   rbnnetwork.com
akimon.com      ns1.infobox.org      Same as above                       Many domains (>3000)
sbttel.com      ns1.infobox.org      Same as above                       Same as above
nevacon.net     ns1.infobox.org      31124 domains                       Same as above
infobox.org     ns1.infobox.org      infobox.org, infobox.ru             Same as above
4. Simple DNS analysis
With a basic DNS analysis (made in July) of rbnnetwork.com and nevacon.net, we can collect information to try to figure out some of the interactions between RBN affiliates.
Domain          Nameserver           MX                                Reverse IP on NS
rbnnetwork.com  ns1.rbnnetwork.com   mail.4stat.org (208.72.171.180)   ns2.4user.net
                ns2.rbnnetwork.com                                     ns1.eexhost.com
                                                                       ns2.eexhost.com
nevacon.net     ns1.nevacon.net      mail.nevacon.net (194.146.204.2)
With this chart, we can identify new RBN partners (4stat.org, 4user.net and eexhost.com).
Furthermore, there is a Sender Policy Framework record on nevacon.net:
nevacon.net IN TXT v=spf1 ip4:194.146.204.2 ip4:208.72.171.180 mx 194.146.205.1
This SPF record is interesting because it shows that 208.72.171.180 is an authorized sender of mail coming from nevacon.net. This was also the MX declared by RBN.
A reverse lookup on 194.146.205.1 shows that this is the address of gw1.wellhost.ws.
The host mail.4user.net (81.95.145.9) also announces “sp.rbnnetwork.com Postfix” in its banner when you connect to it.
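The infrastructure overlap described above (one IP trusted as a mail sender by several affiliate domains) can be computed mechanically. The following is an added example, not code from the study: it parses the SPF record quoted above, collects each domain's MX and SPF sender addresses from a constructed offline dataset taken from the tables, and reports the IPs shared between domains.

```python
import re
from collections import defaultdict

# Constructed dataset, copied from the study's tables; no live DNS queries are made.
DNS_DATA = {
    "rbnnetwork.com": {
        "NS": ["ns1.rbnnetwork.com", "ns2.rbnnetwork.com"],
        "MX": {"mail.4stat.org": "208.72.171.180"},
        "TXT": [],
    },
    "nevacon.net": {
        "NS": ["ns1.nevacon.net"],
        "MX": {"mail.nevacon.net": "194.146.204.2"},
        "TXT": ["v=spf1 ip4:194.146.204.2 ip4:208.72.171.180 mx 194.146.205.1"],
    },
}

# An SPF directive: optional qualifier, mechanism name, optional ":argument".
SPF_TOKEN = re.compile(r"^[+\-~?]?(?P<mech>ip4|ip6|mx|a|include|all)(?::(?P<arg>\S+))?$")


def spf_ip4(txt_records):
    """Return the ip4 arguments of the first v=spf1 record, in order.

    Tokens that are not well-formed directives (such as a bare IP with no
    mechanism, as in the record above) are skipped rather than guessed at.
    """
    for rec in txt_records:
        parts = rec.split()
        if parts and parts[0].lower() == "v=spf1":
            ips = []
            for tok in parts[1:]:
                m = SPF_TOKEN.match(tok)
                if m and m.group("mech") == "ip4" and m.group("arg"):
                    ips.append(m.group("arg"))
            return ips
    return []


def sender_ips(domain, data):
    """Addresses allowed to send mail for domain: MX addresses plus SPF ip4 entries."""
    entry = data[domain]
    ips = set(entry["MX"].values())
    ips.update(spf_ip4(entry["TXT"]))
    return ips


def shared_mail_infra(data):
    """Map each sender IP to the domains trusting it, keeping only IPs shared by more than one."""
    owners = defaultdict(set)
    for domain in data:
        for ip in sender_ips(domain, data):
            owners[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in owners.items() if len(doms) > 1}
```

On this dataset the only shared sender is 208.72.171.180, the mail.4stat.org address that rbnnetwork.com lists as MX and nevacon.net authorizes in its SPF record.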
Complementary tools can also be useful to identify which domain names are managed by a given name server.
During the study I identified a C&C server hosted on Nevacon; I used this technique to identify the other domains using the same name server. Of course, all of them were trojan related:
• kolipso.info
• nuvida.info
• haygunj.com
• ljdyun.com
• qeixuunj.net
• lenicint.info
All of these domains are or have been malware repositories.
[40] http://www.iptoolbox.fr/cgi-bin/revip.pl?inputdata=85.249.135.14