Russian Business Network study - bizeul.org

More documents

Recommendations

Info

Version 1.0.1 RBN study – before and after David Bizeul phone: +7 812 4384600 fax-no: +7 812 4384602 remarks: SPAM issues - abuse@mns.ru Mail and News issues - postmaster@mns.ru Customer support - support@mns.ru Hosting issues - hosting@mns.ru e-mail: noc@mns.ru Delta Systems (193.93.232.0/22) address: address: e-mail: 190000, 39 Kazanskaya st. St. Petersburgh Russia admin@deltasys.ru RusTelecom (195.114.8.0/23) address: Volodarskogo str. 21 Sestroreck , Russia e-mail: info@rustelecom.net mnt-by: RUSTELECOM-MNT person: Main Technichal Account phone: +79217872403 nic-hdl: RUST2-RIPE DATAPOINT (85.249.128.0/20) person: Vladimir E Kuznetsov address: 29, Viborgskaya nab., address: 198215 Saint Petersburg, Russia phone: +7 812 3312999 fax-no: +7 812 3312999 e-mail: abuse@infobox.ru e-mail: vova@kuznetsov.spb.ru person: Rustam A Narmanov address: 29, Viborgskaya nab., address: 198215 Saint Petersburg, Russia phone: +7 812 3312999 fax-no: +7 812 3312999 e-mail: rustam@infobox.ru 30
Version 1.0.1 RBN study – before and after David Bizeul 3. Reverse IP and reverse NS analysis With reverse IP, we can identify which domain name records tie back with a precise IP. This technique can be useful to get all virtual hosts using a single machine. As many RBN affiliates now resolve to localhost, the investigation uses previous IP address. With reverse nameserver, we can identify which domain names are using a precise name server. This technique can be useful to get all malicious domain names managed by a single person and redirecting to a domain name server. This technique has already been used in the entity stat grid former in this study but it is now used on main RBN domain names. Domain Nameserver Reverse IP domains Reverse NS domains rbnnetwork.com ns1.rbnnetwork.com 710 domains [ 40 ] on 85.249.135.14 rbnnetwork.com akimon.com ns1.infobox.org Same as above Many domains (>3000) sbttel.com ns1.infobox.org Same as above Same as above nevacon.net ns1.infobox.org 31124 domains Same as above infobox.org ns1.infobox.org infobox.org infobox.ru Same as above 4. Simple DNS analysis With a basic DNS analysis (made in July) on rbnnetwork.com and nevacon.net, we can collect information to try figure out some RBN affiliates interactions. Domain Nameserver MX Reverse IP on NS rbnnetwork.com ns1.rbnnetwork.com ns2.rbnnetwork.com mail.4stat.org (208.72.171.180) ns2.4user.net ns1.eexhost.com ns2.eexhost.com nevacon.net ns1.nevacon.net mail.nevacon.net (194.146.204.2) With this chart, we can identify new RBN partners (4stat.org, 4user.net and eexhost.com) Furthermore, there is a Sender Policy Framework on nevacon.net: nevacon.net IN TXT v=spf1 ip4:194.146.204.2 ip4:208.72.171.180 mx 194.146.205.1 This SPF is interesting because we can see 208.72.171.180 is an official sender of mails coming from nevacon.net. This was also the declared MX from RBN. A reverse lookup on 194.146.205.1 shows that this is the address of gw1.wellhost.ws. This URI mail.4user.net (81.95.145.9) also announces “sp.rbnnetwork.com Postfix” when you connect to it. Complementary tools can also be useful to identify which domain names are managed by a precise name server. During the study I identified a C&C server hosted on Nevacon, I used this technique to identify the other domains using the same name server. Of course, all of them were trojan related: • kolipso.info • nuvida.info • haygunj.com • ljdyun.com • qeixuunj.net • lenicint.info All of these domains are or have been a malware repository. 40 http://www.iptoolbox.fr/cgi-bin/revip.plinputdata=85.249.135.14 31
Page 1 and 2: Russian Business Network study Vers
Page 3 and 4: Version 1.0.1 RBN study - before an
Page 29: Version 1.0.1 RBN study - before an
Page 33 and 34: Version 1.0.1 New York,NY,US 10019
Page 35 and 36: Version 1.0.1 New York, NY 10018,-,
Page 41 and 42: Version 1.0.1 City map RBN study -
Page 47 and 48: Version 1.0.1 Filtering bad network
Page 53 and 54: Version 1.0 David Bizeul RBN study

Russian Business Network study - bizeul.org

Create successful ePaper yourself

Delete template?

Save as template?