Apparently, my LJ post yesterday freaked some folks out; I got contacted almost immediately after it went up by a startling number of people asking for more information. Softlayer.com was on top of the problem with remarkable swiftness, and as of today the intrusion into their servers appears to have been corrected–all the hacked domains I was able to identify on their network are fixed.

So yesterday I got an email sent to me by someone who’d seen a posting I’d made on a different forum about the iPower hack, to say he’d been searching Google for information about ultralights and had ended up being redirected to the “spyshredderscanner” site–a Russian Business Network Web site that pretends to be an online virus scanner. As with many hostile RBN servers, it tries a number of exploits to sneak malware onto the user’s computer; if all the exploits fail, it presents a fake “online virus scan” and attempts to trick the user into downloading malware disguised as anti-virus software.

The URL which redirected him to the hostile server (which is of this writing offline) was

http://kpzk9.247ihost.com/ultralight-helicopter.html

It bears both similarities and differences when compared with the iPower hack. In this case, the compromised URL used a domain-level redirect, rather than an htaccess redirect; that’s what the “kpzk9” were’d you normally see a “www” is. (Quick and dirty background: You can, if you choose, set up a server or DNS record in such a way that the first part of the URL describes who to connect to. For example, let’s say you own a large business and oyu have a Web site, and you also allow your clients to use FTP to send or receive files. Your Web server and your FTP server are two different computers. You can set things up so that “www.yourwebsite.com” goes to your Web server, and “ftp.yourwebsite.com” goes to your FTP server. The hackers had set up “kpzk9.247ihost.com” to go to their server.)

This is different from the iPower hack attack, and it’s very similar to a spate of attacks recently discovered against a large number of ISPs, all of which made use of domain-level redirection to redirect to hostile servers as described here.

A browser visiting http://kpzk9.247ihost.com/ultralight-helicopter.html was redirected to

http://www.traffoman.com/search.php?said=net48 (WARNING: This malware site is still active!)

This site is a redirector to the payload site at

http://autopressweb.com/scanner.html (WARNING: This malware site is still active!)

This bears a very strong similarity to the iPower attack, which used a server at traffloader.info to redirect round-robin style to one of three payload sites, one of which was identical in content to the payload site at autopressweb.com.

The virus downloaded by autopressweb.com is identical to the virus downloaded by the payload servers used in the iPower Web attack. The similarities between this and the iPower attack, and the similarities between this and the attack on scattered ISPs all over the place as documented in The Register, lead me to the conclusion that all three attacks are almost certainly the work of the same person or group of people.

One of the first things I did was used wget to fetch the page at http://kpzk9.247ihost.com/ultralight-helicopter.html. I expected to see a 302 Moved response, but to my surprise, it actually downloaded an HTML file.

I was even more surprised when I looked at the HTML file. It contained two sections: first, a redirector to traffoman.com, and second, a list of 713 other URLs, such as

http://sllwh.joolo.com/debt-management-programs.html
http://rsbd5.247ihost.com/heath-jimmy.html
http://gunju.247ihost.com/farting-clip.html
http://qxwo6.8000web.com/web-survey-software.html

and so on. (Note that these URLs are no longer resolving.) The majority of the URLs belonged either to softlayer.com or to its various customers and resellers.

I’m not quite sure what the purpose of the list of URLs is, though it certainly makes tracking other poisoned servers easy.

The Whois information for the two hostile servers used in this attack, unsurprisingly, differs from the Whois information for the servers used in the iPower attack. For traffoman.com we have:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: TRAFFOMAN.COM

Registrant:
osk2
osk2 (ovp_mail@inbox.ru)
address
city
,12345
US
Tel. +123.456789

Creation Date: 18-Sep-2006
Expiration Date: 18-Sep-2008

Domain servers in listed order:
ns2.traffoman.com
ns1.traffoman.com

Administrative Contact:
osk2
osk2 (ovp_mail@inbox.ru)
address
city
,12345
US
Tel. +123.456789

Technical Contact:
osk2
osk2 (ovp_mail@inbox.ru)
address
city
,12345
US
Tel. +123.456789

Billing Contact:
osk2
osk2 (ovp_mail@inbox.ru)
address
city
,12345
US
Tel. +123.456789

Status:ACTIVE

For the virus dropping payload site, we have:

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: AUTOPRESSWEB.COM

Registrant:
Jertoper
Jertoper (Jertoper@Jertoper.com)
105G Silicon Tower, of 17
Gansu
Gansu,237034
CN
Tel. +847.2165253757

Creation Date: 15-Jul-2007
Expiration Date: 15-Jul-2008

Domain servers in listed order:
ns6.public-ns.com
ns5.public-ns.com

Administrative Contact:
Jertoper
Jertoper (Jertoper@Jertoper.com)
105G Silicon Tower, of 17
Gansu
Gansu,237034
CN
Tel. +847.2165253757

Technical Contact:
Jertoper
Jertoper (Jertoper@Jertoper.com)
105G Silicon Tower, of 17
Gansu
Gansu,237034
CN
Tel. +847.2165253757

Billing Contact:
Jertoper
Jertoper (Jertoper@Jertoper.com)
105G Silicon Tower, of 17
Gansu
Gansu,237034
CN
Tel. +847.2165253757

Status:ACTIVE

Anyone surprised to see estdomains there? Yep, the same registrar used for the payload sites in the iPower attack, and the preferred domain registrar for Russian organized crime since at least 2003.

traffoman.com is currently hosted by Netdirekt Frankfurt (netdirekt.de), a German downstream customer of American-based Global Crossing (gblx.com). I’ve notified both that they’re hosting a redirector for Russian Business Network, but perhaps unsurprisingly it’s still active; Global Crossing’s unofficial corporate motto might as well be “serving the needs of spammers, hackers, scam artists, and organized crime.”

The payload site autopressweb.com appears to be bouncing around. Yesterday, it was hosted on an IP address belonging to Singapore Telecom (singtel.com). Today, it’s being hosted at 88.208.0.131, an IP address assigned to Haldex in the Netherlands but supposedly belonging to a person living in Dominica:

$ whois 88.208.0.131@whois.ripe.net

[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag

% Information related to ‘88.208.0.0 – 88.208.7.255’

inetnum: 88.208.0.0 – 88.208.7.255
netname: HALDEX-NET
descr: Haldex Ltd.
country: NL
admin-c: KA306-RIPE
tech-c: KA306-RIPE
status: ASSIGNED PA
mnt-by: HALDEX-MNT
mnt-lower: HALDEX-MNT
mnt-routes: HALDEX-MNT
source: RIPE # Filtered

person: Khonda Alexey
address: 8, Copthall, P.O. Box 2342,
address: Roseau, 00152, Commonwealth of Dominica
phone: +38 063 188 2888
nic-hdl: KA306-RIPE
mnt-by: HALDEX-MNT
source: RIPE # Filtered

SingTel has ben associated with hosting related to the RBN (or at least owning IP addresses used by RBN sites) in the past, though I’m curious about whether the change in the payload server’s IP address is a sign that SingTel is becoming more reluctant to host RBN sites, or if it just moves around from one IP address to another to make tracking it down more difficult.

And, five minutes later, autopressweb has moved again, to IP address 89.149.207.96, another address in netdirekt.de/Global Crossing space:

$ whois 89.149.207.96@whois.ripe.net

[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘89.149.206.0 – 89.149.207.255’

inetnum: 89.149.206.0 – 89.149.207.255
netname: NETDIRECT-NET
descr: netdirekt e.K.
remarks: INFRA-AW
country: DE
admin-c: WW200-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered

person: Wiethold Wagner
address: netdirekt e. K.
address: Kleyer Strasse 79 / Tor 14
address: 60326 Frankfurt
address: DE
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: info@netdirekt.de
nic-hdl: WW200-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

person: Simon Roehl
address: netdirekt e. K.
address: Kleyer Strasse 79 /Tor 14
address: 60326 Frankfurt
address: DE
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: technik@netdirekt.de
nic-hdl: SR614-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

% Information related to ‘89.149.192.0/18AS28753’

route: 89.149.192.0/18
descr: netdirect Frankfurt, DE
origin: AS28753
org: ORG-nA8-RIPE
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

organisation: ORG-nA8-RIPE
org-name: netdirect
org-type: LIR
address: netdirekt e. K.
Kleyer Strasse 79 / Tor 14
60326 Frankfurt
Germany
phone: +49 69 90556880
fax-no: +49 69 905568822
e-mail: ripe@netdirekt.de
admin-c: SR614-RIPE
admin-c: WW200-RIPE
mnt-ref: NETDIRECT-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

*sigh*