The background
This is the follow-up to the Nuclear Exploit Kit malware infection case abusing .PW second-level domains (initially spotted on 31.41.221.131 to 31.41.221.139), based on the malicious verdicts published by the researcher team and friends below:
Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-3141221131-to.html
Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html
Dynamoo: http://blog.dynamoo.com/2014/01/something-evil-on-192951020828.html
Malekal: https://twitter.com/malekal_morte/status/432804655374938112
Umbrella Labs: http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Dhia Mahjoub: http://pastebin.com/QVq2xERk
To be noted: We are not going to expose any technical evidence for this case in this post. This post focuses on the Tango Down effort initiated by MalwareMustDie, NPO. The details of the Nuclear Pack itself are well documented for MMD friends in our public forum, which serves as an information database of exploitation (you have to be invited to be a member).
We spotted and followed the movement of this threat from:
31 December 2013 until 13 February 2014.
and witnessed the movement of the same group/actors' threat:
from OVH.COM (France) to BESTHOSTING.UA (Kiev, Ukraine) at AS42655, ref-->> http://bgp.he.net/AS42655
Additional: BESTHOSTING.UA ref-->> https://www.besthosting.ua/en/
Additional information on the threat (to be added) - thank you, URLQuery!
One of the recorded .PW domains of this verdict in action:
http://urlquery.net/report.php?id=9308286
And the currently recorded LIVE activity:
http://urlquery.net/search.php?q=,pw\%2F&type=regexp&start=2013-11-15&end=2014-02-13&max=400
The Action and Advisory
We requested the suspension of a total of 174 domains, with the breakdown stated below, and the suspension was carried out successfully.
These bad domains share the same bad actor's route.
The registration information of the domain list stated below is traceable and is potential positive evidence for the identity of the actors, which can be used in a law enforcement investigation of this cyber crime case; LE will need to request it directly from the registration entity via ICANN.
Any recorded system exploitation and malware infection traffic, and any logs related to the verdicted domains and their IP addresses, can be used as evidence of the cyber crime activities; please pass them to your nearest CERT for further processing. The IPs recorded in those logs could still be in operation and are good material for further monitoring and mitigation of the threat, and this post can be used officially as a reference. Please take note of this advisory.
Tango Down
1. Under NAMECHEAP.COM (LA, USA) Registrar (Count: 13) - Status:serverHold:
STATUS: Status:serverHold
$ date && bash check_nonru.sh
Thu Feb 13 20:57:51 JST 2014
ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
ewrqb,pw,217.23.1.174,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
fdsgr,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuf,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuff,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebufffff,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hrebuqq,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgv,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgvvvv,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
hsfgww,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
jvdsdveeee,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthg,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthh,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
rrthk,pw,46.165.229.114,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
WARNING! IP is STILL ALIVE! Info: GERMANY & NETHERLANDS (WORLDSTREAM & LEASEWEB)
217.23.1.174|customer.worldstream.nl.|49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
46.165.229.114|SMRK011.leaseweb.com.|16265 | 46.165.192.0/18 | FIBERRING | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH
46.165.229.115|SMRK011.leaseweb.com.|16265 | 46.165.192.0/18 | FIBERRING | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH
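As an added example (this is not the post's own check_nonru.sh or ipchk-shell code, whose internals are not shown here), the script below parses records in the output layout shown above, derives each domain's suspension state from the visible evidence (a Status:serverHold flag, or SUSPENDED-DOMAIN.COM nameservers), lists the IPs still returned for a verdicted domain, which is the "IP is STILL ALIVE" case flagged above, and matches proxy-log lines against the verdicted domain set, which is the log-based evidence the advisory asks readers to pass on to their CERT. The record layout and the Squid-style log format are assumptions; the first three sample records are taken from this post and the fourth record and all log lines are constructed.

```python
"""Added example, not MalwareMustDie's own check_nonru.sh / ipchk-shell code.
Parses takedown-verification records, classifies suspension state, lists IPs
still alive, and matches proxy-log lines against the verdicted domain set."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed record layout, inferred from the visible tool output:
#   <label>,<tld>,<ip or empty>,<ns1>[ <ns2> ...] [Status:<flag>]
RECORD_RE = re.compile(r"^(?P<label>[^,\s]+),(?P<tld>[^,\s]+),(?P<ip>[^,\s]*),(?P<rest>.+)$")

# Excerpt of the tool output shown in this post; the last record is constructed
# to show a domain with no suspension evidence at all.
SAMPLE_OUTPUT = """\
$ date && bash check_nonru.sh
Thu Feb 13 20:57:51 JST 2014
ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
ewrqb,pw,217.23.1.174,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
archerbocce,pw,,NS2.SUSPENDED-DOMAIN.COM
basketballrain,pw,,NS2.POWER-DNS.NET NS1.POWER-DNS.NET Status:serverHold
constructed-unknown,pw,,NS1.EXAMPLE.NET
"""

# Constructed Squid-style access-log lines (private and TEST-NET addresses only).
SAMPLE_LOGS = [
    "1392292671.123 452 10.0.0.12 TCP_MISS/200 1543 GET http://ewrqb.pw/index.php - DIRECT/217.23.1.174 text/html",
    "1392292680.501 120 10.0.0.12 TCP_MISS/200 8821 GET http://www.example.com/ - DIRECT/198.51.100.7 text/html",
    "1392292690.004 77 10.0.0.31 TCP_MISS/302 412 GET http://BasketballRain.pw/?a=1 - DIRECT/198.51.100.9 text/html",
]


@dataclass
class Record:
    domain: str
    ip: Optional[str]
    nameservers: List[str]
    status: Optional[str]

    def state(self) -> str:
        """Suspension state derived from the evidence in the record."""
        if self.status == "serverHold":
            return "serverHold"    # registry-level hold: the domain is out of the zone
        if any("SUSPENDED-DOMAIN" in ns.upper() for ns in self.nameservers):
            return "suspended-ns"  # parked on the registrar's suspension nameservers
        return "unknown"           # no suspension evidence visible: needs follow-up


def parse_records(text: str) -> List[Record]:
    """Parse tool output into Record objects, skipping banner and separator lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        status = None
        if tokens and tokens[-1].startswith("Status:"):
            status = tokens.pop().split(":", 1)[1]
        domain = f"{m['label']}.{m['tld']}".lower()
        records.append(Record(domain, m["ip"] or None, tokens, status))
    return records


def summarize(records: List[Record]) -> Dict[str, int]:
    """Count domains per suspension state."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.state()] = counts.get(r.state(), 0) + 1
    return counts


def live_ips(records: List[Record]) -> List[str]:
    """IPs still returned for a verdicted domain: hosting to keep monitoring
    even though the domain itself has been suspended."""
    return sorted({r.ip for r in records if r.ip})


def match_logs(records: List[Record], log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, log line) pairs for requests that touched a verdicted domain."""
    domains = {r.domain for r in records}
    hits = []
    for line in log_lines:
        for host in re.findall(r"https?://([A-Za-z0-9.-]+)", line):
            if host.lower() in domains:
                hits.append((host.lower(), line))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r.domain:24} {r.state():13} ip={r.ip or '-':16} ns={' '.join(r.nameservers)}")
    print("states:", summarize(recs))
    print("still alive:", live_ips(recs))
    for domain, line in match_logs(recs, SAMPLE_LOGS):
        print("log hit:", domain, "<-", line)
```

Feeding the full record lists from the three breakdowns below through parse_records gives the same 174 domains the post counts; a state of "unknown" on any record means the suspension should be re-checked, and anything in live_ips is the hosting that the advisory says is worth continued monitoring.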
2. Under other registrars (Count: 73) - Status: Suspension Flag:
$ date && bash check_nonru.sh
Thu Feb 13 20:58:54 JST 2014
ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
archerbocce,pw,,NS2.SUSPENDED-DOMAIN.COM
archercyclist,pw,,NS2.SUSPENDED-DOMAIN.COM
archeryolympics,pw,,NS2.SUSPENDED-DOMAIN.COM
arrowjogger,pw,,NS2.SUSPENDED-DOMAIN.COM
athleticsarchery,pw,,NS2.SUSPENDED-DOMAIN.COM
athleticsjudo,pw,,NS2.SUSPENDED-DOMAIN.COM
athleticsmove,pw,,NS2.SUSPENDED-DOMAIN.COM
ballfigureskating,pw,,NS2.SUSPENDED-DOMAIN.COM
ballkayaker,pw,,NS2.SUSPENDED-DOMAIN.COM
baseballcompetition,pw,,NS2.SUSPENDED-DOMAIN.COM
basenet,pw,,NS2.SUSPENDED-DOMAIN.COM
basketballplaying,pw,,NS2.SUSPENDED-DOMAIN.COM
batongoal,pw,,NS2.SUSPENDED-DOMAIN.COM
batonhome,pw,,NS2.SUSPENDED-DOMAIN.COM
battingfield,pw,,NS2.SUSPENDED-DOMAIN.COM
battinggymnast,pw,,NS2.SUSPENDED-DOMAIN.COM
battingrelay,pw,,NS2.SUSPENDED-DOMAIN.COM
bicyclecompete,pw,,NS2.SUSPENDED-DOMAIN.COM
bicyclingcrew,pw,,NS2.SUSPENDED-DOMAIN.COM
bikingplaying,pw,,NS2.SUSPENDED-DOMAIN.COM
billiardsdiver,pw,,NS2.SUSPENDED-DOMAIN.COM
blanketfield,pw,,NS2.SUSPENDED-DOMAIN.COM
boomerangbiking,pw,,NS2.SUSPENDED-DOMAIN.COM
boomerangrun,pw,,NS2.SUSPENDED-DOMAIN.COM
boulesplaying,pw,,NS2.SUSPENDED-DOMAIN.COM
bowlerfield,pw,,NS2.SUSPENDED-DOMAIN.COM
bowlingbiathlon,pw,,NS2.SUSPENDED-DOMAIN.COM
boxercoach,pw,,NS2.SUSPENDED-DOMAIN.COM
boxerfielder,pw,,NS2.SUSPENDED-DOMAIN.COM
boxerplay,pw,,NS2.SUSPENDED-DOMAIN.COM
bronzecatcher,pw,,NS2.SUSPENDED-DOMAIN.COM
buntpellets,pw,,NS2.SUSPENDED-DOMAIN.COM
canoeingbaton,pw,,NS2.SUSPENDED-DOMAIN.COM
canoeingmammatus,pw,,NS2.SUSPENDED-DOMAIN.COM
canoekarate,pw,,NS2.SUSPENDED-DOMAIN.COM
catchbaton,pw,,NS2.SUSPENDED-DOMAIN.COM
competearena,pw,,NS2.SUSPENDED-DOMAIN.COM
competitionathletics,pw,,NS2.SUSPENDED-DOMAIN.COM
competitionexercise,pw,,NS2.SUSPENDED-DOMAIN.COM
competitiongolfer,pw,,NS2.SUSPENDED-DOMAIN.COM
crewjumping,pw,,NS2.SUSPENDED-DOMAIN.COM
dartboardolympics,pw,,NS2.SUSPENDED-DOMAIN.COM
dartfield,pw,,NS2.SUSPENDED-DOMAIN.COM
dartgym,pw,,NS2.SUSPENDED-DOMAIN.COM
discuschef,pw,,NS2.SUSPENDED-DOMAIN.COM
divebicycling,pw,,NS2.SUSPENDED-DOMAIN.COM
divepressure,pw,,NS2.SUSPENDED-DOM
diverracket,pw,,NS1.SUSPENDED-DOMAIN.COM
divingrelay,pw,,NS2.SUSPENDED-DOMAIN.COM
fencingbicycling,pw,,NS2.SUSPENDED-DOMAIN.COM
fencingdiamond,pw,,NS2.SUSPENDED-DOMAIN.COM
fieldergymnast,pw,,NS2.SUSPENDED-DOMAIN.COM
goaleddy,pw,,NS2.SUSPENDED-DOMAIN.COM
golferboomerang,pw,,NS2.SUSPENDED-DOMAIN.COM NS1.SUSPENDED-DOMAIN.COM
hardballkayaker,pw,,NS2.SUSPENDED-DOMAIN.COM
hockeyarchery,pw,,NS2.SUSPENDED-DOMAIN.COM
hoopjudo,pw,,NS2.SUSPENDED-DOMAIN.COM
huddledartboard,pw,,NS2.SUSPENDED-DOMAIN.COM
javelinbowler,pw,,NS2.SUSPENDED-DOMAIN.COM
leaguehockey,pw,,NS2.SUSPENDED-DOMAIN.COM
movearcher,pw,,NS2.SUSPENDED-DOMAIN.COM
movementarchery,pw,,NS2.SUSPENDED-DOMAIN.COM
netarcher,pw,,NS2.SUSPENDED-DOMAIN.COM
playingriding,pw,,NS2.SUSPENDED-DOMAIN.COM
playmove,pw,,NS2.SUSPENDED-DOMAIN.COM
playride,pw,,NS2.SUSPENDED-DOMAIN.COM
polofencing,pw,,NS2.SUSPENDED-DOMAIN.COM
pooljump,pw,,NS2.SUSPENDED-DOMAIN.COM NS1.SUSPENDED-DOMAIN.COM
r7ee73dbrunbasketball,pw,,NS2.SUSPENDED-DOMAIN.COM
racerathlete,pw,,NS2.SUSPENDED-DOMAIN.COM
racerbronze,pw,,NS2.SUSPENDED-DOMAIN.COM
runfreeze,pw,,NS2.SUSPENDED-DOMAIN.COM
runrafting,pw,,NS2.SUSPENDED-DOMAIN.COM
3. Under other registrars (Count: 88) - Status:serverHold:
$ date && bash check_nonru.sh
Thu Feb 13 20:59:55 JST 2014
ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------
basketballrain,pw,,NS2.POWER-DNS.NET NS1.POWER-DNS.NET Status:serverHold
blankethalftime,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
boomerangfair,pw,,DNS2.OFROADCDNNS.ORG DNS1.OFROADCDNNS.ORG Status:serverHold
buntcanoe,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
championjavelin,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
championshipgear,pw,,DNS2.MASASJI.COM DNS1.MASASJI.COM Status:serverHold
competitionbunt,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
competitionfencing,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
coughexercise,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
dartboardrunninger,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
decembergear,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
defensebicycle,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
defensecanoeing,pw,173.194.113.142,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
diamondracer,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
discushurdle,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
divemedal,pw,,DNS2.HERMESLABS.COM DNS1.HERMESLABS.COM Status:serverHold
diverbiking,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
diverbowling,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
divingbaton,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
dodgeballkayaker,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
fencingrun,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
fielddefense,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
fielderchampion,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
figureskatingpolo,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
fleecegolfing,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
flurriescrew,pw,173.194.113.142,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
footballfield,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
gearcompetitor,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
golfbow,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
golfcluber,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
golfercyclist,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
golfermove,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
golfingchampionship,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
golfingorienteering,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
gymnasticsarchery,pw,,DNS2.KOLOMINUTY.COM DNS1.KOLOMINUTY.COM Status:serverHold
halftimedecathlon,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
handballdart,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
highjumpbow,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
hockeybatter,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
hockeybunt,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
homebicycling,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
huddlecatch,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
huddledart,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
hypothermiahuddle,pw,173.194.113.142,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
jacketgoalie,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
januarypool,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
javelinbaton,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
jvdsdvee,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
jvdsdveee,pw,46.165.229.115,DNS1.REGISTRAR-SERVERS.COM Status:serverHold
karatecycling,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
kayakbasketball,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
kayakingball,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
lacrossepingpong,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
leaguedart,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
medaljogger,pw,,DNS2.HERMESLABS.COM DNS1.HERMESLABS.COM Status:serverHold
movemedal,pw,,DNS2.KOLOMINUTY.COM DNS1.KOLOMINUTY.COM Status:serverHold
mufflerbow,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
orienteeringgoalie,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
pitchbiathlon,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
pitchexercise,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
playbunt,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
playingrunning,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
playoffsbronze,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
playoffschampion,pw,,DNS2.HERMESLABS.COM DNS1.HERMESLABS.COM Status:serverHold
polarquarterback,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
polediver,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
polefitness,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
polegymnasium,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
quarterbackarena,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
quiltplay,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
racketrunning,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
radiatorepee,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
raftingbocce,pw,,DNS2.MERCHANTMARKETS.COM DNS1.MERCHANTMARKETS.COM Status:serverHold
relaycompete,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
ridingball,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
runbasketball,pw,,DNS2.KOLOMINUTY.COM DNS1.KOLOMINUTY.COM Status:serverHold
runboxing,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
rungymnastics,pw,,DNS2.DECADEMARKETS.COM DNS1.DECADEMARKETS.COM Status:serverHold
runhurdle,pw,,DNS2.BIGSKYEXPERT.COM DNS1.BIGSKYEXPERT.COM Status:serverHold
runningracer,pw,,NS2.POWER-DNS.NET NS1.POWER-DNS.NET Status:serverHold
twitch,pw,,EVA.NS.CLOUDFLARE.COM MAX.NS.CLOUDFLARE.COM Status:serverHold
thermometergolfer,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
whiteoutdart,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
windchillbiking,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
winterbatter,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
wintercoach,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
woolchampionship,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
woolensbicycle,pw,,DNS2.ECHOUNIVERSAL.COM DNS1.ECHOUNIVERSAL.COM Status:serverHold
Credits:
Thank you: @essachin @ConradLongmore @DhiaLite @abhinavbom @malekal_morte (twitter)
#MalwareMustDie!!