Thursday, February 13, 2014

Tango Down of Nuclear Pack's 174 Multiple Registered .PW Domains

To "some" fellow researchers: don't mock us for taking down these bad domains. Think of the victims who get infected on an hourly basis! Sorry if we blew your "tracking" objects away. Because of this takedown, the data behind these domains is now ready for law enforcement to collect.

The background

Following the case of the Nuclear Exploit Kit malware infections via abuse of .PW 2LD domains (initially spotted at 31.41.221.131 to 31.41.221.139), and as a follow-up to the malicious verdicts below from the researcher team and friends:

Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-3141221131-to.html
Dynamoo: http://blog.dynamoo.com/2014/02/something-evil-on-19295722428.html
Dynamoo: http://blog.dynamoo.com/2014/01/something-evil-on-192951020828.html
Malekal: https://twitter.com/malekal_morte/status/432804655374938112
Umbrella Labs: http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/
Dhia Mahjoub: http://pastebin.com/QVq2xERk

To be noted: we are not going to expose any technical evidence for this case in this post; this post focuses on the Tango Down effort initiated by MalwareMustDie, NPO. The details of the Nuclear Pack itself are well documented for MMD friends in our public forum, which serves as an information database of exploitation (you have to be invited to become a member).

We spotted and followed the movement of this threat from 31 December 2013 until 13 February 2014, and witnessed the same group/actors move their infrastructure:
From OVH.COM (France) to: BESTHOSTING.UA (Kiev, Ukraine) at AS42655, ref-->> http://bgp.he.net/AS42655
Additional: BESTHOSTING.UA ref-->> https://www.besthosting.ua/en/

Additional information on the threat (to be added) - thank you, URLQuery!

One of the recorded .PW domains of this verdict in action:
http://urlquery.net/report.php?id=9308286
And the current LIVE activity recorded:
http://urlquery.net/search.php?q=,pw\%2F&type=regexp&start=2013-11-15&end=2014-02-13&max=400

The Action and Advisory

We requested the suspension of a total of 174 domains, with the breakdown stated below, and the suspension was completed successfully.

These bad domains share the same bad actor's route.
The registration information of the domains listed below is traceable to positive potential evidence for the identity of the actors, which can be used by law enforcement investigating this cyber crime case; LE will need to request it directly from the registration entity via ICANN accordingly.

Any malicious system exploitation and malware infection traffic recorded, and any logs related to the verdicted domains and their IP addresses, can be used as evidence of the cyber crime activities; please pass them to your nearest CERT for further processing. The IPs recorded in such logs could still be in operation and are good material for further monitoring and mitigation of the threat, and this post can be used officially as a reference. Please take note of this advisory.
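One way to act on this advisory, as an added example that is not part of the original post or of MalwareMustDie's own tooling: parse ipchk-shell-style rows like those in the Tango Down section below (label,tld,resolved IP,nameservers plus an optional Status: flag), derive the status breakdown and the IPs that still resolve, and scan proxy logs for contacts to those hosts so the hits can be handed to a CERT. All domains, IPs and log lines here are constructed; the squid-style log layout is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout ipchk-shell prints on this page:
# label,tld,resolved_ip,nameserver [nameserver] [Status:flag]
# (labels are made up; 203.0.113.0/24 is a documentation range, not a real host)
IPCHK_OUTPUT = """\
kitexample,pw,203.0.113.10,DNS1.REGISTRAR-EXAMPLE.NET Status:serverHold
kitexample2,pw,,NS2.SUSPENDED-EXAMPLE.NET
kitexample3,pw,,DNS2.EXAMPLE-NS.ORG DNS1.EXAMPLE-NS.ORG Status:serverHold
"""

# Constructed proxy log lines (squid access.log layout): time client result url
PROXY_LOG = """\
1392292671.123 10.0.0.5 TCP_MISS/200 http://kitexample.pw/index.php
1392292680.456 10.0.0.7 TCP_MISS/200 http://www.example.org/index.html
1392292699.789 10.0.0.9 TCP_MISS/200 http://203.0.113.10/index.php
"""

def parse_ipchk(text):
    """Turn ipchk-shell rows into dicts; banner and blank lines have no comma."""
    rows = []
    for line in text.splitlines():
        if "," not in line:
            continue
        label, tld, ip, rest = line.strip().split(",", 3)
        flag = re.search(r"Status:(\S+)", rest)           # EPP status, e.g. serverHold
        nameservers = re.sub(r"\s*Status:\S+", "", rest).split()
        parked = any("SUSPENDED" in ns.upper() for ns in nameservers)
        status = flag.group(1) if flag else ("suspensionFlag" if parked else "unknown")
        rows.append({"domain": f"{label}.{tld}", "ip": ip or None,
                     "nameservers": nameservers, "status": status})
    return rows

def status_breakdown(rows):
    # Count of domains per takedown status (the per-registrar breakdown)
    return dict(Counter(r["status"] for r in rows))

def live_ips(rows):
    # IPs that still resolved when checked: the "IP is STILL ALIVE" cases
    return sorted({r["ip"] for r in rows if r["ip"]})

def match_proxy_log(rows, log_text):
    """Log lines whose URL host is a suspended domain or a still-live IP."""
    hosts = {r["domain"] for r in rows} | set(live_ips(rows))
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"https?://([^/\s:]+)", line)
        if m and m.group(1).lower() in hosts:
            hits.append((m.group(1).lower(), line))
    return hits
```

Hits name the internal client that reached the suspended infrastructure, which is the evidence the advisory asks you to forward; the live-IP set is the part worth keeping in a block or watch list after the domains are gone.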

Tango Down

1. Under NAMECHEAP.COM (LA, USA) Registrar (Count: 13) - Status:serverHold:

$ date && bash check_nonru.sh
Thu Feb 13 20:57:51 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------

WARNING! IP is STILL ALIVE! Info: GERMANY & NETHERLANDS (WORLDSTREAM & LEASEWEB)

217.23.1.174|customer.worldstream.nl.|49981 | 217.23.0.0/20 | WORLDSTREAM | NL | WORLDSTREAM.NL | WORLDSTREAM
46.165.229.114|SMRK011.leaseweb.com.|16265 | 46.165.192.0/18 | FIBERRING | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH
46.165.229.115|SMRK011.leaseweb.com.|16265 | 46.165.192.0/18 | FIBERRING | DE | LEASEWEB.COM | LEASEWEB GERMANY GMBH

2. Under other registrars (Count: 73) - Status: Suspension Flag:

$ date && bash check_nonru.sh
Thu Feb 13 20:58:542 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------

3. Under other registrars (Count: 88) - Status:serverHold:

$ date && bash check_nonru.sh
Thu Feb 13 20:59:55 JST 2014

ipchk-shell 1.3 FreeBSD version - by @unixfreaxjp
-----------------------------------------------------------

Credits:

Thank you: @essachin @ConradLongmore @DhiaLite @abhinavbom @malekal_morte (twitter)

#MalwareMustDie!!