
Registrar EstDomains Stay of Termination lifted

by certifiedbug on November 13, 2008

in Security

ICANN: http://www.icann.org/en/announcements/announcement-12nov08-en.htm

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

Letter to EstDomains concerning decision to proceed with termination:
http://www.icann.org/correspondence/burnette-to-poltev-07nov08-en.pdf [PDF]

The notice of primary contact change recently sent to ICANN’s Brussels office is not compliant with the requirements of the RAA and is not an effective notice of primary contact change. Until notice of primary contact change is received at ICANN’s address above, ICANN’s records will continue to reflect that Mr. Vladimir Tsastsin is the primary contact for EstDomains, Inc.

Certifiedbug, October 30, 2008. ICANN Stays EstDomains Notice of Termination

Certifiedbug, October 29, 2008. ICANN cans EstDomains, Inc.

McColo Corp downed, spam down

by certifiedbug on November 12, 2008

in Security

The stats at Spamcop and MxLogic, along with my own spam filter, make me a believer in the researchers' claim that McColo provided the connectivity responsible for half the world's spam.

No doubt the cyber crooks who lost their botnet’s ‘command and control’ servers will resume business somewhere else, but right now we can enjoy the temporary drop in spam.

Let's not forget the child pornography (child abuse) vendors. At least 40 websites, nameservers or payment services used for child pornography were recently found to be hosted by McColo, according to HostExploit's Report (PDF).

Third “Bad ISP” Dissolves — McColo Gone
Jose Nazario writes that in Arbor Networks' own database they have been tracking a few dozen botnets that phoned home to McColo IPs, and also nearly 1000 distinct URLs from hundreds of different malcode samples.

These guys ran a dirty operation.

As with Atrivo/Intercage, McColo relied on US transit peers.

McColo Cyber Crime USA

by certifiedbug on November 12, 2008

in Security

HostExploit’s Cyber Crime Series - Version 2.0

This second CYBER CRIME USA report highlights those Internet players that currently host the world's major spam botnets (an estimated 50% of spam worldwide), malware, rogue PC security products, cybercrime affiliate payment systems, and child pornography. This study from HostExploit.com is based on tracking and documenting ongoing cyber criminal activity.

HostExploit Report (PDF)

Certifiedbug, August 28, 2008. Cyber Crime USA

GarWarner, November 12, 2008. Internet Landfill: McColo Corporation

Certifiedbug, November 12, 2008. McColo Corp down for the count

McColo Corp down for the count

by certifiedbug on November 12, 2008

in Security

Brian Krebs at the Washington Post reports,

A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about criminal activity emanating from the network.

1) Major Source of Online Scams and Spams Knocked Offline

2) Host of Internet Spam Groups is Cut Off
“This story was updated from an earlier version to clarify McColo’s role in hosting of suspicious sites.”

Certifiedbug:

Spamcop stats, week.

I doubt that is a coincidence, more later.

Edit: Spamcop, 24 hours.

CIDR Report for AS26780
Global Crossing still shows a listing.
“26780 MCCOLO - McColo Corporation
Adjacency: 1 Upstream: 1 Downstream: 0
Upstream Adjacent AS list
AS3549 GBLX Global Crossing Ltd.”

FireEye Malware Intelligence Lab, 2008.10.26.

If you look back in our articles, you’ll see a fairly deep connection between Malware, Botnets, and McColo. With the shutdown of Atrivo, McColo seems to be the frontrunner for Botnet/Malware hosting -

Rogue.AntiVirus2009 hosted by McColo

MSN Featured Offers catch all

by certifiedbug on November 10, 2008

in Security

This spam looks like the recent ones pushing pharmaceuticals.

Except this time "One-stop for all your meds here" hid a URL to globalmarketingsolutions, where I landed on what appeared to be a real estate page containing a lot of links. Clicking on one of them brought this up.

http://safeweb.norton.com/report/show?name=66.96.85.221

Searching in Google I was warned, “this site may harm your computer”.

MSN Featured Offers, Spam from Canadian Pharmacy

Infector Spam ‘Free Update Windows XP,Vista’

Fake IE7 email Spam

Spam posing as MSN Featured Offers

Hit delete when it appears in your mailbox, and again do not click the ‘unsubscribe’ link contained in the spam. Doing that would just confirm to spammers that your email address is alive and working.

MSN Featured Offers, Spam from Canadian Pharmacy

by certifiedbug on November 8, 2008

in Security

This week I have seen a resurgence of the “MSN Featured Offers” scam, this time from Canadian Pharmacy, pushing Viagra and other pharmaceuticals.

Previous Certifiedbug alerts:
Infector Spam ‘Free Update Windows XP,Vista’
Fake IE7 email Spam
Spam posing as MSN Featured Offers

Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn
IP Location: Latvia - Latvia - Vdhost Ltd

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05
Domain servers in listed order:
srv1.reachfarm.com
srv2.reachfarm.com
ZHANGJIE
JIANSHELU263
TS,HB,CN 063002

hxxx://ler.rightachievement.com
Canadian Pharmacy

hxxx://myx.poseindependence.com
Canadian Pharmacy

hxxx://xkx.rightachievement.com/
Canadian Pharmacy

Those are just examples; the links change frequently.
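The whois records quoted above share one trait a mail filter can act on: the domains were registered days before the spam arrived. The following is an added example, not code from the original post, that parses whois-style records in the "Domain Name:" / "Created:" layout shown above and flags any domain younger than a chosen number of days on the date it was seen. The record layout follows the post; the 30-day threshold, the sighting date (taken as the post date, November 8, 2008) and the third, older sample domain are assumptions added for illustration.

```python
"""Flag newly registered domains in whois-style records.

Added example for this archive post, not code from the original page.
Field names ("Domain Name:", "Created:") follow the records quoted above;
the age threshold and the sighting date are assumptions.
"""
from datetime import date

# Constructed sample: the two records quoted in the post plus one
# long-established placeholder domain to show the negative case.
SAMPLE_WHOIS = """\
Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05

Domain Name: old-established.example
Created: 2001-03-14
Expires: 2010-03-14
"""


def parse_whois_records(text):
    """Split blank-line separated whois records into dicts of field -> value."""
    records = []
    current = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def domain_age_days(record, seen_on):
    """Age of the domain in days on the date it was seen in a spam run."""
    created = date.fromisoformat(record["Created"])
    return (seen_on - created).days


def flag_young_domains(text, seen_on_iso, max_age_days=30):
    """Return (domain, age_days) for every domain younger than max_age_days.

    seen_on_iso is the sighting date as an ISO string, e.g. "2008-11-08".
    Records missing either required field are skipped rather than guessed.
    """
    seen_on = date.fromisoformat(seen_on_iso)
    flagged = []
    for rec in parse_whois_records(text):
        if "Domain Name" not in rec or "Created" not in rec:
            continue
        age = domain_age_days(rec, seen_on)
        if age < max_age_days:
            flagged.append((rec["Domain Name"].lower(), age))
    return flagged


if __name__ == "__main__":
    # The post is dated November 8, 2008; treat that as the sighting date.
    for domain, age in flag_young_domains(SAMPLE_WHOIS, "2008-11-08"):
        print(f"{domain}: registered {age} days before the spam was seen")
```

Domain age on its own is only a signal, not a verdict: plenty of legitimate domains are new, so a check like this is best used to raise a score or trigger a closer look rather than to block outright.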

Fake pharmaceuticals on-line, buyer beware

Critical update, version 9.0.151.0 for Flash 9 users unable to update to Flash 10.

In addition to issues previously reported in Security Bulletin APSB08-18, the update addresses several other security vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb08-20.html

Certifiedbug, October 15, 2008.
Adobe Flash Player update 10.0.12.36

ICANN Stays EstDomains Notice of Termination

by certifiedbug on October 30, 2008

in Security

ICANN received a response from EstDomains regarding the notice of termination:
http://www.icann.org/correspondence/poltev-to-burnette-29oct08-en.pdf [PDF, 853K]

To assess the merits of the claims made in EstDomains' response, ICANN has stayed the termination process as ICANN analyzes these claims.

ICANN cans EstDomains, Inc.

by certifiedbug on October 29, 2008

in Security

Stacy K. Burnette, Director of Contractual Compliance at ICANN, sent an official letter to Vladimir Tsastsin, President of EstDomains Inc., informing him that the company’s accreditation as a registrar is being terminated.

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for Estdomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.

The attached Estonia Court records state that you were convicted of credit card fraud, money laundering and document forgery on 6 February 2008. EstDomains’ has submitted official documents to ICANN that state you are the President of EstDomains. Absent receipt by ICANN of any document indicating that you were removed from the position of President, ICANN concludes that you maintained the position of President of EstDomains since the date of your conviction. Estdomains’ RAA is being terminated based on your conviction and your status as President of EstDomains.

Notice Of Termination Of ICANN Register Accreditation Agreement. (PDF)

ICANN's notice states that approximately 281,000 domains currently sponsored by EstDomains will be transferred to another ICANN-accredited registrar in accordance with the De-registration Transition Procedure, and that EstDomains has the right to suggest the transfer recipient by November 6, 2008.

Certifiedbug: http://certifiedbug.com/blog/tag/estdomains/

Edit
ICANN - Expressions of Interest Sought for Bulk Transfer of Registrations

As the result of the de-accreditation of EstDomains, Inc. (IANA ID 832), ICANN is seeking Statements of Interest from ICANN-accredited registrars that are interested in assuming sponsorship of the gTLD names that had been managed by EstDomains. EstDomains managed approximately 280,000 gTLD registrations, including registrations in the biz, com, info, mobi, net, and org registries, including approximately 7 second-level internationalized domain names. EstDomains, Inc. is organized in Delaware, United States.

:roll: Whack-A-Mole.

http://www.domainnews.com/en/general/icann-expressions-of-interest-sought-for-bulk-transfer-of-registrations.html

New EST Domains

by certifiedbug on October 25, 2008

in Security

decitu.com is one of EstDomains' October registrations; when I checked it out, my browser was redirected to porno-tube-online.com/porn/, obviously an adult content site.

Snippet from my log,
/banners/flash/24368/json_400×600_005.swf 11,524 application/x-shockwave-flash
Host: banners.adultfriendfinder.com.

By the way, if your Adobe Flash is up to date and you think you are protected from SWF exploits, see Sandi's article at Spyware Sucks:
Adobe Flash 10 does NOT stop malvertizement hijacking

A lot of malware victims end up in help forums because they were redirected to a bad site, or intentionally downloaded video codecs so they could watch such content.

The dialog says a codec is needed to view the video; this is where you should stop, before infecting your computer.

The antivirus program alerted.

A rogue was hiding in the background, waiting for an unsuspecting user to download the codec; the link on its own produced an error.

Domain Name: DECITU.COM
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-10-23
Expires: 2009-10-23
Updated: 2008-10-23
3 other sites hosted on this server.

Certifiedbug October 24, 2008. EstDomains, Inc. PR

From EstDomains’s Press release,

Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe. Please report infringements that involve the activity of EstDomains, Inc customers to: https://support.estdomains.com.

The support link they provided produced,
“The requested site did not respond to a connection request and the browser has stopped waiting for a reply.”
I went directly to their website and clicked the red ‘Report Abuse’ button, same thing.

The rest of the site loads normally; it is the 'support' page that was kaput at time of writing.
