
Abdallah Internet Hizmetleri Dead?

March 4th, 2008 by Steven Adair

Well, it looks like there might be good news regarding Abdallah_Internet Hizmetleri, a group that owned a few IP ranges on TurkTelekom. It appears they might no longer be operational. As of late last night or early today, all routes going to 88.255.90.0/24 and 88.255.94.0/24 appear to have gone dead. Part of the WHOIS record now reads as follows:

    person: Mahmod AbdAllah el Gashmi
    address: SISTEMNET TELEKOM BLACKLISTED PERSON
    e-mail: admin@sistemnet.com.tr
    phone: +902122666060
    remarks: ——————————————————
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: For Abuse Contact : abuse@sistemnet.com.tr
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: SISTEMNET TELEKOM BLACKLISTED PERSON
    remarks: ——————————————————

This is pretty good news, as we have previously blogged about these IP ranges here. One of my Shadowserver colleagues also just recently published a whitepaper about AbdAllah Internet Hizmetleri. It would be awesome if this is what ultimately pulled the plug. You can read the whitepaper, entitled “RBN Rizing”, in the whitepapers section on the Shadowserver website, or view the RBN Rizing document directly. Happy reading and good riddance (?) to AbdAllah_Internet! :D

Posted in Malware, Exploits, RBN, Random | No Comments »

More Blogspot Weblogs with Storm Worm

December 25th, 2007 by Steven Adair

It looks like, just as with merrychristmasdude.com, there are tons of blogspot weblogs with postings that just say something like this:

New Year wishes for you
http://uhavepostcard.com/

Once again, don’t visit the website, but it is funny to see how they are attacking blogspot weblogs. It would seem that they’ve compromised several of them, as these are actual blog postings and not just comment spam. Interesting vector of attack here. If you’ve seen merrychristmasdude.com or uhavepostcard.com sent out in ways other than E-mail or Blogspot, please drop me a line.

Posted in Malware, RBN, Storm Worm | No Comments »

Happy New Year Dude? Well uhavepostcard.com anyway…

December 25th, 2007 by Steven Adair

Well, it looks like Christmas is upon us and the crew behind Storm Worm have already moved on to trying to take advantage of the New Year. The website doesn’t have anything fancy yet; it just tries to get you to visit uhavepostcard.com (don’t go!) and follow a link to happy2008.exe, with just the following message:

Your download should begin shortly. If your download does not start in approximately 15 seconds,
you can click here to launch the download and then press Run. Enjoy!

Of course, the “click here” text links to the aforementioned happy2008.exe. So there’s no happynewyeardude.com website yet, or nice pictures, but this is what the update is for now. Also, surprisingly enough, no iframes looking to exploit the browser either... interesting. Still seeing disnisa.exe and disnisa.config as the malicious executable it drops and the configuration file it creates — if you have these in your Windows directory you are infected.

E-mail Subjects seen so far (per isc.sans.org):

A fresh new year
As the new year…
As you embrace another new year
Blasting new year
Happy 2008!
Happy New Year!
It’s the new Year
Joyous new year
New Hope and New Beginnings
New Year Ecard
New Year Postcard
Opportunities for the new year
Wishes for the new year
Happy New Year to You!
Happy New Year to
Lots of greetings on the new year
New Year wishes for You

Enjoy your Christmas and try to stay virus free.

Posted in Malware, RBN, Storm Worm | 3 Comments »

Blogspot Postings in Cohorts with merrychristmasdude.com?

December 24th, 2007 by Steven Adair

There’s a good chance that if you recently stumbled upon my website, you were searching for something related to “merrychristmasdude.com” — see more about that in my previous post. However, it seems like another group might be trying to take advantage of the Storm Worm activity, or it may even be the same group. When querying Google for the malicious merrychristmasdude.com website, you may also get some funny-looking entries on various blogspot.com weblogs.

Each of these weblog entries has “merrychristmasdude.com” written all over it and attempts to get you to click on what looks like a YouTube video. Clicking this image actually pulls up a link to siski.cn. What do you see when you get to this website? Another YouTube video that appears to be broken, and a fake “Video ActiveX Object Error” message. This then entices you to run “install_video_3913230.exe” from shockbabetv.com to fix the issue. Of course, this would be a bad idea. You might notice that shockbabetv.com is hosted on the IP address 85.255.119.93, in an IP range we have previously blogged about here. Beware: running this file will download yet more malware from the same IP using the hostname creatonprojects.com.

Happy Holidays!

Posted in Malware, RBN, Storm Worm | No Comments »

Some TurkTelekom IP Ranges Aren’t Your Friends

December 9th, 2007 by Steven Adair

Do a WHOIS on an IP address in 88.255.0.0/16 and you will get back something like this as part of your response:

% Information related to '88.255.0.0/16AS9121'

route: 88.255.0.0/16
descr: TurkTelekom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered
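The two WHOIS excerpts on this page (the route object just above and the blacklisted contact record in the first post) are both RIPE RPSL objects: blank-line separated blocks of `attribute: value` lines, with `%` comment lines and `#` end-of-line comments such as `RIPE # Filtered`. The following Python parser is an added example, not code from the original post or from Shadowserver; the sample reply it parses is constructed from the page's own excerpts (the dash separator lines in the remarks are written as plain hyphens here), and the `flagged_contacts` helper and the `BLACKLISTED` marker it looks for are my own choice of what to extract.

```python
import re
from collections import defaultdict

# Constructed sample reply: the route object and the contact record quoted on
# this page, joined the way a RIPE server returns them (comment, then objects).
SAMPLE_WHOIS = """\
% Information related to '88.255.0.0/16AS9121'

route:          88.255.0.0/16
descr:          TurkTelekom
origin:         AS9121
mnt-by:         AS9121-MNT
source:         RIPE # Filtered

person:         Mahmod AbdAllah el Gashmi
address:        SISTEMNET TELEKOM BLACKLISTED PERSON
e-mail:         admin@sistemnet.com.tr
phone:          +902122666060
remarks:        ------------------------------
remarks:        SISTEMNET TELEKOM BLACKLISTED PERSON
remarks:        For Abuse Contact : abuse@sistemnet.com.tr
remarks:        ------------------------------
"""

# An RPSL attribute name starts a line and is followed by a colon.
ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_rpsl(text):
    """Split a RIPE-style WHOIS reply into objects.

    Objects are separated by blank lines. Each object becomes a dict mapping
    attribute name -> list of values (attributes such as 'remarks' repeat).
    Lines starting with '%' are server comments; a '#' inside a value starts
    an end-of-line comment ('RIPE # Filtered' -> 'RIPE'); lines starting with
    whitespace or '+' continue the previous attribute's value.
    """
    objects, current, last_attr = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:  # blank line closes the object being built
                objects.append(dict(current))
                current, last_attr = defaultdict(list), None
            continue
        m = ATTR_RE.match(line)
        if m:
            last_attr, value = m.group(1), m.group(2)
        elif last_attr and line[0] in " \t+":
            # continuation line: glue onto the previous value of last_attr
            current[last_attr][-1] += " " + line.lstrip(" \t+")
            continue
        else:
            continue  # unrecognised line; skip rather than guess
        value = value.split("#", 1)[0].strip()
        current[last_attr].append(value)
    if current:
        objects.append(dict(current))
    return objects


def flagged_contacts(objects, marker="BLACKLISTED"):
    """Return e-mail addresses of person objects whose remarks or address
    contain marker (constructed heuristic for the annotation seen on this page)."""
    hits = []
    for obj in objects:
        if "person" not in obj:
            continue
        notes = obj.get("remarks", []) + obj.get("address", [])
        if any(marker in n for n in notes):
            hits.extend(obj.get("e-mail", []))
    return hits


if __name__ == "__main__":
    for obj in parse_rpsl(SAMPLE_WHOIS):
        print({k: v for k, v in obj.items()})
    print("flagged:", flagged_contacts(parse_rpsl(SAMPLE_WHOIS)))
```

Feeding the output of a real `whois -h whois.ripe.net <ip>` query into `parse_rpsl` gives you the `route`/`origin` pair for the prefix the address falls in, which is the piece of the reply worth keeping in a blocklist note alongside the range itself.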

Now, not everything on 88.255.0.0/16 or AS9121 is evil. However, there are some ranges that are definitely pretty bad. We have been seeing a lot of malware out of some of these ranges for a while. Even some of the stuff that used to be housed over on the main Russian Business Network IP ranges has moved here. Remember the Virut trojan that used “proxima.ircgalaxy.pl” as part of its operation and used to be on RBN IP space? Well, it’s now at 88.255.74.140.

Now let’s give you a list of some of the ranges you should be concerned about.

88.255.90.0/24
88.255.91.0/24
88.255.92.0/24
88.255.93.0/24
88.255.94.0/24
88.255.74.0/24

The first five IP ranges belong to AbdAllah Internet Hizmetleri (AbdAllah_Internet) and are particularly nasty. Some of the ranges are seen a lot more than others, but there’s a pretty consistent pattern in what is housed here. All kinds of drive-by exploit sites are on these IP addresses. Most of them seem to be geared towards information theft. A number of Nethell, Pinch, and other infostealer/banker trojans are live on those IPs.

The sixth and last IP range above is listed under “AKSERVERS_INTERNET_HIZMETLERI”. No idea if these are somehow related, but this subnet also has a lot of the same bad stuff. Consider blocking these ranges or monitoring what goes in and out of them from your networks.

Posted in Malware, Exploits, RBN | 1 Comment »

Russian Business Network Taken Down a Notch

November 11th, 2007 by Steven Adair

Since I am super slow to update my blog, you may have heard that the Russian Business Network (RBN) has been taken down a notch. Some of the core ranges they operate within are no longer being routed and have had their ASNs withdrawn.

- 81.95.144.0/22 Withdrawn
- 81.95.148.0/22 Withdrawn
- 81.95.154.0/24 Withdrawn
- 81.95.155.0/24 Withdrawn

However, this doesn’t mean they have disappeared or are finished. Spamhaus reported a while back that the Russians are going “Chinese” over here. A lot of people are keeping their eyes on all of this. Even the Bleeding Threats project has started publishing rulesets for RBN-related activity. You can grab the Snort rules for RBN-related hosts and ranges from http://www.bleedingthreats.net/rules/bleeding-rbn.rules.

We’ve noticed a big increase in the last few months in the amount of malware coming out of one of the IP ranges being tracked by those rulesets. What range is that, you ask? Well, that would be Intercage. You might as well block or pay specific attention to this range:

85.255.112.0/20

I’m not promising it will be perfect and free of false positives, but it is definitely worth a look. We’re seeing a bunch of stuff out of the whole 85.255.0.0/16, but I wouldn’t block all of it. There’s plenty of legit stuff there, but be on the lookout.
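Both this post and the TurkTelekom post above end with the same advice: block or watch a handful of specific ranges rather than the whole /16. The Python script below is an added example (not code from the original posts, Shadowserver or Bleeding Threats) of the monitoring half of that advice: it compiles the ranges named on this page into a labelled watchlist and runs constructed proxy-style log lines through it, reporting which destination hits which range. The log format, the `dst=` field and the client addresses are my own constructions; the labels on the watchlist come from the posts. The one edge case the script is built to show is the author's own caveat: 85.255.119.93 (inside the Intercage /20) is flagged, while an address elsewhere in 85.255.0.0/16 is not.

```python
import ipaddress
import re

# Ranges named on this page, tagged with the owner the posts attribute them to.
WATCHLIST = {
    "AbdAllah_Internet": [
        "88.255.90.0/24", "88.255.91.0/24", "88.255.92.0/24",
        "88.255.93.0/24", "88.255.94.0/24",
    ],
    "AKSERVERS_INTERNET_HIZMETLERI": ["88.255.74.0/24"],
    "Intercage": ["85.255.112.0/20"],
}

# Constructed proxy-style log lines: timestamp, client, method, URL, resolved dst.
# 192.0.2.10 is a TEST-NET address standing in for an ordinary, benign host.
SAMPLE_LOG = """\
2007-12-09T10:01:02 10.0.0.5 GET http://proxima.ircgalaxy.pl/ dst=88.255.74.140
2007-12-09T10:01:09 10.0.0.7 GET http://www.example.com/ dst=192.0.2.10
2007-12-24T08:14:51 10.0.0.9 GET http://shockbabetv.com/install_video_3913230.exe dst=85.255.119.93
2007-12-24T08:15:00 10.0.0.9 GET http://legit.example.net/ dst=85.255.3.1
2007-12-09T11:30:00 10.0.0.5 GET http://example.org/ dst=88.255.91.7
"""

DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})")


def build_watchlist(watchlist):
    """Compile CIDR strings into (network, owner) pairs.

    strict=True rejects a prefix whose host bits are set (a typo in a
    blocklist should fail loudly, not silently widen or narrow the range).
    """
    nets = []
    for owner, cidrs in watchlist.items():
        for cidr in cidrs:
            nets.append((ipaddress.ip_network(cidr, strict=True), owner))
    return nets


def lookup(ip, nets):
    """Return the owner label of the first range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in nets:
        if addr in net:
            return owner
    return None


def scan_log(text, watchlist=WATCHLIST):
    """Return a list of (log line, owner) for lines whose dst= address
    falls inside a watched range; lines without a dst= field are ignored."""
    nets = build_watchlist(watchlist)
    hits = []
    for line in text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        owner = lookup(m.group(1), nets)
        if owner is not None:
            hits.append((line, owner))
    return hits


if __name__ == "__main__":
    for line, owner in scan_log(SAMPLE_LOG):
        print(f"[{owner}] {line}")
```

Because `lookup` returns the first match, overlapping entries resolve in watchlist order; keep the narrower, higher-confidence ranges first if you later add a broad parent prefix for visibility only. Swapping `SAMPLE_LOG` for a real proxy or firewall log and `DST_RE` for that log's destination field is the only change needed to run this against your own traffic.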

Posted in Snort, RBN | 1 Comment »