Domain name: auusdec.cc
Registrant Contact:
Andrej Morov
Andrej Morov gk@ppmail.ru
+74956211281 fax: +74956211281
Schelkovskij pr. d.11 k.1 kv.3
Moscow Moscow 105425
RU
Domain Name: AUUSDEC.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.AUUSDEC.CC
Name Server: NS2.AUUSDEC.CC
Name Server: NS3.AUUSDEC.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Now, the only thing a registrar has to be concerned about is registrant information being falsified for illegal purposes. I will have no problem showing that this whois registrant has been involved in plenty of illegal online activity for some time now. Proving that his registrant information has been falsified may take some time, though. I'll say this much: the address cannot be found on Google Maps. A quick Google search of the phone number (+74956211281) turns up some interesting results for quite a few malware domains and fake pharmacies. Of most interest, though, is the following whois registrant discrepancy:
Domain name: pnc-demo.net
Registrant Contact:
Nikolay Vukolov
Nikolay Vukolov - prove@bigmailbox.ru
+74956211281 fax: +74956211281
ul. 1-aya Magistralnaya d.22 kv.53
Moskva Moskva 123007
RU
Created: 2010-03-31
Expires: 2011-03-31
Source: http://whois.domaintools.com/pnc-demo.net
Notice how this phone number (used to register both AUUSDEC.CC and pnc-demo.net) appears with a different registrant name, address, and email? Also notice how close the registration dates are: less than one year apart. This goes toward proving falsified whois. Let's put another nail in this coffin and prove that the registrant information was falsified:
Domain name: asdeachreaz.com
Registrant Contact:
Nikolay Vukolov
Nikolay Vukolov - sued@cheapbox.ru
+74956211281 fax: +74956211281
ul.1-aya Magistralnaya d.22 kv.53
Moscow Moscow 123007
RU
Created: 2010-11-17
Expires: 2011-11-17
Source: http://whois.domaintools.com/asdeachreaz.com
Again, the mysterious Nikolay Vukolov, using the same phone/fax number as our Andrej Morov, registers another domain, asdeachreaz.com, with completely different registrant information. This time, asdeachreaz.com and AUUSDEC.CC were created some 2 months apart. Also of interest, googling the term "ul.1-aya Magistralnaya d.22 kv.53" brings up quite a few fake pharmacy websites and malware domains for good ol' Nikolay. I think it's safe to assume Nikolay and Andrej are in the same business.
From here, we can assume that the whois registrant information on AUUSDEC.CC has been falsified. What's left is showing that this server has had its whois registrant information falsified for illegal purposes such as phishing, malware deployment, and other forms of fraud.
First off, let's google Andrej Morov's registrant information. We start with "Schelkovskij pr. d.11 k.1 kv.3" and see how many fraud hits we get there:
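The pivot used above (one phone number, several domains, mismatched registrant identities) is easy to automate. The script below is an added example, not code from the original post; it parses the three registrant records quoted above, with addresses flattened to one line, groups them by phone number and flags any phone that is reused across domains under more than one registrant name, email or address.

```python
import re
from collections import defaultdict
# Constructed sample input: the three records quoted above, reduced to key fields.
RECORDS = """
Domain name: auusdec.cc
Registrant: Andrej Morov
Email: gk@ppmail.ru
Phone: +74956211281
Address: Schelkovskij pr. d.11 k.1 kv.3 Moscow 105425 RU

Domain name: pnc-demo.net
Registrant: Nikolay Vukolov
Email: prove@bigmailbox.ru
Phone: +74956211281
Address: ul. 1-aya Magistralnaya d.22 kv.53 Moskva 123007 RU

Domain name: asdeachreaz.com
Registrant: Nikolay Vukolov
Email: sued@cheapbox.ru
Phone: +74956211281
Address: ul.1-aya Magistralnaya d.22 kv.53 Moscow 123007 RU
"""

def parse_records(text):
    """Split blank-line-separated 'Key: value' blocks into dicts with lower-cased keys."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return records

def normalize_address(addr):
    # Collapse punctuation/whitespace and the Moskva/Moscow spelling variant.
    return re.sub(r"[\s.,]+", " ", addr.lower()).strip().replace("moskva", "moscow")

def pivot_on_phone(records):
    """Group records by phone digits: {phone: {field: set of distinct values}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for rec in records:
        g = groups[re.sub(r"\D", "", rec.get("phone", ""))]
        g["domains"].add(rec["domain name"].lower())
        g["registrant"].add(rec.get("registrant", "").lower())
        g["email"].add(rec.get("email", "").lower())
        g["address"].add(normalize_address(rec.get("address", "")))
    return groups

def inconsistent_phones(groups):
    """Phones reused across several domains under more than one registrant identity."""
    return {p: g for p, g in groups.items() if len(g["domains"]) > 1
            and any(len(g[f]) > 1 for f in ("registrant", "email", "address"))}
```

A hit from `inconsistent_phones` is a lead to verify by hand (shared hosting providers and registration agents also reuse one phone number), not proof on its own.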
http://whois.domaintools.com/pillsprescriptionmarket.com *fake online pharmacy*
http://whois.domaintools.com/pillstoretabletssite.com *fake online pharmacy*
http://whois.domaintools.com/pillfreetabletsworld.com *fake online pharmacy*
http://www.malwareurl.com/listing.php?domain=noiceanimakae.com *malware*
etc. (do a Google search and you'll find tons of other fake sites and malware domains for this address)
So I think it's now safe to say you don't want to have anything to do with Andrej Morov/Nikolay Vukolov's sites. Now let's google AUUSDEC.CC and see how many fraud hits we get, to finish this off:
Fraud:
http://scamfraudalert.wordpress.com/2011/02/03/
cached delphifaq.com thread (note: the site is probably under DDoS like the sites I listed in my first post; it is also on the list of sites these guys' malware blocks by changing the hosts file)
scamfraudalert.com cached thread (again, a site blocked by these malware makers when they change the hosts file on any machine they infect; the site also appears to be under DDoS, see my first blog post)
Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=paultonsgroup-ltd.info&submit=query
http://support.clean-mx.de/clean-mx/viruses.php?domain=worldofart-ltd.info&sort=id%20desc
http://amada.abuse.ch/?search=worldofart-ltd.info
http://amada.abuse.ch/?search=paultonsgroup-ltd.info
To be honest, there were quite a few Google hits for the fraud and malware served from AUUSDEC.CC. I could go through them all, but I found one jewel that sums this up (plus I was getting tired of trying to research sites that are currently under DDoS by these malware operators). That site was the following:
http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_2-6-2011.txt
Emerging Threats has been following one of the most infamous cyber crime organizations out there for a while now, the infamous Russian Business Network (Wikipedia article here, Dancho Danchev's breakdown here). The fact that AUUSDEC.CC is listed by Emerging Threats as part of the Russian Business Network (RBN) is not shocking, given the way this name server operates. What is scary here is the fact that these name servers have been online for so long with falsified registration, catering to the charred underbelly of the internet (fraud artists and cyber criminals). Then again, let's consider the registrar, bizcn.com. McAfee SiteAdvisor notes that this company has run phishing and browser exploits in the past (link here). There has also been some interesting data on how this company's services have been used in spamming and the ZeuS botnet.
Needless to say, this name server needs to get trashed by the registrar. I doubt it will happen, but the knowledge will at least be out there.