Thursday, April 7, 2011

LIBUNITAU.CC

Time again to dive back into the list of name servers I gave in my first blog post. Today we look at the domain LIBUNITAU.CC, another Russian Business Network (RBN) domain being used as a name server according to the Emerging Threats RBN IP/NS monitoring list. Diving right in, let's show how the RBN lied through their teeth with criminal intent when they registered LIBUNITAU.CC to act as a name server dishing out their malware and other forms of fraud -

Queried whois.nic.cc with "dom libunitau.cc"...
Domain Name: LIBUNITAU.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.LIBUNITAU.CC
Name Server: NS2.LIBUNITAU.CC
Name Server: NS3.LIBUNITAU.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact:
Petr Anisimov
Petr Anisimov ached@yourisp.ru
+78123342003 fax: +78123342003
ul.P.Germana d.18 kv.19
Sankt-Peterburg Sankt-Peterburg 198205
RU
Source: centralops.net
Petr Anisimov, I'm getting tired of all these Russian names, let's just call him Pete for short. A quick google on Pete's street address definitely shows Pete dabbling in fraud and malware. It would make sense that the whois registrant details are intentionally falsified with criminal intent here, as "Pete" works for the multifaceted cyber crime host the RBN. So what does a google search on Pete's phone number (Google: +78123342003 OR +7.8123342003) show? Our first clue towards falsified information leads to a domain serving up malware -
Domain: kbgg.in 
Domain ID:D3358497-AFIN
Domain Name:KBGG.IN
Created On:23-Mar-2009 13:57:27 UTC
Last Updated On:23-May-2009 03:26:15 UTC
Expiration Date:23-Mar-2010 13:57:27 UTC
Sponsoring Registrar:Netlynx Technologies Pvt. Ltd. (R62-AFIN)
Status:OK
Registrant ID:DI_9562832
Registrant Name:Evgeniy Veter
Registrant Organization:Evgeniy Veter
Registrant Street1:Savushkina str. d.107 kv.94
Registrant Street2:
Registrant Street3:
Registrant City:Sankt-Peterburg
Registrant State/Province:Sankt-Peterburg
Registrant Postal Code:197374
Registrant Country:RU
Registrant Phone:+7.8123342003
Registrant Phone Ext.:
Registrant FAX:+7.8123342003
Registrant FAX Ext.:
Registrant Email:inhale@bronzemail.net
Source: http://www.malwareurl.com/listing.php?domain=kbgg.in
Notice two things here. First off, that's an entirely different name (Evgeniy Veter) and address, but the same phone number as Pete's... suggesting a falsified registrant name for criminal intent. Secondly, the domain itself confirms criminal intent. We find another domain with the same registrant details for "Veter" here, yet again serving up malware. Continuing along this trend, we find another domain yet again suggesting a falsified registrant name for LIBUNITAU.CC -

Registrant:
Pyotr Anisimov raced@corporatemail.ru +7.8123342003
Pyotr Anisimov
ul. P.Germana d.18 kv.19
Sankt-Peterburg,Sankt-Peterburg,RUSSIAN FEDERATION 198205

Domain Name:tarhujelafert.com
Record last updated at 2009-08-17 09:16:18
Record created on 2009/8/10
Record expired on 2010/8/10
Source: Link here (too long)
Notice the difference in names here? Pyotr Anisimov registered a domain named tarhujelafert.com to dish up malware, and he uses the very same registrant details as Petr Anisimov (who registered LIBUNITAU.CC to act as a name server for cyber criminal activity for the RBN). Granted, Pyotr and Petr are pretty close in name, and in Russian both are Peter. However, look at the timeline here: on 8/2009 Peter/Pete registered a domain (tarhujelafert.com) to serve up malware. On 5/2009 and 8/2009 Evgeniy Veter, using the same phone number as Peter but a different registrant address, registered two domains (kbgg.in & cc-payment-sys24.com) to serve up malware.

This is classic, intentionally falsified whois registrant data for criminal purposes. The timeline fits, and the key parts of the registrant details (name, address, phone number, and email) have problems staying consistent across the records. That said, let's move on to showing how the RBN is using LIBUNITAU.CC as a name server, with a quick google search -
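The pivot above (same phone number, different names and addresses across registrations) is easy to automate once you have a handful of registrant records in hand. The script below is an added example, not code from this blog; the records are transcribed from the whois excerpts quoted above (the original post found these by hand with a Google search on the phone number), and the field layout is a constructed simplification of whois output. It normalizes the phone number so that "+78123342003" and "+7.8123342003" compare equal, clusters domains by that number, and reports how many distinct names, street addresses and emails appear inside each cluster, which is the inconsistency the post is pointing at.

```python
import re
from collections import defaultdict

# Constructed sample records, transcribed from the whois excerpts quoted in the post.
RECORDS = [
    {"domain": "libunitau.cc", "name": "Petr Anisimov",
     "street": "ul.P.Germana d.18 kv.19", "phone": "+78123342003",
     "email": "ached@yourisp.ru"},
    {"domain": "kbgg.in", "name": "Evgeniy Veter",
     "street": "Savushkina str. d.107 kv.94", "phone": "+7.8123342003",
     "email": "inhale@bronzemail.net"},
    {"domain": "tarhujelafert.com", "name": "Pyotr Anisimov",
     "street": "ul. P.Germana d.18 kv.19", "phone": "+7.8123342003",
     "email": "raced@corporatemail.ru"},
]


def normalize_phone(raw):
    """Keep digits only, so '+78123342003' and '+7.8123342003' compare equal."""
    return re.sub(r"\D", "", raw)


def normalize_street(raw):
    """Lowercase and collapse dots, commas and whitespace so that
    'ul.P.Germana d.18 kv.19' and 'ul. P.Germana d.18 kv.19' compare equal."""
    return re.sub(r"[\s.,]+", " ", raw.lower()).strip()


def cluster_by_phone(records):
    """Group registrant records by their normalized phone number."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[normalize_phone(rec["phone"])].append(rec)
    return dict(clusters)


def find_inconsistencies(records):
    """For every phone number shared by two or more domains, report the
    domains involved and the distinct names, streets and emails seen.
    More than one name or street behind a single phone number is the
    signal the post relies on."""
    report = {}
    for phone, group in cluster_by_phone(records).items():
        if len(group) < 2:
            continue
        report[phone] = {
            "domains": sorted(r["domain"] for r in group),
            "names": sorted({r["name"] for r in group}),
            "streets": sorted({normalize_street(r["street"]) for r in group}),
            "emails": sorted({r["email"] for r in group}),
        }
    return report


if __name__ == "__main__":
    for phone, info in find_inconsistencies(RECORDS).items():
        print(f"phone {phone}: shared by {len(info['domains'])} domains")
        for key in ("domains", "names", "streets", "emails"):
            print(f"  {key}: {info[key]}")
```

Run stand-alone it prints one cluster for the single phone number, listing three domains, three registrant names, two distinct street addresses and three emails. The same clustering works on any other registrant field (email, street, fax) by swapping the key used in `cluster_by_phone`; a registrar or abuse analyst would typically run it over every record sharing a sponsoring registrar rather than three hand-picked ones.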

Malware: 
Link here (too long)
http://amada.abuse.ch/?search=royalthelmas-teamant.asia (two name servers registered by BizCN!)
http://amada.abuse.ch/?search=bredgarcorp-ant.be (two name servers registered by BizCN!)

Fraud: 
link here (too long)
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://db.aa419.org/fakebanksview.php?key=56098
http://www.delphifaq.com/faq/scams/f1057.shtml?p=72
http://forum.autosec4u.info/showthread.php?tid=3690&pid=16199 (German)

This is now strike 3 for the registrar BizCN, as they registered the name server domain LIBUNITAU.CC. Libunitau.cc is being used by the RBN as a name server for cyber criminal activity, as are AUUSDEC.CC and FOLOWDNS.CC. BizCN, I would suggest you look at my first blog post. In it, towards the very end, you'll find a list of domains being used as name servers by the Russian Business Network for the sole purpose of dishing out malware and fraud. Save yourself the time BizCN: look at the name server section in my first blog post, find the ones that you registered, and place them on client hold... as I'll be going through each and every one of them.
