Queried whois.internic.net with "dom uknamo.com"...
Domain Name: UKNAMO.COM
Registrar: TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM
Whois Server: whois.ownregistrar.com
Referral URL: http://www.ownregistrar.com
Name Server: NS1.UKNAMO.COM
Name Server: NS2.UKNAMO.COM
Name Server: NS3.UKNAMO.COM
Status: clientTransferProhibited
Updated Date: 27-jan-2011
Creation Date: 27-jan-2011
Expiration Date: 27-jan-2012

Registrant:
Roman Shumakov
Roman Shumakov (morph@ppmail.ru)
ul.Dubrovinskogo d.114
Kursk Kurskaya obl,305009
RU
Tel. +7.4717545322
Fax. +7.4717545322
Creation Date: 27-Jan-2011
Expiration Date: 27-Jan-2012
Source: centralops.net
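As an added example (not code from the original post), here is a small Python routine that parses the run-together registry record above into fields and applies a few registration-pattern checks an abuse analyst would note before spending time on the registrant details; the field labels come from the record above, and the three heuristics are my own.

```python
import re
from datetime import datetime

# The thin (registry-level) WHOIS record for uknamo.com as shown above,
# with the fields run together on a single line.
WHOIS_RECORD = (
    "Domain Name: UKNAMO.COM Registrar: TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM "
    "Whois Server: whois.ownregistrar.com Referral URL: http://www.ownregistrar.com "
    "Name Server: NS1.UKNAMO.COM Name Server: NS2.UKNAMO.COM Name Server: NS3.UKNAMO.COM "
    "Status: clientTransferProhibited Updated Date: 27-jan-2011 "
    "Creation Date: 27-jan-2011 Expiration Date: 27-jan-2012"
)

# Field labels present in the .com registry record above.
FIELDS = ["Domain Name", "Registrar", "Whois Server", "Referral URL",
          "Name Server", "Status", "Updated Date", "Creation Date", "Expiration Date"]


def parse_whois(text):
    """Split a run-together 'Label: value' record into a dict; repeated labels become lists."""
    labels = "|".join(re.escape(f) for f in FIELDS)
    # A value runs from its label up to the next known label (or end of text).
    pattern = re.compile(rf"({labels}):\s*(.*?)\s*(?=(?:{labels}):|$)")
    record = {}
    for key, value in pattern.findall(text):
        record.setdefault(key, []).append(value)
    return {k: (v if len(v) > 1 else v[0]) for k, v in record.items()}


def parse_date(s):
    """Parse the registry's dd-mon-yyyy format (month abbreviation is matched case-insensitively)."""
    return datetime.strptime(s, "%d-%b-%Y")


def risk_indicators(record):
    """Registration-pattern flags (my own heuristics) for a parsed registry record."""
    flags = []
    domain = record["Domain Name"].lower()
    nameservers = record.get("Name Server", [])
    nameservers = [nameservers] if isinstance(nameservers, str) else nameservers
    # Every name server lives inside the domain itself, so no third-party DNS
    # provider holds an independent record of who operates the zone.
    if nameservers and all(ns.lower().endswith("." + domain) for ns in nameservers):
        flags.append("self-hosted name servers")
    created = parse_date(record["Creation Date"])
    if (parse_date(record["Expiration Date"]) - created).days <= 366:
        flags.append("minimum one-year registration")
    if parse_date(record["Updated Date"]) == created:
        flags.append("never updated since creation")
    return flags
```

Running `risk_indicators(parse_whois(WHOIS_RECORD))` on the record above raises all three flags; none of them proves abuse on its own, but together they are the pattern that makes the registrant details worth checking.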
Russia, what do you know! Googling Roman's street address pulls up multiple hits for recorded cyber criminal activity, and googling his whole address pulls up no hits on google maps (in fact you just find even more records of "Roman's" cyber criminal activity). This suggests the whois registrant information has been falsified. Shocking, I know, that criminals wouldn't want their place of residence known. So what happens when we google his phone number? We find more fraud, and we find his address stays pretty consistent.
Regardless of this fact, it's safe to assume that the address information has been falsified for uknamo.com. Why do I say this? Dubrovinskogo (Дубровинского) street seems to be mapped in two places on google maps. Additionally, notice the formatting of the addresses on this street -
ул. Дубровинского, 3а, к.48, Курск, Россия
305009
8 (4712) 50-49-09
Notice the "3а, к.48" part? This suggests that the whois registrant information is not formatted correctly for uknamo.com. Still, let's give this address one more look over. First let's translate it into Russian and google it. Finally! We get somewhere. Notice that xls file being offered by rpn.gov.ru in the google search? This site looks like it's some sort of environmental compliance organization. Let's take a look at this .xls file and see what we can glean about this residence (the Excel file was made in September of 2010).
From Row 2 -
Russian: Список конкретных объектов хозяйственной и иной деятельности по территории Курской области, оказывающих негативное воздействие на окружающую среду и подлежащих федеральному государственному экологическому контролю
Rough English translation:
List the concrete objects of economic and other activity in the territory of Kurskaya district, which exert negative influence on the environment and which are subject to the federal state ecological control
From Row 3 column B -
Russian: Наименование юридического лица (филиала по субъекту Российской Федерации)/ Ф.И.О. индивидуального предпринимателя
Rough English translation: Designation of legal person (branch for the subject of the Russian Federation)/ [F].[I].[O]. of the individual owner
Comment: The owner of the address.
From Row 3 Column C -
Russian: Фактический адрес и местонахождение (по месту государственной регистрации)
Rough English translation: Actual address and location (on the place for state registration)
Good! Let's see if Roman Shumakov owns this address! We scroll down to row 3014 in the xls file from this environmental compliance agency and look at columns B (owner) and C (address).
Column B -
Russian: ООО "КурскСтройМастер"
Rough English translation: [OOO] of " [KurskStroyMaster]" (google hit here, looks like a company that installs pools).
Notes: Proves falsified whois registrant details.
Column C -
Russian: 305029, Курская обл., г. Курск, ул. Дубровинского, д. 114
Rough English translation: 305029, Kursk reg., g. Kursk, ul Of [dubrovinskogo], d. 114
Comment: There's our registrant address, and it doesn't belong to Roman Shumakov!
So, that took a little longer than usual to prove the whois registrant details were falsified. Now let's prove that the domain uknamo.com has been set up by the Russian Business Network for no other reason than to serve as a staging point for cyber crime. A quick google search on uknamo.com shows a lot of cyber criminal activity in the following areas -
Phishing:
http://siteadvisor.de/sites/uknamo.com/msgpage
Fraud:
http://scamfraudalert.wordpress.com/2011/02/03/
Link here (too long)
Link here (too long)
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
Malware:
Clean MX cache here
http://amada.abuse.ch/?search=throne-uk.at
Another Clean MX cache here
There are plenty of other google hits supporting the fact that uknamo.com has been used as a name server for some time to promote cyber criminal activity. It would make sense for the whois to be completely falsified in this case, and as such it's something that TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM needs to look into.