Sunday, April 10, 2011

zonensuk.cc

Time for my last post regarding the list of nameservers I gave in my first blog post. Today we look at zonensuk.cc, another Russian Business Network (RBN) domain being used as a name server to perpetrate acts of fraud and malware dispersal. Our confirmation that this is an RBN domain/name server comes from Emerging Threats' RBN IP list. A quick google search on zonensuk.cc shows plenty of malware and fraud activity, so let's dive right in -
Domain Name: ZONENSUK.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.ZONENSUK.CC
Name Server: NS2.ZONENSUK.CC
Name Server: NS3.ZONENSUK.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 08-dec-2010
Creation Date: 08-dec-2010
Expiration Date: 08-dec-2011
Registrant Contact:
   Olga Veresova
   Olga Veresova rooms@ppmail.ru
   +78123274547 fax: +78123274547
   ul.Komsomola d.13 kv.26
   Sankt-Peterburg Sankt-Peterburg 195009
   RU
Source: centralops.net
What a surprise, googling Olga's street address I see plenty of hits for fake pharmacy and software websites... but the shocker is google leads me right back to my very own blog spot here to the post about FOLOWDNS.CC (another domain with falsified whois information being used by the RBN for their cyber crime). Boom! This proves zonensuk.cc has intentionally falsified registrant information for criminal intent in one blow. Let's throw some more stones through this glass house though -
Domain name: trvlftnow.com
Registrant Contact:
   Vladimir Silyanov
   Vladimir Silyanov epic@ca4.ru
   +78123274547 fax: +78123274547
   ul.Rudneva d.3 k.2 kv.119
   Sankt-Peterburg Sankt-Peterburg 194291
   RU
Created: 2011-03-15
Expires: 2012-03-15
Same phone number as zonensuk.cc, however it's a way different registrant name and address. This proves falsified whois registrant information. We see the same thing here for a fake pharmacy... again same phone number but entirely different whois registrant address and name. So, with intentionally falsified whois registrant information for zonensuk.cc shown above, let's show what zonensuk.cc is being used for as a name server with a quick google search -

Fraud:
Link here (too long)
Link here (too long)
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://www.fraudwatchers.org/forums/showthread.php?p=127376

Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=online-solutionsllc.cc&sort=first%20desc
http://support.clean-mx.de/clean-mx/viruses.php?domain=pegasltdunion.cc&sort=email%20desc

Again, there were plenty of other hits for malware and fraud activity on zonensuk.cc, a domain being used as a name server to spread malware and fraud. BizCN, again, just delete these registrants I've been mentioning in my blog posts entirely from your registry. These customers will only bring a business like yours problems in the long run with the amounts of falsified whois registrations they shell out for criminal intent.

uknsspace.cc

Continuing down the list of name servers from my first blog post, let's analyze uknsspace.cc. This is another Russian Business Network (RBN) domain being used for a nameserver to promote both fraud and malware according to Emerging Threats' RBN IP list. A quick google search on uknsspace.cc shows this domain's use in spreading malware and acts of fraud as a name server, so let's dive right in -

Domain Name: UKNSSPACE.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.UKNSSPACE.CC
Name Server: NS2.UKNSSPACE.CC
Name Server: NS3.UKNSSPACE.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 08-dec-2010
Creation Date: 08-dec-2010
Expiration Date: 08-dec-2011
Domain name: uknsspace.cc

Registrant Contact:
   Ninel Popakina
   Ninel Popakina gravy@ca4.ru
   +73842523612 fax: +73842523612
   ul.Suvorova d.2 kv.59
   Tashtagol Kemerovskaya oblast 652990 RU

Source: centralops.net   
Ninel, another Russian with faked whois registrant information serving up nothing but the RBN's finest forms of fraud and malware. Proving the whois registrant details falsified on this one actually wasn't that hard. Take "Ninel's" phone number and google it (with "-Ninel"), and you get this -

WHOIS для kuzbass.net:
Registrant:

Join-stock company Electrosvyaz
   Oktyabrsky 10
   Kemerovo 650066
   RU

   Domain Name: KUZBASS.NET

   Administrative Contact:
      Alexander, Berdnikov           
      Joint-stock company Electrosvyaz
      Oktyabrsky 10
      Kemerovo 650066
      RU
      +73842523612 fax: +73842524310
Source: http://www.rutag.net/site/kuzbass.net (click whois tab)
Look at that! A company that uses the same phone number! Centralops.net shows that kuzbass.net was registered in April of 1997 and has a registration period set until April of 2014. This makes kuzbass.net sound like a legitimate site, and it is (it's a Telecom company). That said, this proves hands down that the whois registrant information for uknsspace.cc has been intentionally falsified. It uses the same phone number as kuzbass, but the registrant information such as address and registrant name are totally different! Let's show why the whois on uknsspace.cc has been intentionally falsified for criminal purposes with a quick search -


Fraud: 
http://scamfraudalert.wordpress.com/2010/12/19/whois-ns1-nnsque-cc/
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
Link here (too long)
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://www.delphifaq.com/faq/scams/f1057.shtml?p=68
http://www.fraudwatchers.org/forums/showthread.php?p=127376


Malware: 
Link here (too long)
Link here (too long)


There were quite a few other hits for criminal activity on the domain/name server uknsspace.cc, however this is (case in point) an RBN name server with intentionally falsified whois information for the sole purposes of cyber criminal activity. BizCN, this is another one that needs to go down. In fact, I would just kill any sites you registered from the very same registrant of uknsspace.cc. They're just going to provide headaches in the long run.

Saturday, April 9, 2011

ukdns.cc

Moving on to some information from my first blog post, time to take a look at the domain ukdns.cc. This domain is being used as a name server by the Russian Business Network (RBN) according to Emerging Threats' RBN IP List and the research I did in my first blog post. A quick google search on ukdns.cc shows a lot of hits for cyber criminal activity ranging from malware to fraud. No shock there, this is the multifaceted cyber-criminal friendly RBN... so let's dive right into ukdns.cc -

Domain Name: UKDNS.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.UKDNS.CC
Name Server: NS2.UKDNS.CC
Name Server: NS3.UKDNS.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 08-dec-2010
Creation Date: 08-dec-2010
Expiration Date: 08-dec-2011
Registrant Contact:
   Maksim Artemiev
   Maksim Artemiev ()
   
   Fax: 
   ul.Belorechenskaya d.13 k.1 kv.124
   Moscow, Moscow 109559
   RU

Administrative Contact:
   Maksim Artemiev
   Maksim Artemiev (append@free-id.ru)
   +7.4959385996
   Fax: +7.4959385996
   ul.Belorechenskaya d.13 k.1 kv.124
   Moscow, Moscow 109559
   RU
Source: centralops.net
A google search on Maksim's street address shows some hits for other domains he's registered, among those quite a few fake pharmacies. This would show Maksim is no stranger to cyber-crime, meaning that the whois registrant information for the domain/nameserver ukdns.cc is definitely falsified. However let's prove it. Let's google his phone number (+7.4959385996 with "-Maksim"). Upon doing so, we come up with the following information -
Registrant:
Alexey Komarov domendiplomy@googlemail.com +7.4959385996
Alexey Komarov
Teply Stan str. d.21 kv.251
Moscow,Moscow,RU 117133
Domain Name:diplomy.com
Record last updated at 2009-07-13 05:59:00
Record created on 2004/9/22
Record expired on 2010/9/22
Source: http://www.webtrafficagents.com/Whois/diplomy.com
This site has been registered nearly 6 years! That would suggest diplomy.com is legitimate... and it would be hard to tell as diplomy.com is written in Russian. Thank God for google translate though (insert cynical laugh here, English version of diplomy.com here). What do we find on diplomy.com? It's a site for counterfeiting fake documents! Looks like Alex's site isn't that legitimate and he uses the same phone number that "Maksim" used to register ukdns.cc. They both have different names and addresses though, showing that this is hands down, legitimately and intentionally falsified whois registrant information on ukdns.cc. We also find "Alex" registering a fake pharmacy here (also another fresh one here) and another site for dispersing malware here. It looks like Alex and Maksim ARE in the same business after all!

So, this definitely proves beyond a shadow of a doubt the whois registrant information for ukdns.cc has been intentionally falsified for criminal purposes. Now let's show how this domain/name server is being used by the RBN to host their wonderful sites with a quick google search -

Fraud:
link here (too long)
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html

Malware:
link here (too long)
link here (too long)
http://amada.abuse.ch/?search=lilac-antique.cc
http://amada.abuse.ch/?search=west-view-art.cc

There were plenty of other hits for fraud and malware being dished up by the RBN via their usage of the domain ukdns.cc as a name server. However, case in point is we have sufficiently proven the whois information on ukdns.cc has been intentionally falsified for criminal purposes. Enom, I would suggest you look at the registrant information I gave in this blog post thoroughly. Go through your registry, find any sites you registered for the "Alexey Komarov" OR "Maksim Artemiev" talked about here, and just place those domains on client hold. This has to be the fourth time you've come up in my blog spot, as I tied in this same cyber crime gang/fraud ring to other domains you've helped register: AUSTDEC.CC, OLIVAU.CC, & pageredns.cc

Time to clean up house Enom.

Friday, April 8, 2011

ringtons.cc

Continuing down the name server analysis as a recap to my first blog post, time to look at ringtons.cc. This is another domain being used as a name server by the Russian Business Network (RBN) according to Emerging Threats' RBN IP monitoring list. A quick google search on ringtons.cc shows plenty of cyber criminal activity, so let's dive right into this domain's whois information -
Domain Name: RINGTONS.CC
Registrar: KEY-SYSTEMS GMBH
Whois Server: whois.rrpproxy.net
Referral URL: http://www.key-systems.net
Name Server: NS1.RINGTONS.CC
Name Server: NS2.RINGTONS.CC
Name Server: NS3.RINGTONS.CC
Status: ACTIVE
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
DOMAIN: RINGTONS.CC
owner-contact: P-MVE719
owner-fname: Mariya
owner-lname: Egorova
owner-street: ul.Petrischeva d.14 kv.560
owner-city: Dzerzhinsk
owner-state: Nizhegorodskaya oblast
owner-zip: 606037
owner-country: RU
owner-phone: 7.8312951414
owner-fax: 7.8312951414
owner-email: aaron@cheapbox.ru
source: centralops.net
Now, from my initial research I noticed Mariya/Maria kept her whois information pretty consistent. But then there's the phone/fax number +7.8312951414. A quick search to analyze the phone number on International Numbering Plans (link here if you want to analyze it yourself) gives us the following information about the phone number -

Information on phone number range +7 831 2XXXXXX
Number billable as geographic number
Country or destination Russia
City or exchange location Nizhniy Novgorod
Original network provider*

Nizhniy Novgorod is where this number should dial to as far as a city, yet where does Mariya claim residence? Dzerzhinsk, that is the first sign of falsified whois with criminal intent. Secondly, we have a legitimate hotel (Hotel Volna) that uses the VERY same phone number (7.8312951414 OR +7 831 295 14 14) as a fax line -
Front office department
booking
Tel. +7 831 295 19 00
Fax +7 831 295 14 14
reception@volnahotel.ru
Address:
98, Pr. Lenina,
Nizhny Novgorod 603004 Russia

Website: http://www.volnahotel.ru/en/about/contacts
Hands down, this shows falsified whois registrant details for criminal intent. In fact, there are two whole pages here of google hits showing the Volna Hotel owns this number. Notice on that last google search how I told google to not show any results that had the term Maria in it (e.g. -Maria)? What happens when I google without the -Maria? We come across a google search front page filled with domains used in fraud and malware dispersal. Surprised? I'm not, we know the whois registrant details have been intentionally falsified for criminal intentions.

So with the whois registrant details proven falsified for ringtons.cc, let's show why they falsified them with a quick google search... also showing how the domain ringtons.cc is being used -

Fraud:
http://db.aa419.org/fakebanksview.php?key=56024
link here (too long)
link here (too long)
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://forum.419eater.com/forum/viewtopic.php?t=198424&view=next
http://www.fraudwatchers.org/forums/archive/index.php/t-39271-p-3.html

Malware:
http://amada.abuse.ch/?search=lilac-groupllc.cc
link here (too long)
http://support.clean-mx.de/clean-mx/viruses.php?domain=fintec-ltd.cc&sort=first%20desc

Again, there were pages of examples showing how the domain ringtons.cc is being used as a name server to promote fraud and malware attacks. Why put them all here though, we've proven beyond a shadow of a doubt that the true owner of ringtons.cc (the RBN) is using the domain to spread their cyber crime. We've also shown that their whois registrant details have been intentionally falsified for these illegal purposes. KEY-SYSTEMS GMBH helped register it, they should clean it up by placing the domain on ClientHold.

In fact, Key-Systems you should probably check your registry to see if the same person, via any of the details they gave you when registering ringtons.cc, have registered other sites with your registrar services. If they have, save yourself the time and headache and just place all of their domains on client hold.

pageredns.cc

Continuing down the list of name servers I mentioned towards the bottom of my first blog post, time to take a look at pageredns.cc. This is another domain acting as a name server for the Russian Business Network according to Emerging Threat's RBN IP/NS monitoring list. Seeing as how the RBN "is a multi-faceted cybercrime organization specializing in and in some cases monopolizing personal identity theft for resale," it would make sense that the whois registrant details have been falsified both intentionally and for criminal purpose (a quick google on pageredns.cc shows plenty of criminal purpose). Diving right in -
Domain Name: PAGEREDNS.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.PAGEREDNS.CC
Name Server: NS2.PAGEREDNS.CC
Name Server: NS3.PAGEREDNS.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact:
   Ilya Anisimov
   Ilya Anisimov ()
   
   Fax: 
   ul.Pronina d.26 kv.20
   Kandalaksha, Murmanskaya obl 184040
   RU

Administrative Contact:
   Ilya Anisimov
   Ilya Anisimov (freer@free-id.ru)
   +7.8152628111
   Fax: +7.8152628111
   ul.Pronina d.26 kv.20
   Kandalaksha, Murmanskaya obl 184040
   RU
Source: centralops.net
A quick search on Anisimov's street address shows plenty of cyber crime ranging from fake pharmacy/fraud domains to sites used to spread malware. Evidently, Anisimov is no stranger to cyber crime. So what does a quick google search on Ilya's phone number show (+7.8152628111 OR +78152628111)? Nothing much, we see the whois registrant details staying very consistent. Even searching Ilya's email address (freer@free-id.ru) doesn't return anything. It looks like we're going to have to analyze the whois registrant details the hard way, address analysis.

Let's hop over to google maps and see what we can find. Our first hint comes from google maps here. The street name Pronina (Russian: Пронина, more accurately transliterated into English as Pronin) does exist. So the street address in Russian would be as follows -
26, ул. Пронина, пом. 20
Кандалакша, Мурманская обл., 
Russia, 184040
Here's the problem, Google maps can't find that address even if I remove the apartment number (пом. 20). This suggests the address is non-existent. Taking this even further to show that 26 ulitsa (Russian for street) Pronina doesn't exist, I googled it. Nothing, nada, not a single hit found. Taking this one step further, let's see if we can find a street map or address finder for the city of Kandalaksha. What is funny is mapquest seems to work for Russia, and it can't find this address. It would be nice to have a GIS (geographical information system) on Russia's streets publicly available, but for now google maps will have to do here. Needless to say, this address has trouble claiming existence anywhere else other than the whois registrant details on sites set up to serve malware and commit acts of fraud.

Not entirely shocking as this is the RBN and that is their bread and butter. They will falsify whois details and be involved in domains/name servers that are involved in cyber crime. The fact that pageredns.cc is acting as a name server for the RBN and that its whois registrant details are (at best) intentionally shady is just part of the game. So let's see how the RBN is using pageredns.cc as a domain/name server with a quick google search -

Fraud:
http://db.aa419.org/fakebanksview.php?key=56024
Link here (too long)
http://forum.419eater.com/forum/viewtopic.php?p=1665521
http://www.delphifaq.com/faq/scams/f1057.shtml?p=70
http://www.fraudwatchers.org/forums/showthread.php?p=127376

Malware:
http://amada.abuse.ch/?search=lilac-groupllc.cc
http://support.clean-mx.de/clean-mx/viruses.php?domain=throne-groupllc.cc&sort=first%20desc
http://forum.autosec4u.info/showthread.php?tid=3708 (German: possible ZeuS trojan activity)

There were plenty of other abuse links found, but case in point pageredns.cc is using intentionally falsified whois registrant information for criminal purposes. Granted, it's not easy to spot... but given the level of criminal activity on the domain/name server pageredns.cc, it merits investigation. Given the fact that it ties in with further abuse here and here (tied in with AUSTDEC.CC & OLIVAU.CC), we can safely assume that not only has Enom received falsified whois registrant information but that pageredns.cc is tied in to the same money mule recruitment gang I mentioned in my first blog post.

Enom, do yourself a favor and get rid of any domain using the same whois information used to register pageredns.cc. It will save you a lot of time and headaches.

OLIVAU.CC

Continuing on from my first blog post, time to look at the Russian Business Network's (RBN) domain/name server OLIVAU.CC. Unfortunately, OLIVAU.CC is not listed in Emerging Threats' RBN IP monitoring list. However, due to the fact that it is being used by the same money mule recruitment gang I noted in my first post, and a quick google search on this domain returns a full page of nothing but fraud and malware hits... it's safe to assume we are talking about the same cyber crime friendly host. Diving right in, let's check out the whois registrant information -

Domain Name: OLIVAU.CC
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.OLIVAU.CC
Name Server: NS2.OLIVAU.CC
Name Server: NS3.OLIVAU.CC
Status: CLIENT-XFER-PROHIBITED
Updated Date: 20-feb-2011
Creation Date: 17-dec-2010
Expiration Date: 17-dec-2011

Registrant Contact:
   Larisa Kornyakova
   Larisa Kornyakova ()
   
   Fax: 
   pr-kt Kosmonavtov d.1B kv.80
   Korolev, Moskovskaya oblast 141075
   RU

Administrative Contact:
   Larisa Kornyakova
   Larisa Kornyakova (bop@cheapbox.ru)
   +7.4957284001
   Fax: +7.4957284001
   pr-kt Kosmonavtov d.1B kv.80
   Korolev, Moskovskaya oblast 141075
   RU
Source: centralops.net
Larisa Kornyakova, a quick google search on his/her registrant street address returns nothing but fake pharmacy/software sites and malware hits. How much would you bet the registrant address is falsified? Proving so, let's google Larisa's phone number (+7.4957284001 OR +74957284001). Sifting through the results, this was easy enough -
Domain name: pillsmedspharmacypractitioners.com
Registrant Contact: Vladimir Dudnik
Vladimir Dudnik belch@ca4.ru
+74957284001 fax: +74957284001
ul.Lenina d.99a kv.45
Kolomna Moskovskaya obl 140411 RU
Created: 2010-12-14 Expires: 2011-12-14
Source: http://pillsmedspharmacypractitioners.com.w3spy.net/
We have a fake pharmacy site, created in December of 2010 (just like OLIVAU.CC), using the same registrant phone number as OLIVAU.CC. Notice we have a totally different registrant name and address though than OLIVAU.CC! This is hands down, intentionally falsified whois registrant information for criminal purposes (why else would the RBN do this if not for criminal reasons). Vladimir is also found here registering another site (coo0lnet.net) in September of 2010 (e.g. 2 months before OLIVAU.CC was registered) with the same registrant details he used on pillsmedspharmacypractitioners.com . Funny thing about coo0lnet.net, it's listed by McAfee site advisor as a website used to disperse malware. In fact, you can see more of Vladimir using the same phone number OLIVAU.CC used in registrant details here, here, here, here, and here for other domains used in fraud or to spread malware.

Still think this doesn't prove falsified whois registrant information on OLIVAU.CC? Well we aim to please, serve, and prove here. Moving on to sample #2 -
Domain Name: JAPANHOMESTORE.COM
Registrant:
    Alexander Zolotov
    Alexander Zolotov   (ft@bigmailbox.ru)
    ul. Akademika Anohina d.13 kv.244
    Moskva
    Moskva,119571
    RU
    Tel. +7.4957284001
    Fax. +7.4957284001

Creation Date: 10-Feb-2010  
Expiration Date: 10-Feb-2011 

Source: http://www.who.is/whois/japanhomestore.com/
Look at that! It's the same phone number used to register OLIVAU.CC (by Larisa Kornyakova) and all of Vladimir Dudnik's domains... and they're all registered during the year of 2010! That time line has trouble supporting the fact that the registrant information is legitimate, as we now have 3 different names for one phone number and 3 different addresses! So what was the domain JAPANHOMESTORE.COM? It's just a website used to spam and scam. Looks like Alexander Zolotov isn't anyone you would want to do business with. In fact, you can see some of Alex's other sites' whois details here (fake pharmacy), here (fake pharmacy), here (scam), and here (another fake pharmacy).


With all of the above stated, it has been shown the whois registrant details on OLIVAU.CC have been falsified intentionally and with criminal intent. So let's show how the domain OLIVAU.CC is being used as a name server for more cyber crime with a quick google search -


Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://scamfraudalert.wordpress.com/2011/01/14/high-tech-world-ltd/
http://scamfraudalert.wordpress.com/2011/01/12/avon-products-plc-journey-financial-cc/
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://www.delphifaq.com/faq/scams/f1057.shtml?p=68


Malware: 
Web Cache link (from clean-mx.de)
http://amada.abuse.ch/?search=duncroft-group-inc.cc
http://amada.abuse.ch/?search=gogo-group-inc.cc
Web Cache link (from clean-mx.de)


There were plenty of other hits on google for the cyber crime OLIVAU.CC is helping to promote as a domain/name server for the Russian Business Network. No need to list them all, but for the last little bit I will talk about this. Enom, being the registrar of this site, did a major "fail" here when it comes to checking whois registrant information. It always amazes me how activity on a domain like OLIVAU.CC can go on for so long without anyone in the registrar industry even hearing about it.


Enom, that's strike two for you on my blog spot. The first strike was AUSTDEC.CC, you can read more about it here. In fact you may want to read my first blog post and take note of the name server section I mentioned at the very bottom of that post. I'll be going through each domain I mentioned as acting as a name server in that post. Save your abuse staff the time and see if any more of those domains I listed are a part of your registry. You may even think about deleting the same Larisa Kornyakova/Vladimir Dudnik/Alexander Zolotov I mentioned in this post from your registry entirely. It would save you one big headache.

Thursday, April 7, 2011

LIBUNITAU.CC

Time again to dive back into the list of name servers I gave in my first blog post. Today, we look at the domain LIBUNITAU.CC, another Russian Business Network (RBN) domain being used as a name server according to Emerging Threats' RBN IP/NS monitoring list. Diving right in, let's show how the RBN were lying through their teeth with criminal intent when they registered LIBUNITAU.CC to act as a name server to dish out their malware and other forms of fraud -

Queried whois.nic.cc with "dom libunitau.cc"...
Domain Name: LIBUNITAU.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.LIBUNITAU.CC
Name Server: NS2.LIBUNITAU.CC
Name Server: NS3.LIBUNITAU.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact:
Petr Anisimov
Petr Anisimov ached@yourisp.ru
+78123342003 fax: +78123342003
ul.P.Germana d.18 kv.19
Sankt-Peterburg Sankt-Peterburg 198205
RU
Source: centralops.net
Petr Anisimov, I'm getting tired of all these Russian names, let's just call him Pete for short. Taking a quick google on Pete's street address definitely shows Pete dabbling in fraud and malware. It would make sense that the whois registrant details would be intentionally falsified with criminal intent here, as "Pete" works for the multifaceted cyber crime host the RBN. So what does a google search on Pete's phone number (Google: +78123342003 OR +7.8123342003) show? Our first clue towards falsified information leads to a domain serving up malware -
Domain: kbgg.in 
Domain ID:D3358497-AFIN
Domain Name:KBGG.IN
Created On:23-Mar-2009 13:57:27 UTC
Last Updated On:23-May-2009 03:26:15 UTC
Expiration Date:23-Mar-2010 13:57:27 UTC
Sponsoring Registrar:Netlynx Technologies Pvt. Ltd. (R62-AFIN)
Status:OK
Registrant ID:DI_9562832
Registrant Name:Evgeniy Veter
Registrant Organization:Evgeniy Veter
Registrant Street1:Savushkina str. d.107 kv.94
Registrant Street2:
Registrant Street3:
Registrant City:Sankt-Peterburg
Registrant State/Province:Sankt-Peterburg
Registrant Postal Code:197374
Registrant Country:RU
Registrant Phone:+7.8123342003
Registrant Phone Ext.:
Registrant FAX:+7.8123342003
Registrant FAX Ext.:
Registrant Email:inhale@bronzemail.net
Source: http://www.malwareurl.com/listing.php?domain=kbgg.in
Notice two things here. First off, that's an entirely different name (Evgeniy Veter) and address, however it is the same phone number as Pete's... suggesting a falsified registrant name for criminal intent. Secondly, the domain itself confirms criminal intent. We find another domain with the same registrant details for "Veter" here, yet again serving up malware. Continuing along this trend, we find another domain yet again suggesting a falsified registrant name for LIBUNITAU.CC -

Registrant:
Pyotr Anisimov raced@corporatemail.ru +7.8123342003
Pyotr Anisimov
ul. P.Germana d.18 kv.19
Sankt-Peterburg,Sankt-Peterburg,RUSSIAN FEDERATION 198205

Domain Name:tarhujelafert.com
Record last updated at 2009-08-17 09:16:18
Record created on 2009/8/10
Record expired on 2010/8/10
Source: Link here (too long)
Notice the difference in names here? Pyotr Anisimov registered a domain named tarhujelafert.com to dish up malware, and he uses the very same registrant details as Petr Anisimov (who registered LIBUNITAU.CC to act as a name server for cyber criminal activity for the RBN). Granted, Pyotr and Petr are pretty close in name, and in Russian are the same as Peter. However look at the time line here, on 8/2009 Peter/Pete registered a domain (tarhujelafert.com) to serve up malware. On 5/2009 and 8/2009 Evgeniy Veter, using the same phone number as Peter but a different registrant address, registered two domains (kbgg.in & cc-payment-sys24.com) to serve up malware.

This is classic and intentionally falsified whois registrant details for criminal intentions. The time line fits, and the key parts of registrant details (name, address, phone number, and email) have problems staying consistent in all of their aspects. That said, let's move on to showing how the RBN is using LIBUNITAU.CC as a name server with a quick google search -
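The two checks these posts perform by hand (the phone-number pivot used on zonensuk.cc, uknsspace.cc, ukdns.cc, OLIVAU.CC and LIBUNITAU.CC, and the area-code-versus-claimed-city check used on ringtons.cc) are easy to automate once whois records are in a parseable form. The script below is an added example and not the blog's own tooling: it assumes whois output in the `Registrant Name:` / `Registrant Street1:` / `Registrant City:` / `Registrant Phone:` key/value layout shown in the kbgg.in record above, and every record in it is a constructed placeholder, not a real registrant. The area-code table is also an assumption: 831 = Nizhniy Novgorod is taken from the International Numbering Plans lookup quoted in the ringtons.cc post; 812 (Sankt-Peterburg) and 495 (Moscow) are the standard Russian codes for those cities.

```python
"""Whois registrant consistency checks (added example, constructed data).

Check 1, phone pivot: one phone/fax number registered under more than one
distinct (name, street) identity across domains.
Check 2, area code: the city implied by the number's area code differs from
the city the registrant claims.
"""
import re
from collections import defaultdict

# CONSTRUCTED sample records in the key/value whois layout; placeholders only.
SAMPLE_WHOIS = """\
Domain Name:EXAMPLE-NS-ONE.CC
Registrant Name:Placeholder Person A
Registrant Street1:ul.Placeholder d.1 kv.1
Registrant City:Sankt-Peterburg
Registrant Phone:+7.8120000001

Domain Name:EXAMPLE-PHARM.COM
Registrant Name:Placeholder Person B
Registrant Street1:ul.Other d.2 kv.2
Registrant City:Sankt-Peterburg
Registrant Phone:+78120000001

Domain Name:EXAMPLE-NS-TWO.CC
Registrant Name:Placeholder Person C
Registrant Street1:ul.Third d.3 kv.3
Registrant City:Dzerzhinsk
Registrant Phone:7.8310000002

Domain Name:EXAMPLE-SHOP.NET
Registrant Name:Placeholder Person C
Registrant Street1:ul.Third d.3 kv.3
Registrant City:Dzerzhinsk
Registrant Phone:+7 831 000 00 02

Domain Name:EXAMPLE-CLEAN.ORG
Registrant Name:Placeholder Person D
Registrant Street1:ul.Fourth d.4 kv.4
Registrant City:Moscow
Registrant Phone:+7.4950000003
"""

# Area-code prefixes (digits after country code 7) -> city served. Assumed
# table: 831 from the page's numbering-plan lookup, 812 and 495 standard codes.
AREA_CODES = {"831": "Nizhniy Novgorod", "812": "Sankt-Peterburg", "495": "Moscow"}

FIELD_RE = re.compile(
    r"^(Domain Name|Registrant Name|Registrant Street1|Registrant City|"
    r"Registrant Phone):\s*(.*)$", re.M)


def parse_whois(text):
    """Split blank-line separated whois blocks into dicts of the fields we use."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {key: value.strip() for key, value in FIELD_RE.findall(block)}
        if "Domain Name" in rec:
            records.append(rec)
    return records


def normalize_phone(raw):
    """Collapse '+7.XXXXXXXXXX', '+7XXXXXXXXXX', '7.XXXXXXXXXX' and
    '+7 XXX XXX XX XX' to one digit string so they compare equal."""
    return re.sub(r"\D", "", raw)


def phone_pivot(records):
    """Return {phone: {identities, domains}} for numbers that carry more than
    one distinct (name, street) identity: the page's 'same number, different
    registrant' signal."""
    identities, domains = defaultdict(set), defaultdict(set)
    for rec in records:
        phone = normalize_phone(rec.get("Registrant Phone", ""))
        if not phone:
            continue
        identities[phone].add((rec.get("Registrant Name", ""),
                               rec.get("Registrant Street1", "")))
        domains[phone].add(rec["Domain Name"])
    return {phone: {"identities": sorted(ids), "domains": sorted(domains[phone])}
            for phone, ids in identities.items() if len(ids) > 1}


def area_code_city(phone, table=AREA_CODES):
    """Longest-prefix match of the national number (after the leading 7)."""
    if not phone.startswith("7"):
        return None
    national = phone[1:]
    for length in (5, 4, 3):
        if national[:length] in table:
            return table[national[:length]]
    return None


def area_code_mismatches(records, table=AREA_CODES):
    """(domain, claimed city, city implied by area code) for every mismatch."""
    out = []
    for rec in records:
        implied = area_code_city(normalize_phone(rec.get("Registrant Phone", "")), table)
        claimed = rec.get("Registrant City", "")
        if implied and claimed and implied.lower() != claimed.lower():
            out.append((rec["Domain Name"], claimed, implied))
    return out


if __name__ == "__main__":
    recs = parse_whois(SAMPLE_WHOIS)
    for phone, info in phone_pivot(recs).items():
        print(f"{phone}: {len(info['identities'])} identities across {info['domains']}")
    for domain, claimed, implied in area_code_mismatches(recs):
        print(f"{domain}: claims {claimed}, area code says {implied}")
```

On the constructed sample, the pivot flags the 812 number shared by Person A and Person B (different names and streets), while Person C's two domains are not flagged by the pivot because the identity is consistent; they are flagged instead by the area-code check, since 831 serves Nizhniy Novgorod but the record claims Dzerzhinsk, which is the pattern the ringtons.cc post describes. Real whois output comes in several layouts, so the parser would need one regex per layout before the checks run on bulk data.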

Malware: 
Link here (too long)
http://amada.abuse.ch/?search=royalthelmas-teamant.asia (two name servers registered by BizCN!)
http://amada.abuse.ch/?search=bredgarcorp-ant.be (two name servers registered by BizCN!)

Fraud: 
link here (too long)
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://db.aa419.org/fakebanksview.php?key=56098
http://www.delphifaq.com/faq/scams/f1057.shtml?p=72
http://forum.autosec4u.info/showthread.php?tid=3690&pid=16199 (German)

This is now strike 3 for the registrar BizCN, as they registered the domain LIBUNITAU.CC. Libunitau.cc is being used by the RBN for a name server used in cyber criminal activity, as is AUSTDEC.CC and FOLOWDNS.CC. BizCN, I would suggest you look at my first blog post. In it, towards the very end, you'll find a list of domains being used as name servers by the Russian Business Network for the sole purposes of dishing out malware and fraud. Save yourself the time BizCN, look at the name server section in my first blog post, find the ones that you registered, and place them on client hold... as I'll be going through each and every one of them.

Wednesday, April 6, 2011

FOLOWDNS.CC

Time for another analysis of some of the Russian Business Network's (RBN) nameservers I talked about in my first blog post. Today we will be looking at the domain FOLOWDNS.CC, a confirmed RBN name server according to Emerging Threats' RBN IP List Update on 2-6-2011. A quick google search on FOLOWDNS.CC does show multiple hits for malware dispersal and fraud, but then again why should we be shocked. The RBN promotes this stuff, it's their job (of sorts) to do this. Diving right in, let's take a look at the whois registrant details for FOLOWDNS.CC -
Domain Name: FOLOWDNS.CC
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.FOLOWDNS.CC
Name Server: NS2.FOLOWDNS.CC
Name Server: NS3.FOLOWDNS.CC
Status: CLIENT-XFER-PROHIBITED
Status: CLIENT-DELETE-PROHIBITED
Updated Date: 11-jan-2011
Creation Date: 11-jan-2011
Expiration Date: 11-jan-2012
Registrant Contact:
Nikolaj Stolbikov
Nikolaj Stolbikov dyed@bz3.ru
+78123274547 fax: +78123274547
ul. Marshala Kazakova d.1 k.2 kv.360
Sankt-Peterburg Sankt-Peterburg 198302
RU
Source: centralops.net
Nikolaj Stolbikov huh? Great! Another Russian name, let's just call him Nick. Googling Nick's street address shows plenty of hits for fraud, malware, fake pharmacy websites, and some phishing. Shocking! Of those results, we find some interesting things where Nick seems to have changed his name to Sergey for a fake pharmacy website -
DOMAIN: PHARMACYPILLSSITE.NET
RSP: DNReg Limited
owner-contact: P-SKK1691
owner-fname: Sergey
owner-lname: Kulakov
owner-street: ul.Marshala Kazakova d.1 k.2 kv.308
owner-city: Sankt-Peterburg
owner-state: Sankt-Peterburg
owner-zip: 198302
owner-country: RU
owner-phone: 7.8121023240
owner-fax: 7.8121023240
owner-email: gouge@maillife.ru
Source: http://whois.domaintools.com/pharmacypillssite.net
This suggests willfully falsified whois registrant information when it comes to the name of the true owner of FOLOWDNS.CC. Then again the whole thing is falsified, as this is the RBN, a group of cyber criminals whose bread and butter relies on staying off the radar when it comes to personal information. Also of consequence, google maps can't seem to find the address at all. That would suggest a falsified address. Still, translating the address into Russian we do find a street with a similar name on google maps here, proving that at least the "k.2 kv.308" part was not needed. We also find that this is a shopping center, not someone's personal place of residence. In this place, we do find the following business -
Mail of Russia, [UFPS] of Saint Petersburg I of Leningrad region,
Kirov inter-district post office, the department of the postal communication of № 198302

Address (Russian):
1, ул. Маршала Казакова, к. 1, г. Санкт-Петербург, Saint Petersburg, Russia
198302

Address (English):
1, ul of marshal Zazakov, k. 1,
Saint Petersburg, Russia 198302

FOLOWDNS.CC Registrant Address:
ul. Marshala Kazakova d.1 k.2 kv.360
Sankt-Peterburg Sankt-Peterburg 198302
So we can say this for sure: the registrant address for FOLOWDNS.CC is incorrect in format and locale, proving that the address is non-existent. Why should we believe it to be true anyway? This is a site registered to act as a name server for criminals. Their intention is to falsify whois registrant information while they commit their crimes. Hence the shoddy registrant names and addresses.

Now if you've read my previous posts, you'll notice I google the registrant's phone number. We've sufficiently proven that the whois registrant information for FOLOWDNS.CC has been falsified in registrant name and address, but let's put some more stones through this glass house. The first one that comes up after googling +78123274547 -
Domain name: capsuletabletsdrugstore.com
Registrant Contact: Olga Veresova
Olga Veresova khaki@bigmailbox.ru
+78123274547 fax: +78123274547
ul.Komsomola d.13 kv.26
Sankt-Peterburg Sankt-Peterburg 195009 RU
Source: http://capsuletabletsdrugstore.com.w3spy.net/
Look at that, a totally new address and name used to register a fake pharmacy, yet the phone number used (+78123274547) is the same as the one used to register FOLOWDNS.CC. In fact you find more glaring examples of this falsified whois registrant details for criminal intent here, here (another new name and address for a fake pharmacy), and here.

I could go on proving the whois registrant details for FOLOWDNS.CC have been falsified with criminal intent, but let's show how the RBN is using FOLOWDNS.CC as a name server. A google search on it shows some rather heavy usage in the cyber criminal arena -

Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://scamfraudalert.wordpress.com/category/employment-alerts/scam-job-alert/page/3/
http://www.fraudwatchers.org/forums/showthread.php?p=126019
http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html
http://db.aa419.org/fakebanksview.php?key=56024

Malware:
http://forum.autosec4u.info/showthread.php?tid=3708&pid=16494#pid16494 (German)
http://amada.abuse.ch/?search=fintec-ltd.cc
http://amada.abuse.ch/?search=lilac-groupllc.cc
http://support.clean-mx.de/clean-mx/viruses.php?domain=throne-groupllc.cc&sort=first%20desc

BIZCN.COM, this is strike number two for you, as I already showed you registering another RBN domain being used for a name server here (whois info was falsified on that one as well). How FOLOWDNS.CC got past any of BizCN's checks for falsified whois registrant details, given all of the cyber criminal activity this domain takes part in by acting as a name server for the RBN, is beyond me. Trust me when I say this BizCN, you don't even want your name associated with this lot.

Tuesday, April 5, 2011

ukansnami.com

Time to move on to the name server ukansnami.com that I talked about in blog post #1. Again, according to Emerging Threats' RBN IP list, we are dealing with the infamous Russian Business Network (RBN). Now, a quick google on ukansnami.com does show some illegal activity, so let's get down to business and see if this domain/name server is set up as a legit business entity by a real person or by some cyber criminal organization hoping to peddle malware and fraud -
Domain Name: UKANSNAMI.COM
Registrar: PAKNIC (PRIVATE) LIMITED
Whois Server: whois.paknic.com
Referral URL: http://www.paknic.com
Name Server: NS1.UKANSNAMI.COM
Name Server: NS2.UKANSNAMI.COM
Name Server: NS3.UKANSNAMI.COM
Status: ok
Updated Date: 27-jan-2011
Creation Date: 27-jan-2011
Expiration Date: 27-jan-2012
Registrant [PAK11012722053-1]:
NA
Sergej Chashin        glide@yourisp.ru
ul.Gogolya d.15 kv.1
Tyukalinsk, Omskaya oblast 646330
RU
Phone: 7.381228450 Ext: 
Fax: 1.
Source: centralops.net
From the last few blog posts, we've seen some results searching registrant phone numbers, however googling Chashin's phone number gives us nothing. Let's google his street address next to see if we can come up with something creative. Our first hit comes from a malware record from malwareurl.com -
Domain name:             SOFTWARESTORE4YOU.COM
Name Server:             ns1.softwarestore4you.com  
                         61.191.191.61
Name Server:             ns2.softwarestore4you.com 
                         121.61.118.101
Creation Date:           2010.04.30
Updated Date:            2010.05.01
Expiration Date:         2011.04.30
Status:                  DELEGATED
Registrant ID:           HIALRYE-RU
Registrant Name:         Sergey A Chashchin
Registrant Organization: Sergey A Chashchin
Registrant Street1:      ul.Gogolya d.15 kv.1
Registrant City:         Tyukalinsk
Registrant State:        Omskaya obl.
Registrant Postal Code:  646330
Registrant Country:      RU
Administrative, Technical Contact
Contact ID:              HIALRYE-RU
Contact Name:            Sergey A Chashchin
Contact Organization:    Sergey A Chashchin
Contact Street1:         ul.Gogolya d.15 kv.1
Contact City:            Tyukalinsk
Contact State:           Omskaya obl.
Contact Postal Code:     646330
Contact Country:         RU
Contact Phone:           +7 3812 284504
Contact E-mail:          semen@freenetbox.ru
Source: here

Notice three things here. One, the address is the same. Two, the name has some slight changes, suggesting a falsified name. Third, the phone number (+7 3812 284504) is entirely different. So are Sergej Chashin and Sergey A Chashchin one and the same? Yes! Check out this link to the aa419 database. Looks like Sergej and Sergey use the same secondary phone number (+7.3812284504 or +7 3812 284504). Case in point, we can prove the name is falsified at this point on the whois record, but let's see what kind of hits Sergej/Sergey has on his secondary phone number (link to search results here). Our first glaring example of blatant whois obfuscation lies here -
domain:     YOUHELPNOW.RU
nserver:    ns1.hostdnssite.com.
nserver:    ns2.hostdnssite.com.
nserver:    ns3.hostdnssite.com.
nserver:    ns4.hostdnssite.com.
state:      REGISTERED, NOT DELEGATED, VERIFIED
person:     Private Person
phone:      +7 3812 284504
e-mail:     liver@freenetbox.ru
registrar:  NAUNET-REG-RIPN
created:    2010.03.22
paid-till:  2011.03.22
free-date:  2011.04.25
source:     TCI
Source: http://whois.domaintools.com/youhelpnow.ru
Private person? I'm sorry, this is not the typical privacy protection; this is someone refusing to give their name in whois registrant details. Privacy protection hides your phone number and your email address. The same was done here and here with phishing sites using Sergej/Sergey's secondary number. I wonder how this got past any registrar, but then again nothing should be shocking by now when it comes to cyber criminal activity.

So I think it's safe to assume the whois registrant information for ukansnami.com is just as falsified as the rest of Sergej/Sergey's work. This includes his street address, as google maps seems to have trouble even finding the street "Gogolya" on which the whois claims the registrant resides. Let's move on to show how the RBN is using the domain ukansnami.com as a name server with some googling -

Fraud:
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://scamfraudalert.wordpress.com/2011/02/21/lilac-llc-company/

Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=westview-art.net&submit=query
link here (too long)

Basically it's being used for money mule recruitment and to infect them so the RBN can steal their identity and financial information. Congrats on checking the registrant details for this one PAKNIC (PRIVATE) LIMITED. You just supplied the RBN with a name server and in turn they gave you falsified whois information.

uknamo.com

Continuing on with my analysis of the name servers towards the end of my first blog post, it's time to look at the domain/name server uknamo.com. We can assume this is another Russian Business Network (RBN) name server, set up for the sole purpose of delivering malware and committing fraud as a bulletproof host. A quick check on Emerging Threats' RBN monitoring list shows this assumption to be true. Shocking right? Also upon googling "uknamo.com", I was greeted by a few links showing malicious software. Again, why do I bother to be shocked at this point? Maybe it's the fact that the IT, registrar, and hosting industry hasn't taken a more proactive stance against these guys. Anyway, diving right in, let's look at uknamo.com's whois registrant information -


Queried whois.internic.net with "dom uknamo.com"...
Domain Name: UKNAMO.COM
   Registrar: TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM
   Whois Server: whois.ownregistrar.com
   Referral URL: http://www.ownregistrar.com
   Name Server: NS1.UKNAMO.COM
   Name Server: NS2.UKNAMO.COM
   Name Server: NS3.UKNAMO.COM
   Status: clientTransferProhibited
   Updated Date: 27-jan-2011
   Creation Date: 27-jan-2011
   Expiration Date: 27-jan-2012
Registrant:
    Roman Shumakov
    Roman Shumakov        (morph@ppmail.ru)
    ul.Dubrovinskogo d.114
    Kursk
    Kurskaya obl,305009
    RU
    Tel. +7.4717545322
    Fax. +7.4717545322
Creation Date: 27-Jan-2011  
Expiration Date: 27-Jan-2012
Source: centralops.net

Russia, what do you know! Googling Roman's street address pulls up multiple hits for recorded cyber criminal activity, and googling his whole address pulls up no hits for google maps (in fact you just find even more records of "Roman's" cyber criminal activity). This suggests the whois registrant information has been falsified. Shocking, I know, that criminals wouldn't want their place of residence known. So what happens when we google his phone number? We find more fraud, and we find his address stays pretty consistent.

Regardless of this fact, it's safe to assume that the address information has been falsified for uknamo.com. Why do I say this? Dubrovinskogo (Дубровинского) street seems to be mapped in two places on google maps. Additionally, notice the formatting of the addresses on this street -

ул. Дубровинского, 3а, к.48, Курск, Россия
305009
8 (4712) 50-49-09

Notice the "3а, к.48" part? This suggests that the whois registrant information is not formatted correctly for uknamo.com. Still, let's give this address one more look over. First let's translate it into Russian and google it. Finally! We get somewhere. Notice that xls file being offered by rpn.gov.ru in the google search? This site looks like it's some sort of environmental compliance organization. Let's take a look at this .xls file and see what we can glean about this residence (also, the excel file was made in September of 2010).


From Row 2 - 
Russian: Список конкретных объектов хозяйственной и иной деятельности по территории Курской области, оказывающих негативное воздействие на окружающую среду и подлежащих федеральному государственному экологическому контролю
Rough English translation:
List the concrete objects of economic and other activity in the territory of Kurskaya district, which exert negative influence on the environment and which are subject to the federal state ecological control

From Row 3 column B - 
Russian: Наименование юридического лица (филиала по субъекту Российской Федерации)/ Ф.И.О. индивидуального предпринимателя
Rough English translation: Designation of legal person (branch for the subject of the Russian Federation)/ [F].[I].[O]. of the individual owner
Comment: The owner of the address.

From Row 3 Column C -
Russian: Фактический адрес и местонахождение (по месту государственной регистрации)
Rough English translation: Actual address and location (on the place for state registration)

Good! Let's see if Roman Shumakov owns this address! We scroll down to row 3014 in the xls file from this environmental compliance agency and look at columns B (owner) and C (address). 

Column B -
Russian: ООО "КурскСтройМастер"
Rough English translation: [OOO] of " [KurskStroyMaster]" (google hit here, looks like a company that installs pools).
Notes: Proves falsified whois registrant details.

Column C -
Russian: 305029, Курская обл., г. Курск, ул. Дубровинского, д. 114
Rough English translation: 305029, Kursk reg., g. Kursk, ul Of [dubrovinskogo], d. 114
Comment: There's our registrant address, and it doesn't belong to Roman Shumakov!

So, that took a little longer than usual to prove falsified whois registrant details. Now let's prove that the domain uknamo.com has been set up by the Russian Business Network for no other reason than to serve as a staging point for cyber crime. A quick google search on uknamo.com shows a lot of cyber criminal activity in the following areas -

Phishing:
http://siteadvisor.de/sites/uknamo.com/msgpage

Fraud:
http://scamfraudalert.wordpress.com/2011/02/03/
Link here (too long)
Link here (too long)
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html

Malware:
Clean MX cache here
http://amada.abuse.ch/?search=throne-uk.at
Another Clean MX cache here

There were plenty of other google hits supporting the fact that uknamo.com has been used as a name server for some time to promote cyber criminal activity. It would make sense for the whois to be completely falsified in this case, and as such it's something that TRUNKOZ TECHNOLOGIES PVT LTD. D/B/A OWNREGISTRAR.COM needs to look into.

Monday, April 4, 2011

dnsukrect.com

Again, moving off of my first blog post, it's time to examine dnsukrect.com (another domain being used as a name server for fraudulent, malware pushing money mule recruitment sites). As demonstrated with the last two name servers I wrote about (here and here), it would be safe to assume that all 14 name servers I plan on covering will be associated with or run by the multifaceted, cyber crime friendly, bulletproof host the Russian Business Network (RBN). Dnsukrect.com is no different, and was found in the Emerging Threats RBN watch list here.

Let's start by diving right into the whois registrant details of dnsukrect.com -
Domain Name: DNSUKRECT.COM
Registrar: NICS TELEKOMUNIKASYON TICARET LTD.STI.
Whois Server: whois.nicproxy.com
Referral URL: http://www.nicproxy.com
Name Server: NS1.DNSUKRECT.COM
Name Server: NS2.DNSUKRECT.COM
Name Server: NS3.DNSUKRECT.COM
Status: ok
Updated Date: 27-jan-2011
Creation Date: 27-jan-2011
Expiration Date: 27-jan-2012
DOMAIN: DNSUKRECT.COM
owner-contact:CID-129136DNS
owner-organization:Oksana Boiko
owner-name:Oksana
owner-lname:Boiko
owner-street:ul.Pobedy d.3 kv.81
owner-city:Stroitel
owner-state:Belgorodskaya oblast
owner-zip:309070
owner-country:RU
owner-phone:+7.4722311731
owner-fax:+7.4722311731
owner-email:code@yourisp.ru
Source: centralops.net
Upon googling Mr. Boiko's street address, you will find links noting sites that have been set up for malware dispersal. No shock there, we're talking about the RBN. Googling his whole address, it won't pull up on google maps. So I highly doubt the street even exists in Stroitel, Russia, meaning the whois registrant information has been falsified for illegal and fraudulent purposes. On that note, what happens when you google Boiko's phone number? Aside from being greeted by quite a few reports of fake pharmacies and malware dispersal sites, there were some more things to suggest falsified whois registrant information for criminal activity.
Domain Name : DISCOUNTPHARMACYPILLS.COM 
Registrant: Nataliya Guzik
Nataliya Guzik (tw@free-id.ru)
ul.Pochtovaya d.76 kv.28
Belgorod Belgorodskaya oblast, 308013
RU Tel. +7.4722311731 Fax. +7.4722311731
Creation Date : 11/3/2010 7:04:54 PM
Expiration Date : 11/3/2011 7:04:54 PM
Source: http://discountpharmacypills.com.w3spy.net/
Notice two things here: Mr. Boiko is now named Nataliya Guzik (sexy name Boiko), and his place of residence has changed drastically, all within a year. Also he (she?) has quite a few email addresses; in this case it was used to register a fake pharmacy (looks like Natalia started another one here too). This, hands down, proves falsified whois registrant information. We're not done here though; let's look at another site "Nataliya" registered for malware dispersal 5 days after Mr. Boiko registered dnsukrect.com.

Registrant:
Nataliya Guzik above@yourisp.ru +7.4722311731
Nataliya Guzik
ul.Pochtovaya d.76 kv.28
Belgorod,Belgorodskaya oblast,RU 308013
Domain Name:quvujykolenuja.com
Record last updated at
Record created on 2011/2/28
Record expired on 2012/2/28
Source: link here (too long)
Totally different address, totally different name, all registered within the same time period, and all for the purposes of cyber criminal activity. This is hands down falsified whois registrant activity for illegal purposes.

So, we've already shown that the whois registrant information has been falsified for the name server dnsukrect.com. Let's show what kind of illegal activity takes place on this name server -

Phishing:
http://www.siteadvisor.com/sites/dnsukrect.com/postid?p=7305091

Fraud:
http://scamfraudalert.wordpress.com/2011/02/03/
http://scamfraudalert.wordpress.com/2011/02/21/lilac-llc-company/
http://scamfraudalert.wordpress.com/2011/02/03/gogo-group-inc-cc-gogo-teamant-com/
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html

Malware:
http://rss.uribl.com/ns/dnsukrect_com.html
link here (too long!)
http://amada.abuse.ch/?search=renaissance-llc.cc
http://support.clean-mx.de/clean-mx/viruses?id=761523

There were plenty of other google hits for this kind of activity, I'm pretty sure if you made it this far down the post you know how to google for it. That said, again we see a registrar fail in that whois registrant information has been falsified while the slime of the internet's charred underbelly run rampant dispersing their malware and other forms of fraud. NICS TELEKOM, it's time to see if you want your name associated with this lot.

Coming soon to a blog post near you, a short story about a name server/domain named uknamo.com .

AUSTDEC.CC

The show must go on! Again, continuing down the name servers list I gave towards the end of my first blog post it's time to take a look at the name server AUSTDEC.CC. Let's start by taking a look at the whois details to see who registered this nameserver for the sole purposes of catering to cyber crime.

Domain Name: AUSTDEC.CC
   Registrar: ENOM, INC.
   Whois Server: whois.enom.com
   Referral URL: http://www.enom.com
   Name Server: NS1.AUSTDEC.CC
   Name Server: NS2.AUSTDEC.CC
   Name Server: NS3.AUSTDEC.CC
   Status: CLIENT-XFER-PROHIBITED
   Updated Date: 11-jan-2011
   Creation Date: 11-jan-2011
   Expiration Date: 11-jan-2012
Registrant Contact:
   Aleksandr Barhatov
   Aleksandr Barhatov ()
Fax: 
   1-ij Mikrorayon d.23 kv.177
   Kurgan, Kurganskaya oblast 640024
   RU

Administrative Contact:
   Aleksandr Barhatov
   Aleksandr Barhatov (bold@yourisp.ru)
   +7.3522462300
   Fax: +7.3522462300
   1-ij Mikrorayon d.23 kv.177
   Kurgan, Kurganskaya oblast 640024
   RU

So... it's owned by another Russian by the name of Aleksandr Barhatov, or is it? Google maps can't say for sure whether his address is real, as it just couldn't find it. When I did google search his address, it did have plenty of phishing, malware, and fake pharmacy activity though. That shows he's definitely into illegal activity; now all we have to prove to any decent registrar is that the whois information has been falsified. First off, let's google his phone number (+7.3522462300). The first site that comes to attention is as follows -

DOMAIN: MYSALES24.NET
RSP: Internet 7 Ltd.
owner-contact: P-AXB1501
owner-fname: Alexander
owner-lname: Barkhatov
owner-street: Perviy Mikrorajon dom 23 kv.177
owner-city: Kurgan
owner-state: Kurganskaya oblast
owner-zip: 640024
owner-country: RU
owner-phone: 7.3522462300
owner-fax: 7.3522462300
owner-email: cr@8081.ru


Updated Date: 05-jun-2010
Creation Date: 04-jun-2009
Expiration Date: 04-jun-2011
Source: centralops.net & http://whois.domaintools.com/mysales24.net

Notice the slight change in street address? He also uses the same slight name change here for a domain spreading malware. The street address further changes to "Perviy Mkr." in another domain dishing out more malware -

Registrant:
Aleksandr Barhatov chute@infotorrent.ru (email address helped spread conficker virus - see: Dancho Danchev)
+7.3522462300
Aleksandr Barhatov
Perviy Mkr. d.23 kv.177
Kurgan,Kurganskaya oblast,RUSSIAN FEDERATION 640024
Domain Name:kasonkertub.com
Record last updated at 2009-08-27 06:36:59
Record created on 2009/8/21
Record expired on 2010/8/21
Source: here 
I'm starting to wonder how many email addresses Mr. Barhatov keeps! Again, his street address during these time periods seems to keep changing -

Domain: healthpillstablets.com
owner: Alexander Barhatov
email: thug@ml3.ru
Adresse: Perviy Mikrorayin d.23 kv.177
Stadt: Kurgan
Staat: --
postal-code: 640024
Land: RU
Telefon: +7.3522462300
admin-c: CCOM-1504106 thug@ml3.ru
tech-c: CCOM-1504106 thug@ml3.ru
billing-c: CCOM-1483242 info@gtec.ru
nserver: ns1.yourstorehealth.net
nserver: ns2.goodhealthoutlet.com
status: lock
Erstellt: 2009-11-18 12:00:03 UTC
modified: 2009-11-24 14:34:05 UTC
Gültig: 2010-11-18 12:00:03 UTC
Source: http://whois.gwebtools.de/healthpillstablets.com


Mr. Barhatov seems to "get around the block" when it comes to street addresses. Did anyone catch the email he used to register that last domain (thug@ml3.ru)? I guess his fake pharmacy site there makes him a thug! So I think from here we've shown enough registrant information discrepancies in conjunction with cyber criminal activity. Let's move on to AUSTDEC.CC and examine its more dubious cyber activity via google -

Malware:
http://support.clean-mx.de/clean-mx/viruses.php?domain=drysdale-group-inc.cc&sort=first%20desc
http://support.clean-mx.de/clean-mx/viruses.php?virusname=mdl_money%20mule%20recruitment%20/%20scam&sort=first%20desc *lots of hits here*

Fraud:
http://scamfraudalert.wordpress.com/2011/01/31/money-visual-llc-money-visualuk-cc/
http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html
http://forum.autosec4u.info/showthread.php?tid=3690&pid=16199#pid16199 (German!)


Results are a bit short, but there's enough googling in here to show that Aleksandr Barhatov's sites and name servers are involved in plenty of cyber criminal activity. They have been for years. This is not the kind of guy you want registering a site with you, if you're a registrar. The information is falsified/highly obfuscated, and all for the purposes of illegal activity. As we can see, his nameserver AUSTDEC.CC was registered by Enom. Now, in 2009 Enom was mentioned by knujon here as being one of the top 10 registrars not taking action against cyber criminals. Hopefully their attitude has changed since then, as yet again we are dealing with another Russian Business Network (RBN - the multifaceted and well known Russian cyber crime hoster) name server here. Again, the name server AUSTDEC.CC was picked up on Emerging Threats' RBN monitoring network (link here).
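The manual step repeated in every one of these posts (google a registrant's phone number or street, then compare the names and addresses that come back) can be done over a pile of whois records in a few lines. The script below is an added example written for this page, not the author's tooling and not anything a registrar runs; the sample records are constructed from the registrant fields quoted in the posts above (FOLOWDNS.CC, ukansnami.com, dnsukrect.com, AUSTDEC.CC and the domains they were pivoted against), and the field names "domain", "name", "phone" and "street" are my own labels for those fields. It normalises the phone formats the different registrars print ("+7.", "7.", spaces, a trailing "Ext:") and then reports every phone number or street that is registered under more than one name, which is exactly the discrepancy used here to call a record falsified.

```python
import re
from collections import defaultdict

# Constructed sample: registrant fields copied from the whois excerpts quoted
# in these posts, reduced to the fields we pivot on. Formats deliberately
# vary the way the excerpts do (e.g. "+7.", "7.", spaces, an "Ext:" suffix).
RECORDS = [
    {"domain": "folowdns.cc", "name": "Nikolaj Stolbikov",
     "phone": "+78123274547", "street": "ul. Marshala Kazakova d.1 k.2 kv.360"},
    {"domain": "capsuletabletsdrugstore.com", "name": "Olga Veresova",
     "phone": "+78123274547", "street": "ul.Komsomola d.13 kv.26"},
    {"domain": "dnsukrect.com", "name": "Oksana Boiko",
     "phone": "+7.4722311731", "street": "ul.Pobedy d.3 kv.81"},
    {"domain": "discountpharmacypills.com", "name": "Nataliya Guzik",
     "phone": "+7.4722311731", "street": "ul.Pochtovaya d.76 kv.28"},
    {"domain": "quvujykolenuja.com", "name": "Nataliya Guzik",
     "phone": "+7.4722311731", "street": "ul.Pochtovaya d.76 kv.28"},
    {"domain": "austdec.cc", "name": "Aleksandr Barhatov",
     "phone": "+7.3522462300", "street": "1-ij Mikrorayon d.23 kv.177"},
    {"domain": "mysales24.net", "name": "Alexander Barkhatov",
     "phone": "7.3522462300", "street": "Perviy Mikrorajon dom 23 kv.177"},
    {"domain": "ukansnami.com", "name": "Sergej Chashin",
     "phone": "7.381228450 Ext: ", "street": "ul.Gogolya d.15 kv.1"},
    {"domain": "softwarestore4you.com", "name": "Sergey A Chashchin",
     "phone": "+7 3812 284504", "street": "ul.Gogolya d.15 kv.1"},
]


def normalize_phone(raw):
    """Reduce a whois phone field to its digits so '+7.3522462300',
    '7.3522462300' and '+7 3522 462300' compare equal. Anything after an
    'Ext' marker is an extension and is dropped."""
    main = re.split(r"(?i)\bext\b", raw, maxsplit=1)[0]
    return re.sub(r"\D", "", main)


def normalize_street(raw):
    """Lower-case, drop spaces after abbreviation dots and collapse whitespace,
    so 'ul. Gogolya  d.15' and 'ul.Gogolya d.15' compare equal. Transliteration
    variants (Mikrorayon/Mikrorajon) are left alone: those are real differences
    a reviewer should see."""
    s = raw.lower().strip()
    s = re.sub(r"\.\s+", ".", s)
    return re.sub(r"\s+", " ", s)


NORMALIZERS = {
    "phone": normalize_phone,
    "street": normalize_street,
    "name": lambda s: " ".join(s.split()),
}


def pivot(records, field):
    """Group records by the normalized value of one field."""
    groups = defaultdict(list)
    for rec in records:
        groups[NORMALIZERS[field](rec[field])].append(rec)
    return groups


def find_inconsistencies(records, pivot_field, compare_field):
    """Return {pivot_value: {compare_field: set, 'domains': set}} for every
    pivot value shared by records whose compare_field disagrees: one phone
    number registered under several names, or one street under several names.
    This is the automated form of the 'google the phone number' step."""
    findings = {}
    for value, group in pivot(records, pivot_field).items():
        seen = {NORMALIZERS[compare_field](r[compare_field]) for r in group}
        if len(seen) > 1:
            findings[value] = {compare_field: seen,
                               "domains": {r["domain"] for r in group}}
    return findings


if __name__ == "__main__":
    for pf in ("phone", "street"):
        for value, info in find_inconsistencies(RECORDS, pf, "name").items():
            print(f"{pf} {value!r} is registered under {len(info['name'])} "
                  f"names {sorted(info['name'])} across {sorted(info['domains'])}")
```

On the sample above, pivoting on phone flags three numbers (each tied to two different names), and pivoting on street flags ul.Gogolya d.15 kv.1, where the two Chashin/Chashchin spellings sit on different phone numbers; the ukansnami.com number with its "Ext:" suffix and the softwarestore4you.com number stay separate, matching the post's observation that those two phones differ. Normalisation is deliberately conservative: it only erases formatting noise, so any discrepancy it reports is a genuine difference in what the registrant supplied.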

Enom abuse staff, if you're reading this you can be sure the whois registrant information has been falsified for cyber criminal activity. This is just how the RBN operates, no name and no face to the digital crime.