A Cybercrime Hub Reinvents Itself
A cybercriminal hub is sending out DNS-changing Trojans, false ads, and fake virus infection warnings via a huge network of servers across numerous data centers worldwide, according to an excellent report from Trend Micro.
Via this network, just one DNS-changing Trojan redirected more than 1.8 million unique IP addresses internationally in July 2009 alone.
The Trojan lures the user to a pornographic or pharmaceutical spoof site, automatically displayed in the language of the user's country. This then leads the user to scareware, or a screen reporting the detection of a fake virus, along with an offer for bogus antivirus software -- and hence to the necessary cybercrime payment site.
Let's reach beyond the Trend Micro report and join up a few more dots to understand who is behind this hub -- and how it operates.
This is a rebirth of the RBN (Russian Business Network) affiliate EstDomains, which operated as an accredited ICANN registrar starting in 2005, but was taken down in November 2008 when ICANN removed the company's accreditation.
After its apparent demise, the 272,488 active domains in EstDomains were transferred to legitimate hosts. But subsequently, around 100,000 of these domains were suspended for phishing, malware, spamming, financial fraud, rogue pharmacies, and child pornography.
Meanwhile, a new and as-yet-unnamed operation based in Tartu, Estonia -- like EstDomains was -- has risen from the ashes and spread its assets across a wider field of Web hosting companies to balance any future risk from blocking. It is now offering Web hosting, advertising, Internet traffic distribution, pay-per-click advertising, and domain site hosting. Any complaints or queries with regard to the redirects, Google replacement ads, or rogue antivirus software are received directly by the gang.
This is because, in reality, the user is now operating within a controlled Intranet. The cybercriminals have created a new empire with around 280 domain names ending with .intra. The domains reside on an extensive network of 450 proxies hosted on 15 different networks around the world.
The network redirects Google traffic from legitimate to spoof sites. Sites ending in .co.uk, .au, .ca, .de, .it and .fr have been the most popular, but Yahoo and Microsoft's bing.com have not escaped. The load is spread over different IP addresses via the criminal hub's 400-plus proxy servers, thus escaping Google detection by ensuring low traffic volumes at any one time.
When the DNS-changing Trojans infect user machines, the users see replacement ads, all of which are spoofed and mainly pharmaceutical, that prompt users to click, subsequently leading them to proxy foreign servers instead of to legitimate ones.
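The mechanism just described rests on one change to the victim's machine: the configured resolver is swapped for one the gang controls, so search-engine and ad hostnames resolve to the hub's proxy servers instead of the real ones. That gives a defender two cheap host-side checks. The following script is an added example, not code from the Trend Micro report or the article; the trusted resolver list, the expected networks, and the sample resolv.conf and DNS answers are all constructed placeholder values, not real indicators, and the function names are my own.

```python
"""Defender-side checks for signs of a DNS-changing Trojan (added example).

Check 1: are the nameservers configured on the host ones we expect?
Check 2: do well-known hostnames resolve into the address space we
baseline for them?  Every address below is a constructed sample value.
"""
import ipaddress
import re

# Constructed allowlist of resolvers the organisation actually uses.
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed baseline: which networks each monitored hostname should
# resolve into.  A real deployment fills this from its own observed
# baseline, not from guesses.
EXPECTED_NETS = {
    "www.google.co.uk": [ipaddress.ip_network("203.0.113.0/24")],
    "www.bing.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Matches "nameserver <addr>" lines in a resolv.conf-style file.
_NS_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def rogue_resolvers(resolv_conf: str, trusted=TRUSTED_RESOLVERS):
    """Return configured nameservers that are not on the trusted list."""
    found = []
    for m in _NS_RE.finditer(resolv_conf):
        addr = m.group(1)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            found.append(addr)  # an unparsable entry is itself suspicious
            continue
        if addr not in trusted:
            found.append(addr)
    return found


def unexpected_answers(answers, expected=EXPECTED_NETS):
    """answers: iterable of (hostname, ip) pairs as returned by the resolver.

    Return the (hostname, ip) pairs whose answer falls outside the
    networks baselined for that hostname; unmonitored hosts are skipped.
    """
    flagged = []
    for host, ip in answers:
        nets = expected.get(host)
        if nets is None:
            continue
        ip_obj = ipaddress.ip_address(ip)
        if not any(ip_obj in n for n in nets):
            flagged.append((host, ip))
    return flagged


# Constructed sample input: a resolv.conf as a DNS changer might leave it,
# with one trusted resolver still present and one foreign one added.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.77
"""

# Constructed sample answers: bing resolves where expected, google does not.
SAMPLE_ANSWERS = [
    ("www.google.co.uk", "192.0.2.80"),
    ("www.bing.com", "198.51.100.10"),
]

if __name__ == "__main__":
    print("rogue resolvers:", rogue_resolvers(SAMPLE_RESOLV_CONF))
    print("unexpected answers:", unexpected_answers(SAMPLE_ANSWERS))
```

Either hit on its own is a strong signal: a foreign nameserver explains why the victim sees replacement ads, and a search-engine hostname resolving into an unrelated network is exactly the redirect-to-proxy behaviour the report describes. Feeding the second check from passive DNS logs at the network edge scales it beyond a single host.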
This new iteration of EstDomains is doing all of this despite the conviction of former EstDomains leader Vladimir Tsastsin for credit card fraud in Estonia.
A major commercial security company has also confirmed the usage by this hub of major U.S. and U.K. data centers, i.e. rented cloud computing facilities.
Although ostensibly this is an Estonian cybercrime operation, the main badness and payment centers are based on the servers named AS43146 - AGAVA (in Russia) and AS4645 HKNET (in Hong Kong, previously known as HostFresh), operating through proxies on China Telecom for botnet latches and relays.
As usual, battling such operations is an ongoing war. And even one DNS-changing Trojan can put a great deal of money at stake.
The good news is that the security community has also benefited from the lessons learned when battling EstDomains -- a battle that took the criminals off the Net for many months. Now, Spamhaus and others will be able to block the new hub.
The more serious element in the picture is the proof of sophisticated and integrated use of cloud computing data centers as part of the criminal operations. These, however, can be cleaned up.
We hope the operators of these data centers do not need to be shamed into action and will start the process to exclude the criminal use of their facilities.