Andrew Martin

The Top 50 Bad Hosts – Another Report by HostExploit

Jart and Scott from HostExploit (http://hostexploit.com/) have put together another paper on bad hosting providers, this time giving an overview of 50 that host a great deal of malicious code. The ranking is based on a mathematical calculation, which is included in the report. To be absolutely clear, these providers are not knowingly acting as hubs of cybercrime like McColo, Real Host, etc were. These are hosts that would benefit greatly by improving their security posture. The report also highlights the top 10 good hosts, so readers can get a feel for the differences between the two.

View the top 50

Download the report

Here’s a brief look at the top 10 bad hosts:

HE Rank	HE Index	AS Number	Name	Country
1	269.9	AS30407	VELCOM – Rcp.net	CANADA
2	225.7	AS23522	IPNAP-ES – GigeNET	UNITED STATES
3	179.7	AS16276	OVH OVH	FRANCE
4	159.5	AS41665	HOSTING-AS National Hosting Provider, Hosting.UA	UKRAINE
5	158.7	AS4134	CHINANET – BACKBONE No.31,Jin-rong Street	CHINA
6	151.7	AS49637	ZHM-AS PE Zavalnuk Vladislav Mihailovich	KAZAKHSTAN
7	147.9	AS32613	IWEB-AS – iWeb Technologies Inc.	CANADA
8	142.2	AS10929	Netelligent Hosting Services Inc	CANADA
9	140.3	AS28753	NETDIRECT AS NETDIRECT Frankfurt, DE	GERMANY
10	135.4	AS49314	NEVAL PE Nevedomskiy Alexey Alexeevich	RUSSIAN FEDERATION

Major Stealthy Malware Campaign – 711 Domains Taken Down

Starting sometime around November 6th, many attacks were observed coming from strangely named domains such as us.bf9.info, us.bp0.info, us.bn3.info, etc. The attackers employed some code splitting techniques to make their scripts more stealthy by moving suspicious shellcode from inside the primary exploit script to a secondary script. The attacks were being delivered through advertisements which also made investigating the source a pain. Performing some searches on the domains strangely did not yield any information from common sources such as malwareurl, malwaredomainlist, McAfee Site Adviser, etc.

To get to the root of the problem, Afilias (the company responsible for .info domains) and GoDaddy (the registrar) were involved to investigate. They quickly blocked the offending domains once it was clear they were hostile. What was very surprising was the end result, GoDaddy removed 711 domains that were affiliated with this attack!

Attack scripts:

hxxp://us.hn0.info/f/1/ie.html

http://www.virustotal.com/analisis/a53300db52ccf8a236348995c0480aed05fa4419d1eb5c471808a6ae2fd0d9b6-1259947372

hxxp://us.hn0.info/f/1/ff.html

http://www.virustotal.com/analisis/1d3778247739c072cb435e3b11a0592503cb71f6a03cce24af85ca20ba110f00-1259947360

hxxp://us.hn0.info/f/1/cosplay.swf
http://wepawet.iseclab.org/view.php?hash=8e2a2167a9f34c1c0b9d7ac456aff807&type=swf

Shellcode:
http://www.virustotal.com/analisis/71d15b19cc00d4ddb8cd9152f071671abe398fb6da7b0517b1d6a0e0c3e61995-1259948262

The domains:

FK0.INFO	AC0.INFO	KD8.INFO	JZ5.INFO
FK6.INFO	AE0.INFO	KD9.INFO	JZ6.INFO
FK7.INFO	AE6.INFO	CUUB.INFO	JZ7.INFO
FK8.INFO	AE9.INFO	CXXB.INFO	JZ8.INFO
FK9.INFO	AF0.INFO	DRRB.INFO	KA0.INFO
FL0.INFO	AF5.INFO	DTTB.INFO	KB0.INFO
FL7.INFO	AF8.INFO	DYYB.INFO	KB8.INFO
FL8.INFO	AF9.INFO	GJGJ.INFO	KC5.INFO
FM0.INFO	AG0.INFO	RFVT.INFO	KC6.INFO
FM9.INFO	AG7.INFO	TGBY.INFO	KC8.INFO
FN3.INFO	AG8.INFO	UJMI.INFO	KD3.INFO
FN4.INFO	AG9.INFO	YHNU.INFO	KD4.INFO
FN5.INFO	AH0.INFO	DT0.INFO	KD7.INFO
FN6.INFO	AH5.INFO	DV0.INFO	HX0.INFO
FN7.INFO	AH7.INFO	DV6.INFO	HY2.INFO
FN8.INFO	AI0.INFO	DV7.INFO	HY3.INFO
FO0.INFO	AJ3.INFO	DW0.INFO	HY6.INFO
FO5.INFO	AJ4.INFO	DW9.INFO	HY7.INFO
FO6.INFO	AJ5.INFO	DX6.INFO	HZ0.INFO
FO7.INFO	AJ7.INFO	DX7.INFO	HZ3.INFO
FP4.INFO	AJ9.INFO	DX8.INFO	HZ4.INFO
FP5.INFO	AK0.INFO	DY2.INFO	HZ5.INFO
FP9.INFO	AN0.INFO	DY5.INFO	HZ7.INFO
FQ0.INFO	AO0.INFO	DZ4.INFO	HZ8.INFO
FQ3.INFO	AO3.INFO	DZ5.INFO	IA0.INFO
FQ4.INFO	AO8.INFO	EA0.INFO	IB0.INFO
FQ6.INFO	AP3.INFO	EA2.INFO	IB4.INFO
FQ7.INFO	AP9.INFO	EA4.INFO	IB5.INFO
FR0.INFO	AQ0.INFO	EA5.INFO	IB6.INFO
FS0.INFO	AQ3.INFO	EA6.INFO	IB7.INFO
FS4.INFO	AQ9.INFO	EA7.INFO	IB8.INFO
FS6.INFO	AR0.INFO	EA8.INFO	IB9.INFO
FS7.INFO	AT4.INFO	EB0.INFO	IC5.INFO
FT0.INFO	AU0.INFO	EB4.INFO	IF4.INFO
FT5.INFO	AW0.INFO	ED0.INFO	IF5.INFO
FT9.INFO	AX0.INFO	ED3.INFO	IF6.INFO
FU0.INFO	AX3.INFO	EF2.INFO	IF7.INFO
FU4.INFO	AY0.INFO	EH4.INFO	IF8.INFO
FU8.INFO	AZ5.INFO	EH7.INFO	IF9.INFO
FV4.INFO	AZ6.INFO	EI4.INFO	IG5.INFO
FV6.INFO	AZ7.INFO	EI5.INFO	IG6.INFO
FV7.INFO	AZ8.INFO	EI6.INFO	IG9.INFO
FV8.INFO	AZ9.INFO	EI8.INFO	IH0.INFO
FV9.INFO	BC0.INFO	EI9.INFO	IH2.INFO
FW0.INFO	BC6.INFO	EK0.INFO	IH3.INFO
FW5.INFO	BC8.INFO	EK2.INFO	IH4.INFO
FW6.INFO	BC9.INFO	EK4.INFO	IH5.INFO
FW8.INFO	BD3.INFO	EK5.INFO	IH6.INFO
FW9.INFO	BF0.INFO	EK7.INFO	IJ2.INFO
FY0.INFO	BF4.INFO	EL0.INFO	IJ4.INFO
FY2.INFO	BF6.INFO	EL6.INFO	IJ5.INFO
FY5.INFO	BF8.INFO	EM5.INFO	IJ6.INFO
FY6.INFO	BF9.INFO	EM8.INFO	IJ7.INFO
FZ0.INFO	BG0.INFO	EM9.INFO	IK3.INFO
FZ3.INFO	BH0.INFO	EN8.INFO	IK4.INFO
FZ4.INFO	BH2.INFO	EO0.INFO	IK5.INFO
FZ5.INFO	BI6.INFO	EO3.INFO	IK6.INFO
FZ7.INFO	BI7.INFO	EO5.INFO	IK7.INFO
FZ8.INFO	BJ4.INFO	EO6.INFO	IK8.INFO
GB0.INFO	BK2.INFO	EO7.INFO	IK9.INFO
GC0.INFO	BL0.INFO	EO8.INFO	IL0.INFO
GC6.INFO	BL8.INFO	EO9.INFO	IL7.INFO
GC7.INFO	BL9.INFO	EP6.INFO	IL8.INFO
GC8.INFO	BM3.INFO	EP7.INFO	IO2.INFO
GC9.INFO	BM5.INFO	EP8.INFO	IO3.INFO
GD0.INFO	BM8.INFO	EQ4.INFO	IO5.INFO
GD4.INFO	BN0.INFO	EQ7.INFO	IO6.INFO
GD5.INFO	BN3.INFO	ER9.INFO	IQ9.INFO
GD6.INFO	BN5.INFO	ES7.INFO	IR0.INFO
GD7.INFO	BN7.INFO	ES8.INFO	IR6.INFO
GD8.INFO	BN8.INFO	ES9.INFO	IR7.INFO
GF3.INFO	BP0.INFO	EU0.INFO	IR9.INFO
GH4.INFO	BP5.INFO	EV9.INFO	IU0.INFO
GH5.INFO	BP6.INFO	EW0.INFO	IU2.INFO
GH6.INFO	BP7.INFO	EW4.INFO	IV2.INFO
GH7.INFO	BP8.INFO	EY0.INFO	IV4.INFO
GI0.INFO	BQ0.INFO	EZ0.INFO	IV5.INFO
GI3.INFO	BQ2.INFO	EZ9.INFO	IV6.INFO
GI6.INFO	BQ3.INFO	FA0.INFO	IW0.INFO
GI8.INFO	BQ4.INFO	FC0.INFO	IW2.INFO
GJ0.INFO	BQ5.INFO	FC5.INFO	IW4.INFO
GJ7.INFO	BQ6.INFO	FC7.INFO	IW5.INFO
GJ8.INFO	BQ7.INFO	FC9.INFO	IW6.INFO
GJ9.INFO	BQ8.INFO	FD0.INFO	IX4.INFO
GK0.INFO	BQ9.INFO	FD5.INFO	IX5.INFO
GK3.INFO	BR5.INFO	FD8.INFO	IX6.INFO
GK5.INFO	BR6.INFO	FD9.INFO	IX7.INFO
GK6.INFO	BR7.INFO	FE0.INFO	IY0.INFO
GK8.INFO	BR9.INFO	FE4.INFO	IY2.INFO
GL3.INFO	BS3.INFO	FE7.INFO	IY3.INFO
GL4.INFO	BS5.INFO	FG0.INFO	IY4.INFO
GL9.INFO	BT0.INFO	FG3.INFO	IY6.INFO
GM8.INFO	BU0.INFO	FG5.INFO	IY8.INFO
GM9.INFO	BU9.INFO	FG8.INFO	IY9.INFO
GN0.INFO	BV0.INFO	FH0.INFO	IZ0.INFO
GN5.INFO	BV2.INFO	FH4.INFO	IZ2.INFO
GN6.INFO	BV5.INFO	FH5.INFO	IZ3.INFO
GN7.INFO	BV7.INFO	FH6.INFO	IZ7.INFO
GN9.INFO	BV8.INFO	FH7.INFO	IZ8.INFO
GP8.INFO	BV9.INFO	FH8.INFO	IZ9.INFO
BX2.INFO	WGREATDREAM.COM	FH9.INFO	JA0.INFO
BX7.INFO	GP0.INFO	FI4.INFO	JB0.INFO
BX9.INFO	GQ0.INFO	FJ0.INFO	JC2.INFO
BY5.INFO	GQ2.INFO	FJ2.INFO	JC5.INFO
BZ9.INFO	GQ3.INFO	FJ3.INFO	JC6.INFO
CB0.INFO	GQ4.INFO	FJ4.INFO	JD2.INFO
CB6.INFO	GQ5.INFO	FJ5.INFO	JD3.INFO
CE3.INFO	GQ9.INFO	FJ6.INFO	JD4.INFO
CE7.INFO	GR6.INFO	FJ7.INFO	KE2.INFO
CF0.INFO	GR9.INFO	FJ8.INFO	KF3.INFO
CF3.INFO	GS0.INFO	FJ9.INFO	KF4.INFO
CF4.INFO	GS3.INFO	FK2.INFO	KF5.INFO
CF5.INFO	GS6.INFO	JD0.INFO	KF7.INFO
CF6.INFO	GS9.INFO	JD6.INFO
CF7.INFO	GU0.INFO	JD7.INFO
CG3.INFO	GU4.INFO	JD9.INFO
CI0.INFO	GV0.INFO	JE2.INFO
CJ0.INFO	GV2.INFO	JE4.INFO
CJ3.INFO	GV3.INFO	JF0.INFO
CJ8.INFO	GV4.INFO	JF2.INFO
CL0.INFO	GV5.INFO	JF3.INFO
CL5.INFO	GV9.INFO	JG0.INFO
CL9.INFO	GW0.INFO	JG2.INFO
CM9.INFO	GX0.INFO	JG3.INFO
CO0.INFO	GX2.INFO	JG7.INFO
CP0.INFO	GX4.INFO	JG8.INFO
CP5.INFO	GX5.INFO	JG9.INFO
CP7.INFO	GX6.INFO	JH0.INFO
CQ0.INFO	GY0.INFO	JH4.INFO
CQ5.INFO	GY2.INFO	JH5.INFO
CQ7.INFO	GY4.INFO	JH7.INFO
CQ8.INFO	GY5.INFO	JI0.INFO
CQ9.INFO	GY6.INFO	JI1.INFO
CS0.INFO	GY7.INFO	JI2.INFO
CS7.INFO	GY9.INFO	JI7.INFO
CT0.INFO	HB7.INFO	JI9.INFO
CT6.INFO	HB8.INFO	JK7.INFO
CT8.INFO	HC0.INFO	JK8.INFO
CU3.INFO	HC4.INFO	JL2.INFO
CU4.INFO	HC8.INFO	JL3.INFO
CU5.INFO	HD0.INFO	JL4.INFO
CV0.INFO	HE4.INFO	JL5.INFO
CV8.INFO	HE5.INFO	JL7.INFO
CV9.INFO	HE7.INFO	JL9.INFO
CW0.INFO	HF0.INFO	JM0.INFO
CW4.INFO	HF6.INFO	JM3.INFO
CW5.INFO	HF7.INFO	JM6.INFO
CW8.INFO	HF8.INFO	JM7.INFO
CW9.INFO	HF9.INFO	JN2.INFO
CX0.INFO	HG3.INFO	JN7.INFO
CX5.INFO	HG4.INFO	JN8.INFO
CX6.INFO	HG5.INFO	JN9.INFO
CY2.INFO	HG6.INFO	JO0.INFO
CY3.INFO	HG8.INFO	JQ1.INFO
CY6.INFO	HG9.INFO	JQ2.INFO
CY7.INFO	HJ2.INFO	JQ3.INFO
CZ0.INFO	HJ3.INFO	JQ4.INFO
CZ7.INFO	HJ5.INFO	JQ5.INFO
CZ9.INFO	HJ6.INFO	JQ6.INFO
DA3.INFO	HJ7.INFO	JQ7.INFO
DA6.INFO	HJ8.INFO	JQ8.INFO
DA7.INFO	HJ9.INFO	JR0.INFO
DB5.INFO	HK0.INFO	JS3.INFO
DB6.INFO	HK3.INFO	JS4.INFO
DE4.INFO	HK4.INFO	JS5.INFO
DE5.INFO	HL0.INFO	JS8.INFO
DE6.INFO	HL6.INFO	JS9.INFO
DE8.INFO	HL9.INFO	JT0.INFO
DF5.INFO	HM4.INFO	JT3.INFO
DF6.INFO	HN0.INFO	JT4.INFO
DG0.INFO	HN3.INFO	JT5.INFO
DH3.INFO	HN4.INFO	JT9.INFO
DH9.INFO	HN5.INFO	JU0.INFO
DI0.INFO	HN6.INFO	JU2.INFO
DI3.INFO	HN9.INFO	JV0.INFO
DI4.INFO	HO0.INFO	JV3.INFO
DI8.INFO	HP0.INFO	JV4.INFO
DJ3.INFO	HR6.INFO	JV5.INFO
DJ7.INFO	HS0.INFO	JV6.INFO
DK0.INFO	HS7.INFO	JV8.INFO
DK5.INFO	HS8.INFO	JW4.INFO
DK7.INFO	HS9.INFO	JW7.INFO
DK8.INFO	HT6.INFO	JW8.INFO
DL0.INFO	HU0.INFO	JW9.INFO
DM0.INFO	HU3.INFO	JX1.INFO
DM4.INFO	HU4.INFO	JX2.INFO
DP0.INFO	HU6.INFO	JX3.INFO
DP3.INFO	HU7.INFO	JX5.INFO
DP6.INFO	HV0.INFO	JX8.INFO
DP7.INFO	HW4.INFO	JY0.INFO
DQ0.INFO	HW6.INFO	JY2.INFO
DQ2.INFO	HW7.INFO	JY4.INFO
DR0.INFO	HW8.INFO	JY5.INFO
DS7.INFO	HX3.INFO	JY6.INFO
DT3.INFO	HX5.INFO	JY7.INFO
DT5.INFO	HX6.INFO	JY9.INFO
DT6.INFO	HX7.INFO	JZ2.INFO
DT7.INFO	HX9.INFO	JZ3.INFO
DT8.INFO	KD0.INFO	JZ4.INFO
DT9.INFO

FK0.INFO	AC0.INFO	KD8.INFO
FK6.INFO	AE0.INFO	KD9.INFO
FK7.INFO	AE6.INFO	CUUB.INFO
FK8.INFO	AE9.INFO	CXXB.INFO
FK9.INFO	AF0.INFO	DRRB.INFO
FL0.INFO	AF5.INFO	DTTB.INFO
FL7.INFO	AF8.INFO	DYYB.INFO
FL8.INFO	AF9.INFO	GJGJ.INFO
FM0.INFO	AG0.INFO	RFVT.INFO
FM9.INFO	AG7.INFO	TGBY.INFO
FN3.INFO	AG8.INFO	UJMI.INFO
FN4.INFO	AG9.INFO	YHNU.INFO
FN5.INFO	AH0.INFO	DT0.INFO
FN6.INFO	AH5.INFO	DV0.INFO
FN7.INFO	AH7.INFO	DV6.INFO
FN8.INFO	AI0.INFO	DV7.INFO
FO0.INFO	AJ3.INFO	DW0.INFO
FO5.INFO	AJ4.INFO	DW9.INFO
FO6.INFO	AJ5.INFO	DX6.INFO
FO7.INFO	AJ7.INFO	DX7.INFO
FP4.INFO	AJ9.INFO	DX8.INFO
FP5.INFO	AK0.INFO	DY2.INFO
FP9.INFO	AN0.INFO	DY5.INFO
FQ0.INFO	AO0.INFO	DZ4.INFO
FQ3.INFO	AO3.INFO	DZ5.INFO
FQ4.INFO	AO8.INFO	EA0.INFO
FQ6.INFO	AP3.INFO	EA2.INFO
FQ7.INFO	AP9.INFO	EA4.INFO
FR0.INFO	AQ0.INFO	EA5.INFO
FS0.INFO	AQ3.INFO	EA6.INFO
FS4.INFO	AQ9.INFO	EA7.INFO
FS6.INFO	AR0.INFO	EA8.INFO
FS7.INFO	AT4.INFO	EB0.INFO
FT0.INFO	AU0.INFO	EB4.INFO
FT5.INFO	AW0.INFO	ED0.INFO
FT9.INFO	AX0.INFO	ED3.INFO
FU0.INFO	AX3.INFO	EF2.INFO
FU4.INFO	AY0.INFO	EH4.INFO
FU8.INFO	AZ5.INFO	EH7.INFO
FV4.INFO	AZ6.INFO	EI4.INFO
FV6.INFO	AZ7.INFO	EI5.INFO
FV7.INFO	AZ8.INFO	EI6.INFO
FV8.INFO	AZ9.INFO	EI8.INFO
FV9.INFO	BC0.INFO	EI9.INFO
FW0.INFO	BC6.INFO	EK0.INFO
FW5.INFO	BC8.INFO	EK2.INFO
FW6.INFO	BC9.INFO	EK4.INFO
FW8.INFO	BD3.INFO	EK5.INFO
FW9.INFO	BF0.INFO	EK7.INFO
FY0.INFO	BF4.INFO	EL0.INFO
FY2.INFO	BF6.INFO	EL6.INFO
FY5.INFO	BF8.INFO	EM5.INFO
FY6.INFO	BF9.INFO	EM8.INFO
FZ0.INFO	BG0.INFO	EM9.INFO
FZ3.INFO	BH0.INFO	EN8.INFO
FZ4.INFO	BH2.INFO	EO0.INFO
FZ5.INFO	BI6.INFO	EO3.INFO
FZ7.INFO	BI7.INFO	EO5.INFO
FZ8.INFO	BJ4.INFO	EO6.INFO
GB0.INFO	BK2.INFO	EO7.INFO
GC0.INFO	BL0.INFO	EO8.INFO
GC6.INFO	BL8.INFO	EO9.INFO
GC7.INFO	BL9.INFO	EP6.INFO
GC8.INFO	BM3.INFO	EP7.INFO
GC9.INFO	BM5.INFO	EP8.INFO
GD0.INFO	BM8.INFO	EQ4.INFO
GD4.INFO	BN0.INFO	EQ7.INFO
GD5.INFO	BN3.INFO	ER9.INFO
GD6.INFO	BN5.INFO	ES7.INFO
GD7.INFO	BN7.INFO	ES8.INFO
GD8.INFO	BN8.INFO	ES9.INFO
GF3.INFO	BP0.INFO	EU0.INFO
GH4.INFO	BP5.INFO	EV9.INFO
GH5.INFO	BP6.INFO	EW0.INFO
GH6.INFO	BP7.INFO	EW4.INFO
GH7.INFO	BP8.INFO	EY0.INFO
GI0.INFO	BQ0.INFO	EZ0.INFO
GI3.INFO	BQ2.INFO	EZ9.INFO
GI6.INFO	BQ3.INFO	FA0.INFO
GI8.INFO	BQ4.INFO	FC0.INFO
GJ0.INFO	BQ5.INFO	FC5.INFO
GJ7.INFO	BQ6.INFO	FC7.INFO
GJ8.INFO	BQ7.INFO	FC9.INFO
GJ9.INFO	BQ8.INFO	FD0.INFO
GK0.INFO	BQ9.INFO	FD5.INFO
GK3.INFO	BR5.INFO	FD8.INFO
GK5.INFO	BR6.INFO	FD9.INFO
GK6.INFO	BR7.INFO	FE0.INFO
GK8.INFO	BR9.INFO	FE4.INFO
GL3.INFO	BS3.INFO	FE7.INFO
GL4.INFO	BS5.INFO	FG0.INFO
GL9.INFO	BT0.INFO	FG3.INFO
GM8.INFO	BU0.INFO	FG5.INFO
GM9.INFO	BU9.INFO	FG8.INFO
GN0.INFO	BV0.INFO	FH0.INFO
GN5.INFO	BV2.INFO	FH4.INFO
GN6.INFO	BV5.INFO	FH5.INFO
GN7.INFO	BV7.INFO	FH6.INFO
GN9.INFO	BV8.INFO	FH7.INFO
GP8.INFO	BV9.INFO	FH8.INFO
BX2.INFO	WGREATDREAM.COM	FH9.INFO
BX7.INFO	GP0.INFO	FI4.INFO
BX9.INFO	GQ0.INFO	FJ0.INFO
BY5.INFO	GQ2.INFO	FJ2.INFO
BZ9.INFO	GQ3.INFO	FJ3.INFO
CB0.INFO	GQ4.INFO	FJ4.INFO
CB6.INFO	GQ5.INFO	FJ5.INFO
CE3.INFO	GQ9.INFO	FJ6.INFO
CE7.INFO	GR6.INFO	FJ7.INFO
CF0.INFO	GR9.INFO	FJ8.INFO
CF3.INFO	GS0.INFO	FJ9.INFO
CF4.INFO	GS3.INFO	FK2.INFO
CF5.INFO	GS6.INFO	JD0.INFO
CF6.INFO	GS9.INFO	JD6.INFO
CF7.INFO	GU0.INFO	JD7.INFO
CG3.INFO	GU4.INFO	JD9.INFO
CI0.INFO	GV0.INFO	JE2.INFO
CJ0.INFO	GV2.INFO	JE4.INFO
CJ3.INFO	GV3.INFO	JF0.INFO
CJ8.INFO	GV4.INFO	JF2.INFO
CL0.INFO	GV5.INFO	JF3.INFO
CL5.INFO	GV9.INFO	JG0.INFO
CL9.INFO	GW0.INFO	JG2.INFO
CM9.INFO	GX0.INFO	JG3.INFO
CO0.INFO	GX2.INFO	JG7.INFO
CP0.INFO	GX4.INFO	JG8.INFO
CP5.INFO	GX5.INFO	JG9.INFO
CP7.INFO	GX6.INFO	JH0.INFO
CQ0.INFO	GY0.INFO	JH4.INFO
CQ5.INFO	GY2.INFO	JH5.INFO
CQ7.INFO	GY4.INFO	JH7.INFO
CQ8.INFO	GY5.INFO	JI0.INFO
CQ9.INFO	GY6.INFO	JI1.INFO
CS0.INFO	GY7.INFO	JI2.INFO
CS7.INFO	GY9.INFO	JI7.INFO
CT0.INFO	HB7.INFO	JI9.INFO
CT6.INFO	HB8.INFO	JK7.INFO
CT8.INFO	HC0.INFO	JK8.INFO
CU3.INFO	HC4.INFO	JL2.INFO
CU4.INFO	HC8.INFO	JL3.INFO
CU5.INFO	HD0.INFO	JL4.INFO
CV0.INFO	HE4.INFO	JL5.INFO
CV8.INFO	HE5.INFO	JL7.INFO
CV9.INFO	HE7.INFO	JL9.INFO
CW0.INFO	HF0.INFO	JM0.INFO
CW4.INFO	HF6.INFO	JM3.INFO
CW5.INFO	HF7.INFO	JM6.INFO
CW8.INFO	HF8.INFO	JM7.INFO
CW9.INFO	HF9.INFO	JN2.INFO
CX0.INFO	HG3.INFO	JN7.INFO
CX5.INFO	HG4.INFO	JN8.INFO
CX6.INFO	HG5.INFO	JN9.INFO
CY2.INFO	HG6.INFO	JO0.INFO
CY3.INFO	HG8.INFO	JQ1.INFO
CY6.INFO	HG9.INFO	JQ2.INFO
CY7.INFO	HJ2.INFO	JQ3.INFO
CZ0.INFO	HJ3.INFO	JQ4.INFO
CZ7.INFO	HJ5.INFO	JQ5.INFO
CZ9.INFO	HJ6.INFO	JQ6.INFO
DA3.INFO	HJ7.INFO	JQ7.INFO
DA6.INFO	HJ8.INFO	JQ8.INFO
DA7.INFO	HJ9.INFO	JR0.INFO
DB5.INFO	HK0.INFO	JS3.INFO
DB6.INFO	HK3.INFO	JS4.INFO
DE4.INFO	HK4.INFO	JS5.INFO
DE5.INFO	HL0.INFO	JS8.INFO
DE6.INFO	HL6.INFO	JS9.INFO
DE8.INFO	HL9.INFO	JT0.INFO
DF5.INFO	HM4.INFO	JT3.INFO
DF6.INFO	HN0.INFO	JT4.INFO
DG0.INFO	HN3.INFO	JT5.INFO
DH3.INFO	HN4.INFO	JT9.INFO
DH9.INFO	HN5.INFO	JU0.INFO
DI0.INFO	HN6.INFO	JU2.INFO
DI3.INFO	HN9.INFO	JV0.INFO
DI4.INFO	HO0.INFO	JV3.INFO
DI8.INFO	HP0.INFO	JV4.INFO
DJ3.INFO	HR6.INFO	JV5.INFO
DJ7.INFO	HS0.INFO	JV6.INFO
DK0.INFO	HS7.INFO	JV8.INFO
DK5.INFO	HS8.INFO	JW4.INFO
DK7.INFO	HS9.INFO	JW7.INFO
DK8.INFO	HT6.INFO	JW8.INFO
DL0.INFO	HU0.INFO	JW9.INFO
DM0.INFO	HU3.INFO	JX1.INFO
DM4.INFO	HU4.INFO	JX2.INFO
DP0.INFO	HU6.INFO	JX3.INFO
DP3.INFO	HU7.INFO	JX5.INFO
DP6.INFO	HV0.INFO	JX8.INFO
DP7.INFO	HW4.INFO	JY0.INFO
DQ0.INFO	HW6.INFO	JY2.INFO
DQ2.INFO	HW7.INFO	JY4.INFO
DR0.INFO	HW8.INFO	JY5.INFO
DS7.INFO	HX3.INFO	JY6.INFO
DT3.INFO	HX5.INFO	JY7.INFO
DT5.INFO	HX6.INFO	JY9.INFO
DT6.INFO	HX7.INFO	JZ2.INFO
DT7.INFO	HX9.INFO	JZ3.INFO
DT8.INFO	KD0.INFO	JZ4.INFO
DT9.INFO

Introducing MalFI – Another Report From HostExploit

I’m a few days late for posting this but the HostExploit team has produced another report, this time on an attack dubbed “MalFI” for malicious file inclusion. This encompasses remote file inclusion (RFI), local file inclusion (LFI) and Cross Server Attack (XSA). The report had been in the works for quite some time and while I was not a main author this time, Jart Armin and Scott Logan worked with me to interpret and use my honeypot data that I’ve been collecting over the last several months.

Rather than rehash the purpose for the report, here’s an excerpt from the abstract:

MALfi “A Silent Threat”

What is it all about, MALfi? A blended threat currently detected on around 350,000 websites &
Internet servers. One major purpose is to establish, “use once and throw away” disposable
botnets for spam, phishing, DDoS and exploits.
Full Report (public version) download PDF – hostexploit Download page = http://bit.ly/eoO4C

Abstract / Press Release

MALfi is a holistic and descriptive term applied to adequately describe the recent blended attack
utilized by hackers and cyber criminals to compromise websites and servers. This is
combination of RFI (remote file inclusion), LFI (local file inclusion), XSA (cross server attack),
and RCE (remote code execution).

Conservative estimates over recent months indicate around 350,000 affected websites and
servers worldwide. hostexploit and associated researchers have tracked 103,351 attacks,
involving 2,743 unique IP addresses, with 85 countries involved in RFI scanning and 911 ASNs
involved.

Check out the report for our research and findings. A more detailed version will also be made available to key members of the security and law enforcement communities.

Recruiting Chinese Attackers

With all the talk about Chinese malware authors and groups of attackers supposedly sponsored by governments out there, I thought I would publish a find of mine from back in 2007. Excellent research has been done on this topic with one of the most interesting events being the discovery of GhostNet.

The following message was discovered in a HTML comment section inside a hostile script. I found the page hosting the script by searching for a string inside an ANI exploit on Google in May 2007.

天高云淡，正宜一马奔腾，青春年少，我自纵横驰骋，这是一个只承认强者的时代，然而学习正是赋予了我们作强者的资本，物竟天择，适者生存，只有不断的学习我们才不会被社所会淘汰，我们才会逐渐变强，珍惜你生命中的每一分钟无学习，你会发现平凡的你一样很优秀，当你在风烛残年的那一刻时，面对你的朋友，爱人，儿子，不会因碌碌无为而羞耻，不会因年华虚度而悔恨，你会发现当你,把你的你的青春变的更加劲直和充满活力的时候，曾经无奈与迷茫的你，现在是那样的精彩与辉煌黑域战盟一个，和平，博爱，互助，不会有任何的技术歧视的技术团体，诚心邀请您的加盟楚蓝枫QQ4998XXXXX

This translates to:

It is a clear day, suitable for horse gallops. The youth is young; he can advance freely and quickly.

This is the era which appreciates only the strong, the survival of the fittest; yet study is the capital which empowers us to become strong. Only through continuous learning we will not be eliminated, we will become stronger and stronger. Cherish every minute of life with learning, you will find yourself as extraordinary as others. When you become old, in the face of your friends, wife, son, you will not feel shame and regret because you did not waste time when you were young; you will find yourself so wonderful when you contributed your vibrant youth into something meaningful, and changed yourself from once a helpless and confused you to someone brilliant.QQ4998XXXXX

Interesting message they were trying to get across isn’t it?

SPAM Briefly Drops 38% Due To Real Host Shutdown

MessageLabs wrote a nice report summarizing key events from August and it turns out our work was more widely felt than believed. Apparently part of Cutwail’s C&C infrastructure resided inside Real Host’s network. When they got cut off, SPAM levels dropped but only briefly since there were more C&Cs elsewhere to pick up the slack.

Here’s an excerpt from the report, to bad they didn’t credit our work

“Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt, as can be seen in Figure 1, where spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period.

Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.”