Real Host, Latvia – RBN Resurgence or Clone
A couple of days ago I was investigating an attack that a reader submitted to me that was related to the recent nine ball attacks as reported by WebSense. (Part 1 | Part 2)
The attackers use the same techniques to exploit victims but this time have moved to new domains and updated their payloads. There are 2 payloads dropped on compromised hosts at the end of the attacks that steal banking credentials and send SPAM. These payloads are delivered by multiple exploits including an unpatched 0day vulnerability and a previously unpatched one.
Directshow – MS09-028 (previously a 0day, patched recently)
function directshow()
{
var shellcode=unescape(“%uC033….
obj.data=’./directshow.php’;
obj.classid=’clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF’;
Microsoft Office Web Components (unpatched 0day)
function spreadsheet()
{
try
{
var objspread=new ActiveXObject(‘OWC10.Spreadsheet’);
}
After conducting further research on 71speed.info and finding it hosted by Real Host Ltd of Latvia it quickly became apparent how bad this host is. A quick search leads to a blog written by Dynamoo where the activities of this host are first uncovered. Delving deeper into this provider it is apparent that they are a major hub of cybercrime activity which we will discuss further. This post has been prepared in conjunction with Jart Armin from HostExploit.com. Jart will present a higher level view of Real Host’s activities in relation to other entities and most interestingly how they related to the former Russian Business Network (RBN).
It should be noted that many of these sites are no longer reachable due to swift efforts by registrar Directi.
Observed Hostile Activity:
- Exploits including unpatched (or soon to be patched) 0days
- Payloads to drop on victim PCs including: fake codecs, banking trojans, spambots, fake anti virus, downloaders and even a Mac trojan
- Phishing sites
- Moneymule recruitment sites
- Botnet Command and Control servers
- Hosting of cybercrime websites – Iframe programs
- Distributing licensed software (Warez)
Real Host has 3 /28 IP blocks (48 IPs) that they get from Junik (AS8206), these are:
inetnum: 213.182.197.0 – 213.182.197.15
netname: Real_Host_NET3
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com
inetnum: 213.182.197.224 – 213.182.197.239
netname: Real_Host_NET1
descr: Real Host
country: LV
abuse-mailbox: abuseemaildhcp@gmail.com
inetnum: 213.182.197.240 – 213.182.197.255
netname: Real_Host_NET2
descr: Real Host
country: LV
abuse-mailbox: abusemailhost@gmail.com
The first indication of suspicious activity is the use of gmail addresses as abuse contacts.
Next, here is data from my security tools showing attacks and the dates associated with them:
| Date | IP | Domain | URL | Purpose |
| 5/6/2009 | 213.182.197.230 | update.dom11z.cn | / | Multiple Exploits |
| 6/2/2009 | 213.182.197.227 | test.corbsc.com | /splt/getpdf.php | Multiple Exploits |
| 6/4/2009 | 213.182.197.229 | 2k90.cn | /2/include/spl.php | Multiple Exploits |
| 6/5/2009 | 213.182.197.229 | 2k90.cn | /2/include/spl.php | Multiple Exploits |
| 6/10/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/include/spl.php | Multiple Exploits |
| 6/15/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/include/spl.php | Multiple Exploits |
| 7/10/2009 | 213.182.197.237 | noplit.ws | /exempl/include/spl.php | Multiple Exploits |
| 7/10/2009 | 213.182.197.229 | businessconsulting312.com | /bus_trf/1/pdf.php | Multiple Exploits |
| 7/10/2009 | 213.182.197.229 | businessconsulting312.com | /bus_trf/1/pdf.php | Multiple Exploits |
| 5/6/2009 | 213.182.197.23 | lieliteautobody.cn | /load.php | Payloads |
| 5/6/2009 | 213.182.197.23 | lieliteautobody.cn | /load.php | Payloads |
| 6/2/2009 | 213.182.197.227 | test.corbsc.com | /splt/getexe.php | Payloads |
| 6/6/2009 | 213.182.197.5 | virus-detect-soft.com | /antivirus.exe | Payloads |
| 6/6/2009 | 213.182.197.5 | virus-detect-soft.com | /antivirus.exe | Payloads |
| 6/10/2009 | 213.182.197.237 | downloadoemsoftware.com | /exempl/load.php | Payloads |
| 7/18/2009 | 213.182.197.237 | 5fgh.ws | /expli/update.php | Payloads |
A little manual investigation led me to the following:
| IP | Domain | Purpose | More Information |
| 213.182.197.229 | yourgoogleanalytics.us | Money Mule Recruiting | Link |
| 213.182.197.229 | barwellsgroup.cn | Money Mule Recruiting | Related to above |
| 213.182.197.249 | Vikd3jj-3.com | Malware | |
| 213.182.197.251 | 2k90.cn | malware | |
| 213.182.197.13 | Mac-videos.com | Mac Trojan | Link |
| 213.182.197.236 | 71speed.info | Leads to Banking Trojan – Silent Banker & Spambot | |
| 213.182.197.8 | bestxvids.info | zlob | Link |
| 213.182.197.249 | traffic-searches.cn | botnet C&C | Link |
| 213.182.197.237 | 1gigabayt.com | Zeus C&C | Link |
| 213.182.197.14 | iframepartners.com | iframe sellers | |
| 213.182.197.228 | Chlenopopik.com | Zeus C&C | Link |
| 213.182.197.14 | Megavipsite.cn | malware | Link |
| 213.182.197.20 | Traffcount.cn | malware | Link |
| 213.182.197.229 | Newskyag.com | Money Mule Recruiting | Link |
| Zeus C&C | Link | ||
| 213.182.197.235 | Traffic-exchange.ru | Part of iframe redirection service | Link |
| 213.182.197.10 | vlkontacte.ru | Russian Social Network Phish | |
| 213.182.197.251 | Botnet.su | Zeus C&C | Link |
The domain I found most amusing was botnet.su, the attackers clearly aren’t trying to hide their motives on this one! This domain was previously used by the RBN along with NewskyAG and others. More on this link can be found at hostexploit.com.
Zeus seems to be one of the most common threats being hosted from Real Host’s network. According to recent information released by Damballa, Zeus is the #1 botnet in the US with an estimated 3.6 million PCs compromised.
To begin, let’s look at the money mule sites the Barwells Group and NewskyAG, here is an excerpt from the link included above:
BarwellsGroup
“During the trial period (1 month), you will be paid 2000 USD per month
while working on average 3 hours per day, Monday-Friday, plus 5
commission from every transactions or task received and processed. The
salary will be sent in the form of wire transfer directly to your
account. After the trial period your base pay salary will go up to
3,500USD per month, plus 5 commission.”
Clearly this is a money mule recruitment program. Sounds pretty good for 3 hours work per day, maybe I should quit my day job!
NewskyAG
Not only does this domain operate a money mule scam, it also ran a Zeus C&C server. What is scary is that people actually fall prey to this scheme as shown by this quote from yahoo answers:
Q: “Anyone ever heard of a company called NewSky Ag?”
A: “Yes I work for them from home and so far everything is ok but I’ve only been doing it about 2 months so if you have any more ? please let me know”
Next we have a phish for a Russian social networking site
Lastly lets look at iframepartners.com, the site is currently down however information is still available. The site pays malicious web admins to put iframes on their compromised websites. A colleague of mine was kind enough to translate the text from Russian (thanks Alex!). It reads:
1. A partner pays for iframe traffic, we accept only us, gb, it, au, and it will be in average from $1 to $20 for 1K depending on traffic quality
2. We accept only ads that generate more that 50K USA traffic
3. You are prohibited to install anything else with our iframe
4. Adult traffic is not welcomed
5. An account will be deleted without payout in case of detection of spam or worm traffic
6. We have been deleting accounts that are not active for few days
7. Cheaters and hit-boters, please don’t waste our time, look for other places
8. Payout twice a month, in the beginning and in the middle of month
Use XXX XXXXXX to contact us
Notice how adult sites, worms and spam traffic is not allowed? This is probably due to the fact that they are very noisy and easily spotted by security professionals.
This leads to another site called installing.cc. This site pays for installing malware onto compromised PCs.
Another interesting hit comes up from a design company called web-alfa.com. They designed an eye catching flash banner advertisement for the attackers.
The slides in the flash movie say:
Long-live substitution,
And software sale,
Referral system,
And other life enjoyments
For invitation and detailed information contact us via XXX XXXXXX
Clearly Real Host Ltd is hosting major cybercrime activity as a vast number of IPs in their space host malicious content. Several of the domains hosted with them were used by the former RBN. Real Host represents a major threat to individuals, business and the safety of the Internet ecosystem.
