Chapter 12
Every bulletproof network begins with ICANN's inherent weakness in enforcing accurate WHOIS information.
ICANN.
ICANN is a nonprofit organization with headquarters in Marina del Rey, CA. The organization took over registration and accreditation responsibilities from the US government in 1998.
When you register a domain name with an accredited registrar, ICANN issues a corresponding IP address. The registration process requires that the customer provide accurate WHOIS information. Unfortunately, ICANN hasn't been effective in enforcing its own rules.
A GAO audit in 2005 looked into this problem and found that an estimated "2.31 million domain names (5.14 percent) have been registered with patently false data - data that appeared obviously and intentionally false without verification against any reference data - in one or more of the required contact information fields" (from the GAO report "Internet Management: Prevalence of False Contact Information for Registered Domain Names," published in November 2005; see Figure 7-2).

Figure 7-2. GAO analysis of domain contact information

ICANN relies on registrars to enforce the collection of accurate registration information, which is level two of the bulletproof network: an ICANN-accredited registrar.
The Accredited Registrar.
A person who wants to create an Internet presence for nefarious purposes needs to find an accredited registrar that won't seek to verify false registration information. This will allow her to enter a pseudonym instead of her real name, as well as false contact information (email and telephone). In the case of StopGeorgia.ru, that registrar was Naunet, a Russian Internet services company that offers domain registration and hosting services.
The Hosting Company.
In the case of StopGeorgia.ru, the registrant acquired hosting services through a small Russian company, SteadyHost.ru, which in turn was a reseller for a London company, Innovation IT Solutions Corp, which contracted with a very large data center and hosting company, SoftLayer Technologies.
SoftLayer Technologies and The Planet, both based in Texas, have proven to be attractive options for spam and phishing websites, as had Atrivo/Intercage, based in Northern California. Atrivo was finally shut down in October 2008, resulting in a temporary world-wide plunge in spam levels, according to the Washington Post's Security Fix column of October 9, 2008.
The Bulletproof Network of StopGeorgia.ru.
Figure 7-3 shows linkages between companies that support the StopGeorgia.ru forum.
StopGeorgia.ru.
As we discussed in Chapter 2, StopGeorgia.ru was a password-protected forum built with a bulletin board software application (phpBB) and launched within 24 hours after the commencement of Russia's ground, sea, and air assault on the nation of Georgia on August 8, 2008.
Cyber attacks against Georgian government websites occurred as early as July 21, 2008, but this particular forum was not active until the day after the invasion. It provided hackers of all levels with vetted target lists, links to malware to be used to attack Georgian government websites, and expert advice for novice hackers (of which there were many).
A WHOIS search on the StopGeorgia.ru domain revealed the following information:

Domain      StopGeorgia.ru
Type        CORPORATE
Nserver     ns1.gost.in
Nserver     ns2.gost.in
State       Registered, Delegated
Person      Private Person
Phone       7 908 3400066
E-mail      [email protected]
Registrar   NAUNET-REG-RIPN
Figure 7-3. The StopGeorgia.ru network.
NAUNET.RU.
NAUNET is a Russian registrar that is blacklisted by the Spamhaus Project for providing cyber crime/spam/phish domains (Spamhaus SBL advisory #SBL67369 01 Dec 2008).
The domain name StopGeorgia.ru was acquired at Naunet.ru. Part of the complaint against Naunet on file at Spamhaus is that it has knowingly accepted false information (specifically related to invalid IP DNS addresses in the WHOIS info), which is in violation of Russian Institute for Public Networks (RIPN) rules.
In the WHOIS info for StopGeorgia.ru, the phone number 7 908 3400066 and email address [email protected] are both listed in the registrar information for a variety of websites selling things such as fake passports, adult porn, and ATM skimmers.
Although the domain information for StopGeorgia.ru doesn't list a person's name, opting instead for the ubiquitous "private person," other domains with the same telephone number and email address have been registered under the name Andrej V Uglovatyj.
Andrej V Uglovatyj, however, is most likely a fictitious person. A search on Yandex.com returns only two unique hits for the name. Considering the amount of data being collected online about individuals today, as well as the fact that Andrej V Uglovatyj is purportedly conducting a number of businesses online, the only plausible explanation for so few hits is that the name is a pseudonym used in

Figure 7-4. One of Andrej V Uglovatyj's shady domains selling forged documents

The tagline under Dokim.ru reads "Creation of passports and driver licenses for Russia and EU countries."
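The pivot described above, matching a registration's phone number and e-mail address against other registrations, is mechanical enough to script. The following Python is an added example written for this text, not the author's code and not anything the companies named here published: it parses flat RIPN-style WHOIS output into records, normalizes phone and e-mail fields so that differently punctuated values compare equal, and reports which domains share a contact value with a seed domain. The four records are constructed samples; only StopGeorgia.ru's fields come from the chapter (its e-mail address is redacted there, so a placeholder is used), and the other domains, names, phone numbers and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS text in the flat "key: value" layout of the
# RIPN (.ru registry) WHOIS service. Only the StopGeorgia.ru fields are
# taken from the chapter; its e-mail is redacted there, so a placeholder
# is used. The .example domains, phone numbers and addresses are invented.
SAMPLE_WHOIS = [
    """domain:    STOPGEORGIA.RU
type:      CORPORATE
nserver:   ns1.gost.in.
nserver:   ns2.gost.in.
state:     REGISTERED, DELEGATED
person:    Private Person
phone:     +7 908 3400066
e-mail:    registrant@example.invalid
registrar: NAUNET-REG-RIPN
""",
    """domain:    SHOP.EXAMPLE
person:    Andrej V Uglovatyj
phone:     7-908-340-00-66
e-mail:    Registrant@EXAMPLE.invalid
registrar: NAUNET-REG-RIPN
""",
    """domain:    DOCS.EXAMPLE
person:    Andrej V Uglovatyj
phone:     +7 495 000 00 00
e-mail:    registrant@example.invalid
registrar: NAUNET-REG-RIPN
""",
    """domain:    UNRELATED.EXAMPLE
person:    Private Person
phone:     +7 812 000 00 01
e-mail:    admin@unrelated.example
registrar: RUCENTER-REG-RIPN
""",
]

# One "key: value" pair per line; keys may contain a hyphen (e-mail, paid-till).
LINE_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$")


def parse_ripn(text):
    """Parse flat WHOIS text into a dict of lists.

    Repeated keys such as nserver accumulate instead of overwriting."""
    record = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            record[m.group(1).lower()].append(m.group(2))
    return dict(record)


def normalize_phone(raw):
    """Keep digits only, so '+7 908 3400066' and '7-908-340-00-66' match."""
    return re.sub(r"\D", "", raw)


def normalize_email(raw):
    return raw.strip().lower()


def contact_keys(record):
    """Normalized (field, value) pairs worth pivoting on.

    The person field is deliberately left out: registry placeholders such as
    'Private Person' would link every privacy-protected domain together."""
    keys = set()
    for p in record.get("phone", []):
        keys.add(("phone", normalize_phone(p)))
    for e in record.get("e-mail", []):
        keys.add(("e-mail", normalize_email(e)))
    return keys


def build_index(records):
    """Map each normalized contact value to the set of domains using it."""
    index = defaultdict(set)
    for rec in records:
        domain = rec["domain"][0].lower()
        for key in contact_keys(rec):
            index[key].add(domain)
    return index


def linked_domains(records, seed):
    """Domains that share at least one phone number or e-mail with `seed`."""
    seed = seed.lower()
    linked = set()
    for domains in build_index(records).values():
        if seed in domains:
            linked |= domains
    linked.discard(seed)
    return linked


def shared_fields(records, a, b):
    """The (field, value) pairs that domains `a` and `b` have in common."""
    pair = {a.lower(), b.lower()}
    return {k for k, doms in build_index(records).items() if pair <= doms}


if __name__ == "__main__":
    recs = [parse_ripn(t) for t in SAMPLE_WHOIS]
    for d in sorted(linked_domains(recs, "stopgeorgia.ru")):
        print(d, sorted(shared_fields(recs, "stopgeorgia.ru", d)))
```

Run against the samples, the seed links to shop.example (same phone and e-mail) and docs.example (same e-mail only), while unrelated.example stays out. Digit-only phone matching is a loose comparison: it treats a number with and without a country code as different values, and it will collide on registrar-supplied dummy numbers, so a hit is a lead to check by hand, not a conclusion.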
SteadyHost.ru.
Performing a WHOIS on the IP address is an important step in the money trail process. Someone needed to purchase time on a server to host the PHP forum, which, ironically, used the Army-themed forum template (the ever-stylish camouflage look). The StopGeorgia.ru IP address is 75.126.142.110, which resolves to a small Russian company called SteadyHost (http://www.Steadyhost.ru).
The domain registration for Steadyhost.ru provides the following information:

Domain      Steadyhost.ru
Type        CORPORATE
Nserver     ns1.steadyhoster.com
Nserver     ns2.steadyhoster.com
State       Registered, delegated
Person      Sergey A Deduhin
Phone       7 905 4754005
Email       [email protected]
Registrar   RUCENTER-REG-RIPN
Created     09/30/06
Paid till   09/30/09
Source      TC-RIPN
Sergey A. Deduhin, the person who registered the domain name Steadyhost.ru, doesn't seem to have any more of an Internet footprint than StopGeorgia.ru's Andrej V Uglovatyj.
According to contact information at SteadyHost's website, it has its office in an apartment building at 88 Khoroshevskoe Shosse, Moskva (Moscow).
SteadyHost's neighbor, in the adjacent building, is the Ministry of Defense Research Institute called the Center for Research of Military Strength of Foreign Countries. And just down the block, at 76 Khoroshevskoe Shosse, is GRU headquarters, also known as the Aquarium (see Figure 7-5).

Figure 7-5. Google Earth view of GRU headquarters

The GRU is the Main Intelligence Directorate of the Russian Armed Forces. Its primary business is deploying several thousand spies in foreign countries for political and military information gathering.
According to the Federation of American Scientists (FAS) website, the GRU may be thought of as the Russian equivalent of the US Defense Intelligence Agency (DIA). It is involved in the collection of human intelligence (HUMINT) via foreign agents, signals intelligence (SIGINT) via various electronic mediums, and image intelligence (IMINT) via satellite imagery.
In a 1996 interview with Pravda, General Fedor Ladygin, the leader of the GRU at that time, included technical espionage among the missions of his organization (Komsomolskaya Pravda, 05 November 1996). This included hacking computer networks to gain access to sensitive data.
The current leader, General Valentin Korabelnikov, added open source intelligence (OSINT) to the GRU's mission, according to an interview with CDI Russia Weekly on July 17, 2003. The physical location of Steadyhost.ru's "office" near GRU headquarters is circumstantial and is not offered as proof of GRU involvement; it is simply one element among many to be considered when weighing possible state connections to the attackers.
Innovation IT Solutions Corp.
Most legitimate registrars will confirm at least some of the registration information provided by a customer as part of the process of registering a domain name. Those that don't have become favorites of spammers and cyber criminals.
If you look closer at the information provided on the StopGeorgia.ru IP address, you'll see that it is part of an IP block subdelegation leased to Innovation IT Solutions Corp in England by SoftLayer Technologies in Dallas.
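The chain this paragraph describes, an address that sits inside a block the data center reassigned to a middleman, who in turn passed a piece of it to a reseller, can be reconstructed by longest-prefix matching the address against the delegation records. The Python below is an added example, not code from the book or from any of the companies named: the CIDR blocks and the role labels are hypothetical, and only the address 75.126.142.110 and the organization names come from the chapter. It returns the enclosing blocks from most specific to least specific, which is also the order in which an abuse report would be escalated, and flags any reassignment that is not nested inside a larger allocation, a sign the records are inconsistent.

```python
import ipaddress

# Constructed delegation records modelled on the chain the chapter
# describes. The CIDR blocks are hypothetical; only 75.126.142.110 and
# the organization names are taken from the text.
ALLOCATIONS = [
    {"cidr": "75.126.0.0/16", "org": "SoftLayer Technologies", "role": "allocation"},
    {"cidr": "75.126.142.64/26", "org": "Innovation IT Solutions Corp", "role": "reassignment"},
    {"cidr": "75.126.142.96/28", "org": "SteadyHost", "role": "reassignment"},
    {"cidr": "203.0.113.0/24", "org": "Unrelated Example Net", "role": "allocation"},
]


def _parsed(allocations):
    """Pair each record with its parsed network; strict=True rejects
    a CIDR whose host bits are set (a typo in a delegation record)."""
    return [(ipaddress.ip_network(a["cidr"], strict=True), a) for a in allocations]


def delegation_chain(ip, allocations=ALLOCATIONS):
    """All blocks containing `ip`, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, a) for net, a in _parsed(allocations)
            if net.version == addr.version and addr in net]
    hits.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return [a for _, a in hits]


def operator_of(ip, allocations=ALLOCATIONS):
    """The organization holding the most specific block, or None."""
    chain = delegation_chain(ip, allocations)
    return chain[0]["org"] if chain else None


def escalation_path(ip, allocations=ALLOCATIONS):
    """Organizations from the immediate host up to the original allocator."""
    return [a["org"] for a in delegation_chain(ip, allocations)]


def orphan_subdelegations(allocations=ALLOCATIONS):
    """Reassignments that sit inside no larger block in the record set.

    A reassignment must come out of someone's allocation; one that does not
    nest anywhere indicates a missing or mistyped parent record."""
    parsed = _parsed(allocations)
    orphans = []
    for net, a in parsed:
        if a["role"] != "reassignment":
            continue
        nested = any(net != other and net.subnet_of(other) for other, _ in parsed)
        if not nested:
            orphans.append(a["cidr"])
    return orphans


if __name__ == "__main__":
    print(" -> ".join(escalation_path("75.126.142.110")))
    print("orphans:", orphan_subdelegations())
```

For 75.126.142.110 the path reads SteadyHost, then Innovation IT Solutions Corp, then SoftLayer Technologies; an address elsewhere in the /16 resolves only to the data center. Real registry data adds a complication the sample does not show: reassignment records carry their own contact details, and those can be as unverified as the domain WHOIS discussed earlier, so the most specific holder is a starting point for the money trail rather than the end of it.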
Innovation IT Solutions Corp had a website URL, http://init-sol.com, but no website. Instead visitors see a placeholder page providing basic contact information (Figure 7-6).
Figure 7-6. Innovation IT Solutions Corp web page

According to WHOIS data, the Init-sol.com domain name was registered by an employee of Innovation IT Solutions Corp named Andrey Nesterenko. Mr. Nesterenko purchased the domain name through another company, MIRhosting.com.
If you examine the WHOIS records in the following table, you'll see that Mr. Nesterenko is apparently employed by both companies, and both companies have the same business address: 95 Wilton Road, Suite 3, London. A Google search for that address brings up a variety of businesses, including a porn site (Cheeky-Touch), a teen site, Goldstein Equitas, Inc., and Global Securities Consulting; in other words, 95 Wilton Road, Suite 3, London, is a mail drop.

Domain name              Init-sol.com
Registrant               Innovation IT Solutions Corp
                         Andrey Nesterenko
                         95 Wilton Road, Suite 3
                         London, London, SW1V 1BZ, GB
                         Tel. +44.8458692184
                         Fax. +44.8450205104
Creation date            10/10/04
Expiration date          10/10/09
Domain servers           ns5.dnska.com
                         ns6.dnska.com
Administrative contact   Innovation IT Solutions Corp
Status                   Active

Innovation IT Solutions Corp is not a registered business in the UK or anywhere else, and it doesn't seem to exist outside of its London mail drop address.
Mirhosting.com.
Mirhosting.com provides some substantive information on its website regarding its services, albeit in the Russian language. According to Dun and Bradstreet, its principal and sole stockholder, Andrey Nesterenko, is a Russian national living in the Netherlands, yet his business address is a mail drop in London, the same one used by Innovation IT Solutions Corp (see the following WHOIS data):

Domain name              Init-sol.com
Registrant               Innovation IT Solutions Corp
                         Andrey Nesterenko
                         95 Wilton Road, Suite 3
                         London, London, SW1V 1BZ, GB
                         Tel. +44.8458692184
                         Fax. +44.8450205104
Creation date            10/10/04
Expiration date          10/10/09
Domain servers           ns2.dnska.com
                         ns1.dnska.com
Administrative contact   Innovation IT Solutions Corp
Status                   Active
SoftLayer Technologies.
The IP address for the StopGeorgia.ru forum (75.126.142.110) can be traced backward from SteadyHost to Innovation IT Solutions Corp to SoftLayer Technologies, a US company based in Dallas, TX, with server locations in Seattle, WA, and Washington, DC. See Figure 7-7.

Figure 7-7. WHOIS data for 75.126.142.110

SoftLayer Technologies and The Planet (also in Dallas, TX) share the distinction of being on StopBadware.org's top 10 worst badware network blocks (Figure 7-8). To add some perspective to this, StopBadware.org's May 2008 report reveals China to be the world leader, hosting 52% of all badware sites, whereas the United States hosts 21%. None of the other countries involved, including Russia, individually hosts more than 4%.

When StopBadware.org released its report, it attempted to contact the companies that it named to give them an opportunity to respond. SoftLayer Technologies issued the following statement, published on the StopBadware.org blog on June 24, 2008:

SoftLayer Technologies is a provider of data center services centered around the delivery of on-demand server infrastructure. We do not manage the content or applications hosted from our infrastructure as this is the direct responsibility of our customers, many of which are in fact hosting resellers. Having said that, we also have a very strict acceptable use policy which you can find here: http://www.softlayer.com/legal.html.
We try to be as proactive as possible in eliminating any and all content from our network that breaches the terms of this policy. But, as I am sure you are aware, this is not always an easy task.
I have forwarded your email to our abuse department so that they can start investigating the findings you have suggested below. We will take all necessary actions to remove any malicious material from our network so that we can better serve our customers and the entire Internet community.
Figure 7-8. Top 10 network blocks hosting badware sites

About 45 days later, the StopGeorgia.ru forum, hosted on a SoftLayer server, became a focal point for a nationalistic Russian hacker attack against Georgian government websites. At no time did SoftLayer Technologies take a proactive role and cancel StopGeorgia.ru's access to its servers for a Terms of Service violation.
SORM-2.