The Spamhaus Project

Russian registrar NAUNET knowingly harbours Cybercriminals

by The Spamhaus Team, March 22, 2012

In November 2011, new terms and conditions (T&Cs) for registering .ru domains were published by the Coordination Center for the Top Level Domain RU (cctld.ru). The following paragraphs of the new T&Cs are important to Spamhaus' mission to fight spam and cybercrime:

5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain’s information addressing system being used for:

1. receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
2. unauthorized access to third parties’ (users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);
[...]

Reference: The Terms and Conditions of Domain Names Registration in domains .RU

It isn't a secret that dealing with some of the Russia-based domain name registrars is problematic. However, we at Spamhaus hoped that the new conditions for the .ru TLD would raise the security awareness of registrars who provide domain names within .ru.

During the past few months Spamhaus has tried to shut down several hundred .ru domains. Most of these domain names were registered through NAUNET and were associated with professional spammers or with cybercrime, such as botnet operators.

While NAUNET had suspended several token malicious domain names that we reported to them in November 2011, in early 2012 NAUNET started to demand more "evidence". It appears as if NAUNET has changed their mind about their takedown procedure and started to accuse Spamhaus of incompetence when submitting evidence regarding fraudulent domain names.

A good example of NAUNET's behaviour is a set of malicious botnet domains, registered by cybercriminals and used to control computers infected with Feodo. Feodo is a banking Trojan used to steal money from online banking accounts (currently targeting many banks including Bank of America, UBS and HSBC). The malware family is quite sophisticated: it uses a domain generation algorithm (DGA) to calculate the current botnet domain which the Trojan will use to drop the stolen credentials and receive commands from the botnet herder.

Sample Feodo botnet traffic:


================================
POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: nolwzyzsqkhjkqhomc.ru:8080
Content-Length: 101
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 21 Mar 2012 XX:XX:XX GMT
Content-Type: text/html; charset=CP-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17-1.1
Vary: Accept-Encoding
================================

The cybercriminals are using a FastFlux botnet consisting of hijacked servers:

DNS A records for nolwzyzsqkhjkqhomc.ru:

IP address        SBL record   Hostname
112.78.124.115    SBL131211
94.20.30.91       SBL130512
188.40.66.199     SBL133730    static.199.66.40.188.clients.your-server.de.
91.121.91.111     SBL132796    ns28121.ovh.net
178.162.154.214   SBL133731    hosted-by.leaseweb.com
85.214.204.32     SBL131212    h1886128.stratoserver.net
91.121.7.5        SBL132800    cirrus.neusta.fr
83.170.91.152     SBL129399    freesweetsite.com.au
79.101.30.15
124.124.212.172   SBL130513

$ dig +short nolwzyzsqkhjkqhomc.ru NS
ns2.nolwzyzsqkhjkqhomc.ru.
ns1.nolwzyzsqkhjkqhomc.ru.
ns6.nolwzyzsqkhjkqhomc.ru.
ns17.nolwzyzsqkhjkqhomc.ru.
ns13.nolwzyzsqkhjkqhomc.ru.
ns7.nolwzyzsqkhjkqhomc.ru.
ns8.nolwzyzsqkhjkqhomc.ru.
ns10.nolwzyzsqkhjkqhomc.ru.
ns16.nolwzyzsqkhjkqhomc.ru.
ns11.nolwzyzsqkhjkqhomc.ru.
ns3.nolwzyzsqkhjkqhomc.ru.
ns4.nolwzyzsqkhjkqhomc.ru.
ns9.nolwzyzsqkhjkqhomc.ru.
ns14.nolwzyzsqkhjkqhomc.ru.
ns12.nolwzyzsqkhjkqhomc.ru.
ns5.nolwzyzsqkhjkqhomc.ru.
ns15.nolwzyzsqkhjkqhomc.ru.
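The beacon and the fast-flux A records above are the kind of thing a defender can match in proxy logs and DNS telemetry. The following is an added example, not Spamhaus code: it parses the article's sample request, flags the Feodo-like features (POST to a path ending in /in/, port 8080, a long low-vowel .ru label), and scores the listed A records for fast-flux spread. The thresholds are assumptions chosen for illustration.

```python
# Added example (not Spamhaus code): detection heuristics for the Feodo traffic
# pattern shown above. Thresholds (label length, vowel ratio, IP counts) are assumptions.
from ipaddress import ip_address
# Constructed sample: the request head from the article, shortened.
SAMPLE_REQUEST = (
    "POST /rwx/B1_3n9/in/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n"
    "Host: nolwzyzsqkhjkqhomc.ru:8080\r\n"
    "Content-Length: 101\r\n\r\n"
)
# A records listed in the article for that host.
SAMPLE_A_RECORDS = ["112.78.124.115", "94.20.30.91", "188.40.66.199",
                    "91.121.91.111", "178.162.154.214", "85.214.204.32",
                    "91.121.7.5", "83.170.91.152", "79.101.30.15", "124.124.212.172"]

def parse_request(raw):
    """Return (method, path, host, port) from a raw HTTP request head."""
    lines = raw.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    host, _, port = headers.get("host", "").partition(":")
    return method, path, host.lower(), int(port) if port else 80

def looks_generated(label):
    """Crude DGA heuristic: a long label with very few vowels."""
    if len(label) < 12:
        return False
    return sum(c in "aeiou" for c in label) / len(label) < 0.35

def beacon_indicators(raw):
    """Feodo-like features present in one request (empty list = none)."""
    method, path, host, port = parse_request(raw)
    hits = []
    if method == "POST" and path.endswith("/in/"):
        hits.append("post-to-/in/")
    if port == 8080:
        hits.append("port-8080")
    if host.endswith(".ru") and looks_generated(host.split(".")[0]):
        hits.append("dga-like-ru-host")
    return hits

def is_fast_flux(a_records, min_ips=5, min_prefixes=4):
    """True when one name resolves to many IPv4s spread over many /16 prefixes."""
    ips = {ip_address(ip) for ip in a_records}
    prefixes = {int(ip) >> 16 for ip in ips if ip.version == 4}
    return len(ips) >= min_ips and len(prefixes) >= min_prefixes
```

A single indicator is weak on its own; treat a request that trips all three, whose host also scores as fast-flux, as worth an analyst's attention rather than an automatic block.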

Below is a list of Feodo botnet domains Spamhaus has detected recently, all of which are registered through NAUNET.


While any normal network security person would identify these domain names as clearly malicious, NAUNET refused to suspend these domain names and actually accused Spamhaus of incompetence after we submitted evidence that these domain names were being used by the botnet's owners.

A quick search on the internet regarding these domain names reveals additional information published by Sophos.

Our experience with NAUNET, as well as the experience of our partners, clearly shows that NAUNET is unwilling to suspend fraudulent domain names.

Since its founding in 1998, Spamhaus has been working with ISPs, networks, domain name registrars and governmental organisations to fight against spam and to protect internet users from cybercrime. Unsurprisingly, the only complaints we get about evidence are from rogue networks or registrars. But Spamhaus is not alone in this. Organisations we work with have indicated that it seems to be NAUNET's "best practice" to accuse complainants of incompetence instead of terminating domains in accordance with its own T&C.

In 2008 Spamhaus listed NAUNET on the Spamhaus Block List (SBL) for "knowingly providing spam support services" according to Spamhaus SBL policy. The evidence at that time of NAUNET's "unclean hands" was overwhelming as over 95% of the .ru domains registered with them were being used in spam. Reports also came to us from the "underground" cybercrime forums that NAUNET representatives were active in these forums promoting their "bulletproof domain" registrations. Those listings can be viewed here:

http://www.spamhaus.org/sbl/query/SBL67369

http://www.spamhaus.org/sbl/query/SBL67504

Spamhaus also recommends that networks use our Don't Route Or Peer list to drop all traffic originating from or destined for NAUNET's IP address space. This will help protect end users from the activities of the cybercriminals to whom NAUNET persists in providing services.

We can only hope that one day the true nature of NAUNET will come to light and the Russian domain regulators at the Coordination Center for the Top Level Domain RU will step forward and either sanction NAUNET or, better yet, put an end to this Russian registrar that knowingly harbours cybercriminals. It may not be known to them, but this one registrar (and its cybercriminal clientele) is doing great harm to the current and future worldwide usability of the .ru domain by legitimate Russian interests. The internet suffers when companies and networks blacklist an entire ccTLD, but it is now happening all over with .ru.