In November 2011, new terms and conditions (T&Cs) for registering .ru domains were put out by the Coordination Center for the Top Level Domain RU (cctld.ru). The following paragraphs of the new T&Cs are important to Spamhaus' mission to fight spam and cybercrime:
5.7. The Registrar may terminate the domain name delegation upon the receipt of a substantiated petition from an organization indicated by the Coordinator as a competent one to determine violations in the Internet, should the petition contain information about the domain's information addressing system being used for:
1. receipt from third parties (users of the system) of confidential information by misleading these persons regarding its origin (authenticity) due to similarity of the domain names, design or content of the information (phishing);
2. unauthorized access to third parties' (users, visitors) information systems or for infecting these systems with malware or taking control of such software (botnet control);
[...]
Reference: The Terms and Conditions of Domain Names Registration in domains .RU
It isn't a secret that dealing with some of the Russia-based domain name registrars is problematic. However, we at Spamhaus hoped that the new conditions for the .ru TLD would raise the security awareness of registrars who provide domain names within .ru.
During the past few months Spamhaus has tried to shut down several hundred .ru domains. Most of these domain names were registered through NAUNET and were associated with professional spammers or with cybercrime, such as botnet operators.
While NAUNET had suspended several token malicious domain names that we reported to them in November 2011, in early 2012 NAUNET started to demand more "evidence". It appears as if NAUNET has changed their mind about their takedown procedure and started to accuse Spamhaus of incompetence when submitting evidence regarding fraudulent domain names.
A good example of NAUNET's behaviour is a set of malicious botnet domains, registered by cybercriminals and used to control computers infected with Feodo. Feodo is a banking Trojan used to steal money from online banking accounts (currently targeting many banks, including Bank of America, UBS and HSBC). The malware family involved is quite sophisticated: it uses a domain generation algorithm (DGA) to calculate the current botnet domain, which the Trojan uses to drop the stolen credentials and to receive commands from the botnet herder.
Sample Feodo botnet traffic:
================================
POST /rwx/B1_3n9/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host: nolwzyzsqkhjkqhomc.ru:8080
Content-Length: 101
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Wed, 21 Mar 2012 XX:XX:XX GMT
Content-Type: text/html; charset=CP-1251
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17-1.1
Vary: Accept-Encoding
================================
The cybercriminals are using a FastFlux botnet consisting of hijacked servers:
DNS A records for nolwzyzsqkhjkqhomc.ru:
$ dig +short nolwzyzsqkhjkqhomc.ru NS
ns2.nolwzyzsqkhjkqhomc.ru.
ns1.nolwzyzsqkhjkqhomc.ru.
ns6.nolwzyzsqkhjkqhomc.ru.
ns17.nolwzyzsqkhjkqhomc.ru.
ns13.nolwzyzsqkhjkqhomc.ru.
ns7.nolwzyzsqkhjkqhomc.ru.
ns8.nolwzyzsqkhjkqhomc.ru.
ns10.nolwzyzsqkhjkqhomc.ru.
ns16.nolwzyzsqkhjkqhomc.ru.
ns11.nolwzyzsqkhjkqhomc.ru.
ns3.nolwzyzsqkhjkqhomc.ru.
ns4.nolwzyzsqkhjkqhomc.ru.
ns9.nolwzyzsqkhjkqhomc.ru.
ns14.nolwzyzsqkhjkqhomc.ru.
ns12.nolwzyzsqkhjkqhomc.ru.
ns5.nolwzyzsqkhjkqhomc.ru.
ns15.nolwzyzsqkhjkqhomc.ru.
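The NS answer above is what a fast-flux zone tends to look like to a defender: an unusually large set of nameservers, all hosted inside the zone itself. The following added example (not Spamhaus' code) turns that observation into a triage heuristic over `dig +short` output. The NS sample mirrors the page's output; the A records, TTL and thresholds are constructed assumptions.

```python
import ipaddress

# Constructed sample modelled on the page's `dig +short nolwzyzsqkhjkqhomc.ru NS`
# output: seventeen nameservers, every one of them inside the zone itself.
NS_SHORT = "\n".join(f"ns{i}.nolwzyzsqkhjkqhomc.ru." for i in range(1, 18))

# Constructed A answers using RFC 5737 documentation addresses (not real hosts).
# Answers spread over unrelated networks is what a pool of hijacked servers
# looks like; a single hosting provider usually stays within one or two /24s.
A_SHORT = "192.0.2.10\n198.51.100.7\n203.0.113.55\n192.0.2.200\n198.51.100.99"


def parse_short(text):
    """Split `dig +short` output into answer values, dropping the trailing dot."""
    return [ln.strip().rstrip(".") for ln in text.splitlines() if ln.strip()]


def in_bailiwick(ns_host, domain):
    """True when the nameserver lives under the domain it serves."""
    return ns_host == domain or ns_host.endswith("." + domain)


def fastflux_indicators(domain, ns_short, a_short, ttl,
                        max_ns=6, max_nets=2, min_ttl=600):
    """Count fast-flux traits in the answers; returns (score, details).

    Thresholds are assumptions for illustration. Each trait is also seen in
    legitimate zones (self-hosted NS, CDN-style low TTLs), so the score is a
    triage signal to be combined with other evidence, not proof of abuse.
    """
    ns_hosts = parse_short(ns_short)
    addrs = [ipaddress.ip_address(a) for a in parse_short(a_short)]
    # Bucket addresses by /24 (v4) or /48 (v6) to count distinct networks.
    nets = {ipaddress.ip_network(f"{a}/{24 if a.version == 4 else 48}", strict=False)
            for a in addrs}
    details = {
        "ns_count": len(ns_hosts),
        "all_ns_in_bailiwick": bool(ns_hosts) and all(in_bailiwick(h, domain) for h in ns_hosts),
        "distinct_nets": len(nets),
        "ttl": ttl,
    }
    flags = {
        "many_ns": details["ns_count"] > max_ns,
        "self_hosted_ns": details["all_ns_in_bailiwick"] and details["ns_count"] > 1,
        "scattered_a": details["distinct_nets"] > max_nets,
        "low_ttl": ttl < min_ttl,
    }
    details["flags"] = sorted(k for k, v in flags.items() if v)
    return len(details["flags"]), details


if __name__ == "__main__":
    print(fastflux_indicators("nolwzyzsqkhjkqhomc.ru", NS_SHORT, A_SHORT, ttl=300))
```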
Below is a list of Feodo botnet domains Spamhaus has detected recently, all of which are registered through NAUNET.
While any network security professional would identify these domain names as clearly malicious, NAUNET refused to suspend them and actually accused Spamhaus of incompetence after we submitted evidence that these domain names were being used by the botnet's operators.
A quick search on the internet regarding these domain names reveals additional information published by Sophos.
Our experience with NAUNET, as well as the experience of our partners, clearly shows that NAUNET is unwilling to suspend fraudulent domain names.
Since its founding in 1998, Spamhaus has been working with ISPs, networks, domain name registrars and governmental organisations to fight against spam and to protect internet users from cybercrime. Unsurprisingly, the only complaints we get about evidence are from rogue networks or registrars. But Spamhaus is not alone in this. Organisations we work with have indicated that it seems to be NAUNET's "best practice" to accuse complainants of incompetence instead of terminating domains in accordance with its own T&C.
In 2008 Spamhaus listed NAUNET on the Spamhaus Block List (SBL) for "knowingly providing spam support services" according to Spamhaus SBL policy. The evidence at that time of NAUNET's "unclean hands" was overwhelming as over 95% of the .ru domains registered with them were being used in spam. Reports also came to us from the "underground" cybercrime forums that NAUNET representatives were active in these forums promoting their "bulletproof domain" registrations. Those listings can be viewed here:
Don't Route Or Peer list to drop all traffic originating from or destined for NAUNET's IP address space. This will help protect end users from the activities of the cybercriminals to whom NAUNET persists in providing services.
We can only hope that one day the true nature of NAUNET will come to light and the Russian domain regulators at the Coordination Center for the Top Level Domain RU will step forward and either sanction NAUNET or, better yet, put an end to this Russian registrar that knowingly harbours cybercriminals. It may not be known to them, but this one registrar (and its cybercriminal clientele) is doing great harm to the current and future worldwide usability of the .ru domain by legitimate Russian interests. The internet suffers when companies and networks blacklist an entire ccTLD, but it is now happening all over with .ru.
Russian registrar NAUNET knowingly harbours Cybercriminals
Permission to quote from or reproduce Spamhaus News articles is granted automatically providing you state the source as Spamhaus and link to the news record.