Spotting the bad guys…

It is very important to be familiar with the traits and suspicious behaviour/signs common to domains associated with malware, fraudware and malvertizing, affiliate misbehaviour and whatnot. By studying what the bad guys are doing, and how they do it, and the domains that they are using, we can build a dossier of features common to dangerous domains which can be built into our reputational assessments and other due diligence checks.

By way of example, let's take a series of fraudware domains highlighted by the PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/Rash-of-Rogue-Security-Malware.aspx

As we take a closer look at the domains it becomes clear that there is a high likelihood of danger, not just because of the domains themselves (my personal opinion is that any new domain names that can be used to infer antivirus, or antispyware, or scanning, or security or similar themes should immediately be flagged for closer examination by Registrars as a matter of course) but because the Registrant details are suspicious. What we see below are 24 domains that can be gathered into 7 distinct "groups".  Nearly all of the domains are registered via the same Registrar, and are shared between six different Registrants.  There is also a lot of what I can best describe as "cross pollination" between the various "groups" and Registrants.

I have sorted the 24 domains, using various criteria, to make it easier to see the “ties that bind” between the various Registrants and groups.  I see no reason why Registrars cannot implement similar checks and balances – checks that could be triggered by particular symptoms, such as a series of similar domains being registered, or when certain key words make up part of a domain name, or when “cross pollination” is detected via automated cross-checks.

Sorted by domain:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

The two “Robert Flork” registrations above seem innocuous from the perspective of WHOIS information and domain “group”, until we realise that the same name and email address are used in association with other suspicious domains (below), which then leads us to wonder if the various names we see are nothing more than pseudonyms.

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida

plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus6scan.com  - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida


Sorted by Registrant:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI

easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
plus6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE

fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI
scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI

livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha

newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida


Sorted by IP:

best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel        (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel       (66.101.58.54)
scan6live.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel         (66.101.58.54)

easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
fastscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI  (194.165.4.41)
fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                      (194.165.4.41)
livescan4.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                       (194.165.4.41)
plus4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
plusscan4.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
scan4easy.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI                    (194.165.4.41)
scan4fast.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)

livescan5.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha   (69.10.52.12)
scan5best.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha (69.10.52.12)
scan5plus.com  - REGTIME, for Ernest Lucas (wohuldah@gmail.com) - Vsehrdova 16, Praha  (69.10.52.12)

newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI   (78.159.99.66)

bestscan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
easy6scan.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
easyscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
fastscan6.com  - REGTIME, for Alex Kitzmiller (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
livescan6.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
new7scan.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
plus6scan.com  - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
scan7live.com  - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida


*****

These last few domains highlighted by PandaLabs exhibit identical Registrants and (for the most part) different IP addresses (by the way, I would look askance at any WHOIS record that shows a USA street address alongside a Russian email address):

best2008-scan-av.com  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA  (64.27.1.203)
av-pcscan-comp.com   - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA   (216.240.149.159)
forpc-av-scanner.net  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA  (216.240.149.159)
best-scanner-pc.net  - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA   (64.27.18.54)
quickly-scan-no-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.18.54)

sg10scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (78.26.179.253)
sg11scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI (94.247.2.39)
sg12scanner.com - REGTIME, for Kire Serona (kiresl1540@yahoo.com) - Ilichova 16, Ljubljana, Ljubljana, SI
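
The checks described in this post (grouping by Registrant, Registrar and IP, flagging scanner-themed names, spotting "cross pollination" where one IP hosts domains of several Registrants, and the mismatch between a US street address and a Russian email address noted just above) can be automated. The Python script below is an added example written for this page, not code from the post or from PandaLabs. It parses the one-line WHOIS summary format used in the lists above; the sample lines are copied from those lists, while the keyword list and the address-to-country lookup are assumptions chosen for this sample and would need to be replaced by a proper geocoder and a tuned term list in a real reputational check.

```python
"""Cluster one-line WHOIS summaries by registrant, registrar and hosting IP, and flag
the symptoms the post describes.  Added example for this page; the record layout
and the heuristics are assumptions, not a standard."""
import re
from collections import defaultdict

# Constructed sample input in the "domain - REGISTRAR, for Name (email) - address (ip)"
# layout used on this page.  Values are copied from the post; the IP is present only
# where the post records one.
SAMPLE = """\
best6scan.com  - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel (66.101.58.54)
newscan6.com   - REGTIME, for Robert Flork (flork.robert@gmail.com) - Rue de Limalsart 20, Brussel (66.101.58.54)
easy4scan.com  - REGTIME, for Michael Apenbrinck (subossink@gmail.com) - Slovenska Cesta 34, Ljubljana, SI (194.165.4.41)
fast4scan.com  - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI (194.165.4.41)
newscan4.com   - REGTIME, for Edmund Vandiver (qassadari@gmail.com) - Ljubljansua 6, Bled, SI (78.159.99.66)
plus6scan.com  - REGTIME, for Alex Kitzmiller, (alkitzmiller@gmail.com) - Zoutelaan 175, Knokke-Heist, BE
newscan5.com   - UK2 GROUP LTD, for Jahn Bemis (jhbemis@gmail.com) - 1541 W Ninth Street, West Palm Beach, Florida
best2008-scan-av.com - REGTIME, for Rui Harvey (harvdavis@yandex.ru) - 1248 Pinchelone Street, Herndon, VA (64.27.1.203)
"""

# One summary line: the stray comma after a name and the optional trailing IP are tolerated.
LINE = re.compile(
    r"^(?P<domain>\S+)\s+-\s+(?P<registrar>.+?), for (?P<name>[^(,]+?),?\s*"
    r"\((?P<email>[^)]+)\)\s+-\s+(?P<address>.+?)"
    r"(?:\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?\s*$"
)

# Substrings that mark a label token as antivirus/scanner themed (assumed list).
THEME_SUBSTRINGS = ("scan", "antivirus", "antispyware", "secur", "spyware")
THEME_EXACT = {"av"}

# Rough country hint taken from the last comma-separated part of the address.
# A constructed lookup that only covers this sample.
ADDRESS_COUNTRY = {"SI": "si", "BE": "be", "Brussel": "be", "Praha": "cz",
                   "VA": "us", "Florida": "us"}


def parse_records(text):
    """Parse every well-formed line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["name"] = rec["name"].strip()
            records.append(rec)
    return records


def theme_flag(domain):
    """True when any alphabetic token of the registrable label looks security themed."""
    label = domain.lower().split(".")[0]
    tokens = [t for t in re.split(r"[^a-z]+", label) if t]
    return any(any(s in t for s in THEME_SUBSTRINGS) or t in THEME_EXACT for t in tokens)


def email_country(email):
    """Two-letter ccTLD of the mailbox domain, or None for gTLDs such as .com."""
    tld = email.rsplit(".", 1)[-1].lower()
    return tld if len(tld) == 2 else None


def address_country(address):
    return ADDRESS_COUNTRY.get(address.split(",")[-1].strip())


def country_mismatch(rec):
    """Street address and email ccTLD both carry a country hint, and they disagree."""
    ec, ac = email_country(rec["email"]), address_country(rec["address"])
    return ec is not None and ac is not None and ec != ac


def group_by(records, field):
    """Map each distinct value of `field` (email, registrar, ip, ...) to its sorted domains."""
    groups = defaultdict(list)
    for rec in records:
        if rec[field]:
            groups[rec[field]].append(rec["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def shared_ips(records):
    """IPs hosting domains registered under more than one email: the 'cross pollination'."""
    owners = defaultdict(set)
    for rec in records:
        if rec["ip"]:
            owners[rec["ip"]].add(rec["email"])
    return {ip: sorted(e) for ip, e in owners.items() if len(e) > 1}


def assess(text):
    """Return {domain: [reasons]} for every record that trips at least one check."""
    records = parse_records(text)
    by_email = group_by(records, "email")
    shared = shared_ips(records)
    findings = {}
    for rec in records:
        reasons = []
        if theme_flag(rec["domain"]):
            reasons.append("security-themed name")
        if len(by_email[rec["email"]]) > 1:
            reasons.append("registrant holds %d similar domains" % len(by_email[rec["email"]]))
        if rec["ip"] in shared:
            reasons.append("IP %s shared with other registrants" % rec["ip"])
        if country_mismatch(rec):
            reasons.append("address country != email ccTLD")
        if reasons:
            findings[rec["domain"]] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in assess(SAMPLE).items():
        print(domain, "->", "; ".join(reasons))
```

Each check is deliberately a separate function so a Registrar or reputation system can weight them independently: a security-themed name alone is a weak signal, but combined with a shared IP across different Registrants, or a registrant holding several near-identical names, it is the pattern the post describes.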


*****

Who are REGTIME and UK2 GROUP?

UK2 Group Ltd, Suite 2C, Eurolife Building 1, Corral Road, Gibraltar

Regtime Ltd, 1 Krasnoarmeyskaya Street, Samara, Russian Federation

"Regtime Ltd was the first Russian ICANN-accredited registrar to offer a full service of cyrillic domains to Russian companies and individuals. Russian is the native or second language for more than 230 million people, so the decision to launch cyrillic language domains in 2001 was an important stage in the ability of Russian-speakers to access the Internet and the World Wide Web. Regtime continues to play a key role in the development of the Internet in Russia, including its work with the Cyrillic Languages Internet Names Consortium (CLINC)."

CITE: http://www.nic.aero/news/2008-06-30-03

Comments

# re: Spotting the bad guys…

Monday, January 19, 2009 9:24 PM by Scott

Sandi,

Not that this is likely to make things worse, but Pinchelone Street doesn't exist at all in that part of Virginia...

# re: Spotting the bad guys…

Monday, January 26, 2009 8:06 AM by Paul

Sandi, if you're looking for bad guys, here is another bunch:

www.robtex.com/.../opticscomputers.cn.html

Click on 'shared' tab and you will find a lot of bad domains, from 'anti-virus-secure-scanner.com' to 'xpsoftupgrade.com'