Tuesday, May 19, 2009

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime

"In gaz we trust"? I'd rather change GazTranzitStroyInfo's vision to the HangUp Team's infamous "in fraud we trust". It is somewhat weird to see the lengths certain cybercriminals will go to in order to create a feeling of legitimacy around their enterprise.

AS29371 - gaztranzitstroyinfo LLC - 91.212.41.0/24, based in Russia, Sankt Peterburg, Kropotkina 1, office 299, is one of them. Let's "drill" for some malicious activity at GazTranzitStroyInfo, and demonstrate how cybercriminals spread their infrastructure across different hosting providers to extend the lifecycle of their campaigns.

The recent peak of fake codecs (for instance video-info .info and sex-tapes-celebs .com serving softwarefortubeview.40018.exe) puts the spotlight on GazTranzitStroyInfo and its connections with another rogue hosting provider, AS48841 EUROHOST-AS Eurohost LLC. Eurohost was providing hosting infrastructure to the scareware domains that were part of Conficker's scareware monetization strategy, and continues to do so for a great deal of exploit/malware serving domains. The third provider in the picture is AS10929 NETELLIGENT Hosting Services Inc., where the infrastructure of all three has converged.

Let's detail some malicious activity found at GazTranzitStroyInfo. The following are redirectors to live exploits, ZeuS config files and scareware found within AS29371, pushed through blackhat SEO and web site compromises:

peopleopera .cn - 91.212.41.96
forexsec .cn
vitamingood .cn
bookadorable .cn
drawingstyle .cn
housedomainname .cn
workfuse .cn
schoolh .cn
rainfinish .cn
housevisual .cn
worksean .cn
liteauction .cn
newtransfer .cn
oceandealer .cn
musicdomainer .cn
websiteflower .cn
designroots .cn
islandtravet .cn
litefront .cn
clubmillionswow .cn


softwaresupport-group .com - 91.212.41.91
bestfindahome .cn
dastrealworld .ru
elantrasantrope .ru
borishoffbibi .ru
sandiiegoexpo .ru
nightplayauto .ru
startdontstop .ru


nicdaheb .cn - 91.212.41.119
sehmadac .cn
vavgurac .cn
tixleloc .cn
xidsasuc .cn
cuzlumif .cn
teyrebuf .cn
hifgejig .cn
tukhemaj .cn
rogkadej .cn
wuhwasum .cn
sipcojeq .cn
tixwagoq .cn
silzefos .cn
popyodiw .cn
cakpapaz .cn


Rogue security software:
addedantivirusonline .com - 91.212.41.114
addedantivirusstore .com
addedantiviruslive .com
addedantiviruspro .com
countedantiviruspro .com
myplusantiviruspro .com
easyaddedantivirus .com
yourcountedantivirus .com
bestcountedantivirus .com
yourplusantivirus .com


For instance, a sampled domain such as housedomainname .cn/in.cgi?6 redirects us to securityonlinedirect .com/scan.php?affid=02083, which is serving scareware with hosting courtesy of AS10929 Netelligent Hosting Services Inc., which, in case you remember, popped up in A Diverse Portfolio of Fake Security Software - Part Twenty. The affid parameter in the landing URL is the affiliate ID through which the traffic broker gets credited for each install. At securityonlineworld .com (209.44.126.22) we also have a portfolio of scareware domains:

thestabilityweb .com
securityonlineworld .com
websecuritypolice .com
wwwsafeexamine .com
dynamicstabilityexamine .com
networkstabilityexamine .com
safetyscansite .com
onlinesafetyscansite .com
securityscansite .com
stabilityonlineskim .com
socialsecurityscan .com
securityexamination .com
internetsecuritymetrics .com
onlinebrandsecuritys .com
securityonlinedirect .com
scanstabilityinternet .com
stabilityaudit .com
websecuritybureau .com
safewebsecurity .com
webbrowsersecurity .com
futureinternetsecurity .com
superiorinternetsecurity .com


The fake codec at video-info .info (AS29371 - gaztranzitstroyinfo LLC) is in fact downloaded from kir-fileplanet .com - 91.212.65.54 (AS48841; EUROHOST-NET), where more malicious activity is easily found, for instance at:

downloadmax .org - 91.212.65.19
hd-codec .com
shotgol .com
kauitour .com
coecount .com
countbiz .com
videoaaa .net
7stepsmedia .net
ispartof .net
amoretour .net
browardcount .net


trucount3000 .com - 91.212.65.10; 91.212.65.29
trucount3001 .com
trucount3002 .com
antivirus-xppro-2009 .com
onlinescanxppp .com
onlinescanxpp .com
onlinescanxp .com
free-webscaners .com
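The practical use of the lists above is blocking and detection: normalise the defanged indicators, attribute destination IPs to the netblocks of the three converging providers, and pull the scareware affiliate ID out of landing URLs like scan.php?affid=02083 so that campaigns can be tracked by affiliate rather than by domain. The following is an added example of that workflow, not code from the original post. It assumes a /24 for Eurohost (91.212.65.0/24, inferred from the four 91.212.65.x addresses above) and for Netelligent (209.44.126.0/24, inferred from the single 209.44.126.22); only the 91.212.41.0/24 prefix is stated in the post. The proxy log format and the log lines are constructed for the demo.

```python
"""
Added example (not from the original post): turn the post's defanged
indicator lists into a matcher for proxy logs.

Assumptions not in the post: the 91.212.65.0/24 and 209.44.126.0/24
prefixes are inferred from the listed addresses; the log format and the
sample log lines are constructed for this demo.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# 91.212.41.0/24 is stated in the post; the other two /24s are assumptions.
ROGUE_PREFIXES = {
    "AS29371 gaztranzitstroyinfo LLC": ipaddress.ip_network("91.212.41.0/24"),
    "AS48841 Eurohost LLC (prefix assumed)": ipaddress.ip_network("91.212.65.0/24"),
    "AS10929 Netelligent (prefix assumed)": ipaddress.ip_network("209.44.126.0/24"),
}

# A subset of the post's indicators, copied in the post's own "domain .tld" and
# "domain .tld - ip[; ip]" format, including one that was never defanged.
RAW_INDICATORS = """
peopleopera .cn - 91.212.41.96
housedomainname .cn
softwaresupport-group .com - 91.212.41.91
addedantivirusonline .com - 91.212.41.114
addedantiviruslive.com
securityonlinedirect .com
securityonlineworld .com - 209.44.126.22
kir-fileplanet .com - 91.212.65.54
downloadmax .org - 91.212.65.19
trucount3000 .com - 91.212.65.10; 91.212.65.29
"""

# Constructed proxy log lines: timestamp client method url status dest_ip
SAMPLE_LOG = [
    "2009-05-19T10:01:02 10.0.0.5 GET http://housedomainname.cn/in.cgi?6 302 91.212.41.96",
    "2009-05-19T10:01:03 10.0.0.5 GET http://securityonlinedirect.com/scan.php?affid=02083 200 209.44.126.22",
    "2009-05-19T10:02:11 10.0.0.7 GET http://www.example.com/index.html 200 93.184.216.34",
    "2009-05-19T10:03:00 10.0.0.9 GET http://unknown-host.net/file.exe 200 91.212.65.77",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<dst>\S+)$"
)


def refang(domain: str) -> str:
    """'housedomainname .cn' -> 'housedomainname.cn'; clean names pass through."""
    return re.sub(r"\s+\.", ".", domain.strip().lower())


def parse_indicators(text: str):
    """Return (domains, ips) from lines of 'domain' or 'domain - ip[; ip...]'.
    IPs are kept as canonical strings so they can be compared directly."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, addrs = line.partition(" - ")
        domains.add(refang(name))
        for addr in addrs.split(";"):
            addr = addr.strip()
            if addr:
                ips.add(str(ipaddress.ip_address(addr)))
    return domains, ips


def attribute_ip(ip_str: str) -> Optional[str]:
    """Name the rogue netblock an address falls into, or None."""
    ip = ipaddress.ip_address(ip_str)
    for label, net in ROGUE_PREFIXES.items():
        if ip in net:
            return label
    return None


def affiliate_id(url: str) -> Optional[str]:
    """Extract affid= from a scareware landing URL (scan.php?affid=02083)."""
    values = parse_qs(urlsplit(url).query).get("affid")
    return values[0] if values else None


def scan_log(lines, domains, ips):
    """Flag log entries by exact domain, exact IP, or rogue netblock membership.
    Netblock matching catches hosts the indicator list does not yet know."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        dst = str(ipaddress.ip_address(m["dst"]))
        reasons = []
        if host in domains:
            reasons.append("known domain")
        if dst in ips:
            reasons.append("known ip")
        block = attribute_ip(dst)
        if block:
            reasons.append(block)
        if reasons:
            hits.append({"client": m["client"], "host": host, "dst": dst,
                         "reasons": reasons, "affid": affiliate_id(m["url"])})
    return hits


if __name__ == "__main__":
    known_domains, known_ips = parse_indicators(RAW_INDICATORS)
    for hit in scan_log(SAMPLE_LOG, known_domains, known_ips):
        print(hit)
```

The fourth sample line is the interesting one: its host and address appear in none of the lists, yet it is flagged purely because the destination sits inside the Eurohost block. That is the detection counterpart to the convergence the post describes: once the same few /24s keep surfacing across fake codecs, scareware and exploit redirectors, blocking by prefix ages far better than blocking by domain.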


In cybercriminals I don't trust.

Related posts:
Fake Codec Serving Domains from Digg.com's Comment Spam Attack
Lazy Summer Days at UkrTeleGroup Ltd
Bogus LinkedIn Profiles Redirect to Malware and Rogue Security Software
Massive Blackhat SEO Campaign Serving Scareware
EstDomains and Intercage VS Cybercrime
The Template-ization of Malware Serving Sites
The Template-ization of Malware Serving Sites - Part Two
Malware campaign at YouTube uses social engineering tricks
Poisoned Search Queries at Google Video Serving Malware
Syndicating Google Trends Keywords for Blackhat SEO

Related Russian Business Network coverage:
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network