Friday, August 28, 2015

Historical OSINT - How TROYAK-AS Utillized BGP-over-VPN to Serve the Avalance Botnet

Historical OSINT is a crucial part of an intelligence analyst's mindset, further positioning a growing or an emerging trend, as a critical long term early warning system indicator, highlighting the importance, of current and emerging trends.


In this post, I'll discuss Troyak-AS, a well-known cybercrime-friendly hosting provider, that represented, the growing factor, for the highest percentage of malicious and fraudulent activity online, throughout 2010, its upstream provider NetAssist LLC, and most importantly, a malicious innovation applied by cybercriminals, at the time, namely the introduction of malicious netblocks and ISPs, within the RIPE registry, relying on OPSEC (Operational Security) and basic evasive practices.

According to RSA, the Ukrainian based ISP NetAssist LLC is listed as a legitimate ISP,  one whose services haven't been abused in any particular cybercrime-friendly way. 

This analysis, will not only prove, otherwise, namely, that NetAssist LLC's involvement in introducing a dozen of cybercrime friendly networks – including TROYAK-AS – has been taking place for purely commercial reasons, with the ISP charging thousands of euros for the process, but also, expose a malicious innovation applied on behalf of opportunistic cybercriminals, at the time, namely, the introduction of innovative bulletproof hosting tactics, techniques and procedures.

Domain name reconnaissance:
troyak.org - 74.208.21.227 (AS8560); 195.93.184.1 (AS44310) - Email: staruy.rom@troyak.org; staruy.rom@inbox.ru
smallshopkz.org - 195.78.123.1 (AS12570)


Name servers:
ns.troyak.org - 195.93.184.1 - (AS44307) ALYANSHIMIYA
ns.bgpvpn.kz - 91.213.93.10


ns.smallshopkz.org (195.78.123.1) is also known to have offered DNS services, to prombd.net (AS44107) PROMBUDDETAL (AS50215 Troyak-as at the time responding to ctlan.net) - 91.201.30.1, and vesteh.net (AS47560) VESTEH-NET 91.200.164.1

Domain name reconnaissance:
bgpvpn.kz
Organization Using Domain Name
Name...................: Mykola Tabakov
Organization Name......: Mykola Tabakov
Street Address.........: office 211, ul. Pushkina, dom 166
City...................: Astana
State..................: Astana
Postal Code............: 010000
Country................: KZ

Administrative Contact/Agent
NIC Handle.............: CA537455-RT
Name...................: Mykola Tabakov
Phone Number...........: +7.7022065468
Fax Number.............: +7.7022065468
Email Address..........: tabanet@mail.ru

Nameserver in listed order:
Primary server.........: ns.bgpvpn.kz
Primary ip address.....: 91.213.93.10



Domain name reconnaissance:
smallshopz.biz
Domain Name:SMALLSHOPKZ.ORG
Created On:30-Oct-2009 13:42:14 UTC
Last Updated On:19-Mar-2010 14:39:19 UTC
Expiration Date:30-Oct-2010 13:42:14 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_10606443
Registrant Name:Vladimir Vladimirovich Stebluk
Registrant Organization:N/A
Registrant Street1:off. 306, Bulvar Mira, 16
Registrant Street2:
Registrant Street3:
Registrant City:Karaganda
Registrant State/Province:Qaraghandyoblysy
Registrant Postal Code:100008
Registrant Country:KZ
Registrant Phone:+7.7012032605
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:vladcrazy@smallshopkz.org



NetAssist LLC (netassist.ua) (AS29632) reconnaissance:
inetnum:        62.205.128.0 - 62.205.159.255
netname:        UA-NETASSIST-20080201
descr:          NetAssist LLC
country:        UA
org:            ORG-NL64-RIPE
admin-c:        MT6561-RIPE
admin-c:        AVI27-RIPE
tech-c:         MT6561-RIPE
tech-c:         APP18-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MEREZHA-MNT
mnt-routes:     MEREZHA-MNT
mnt-domains:    MEREZHA-MNT
source:         RIPE # Filtered



organisation:  ORG-NL64-RIPE
org-name:      NetAssist LLC
org-type:       LIR
address:        NetAssist LLC
Max Tulyev
GEROEV STALINGRADA AVE  APP 57  BUILD 54
04213 Kiev
UKRAINE
phone:          +380 44 5855265
fax-no:         +380 44 2721514
e-mail:         info@netassist.kiev.ua
admin-c:      AT4266-RIPE
admin-c:      KS3536-RIPE
admin-c:      MT6561-RIPE
mnt-ref:       RIPE-NCC-HM-MNT
mnt-ref:       MEREZHA-MNT
mnt-by:       RIPE-NCC-HM-MNT
source:        RIPE # Filtered




person:         Max Tulyev
address:        off. 32, 12 Artema str.,
address:        Kiev, Ukraine
remarks:        Office phones
phone:          +380 44 2398999
phone:          +7 495 7256396
phone:          +1 347 3414023
phone:          +420 226020344
remarks:        GSM mobile phones, SMS supported
phone:          +7 916 6929474
phone:          +380 50 7775633
remarks:        Fax is in auto-answer mode
fax-no:         +380 44 2726209
remarks:        The phone below is for emergency only
remarks:        You can also send SMS to this phone
phone:          +88216 583 00392
remarks:
remarks:      Jabber ID mt6561@jabber.kiev.ua
remarks:      SIP 7002@195.214.211.129
e-mail:         maxtul@netassist.ua
e-mail:         president@ukraine.su
nic-hdl:        MT6561-RIPE
mnt-by:        MEREZHA-MNT
source:         RIPE # Filtered

person:         Alexander V Ivanov
address:        14-28 Lazoreviy pr
address:        Moscow, Russia
address:        129323
phone:          +7 095 7251401
fax-no:         +7 095 7251401
e-mail:         ivanov077@gmail.com
nic-hdl:        AVI27-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered


person:         Alexey P Panyushev
address:        8-142, Panferova street
address:        Moscow, Russia
address:        117261
phone:          +7 903 6101520
fax-no:         +7 903 6101520
e-mail:         panyushev@gmail.com
nic-hdl:        APP18-RIPE
mnt-by:         MEREZHA-MNT
source:         RIPE # Filtered

Is NetAssist LLC, on purposely offering its services, for the purpose of orchestrating cybercrime-friendly campaigns, in a typical bulletproof cybercrime friendly fashion, or has it been abused, by an opportunistic cybercriminals, earning fraudulently obtained revenues in the process? Based on the analysis in this post, and the fact, that the company, continues offering IPv4 RIPE announcing services, I believe, that on the majority of occasions, the company has had its services abused, throughout 2010, leading to the rise of the Avalance bothet.

I expect to continue observing such type of abuse, however, in a cybercrime ecosystem, dominated, by the abuse of legitimate services, I believe that cybercriminals will continue efficiently bypassing defensive measures in place, through the abuse and compromise of legitimate infrastructure.

This post has been reproduced from Dancho Danchev's blog.