Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a different contact completely, and unrelated here).
Let's use what we already know to try to find the organization responsible for this malware.
Here is a traceroute I performed several days ago:
| Hop | (ms) | (ms) | (ms) | IP Address | Host name |
| 1 | 0 | 0 | 0 | 206.123.64.154 | jbdr2.0.dal.colo4.com |
| 2 | 0 | 0 | 0 | 64.124.196.225 | xe-4-2-0.er2.dfw2.us.above. |
| 3 | 0 | Timed out | 0 | 63.218.23.29 | ge5-4.br02.dal01.pccwbtn.net |
| 4 | 214 | 214 | 214 | 63.218.252.86 | ge9-39.br03.hkg04.pccwbtn.net |
| 5 | 214 | 214 | 258 | 112.121.160.221 | - |
| 6 | 213 | 213 | 213 | 112.121.160.18 | - |
| 7 | 218 | 218 | 217 | 112.121.160.198 | - |
| 8 | 213 | 213 | 212 | 216.83.44.226 | - |
And here is a traceroute as performed today:
TraceRoute to 216.83.44.226
| Hop | (ms) | (ms) | (ms) | IP Address | Host name |
| 1 | 12 | 0 | 0 | 206.123.64.154 | jbdr2.0.dal.colo4.com |
| 2 | 0 | 0 | 0 | 64.124.196.225 | xe-4-2-0.er2.dfw2.us.above.net |
| 3 | 0 | 0 | 0 | 63.218.23.29 | ge5-4.br02.dal01.pccwbtn.net |
| 4 | 212 | 212 | 212 | 63.218.252.86 | ge9-39.br03.hkg04.pccwbtn.net |
| 5 | Timed out | Timed out | Timed out | - |
| 6 | Timed out | Timed out | Timed out | - |
| 7 | Timed out | Timed out | Timed out | - |
| 8 | Timed out | Timed out | Timed out | - |
Seems that either the responsible organization has been disconnected from the network by their provider, or they have purposely disconnected themselves to hinder analysis.
Starting with 216.83.44.226 and working backwards, let's see who this section of IP addresses is registered to.
216.83.44.0 - 216.83.44.255 is registered to WIRELESS-ALARM.COM
OrgName: WIRELESS-ALARM.COM
OrgId: WIREL-46
Address: 3026 Ensley 5 Points W Avenue
City: Birmingham
StateProv: AL
PostalCode: 35208
Country: US
RegDate: 2009-12-30
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/WIREL-46
OrgAbuseHandle: PQU12-ARIN
OrgAbuseName: Quagliano, Pedro
OrgAbusePhone: +1-877-605-5273
OrgAbuseEmail: pedroquagliano@cyanclouds.com
We already know that this is a fake registration, because all of my emails to pedroquagliano@cyanclouds.com were returned as non-deliverable due to DNS failures. That means cyanclouds.com is not an active domain.
Lets go up a level in IP address ownership.
216.83.32.0 - 216.83.63.255 is owned by Ether.Net LLC.
network:Class-Name:network
network:ID:216.83.32.0/20
network:Auth-Area:216.83.32.0/20
network:Network-Name:ETHRN-216-83-46-0
network:IP-Network:216.83.46.0/24
network:IP-Network-Block:216.83.46.0 - 216.83.46.255
network:Org-Name:InfoMove Hong Kong Limited.
network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
network:City:San Po Kong
network:State:HK
network:Country-Code:HK
Ether.NET appears to be a legitimate business operating in Hong Kong.
They have been around for many years. They have an AIM for support which I was able to trace back to 2003 posting on web hosting support forums. Doubtful that they're involved, so let's shift out focus elsewhere.
Going back to the IP range owned by WIRELESS-ALARM.COM, 216.83.44.0 - 216.83.44.255, lets look at what else is hosted there.
From http://bgp.he.net/net/216.83.44.0/24#_dns as of 12/31/2011 6:21 PST
Hmm, remember the registration for WIRELESS-ALARM.COM?
The email address pointed at cyancoulds.com... and the DNS servers for cyanclouds.com happen to be hosted in the same netblock. Could it be cyanclouds.com is also being controlled by the responsible organization?
So let's lookup the contact info for cyanclouds.com...
Domain Name: CYANCLOUDS.COM
Registrar: DIRECTNIC, LTD
Whois Server: whois.directnic.com
Referral URL: http://www.directnic.com
Name Server: NS1.CYANCLOUDS.COM
Name Server: NS2.CYANCLOUDS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-jan-2011
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2012
Registrant:
Good Names Network
342 Broadway
New York, NY 10013
US
212-555-1212
Domain Name: CYANCLOUDS.COM
Administrative Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212
Technical Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212
It looks like cyanclouds.com is registered by "proxy" through another company called the "Good Names Network". But wait...is this company real either?
212-555-1212 will simply give you directory assistance for the 212 area code. (New York)
342 Broadway is actually a UPS Store which offers mailbox services...so this could be anyone.
So, another dead end? This malware which has definite Chinese origins also has a link to an anonymous business New York.
This is where I'd like to point out the marvels of Google. Specifically Google Street View.
Without Google Street View, we would never have known that next to this UPS Store at 344 Broadway is a shop called "Broadway Cleaners". A quick Google search shows that Broadway Cleaners is actually owned by someone at 95 Worth Street, which happens to be in Chinatown.
Please note that this is absolutely speculation, and that there is no proof whatsoever anyone at Broadway Cleaners has anything to do with this. However, the fact that the malware has definite ties to China, and the fact that the proxy company used to register WIRELESS-ALARM.COM's IP block is right next door to a business originating in Chinatown, is a very interesting coincidence.
Unfortunately this is where the trail goes cold.
This search for the origin of this malware has possibly raised more questions than provided answers. But one thing is for certain - the network framework for this malware has definitely been in place for some time. WIRELESS-ALARM.COM's IP block as well as cyanclouds.com have been registered since 2009. This is not the work of a "fly-by-night" script kiddy. Careful planning has been taken to not only develop this malware, but also to establish the hosting this malware would be using - and hide its true origins.
No comments:
Post a Comment