Following the Trail: Determining the Origins of Linux/Bckdr-RKC

It is already known that the two Linux/Bckdr-RKC variants I have received have both been hosted by  Furthermore, the first variant had a phone-home address of

Both of these IP addresses are registered to the netblock owned by WIRELESS-ALARM.COM (not to be confused with the actual website, which is registered to a completely different contact and is unrelated here).

Let's use what we already know to try to find the organization responsible for this malware.

Here is a traceroute I performed several days ago:

Hop   (ms)   (ms)   (ms)   IP Address   Host name
  0   0   0  
  0   0   0  

  0   Timed out   0  
  214   214   214  
  214    214   258   -  
  213    213   213   -  
  218    218   217   -  
  213    213   212   -  

And here is a traceroute as performed today:

TraceRoute to

Hop   (ms)   (ms)   (ms)   IP Address   Host name
  12   0   0  
  0   0   0  
  0   0   0  
  212   212   212  
  Timed out   Timed out   Timed out        -  
  Timed out   Timed out   Timed out        -  
  Timed out   Timed out   Timed out        -  
  Timed out   Timed out   Timed out        -  

It seems that either the responsible organization has been disconnected from the network by its provider, or it has purposely disconnected itself to hinder analysis. A trace that times out after the last responding hop is consistent with both, and also with an upstream router simply dropping ICMP; a TCP probe to the phone-home port, or the same trace from a second vantage point, separates a filtered host from one that is really gone.

Starting with and working backwards, let's see who this section of IP addresses is registered to. - is registered to WIRELESS-ALARM.COM

OrgId: WIREL-46
Address: 3026 Ensley 5 Points W Avenue
City: Birmingham
StateProv: AL
PostalCode: 35208
Country: US
RegDate: 2009-12-30
Updated: 2011-09-24

OrgAbuseHandle: PQU12-ARIN
OrgAbuseName: Quagliano, Pedro
OrgAbusePhone: +1-877-605-5273

We already know that this is a fake registration, because all of my emails to were returned as undeliverable due to DNS failures. That means is not an active domain.

Let's go up a level in IP address ownership. - is owned by Ether.Net LLC.

network:IP-Network-Block: -
network:Org-Name:InfoMove Hong Kong Limited.
network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
network:City:San Po Kong

Ether.NET appears to be a legitimate business operating in Hong Kong.

They have been around for many years. They have an AIM screen name for support, which I was able to trace back to 2003 postings on web hosting support forums. It's doubtful that they're involved, so let's shift our focus elsewhere.

Going back to the IP range owned by WIRELESS-ALARM.COM, -, let's look at what else is hosted there.

From as of 12/31/2011 6:21 PST


Hmm, remember the registration for WIRELESS-ALARM.COM?
The email address pointed at , and the DNS servers for happen to be hosted in the same netblock. Could it be that is also being controlled by the responsible organization?
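The co-hosting check suggested above (a domain's authoritative name servers sitting inside the same netblock as the hosts that use them), written out as an added example; this is not the post's own tooling. The addresses, host names and records are constructed stand-ins drawn from the reserved documentation ranges and `.test` names, not the real ones from the investigation, and a live run would replace the three dictionaries with actual PTR, NS and A lookups.

```python
"""Flag domains hosted in a netblock whose authoritative name servers also live in
that block. Added example; the DNS data below is constructed (documentation
ranges and .test names), not the records from the investigation. A live run
would fill PTR/NS/A from real lookups (e.g. socket.gethostbyaddr, dnspython)."""
import ipaddress

# Constructed: reverse DNS for the hosts that answered in a hypothetical /24
PTR = {
    "198.51.100.10": "ns1.example-hosting.test",
    "198.51.100.11": "ns2.example-hosting.test",
    "198.51.100.20": "www.example-hosting.test",
    "198.51.100.30": "mail.other-site.test",
}
# Constructed: NS records for the domains seen above
NS = {
    "example-hosting.test": ["ns1.example-hosting.test", "ns2.example-hosting.test"],
    "other-site.test": ["ns1.bigdns.test", "ns2.bigdns.test"],
}
# Constructed: A records for those name servers
A = {
    "ns1.example-hosting.test": "198.51.100.10",
    "ns2.example-hosting.test": "198.51.100.11",
    "ns1.bigdns.test": "203.0.113.5",
    "ns2.bigdns.test": "203.0.113.6",
}


def registered_domain(hostname):
    """Crude registrable-domain guess (last two labels); fine for the names used here."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def domains_in_block(block, ptr=PTR):
    """Distinct domains with at least one host whose PTR points into the block."""
    net = ipaddress.ip_network(block)
    return sorted({registered_domain(h) for ip, h in ptr.items()
                   if ipaddress.ip_address(ip) in net})


def self_hosted_dns(block, ptr=PTR, ns=NS, a=A):
    """Map domain -> its name servers that resolve inside the same block.

    A domain whose DNS lives beside its web and mail hosts in one small
    allocation has nothing outside that block; if the block is withdrawn the
    whole operation goes dark at once, which matches a trace that stops
    answering past the upstream hop."""
    net = ipaddress.ip_network(block)
    found = {}
    for dom in domains_in_block(block, ptr):
        inside = [n for n in ns.get(dom, [])
                  if n in a and ipaddress.ip_address(a[n]) in net]
        if inside:
            found[dom] = inside
    return found


if __name__ == "__main__":
    for dom, servers in self_hosted_dns("198.51.100.0/24").items():
        print(f"{dom}: DNS served from inside the block by {', '.join(servers)}")
```

The `registered_domain` helper only strips to the last two labels, which is enough for the constructed names; for real data with multi-label public suffixes, swap in a public-suffix-list lookup.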

So let's look up the contact info for

Whois Server:
Referral URL:
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-jan-2011
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2012

Good Names Network
342 Broadway
New York, NY 10013


Administrative Contact:
Operations, Network
342 Broadway
New York, NY 10013

Technical Contact:
Operations, Network
342 Broadway
New York, NY 10013
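The three WHOIS record styles quoted in this post (the ARIN "Key: Value" block, the rwhois "network:Key:Value" block for the upstream allocation, and the registrar block with its "31-jan-2011" dates) are easy to pull apart with a small parser, and doing so makes the pivots used here (registrant, abuse contact, how long the registration has existed, whether the contact number is a placeholder) repeatable across many records. This is an added example and not the post's own tooling; the sample records are constructed from the fields shown on the page, and the placeholder-phone heuristic is my own assumption.

```python
"""Parse the WHOIS record styles quoted in this post (ARIN "Key: Value", the
rwhois "network:Key:Value" style of the upstream block, and the registrar
"Updated Date: 31-jan-2011" style) and pull out what an investigator wants:
registrant, abuse contact, registration age and placeholder contact numbers.
Added example, not the post's own tooling. The sample records are constructed
from the fields shown on the page; the phone heuristic is an assumption of mine."""
import re
from datetime import datetime

# Constructed sample, ARIN style (fields as quoted on the page)
ARIN_SAMPLE = """\
OrgId: WIREL-46
Address: 3026 Ensley 5 Points W Avenue
City: Birmingham
StateProv: AL
PostalCode: 35208
Country: US
RegDate: 2009-12-30
Updated: 2011-09-24

OrgAbuseHandle: PQU12-ARIN
OrgAbuseName: Quagliano, Pedro
OrgAbusePhone: +1-877-605-5273
"""

# Constructed sample, rwhois style as returned for the upstream allocation
RWHOIS_SAMPLE = """\
network:Org-Name:InfoMove Hong Kong Limited.
network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
network:City:San Po Kong
"""

# Constructed sample, registrar style (dates as quoted on the page)
REGISTRAR_SAMPLE = """\
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-jan-2011
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2012
"""


def parse_whois(text):
    """Return a dict of field -> value; repeated fields (e.g. Status) become lists."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")):  # blanks and server comments
            continue
        if line.startswith("network:"):  # rwhois prefixes every attribute
            line = line[len("network:"):]
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in record:
            prev = record[key]
            record[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            record[key] = value
    return record


def parse_date(s):
    """Accept both the ISO form ARIN uses and the dd-mon-yyyy form registrars use."""
    for fmt in ("%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(s, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised WHOIS date: {s!r}")


# Assumption: numbers ending in 555-1212 (directory assistance) or 555-01xx
# (reserved for fiction) are placeholders, not a reachable contact.
_PLACEHOLDER = re.compile(r"555(1212|01\d\d)$")


def placeholder_phone(number):
    """True when the number, stripped to digits, ends in a known placeholder pattern."""
    return bool(_PLACEHOLDER.search(re.sub(r"\D", "", number)))


def summarize(text, as_of):
    """Condense a record into the fields worth pivoting on; as_of is an ISO date."""
    rec = parse_whois(text)
    registered = rec.get("RegDate") or rec.get("Creation Date")
    phone = rec.get("OrgAbusePhone") or rec.get("Phone")
    return {
        "org": rec.get("OrgName") or rec.get("Org-Name") or rec.get("OrgId"),
        "registered": registered,
        "age_days": (parse_date(as_of) - parse_date(registered)).days if registered else None,
        "abuse_phone": phone,
        "placeholder_phone": placeholder_phone(phone) if phone else False,
    }


if __name__ == "__main__":
    for sample in (ARIN_SAMPLE, RWHOIS_SAMPLE, REGISTRAR_SAMPLE):
        print(summarize(sample, "2011-12-31"))
```

Run against the ARIN sample with an as-of date at the end of 2011, the registration comes out just over two years old and the abuse number is not a placeholder; the registrar sample's repeated `Status` lines survive as a list rather than overwriting each other.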

It looks like is registered by "proxy" through another company called the "Good Names Network". But is this company real either?

212-555-1212 will simply give you directory assistance for the 212 area code (New York).

342 Broadway is actually a UPS Store, which offers mailboxes, so this could be anyone.

So, another dead end? This malware, which has definite Chinese origins, also has a link to an anonymous business in New York.

This is where I'd like to point out the marvels of Google.  Specifically Google Street View.

Without Google Street View, we would never have known that next to this UPS Store at 344 Broadway is a shop called "Broadway Cleaners".  A quick Google search shows that Broadway Cleaners is actually owned by someone at 95 Worth Street, which happens to be in Chinatown.

Please note that this is absolutely speculation, and that there is no proof whatsoever anyone at Broadway Cleaners has anything to do with this.  However, the fact that the malware has definite ties to China, and the fact that the proxy company used to register WIRELESS-ALARM.COM's IP block is right next door to a business originating in Chinatown, is a very interesting coincidence.

Unfortunately this is where the trail goes cold.

This search for the origin of this malware has possibly raised more questions than it has answered. But one thing is certain: the network infrastructure behind this malware has been in place for some time. WIRELESS-ALARM.COM's IP block as well as have been registered since 2009. This is not the work of a "fly-by-night" script kiddie. Careful planning went not only into developing this malware, but also into establishing the hosting it would use and hiding its true origins.
