Hello, Antony! - SANS Internet Storm Center

Hello, Antony!
Antony Elmar owns quite a few domain names. He lives in a lovely city called "Kansas, US", but seems to make his home there on a park bench, because he doesn't have a street address. On the upside, the park bench does have a phone extension, but one with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy: Domain Name:EVORMCORP .IN Created On:14-Jan-2012 00:01:08 UTC Last Updated On:14-Jan-2012 00:01:10 UTC Expiration Date:14-Jan-2013 00:01:08 UTC Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN) Registrant Name:Antony Elmar Registrant Organization:N/A Registrant Street1:none Registrant City:Kansas Registrant State/Province: Registrant Postal Code:67420 Registrant Country:US Registrant Phone:+3.976639877 None of this fazes the domain name registrar "Directi Web Services" in Mumbai, India, to the least. And Antony has been busy - he bought a dozen or so new domains over the past two days, and managed to bring them live within a matter of minutes after purchase. His new domains currently point to 89.187.53.237, in Moldova. Yup, ol'Antony is quite the international business executive, conducting his trade on three continents with equal ease! The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 89.187.53.238. His latest new domains include cyberendbaj .in cyberevorm .in endbaj .in endbajcomp .in evorm .in evormhost .in evormcorp .in and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages. Antony's toys currently seem to use URLs with a certain pattern that you can search for in your web logs with a command like egrep -E '\/.{8}\/\?[[:xdigit:]]{60}' Example result from earlier today: http://endbajcomp. in/rgy9hcgw/?1a4c39a0370ad0f641cc790b5d0acdb24eba0f2d2483b98b4076689a4684 Caveat - that regexp might of course also match on perfectly benign web site URLs. The malware uses CVE-2010-0842 (javax.sound.midi) and CVE-2011-3544 (Rhino script engine) and when successful seems to download an executable off a URL that matches egrep -E '\/.{8}\/\?[[:xdigit:]]{60};[0-9];[0-9]' If you find anything of interest in your logs, please let us know via the contact form, or comment below.	Daniel 367 Posts ISC Handler
Subscribe	Jan 14th 2012 7 years ago
why stop this ? when we'll have protect ip and sopa to protect us ?	Anonymous
Quote	Jan 15th 2012 7 years ago
Looks like a Phoenix exploit kit URL. We see a fair few of these, but nowhere near as many as the Blackhole exploit kit. Note the download URLs are one-time only, and the kit usually includes two or three Java exploits and a PDF exploit (probably exploiting CVE-2010-0188). See http://wepawet.iseclab.org/view.php?hash=502f5b628a4d57603955309d22b42631&t=1326462037&type=js for a recent example My guess is the "rgy9hcgw" part is a user ID for the attacker as the same string will appear in different domains.	Anonymous
Quote	Jan 16th 2012 7 years ago
Staff in countries outside the US often do not have any idea how our phone numbers or street address system (especially zip code) work and could be helpful in detecting fraud. What looks like obvious fraud to us looks innocuous to them. I'd imagine that we'd have the same problem with their systems.	Anonymous
Quote	Jan 17th 2012 7 years ago

Antony Elmar owns quite a few domain names. He lives in a lovely city called "Kansas, US", but seems to make his home there on a park bench, because he doesn't have a street address. On the upside, the park bench does have a phone extension, but one with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy:

Domain Name:EVORMCORP .IN
Created On:14-Jan-2012 00:01:08 UTC
Last Updated On:14-Jan-2012 00:01:10 UTC
Expiration Date:14-Jan-2013 00:01:08 UTC
Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant Name:Antony Elmar
Registrant Organization:N/A
Registrant Street1:none
Registrant City:Kansas
Registrant State/Province:
Registrant Postal Code:67420
Registrant Country:US
Registrant Phone:+3.976639877

None of this fazes the domain name registrar "Directi Web Services" in Mumbai, India, to the least. And Antony has been busy - he bought a dozen or so new domains over the past two days, and managed to bring them live within a matter of minutes after purchase.

His new domains currently point to 89.187.53.237, in Moldova. Yup, ol'Antony is quite the international business executive, conducting his trade on three continents with equal ease! The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 89.187.53.238.

His latest new domains include

cyberendbaj .in
cyberevorm .in
endbaj .in
endbajcomp .in
evorm .in
evormhost .in
evormcorp .in

and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages. Antony's toys currently seem to use URLs with a certain pattern that you can search for in your web logs with a command like egrep -E '\/.{8}\/\?[[:xdigit:]]{60}'

Example result from earlier today:
http://endbajcomp. in/rgy9hcgw/?1a4c39a0370ad0f641cc790b5d0acdb24eba0f2d2483b98b4076689a4684

Caveat - that regexp might of course also match on perfectly benign web site URLs.

The malware uses CVE-2010-0842 (javax.sound.midi) and CVE-2011-3544 (Rhino script engine) and when successful seems to download an executable off a URL that matches egrep -E '\/.{8}\/\?[[:xdigit:]]{60};[0-9];[0-9]'

If you find anything of interest in your logs, please let us know via the contact form, or comment below.

Daniel

367 Posts
ISC Handler

why stop this ?
when we'll have protect ip and sopa
to protect us ?

Anonymous

Looks like a Phoenix exploit kit URL. We see a fair few of these, but nowhere near as many as the Blackhole exploit kit. Note the download URLs are one-time only, and the kit usually includes two or three Java exploits and a PDF exploit (probably exploiting CVE-2010-0188).

See http://wepawet.iseclab.org/view.php?hash=502f5b628a4d57603955309d22b42631&t=1326462037&type=js for a recent example

My guess is the "rgy9hcgw" part is a user ID for the attacker as the same string will appear in different domains.

Anonymous

Staff in countries outside the US often do not have any idea how our phone numbers or street address system (especially zip code) work and could be helpful in detecting fraud. What looks like obvious fraud to us looks innocuous to them. I'd imagine that we'd have the same problem with their systems.

Anonymous