The RedRet connection... (SANS Internet Storm Center diary)

Have you ever wondered why we are in this security chaos these days?

Well, I have one simple explanation: apart from one-offs like Stuxnet and Duqu, most current malware is simple, easy to understand and easy to analyze. And why? Because it doesn't need to be really advanced... :) And the malware writers know it.

Take the BlackHole exploit kit gang, for example. They have been out there for some time, renting and selling the kit, and at least one gang is responsible for the majority of the spam floating around, with subjects like "Your Flight Order NXXX", "ACH and wire transfer disabled." and "Scan from a Hewlett-Packard Officejet #XXX"... ALL of them contain a link to a hacked website that redirects to a "redret"... :)

But what is a "redret" ?

This is a "redret" :

  • czredret.ru
  • curedret.ru
  • ctredret.ru
  • crredret.ru
  • bzredret.ru
  • byredret.ru
  • bxredret.ru
  • bwredret.ru
  • bvredret.ru
  • bsredret.ru
  • bpredret.ru
  • boredret.ru
  • blredret.ru
  • bkredret.ru
  • biredret.ru
  • bhredret.ru
  • bgredret.ru
  • bfredret.ru
  • beredret.ru
  • bdredret.ru
  • bcredret.ru
  • bbredret.ru
  • aredret.ru
  • apredret.ru
  • amredret.ru
  • alredret.ru
  • akredret.ru
  • ajredret.ru
  • airedret.ru
  • ahredret.ru
  • agredret.ru
  • afredret.ru
  • aeredret.ru
  • adredret.ru
  • acredret.ru
  • abredret.ru
  • aaredret.ru

These domains are all still active and resolving, and they host the BlackHole exploit kit itself (the landing page the hacked sites redirect to), not the links that appear in the spam...

At this moment they are resolving to:

  • 95.163.89.193
  • 89.208.34.116
  • 94.199.51.108
  • 91.220.35.38
  • 77.79.7.136
  • 95.163.89.200
  • 91.228.133.120

In the recent past, the following IPs were also observed hosting them:

  • 188.190.99.26
  • 87.120.41.191
  • 94.199.53.14
  • 89.208.34.116

  

I would recommend first checking your logs for those domains and IPs, and second making good use of a regex, if you know what I mean... :) Every domain above is one or two lowercase letters followed by "redret.ru", so a pattern will keep matching when new prefixes show up, while a static list of names will not.
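The following is an added example, not part of the original diary: a small Python scanner that applies both recommendations to log lines, matching the one-or-two-letter "redret.ru" domain pattern and the IPs listed above. The regex, the helper names and the sample log lines (squid access-log and BIND query-log style) are constructed for illustration; the IPs and the domain pattern are the ones from the diary.

```python
import re

# Domain pattern derived from the list in the diary: one or two letters
# followed by "redret.ru" (aredret.ru, czredret.ru, ...). The lookbehind
# stops the pattern from firing on the tail of a longer label such as
# "notredret.ru"; loosen it to a plain r"redret\.ru" if you would rather
# over-match than miss a variant.
REDRET_RE = re.compile(r"(?<![a-z0-9-])[a-z]{1,2}redret\.ru\b", re.IGNORECASE)

# IPs from the diary: currently resolving plus recently observed.
REDRET_IPS = {
    "95.163.89.193", "89.208.34.116", "94.199.51.108", "91.220.35.38",
    "77.79.7.136", "95.163.89.200", "91.228.133.120",
    "188.190.99.26", "87.120.41.191", "94.199.53.14",
}

# Loose dotted-quad matcher; membership in REDRET_IPS does the real filtering.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for m in REDRET_RE.finditer(line):
        hits.append(("domain", m.group(0).lower()))
    for m in IPV4_RE.finditer(line):
        if m.group(0) in REDRET_IPS:
            hits.append(("ip", m.group(0)))
    return hits


def scan_log(lines):
    """Return a list of (line_number, indicator_type, value) for every hit."""
    results = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            results.append((n, kind, value))
    return results


# Constructed sample lines (hypothetical, not from the diary). Line 1 hits on
# both the domain and the IP, line 3 on a one-letter prefix, line 4 is a
# near-miss the bounded regex must ignore, line 5 is caught by IP only.
SAMPLE_LOG = [
    "1323252000.123    412 10.1.2.3 TCP_MISS/200 18342 GET http://bzredret.ru/main.php?page=... - DIRECT/95.163.89.193 text/html",
    "1323252001.456     88 10.1.2.4 TCP_MISS/200 1231 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "07-Dec-2011 10:00:05.123 client 10.1.2.5#53123: query: aredret.ru IN A + (10.0.0.53)",
    "07-Dec-2011 10:00:06.789 client 10.1.2.6#53124: query: notredret.ru IN A + (10.0.0.53)",
    "1323252010.000    300 10.1.2.7 TCP_MISS/200 5000 GET http://cdn.example.net/x.js - DIRECT/89.208.34.116 application/javascript",
]


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} indicator {value}")
```

Run it against your own proxy, DNS or firewall logs by replacing SAMPLE_LOG with the file's lines. Matching on both the name and the address matters: a request that only shows the IP (as in the last sample line) would slip past a domain-only check, and a new prefix would slip past a static name list.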

-------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure

79.137.237.63 is hosting these domains:

  • crredret.ru
  • ctredret.ru
  • curedret.ru
  • czredret.ru

Anonymous
New DNS analysis (done about 2011-12-07 10:00 UTC) is here:

http://www.securemecca.com/Analysis/IP2Host.txt

One was not in DNS when I did the DNS run but is now, so I suspect they hop them every few hours to several days and they temporarily drop out of DNS. That localhost may be a red herring. Will add a regexp, which will be available in 1-3 hours. Let's see, with 26 * 26 = 676 combinations I suspect they put them up at one server and then move them every eight hours or several days. They may also swap to new names. IOW, regexp is the only way to fly. I thought these had gone away. Otherwise I would have added the pattern. Don't hold your breath - it may be gone in just weeks.
Henry