Wednesday, June 10, 2009

is static. a logs collector for rbn ? - part 0.4

During some attempts to study RBN it's been found something of interesting. Let to start from the following rogue antivirus spreading URL:


From robtex:

More interesting information for are discovered asking, again via ROBTEX, other details:

That appears as a list of possible names server and hostname for other rogue antivirus domains. Returning to the original url http:\\, it will tries to recognize the authoritative nameserver for the domain Again with robtex:

As shown in the screen shoot above, It seem the existence of two autorithative name server:

- (

Using the last ip address as HTTP URL with a web browser appear the following
"Index of/" page:

It's seem like a log repository folder. Moreover there is another folder named "logs" that contain the "csp" subfolder:

The log files that were analyzed contain information concerning the activities carried out by the web client. For instance the OS, the url visited, which FLASH stream the client has requested, as well which domain are requested by the clients and other activities. The following screen shots, shown three type of logs founded in the folders above (the IP address were specifically removed):

The content of a file within "index of/"

another one (again from "index of/")

another one but from /logs/csp folder

In the second screen shot above some of the IP address (removed) are related to other domains that are considered suspects, certain, however, are reported as RBN c&c. Also exploring the time line, some logs are bigger than others, as if to prove a massive campaign of possible malware propagation:

Some details about AS with bgplay:

It can be shown a reannouncment (date 2009-06-08) between AS8492 OBIT-AS Obit Telecommunications, St.Petersburg, Russia and AS24940 HETZNER-AS Hetzner Online AG RZ-Nuernberg

No comments:

Post a Comment