Following the Trail: Determining the Origins of Linux/Bckdr-RKC

We already know that both Linux/Bckdr-RKC variants I have received were hosted at 216.83.44.229, and that the first variant phoned home to 216.83.44.226.

Both of these IP addresses fall in a netblock registered to WIRELESS-ALARM.COM (not to be confused with the actual website wireless-alarm.com, which is registered to a completely different contact and is unrelated here).

Let's use what we already know to try to find the organization responsible for this malware.



Here is a traceroute I performed several days ago:

TraceRoute to 216.83.44.226

Hop  RTT 1      RTT 2      RTT 3      IP Address        Host name
  1  0 ms       0 ms       0 ms       206.123.64.154    jbdr2.0.dal.colo4.com
  2  0 ms       0 ms       0 ms       64.124.196.225    xe-4-2-0.er2.dfw2.us.above.net
  3  0 ms       Timed out  0 ms       63.218.23.29      ge5-4.br02.dal01.pccwbtn.net
  4  214 ms     214 ms     214 ms     63.218.252.86     ge9-39.br03.hkg04.pccwbtn.net
  5  214 ms     214 ms     258 ms     112.121.160.221   -
  6  213 ms     213 ms     213 ms     112.121.160.18    -
  7  218 ms     218 ms     217 ms     112.121.160.198   -
  8  213 ms     213 ms     212 ms     216.83.44.226     -


And here is the same traceroute as performed today:

TraceRoute to 216.83.44.226

Hop  RTT 1      RTT 2      RTT 3      IP Address        Host name
  1  12 ms      0 ms       0 ms       206.123.64.154    jbdr2.0.dal.colo4.com
  2  0 ms       0 ms       0 ms       64.124.196.225    xe-4-2-0.er2.dfw2.us.above.net
  3  0 ms       0 ms       0 ms       63.218.23.29      ge5-4.br02.dal01.pccwbtn.net
  4  212 ms     212 ms     212 ms     63.218.252.86     ge9-39.br03.hkg04.pccwbtn.net
  5  Timed out  Timed out  Timed out  -                 -
  6  Timed out  Timed out  Timed out  -                 -
  7  Timed out  Timed out  Timed out  -                 -
  8  Timed out  Timed out  Timed out  -                 -


It seems that either the responsible organization has been disconnected from the network by its provider, or it has deliberately disconnected itself to hinder analysis. Note where the path dies: the last hop that still answers is ge9-39.br03.hkg04.pccwbtn.net, PCCW's router in Hong Kong, and the 112.121.160.x hops that previously led into the target block no longer respond at all. Everything downstream of the transit provider has gone dark, not just the final host.
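To make that comparison mechanical rather than eyeballed, here is a small script (an added example, not part of the original post) that parses both traceroutes above, retyped as constructed input in a plain "hop rtt rtt rtt ip" form, and reports whether the target was reached, the hop at which the two paths diverge, the last hop that still answers, and the hop carrying the large RTT jump that marks the long-haul (Dallas to Hong Kong) link. The input format and all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the two traceroutes quoted in this post, retyped in a
# plain "hop rtt rtt rtt ip" form. Host names are dropped, "*" marks a probe
# that timed out and "-" marks a hop where nothing answered at all.
TRACE_BEFORE = """\
1  0 0 0  206.123.64.154
2  0 0 0  64.124.196.225
3  0 * 0  63.218.23.29
4  214 214 214  63.218.252.86
5  214 214 258  112.121.160.221
6  213 213 213  112.121.160.18
7  218 218 217  112.121.160.198
8  213 213 212  216.83.44.226
"""

TRACE_AFTER = """\
1  12 0 0  206.123.64.154
2  0 0 0  64.124.196.225
3  0 0 0  63.218.23.29
4  212 212 212  63.218.252.86
5  * * *  -
6  * * *  -
7  * * *  -
8  * * *  -
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[float]]   # None where the individual probe timed out
    ip: Optional[str]             # None where no probe got an answer


def parse_trace(text: str) -> List[Hop]:
    """Parse the constructed format above into a list of hops."""
    hops = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        rtts = [None if p == "*" else float(p) for p in parts[1:4]]
        ip = parts[4] if IPV4.fullmatch(parts[4]) else None
        hops.append(Hop(int(parts[0]), rtts, ip))
    return hops


def mean_rtt(hop: Hop) -> Optional[float]:
    vals = [r for r in hop.rtts if r is not None]
    return sum(vals) / len(vals) if vals else None


def last_responding_hop(hops: List[Hop]) -> Optional[Hop]:
    answered = [h for h in hops if h.ip is not None]
    return answered[-1] if answered else None


def first_divergence(before: List[Hop], after: List[Hop]) -> Optional[int]:
    """Hop number at which the two paths first differ by responding IP, or None."""
    for b, a in zip(before, after):
        if b.ip != a.ip:
            return b.number
    return None


def largest_rtt_jump(hops: List[Hop]):
    """(hop number, ms) of the biggest RTT increase between consecutive answering hops."""
    best = (None, 0.0)
    prev = None
    for h in hops:
        m = mean_rtt(h)
        if m is None:
            continue
        if prev is not None and m - prev > best[1]:
            best = (h.number, m - prev)
        prev = m
    return best


def compare(before_text: str, after_text: str, target: str) -> dict:
    before, after = parse_trace(before_text), parse_trace(after_text)
    last = last_responding_hop(after)
    return {
        "reached_before": any(h.ip == target for h in before),
        "reached_after": any(h.ip == target for h in after),
        "diverges_at_hop": first_divergence(before, after),
        "last_responding_ip": last.ip if last else None,
        "dark_hops_after": sum(1 for h in after if h.ip is None),
        "long_haul_hop": largest_rtt_jump(before)[0],
    }


if __name__ == "__main__":
    for k, v in compare(TRACE_BEFORE, TRACE_AFTER, "216.83.44.226").items():
        print(f"{k}: {v}")
```

The useful output is not "the host is down" but the last responding address: if it belongs to the transit provider and every downstream hop is silent, the customer side (or its whole allocation) has been withdrawn, which is a different situation from a single host being powered off behind a router that still answers.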

Starting with 216.83.44.226 and working backwards, let's see who this section of IP addresses is registered to.

216.83.44.0 - 216.83.44.255 is registered to WIRELESS-ALARM.COM

OrgName: WIRELESS-ALARM.COM
OrgId: WIREL-46
Address: 3026 Ensley 5 Points W Avenue
City: Birmingham
StateProv: AL
PostalCode: 35208
Country: US
RegDate: 2009-12-30
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/WIREL-46

OrgAbuseHandle: PQU12-ARIN
OrgAbuseName: Quagliano, Pedro
OrgAbusePhone: +1-877-605-5273
OrgAbuseEmail: pedroquagliano@cyanclouds.com

We already know that this is a fake registration, because all of my emails to pedroquagliano@cyanclouds.com were returned as non-deliverable due to DNS failures. That means the mail exchanger for cyanclouds.com could not be resolved at all, so the abuse contact of record is unreachable.

Let's go up a level in IP address ownership.


216.83.32.0 - 216.83.63.255 is owned by Ether.Net LLC. The rwhois record below comes from their server for that parent block (its authority area is 216.83.32.0/20); note that the specific assignment it describes is the neighbouring 216.83.46.0/24, allocated to InfoMove Hong Kong Limited, not the 216.83.44.0/24 we are tracking.

network:Class-Name:network
network:ID:216.83.32.0/20
network:Auth-Area:216.83.32.0/20
network:Network-Name:ETHRN-216-83-46-0
network:IP-Network:216.83.46.0/24
network:IP-Network-Block:216.83.46.0 - 216.83.46.255
network:Org-Name:InfoMove Hong Kong Limited.
network:Street-Address:Unit 2001, 20/F, New Tech Plaza, 8 Tai Yau Street
network:City:San Po Kong
network:State:HK
network:Country-Code:HK

Ether.NET appears to be a legitimate business operating in Hong Kong.

They have been around for many years. They have an AIM handle for support which I was able to trace back to 2003 postings on web hosting support forums. It is doubtful that they are involved, so let's shift our focus elsewhere.


Going back to the IP range owned by WIRELESS-ALARM.COM, 216.83.44.0 - 216.83.44.255, let's look at what else is hosted there.

From http://bgp.he.net/net/216.83.44.0/24#_dns as of 12/31/2011 6:21 PST

PTR records (reverse DNS) in the block:

216.83.44.31    mail.bostonyarn.com
216.83.44.54    fold.bronxbreakfast.com
216.83.44.113   prn.iselinnotebook.com
216.83.44.115   joplinyear.com
216.83.44.116   mail.joplinyear.com
216.83.44.189   proe.northandoverschool.com
216.83.44.191   northbendlearning.com
216.83.44.202   wink.norwellobservation.com
216.83.44.204   mail.philadelphiafather.com
216.83.44.221   copy.southplainfieldfeet.com

A records (domains resolving into the block):

216.83.44.2     ns1.cyanclouds.com
216.83.44.3     ns2.cyanclouds.com
216.83.44.10    22073.com
216.83.44.18    int-pe.com, interush-pe.com
216.83.44.19    oll365.com
216.83.44.42    centrinofund.com, cf-pe.com
216.83.44.44    games456.us, gamt465.com, gmae456.info
216.83.44.45    com-com-com-com-com.com
216.83.44.46    111i.net, 23u9.com, 55-com.com, gamex6.com, llgame.net, org2.net
216.83.44.66    bmp79.com
216.83.44.67    app67.com, apt67.com, bbv78.com, bul79.com, ddc77.com, ght33.com, jjt55.com, jpg77.com, kky55.com, mmx88.com, rtr66.com, sta78.com, tgg33.com, uub33.com, vbo33.com, vvx45.com
216.83.44.68    aaz33.com, ccx89.com, ygk77.com
216.83.44.69    abo34.com, bmn99.com, ccx66.com, ese55.com, ffs234.com, jsa52.com, kbx33.com, kut99.com, kyy78.com, myb78.com, nnc99.com, rka77.com, ssx69.com, ttx77.com, tvn66.com, wsd22.com
216.83.44.70    kgb69.com
216.83.44.82    66hw.net, hk888.net
216.83.44.90    clubwptasia.com, haedongcheong.com, oce365.com, openrace24.com
216.83.44.99    ylg886.com
216.83.44.122   hg1138.com
216.83.44.123   fh636.com, hg3968.com, hk638.com, yh372.com
216.83.44.131   hg0608.com, hg1918.com, hg4568.com, hg9168.com, hg9338.com
216.83.44.132   hg7678.com
216.83.44.154   sc93.com
216.83.44.155   tv105.com
216.83.44.156   duooo.com
216.83.44.157   bbsveb.com
216.83.44.163   1999829.com, 3771mm.info, 911meinv.info, mytaojia.com, qgxinxi.info, taaobbao.com, wawachina.info, yayaqq.info
216.83.44.164   360meinv.info, 920meinv.com, 999taobao.com, kissbye.info, tabaserver.com
216.83.44.165   265gc.com
216.83.44.166   439995.com
216.83.44.186   03hz.com, 18018.com
216.83.44.194   ckk67.com, fta79.com, jkj88.com, ktm77.com, ktm99.com, mou79.com, nvb89.com, pub79.com, ssr999.com, ssx778.com, tot66.com, tut88.com, utp79.com, vub99.com, xxr44.com, yyc33.com
216.83.44.195   aki77.com, amu77.com, arp77.com, arv99.com, avc77.com, eed69.com, gje88.com, mmb77.com, mpo77.com, tup77.com, vcd79.com
216.83.44.197   vvz69.com
216.83.44.204   e8lvbet.com, i3mic.com
216.83.44.218   hg0035.com, hg1090.com
216.83.44.219   hg1095.com, hg8869.com
216.83.44.228   lcddos.com
216.83.44.229   todayg.com, xy100000.com
216.83.44.243   hg0091.com, hg0093.com, hg0094.com
216.83.44.245   hg0092.com
216.83.44.250   tt95588.com


Hmm, remember the registration for WIRELESS-ALARM.COM?
Its abuse contact pointed at cyanclouds.com... and the name servers for cyanclouds.com (ns1 and ns2, at 216.83.44.2 and 216.83.44.3) happen to be hosted in the same netblock. Could it be that cyanclouds.com is also controlled by the responsible organization?

So let's lookup the contact info for cyanclouds.com...

Domain Name: CYANCLOUDS.COM
Registrar: DIRECTNIC, LTD
Whois Server: whois.directnic.com
Referral URL: http://www.directnic.com
Name Server: NS1.CYANCLOUDS.COM
Name Server: NS2.CYANCLOUDS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 31-jan-2011
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2012

Registrant:
Good Names Network
342 Broadway
New York, NY 10013
US
212-555-1212


Domain Name: CYANCLOUDS.COM

Administrative Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212


Technical Contact:
Operations, Network goodnames@yahoo.com
342 Broadway
New York, NY 10013
US
212-555-1212


It looks like cyanclouds.com is registered by "proxy" through another company called the "Good Names Network". But wait... is this company real either?

212-555-1212 will simply give you directory assistance for the 212 area code (New York).

342 Broadway is actually a UPS Store which offers mailbox services, so this could be anyone.

So, another dead end? This malware, which has definite Chinese origins, also has a link to an anonymous business in New York.

This is where I'd like to point out the marvels of Google, specifically Google Street View.

Without Google Street View, we would never have known that next door to this UPS Store, at 344 Broadway, is a shop called "Broadway Cleaners". A quick Google search shows that Broadway Cleaners is actually owned by someone at 95 Worth Street, which happens to be in Chinatown.

Please note that this is absolutely speculation, and that there is no proof whatsoever that anyone at Broadway Cleaners has anything to do with this. However, the fact that the malware has definite ties to China, and the fact that the proxy company behind the abuse-contact domain for WIRELESS-ALARM.COM's IP block sits right next door to a business originating in Chinatown, is a very interesting coincidence.

Unfortunately this is where the trail goes cold.

This search for the origin of this malware has possibly raised more questions than it has answered. But one thing is certain: the network framework for this malware has been in place for some time. WIRELESS-ALARM.COM's IP block and cyanclouds.com have both been registered since 2009. This is not the work of a "fly-by-night" script kiddie. Careful planning went not only into developing this malware, but also into establishing the hosting it would use and hiding its true origins.