[RBN] QUALITYNET.NET / KUWAITNET.NET {source}, PAIR.COM {relay}, RIPE.NET {bogus netblock assignment} - ("Income statement")
Newsgroups: news.admin.net-abuse.sightings
Followup-To: news.admin.net-abuse.email
From: Abuse Reporting Account <abuse-rep...@appropriate-tech.net>
Date: Tue, 30 Oct 2007 11:30:03 +0000 (UTC)
Local: Tues, Oct 30 2007 7:30 am
Subject: [EMAIL][RBN] QUALITYNET.NET / KUWAITNET.NET {source}, PAIR.COM {relay}, RIPE.NET {bogus netblock assignment} - ("Income statement")
Dear Postmaster and/or Abuse Desk Manager:

The following VIRUS-INFECTED UNSOLICITED ADVERTISING MESSAGE was sent to
our E-Mail/FAX system from or via your system, or by your user.  [NOTE: The
spam was sent to a NONEXISTENT address at a "parked" domain; hence, it has
NEVER been used to "opt-in" to anything.  Please see our Mail Traffic
Acceptance Policy at <http://www.appropriate-tech.net/mtap.htm>.]

The (now-deleted, of course) attachment (named "debt2007.pdf") contained a
trojan downloader variously known as "Exploit.PDF-1" and "Trojan.Pdief.A",
as described at:

    <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5020>
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5020>
    <http://www.securityfocus.com/bid/25748>
    <http://www.adobe.com/support/security/bulletins/apsb07-18.html>
    <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139103>

<http://www.symantec.com/business/security_response/writeup.jsp?docid=...
02310-3513-99>

An examination of said attachment with a Hex editor shows that the trojan
attempts to download malware from IP [81.95.146.181] (no rDNS).  This is
part of an IP block [81.95.144.0 - 81.95.147.255] reportedly assigned by
RIPE, yet with (presumably forged) registration data pointing to Panama
City, Panama and/or China.  This IP block is listed
(<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL43489>) by SpamHaus.Org as
the home of the notorious ROKSO-listed (<http://tinyurl.com/2z2mld>) spam
gang, "Russian Business Network".  As has been widely reported (cf.
<http://tinyurl.com/3aoff6>, <http://tinyurl.com/yoyh6w>,
<http://tinyurl.com/2p966y>, <http://tinyurl.com/3bsvzm>,
<http://rbnexploit.blogspot.com/>, etc.), the "Russian Business Network" or
"RBusiness Network" is a blatantly criminal enterprise, responsible for all
manner of "cyber crime" including phishing, fraud, identity theft, kiddie
porn, and massive quantities of spam sent via illicit "botnets" of hijacked
"zombie" PCs.  Notably, the DNS "A" record for <www.rbnnetwork.com> is a
CNAME to <rbnnetwork.com>, while <rbnnetwork.com> itself resolves to
[127.0.0.1].  The spam being reported here was apparently yet another
attempt to enlist still more innocent users' systems into said "botnet".  

Specific requests:

    QUALITYNET.NET / KUWAITNET.NET:  The VIRUS-INFECTED UNSOLICITED
ADVERTISING MESSAGE appears to have originated from within your network at
IP: [62.150.38.94] (rDNS: <adsl20-94.qualitynet.net>).  Ergo, either the
spammer is your customer/user, or your network security is woefully
inadequate.  Given that this block [62.150.38.0 - 62.150.38.255] of IP
addresses is a pool of dynamically-assigned ADSL lines, I'd bet on the
latter; but either way, it is imperative that you remove the
offending/malfunctioning system/network from service IMMEDIATELY, and leave
it off-line at least until such time as it can be properly configured to
prevent this abuse.  If upon subsequent further investigation, you find the
former scenario to apply, please terminate the corresponding account(s),
and do not allow the abuser to do any further business with your firm
(including under any alias).

    PAIR.COM:  You accepted the VIRUS-INFECTED UNSOLICITED ADVERTISING
MESSAGE from the above-cited source.  That's bad enough; but worse, you
subsequently relayed it to our primary MX server, WITH THE VIRUS INTACT.
That is simply unacceptable.  As shown by the above-cited authoritative
references, this particular virus/trojan/exploit has been well-known for
more than a month.  Therefore, I cannot fathom ANY plausible excuse for
your having propagated it.

    RIPE.NET:  The above-cited IP block assignments [81.95.144.0 -
81.95.147.255] and [81.95.144.0 - 81.95.159.255], collectively comprising
[81.95.144.0/20] as listed at
<http://www.spamhaus.org/sbl/sbl.lasso?query=SBL43489> are clearly and
obviously fraudulent, and used solely for criminal purposes.  Please
rescind these assignments IMMEDIATELY.

    ALL:  Please note that you DO NOT have permission to pass on this
complaint, or provide this E-Mail address or any other information which
may serve to reveal my identity, to your customer.  List-washing is NEVER
an acceptable or ethical response to an abuse report.  Also, upon the
completion of your investigation, please provide to us the name, company
name (if any) and street address of the spammer, so that we may initiate
legal action for recovery of damages.

Thank you.

Following is a full copy (with headers) of the VIRUS-INFECTED UNSOLICITED
ADVERTISING MESSAGE in question (without the malicious attachment, of course):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Text of VIRUS-INFECTED UNSOLICITED ADVERTISING MESSAGE follows:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Return-path: <wsqeenys...@bosschair.com>
Received: from fwd3.pairnic.net (216.92.3.113) by mx0.appropriate-tech.net
(Mercury/32 v4.01c) with ESMTP ID MG00081C;
   30 Oct 2007 01:42:35 -0400
Received: from adsl20-94.qualitynet.net (adsl20-94.qualitynet.net
[62.150.38.94])
        by fwd3.pairnic.net (Postfix) with ESMTP id 395B9BDF27
        for <[REDACTED]@appropriate-tech.com>; Tue, 30 Oct 2007 01:42:11 -0400 (EDT)
Received: from [62.150.38.94] by audacious.xo.com; Tue, 30 Oct 2007
08:37:02 +0300
Message-ID: <01c81ad0$0b254210$5e26963e@wsqeenyskdd>
From: "Lori Manley" <wsqeenys...@bosschair.com>
To: <[REDACTED]@appropriate-tech.com>
Subject: Income statement
Date: Tue, 30 Oct 2007 08:37:02 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01C81AD0.0B254210"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409

Your document is attached.

Attachment Converted: "\[LOCAL PATH REDACTED]\debt2007.pdf"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
End text of VIRUS-INFECTED UNSOLICITED ADVERTISING MESSAGE.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators.  All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

        http://www.killfile.org/~tskirvin/nana/
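The report above attributes the message to 62.150.38.94 by reading the quoted Received headers from the top down. As an added example that is not part of the original post, the Python below does that walk mechanically: it unfolds the headers exactly as quoted in the report (with the folding whitespace the web archive stripped from continuation lines restored), extracts each hop's "from" host/IP, "by" host and timestamp, and stops at the first hop stamped by a host inside an assumed trust boundary (our own MX plus the pair.com forwarder, the set TRUSTED_HOSTS, which is this example's assumption, not something the report defines). Hops below that point, such as the audacious.xo.com stamp, were written by hosts outside that boundary and are counted as unverifiable rather than trusted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Headers of the forwarded spam as quoted in the report above; the leading
# whitespace on continuation lines (lost in the web archive) is restored here.
SAMPLE_HEADERS = """\
Return-path: <wsqeenys...@bosschair.com>
Received: from fwd3.pairnic.net (216.92.3.113) by mx0.appropriate-tech.net
 (Mercury/32 v4.01c) with ESMTP ID MG00081C;
   30 Oct 2007 01:42:35 -0400
Received: from adsl20-94.qualitynet.net (adsl20-94.qualitynet.net
 [62.150.38.94])
        by fwd3.pairnic.net (Postfix) with ESMTP id 395B9BDF27
        for <[REDACTED]@appropriate-tech.com>; Tue, 30 Oct 2007 01:42:11 -0400 (EDT)
Received: from [62.150.38.94] by audacious.xo.com; Tue, 30 Oct 2007
 08:37:02 +0300
Message-ID: <01c81ad0$0b254210$5e26963e@wsqeenyskdd>
From: "Lori Manley" <wsqeenys...@bosschair.com>
Subject: Income statement
"""

# Hosts whose Received stamps we take at face value (an assumption for this
# example): our own MX and the pair.com forwarder that handed the message to it.
TRUSTED_HOSTS = {"mx0.appropriate-tech.net", "fwd3.pairnic.net"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECEIVED_CLAUSE = re.compile(r"\bfrom\s+(.*?)\s+by\s+([^\s;]+)", re.S)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(value: str) -> Dict[str, Optional[str]]:
    """Pull the 'from' host/IP, the 'by' host and the timestamp out of one Received value."""
    m = RECEIVED_CLAUSE.search(value)
    if not m:
        return {"from_host": None, "from_ip": None, "by": None, "date": None}
    from_part, by_host = m.group(1), m.group(2)
    first = from_part.split()[0]
    ip = IPV4.search(from_part)
    # A bare address literal such as [62.150.38.94] carries no hostname claim.
    from_host = None if IPV4.fullmatch(first.strip("[]")) else first
    date = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {"from_host": from_host, "from_ip": ip.group(1) if ip else None,
            "by": by_host, "date": date}


def parse_message(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return the Received hops in header order, i.e. newest (closest to us) first."""
    hops = []
    for line in unfold_headers(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() == "received":
            hops.append(parse_received(value.strip()))
    return hops


def find_origin(hops, trusted) -> Optional[Tuple[Optional[str], Optional[str], int]]:
    """Walk down from our MX and stop at the first hop stamped by a trusted host
    whose sender is not itself trusted.  Everything below that hop was written
    by hosts outside the trust boundary and cannot be verified from the headers."""
    for index, hop in enumerate(hops):
        if hop["by"] in trusted and hop["from_host"] not in trusted:
            return hop["from_ip"], hop["from_host"], index
    return None


def unverifiable_hops(hops, trusted) -> int:
    """Count the Received stamps below the origin hop; they are only the sender's word."""
    found = find_origin(hops, trusted)
    return 0 if found is None else len(hops) - found[2] - 1


if __name__ == "__main__":
    hops = parse_message(SAMPLE_HEADERS)
    for h in hops:
        print(f"{str(h['by']):<28} from {h['from_host'] or '(address literal)'} "
              f"[{h['from_ip']}] at {h['date']}")
    print("origin:", find_origin(hops, TRUSTED_HOSTS))
    print("unverifiable hops below origin:", unverifiable_hops(hops, TRUSTED_HOSTS))
```

Run as-is it reports the origin as 62.150.38.94 (adsl20-94.qualitynet.net), stamped by fwd3.pairnic.net, with one unverifiable hop beneath it; the same walk applies to any message once TRUSTED_HOSTS is set to the hosts whose stamps you actually control or have reason to trust.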