2010/12/19

Hehachi, AnonOps, WikiLeaks and SpamHaus

As you may or may not know, somebody has recently hosted a WikiLeaks website, wikileaks.info, on Heihachi.net. Whether the wikileaks.info mirror is under control of Wikileaks or not is debatable and I would truly hope not. However a mirror of a popular website under criminal control does pose many opportunities for a cyber criminal. We need to note that the official list of Wikileaks mirrors does not link to wikileaks.info, whereas wikileaks.info claims affiliation with the official mirrors.

Obviously this may or may not be an attempt evade website take downs of the information they Wikileaks is publishing. However, this author was horrified the choice of hosting provider. Heihachi is all to well known as a resource for scammers and other internet miscreants that uses the anonymity of the net to victimize innocent internet users. In my observations I have found a constant flow of:
  • Phishing kits
  • Infected music downloads
  • Carding forums (Carders.cc also ran to Heihachi after being hacked, though by no means unique)
  • Hacking tools
  • DDoS Tools
  • DDos Command and Control's
  • Hate websites (including one publishing a list of home addresses of police in Germany for victimization)
... and a list of other websites that any self respecting hosting provider would never allow on his servers.

Of concern is the responses of Heihachi to abuse reports and communications, they condone abuse. Only one example response is "we allow botnets.","Yes, sure, we allow. Give us money and we host you and we will **** the german police".

In the light of the recent Wikileaks debacle, when hosting was taken up for a mirror Wikileaks, it directly flew in the face of what Wikileaks is supposed to stand for. Here we have Wikileaks, that defends the rights to know of normal people, being mirrored at a party that specializes in victimizing ordinary people and in effect assists in depriving law enforcement of methods to protecting ordinary citizens. Now matter your view on this Wikileaks issue, any party supporting cyber crime should not be a business partner.

As such I could only nod in silent appreciation of SpamHaus'es warning to Wikileaks. A similar warning was issued by Trend Micro.

However what followed was a bizzare and all to well know pattern of DDoS against anybody that dare mention about anything negative Hehachi related. At the same time at this refute appeared on wikileaks.info:

Spamhaus' False Allegations Against wikileaks.info

Published 15-Dec-2010, 8:00 AM GMT

On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:

http://www.spamhaus.org/news.lasso?article=665

We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.

While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.

Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.

Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.

Wikileaks.info will always be safe and clean. Promised:

Google Safe Browsing Check for wikileaks.info

Update (15-Dec-2010 17:00 PM GMT): Spamhaus has updated their statement to say that they don't blacklist us.

The wikileaks.info Team


Nothing of this debacle was mentioned on the officially verified Wikileaks mirrors.

Also of note, the same Google safe browsing link used in retort by wikileaks.info, just serves to confirm what Spamhaus, Trend Micro and a host of other parties know and are saying. From http://www.google.com/safebrowsing/diagnostic?site=wikileaks.info

What happened when Google visited this site?

Of the 13 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-12-19, and suspicious content was never found on this site within the past 90 days.

This site was hosted on 3 network(s) including AS6772 (IMPNET), AS41947 (WEBALTA), AS8473 (BAHNHOF).

Very interesting, but however no guarantee for the future. But let us take a closer look at what Google is telling us:
AS6772 (IMPNET): Hosted 1.82% dangerous sites.
Of the 165 site(s) we tested on this network over the past 90 days, 3 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
AS41947 (WEBALTA): Hosted 7.63% dangerous sites.
Of the 37087 site(s) we tested on this network over the past 90 days, 2829 site(s), .... served content that resulted in malicious software being downloaded and installed without user consent.
AS8473 (BAHNHOF): Hosted 1.10% dangerous sites.
Of the 1900 site(s) we tested on this network over the past 90 days, 21 site(s) .... served content that resulted in malicious software being downloaded and installed without user consent.
While it is difficult quantifying those numbers, what is clear is that Webalta, the upstream provider for Heihaci, has a five times more likelihood of infecting your PC or stealing your information than other providers for wikileaks.info. In the global scheme of badness, Webalta ranked 4th worst in the HostExploit reports. While it needs to be noted that Heihachi is one hosting providers on the Webalta network, they have been linked to various groups, I refrain from saying business since we do not know if they really are, on Webalta.

In a separate post I will list on the domains hosted on the same address as Wikileaks.info. Reading through these domain names belies the Wikileaks.info statement.

Now, apparently AnonOps is responsible for the ongoing DDoS. Or is this just what some nefarious party would like you to believe? SpamHaus has done some digging and currently have published piece of information about the ongoing DDoS:
This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.
An IP address lookup done on the 9th of Dec 2010 on irc.anonops.net, also causes more reason for concern:
Non-authoritative answer:
Name: irc.anonops.net
Addresses: 69.60.115.75, 83.169.21.109, 88.198.224.117, 91.121.72.103, 92.241.190.94, 199.19.226.231, 67.23.234.51, 67.220.74.147
Of note is IP address
92.241.190.94
inetnum: 92.241.190.0 - 92.241.190.255
netname: HEIHACHI
descr: Heihachi Ltd
country: RU
admin-c: HEI668-RIPE
tech-c: HEI668-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered
Did somebody give AnonOps some bad advice? On this IP address we find the following website: RESISTANCIA.ORG

It was also the IP address for the domains anonops.net. anonops.org and anonops.com, although the DNS has been disabled.

However the Heihachi worm gives another twist upon doing a whois lookup on RESISTANCIA.ORG:
Domain ID:D159346719-LROR
Domain Name:RESISTANCIA.ORG
Created On:04-Jun-2010 20:34:17 UTC
Last Updated On:19-Dec-2010 10:00:05 UTC
Expiration Date:04-Jun-2011 20:34:17 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:917350c3ec1914e0
Registrant Name:Protected-ns.info Whois Protection Registrant Organization:Dinghost Limited Registrant Street1:Calle 53, Marbella Registrant Street2: Registrant Street3: Registrant City:Panama Registrant State/Province:PA Registrant Postal Code:10000 Registrant Country:PA Registrant Phone:+507.8321488 Registrant Phone Ext.: Registrant FAX:+507.8321488
Registrant FAX Ext.:
Registrant Email:abuse@protected-ns.info
Admin ID:917350c3ec1914e0
Admin Name:Protected-ns.info Whois Protection
Admin Organization:Dinghost Limited
Admin Street1:Calle 53, Marbella
Admin Street2:
Admin Street3:
Admin City:Panama
Admin State/Province:PA
Admin Postal Code:10000
Admin Country:PA
Admin Phone:+507.8321488
Admin Phone Ext.:
Admin FAX:+507.8321488
Admin FAX Ext.:
Admin Email:abuse@protected-ns.info
Tech ID:917350c3ec1914e0
Tech Name:Protected-ns.info Whois Protection
Tech Organization:Dinghost Limited
Tech Street1:Calle 53, Marbella
Tech Street2:
Tech Street3:
Tech City:Panama
Tech State/Province:PA
Tech Postal Code:10000
Tech Country:PA
Tech Phone:+507.8321488
Tech Phone Ext.:
Tech FAX:+507.8321488
Tech FAX Ext.:
Tech Email:abuse@protected-ns.info
Name Server:DNS1.NAME-SERVICES.COM
Name Server:DNS2.NAME-SERVICES.COM
Name Server:DNS3.NAME-SERVICES.COM
Name Server:DNS4.NAME-SERVICES.COM
Name Server:DNS5.NAME-SERVICES.COM
As the registrar Enom and a host of other providers for Heihachi have already been informed so many times, Calle 53, Marbella is the address of the World Trade Centre in Panama, an incomplete address not meeting the requirements of whois registration data.

This address has been used all to many times by Heihachi. As an example, on 2010-05-17 the whois record for Heihachi.net reflected:
Registration Service Provided By: Heihachi LTD.
Contact: support@heihachi.net
Visit: www.heihachi.net

Domain name: heihachi.net

Registrant Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION ()

Fax:
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Administrative Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (abuse@heihachi.net)
+507.8321668
Fax: +507.8321668
Calle 53, Marbella
Bella Vista
Panama, PA 00000
PA

Technical Contact:
Heihachi.net
Heihachi Ltd WHOIS-PROTECTION (support@heihachi.net)
+507.8321668
Fax:
Calle 53, Marbella
Bella Vista
Panama, PANAMA 00000
PA

Status: Locked

Name Servers:
NS0.XNAME.ORG
NS1.XNAME.ORG
NS2.XNAME.ORG
Since then Heihachi have availed themselves of Whois Privacy Protection Service.

A search on the given telephone number +507.8321488 yields interesting results:
macbilliger.com with scam alerts
russiansubtitles.com where a Google search says a lot
hardcoremt2.com no explanation needed
It seems Heihachi is related to DingHost in whatever affiliation and in turn resistancia.org used DingHost.

But a quick search on resistancia.org reveals malware issues for this domain. As an example http://support.clean-mx.de/
Likewise http://www.threatexpert.com

So who is behind this SpamHaus attack?

At this stage all I would risk saying is Wikileaks are not part and parcel of the issue at hand. This does beg the question who is though. What is known is that a previously exploit domain resistancia.org shared the same IP address as AnonOps, Wikileaks.info is sharing a very direty IP address that does not belong on any clean IP list by any stretch of imagination.

What is clear is that SpamHaus and WikiLeaks are both victims to something that hatched on Heihachi and whatever it was, it was not good, showing the all to familiar pattern DDoS'ing.

A very big question mark hangs over AnonOps. We have to consider this is a group of loosely associated individuals. If the party arranging the hosting and tools of AnonOps was in the know of what was happening or not on Heihachi's IP's is another question. It does serve as a major red flag for those who merrily follow an unknown Pied Piper in "good causes". Make sure who you associate with.

It is also just another example of bad unaccountable things emanating from Heihachi or touching anything to do with Heihachi.

Personally I have no doubt the Wikileaks situation became exploitable when SpamHaus highlighted this serious issue. Immediately Operation Payback became payback for past blacklistings by SpamHaus, using an instant army of unwitting do-gooders protecting freedom of speech, or so the DDoS'ers thought.

In a separate post I will be posting domains found on the same IP address, 92.241.190.202, as which is used for Wikileaks.info.





No comments:

Post a Comment