Now that the Symantec write-up seems legit, here’s a little background digging I did the other day on the domains. I think this sort of information is mainly idle speculation, but rather than simply presenting opinions I’m going to provide screenshots. This is based on looking up network information for the domains listed by Symantec, namely:
- yahooo.8866.org
- sl1.homelinux.org
- 360.homeunix.com
- li107-40.members.linode.com
- ftp2.homeunix.com
- update.ourhobby.com
Here’s what I saw:

Interestingly, the first hostname is in Korea, not China. If you want to ping the admin, the info is listed as:

Another domain, sl1.homelinux.org, is again on shared hosting, and it has multiple domains, including some associated with Russia:

Another hostname, 360.homeunix.com, has a little more info. The hostname is set to localhost, but the domain appears to be in the US:

Same with update.ourhobby.com:

Though, in fairness, it appears to be only a US-based service:

li107-40.members.linode.com actually had some info:

If you look above, you see the IP is US-based with US-based points of contact, though one appears to be Canadian as well.
Finally, yahooo.8866.org appears to be in China:

A lot of the speculation is based on IP addresses and where they resolve to. I believe this is a poor way to do analysis. If I were a criminal or a nation state, I would certainly own a lot of easy third-party hosts and create a very complex path that would make it near impossible to establish my true identity. I don’t believe the Chinese would be easily attributed back to Chinese IP addresses. Additionally, if you look at the above, it’s not entirely clear that China is the sole source. There are Chinese, Korean, and US hosts/domains. This might provide things to think about as others speculate about attribution based on where the malware connects back to.
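The kind of lookup walked through above, as an added example that is not part of the original post: a small Python helper that parses whois-style "key: value" output, groups hostnames by the IP they resolve to (several names on one IP means shared hosting, so the neighbouring domains say nothing about who runs the one you care about), and tallies the registrant countries so you can see at a glance when the infrastructure is not all in one place. Every hostname, IP (RFC 5737 documentation ranges) and whois record in it is a constructed placeholder, not data from the screenshots or from any real registry; `live_lookup()` is the only part that touches the network and is there for running the same triage against real hostnames.

```python
"""Offline triage helper: parse whois text, find shared hosting, tally countries.

All sample data below is constructed for illustration. The hostnames, IPs and
registry fields are placeholders, not real resolutions or real whois records.
"""
import socket
from collections import defaultdict


def parse_whois(text):
    """Parse RIPE/ARIN-style 'key: value' whois output into a dict.

    Keys are lower-cased so 'NetName:' (ARIN) and 'netname:' (RIPE) collide.
    Repeated keys (e.g. several 'descr:' lines) are collected into a list.
    Comment lines starting with '%' or '#' and blank lines are skipped.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the FIRST colon only
        key, value = key.strip().lower(), value.strip()
        if key in fields:
            if isinstance(fields[key], list):
                fields[key].append(value)
            else:
                fields[key] = [fields[key], value]
        else:
            fields[key] = value
    return fields


# Constructed sample: (hostname, resolved IP, whois text for that IP).
# 203.0.113.5 is deliberately reused so two names land on one IP.
SAMPLE_RECORDS = [
    ("c2-a.example.org", "192.0.2.10",
     "% Constructed sample, not a real record\n"
     "netname: EXAMPLE-NET-A\n"
     "descr: Example Hosting Co\n"
     "descr: shared web hosting\n"
     "country: CN\n"
     "abuse-mailbox: abuse@example.net\n"),
    ("c2-b.example.org", "198.51.100.7",
     "NetName: EXAMPLE-NET-B\nCountry: KR\nOrgAbuseEmail: abuse@example.org\n"),
    ("c2-c.example.org", "203.0.113.5",
     "NetName: EXAMPLE-VPS\nCountry: US\nOrgName: Example VPS LLC\n"),
    ("c2-d.example.org", "203.0.113.5",
     "NetName: EXAMPLE-VPS\nCountry: US\nOrgName: Example VPS LLC\n"),
    ("c2-e.example.org", "203.0.113.9",
     "NetName: EXAMPLE-VPS\nCountry: US\nOrgTechName: Example Tech Contact\n"),
]


def shared_hosts(records):
    """Return {ip: [hostnames]} for every IP that more than one hostname maps to.

    Two or more names on one address is at least shared hosting; the other
    names there are co-tenants, not evidence about the operator of yours.
    """
    by_ip = defaultdict(list)
    for hostname, ip, _ in records:
        by_ip[ip].append(hostname)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def country_tally(records):
    """Return {country_code: [hostnames]} from each record's whois 'country'.

    Missing country becomes '??' rather than being silently dropped.
    """
    tally = defaultdict(list)
    for hostname, _, whois_text in records:
        country = parse_whois(whois_text).get("country", "??")
        if isinstance(country, list):  # some registries repeat the field
            country = country[0]
        tally[country.upper()].append(hostname)
    return dict(tally)


def live_lookup(hostname, timeout=5.0):
    """Forward-resolve a hostname and fetch its PTR. Needs network access."""
    socket.setdefaulttimeout(timeout)
    ip = socket.gethostbyname(hostname)
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        ptr = None  # no reverse record; a PTR of 'localhost' is equally uninformative
    return ip, ptr


if __name__ == "__main__":
    for ip, names in shared_hosts(SAMPLE_RECORDS).items():
        print(f"{ip}: shared by {', '.join(names)}")
    for country, names in sorted(country_tally(SAMPLE_RECORDS).items()):
        print(f"{country}: {len(names)} host(s)")
```

Run against the constructed sample it reports one shared IP and three countries; swap in the output of `whois <ip>` and `live_lookup(hostname)` to do the same for a real list. The takeaway is the one the post makes: the tally tells you where the boxes are, not who rented them.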
UPDATE:
Saw this link associated with the email address (ppyy@bentium.com): http://archives.neohapsis.com/archives/postfix/2001-05/1841.html. Further, if you look up the domain 8866.org you see things like: http://google.com/safebrowsing/diagnostic?site=8866.org/
The more I see, the more it looks like a regular malware domain. Maybe “the real bad guys” hacked 8866.org to then hack Google and those 36 other companies, but if I wanted to stay off the radar at all, this seems like a really bad idea. I’m thinking regular malware.
All screenshots are from www.centralops.net or www.robtex.com