Home

mcs.setx.in - a draft in an attempt to kickstart myself

March 13, 2009 - 23:23 — Rune

Sort of kicking myself in the ass. As a starter, to get something written.

I have thought about writing about this one for some time now.
A bit outdated, but at the same time maybe still a bit interesting.
The domain setx.in is gone now, but I think the rest of the chain of info is intact.

There will be a lot of the usual "maybes" and tiny connections. And some connections that are easy to verify. The value of it? I don't know.

For now, I settle with an old screenshot from Googles cache from November last year (thanks to robtex.com):

mcs.setx.in on McColo November 2008

I ended up in Ukraine, as I often do nowadays.
Malware, spam, dos, antiddos and perhaps something remotely related to Russias cyberattack on Georgia.
Could be interesting figure(s), the Khrenov(s).

I wonder if I ever get around to get this one finished?
The only way I seem to get it done is by filling in some stuff now and then.

So here we go:

March 14:

This post from December last year is somewhat related if you compare the IPs ( 208.72.168.62) in the screenshot above with the one in the posting : Asprox - Bad Gateway
Not much in common, only one IP on the now gone McColo network with domains from the Asprox botnet and the subdomain mcs.setx.in. But hey, it is something.
Especially if this was an IP solely controlled by the same guy(s).

A couple of details from the whois info for setx.in (registered with Directi, as I mentioned earlier the domain has now expired):

  • Registrant Name: DorbiK
  • Registrant Email: info@antiddos.eu

That should be enough info if you are a bit impatient and don't have time to wait for me. So if you are curious, go ahead. I've probably overlooked something too.

Kind of acceleration, whois info for antiddos.eu led me to the email address setx.mail@gmail.com.
And the contact page at antiddos.eu gave "icq: 149953634" and "skype: D0rbik" as contact points.
I will probably come back to the icq later.

But I also found similar whois info as for setx.in lying around on my HD:
httpdoc.info:

  • Registrant Name: DorbiK
  • Registrant Email: info@antiddos.eu

One interesting read about httpdoc.info found on threatexpert's blog from July 20, 2008:
Hacker Attack Follows Military Fighter Jets

A few quotes from that blog:

Now, the political tension in South Ossetia region has spread into the cyber space with the new distributed denial of service attack against the website of the Georgian President Mikhail Saakashvili (www.president.gov.ge).
As indicated by Steven Adair from the Shadowserver Foundation, who was the first to report about this DoS attack, the C&C server used in it has the IP address 207.10.234.244.

...

Another C&C contacted by the same bot resides at httpdoc.info. Searching this domain at ThreatExpert returns reports on several threats.

March 15:

Good morning.
Not too systematic progress in this posting.

A small detail in this screenshot from googles cache some months ago:
setx.mail@gmail.com, icq 724834 offering spam services on spamsoft.bz
(Click for a bigger one, note the email address setx.mail@gmail.com and icq 724834)

If you now check the whois info for antiddos.eu and antiddos.org, you will find:

  • Registrant email: setx.mail@gmail.com for antiddos.eu
  • Admin Email: setx.mail@gmail.com for antiddos.org

So this small little detail adds "blood leased spam bots system (bot mailer") to "setx.mail@gmail.com's" arsenal of services. And the icq # 724834 is of course interesting too.
In addition to the "antiddos".

The paradox is that he was offering ddos services back in 2007.
Here is a small screenshot from thebugs.ws back in 2007:
ICQ 724834 offering DDoS Service back in 2007

Note the icq # again: 724834.
Full link to the page where the screenshot is from:
http://www.thebugs.ws/forum/?a=open&fid=14&id=301768

Is this a kind of "pay for our antiddos service or else we'll ddos you"?
I don't know.

But anyway, so far we have spamming services, antiddos services and DDoS services.
Nice guys.

There is also a tiny little connection to an interesting email address in the whois info for another domain. I've got to find that one, I'm putting stuff all around and forgot where I put it.
I don't quite know how I should read an email address like "team@russia-vs-georgia.org".

But the Khrenov(s) are getting more and more interesting.

April 1

Alex/Olexij, same guy? I am not familiar with the language.
A profile of "sapsan" calling himself Alex gives a link to a CV on sapsan.org.ua. Which is Olexij.

Some very fresh SBL-listings regarding this guy:
http://www.spamhaus.org/sbl/listings.lasso?isp=gtcomm.net

Comments

March 17, 2009 - 19:04 — Spamislame (not verified)

More on this "spooler" character

Search for "spooler" and that ICQ address and you get a handful of (of course) Russian forum postings from this lowlife.

He offers up a service which will make sure your virus is never detected by most antivirus packages.

He offers the DDOS services to a lot of them:

http://forum.hostobzor.ru/index.php?s=7567c4c04a87a7a04d334703f800b4aa&showtopic=10313&pid=105714&st=0

spooler -> offer DDOS (04.07.2007 18:51:02)
Large botnet.
We carry out large projects.
Individual approach to each client.
Obraschatsya in icq: seven24eight34

https://forum.zloy.org/showthread.php?t=44279

We offer service on an anonymous inspection files of various antivirus systems. This system is designed to check multiple files with antivirus, with no reports of antivirus systems are not sent. You can be sure that your application does not fall into the anti-virus databases!

Searching on his "obfuscated" ICQ (семь24восемь34) produces even more interesting results.

He's used someone else's DDOS service and apparently liked it:

http://exploit.in/forum/index.php?showtopic=11605

Took advantage of the service.
everything went smoothly. Made a good discount.
We will continue to work on a permanent basis.
thanks!

I note that most of these are from Nov. 2007. I wonder how active this guy actually is lately.

SiL / IKS / concerned citizen

March 17, 2009 - 22:47 — Rune

Re: More on this "spooler" character

Thanks for "kicking my ass" by commenting.
I wonder if I ever will finish the posting.

I have some searches archived regarding "spooler".
In addition to other related searches.
"Tvister" is also interesting.

Quoting:

anonymous inspection files of various antivirus systems

That would be avcheck.info and avcheck.biz.

Quoting:

I note that most of these are from Nov. 2007. I wonder how active this guy actually is lately.

I am wondering about that too.
If you take a look at the blogposting from ThreatExpert I link to above, that posting is from July 2008.
ThreatExpert is also mentioning httpdoc.info in a posting in May 2008:
http://www.threatexpert.com/report.aspx?uid=467746b0-1e5b-436d-992b-43ab9d6a4772
Together with fakamaza.info.

Dancho Danchev mentions "Set-X Corporation" in a blogposting last September:
http://blogs.zdnet.com/security/?p=1899 (Offering "spam services")
I don't know if this is the same "setx" or if it could be a couple of months old domain, set-x.biz. Same guy? I don't know.

But there is an interesting chain of info here:
setx.in - info@antiddos.eu - setx.mail@gmail.com - httpdoc.info - fakamaza.info.
The last one with the email address "team@russia-vs-georgia.org" in the whois info.
How relevant it is today, I don't know that either.

Updated a few minutes later:
There is a posting in the newsgroup news.admin.net-abuse.sightings from March 13 2009 here mentioning lovexx.ru with nameservers at antiddos.org. Hosted by Olexij Khrenov on 67.215.13.165 after apparently being killed somewhere else earlier.
Related to ICQ and guestbook spamming (ICQ-spimming?)