Recently either I was, or my ISP was, the target of a drive by attack. My Internet suddenly froze up and stopped working. I have my network designed so I’m behind two Nat routers. Been this way for years. When I couldn’t find any kind of virus or malware on the machine, I figured it was time to check the router logs.
I had no problem connecting to my internal lan router and when I did, the logs weren’t telling me anything. Next I went into the routing tables of the internal router and there it was. Some how the external Wan router had a strange gateway and IP address. (116.97.116.101) but I couldn’t log into my external wan router. After clearing, rebooting and reconfiguring all the settings, I was back up and running. Did another Malware scan just in case and found nothing. I’m betting if I didn’t have the second router on the network, I’d still be killing bugs.
Now it was time to find out where this rouge address would lead, and of course, “The connection has timed out”. Did a Google search for the address and found some interesting info from this link. http://whois.domaintools.com/mavr-best.com
Whois is a database site of internet addresses and ownership of domains. There are a number of different useful and valuable tools on the Whois.domaintools site. Windows has a set of these tools built in. (In another article I’ll show where they are and how to use them)
I used a trace-route tool on the rouge address that ended with a domain in Asia. (no surprise there) The Information below is what I found from the Whois site.
+++++++++++++++++++++++++++++++++++++++++++++++++++
Here’s what we know about mavr-best.com:
* “GHS” owns about 110 other domains
* lidenezretr@yahoo.com — is a contact on the whois record of 2 domains
* 1 registrar has maintained records for this domain since 2009-05-10
* This domain has changed name servers 3 times over 1 year.
* Hosted on 3 IP addresses over 1 years.
* 11 ownership records archived since 2009-05-12 .
* Wiki article on Mavr-best.com
DomainTools for Windows®
Now you can access domain ownership records anytime, anywhere… right from your own desktop! Find out more >
Registration Service Provided By: WEBST.RU
Contact: +7.9139079575
Website: http://webst.ru/
Domain Name: MAVR-BEST.COM
Registrant:
GHS
Antony (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434
Creation Date: 10-May-2009
Expiration Date: 10-May-2010
Domain servers in listed order:
ns2.suspended-domain.com
ns1.suspended-domain.com
Administrative Contact:
GHS
Antony (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434
Technical Contact:
GHS
Antony (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434
Billing Contact:
GHS
Antony (lidenezretr@yahoo.com)
Fools home 23/45
Beliz
Belize,4577877
BZ
Tel. +087.512347634434
Status:SUSPENDED
Note: This Domain Name is Suspended.
In this status the domain name is InActive and will not function.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
As you look down through the information you’ll see the domain name “mavr-best” has changed name servers 3 times in the last year, was hosted on 3 IP address in the last year, and had 11 owners over the past year. (that can’t be good)
The registrant name and address is also a bit strange. (bad spellings and such) By following the link for the Wiki article on Mavr-best.com, I was able to see an excerpt of the site. The only excerpt available looked like this:
100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.39.60.101.109
.98.101.100.32.115.114.99.61.34.104.116.116.112.58.47.47.109.97.118.114
.45.98.101.115.116.46.99.111.109.47.105.110.99.108.117.100.101.47.115.
112.108.46.112.104.112.63.115.116.97.116.61.79.116.104.101.114.124.85.
110.107.110.111.119.110.124.85.83.124.85.110.107.110.111.119.110.34.32.
119.105.100.116.104.61.49.48.48.48.32.104.101.105.103.104.116.61.49.
48.48.48.32.115.116.121.108.101.61.34.98.111.114.100.101.114.58.110.111
If you break these up properly they are all internet and router addresses. Somewhere in the “Marv-best” website itself is embedded code that executes a handful of malware and Trojan installs. When scrolling to the bottom of the aboutus.org page I came to the topic “Related Websites”. What did I find? You guessed it….
EdenGay.com, Indian-Sex-Hoes.com, IndianWorldSex.com, Premium-Galleries.com, BiLara.com, GayBambino.com, and Mahjoob.com
Clicking on the link for the acual site link “http://mavr-best.com” in the aboutus.org site shows this to be a bad site.
The actual page is blocked by the domain server and the domain is under suspension. To get a better Idea of the sites reputation, Web of Trust is a great site to see trustworthiness, rankings, privacy and child safe scores. http://www.mywot.com/en/scorecard/mavr-best.com#comment (you should see this)
This article is a prime example of the intent and resourcefulness of malware distributors. If a Domain Name Server can become infected, then the bad guys can fool some people into click on bad web pages and entering personal information. I discussed this in the article “Web Surfing Protection”. More information on Spyware and Malware can be found on the Gen-Tech Enterprises home website at http://gentechenterprises.webs.com/spywaremalware.htm
Learning more about how your network operates can be a big advantage in stopping threats at the outside edge. Software and hardware alone are sometimes not enough. You need to be able to know and understand what is happening on your network or your machine so you can keep your computer environment healthy and clean. Remember, always have the latest Microsoft updates, run updated Anti-Virus / Anti-Malware program, and always pay attention to how your computer is acting.