Understanding Ecatel

By Justin David Pineda

Some people have been visiting websites hosted in Europe which are part of the Ecatel network. A Seclists post says that the Ecatel network is the source of a rootkit called ZeroAccess: “…purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers.” [1] As of this writing, the Ecatel network is rated second in the Top 10 Bad Hosts for the 1st quarter of 2011. [2]

A malware site has only one goal: to do something bad to you, such as stealing confidential or private information or harming your computer. Many sites under the said network are considered harmful, although of course we cannot generalize that all of them are. But since they come from the same network, we might consider them suspicious.

The Ecatel network is part of the Russian Business Network (RBN), which has been known for cybercrime activities since 2007. [3] News reports also say that Russian authorities do not give enough attention to these cybercrimes.

A lot of articles note that this particular network is notorious for spammers. Spamhaus even named it host of “The Most Notorious Spammers.” Further, it listed 15 known sites classified under Zeus Botnet Command & Control Activity, Snowshoe Spam Sources, Heavily Abused Redirects, Botnet Pharma Spammers and Cybercrime Hosting of Fake A/V Malware. [4] It also plants rootkits on infected machines which can monitor and control personal workstations illegally. Some sites under Ecatel also trick users with Fake Antivirus crimeware. This crimeware has resulted in more than 250,000 computers becoming infected. [5]

To make our measurement of the Ecatel network’s maliciousness quantitative, let’s look at the numbers: [6]

1 Zeus server
3285 malicious URLs
1076 badware instances
846 spam bots
16 spam IPs

The IP address ranges considered “dangerous” in relation to the Ecatel network are listed in [7]:


Now that we know something about Ecatel and how it can affect us, I suggest that we follow best practices when doing transactions over the net. Of course, it’s good to have an AV with an updated set of signatures. I know that new malware emerges every day, but AV will still help somehow. We should also have a personal firewall installed, because it lets us define rules about which addresses our machines may talk to. For example, a site redirection might bring you to a malicious site; if the firewall has restricted that particular IP/URL from your network, then it can’t get in. And try to avoid going to sites that you are not familiar with, since chances are they may be malicious. But when you do land on one and there’s a pop-up saying that you need to run this kind of AV, you know that it is a Fake AV. So don’t.
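
As an added example (not part of the original post), here is how a defender could turn a published list of ranges such as the one in [7] into a firewall blocklist and check proxy log entries against it. The CIDR ranges, log lines and addresses below are constructed samples drawn from the RFC 5737 documentation networks, not Ecatel’s, and the squid-style log format is assumed.

```python
# Added example: build a CIDR blocklist and flag proxy log entries whose
# destination falls inside it. All ranges and log lines are CONSTRUCTED
# samples; load the real ranges from the published list instead.
import ipaddress
import re

# Constructed blocklist. Published lists often contain ranges nested inside
# larger ones; collapse_addresses() removes that redundancy before the
# list is loaded into a firewall.
RAW_BLOCKLIST = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.0/24",     # supersedes the /25 above
    "203.0.113.0/24",
]

def build_blocklist(cidrs):
    """Parse CIDR strings and collapse nested/overlapping ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(ip, blocklist):
    """True if the address falls inside any range of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)

# Constructed squid-style lines: timestamp client action url dest_ip
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
SAMPLE_LOG = """\
1302000001 10.0.0.5 TCP_MISS http://news.example.net/ 198.18.0.10
1302000002 10.0.0.5 TCP_MISS http://cdn.example.net/redirect 198.51.100.77
1302000003 10.0.0.9 TCP_MISS http://update.example.org/av.exe 203.0.113.8
1302000004 10.0.0.9 TCP_DENIED http://203.0.113.200/ 203.0.113.200
"""

def find_hits(log_text, blocklist):
    """Return (client, url, dest_ip) for each entry with a blocked destination."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        _ts, client, _action, url, dest = m.groups()
        if is_blocked(dest, blocklist):
            hits.append((client, url, dest))
    return hits

if __name__ == "__main__":
    bl = build_blocklist(RAW_BLOCKLIST)
    for hit in find_hits(SAMPLE_LOG, bl):
        print("blocked destination:", hit)
```

A hit on a redirect such as the second sample line is exactly the case the firewall rule is meant to catch, and the same check run over historical logs shows which internal clients already reached the listed ranges.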

Finally, as I always say when there is an infected workstation: remove it from the network immediately and run an AV with an updated set of signatures. But to be sure, the best recommendation is to re-image the system to completely remove any malware.

References:

[1] Reverse Engineering the source of the ZeroAccess crimeware rootkit from http://seclists.org/pen-test/2010/Nov/33

[2] Top 10 Bad Hosts – 2011 Q1 from http://www.hostexploit.com/

[3] Shadowy Russian Firm Seen as Conduit for Cybercrime from http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html

[4] The Spamhaus Project Reports Ecatel.net Network Host The Most Notorious Spammers Cybe from http://www.scamfraudalert.com/identity_theft_phishing_spam_blackmails/13773-spamhaus_project_reports_ecatel_net_network_host_most_notorious_spammers_cybe.html

[5] White Hat Hacker Cracks ZeroAccess Rootkit from http://www.informationweek.com/news/windows/security/228300156

[6] AS29073 – ECATEL-AS from http://badhost.info/AS29073

[7] Ecatel: Need more proof of their being crimeware? from http://hphosts.blogspot.com/2010/04/as29073-ecatel-need-more-proof-of-their.html
