Inside Cyber Warfare

Jeffrey Carr

Part 12

Report Chapter

Every bulletproof network begins with the inherent weakness of ICANN to enforce accurate WHOIS information.


ICANN is a nonprofit organization with headquarters in Marina del Rey, CA. The organization took over registration and accreditation responsibilities from the US government in 1998.

When you register a domain name with an accredited registrar, ICANN issues a corresponding IP address. The registration process requires that the customer provide accurate WHOIS information. Unfortunately, ICANN hasn't been effective in enforcing its own rules.

A GAO audit in 2005 looked into this problem and found that an estimated "2.31 million domain names (5.14 percent) have been registered with patently false data-data that appeared obviously and intentionally false without verification against any reference data-in one or more of the required contact information fields" (from the GAO report "Internet Management-Prevalence of False Contact Information for Registered Domain Names," published in November 2005; see Figure 7-2).

Figure 7-2. GAO a.n.a.lysis of domain contact information ICANN relies on registrars to enforce the collection of accurate registration information, which is level two of the bulletproof network: an ICANN-accredited registrar.

The Accredited Registrar.

A person who wants to create an Internet presence for nefarious purposes needs to find an accredited registrar that won't seek to verify false registration information. This will allow her to enter a pseudonym instead of her real name, as well as false contact information (email and telephone). In the case of, that registrar was Naunet, a Russian Internet services company that offers domain registration and hosting services.

The Hosting Company.

In the case of, the registrant acquired hosting services through a small Russian company,, which in turn was a reseller for a London company, Innovation IT Solutions Corp, which contracted with a very large data center and hosting company, SoftLayer Technologies.

SoftLayer Technologies and The Planet, both based in Texas, have proven to be attractive options for spam and phishing websites, as had Atrivo/Intercage, based in Northern California. Atrivo was finally shut down in October 2008, resulting in a temporary world-wide plunge in spam levels, according to the Washington Post's Security Fix column of October 9, 2008.

The Bulletproof Network of

Figure 7-3 shows linkages between companies that support the forum.

As we discussed in Chapter 2, was a pa.s.sword-protected forum built with a bulletin board software application (phpBB) and launched within 24 hours after the commencement of Russia's ground, sea, and air a.s.sault on the nation of Georgia on August 8, 2008.

Cyber attacks against Georgian government websites occurred as early as July 21, 2008, but this particular forum was not active until the day after the invasion. It provided hackers of all levels with vetted target lists, links to malware to be used to attack Georgian government websites, and expert advice for novice hackers (of which there were many).

A WHOIS search on the domain revealed the following information: Domain Type CORPORATE.

Nserver Nserver State Registered, Delegated Person Private Person Phone

7 908 3400066.

E-mail [email protected] Registrar NAUNET-REG-RIPN.

Figure 7-3. The network.


NAUNET is a Russian registrar that is blacklisted by the Spamhaus Project for providing cyber crime/spam/phish domains (Spamhaus SBL advisory #SBL67369 01 Dec 2008).

The domain name was acquired at Part of the complaint against Naunet on file at Spamhaus is that it has knowingly accepted false information (specifically related to invalid IP DNS addresses in the WHOIS info), which is in violation of Russian Inst.i.tute for Public Networks (RIPN) rules.

In the WHOIS info for, the phone number 7 908 3400066 and email address [email protected] are both listed in the registrar information for a variety of websites selling things such as fake pa.s.sports, adult p.o.r.n, and ATM skimmers.

Although the domain information for doesn't list a person's name, opting instead for the ubiquitous "private person," other domains with the same telephone number and email address have been registered under the name Andrej V Uglovatyj.

Andrej V Uglovatyj, however, is most likely a fict.i.tious person. A search on returns only two unique hits for the name. Considering the amount of data being collected online for individuals today, as well as the fact that Andrej V Uglovatyj is purportedly conducting a number of businesses online, receiving so few hits can only be due to this name being a pseudonym used in shady domain registrations. For example, see the one shown in Figure 7-4 for fake pa.s.sports at a website named

Figure 7-4. One of Andrej V Uglovatyj's shady domains selling forged doc.u.ments The tagline under reads "Creation of pa.s.sports and driver licenses for Russia and EU countries."

Performing a WHOIS on the IP address is an important step in the money trail process. Someone needed to purchase time on a server to host the PHP forum, which, ironically, used the Army-themed forum template (the ever-stylish camouflage look). The IP address is, which resolves to a small Russian company called SteadyHost (

The domain registration for provides the following information: Domain Type CORPORATE.

Nserver Nserver State Registered, delegated Person Sergey A Deduhin Phone.

7 905 4754005.

*** You are reading on ***

Email [email protected] Registrar RUCENTER-REG-RIPN.

If you examine the WHOIS records in the following table, you'll see that Mr. Nesterenko is apparently employed by both companies, and both companies have the same business address: 95 Wilton Road, Suite 3, London. A Google search for that address brings up a variety of businesses, including a p.o.r.n site (Cheeky-Touch), a teen site, Goldstein Equitas, Inc., and Global Securities Consulting; in other words, 95 Wilton Road, Suite 3, London, is a mail drop.

Domain name Registrant Innovation IT Solutions Corp Andrey Nesterenko 95 Wilton Road, Suite 3 London London,SW1V 1BZ GB Tel. +44.8458692184 Fax. +44.8450205104 Creation date 10/10/04.

Expiration date 10/10/09.

Domain servers Administrative contact Innovation IT Solutions Corp Status Active Innovation IT Solutions Corp is not a registered business in the UK or anywhere else, and it doesn't seem to exist outside of its London mail drop address. provides some substantive information on its website regarding its services, albeit in the Russian language. According to Dun and Bradstreet, its and sole stockholder, Andrey Nesterenko, is a Russian national living in the Netherlands, yet his business address is a mail drop in London-the same one used by Innovation IT Solutions Corp (see the following WHOIS data): Domain name Registrant Innovation IT Solutions Corp Andrey Nesterenko 95 Wilton Road, Suite 3 London London,SW1V 1BZ GB Tel. +44.8458692184 Fax. +44.8450205104 Creation date 10/10/04.

Expiration date 10/10/09.

Domain servers Administrative contact Innovation IT Solutions Corp Status Active.

SoftLayer Technologies.

The IP address for the forum ( can be traced backward from SteadyHost to Innovation IT Solutions Corp to SoftLayer Technologies, a US company based in Dallas, TX, with server locations in Seattle, WA, and Washington, DC. See Figure 7-7.

Figure 7-7. WHOIS data for SoftLayer Technologies and The Planet (also in Dallas, TX) share the unique distinction of being on's top 10 worst badware network blocks (Figure 7-8). To add some perspective to this,'s May 2008 report reveals China to be the world leader, hosting 52% of all badware sites, whereas the United States hosts 21%. None of the other countries involved, including Russia, individually hosts more than 4%.

When released its report, it attempted to contact the companies that it named to give them an opportunity to respond. SoftLayer Technologies issued the following statement, published on the blog on June 24, 2008: SoftLayer Technologies is a provider of data center services centered around the delivery of on-demand server infrastructure. We do not manage the content or applications hosted from our infrastructure as this is the direct responsibility of our customers, many of which are in fact hosting resellers. Having said that, we also have a very strict acceptable use policy which you can find here:

We try to be as proactive as possible in eliminating any and all content from our network that breaches the terms of this policy. But, as I am sure you are aware, this is not always an easy task.

I have forwarded your email to our abuse department so that they can start investigating the findings you have suggested below. We will take all necessary actions to remove any malicious material from our network so that we can better serve our customers and the entire Internet community.

Figure 7-8. Top 10 network blocks hosting badware sites About 45 days later, the forum, hosted on a SoftLayer server, became a focal point for a nationalistic Russian hacker attack against Georgian government websites. At no time did SoftLayer Technologies take a proactive role and cancel's access to its servers for a Terms of Service violation.


*** You are reading on ***

Popular Novel