Tuesday, March 20, 2012

Russian MVD announces arrest of CARBERP gang

Today the Russian MVD and FSB have announced the arrest of eight cybercriminals who have stolen more than 60 million rubles ($2 million USD) from at least ninety victim bank accounts in the charges documented in this case.

The Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del or Министерство внутренних дел) better known as the MVD has a computer crimes unit known as "Department K". In this case they worked together with the Russian Federal Security Service's Center for Information Security. (The Federal Security Service, or FSB for Federal'naya sluzhba bezopasnosti, Федеральная служба безопасности is the equivalent to the FBI in the United States.)

Similar to charges brought in the United States against cyber criminals, the MVD Press Release only documents charges that can be proven beyond any reasonable doubt. The total activities of these criminals are likely to greatly exceed what can be formally charged. The formal charges are significant though.

According to Russian computer forensics and investigations company, Group-IB, the Russian government received assistance in the investigation from Group-IB as well as Dutch company Fox-IT. Group-IB says that the group primarily used the malware families Win32/Carberp and Win32/RDPdor.

The Carberp trojan is a financial crimes trojan that has been said to have "High Damage Potential" by anti-virus companies like Trend Micro. Trend was able to show some interesting statistics about who was infected with at least one version of CARBERP by "sink-holing" the CARBERP Command and Control server. S21Sec also did some great research on how to decrypt Carberp communications.

Carberp has continued to evolve and add functionality beyond simple banking credential theft. More recently Carberp has been used for DDOS attacks and to grant remote control access to infected computers, giving the criminals access to everything on the computer, or the ability to use that computer to mask origins of other attacks.

Department K has been tracking these particular criminals since October of 2011, and says the group was run by two brothers, born in 1983 and 1986. One of those brothers was already a known criminal having a record related to real estate fraud.

This particular gang of eight criminals would gain access to banking credentials and cause money to be electronically transferred to accounts controlled by the criminals. They actually rented office space under the guise of a legal computer company and spent their days taking remote control of compromised computers in order to set up the fraudulent banking transactions. Once the money had been transferred to accounts controlled by the gang, it was withdrawn from a variety of ATM machines in the Moscow area.

The malware was distributed by hacking into popular Internet sites and leaving traps, including the websites of some prominent newspapers.

All of the criminals were arrested simultaneously in cooperation between the MVD and the FSB, from the botnet administrator all the way down to the criminals who made the ATM withdrawals.

If I'm reading the Russian translation correctly, the ringleader is in custody, his elder brother was released on 3 million rubles bond, and the other six are under house arrest.

The charges brought against them were based on three Russian laws:

- Article 272 - "Illegal access to computer information"
- Article 273 - "The creation, use and dissemination of harmful computer programs"
- Article 158 - "Theft"

The hackers could face up to 10 years imprisonment, if convicted.

It is not known at this time how this arrest will impact other use of the CARBERP trojan. The trojan continues to be active, with criminals continuing to take advantage of the lack of enforcement of domain name registration rules, and the gullibility of human computer users. One quick example of each.

One of the domains associated with CARBERP recently was: n9ewpon98euohfe.org

Here is the WHOIS information for that domain:

Registrant name: trgtrf trgtrf
Registrant organization: trgtrf
Registrant street: trgtrf
Registrant state: trgtrf
Registrant postal code: trgtrf
Registrant country: CN
Registrant phone: +86.6857463454
Registrant email: gewtghdcu@mail.cn

See if you can spot the inaccuracy in that WHOIS data? Did you pass? Of course! It's a Russian phone number (+86) claiming to be in China! Oh, the fact that trgtrf may not be a valid postal code, or name, or address, might also be a hint. Rather strange that this Russian in China chooses to use as his nameserver "Primaryns.kiev.ua" as well.

On the Social Engineering front, Trusteer CEO Amit Klein recently blogged about a Facebook related scam being pushed to users infected with Carberp. In that scam, users were told that their Facebook account was locked, and that they needed to provide a 20 Euro "Ukash Voucher #" to unlock the account.

Ukash started in the United Kingdom (UK-cash = Ukash?) but now has partnerships with certain mobile phone companies and with Mastercard.

Saturday, March 17, 2012

Operation Open Market: Jonathan Vergnetti

On Friday, March 16, 2012, the United States Secret Service announced the results of "Operation Open Market" in a headquarters press release led by A.T. Smith, the Assistant Director for Investigations. (Open Market press release can be found at OpenMarket.)

They announced charges against 50 individuals in three separate indictments. One indictment of 39 defendants (with 16 of those individuals yet to be arrested, eleven of which are still listed as John Does), another indictment charging seven individuals, and a third indictment charging four individuals.

Arrested in the operation are people in California, Florida, New York, Georgia, Michigan, Ohio, New Jersey, and West Virginia. During the search warrants executed on March 16, counterfeit credit card manufacturing equipment, electronic media, and even an ATM machine were seized. All three indictments were unsealed in Las Vegas.

Five of the arrests were in Las Vegas, including:

Michael Lofton, 34
David Ray Camez, 20
Thomas Lamb, 47
Jonathan Vergnetti, 40

All of the defendants were said to be "members, associates, or employees" of a criminal organization called "Carder.su" where "su" refers to the old Internet Top Level Domain for "Soviet Union."

Carder.su has been around since at least late 2007, originally registered to "Maria A Ageeva, 886824@mail.ru" and for some time using the gmail account "cardersu@gmail.com".

To join Carder.su, criminals had to be "vouched" into the forum by two existing members. The site is no longer active, with members being sent to the newer sites run by the same admin, crdrsu.su and carder.pro.



Carder.pro receives an average of 777 visitors per day, 372 from the United States, 218 from Russia, and 23 from Albania. (source: Alexa.com) (Carder.pro has been live for about 14 months, registered by Maria A Ageeva, cardersu@gmail.com.) To join Carder.pro, members must pay a fee of 33 "Liberty Reserve" or "WebMoney" dollars.

Jonathan Edward Vergnetti


While we wait for the names of other "Open Market" criminals to be released, I thought it might be interesting to look at one of those named so far who has plenty of familiarity with Identity Theft, Carding, and the Legal System, Jonathan Vergnetti. Often in the case of these types of law enforcement "Operations" the operation combines recent arrests that clearly are related. In the case we'll examine today, the arrest actually occurred in June of 2010, but the new information is that the previously undisclosed "internet" source of Vergnetti's credit card information is now known to be the Carder.su website.

Making False Statement to Law Enforcement


Jonathan Edward Vergnetti first shows up in the federal courts system after being arrested along with Gabriella Jiminez, Robert Albert Zabala, and Barbra Jo Van Horn back in June of 2010 in the Northern District of Oklahoma.

Jonathan and his friends apparently vacated a Best Western Hotel in Grove, Oklahoma in a hurry and forgot to take with them a shoe box full of credit cards and papers containing lists of other credit card numbers. The hotel manager contacted the Grove, Oklahoma Police Department, and detectives from the GPD did a good job of tracking down people who had worked with Vergnetti. They found six individuals who had been provided with fake credit cards that Vergnetti had created for them, and were encouraged to use the cards to obtain cash in exchange for which they would provide Vergnetti a 60% share of whatever they got. They determined the hotel rooms Vergnetti and his ring were currently operating out of and hit them with search warrants, recovering a laptop computer, equipment for embossing credit cards (printing the names and numbers on them) and writing the magnetic stripes, as well as "a significant number" of identification cards and drivers licenses.

Oklahoma filed state charges on six individuals, but were given false identities for the four featured in this charge. They claimed to be (and presented matching identification cards) David Washington, Mehrdad Maknouni, Susan Lee Nuveman, and Barbara Jo Jeffries. Oklahoma submitted their fingerprints to CJIS and were able to learn the real identities as a result of the fingerprint matches. The four were questioned individually with three refusing to talk, but Barbara Jeffries (later found to be Barbra Jo Van Horn) cooperated and claimed that Vergnetti was the head of a criminal organization consisting of "40 to 50 people" in Oklahoma, California, and Nevada for which he provided credit cards and identities using data he received from "an internet chat room". The group mostly used these identities to obtain cash advances from casinos, including casinos in Las Vegas, but also numerous Indian casinos, including those in Oklahoma.

(see Vergnetti False Statement Criminal Complaint)

Vergnetti's First Grand Jury


Although making false statements to an arresting officer was enough to get Vergnetti into the federal system, by the time the Grand Jury was assembled July 8, 2010, there were better charges to bring. In addition to Vergnetti, Jiminez, Zabala, and Van Horn, Joseph Elijah Johnson and Cree Frances Clapper, both in their early twenties, were charged with this Original Indictment.

The charges were:
18 USC § 371 - Conspiracy
18 USC § 1029(a)(4) and 18 USC § 1029(c)(1)(A)(ii) - Possession of Device Making Equipment
18 USC § 2(a) - Aiding and Abetting
18 USC §§ 922(g)(1) and 924(a)(2) - Felon in Possession of Firearm (Jiminez)
18 USC §§ 113(a)(5), 1151 and 1152 - Simple Assault in Indian Country (Vergnetti)
18 USC §§ 1028(a)(7), 1028(c)(1), 1028(b)(1)(A)(i) - Identity Theft

The indictment says that the gang would obtain pre-paid debit cards and then replace the magnetic stripe information with information that Vergnetti burned on with his card writing equipment. He could also emboss names and numbers on the cards, and create matching identification documents in order to withdraw funds from casinos.

Some examples -

May 18, 2010, Vergnetti used a Nevada driver's license with his photo and the name "Berry Decker" at the River Spirit Casino in Tulsa to obtain a cash advance.

At the same casino on the same day, he also used a California driver's license in the name "Stephen Graham" and presented it to law enforcement to avoid revealing his identity.


Superseding Indictment


After the original indictment, which was enough to move proceedings forward, a Superseding Indictment was filed on August 3, 2010, which brought sixty additional charges, mostly related to additional detective work to identify some of the particular frauds that were committed by the gang of six.

So, for example, on June 4th, 6th, and 8th, Vergnetti did transactions on cards belonging to Mario Chacon and Kimberly McGee - $1263.99, $1263.99, $1075.00, $1048.99, $1048.99, and $1075.00.

Jiminez used an account belonging to Brandon Walser to do cash advances on June 5th, 6th, 7th, and 8th in the amounts of $1505, $2079.99, $2079.99, $2150, $2050, $2079.99, $2050, $2460, $1540, and $1030.

Van Horn used an account belonging to Hector Ramirez to advance $1540 on June 8th.

Clapper used an account belonging to Floyd Farmer to advance $1612.50, $1540, and $1540 on June 6th and 7th.

Johnson used accounts belonging to Ernest Richmond, Amber Beck, and Hermon Galloway to advance $1080, $1620, $2079, $1048.99, $1048.99, $1540, $1540, $1080 on June 1st, 6th, 7th, and 8th.

Zabala used an account belonging to Phillip Carney to take $500 out on June 11th.

All of those charges are the results of looking at TEN DAYS worth of transactions in Oklahoma by this gang.

The Plea Agreement


Vergnetti decided with the information against him, he would plea out. He agreed to provide $107,235.74 in restitution and the prosecution agreed to drop all but two of the charges. The Plea lists who he has to pay restitution to as part of the bargain:

Bank of America - $9235.89
Bank of Commerce - $1554.80
Bank of Hawaii - $5064.98
Bank of Oklahoma - $9010.54
Charles Schwab Bank - $4288.99
Community Bank of the Arbuckles - $1277.99
Cosden Federal Credit Union - $1075.00
Discover Card Services - $1801.42
First Hawaiian Bank - $1044.99
JP Morgan Chase Bank - $15,948.66
Merrill Lynch - $3183.99
Mountain American Federal Credit Union - $5872.76
RBS Citizens - $5746.47
Regions Bank - $33,475.15
TCM Bank - $1075.00
USAA Savings Bank - $5065.00
Village Bank - $1170.81
Zions First National Bank - $1342.00

Here's his actual "plea":

I, Jonathan Edward Vergnetti, admit that from Spring 2010, through June 8, 2010, I conspired and agreed with my named co-conspirators to possess device making equipment, to produce and use counterfeit access devices with the intent to defraud, and to possess and use the means of identification of other persons.

Generally, my named co-conspirators and I manufactured, possessed, and used counterfeit access devices. We obtained pre-paid debit cards from retail stores, and then fraudulently imprinted the electronic banking information of other persons onto the pre-paid debit cards without the knowledge of the true account holders. We obtained the banking information through a third party source over the internet. We embossed the characters of account numbers and names on the face of the fraudulent access devices. We then used the counterfeit access devices, along with false identification documents, to obtain cash advances at tribal gaming establishments and for other purchases. This conspiracy and the overt acts in the conspiracy occurred in the Northern District of Oklahoma and elsewhere.

Specifically, in order to carry out the objects of the conspiracy and to commit aggravated identity theft, I admit that on June 6, 2010, I knowingly possessed and used a counterfeit access device that was a means of identification of another individual to fraudulently obtain a cash advance in the amount of $1048.99 from the Grand Lake Casino located in the Northern District of Oklahoma, and the use of the counterfeit access device affected interstate commerce.


The Sentence


Having the plea agreement all lined up that basically said, "pay back the money and we'll only charge you with Conspiracy and Aggravated Identity Theft" on January 31, 2011 Judge James H. Payne, Northern District of Oklahoma, sentenced Jonathan Edward Vergnetti to pay $114,931.74 in restitution (garnishing wages at 50% of income while in prison and 10% of income after prison) until paid. The sentence called for imprisonment of 84 months, which were 60 months for the Conspiracy, and 24 months for the Aggravated Identity theft, which were to run Consecutively.

The Status


According to the Bureau of Prisons Inmate Locator Service, Jonathan Edward Vergnetti, Register # 10908-062, a 40 year old white male, is scheduled to be released on July 14, 2016 and is currently held at the Federal Correctional Institution in Lompoc, California (175 miles northwest of Los Angeles, adjacent to Vandenberg Air Force Base.)

Wednesday, November 16, 2011

ACH / WireTransfer Failed spam goes crazy!

Yesterday we saw two HUGE spam campaigns that continue into this morning advertising various alternatives of "your wire transfer failed" as subject lines.

We saw at least 86,197 copies of this spam on November 15th, that I am mentally dividing into "Named Institution / zfin" spam and "random intermediary" spam.

The "zfin" spam was far more prevalent, with 62,331 copies of the 86,197 copies pointing to a URL that contained "zfin.php" in the path.

The "zfin" spam has a mail message that reads something like this:

Dear Account Holder,

Money Transfer sent by you or on your behalf was hold by our bank.

Transaction ID: 17019302204565051
Current status of transaction: on hold

Please review transaction details as soon as possible.

N. B. Abel
Treasury Management


The "non-zfin" email has a message that reads something like this:

Dear Bank Account Operator,
I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction: 238006864683285
Current transaction status: Pending

Please review transaction details as soon as possible.


In both versions a very large number of "intermediary" spam domains are used. These are "page forwarders" that have been placed on compromised web servers. The hackers have gathered a very large list of website userids and passwords where they can place new content at will, without the knowledge of the webmaster. They log in as the webmaster, upload their "forwarder" page, and then use that newly created page as the destination in spam messages.

More than 15% of the spam that we saw at the UAB Spam Data Mine yesterday belonged to this pair of campaigns, and the volume is still extremely high this morning.

Many of the emails used the faked "from" domains:

uba.org 5785
lba.org 5762
aba.com 5724
bankersonline.com 5681
cbanet.org 5674
vabankers.org 5672
mbaa.org 5645
nationalbankers.org 5634
icba.org 5620
allbankers.org 5604
fiba.net 5532
direct.nacha.org 5024


Forty-seven destinations were listed by the "zfin" spam, where a Financial Institution was included in the subject line. These destinations heavily favored Argentinian domain names.

By mixing a "prefix" with an "institution name" more than 10,000 unique subject lines were created. 702 Financial Institutions have been named so far . . .

The prefix for the subject is selected from this list:

ACH debit transfer was hold by
ACH debit transfer was not accepted by
ACH payroll payment was hold by
ACH payroll payment was not accepted by
ACH Transfer was hold by
ACH Transfer was not accepted by
Bill Payment was hold by
Bill Payment was not accepted by
Domestic Wire Transfer was hold by
Domestic Wire Transfer was not accepted by
Funds transfer was hold by
Funds transfer was not accepted by
Money Transfer was hold by
Money Transfer was not accepted by
Payment was hold by
Payment was not accepted by
Wire Transfer was hold by
Wire Transfer was not accepted by

and then suffixed with a financial institution name from the list found at the end of this email. . . .

The "non-zfin" form of the list uses one of these subjects: (Random number use is notated by #RND#)

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
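
For mail filtering, the two subject schemes, the "zfin.php" URL path and the forged sender domains described above can be combined into one classifier. The following is an added example, not code from the original post; it assumes #RND# expands to decimal digits, and the sample messages and .example hosts are constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# "zfin" variant: one of the 18 prefixes listed above, then an institution name.
_KINDS = ["ACH debit transfer", "ACH payroll payment", "ACH Transfer",
          "Bill Payment", "Domestic Wire Transfer", "Funds transfer",
          "Money Transfer", "Payment", "Wire Transfer"]
_ZFIN_RE = re.compile(
    r"^(?:%s) was (?:hold|not accepted) by \S.*$"
    % "|".join(re.escape(k) for k in _KINDS), re.IGNORECASE)

# "non-zfin" variant: the fixed subjects listed above.
_TEMPLATES = """\
ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
ACH transfer was hold by our bank
Declined Direct Deposit payment
Direct Deposit payment ID #RND# rejected
Direct Deposit payment was cancelled
Direct Deposit payment was declined
Direct Deposit payment was rejected
Disallowed Direct Deposit payment
Fwd: Wire Transfer (#RND#)
Fwd: Wire Transfer Confirmation
Fwd: Wire Transfer Confirmation (FED #RND#)
Fwd: Your Wire Transfer
Notification about the rejected Direct Deposit payment
Payment ID #RND# rejected
Re: your Direct Deposit payment ID #RND#
Regarding your Direct Deposit via ACH
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Urgent notice about your electronic payments
Your ACH transaction
Your ACH transfer
Your Direct Deposit payment ID #RND# was declined
Your Direct Deposit payment via ACH was declined
Your Direct Deposit payments were disallowed
Your Direct Deposit payments were rejected
""".splitlines()

def _to_regex(template):
    # Assumption: #RND# expands to a run of decimal digits.
    return r"\d+".join(re.escape(p) for p in template.split("#RND#"))

_NONZFIN_RE = re.compile(
    r"^(?:%s)$" % "|".join(_to_regex(t) for t in _TEMPLATES), re.IGNORECASE)

# Forged sender domains from the list above; a supporting signal only.
SPOOFED_FROM = {
    "uba.org", "lba.org", "aba.com", "bankersonline.com", "cbanet.org",
    "vabankers.org", "mbaa.org", "nationalbankers.org", "icba.org",
    "allbankers.org", "fiba.net", "direct.nacha.org"}

def match_subject(subject):
    """Return "zfin", "non-zfin" or None for a Subject header value."""
    s = " ".join(subject.split())  # collapse header folding whitespace
    # Fixed subjects first: "ACH transfer was hold by our bank" would otherwise
    # parse as a zfin prefix followed by an institution named "our bank".
    if _NONZFIN_RE.match(s):
        return "non-zfin"
    return "zfin" if _ZFIN_RE.match(s) else None

def classify(subject, from_header="", urls=()):
    """Combine subject, URL path and sender domain into one verdict."""
    signals = []
    variant = match_subject(subject)
    if variant:
        signals.append("subject:" + variant)
    if any("zfin.php" in urlparse(u).path.lower() for u in urls):
        variant = "zfin"
        signals.append("url:zfin.php")
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    # These are real organizations' domains, so never flag on sender alone.
    if variant and domain in SPOOFED_FROM:
        signals.append("from:" + domain)
    return {"variant": variant, "signals": signals}

# Constructed sample messages (not taken from the campaign data).
SAMPLES = [
    ("Wire Transfer was not accepted by First Example Bank",
     "N. B. Abel <treasury@aba.com>", ["http://compromised.example/zfin.php"]),
    ("Direct Deposit payment ID 238006864683285 rejected",
     "alerts@direct.nacha.org", ["http://forwarder.example/x/index.html"]),
    ("Conference registration is open",
     "events@aba.com", ["https://www.example.org/register"]),
]

if __name__ == "__main__":
    for subject, sender, urls in SAMPLES:
        print(classify(subject, sender, urls), "<-", subject)
```

The third sample shows why the sender domain is only a supporting signal: ordinary mail from one of the forged domains comes back with no variant and no signals.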

These spam messages directed users to one of 1962 unique URLs that all SEEM to be compromised websites, with the exception of some "free hosting" sites, and a handful of URL shortening services. Eliminating all but a single example URL per host computer reduces that list to 671 instances.
myuu.de /
n2testing.co.uk /
naf-tufamur.dreamstation.com /vherzodjor8810.html
nailandhammer.net /
nakayimahotel.com /
nefelefi1879.fcpages.com /niskish.html
netdekorasyoninsaat.com /
ntlauf.nt.ohost.de /inlcude.html
nyjicited.freewebportal.com /nurdete.html
nylaneri-mac.servetown.com /ditonii1167.html
nytezuva-pyh.100megsfree5.com /eqq6911.html
nz-wolfenhausen.de /kpqnpk/index.html
obehumekid.lookseekpages.com /ovenhrehv.html
ochrona-almar.neostrada.pl /inlcude.html
ocig-ujaforisoc.exactpages.com /podvouskiialezj.html
oficinasvirtualesimc.cl /5j4k0ke/index.html
oguce.notlong.com /
ohquudi.notlong.com /
okeg-gyhydyq.dreamstation.com /oo67ao.html
okywijejaf.maddsites.com /ssorpuonu1.html
one-egizad.fcpages.com /vavilugxa.html
onipuwavy-oge.dreamstation.com /pwuptro.html
ontariobuildingtrades.com /5vfe149/index.html
ooblu.com /
ooquoobe.notlong.com /
opezopan.100freemb.com /pvodateconnection.html
opibak-baw.freewebportal.com /mobodultyy04.html
oqomijoh.virtue.nu /nyculmoaa0.html
oral-hekegudu.arcadepages.com /zrooo72000.html
ostwestfalen-lippe.de /8ffzcx1/index.html
otrasexshopmas.com /81p88fk/index.html
ourdogz.nl /04x6pt/index.html
oursdes4saisons.com /~oursdess/fjnopyy/index.html
outsourcemanpower.com /~outso4/4jz88e/index.html
outtheboxmusik.com /1vpj9l/index.html
ovarc.us /3df0ta/index.html
overnightclippingpath.com /a3g2pwc/index.html
ovijujase.exactpages.com /rmren.html
owehyrufiz.freewebportal.com /wubuyukiyndo.html
owips.square7.ch /pc6ypb1/index.html
oxodopi-cuce.maddsites.com /uurnorld15.html
oxu-yvurobuboh.freehostyou.com /topcaf881.html
oxymarketing.com.br /inlcude.html
oyuncumusun.com /2sfjyh2/index.html
ozcanymm.net /
ozinocug.o-f.com /njuf.html
p131879.webspaceconfig.de /d07a0hw/index.html
p7902.typo3server.info /9f9bp6n/index.html
paetzold-beratung.de /cvo8xq/index.html
PageDr.com /d1mqfg7/index.html
pagedrakemusic.com /1o1eis/index.html
paintball-bohinj.si /00vb7md/index.html
paiportacf.com /7t62aei/index.html
palathinkalktm.org /hogm7g/index.html
panmotorsports.com /53412dc/index.html
panteleon.de /6t73qt/index.html
panzercrom.com /1yd59f/index.html
paokvolos.gr /13abr4/index.html
paperequipment.com /1lt2bt/index.html
ParkGina.com /2xi5al/index.html
partnersarl.lu /a6c9j6d/index.html
pascal-bellefroid.be /627bqd6/index.html
paspartoy.gr /77j0m9/index.html
passgo.ca /
paszczak.pl /6vgjxor/index.html
paynterparmesan.com.au /0tnx3ta/index.html
pcapinvest.com /t373ygr/index.html
p-center.biz /169mdzp/index.html
pchelpch.pc.ohost.de /1fdlwp/index.html
pcmswitch.co.uk /1so14g/index.html
pc-tuning.be /5mgsw8z/index.html
pcwbc.ca /
pdc.bplaced.net /5c9tin/index.html
pdrg.zxq.net /5rte95/index.html
pdsignatures.com /o1l5a4/index.html
peachesandcreamspas.com /
peelcruise.com /3xw40nk/index.html
peluangusahaonlines.com /57tt9o/index.html
penisenlargementcourse.com /bb8yhu/index.html
perfilthermik.com /lkpeam/index.html
perso.ovh.net /~polyverr/74r128/index.html
personalinjuryaccidents.com /dogsyd/index.html
peruvision.de /95nivmn/index.html
PeshawarJin.com /13d4tx/index.html
peveduto.com.br /
pheebaha.notlong.com /
philipdc.ph.funpic.de /cx52om/index.html
philippe-decotte.fr /~philippezm/i7nsv9i/index.html
philippinetyphoons.com /25jy8gd/index.html
phobiaman.co.uk /9af3v8/index.html
ph-online.net /37tyaxa/index.html
photosdumonde.info /
phprecdb.bplaced.net /7s4y1p/index.html
pictureahealthierworld.org /4e7h78z/index.html
piefaez.notlong.com /
pies.edu.pk /~piesedup/f0grdvr/index.html
pifadew.bdlike.com /buluvivy.html
pinskylickstein.com /h3fywd/index.html
pioneerweb.in /a9zkq8i/index.html
pite-olacelyb.100freemb.com /gvizdikvk.html
pixa-design.de /4xmbbut/index.html
pixe.mx /
pixelyn.co.za /~pbxnet/0p9gu8/index.html
pkphotography.com /93b6jfu/index.html
plasticimages.com /504mcxt/index.html
playgroupstudio.com /4ycljge/index.html
playweb.6po.pl /
plexuscomms.com.au /chu594/index.html
plummessage.com /lt7joa/index.html
pmtm.com /78gr9so/index.html
poizonroze.com /1ujn1kg/index.html
Pokerworld.com.au /4mebwl2/index.html
polidor.eu /29e41h/index.html
polimitlc.altervista.org /119976/index.html
poliprodukt.pl /frjawen.html
popihug.indiv.in /ugisogu.html
poppenhouse.ru /2x1gsy/index.html
porezi.rs /
portonesautomaticos-ferrobone.cl /260je7o/index.html
portrait-skulpturen.de /6d138g6/index.html
prismproductions.net /0edicf/index.html
prodomoelec.com /
pronutrition.ca /
prosolv.se /
puqupity-sase.bigheadhosting.net /lapwevuu04.html
pushkardesigns.com /
putovuve.arcadepages.com /abee680.html
qarehuq.hosthost.info /ruvyhupa.html
qejazocuf-adus.dreamstation.com /nightshado257.html
qejuticu.pubwebhost.com /ygegysed.html
qezevosak.s-enterprize.com /dcbadur.html
qibuxumu-gen.freewebportal.com /ovehdiligenz.html
qim-tajomuhu.virtue.nu /xnryy596.html
qoge-wigiqiber.freewebportal.com /hhaj.html
qr.net /fqv2
queller-gemeinschaft.de /3rysoo/index.html
quze-fegabugage.freewebportal.com /qbohrint.html
qybo-hubybewu.freewebsitehosting.com /nonplatentiluu21.html
qyn-otomibezo.1accesshost.com /nobolybo13.html
qyxozoxija.dreamstation.com /ptym2111.html
racogad-upy.greatnow.com /plaloj.html
ramebeny1368.greatnow.com /prompncyyy42.html
rapidosports.com /
raum-wolfenhausen.de /39zvuv3/index.html
redir.ec /8aOr5
rekufel.3host4.info /wuvyhup.html
rerajo-qaz.digitalzones.com /onioo8.html
restaurantposthalterey.de /1gml2xu/index.html
rid-yzytawaj.1accesshost.com /bursopaff.html
riteyolu.0fees.net /lodugiz.html
safe.mn /3tJR
safer63and881.com /
saform.com.pl /
sahecafa.3net.tk /furuser.html
saracens-fhc.ca /
scrapbookersbliss.com /
seasonal56.ca /
semineedevis.ro /
sensalights.com /in11.html
senuyave.yk0.net /wuvyhupa.html
sezaylighting.com /
sezogoca-epy.mindnmagick.com /restole.html
shangpalace.com.vn /
shorl.com /difratresutyby
siamrestaurant.ca /
simurl.com /bepnac
siperbinvestments.com /
smx1.hostdime.com.mx /~periodic/0hfmuib/index.html
snipr.com /2oalgv
snipurl.com /2oalwc
sojesif.hostingforfree.org /gagicyb.html
sorupemu.4ever20bucks.info /kejaruv.html
sothbys.ho.ua /
srisaipearls.com /
stepnik.de /9u4ougo/index.html
stykky.pl /
succesvol.su.funpic.org /
sudarom-dyke.dreamstation.com /qfoiio6g.html
surarena.rs /inlcude.html
sweetroute.com /
sytixytex140.s-enterprize.com /nicolahg.html
taklitci.com /
tamilsudartv.com /fejkb8e/index.html
tasaqifa.hostingwithu.com /uhezivo.html
tassilomusic.com /
taximihywe-pyri.bigheadhosting.net /kipusyy00.html
tbspirit.com /
tcjc.ca /
tcproperties.co.za /
teamprimerib.com /12evdr/index.html
tegikobi.w9l.in /edoruvy.html
telusplanet.net /~polihale/40ht0fa/index.html
teqaqybu.freewebportal.com /nermox.html
ternama.com /
tesuzuma-tah.freehostyou.com /zhavneree1971.html
thaore.notlong.com /
thegrandehaven.com /
thesacredvoicegallery.com /
thesurl.com /11
ticoyez.297m.com /gudylog.html
tie.ly /_ggeqie
tisilume.qualityprohost.com /sedejodu.html
tllg.net /aUm4
tm-studio.com.pl /
tolenaars.nl /
topolema.koon.pl /ivyfurus.html
toronto-orienteering.com /pictures/main.html
totavalaw-zejy.freewebportal.com /nunes.html
toyamakitokito.web.fc2.com /
trmfiltration.com /
trucksidefunding.ca /
tujeqexo.000adz.com /nezivogo.html
tuvoca1466.freewebportal.com /rdobyllo.html
u-china-consulting.com /1qvkcx5/index.html
uci-nyhiguve.fcpages.com /trobexso.html
ucugywyl.fcpages.com /brntschrmnf.html
ugi-ypuwewipax.freewebportal.com /otakunojoworo.html
uhocekef.servetown.com /heaami.html
ujugob-ytoz.100megsfree5.com /ivadpomidorivf.html
ulmer-shop.de /2rsl1a/index.html
ultraline.it /
umy-qekuqi.dreamstation.com /irnuschel.html
unbrockandice.ca /images/in11.html
unitedbookgroup.com /
upihigajar.1accesshost.com /pipkertyn.html
upmarketing.mx /
url.ie /dia9
usifof-ufy.o-f.com /prosencaphalecii21.html
usyrepihon-elaz.1accesshost.com /pronessorsii62.html
vabefod-uron.greatnow.com /ldnrkaa5.html
vahaxisasu.mindnmagick.com /vokolak.html
valanali.cuccfree.com /icutovov.html
vaneenoo.eu /images/index11.html
vbvastgoed.nl /
velvetropemiami.com /jl3o9c/index.html
vesadofefy.freewaywebhost.com /nuhedreampirls.html
vetmobile.ca /
video.web2001.cz /
viphoco.notlong.com /
vlamos-homerealty.gr /
voyibopa.cuscovirtual.tk /ivefuquw.html
vugojape.mindnmagick.com /nonspors.html
vuhyzeto1234.exactpages.com /wroromunticii71.html
walther-reinhardt.de /bvbiohh/index.html
wanaqecu.onlin-e.net /lodugiz.html
wca8532g2.homepage.t-online.de /d2gcop/index.html
webresourcecentral.com /2858sa/index.html
webseosmoservices.com /
welfare114.net /
welfens.de /8tc00m/index.html
wetyqifu1471.1accesshost.com /sluvataxo.html
whistleradio.com /
wiyetipa.webhostingforfree.org /ymanibu.html
wohi-xygumu.1accesshost.com /dystemhakem.html
wp.tedinet.com /bx0koa/index.html
wsconsulting.ca /
wuda-lolexu.maddsites.com /murokchiok.html
www.africanelections.org /4qtmbt/index.html
www.athmainfosolutions.com /29ial3/index.html
www.avtkhyber.com /1tcnzx/index.html
www.bakou.gr /h1hmsp/index.html
www.casainlegnohonka.it /wmi34d/index.html
www.desmidspijk.nl /
www.dldsrl.it /
www.flooringin.ae /
www.garagevanstraelen.be /
www.hadi-art.com /
www.honkafusion.it /t8xfifq/index.html
www.jenabakery.com /
www.lumhongye.com /13f2em/index.html
www.mesinuangku.net /~peluang4/sa0hxip/index.html
www.parimpood.ee /16e6beb/index.html
www.pcrutchfield.com /1g9wxxn/index.html
www.peluangusahaonlines.com /28dvhds/index.html
www.pension-kleinekorte-guestrow.de /
www.phobiaman.co.uk /81ccngg/index.html
www.photoeditingservices.co.uk /3sr31z5/index.html
www.physicaltherapy.co.ke /9a54nqy/index.html
www.pies.edu.pk /2nktlke/index.html
www.plasticsurgeryinstituteofcalifornia.com /aojaas/index.html
www.poodlesislandwear.com /eoqf7q/index.html
www.postandparcel.net /52xxjn/index.html
www.proalkoholici.cz /atb.html
www.publishingoutsourcing.com /2e0dh9/index.html
www.seriilanlar-antalya.com /
www.stockkamp.com /
www.wouda-assu.nl /
xagemume.bdlike.com /iticuto.html
xechuyendung.net /
xikuga486.1accesshost.com /anrrey216vorkuta.html
xizakobiv1963.freewebsitehosting.com /avevbroaren.html
xoragam.hostingperron.com /cacejodu.html
xumubowo.johaneswisnu.info /ejodugiz.html
ycomefy1524.bigheadhosting.net /aanbelochik.html
yeasheve.notlong.com /
ygo-foxucobyzy.virtue.nu /mojoqens.html
yiprint.com.tw /
yjoliveba.freewebsitehosting.com /demonidi9.html
ymob-cezulu.freewaywebhost.com /quak0610.html
ymoz-afydybime.mindnmagick.com /pichugana627.html
yosulag.freehost.artonat.com /oruvyhup.html
yulasuhu.adsfree.ru /xubijema.html
yusaduy.123bemyhost.com /uhezivo.html
yxydyt-caxa.mindnmagick.com /oxueywro.html
yzic-kuligu.lookseekpages.com /oupslyng.html
yzid-ufehupuse.servetown.com /mlitvyaj.html
zawizifani366.freewaywebhost.com /qumusegu.html
zebuana.de /
zeh-patinuli.lookseekpages.com /nicsfev.html
zespol-millenium.home.pl /
zil-vakahidyti.lookseekpages.com /umnyk.html
zoom.nsjet.com /~pochince/28nz9l/index.html
zulu-ezaxodevic.freewebsitehosting.com /dimenhofigan.html
zymuzymugo271.s-enterprize.com /bcretkon.html
zyvu-umodecy.1accesshost.com /rvm.html
zyxukifuzo.1accesshost.com /dmimkac.html



====================
List of Financial Institutions used by the "zfin" spam . . .

1st Bank Yuma
1st Capital Bank
1st Centennial Bank
1st Enterprise Bank
1st National Bank of Scotia
1st Pacific Bank of California
1st Source Bank
Abacus Federal SAvings Bank
ABC International Bank
ABN AMRO Bank
Abrams Centre National Bank
Affinity Bank
Agriland FCS
AgTexas
Aig Federal SAvings Bank
Alamerica Bank
Aliant Bank
Allegiance Community Bank
Alliance Bank
Alliance Bank of Arizona
Allied Irish Bank
Alta Alliance Bank
Amalgamated Bank of Chicago
Amarillo National Bank
Amcore Bank
Amegy Bank of Texas
Ameriana Bank and Trust
America California Bank
American Bank
American Bank of Commerce
American Bank of Texas
American Business Bank
American Express Bank Limited
American National Bank
American National Bank of Texas
American River Bank
American Riviera Bank
American Savings Bank
American State ABnk
American State Bank
Americas United Bank
Amsouth Bank
Amsterdam Savings Bank
ANZ Bank
Applied Card Systems
Archer Bank
Artisans Bank
Atlantic Bank of New York
Atlantic Pacific Bank
Atlas Savings Bank
AuburnBank
Austin Bank
Austin County State Bank
Austin Telco Federal Creit Union
Balboa Thrift and Loan Association
Balcones Bank
Ballston Spa National Bank
Bank Atlantic
Bank Calumet
Bank Independent
Bank of Agriculture and Commerce
Bank of Akron
Bank of Amador
Bank of Baroda
Bank of Castile
Bank of Evergreen
Bank Of Illinois
Bank of India
Bank of Los Altos
Bank of Marin
Bank of Marion
Bank of New York
Bank of Orange County
Bank of Pensacola
Bank of Petaluma
Bank of Pine Hill
Bank of Prattville
Bank of Quincy
Bank of Rantoul
Bank of Rio Vista
Bank of Sacramento
Bank of Santa Barbara
Bank of Santa Clarita
Bank of Springfield
Bank of Stockton
Bank of Tampa
Bank of the Orient
Bank of the Sierra
Bank of the Southwest
Bank of the West
Bank of Tidewater
Bank of Tuscaloosa
Bank of Vernon
Bank of Walnut Creek
Bank of Waukegan
Bank One
Bank United
BankChampaign
Bankers Trust Company
BankFIRST
BankUnited Express
Barclays Bank
Barrington Bank and Trust
Bay Area Bank
Bay Cities National Bank
Bay Commercial Bank
Beal Bank
Belvidere Bank
Benchmark Bank
Beverly Bank
Bluestem National Bank
Borel Bank
Borrego Springs Bank
Brady National Bank
Brenham National Bank
Brickyard Bank
Bridgehampton National Bank
Broadway Bank
Broadway Federal Bank
Broadway Federal Bank FSB
Broadway National Bank
Brooklyn Federal Savings Bank
Brown Brothers Harriman
Busey Bank
Business Bank of California
Business First National Bank
Butte Community Bank
Caledonian Fund Services
California Bank and Trust
California Community Bank
California Federal Bank
California National Bank
California Oaks State Bank
California State Bank
Canadaigua National Bank and Trust Company
Canyon Community Bank
Canyon National Bank
Capital City Bank
Capital Farm Credit
Cardinal Services Corp
Carlinville National Bank
Carver Federal SAvings Bank
Cathay Bank
Cattaraugus County Bank
Centier Bank
Central California Bank
Central Illinois Bank
Central National Bank of Waco
Central Trust and Savings Bank
Central Valley Community Bank
Century Bank
CFS Bank
Champlain National Bank
Chang Hwa Commercial Bank Ltd
Charlotte State Bank
Charter National Bank
Charter Oak Bank
Chase Manhattan Bank
Chicago Community Bank
Chino Commercial Bank NA
Circle Bank
Citibank
Citizens Bank
Citizens Bank Baytown
Citizens Bank of Northern California
Citizens Business Bank
Citizens Community Bank
Citizen's Federal Savings Bank
Citizens First Bank
Citizens National Bank
Citizens National Bank of Macomb
Citizens State Bank
Citrus Bank NA
City Bank Lubbock
City National Bank
City National Bank of Florida
City State Bank of Palacios
CivicBank of Commerce
Clarendon Hills Bank
Claritybank
Clay County Bank
Clear Lake National Bank
Coast Commercial Bank
Coast National Bank
Cohen Financial
Cohoes SAvings Bank
Coldwell Banker Commercial PR
Columbia Bank
Comerica
Commerce Bank of Folsom
Commerce National Bank
Commercial Bank of California
Commercial National Bank
Commerzbank
Commonwealth Business Bank
Commonwealth Trust Company
Community 1st Bank
Community Bank
Community Bank and Trust
Community Bank of Elmhurst
Community Bank of Florida
Community Bank of Naples
Community Bank of San Joaquin
Community Bank of Santa Maria
Community Bank of the Bay
Community Bank Texas
Community Banks of Northern California
Community Business Bank
Community Commerce Bank
Community First Bank of Howard County
Community Savings
Community West Bank
Compass Bank
Coppermark Bank
Cornerstone Community Bank
Coronado First Bank
Corus Bank
County Bank
Credit Suisse First Boston
Cross County Federal Savings Bank
Crown Bank
Crystal Lake Bank
DeAnza National Bank
Delaware National Bank
Delta Bank
Delta National Bank
Delta National Bank And Trust Company
Demotte State Bank
DEPFA BANK
Desert Commercial Bank
Deutsche Asset Management
Deutsche Bank
Devon Bank Online
Downers Grove National Bank
Downey Savings
Eagle Bank
East West Bank
Edens Bank
Edgar County Bank and Trust
Effingham State Bank
EFG Capital International Corp
Eisenhower National Bank
El Dorado Savings Bank
El Paseo Bank
Eldorado Bank
Elgin Financial Savings Bank
Elmira Savings Bank FSB
Emerald Coast Bank
Englewood Bank
Esse Hypothekenbank
Eureka Bank
Eurohypo Aktiengesellschaft
European American Bank
Evans National Bank
Evertrust Bank
Excel National Bank
Exchange Bank
Fairport Saving Bank
Falcon International Bank
Far East National Bank
Farm Credit Bank of Texas
Farmers and Merchants Bank
Farmers National Bank
Farmers State Bank of Hoffman
Federal Home Loan Bank
Federal Home Loan Bank of Dallas
Federal Land Bank
Federal Reserve Bank of Chicago
Federal Reserve Bank of Dallas
Federal Reserve Bank of New York
Federal Reserve Bank of San Francisco
Federal Trust Bank
Fidelity Federal Bank
Fidelity Federal Savings Bank
Fifth Third Bank
Fireside Bank
First American Bank
First Bank
First Bank and Trust
First Bank and Trust Company
First Bank of Clewiston
First Bank of San Luis Obispo
First California Bank
First Chicago Capital
First Choice Bank
First Citrus Bank
First City Bank
First Commerce Bank
First Commercial Bank
First Commercial Bank of Florida
First Community Bank
First Convenience Bank
First Federal Bank
First Franklin Bank
First General Bank
First Gulf Bank
First Home Bank
First Indiana Bank
First Internet Bank of Indiana
First Mercantile Bank
First Metro Bank
First Mountain Bank
First National Bank
First National Bank and Trust
First National Bank of Abilene
First National Bank of Ashford
First National Bank of Bellville
First National Bank of Brookfield
First National Bank of Central California
First National Bank of Chillicothe
First National Bank of Danville
First National Bank of Dryden
First National Bank of Eagle Lake
First National Bank of Jasper
First National Bank of Marengo
First National Bank of Mineola Texas
First National Bank of North County
First National Bank of Northern California
First National Bank of Northern New York
First National Bank of Paris
First National Bank of San Benito
First National Bank of Scottsboro
First National Bank of Steeleville
First National Bank of Trenton
First National Bank of Valparaiso
First National Bank of Waterloo
First Navy Bank
First Niagara Bank
First Northern Bank
First of America
First Priority Bank
First Regional Bank
First Savings Bank FSB
First SAvings Bank of Hegewisch
First Southern National Bank
First Standard Bank
First State Bank
First State Bank Frankston
First State Bank of Eldorado
First State Bank of Shallowater
First State Bank of the Florida Keys
First State Bank of Western Illinois
First United Bank
First USA Bank
First Victoria National Bank
FirstBank of Palm Desert
Five Star Bank
Flatbush Federal Savings
FLBA of Texas
Florida Choice Bank
Florida First Bank
Folsom Lake Bank
Foothill Independent Bank
Fort Hood National Bank
Founders Bank
Founders Community Bank
Franklin Bank
Fremont Bank
Frontier Bank
Frost Bank
Frost National Bank
Fullerton Community Bank
Gateway National Bank
Geddes Federal Savings
General Bank
Genesee Regional Bank
Gerard Klauer Mattison
Gibraltar Bank
Global Resource Bank
Golden Security Bank
Goleta National Bank
Grabill Bank
Grand Bank of Florida
Grand National Bank
Grapeland State Bank
Guaranty Bank
Guaranty Bond Bank
Guaranty Federal Bank
Gulf State Community Bank
Habib American Bank
Hanmi Bank
Hardware State Bank
Harris Trust and savings Bank
Hendricks County Bank and Trust
Heritage Bank East Bay
Heritage Bank of Central Illinois
Heritage Bank of Commerce
Heritage Bank South Valley
Heritage Commerce Corp
Heritage Land Bank
Heritage National Bank
Hickory Point Bank and Trust
Highwood Bank
Hinsdale Bank and Trust
Hinsdale Bank Trust Co
Home National Bank
Honda Bank
Horizon Bank
HSBC Bank
Hudson Valley Bank
Humboldt Bank Merchant Services
Hypo Real Estate Bank International
Illini State Bank
Imperial Bank
Imperial Capital LLC
Independent National Bank
Independent Online
ING Capital LLC
Intercredit Bank
International Bancshares
Interstate Bank of Oak Forest
Invex Grupo Financiero
Irwin Financial Corporation
Israel Discount Bank of New York
Itasca Bank and Trust Co
Jackson County Bank
Jacksonville Savings Bank
Jefferson Heritage Bank
Jefferson State Bank
Jourdanton State Bank
JP Morgan Chase Bank
Key West Bank
Kookmin Bank
Lafayette Bank And Trust
Lafayette Savings Bank
Lake Forest Bank and Trust
Lake Shore SAvings And Loan
Lamar National Bank
Landmark Bank
LaSalle State Bank
Lavine Financial Capital
Legacy Bank of Texas
Lehman Brothers
Liberty Bank
Liberty Federal Bank
Liberty Federal Savings Bank
Libertyville Bank
LIFE Bank
Lone Star Federal Land Bank Association
Long Island Commercial Bank
Long Island Savings Bank
Los Angeles National Bank
Lubbock National Bank
Luther Burbank Savings
Madison Bank
Malaga Bank
Mansfield Bank
Manufacturers Bank
Marathon National Bank
Marina Bank
Marketplace Bank
Mazon State Bank
Mellon 1st Business Bank
Melon Bank by
Mercantile Bank
Mercantile Trust and Savings Bank
Merchants and Southern Bank
Merchants Bank of California
Merchants Bank of Jackson
Merchants National Bank of Aurora
Meridian Bank
Merrill Lynch
MetroBank
Metropolitan Bank
MFB Financial
Mission Community Bank
Mission Oaks National Bank
Modern Bank
Mohave Community
Mohave State Bank
Monroe County Bank
Montecito Bank and Trust
Moody National Bank
Morgan Stanley
Morton Community Bank
Murphy Wall State Bank
Mutual Federal Savings Bank
Mutual of Omaha Bank
Nara Bank National Association
NatBank
National Bank
National Bank of California
National City Bank
New Century Bank
New South Federal Savings Bank
Nexity Bank
North Coast Bank
North Community Bank
North County Bank
North County Savings Bank
North Houston Bank
North Valley Bank
Northern Trust Bank
Northern Trust Company
Northfield Savings Bank
NorthShore Trust Saving
NorthStar Bank
Oak Brook Bank
Oak Lawn Bank
Oak Valley Community Bank
Oceanic Bank
Oceanmark Bank
Oceanside Bank of Jacksonville
Old Florida Bank
Old National Bank
Old Second Bancorp
Old Second Bank of Aurora
OptimumBank
Ossian State Bank
Oswego Community Bank
our bank
Overton Bank and Trust
Owen County State Bank
Pacesetter Bank
Pacific Crest Bank
Pacific National Bank
Pacific Trust Bank
Palm Desert National Bank
Palmer Bank
Park Avenue Capital
Park National Bank
Partners Bank
PathFinder Bank
Peoples Bank of Graceville
Peoples Bank of Lubbock
Peoples Bank of North Alabama
Peoples National Bank
People's Trust Company
Permanent Federal Savings Bank
Perryton National Bank
Pff Bank Trust
Phillipine National Bank
Pilgrim Bank
Pinnacle Bank
Pioneer Savings Bank
Plains National Bank Financial
Plaza Bank
Plumas Bank
Pna Bank
Pointe Bank
Ponce de Leon Federal Savings Bank
Popular Bank of Florida
Power Project Financing
Premier Valley Bank
Prosperity Bank
Provident Bank
Queens County Savings Bank
Raiffeisen Zentralbank AG
Randolf County Bank
Redding Bank of Commerce
Regents Bank
Reliance Bank
Ridgewood Bank
Ripley County Bank
River City Bank
Riverside National Bank
Robertson Stephens
Rondout Savings Bank
Roseville Banking Center
Roslyn Savings Bank
Royal Oaks Bank
RZB Finance LLC
Salin Bank and Trust Company
San Diego National Bank
San Jose National Bank
Sand Ridge Bank
Santa Barbara Bank and Trust
Santa Monica Bank
Saratoga National Bank
Scott State Bank
Seacoast National Bank
Second Federal Savings
Security Federal Savings Bank
Seneca Federal Savings and Loan
Sierra Vista Bank
Silicon Valley Bank
Silverado Bank
Six Rivers National Bank
Sonoma Valley Bank
South Alabama Bank
South County Bank
South Pointe Bank
Southern California Funding
Southern Security Bank
Southwest Bank
Southwest Bank of Texas
Sovereign Bank
Spencer County Bank
Star Bank
Star Bank of Texas
Star Financial Bank
State Bank of Ashland
State Bank of Countryside
State Bank of India
State Bank of Lizton
State Bank of Long Island
State Bank of Texas
State Bank of The Lakes
State Bank of Waterloo
State Farm
State National Bank of West Texas
Staten Island Savings Bank
Sterling Bank
Sterling National Bank
Stone City Bank
Strategic Partners
Success National Bank
Suffolk County National Bank
Sumitomo Bank of California
Summit Bank
Surety Bank
Synergy Bank
Tallahassee State Bank
TCB Bank
TCF National Bank
Tempo Bank
Terre Haute Savings Bank
Texas Bank
Texas Capital Bank
Texas Champion Bank
Texas First Banks
Texas Independent Bank
Texas Land Bank
Texas State Bank
The Astoria Federal Savings Bank
The Bank
The Bank and Trust
The Carson Medlin Company
The Dime Savings Bank of New York
The First American Investment Banking Corporation
The First National Bank of Hico
The First National Bank of Long Island
The First State Bank of North Dakota
The Foothills Bank
The Gifford State Bank
The Independent Bankers Bank
The Laredo National Bank
The Mechanics Bank
The SAvings Bank of Utica
The South Holland Bank
The State National Bank
The Warwick Savings Bank
TIB Bank of the Keys
Tokai Bank of California
Tompkins County Trust Company
Town North Bank
Tremont SAvings Bank
Troy Bank and Trust
Troy Savings Bank
Trustbank
Ulster Savings Bank
Unicredito Italiano
Union Bank of Arizona
Union Bank of California
Union Federal
Union Federal Savings Bank
Union Planters Bank
Union State Bank
United Bank
United California Bank
United Commercial Bank
United Community Bank
United Fidelity Bank
United Security Bank
United Southern Bank
Universal Bank
Upstate Niagara Cooperative
us
Valley Business Bank
Valley Commerce Bank
Valley Independent Bank
Valrico State Bank
Vantage Bank of Alabama
Ventura County Business Bank
Viewpoint Bank
Village Banc of Naples
Vineyard Bank
Vintage Bank
VirtualBank
Visalia Community Bank
Vista Bank
Walden Savings Bank
Warrington Bank
Washington Federal Bank
Washington Savings and Loan
Wells Fargo Bank
West Coast Bank
West Suburban Bank
Western Financial Bank
Western Security Bank
Western Springs Bank
Western Springs National Bank
Whisperwood National Bank
Wilber National Bank
Wilmington Trust
Wilshire State Bank
Wintrust Financial Corporation
Woodforest National Bank
Worth National Bank
WSFS bank
Yolo Community Bank

==========================

Wednesday, November 09, 2011

Operation Ghost Click: DNSChanger Malware Ring Dismantled

Since 2007 computers around the internet have been suffering from a secret ailment. Sometimes when their owners clicked on a link, they didn't go where they were supposed to go! The problem was caused by a fairly simple piece of malware called a DNSChanger. This family of malware only does one thing -- it changes the DNS settings on your computer from the ones that you are supposed to use to ones that a cyber criminal has chosen for you to use.

Today the FBI and NASA's Office of the Inspector General (NASA-OIG) announced "Operation: Ghost Click" and the arrests of six Estonian criminals who have been involved in this scam since 2007.

Those arrested by the Estonian Police and Border Guard Board were:

Vladimir Tsastsin, age 31
Timur Gerassimenko
Dmitri Jegorov
Valeri Aleksejev
Konstantin Poltev
Anton Ivanov

Andrey Taame, age 31, Russian, is still at large

We were especially pleased by the sidebar entitled "Success Through Partnerships".

A complex international investigation such as Operation Ghost Click could only have been successful through the strong working relationships between law enforcement, private industry, and our international partners.

Announcing today’s arrests, Preet Bharara, U.S. Attorney for the Southern District of New York, praised the investigative work of the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, and he specially thanked the National High Tech Crime Unit of the Dutch National Police Agency. In addition, the FBI and NASA-OIG received assistance from multiple domestic and international private sector partners, including Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNS Changer Working Group (DCWG).


The Manhattan U.S. Attorney's office released a much more detailed announcement with the headline "Manhattan U.S. Attorney Charges Seven Individuals for Engineering Sophisticated Internet Fraud Scheme That Infected Millions of Computers Worldwide and Manipulated Internet Advertising Business: Malware Secretly Re-Routed More Than 4 Million Computers, Generating at Least $14 Million in Fraudulent Advertising Fees for the Defendants".

Congratulations to all who were involved! Especially to the FBI's Botnet Threat Focus Cell, NASA's incredible Office of the Inspector General, the FBI's Southern District of New York office, and those who attended Bar-Con in 2009.

What is DNS? DNS, or Domain Name Services, is what tells your computer how to find the website you are looking for by turning the name you type, such as www.fbi.gov, into an IP address, such as 205.128.73.105. For most users, this happens by asking the Name Server at your Internet Service Provider.

Pay Per Click Fraud



If you were infected by this DNSChanger malware, instead of asking your ISP for that information, you would be asking a criminal. MOST of the time the criminals would simply give you the same answer that your ISP would give you ... but whenever they wanted to make some extra money, they could tell your computer the wrong answer!

In an example taken from the indictment, an infected user goes to Google and types in "itunes". The first link returned shows the destination "www.apple.com/itunes/", which is the real Apple website where someone can download the iTunes software.


(source: Tsastsin Indictment)

When the user of an infected computer clicks the link, the computer asks the criminal's nameserver, which sends it to the wrong computer. In this case, instead of going to "apple.com" the user is sent to "www.idownload-store-music.com", which looks just like the Apple store but charges your credit card to sell you iTunes! The criminals received a payment each time they sent someone to this fake website.

In other examples, the company where the traffic is sent to is a legitimate company. For example, H&R Block, the Tax preparation people, have an affiliate program. If you have a website, you can put an ad on your website that advertises the H&R Block website. If people click on your ad, you might receive a tiny amount of money, and if they buy something at the H&R website, you might receive a larger amount of money. Instead of advertising, the criminals made a link that redirected you to the H&R Block website if you tried to visit www.irs.gov. So, because you were using the criminal's nameserver, if you typed or clicked on "irs.gov" you could be redirected to H&R Block, earning an "affiliate payment" for the criminals!

Ad Replacement


The other way the criminals earned money was to replace your ads with their ads. How does that earn money? The most common way is that when your computer is told to go get an advertisement from a certain website, such as Google or Bing or Yahoo, instead of showing you the advertisement from those organizations, it would show you an ad from an organization that was run by the criminals.

In an example from the court documents, a visitor to ESPN's webpage should have seen an advertisement for Dr. Pepper. But when the infected computer visited the webpage, the criminals' nameserver redirected the request to an advertisement for a timeshare instead!

More than 4 million computers in 100 countries, including 500,000 computers in the United States, were infected with this malware. The earnings generated by these young men from the false advertisements exceeded $14 million!

Blocking Antivirus


In addition to using the nameserver to send false advertisements, the criminals also used the nameserver to stop infected computers from being able to reach their anti-virus vendors. This prevented the user from being able to install new anti-virus products or to update the definitions on their existing anti-virus products. If the computer attempted to visit any major anti-virus vendor, it would simply get an error saying the server was unavailable.

The Charges


All the criminals are charged with:
1. Wire fraud conspiracy
2. Computer intrusion conspiracy
3. Wire fraud
4. Computer intrusion (furthering fraud)
5. Computer intrusion

In addition, the ringleader, Vladimir Tsastsin was charged with:
6. Money laundering
7. Engaging in monetary transactions of value over $10,000 involving fraud proceeds.

So, Are you infected?



The Protective Order associated with this case lists the IP addresses involved in the fake nameserver business.

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

The FBI has provided a helpful document that explains how to check your DNS settings to see whether you are using one of these "Rogue DNS Servers". See DNSChanger Malware.

If your IP address is on the list, you are encouraged to fill out the form Register as a Victim of DNS Malware.
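The check described above can be scripted. The following is an added example, not part of the original post or the FBI's document: it converts the ranges listed in the Protective Order into CIDR networks and flags any configured resolver that falls inside one of them. The function names and the sample resolv.conf text are constructed for illustration.

```python
import ipaddress
import re

# Ranges exactly as listed in the Protective Order quoted on this page.
ROGUE_RANGES_TEXT = """\
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
"""

def parse_ranges(text):
    """Convert 'A through B' lines into CIDR networks."""
    networks = []
    for first, last in re.findall(r"(\S+)\s+through\s+(\S+)", text):
        networks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return networks

ROGUE_NETWORKS = parse_ranges(ROGUE_RANGES_TEXT)

def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.M)

def rogue_resolvers(addresses):
    """Return (address, matching CIDR) for each resolver inside a listed range."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip anything that is not an IP literal
        match = next((n for n in ROGUE_NETWORKS if ip.version == 4 and ip in n), None)
        if match is not None:
            hits.append((addr, str(match)))
    return hits

# Constructed sample input, not from a real host (192.0.2.53 is a documentation address).
SAMPLE_RESOLV_CONF = """\
nameserver 85.255.114.13
nameserver 192.0.2.53
nameserver 64.28.191.255
"""

if __name__ == "__main__":
    for addr, net in rogue_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(f"{addr} is inside listed range {net}")
```

On Windows, pass the DNS server addresses shown by `ipconfig /all` to `rogue_resolvers()` as a list instead of parsing resolv.conf, and check the home router's DNS settings the same way.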

The criminals used many different data centers, some of which were featured more prominently in the case than others.

Pilosoft, in New York City, known as "The Manhattan Data Center" in the court documents.

ColoSecure, in Chicago, Illinois

ThePlanet, in Houston, Texas

Multacom Corporation, in Canyon County, California

Layered Technologies, in Plano, Texas

Network Operation Center, in Scranton, Pennsylvania

Wholesale Internet, in Kansas City, Missouri

SingleHop, in Chicago, Illinois

PremiaNet, in Las Vegas, Nevada

Interserver, in Secaucus, New Jersey

ISPrime, in Weehawken, New Jersey

Global Net Access, in Atlanta, Georgia

The Challenge



The big challenge faced by this case was this -- if the FBI were to simply "turn off" all of these nameservers, four million computers would no longer be able to find anything on the Internet! If your computer has been programmed by the DNSChanger malware to look up names using the criminals' nameserver, and that nameserver goes away, there is no "fall back" to some other nameserver; your computer just stops being able to look up names! If that had happened, when you typed in "www.facebook.com" your computer would say something like "No Such Server" or "Host Unknown". Then you couldn't play Farmville! How sad!

To address this challenge, the FBI filed a Protective Order that identified all of the Rogue DNS Servers, and assigned the IP addresses belonging to those servers to the Internet Systems Consortium, or ISC. ISC established "replacement DNS servers" that would behave properly, and replaced all of the "Rogue DNS servers" with properly configured DNS servers. After this was accomplished, none of the infected computers would be redirected to the wrong content anymore, and they would once again be able to update their anti-virus software.

The other benefit of this action is that ISC is now in a position to be able to compile a list of the computers that have been infected. Each time a computer uses one of the formerly Rogue DNS servers, ISC will log that action so that we can have accurate knowledge of how many computers have been infected, and this class of victims can be offered assistance.

The Protective Order was approved by the Honorable William H. Pauly III on November 3rd in the Southern District of New York.

The Criminal Companies


The Estonian criminals controlled a number of corporations to enable this activity.

Rove Digital, in Estonia, was a software development company that created and managed the malware.

Tamme Arendus, also in Estonia, was a real estate development business that acquired most of Rove's assets.

SPB Group was the name of the company that leased the Manhattan Data Center from Pilosoft.

Cernel Inc, in California, Internet Path Limited, in New York, Promnet Limited, in Ukraine, ProLite Limited, in Russia, Front Communications, in New York, and others were involved with registering thousands of IP addresses that were used by the criminals for various activities.

Furox Aps (Gathi.com), Onwa Limited (Uttersearch.com), Lintor Limited (Crossnets.com) and others were used to create and broker advertising deals which would be used in the Replacement Ad schemes.

Other Things You Must Read


TrendMicro's Malware Blog - EstHost Taken Down - Biggest Cybercriminal Takedown in History - An important link that must be pointed out. Vladimir Tsastsin, the CEO of Rove Digital, was also the CEO of EstHost, one of the first registrars to have its ICANN Accreditation pulled because of criminal activity.

TrendMicro: A Cybercrime Hub - this report, in August 2009, laid out the basics of the criminal activity that Trend had been able to identify. Industry contributions such as this are part of the "Partnership for Success" that the FBI spoke about today, and TrendMicro really led the way on this case!

Brian Krebs's authoritative journalism on Vladimir - "EstDomains: A Sordid History and a Storied CEO"

SpamHaus ROKSO file on Rove Digital - ROKSO File (Registry Of Known Spam Offenders) on Rove Digital

Newsweek calls Rove Digital one of the "Top Ten Spammers" (December 2009).