[LINK] Spamhaus: Wikileaks Mirror Malware Warning

Steven Clark steven.clark at internode.on.net
Sun Dec 19 13:56:10 AEDT 2010


FYI:

Wikileaks Mirror Malware Warning
2010-12-14 17:00 GMT, by Quentin Jenkins

On Monday Spamhaus became aware that the main Wikileaks website,
wikileaks.org, was redirecting web traffic to a 3rd party mirror site,
mirror.wikileaks.info. This new web site is hosted in a very dangerous
"neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat"
network which Spamhaus believes caters primarily to, or is under the
control of, Russian cybercriminals.

Important: this warning is issued only for wikileaks.INFO, NOT
Wikileaks itself or any other Wikileaks site. Wikileaks.info is NOT
connected with Julian Assange or the Wikileaks organization. For a list
of real Wikileaks mirror sites please go to wikileaks.ch
<http://wikileaks.ch/mirrors.html>

The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus
Block List (SBL) since October 2008. Spamhaus regards the Russian
Webalta host (also known as Wahome) as being "blackhat" - a known
cybercrime host from whose IP space Spamhaus only sees malware/virus
hosting, botnet C&Cs, phishing and other cybercriminal activities. These
include routing traffic for Russian cybercriminals who use malware to
infect the computers of thousands of Russian citizens.

The fact that recently some unknown person or persons decided to put a
Wikileaks mirror on Webalta IP address 92.241.190.202 should raise an
alarm: how was it placed there and by whom? Our concern is that any
Wikileaks archive posted on a site that is hosted in Webalta space might
be infected with malware. Since the main wikileaks.org website now
transparently redirects visitors to mirror.wikileaks.info and thus
directly into Webalta's controlled IP address space, there is
substantial risk that any malware infection would spread widely.

Spamhaus also notes that the DNS for wikileaks.info is controlled by
Webalta's even more blackhat webhosting reseller "heihachi.net", as
evidenced by the DNS records for the domain:

wikileaks.info.        14400  IN  A   92.241.190.202
wikileaks.info.        14400  IN  NS  ns2.heihachi.net.
wikileaks.info.        14400  IN  NS  ns1.heihachi.net.
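A defender's check of the records above, written here as an added example (it is not Spamhaus's code): it parses zone-style resource records and flags A records that fall inside an SBL-listed netblock and NS records under a flagged nameserver domain. The netblock and the heihachi.net domain are taken from the post; the record lines are re-typed from it as constructed sample input.

```python
import ipaddress
import re

# Constructed sample input: the three records quoted in the post.
DNS_RECORDS = """\
wikileaks.info.        14400  IN  A   92.241.190.202
wikileaks.info.        14400  IN  NS  ns2.heihachi.net.
wikileaks.info.        14400  IN  NS  ns1.heihachi.net.
"""

# Netblock the post says is SBL-listed, and the reseller domain it flags.
LISTED_NETBLOCKS = [ipaddress.ip_network("92.241.160.0/19")]
FLAGGED_NS_DOMAINS = {"heihachi.net"}

# owner  ttl  IN  type  rdata   (only the record types this check needs)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|CNAME)\s+(\S+)\s*$")


def parse_records(text):
    """Parse zone-style RR lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((owner.rstrip(".").lower(), int(ttl), rtype,
                        rdata.rstrip(".").lower()))
    return records


def assess(records, listed_netblocks=LISTED_NETBLOCKS,
           flagged_ns=FLAGGED_NS_DOMAINS):
    """Return (owner, type, rdata, reason) for every record that hits a listing."""
    findings = []
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            for net in listed_netblocks:
                if addr in net:
                    findings.append((owner, rtype, rdata, f"address inside listed {net}"))
        elif rtype == "NS":
            # Check the nameserver host and every parent domain of it.
            labels = rdata.split(".")
            parents = {".".join(labels[i:]) for i in range(len(labels))}
            hit = sorted(parents & flagged_ns)
            if hit:
                findings.append((owner, rtype, rdata, f"nameserver under flagged {hit[0]}"))
    return findings
```

Running assess(parse_records(DNS_RECORDS)) reports the A record as inside 92.241.160.0/19 and both NS records as under heihachi.net, which is the situation the post describes.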

Spamhaus has for over a year regarded Heihachi as an outfit run 'by
criminals for criminals' in the same mould as the criminal Estdomains.
The Panama-registered but Russian/German-run heihachi.net is highly
involved in botnet command and control and the hosting of Russian
cybercrime.

We also note that the content at mirror.wikileaks.info is rather unlike
what's at the real Wikileaks mirrors, which suggests that the
wikileaks.info site may not be under the control of Wikileaks itself,
but rather some other group. You can find the real site at wikileaks.ch,
wikileaks.is, wikileaks.nl, and many other mirror sites around the world.

Spamhaus takes no political stand on the Wikileaks affair. We do have an
interest in preventing spam and related types of internet abuse, however,
and hope that the Wikileaks staff will quickly address the hosting issue
to remove the possibility of cybercriminals using Wikileaks traffic for
illicit purposes.

More information on the SBL listing of Webalta's 92.241.160.0/19 is here:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL68370

Spamhaus is not alone in issuing this Wikileaks mirror malware caution.
On Sunday researcher Feike Hacquebord at fellow anti-spam system Trend
Micro issued a similar warning in the Trend Micro Malware Blog
<http://blog.trendmicro.com/wikileaks-in-a-dangerous-internet-neighborhood/>.

-------------------------

*Update 15 December*

In a statement released today on wikileaks.info entitled "Spamhaus'
False Allegations Against wikileaks.info
<http://www.spamhaus.org/news.lasso?article=665>", the person running
the wikileaks.info site (which is not connected with Julian Assange or
the real Wikileaks organization) called Spamhaus's information on his
infamous cybercrime host "false" and "none of {your} business" and
called on people to contact Spamhaus and "voice your opinion".
Consequently Spamhaus has now received a number of emails some asking if
we "want to be next", some telling us to stop blacklisting Wikileaks
(obviously they don't understand that we never did) and others claiming
we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press
release" published on wikileaks.info was not written by Wikileaks and
not issued by Wikileaks - but by the person running the wikileaks.info
site only - the very site we are warning about. The site data, disks,
connections and visitor traffic, are all under the control of the
Heihachi cybercrime gang. There are more than 40 criminal-run sites
operating on the same IP address as wikileaks.info, including
carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes
paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the
"press release" was issued "by Wikileaks". In fact there has been no
press release about this by Wikileaks and none of the official Wikileaks
mirror sites even recognise the wikileaks.info mirror. We wonder how
long it will be before Wikileaks supporters wake up and start to
question why wikileaks.info is not on the list of real Wikileaks mirrors
at wikileaks.ch <http://wikileaks.ch/mirrors.html>.

Currently wikileaks.info is serving highly sensitive leaked documents
to the world, from a server fully controlled by Russian and German
malware cybercriminals, to an audience that faithfully believes anything
with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are
viewing and downloading documents only from an official Wikileaks mirror
site. We're not saying "don't go to Wikileaks" we're saying "Use the
wikileaks.ch server instead".

-- 
Steven