Further Koobface Analysis
by Jago Maniscalchi // August 15, 2009 // Exploits and Malware // 1 Comment
How much information is available on those responsible for the Koobface attack? One of the main attack servers, kukuruku-290709.com, is registered to Polev Andrei. This article looks for information on Andrei Polev using his name and the e-mail address kuku.ruku.pam@gmail.com. Note the false address in Paris (Kuku Avenue).
Registrant:
Polev Andrei (kuku.ruku.pam@gmail.com)
kuku av. 54 -10
Paris,139123
FR
Tel. +001.41512345678
An Andrei Polev was also associated with other malware-serving domains, such as freehostinternet.com and hostindianet.com.
Registrant:
Andrei Polev andypolev@bestpanda.com +7.4963612199
Krasnaya str. d.117 kv.119
Solnechnogorsk,Moskovskaya,RUSSIAN FEDERATION 199538

This address, pictured above, appears valid, though on closer inspection 199xxx postcodes belong to St. Petersburg, not Moscow.
WHOIS results for rabota2.info reveal the same address (this time with an invalid postcode) and a third e-mail address, europarks@pochta.ru.
Registrant ID:DI_8622071
Registrant Name:Polev Andrei
Registrant Street1:Krasnaia str., 117-119
Registrant City:Solnechnogorsk
Registrant Postal Code:23563
Registrant Country:RU
Registrant Phone:+7.45743255233
Registrant Email:europarks@pochta.ru
A further e-mail address is exposed courtesy of cheapestpharmacy.at.
personname: Andrei Polev
street address: Krasnaya str. d.117 kv.119
postal code: 199538
city: Solnechnogorsk
country: Russland
phone: +74963612199
e-mail: andypolev@fishmedia.info
An old Koobface C&C server at zaebalinax.com reveals yet another e-mail address and variation on the name. The postcode is, again, not for Moscow, but for Lipetsk.
Registrant:
Mir trud mai
Aleksandr Polev (krotreal@gmail.com)
ul. Mira 32 - 90
Moscow,398540
RU
Tel. +7.4954115553
A website, upr0306.com, hosted on the same server as zaebalinax.com is registered to an Andrej Polev.
Registrant:
Andrej Polev
Email: bigvillyxxx@gmail.com
Address: Furshtatskaya ul. 25 - 65
City: Moskva
State: Moskva
ZIP: 187523
Country: RU
Phone: +7.4953440978
The bigvillyxxx e-mail address leads to myfastfind.com, registered to Ivan Petrov with the same e-mail address.
Registrant:
Ivan Petrov (bigvillyxxx@gmail.com)
Guglovskaya 21-90
Moscow
Moskovskaya oblast,167450
RU
Tel. +07.4951986709
A cached copy of irchackers.ru shows a user named krotreal leaving #icqhackers, though back in 2003. The user is located in Russia, but the domain no longer resolves to an IP.

While there are plenty of other references to a krotreal user (on Flickr etc.), none of them appear to have links to hacking or malware.
A series of postal addresses has been discovered, though all contain inconsistencies indicating that they are invented or otherwise not genuine. A possible handle (krotreal) has been identified, along with five e-mail addresses:
kuku.ruku.pam@gmail.com
europarks@pochta.ru
andypolev@fishmedia.info
krotreal@gmail.com
bigvillyxxx@gmail.com
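The pivoting done by hand above (linking domains through a shared e-mail, phone number or registrant name, then sanity-checking the postcode against the stated city) can be automated. The following is an added example, not code from the original post; it uses the registrant records quoted above as constructed input, and its postcode table contains only the two region prefixes the post itself identifies.

```python
# Added example (not from the post): pivot WHOIS registrant records on shared
# selectors and flag postcode/city mismatches, using the records quoted above.
import re
from collections import defaultdict

# (domain, name, e-mail, phone, city, postcode) transcribed from the post.
RECORDS = [
    ("kukuruku-290709.com", "Polev Andrei", "kuku.ruku.pam@gmail.com", "+001.41512345678", "Paris", "139123"),
    ("freehostinternet.com", "Andrei Polev", "andypolev@bestpanda.com", "+7.4963612199", "Solnechnogorsk", "199538"),
    ("hostindianet.com", "Andrei Polev", "andypolev@bestpanda.com", "+7.4963612199", "Solnechnogorsk", "199538"),
    ("rabota2.info", "Polev Andrei", "europarks@pochta.ru", "+7.45743255233", "Solnechnogorsk", "23563"),
    ("cheapestpharmacy.at", "Andrei Polev", "andypolev@fishmedia.info", "+74963612199", "Solnechnogorsk", "199538"),
    ("zaebalinax.com", "Aleksandr Polev", "krotreal@gmail.com", "+7.4954115553", "Moscow", "398540"),
    ("upr0306.com", "Andrej Polev", "bigvillyxxx@gmail.com", "+7.4953440978", "Moskva", "187523"),
    ("myfastfind.com", "Ivan Petrov", "bigvillyxxx@gmail.com", "+07.4951986709", "Moscow", "167450"),
]
# Russian postcode prefixes (first three digits = region) that the post identifies.
POSTCODE_REGION = {"199": "st. petersburg", "398": "lipetsk"}

def selectors(rec):
    """Normalised pivot keys: lower-cased e-mail, bare phone digits, order-insensitive name."""
    _domain, name, email, phone, _city, _pc = rec
    digits = re.sub(r"\D", "", phone).lstrip("0")  # "+07.495..." and "+7.495..." collapse together
    return {("email", email.lower()), ("phone", digits),
            ("name", " ".join(sorted(name.lower().split())))}  # "Polev Andrei" == "Andrei Polev"

def cluster_domains(records):
    """Union domains whose records share any selector; return sorted clusters of domains."""
    parent = {r[0]: r[0] for r in records}  # union-find over domains
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d
    first_seen = {}  # selector -> first domain that carried it
    for rec in records:
        for sel in selectors(rec):
            if sel in first_seen:
                parent[find(rec[0])] = find(first_seen[sel])
            else:
                first_seen[sel] = rec[0]
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())

def postcode_mismatches(records):
    """(domain, postcode, implied region) where the stated city disagrees with the postcode."""
    return [(d, pc, POSTCODE_REGION[pc[:3]]) for d, _n, _e, _p, city, pc in records
            if pc[:3] in POSTCODE_REGION and city.lower() != POSTCODE_REGION[pc[:3]]]
```

Running `cluster_domains(RECORDS)` groups the five "Andrei Polev" domains together and links upr0306.com to myfastfind.com through the shared bigvillyxxx address, while zaebalinax.com stays separate because its only connection in the post is hosting, not a registrant selector.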



One Comment on "Further Koobface Analysis"
Andrei Polev apparently owns the site http://www.vexmarc.com; here are the whois.org results, so he also has the e-mail “elegy@blogbuddy.ru”:
Arastirilan alan adi: vexmarc.com
Ad / Name Andrei Polev
Adres ul. Krasnaya d.117 kv.119 Solnechnogorsk Moskovskaya oblast 199538
Tel +7.4963612199
Faks +7.4963612199
E-posta elegy@blogbuddy.ru
Guncelleme / Updated
Ad gizli
Ad / Name Andrei Polev
Adres ul. Krasnaya d.117 kv.119 Solnechnogorsk Moskovskaya oblast 199538
Tel +7.4963612199
Faks +7.4963612199
E-posta elegy@blogbuddy.ru
Guncelleme / Updated
Ad gizli
Ad / Name Andrei Polev
Adres ul. Krasnaya d.117 kv.119 Solnechnogorsk Moskovskaya oblast 199538
Tel +7.4963612199
Faks +7.4963612199
E-posta elegy@blogbuddy.ru
Guncelleme / Updated
Alan Adi Sunucusu1 / DNS1 ns.openhosting.ru
Alan Adi Sunucusu1 IP / DNS1 IP
Alan Adi Sunucusu2 / DNS2 ns2.openhosting.ru
Alan Adi Sunucusu2 IP / DNS2 IP
Son Guncelleme/ Last Updated
Kayit Tarihi / Registration Date 2009-09-16
SKT / Exp. Date 2010-09-16
Statu Aktif