The Spamhaus Project
Wikileaks Mirror Malware Warning

by The Spamhaus Team, December 14, 2010
Tags: Malware, Threat Intelligence, Service Providers, IP Reputation

On Monday Spamhaus became aware that the main Wikileaks website, wikileaks.org, was redirecting web traffic to a third-party mirror site, mirror.wikileaks.info. This new web site is hosted in a very dangerous "neighborhood", Webalta's 92.241.160.0/19 IP address space, a "blackhat" network which Spamhaus believes caters primarily to, or is under the control of, Russian cybercriminals.

Important: this warning is issued only for wikileaks.INFO, NOT Wikileaks itself or any other Wikileaks site. Wikileaks.info is NOT connected with Julian Assange or the Wikileaks organization. For a list of real Wikileaks mirror sites please go to wikileaks.ch.

The Webalta 92.241.160.0/19 netblock has been listed on the Spamhaus Block List (SBL) since October 2008. Spamhaus regards the Russian Webalta host (also known as Wahome) as being "blackhat" - a known cybercrime host from whose IP space Spamhaus only sees malware/virus hosting, botnet C&Cs, phishing and other cybercriminal activities. These include routing traffic for Russian cybercriminals who use malware to infect the computers of thousands of Russian citizens.

The fact that recently some unknown person or persons decided to put a Wikileaks mirror on Webalta IP address 92.241.190.202 should raise an alarm: how was it placed there, and by whom? Our concern is that any Wikileaks archive posted on a site hosted in Webalta space might be infected with malware. Since the main wikileaks.org website now transparently redirects visitors to mirror.wikileaks.info, and thus directly into Webalta-controlled IP address space, there is substantial risk that any malware infection would spread widely.

Spamhaus also notes that the DNS for wikileaks.info is controlled by Webalta's even more blackhat webhosting reseller "heihachi.net", as evidenced by the DNS records for the domain:


wikileaks.info.		14400  IN  A   92.241.190.202
wikileaks.info.		14400  IN  NS  ns2.heihachi.net.
wikileaks.info.		14400  IN  NS  ns1.heihachi.net.
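The records above are the whole basis of the hosting check: the A record places the site inside the SBL-listed 92.241.160.0/19, and the NS records hand DNS control to heihachi.net. The following Python is an added example, not code from Spamhaus or from the article; it parses zone-file style records like those quoted, tests each address against the listed CIDR, and builds the reversed-octet name that a DNSBL client would query under the SBL zone (sbl.spamhaus.org). The same `listed_block` check works for any other host you want to compare against the block. It performs no network lookups; the A records for ns1/ns2.heihachi.net and the 203.0.113.0/24 address are constructed sample data and not values from the article.

```python
"""Check whether a domain's DNS records land in an SBL-listed netblock.

Added example (not part of the Spamhaus article). Parses zone-file style
records, tests addresses against the listed CIDR 92.241.160.0/19, and builds
the reversed-octet query name a DNSBL client sends to sbl.spamhaus.org.
No network traffic is generated.
"""
import ipaddress

# Netblock named in the article as SBL-listed since October 2008.
SBL_LISTED_BLOCKS = [ipaddress.ip_network("92.241.160.0/19")]

# The three wikileaks.info records are quoted from the article. The two
# nameserver A records are CONSTRUCTED for this example (assumptions),
# not data from the page; 203.0.113.0/24 is documentation space.
SAMPLE_RECORDS = """\
wikileaks.info.      14400  IN  A   92.241.190.202
wikileaks.info.      14400  IN  NS  ns2.heihachi.net.
wikileaks.info.      14400  IN  NS  ns1.heihachi.net.
ns1.heihachi.net.    14400  IN  A   92.241.190.10    ; constructed
ns2.heihachi.net.    14400  IN  A   203.0.113.53     ; constructed
"""


def parse_records(text):
    """Parse 'owner TTL class type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.rstrip(".").lower(),
                        rtype.upper(),
                        rdata.strip().rstrip(".").lower()))
    return records


def listed_block(ip, blocks=SBL_LISTED_BLOCKS):
    """Return the listed network containing ip as a string, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return str(net)
    return None


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Reverse the octets as a DNSBL client does: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def assess_domain(domain, records):
    """Map (host, ip) -> listed block (or None) for the domain's A record
    and the A records of its nameservers, when present in `records`."""
    domain = domain.rstrip(".").lower()
    a_by_owner = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_by_owner.setdefault(owner, []).append(rdata)
    ns_names = [rdata for owner, rtype, rdata in records
                if owner == domain and rtype == "NS"]
    findings = {}
    for host in [domain] + ns_names:
        for ip in a_by_owner.get(host, []):
            findings[(host, ip)] = listed_block(ip)
    return findings


if __name__ == "__main__":
    for (host, ip), net in assess_domain("wikileaks.info",
                                         parse_records(SAMPLE_RECORDS)).items():
        status = "LISTED in " + net if net else "not in a listed block"
        print(f"{host:20} {ip:16} {status}  (query: {dnsbl_query_name(ip)})")
```

The real SBL query is a plain A lookup of the name `dnsbl_query_name` returns; a non-NXDOMAIN answer means the address is listed. The /19 here spans 92.241.160.0 through 92.241.191.255, so an address such as 92.241.192.1 correctly falls outside it.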

Spamhaus has for over a year regarded Heihachi as an outfit run 'by criminals for criminals' in the same mould as the criminal Estdomains. The Panama-registered but Russian/German-run heihachi.net is highly involved in botnet command and control and the hosting of Russian cybercrime.

We also note that the content at mirror.wikileaks.info is rather unlike what is at the real Wikileaks mirrors, which suggests that the wikileaks.info site may not be under the control of Wikileaks itself but of some other group. You can find the real site at wikileaks.ch, wikileaks.is, wikileaks.nl, and many other mirror sites around the world.

Spamhaus takes no political stand on the Wikileaks affair. We do have an interest in preventing spam and related types of internet abuse however and hope that the Wikileaks staff will quickly address the hosting issue to remove the possibility of cybercriminals using Wikileaks traffic for illicit purposes.

More information on the SBL listing of Webalta's 92.241.160.0/19 is here:

http://www.spamhaus.org/sbl/query/SBL68370

Spamhaus is not alone in issuing this Wikileaks mirror malware caution. On Sunday researcher Feike Hacquebord at security vendor Trend Micro issued a similar warning in the Trend Micro Malware Blog.


Update 15 December

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of [your] business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails, some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

**Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian and German malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.**

**Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks"; we're saying "use the wikileaks.ch server instead".**


Update 18 December ***Incorrect data redacted***

[See update below for newer information on DDoS]

A DDoS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.

Spamhaus is currently under a 2.1 Gbps DDoS attack which began at 05:20 CET. As we are used to DDoS attacks from cybercriminals, our anti-DDoS defences are holding and our web servers are still operating, a little slower than normal.

Not by coincidence, the 'AnonOps' DDoS group's IRC server, irc.anonops.net, is also hosted by the same Heihachi Russian-German cybercrime gang, in the same CIDR as wikileaks.info:


wikileaks.info  = 92.241.190.202
irc.anonops.net = 92.241.190.94

In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDoS "enemies of Anon" with, AnonOps appears to be now escalating its DDoS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDoS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".

There is palpable irony in a DDoS being used to prevent exposure of a probably false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.


Update 19 December

After analyzing the traffic patterns of the attempted DDoS attack against Spamhaus that started yesterday, we have concluded that the attack did not come from LOIC or another *OIC tool issued to script kiddies so that they can DDoS "enemies of Anon". The attack against us consists of UDP and SYN flood packets, which are not the profile of the *OIC tools. In addition, in some semi-private forums AnonOps members have denied responsibility for the DDoS. They have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.

It now appears far more likely that the DDoS was the work of people running, or hosting at, the Heihachi cybercrime group. Possibly they were angered by the attention this article brought to their dirty section of the internet. When one hosts malware, Zeus/SpyEye and other botnet command and control (C&C) servers, phish sites and "backends", child pornography sites, and other types of abusive web sites, avoiding attention is a must. Perhaps Russian authorities will now take a closer look at Heihachi and its host Webalta, as Russian citizens and banks are often the target of the abusive activities hosted there.

As usual when we come under a DDoS, Spamhaus is working with both network experts and law-enforcement agencies to find and shut down the botnet used for the DDoS, and to try and track who may be behind it.


Update 28 September 2011

The third-party mirror site, mirror.wikileaks.info, is no longer hosted at the Heihachi cybercrime group. It is now served through Cloudflare (cloudflare.com) in the USA, which acts as a reverse proxy in front of the site, so its public A record now points at Cloudflare rather than at the origin host. This should be safer.