Understanding Ecatel

 http://www.secanalyst.org/2011/08/23/understanding-ecatel/

Some people have been visiting to websites hosted in Europe which are part of the Ecatel network. Seclist says that the Ecatel network is the source of a rootkit called Zero Access, “…purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers.” [1] As of writing, the Elcatel Network is rated second, in the Top 10 Hosts Bad for the 1st quarter of 2011. [2]

A malware site has only one goal: to do something bad to you like getting confidential/private
information and doing something harmful to your computer. Considerably, many sites under the said network are considered harmful but of course, we cannot generalize that all of them are. But since it’s coming from the same network, then we might consider it as suspicious.

The Ecatel Network is part of the Russian Business Network (RBN) which is known for cybercrime activities since 2007. News also say that Russian authorities don’t give enough attention to the cybercrimes made.

A lot of articles tell that this particular network is noted for spammers. Spamhaus event named it as “The Most Notorious Spammers.” Further, it listed 15 known sites which were classified as popular for Zeus Botnet Command & Control Activity, Showshoe Spam Sources, Heavily Abused Redirect, Botnet Pharma Spammers and Cybercrime Hosting of Fake A/V Malware. [4] It also plants rootkits on infected machines which can monitor and control personal workstations illegally. Some sites under Ecatel also trick users of Fake Antivirus crimeware. These crimeware resulted to more than 250,000 computers became affected. [5]

To make our measurement of Ecatel Network’s maliciousness quantitative, let’s look at the numbers: [6]

1 Zeus server
3285 malicious URLs
1076 badware instances
846 spam bots
16 spam IPs

Here are also the IP addresses that are considered the “dangerous” as related to Ecatel Network: [7]

62.41.26.0/24
62.41.27.0/24
89.248.160.0/21
89.248.168.0/24
89.248.169.0/24
89.248.170.0/23
89.248.172.0/23
89.248.174.0/24
89.248.175.0/24
93.174.88.0/21
94.102.48.0/20
94.102.49.0/24
94.102.62.0/24

Now that we know some knowledge about Elcatel and how it can affect us then I suggest that we do best practices when doing transactions through the net. Of course, it’s good to have an AV with updated set of signatures. I know that new malwares are emerging everyday but AV will also help somehow. We should also have our personal firewall installed because it will help in classifying rules.
For example, there might be site redirection and might bring you to a malicious site. If the firewall has restricted that particular IP/URL to your network, then it can’t enter. And try to avoid going to sites that you are not familar with. Chances are, it may be a malicious site. But when that comes and there’s a pop-up that says that you need to run this kind of AV, you know that it is a Fake AV. So don’t.

Finally, as what I always say when there is an infected workstation, remove it from the network immediately and run an AV with updated set of signatures. But to be sure, it is a best recommendation to re-image the system to completely remove any malware.

References:

[1] Reverse Engineering the source of the ZeroAccess crimeware rootkit from http://seclists.org
/pen-test/2010/Nov/33

[2] Top 10 Bad Hosts – 2011 Q1 from http://www.hostexploit.com/

[3] Shadowy Russian Firm Seen as Conduit for Cybercrime from http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html

[4] The Spamhaus Project Reports Ecatel.net Network Host The Most Notorious Spammers Cybe from http://www.scamfraudalert.com/identity_theft_phishing_spam_blackmails/13773-spamhaus_project_reports_ecatel_net_network_host_most_notorious_spammers_cybe.html

[5] White Hat Hacker Cracks ZeroAccess Rootkit from http://www.informationweek.com/news/windows/security/228300156

[6] AS29073 – ECATEL-AS from http://badhost.info/AS29073

[7] Ecatel: Need more proof of their being crimeware? from http://hphosts.blogspot.com/2010/04/as29073-ecatel-need-more-proof-of-their.html
Article in PDF:

Understanding Ecatel