A few days ago, Brian Krebs blogged about a report, published by RSA Research, that uncovered a network of compromised Windows machines being used as VPN exit nodes. The idea was to sell VPN access at premium points across the world to customers within China who needed to bypass the Great Firewall. Compromised machines included those at a major Fortune 500 hotel chain and a hi-tech manufacturer.
Part of what turned the group on to this Terracotta VPN, as they’re calling it, was that some of the exit nodes, perhaps as many as 52, were linked by their IP address to nation-state and other known-APT actors. Apparently, this wasn’t a service used only by consumers; sophisticated actors were also using it to hide their identity and legitimize their connections.
It also highlights why looking at the IP address of a connection alone isn’t helpful, and could even be misleading. That’s why we at DomainTools focus on domain names, and apparently, so does Krebs!
Krebs wanted to go deeper, but all he had was a screenshot of the software from the RSA report and a single domain name: 8800free[dot]info. He’s a power user, though, so one domain was all he needed.
He explained how he started with a historic lookup at DomainTools, found an email address from 2010, and pivoted through our Reverse Whois dataset to nine other domains. He also took the current email address for that one starter domain, found 39 other sites with Reverse Whois, then walked through each of those sites’ historical data to find more identities.
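The pivot Krebs walked through, as an added example rather than code from the post or from DomainTools: a breadth-first walk that alternates historic Whois lookups (domain to registrant emails) with Reverse Whois lookups (email to domains), run over a small constructed set of Whois history records. Every domain and email below is made up; the two lookup functions stand in for the real datasets.

```python
from collections import deque

# Constructed Whois history records, not real data: (domain, year, registrant_email).
# "seed.example" changed hands once, so its history exposes two identities.
WHOIS_HISTORY = [
    ("seed.example", 2010, "old-registrant@mail.example"),
    ("seed.example", 2015, "current-registrant@mail.example"),
    ("alpha.example", 2011, "old-registrant@mail.example"),
    ("beta.example", 2012, "old-registrant@mail.example"),
    ("gamma.example", 2009, "third-identity@mail.example"),
    ("gamma.example", 2014, "current-registrant@mail.example"),
    ("delta.example", 2013, "third-identity@mail.example"),
    ("unrelated.example", 2013, "someone-else@mail.example"),
]

def whois_history(domain):
    """Historic lookup: every registrant email ever recorded for a domain."""
    return {email for d, _, email in WHOIS_HISTORY if d == domain}

def reverse_whois(email):
    """Reverse Whois: every domain ever registered with this email."""
    return {d for d, _, e in WHOIS_HISTORY if e == email}

def pivot(seed, max_hops=3):
    """Breadth-first pivot from one seed domain.

    Returns two dicts, {domain: hop} and {email: hop}, where hop is the number
    of pivots needed to reach that node. max_hops bounds the walk so a shared
    registrar or privacy-proxy email does not pull in the whole dataset.
    """
    domains = {seed: 0}
    emails = {}
    queue = deque([(seed, 0)])
    while queue:
        domain, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for email in whois_history(domain):
            if email in emails:
                continue
            emails[email] = hop + 1
            for linked in reverse_whois(email):
                if linked not in domains:
                    domains[linked] = hop + 1
                    queue.append((linked, hop + 1))
    return domains, emails

if __name__ == "__main__":
    found_domains, found_emails = pivot("seed.example")
    for name, hop in sorted(found_domains.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {name}")
    print("identities:", sorted(found_emails))
```

Before treating any hop-2 result as related infrastructure, check that the linking email is not a registrar default or privacy service, since those connect unrelated domains.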
In the end, he took his newly discovered list of domains, downloaded the VPN software, and conducted a mini usability study on each one! He also used Wireshark to sniff the packets, see which IPs were being used, and finally uncovered a few of the organizations that had compromised machines.
This story is typical of the kind of research people do every day with DomainTools.