Endgame Systems and ipTrust

Our colleagues at Endgame Systems run a quite interesting product, ipTrust. ipTrust is, in effect, the Virus Tracker of 2010/2011, and Endgame Systems is the Kleissner & Associates of 2010/2011. A fair amount of information is publicly available; it is cited later in this report. [1] [2] [3] [4] [5]

They have contracts and ties to the CIA and NSA (one executive of Endgame Systems was the Director of the NSA). Endgame Systems removed their entire internet presence, including iptrust.com and LinkedIn profiles, in “summer 2011” (according to one linked source above), a step that is understandable. If Kleissner & Associates were making contracts with the CIA and NSA, this blog entry would probably vanish magically too. Technically, the ipTrust.com website vanished completely on 7/4/2012 (it stopped resolving to an IP).

Some information from the linked sources:

Security software provider Endgame Systems raised $29 million in the fall and simultaneously launched ipTrust, a product meant to detect and manage the harm caused by malware and botnets in cloud computing environments

IpTrust’s strategy is to register the domain names these botnets try to contact; thus, when the botnet attempts to communicate with command and control it contacts ipTrust, revealing itself and the IP address of the infected computer

Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region (the Middle East, Russia, Latin America, and China), with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million.

Their HQ in Atlanta, Georgia

Interestingly, they are based in Atlanta, Georgia. Georgia Tech (university) and Damballa are also based in Georgia, and both do a lot of research and development on sinkholing and DNS-based identification of malware. They might share their sinkhole data with each other (though that is pure speculation). Endgame Systems CFO Mark Snell studied at Georgia State University (an MBA, though, not a technical IT degree).

Sinkholing infrastructure

We have identified that the infrastructure described below belongs directly to Endgame Systems and ipTrust. The multiple connections and hints that led to this discovery are described later in this section.

Sinkhole IP: 166.78.144.80

malware-sinkhole.com -> 50.16.214.154 (formerly)
ns1.malware-sinkhole.com -> 69.20.95.4

malware-sinkhole.com was pointing to 50.16.214.154, according to DomainTools.

The IP 50.16.214.154 is part of Amazon EC2 (Amazon Web Services):


NetRange:       50.16.0.0 - 50.19.255.255
CIDR:           50.16.0.0/14
OriginAS:       
NetName:        AMAZON-EC2-8
NetHandle:      NET-50-16-0-0-1
Parent:         NET-50-0-0-0-0
NetType:        Direct Assignment

RegDate:        2010-10-07
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-50-16-0-0-1

OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South
City:           Seattle
StateProv:      WA
PostalCode:     98144
Country:        US
RegDate:        2005-09-29
Updated:        2009-06-02
Comment:        For details of this service please see
Comment:        http://ec2.amazonaws.com/
Ref:            http://whois.arin.net/rest/org/AMAZO-4

Looking at the former ipTrust website https://www.iptrust.com/howitworks/ reveals that Endgame Systems used Amazon Web Services for their infrastructure.

The more interesting thing about malware-sinkhole.com is its registration date. The WHOIS data reveals that it was registered on 12/14/2010. Two months earlier, in October 2010, Endgame Systems received $29 million in funding to create ipTrust, a “cloud-based botnet and malware detection service that collects and distills security data into a reputation engine.” This could be a coincidence in timing, but the registration of malware-sinkhole.com fits perfectly into the timeline and evolution of Endgame Systems' product. Their domain iptrust.com was, like malware-sinkhole.com, also registered via godaddy.com.

Domain Name: MALWARE-SINKHOLE.COM
Registrar URL: http://www.godaddy.com
Updated Date: 2013-04-04 10:08:21
Creation Date: 2010-12-14 13:40:51
Registrar Expiration Date: 2013-12-14 13:40:51
Registrar: GoDaddy.com, LLC
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 14747 N Northsight Blvd Suite 111, PMB 309
Registrant City: Scottsdale
Registrant State/Province: Arizona
Registrant Postal Code: 85260
Registrant Country: United States
Admin Name: Registration Private
Admin Organization: Domains By Proxy, LLC
Admin Street: DomainsByProxy.com
Admin Street: 14747 N Northsight Blvd Suite 111, PMB 309
Admin City: Scottsdale
Admin State/Province: Arizona
Admin Postal Code: 85260
Admin Country: United States
Admin Phone: (480) 624-2599
Admin Fax: (480) 624-2598
Admin Email: malware-sinkhole.com@domainsbyproxy.com
Tech Name: Registration Private
Tech Organization: Domains By Proxy, LLC
Tech Street: DomainsByProxy.com
Tech Street: 14747 N Northsight Blvd Suite 111, PMB 309
Tech City: Scottsdale
Tech State/Province: Arizona
Tech Postal Code: 85260
Tech Country: United States
Tech Phone: (480) 624-2599
Tech Fax: (480) 624-2598
Tech Email: malware-sinkhole.com@domainsbyproxy.com
Name Server: DNS1.STABLETRANSIT.COM
Name Server: DNS2.STABLETRANSIT.COM

Their sinkhole (166.78.144.80) and the formerly used name server (ns1.malware-sinkhole.com -> 69.20.95.4) are both hosted at Rackspace Hosting in San Antonio, Texas.

Endgame Systems Sinkhole IPs

Below are all domains currently pointing to the sinkhole server at 166.78.144.80. They act as sinkhole domains, i.e. infected machines (bots) connect to them. Some of them formerly used ns1.malware-sinkhole.com as their name server; they now use pdns01.domaincontrol.com and ns1.dynadot.com.

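As an added illustration of the mechanism described above (this is not code from the original report or from Endgame Systems): a defender can read the same signal from their own resolver logs, because any internal host whose lookups resolve to the sinkhole address 166.78.144.80 is talking to a sinkholed C2 domain. The log format and the client addresses are constructed; the sinkhole address and the domain names come from the report.

```python
# Added example, not part of the original report: flag internal hosts whose DNS
# lookups resolve to a known sinkhole address. A bot resolving a sinkholed C2
# domain reveals itself to the sinkhole operator; a defender who sees the same
# answer in resolver logs can use it as an infection indicator.
from collections import defaultdict
import re

# Sinkhole address named in the report; extend with any others you track
SINKHOLE_IPS = {"166.78.144.80"}

# Constructed resolver log lines: "<timestamp> client <ip> query <name> answer <ip>"
SAMPLE_LOG = """\
2012-07-04T10:00:01Z client 10.1.2.3 query winsoft3.com answer 166.78.144.80
2012-07-04T10:00:02Z client 10.1.2.3 query www.example.org answer 93.184.216.34
2012-07-04T10:00:05Z client 10.1.2.7 query yardlive.net answer 166.78.144.80
2012-07-04T10:00:09Z client 10.1.2.7 query winsoft3.com answer 166.78.144.80
2012-07-04T10:00:10Z client 10.1.2.9 query www.example.org answer 93.184.216.34
2012-07-04T10:00:11Z malformed line that must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\d+\.\d+\.\d+\.\d+) "
    r"query (?P<name>\S+) answer (?P<answer>\d+\.\d+\.\d+\.\d+)$"
)

def find_sinkholed_clients(log_text: str, sinkholes=SINKHOLE_IPS) -> dict:
    """Return {client_ip: sorted list of domains that resolved to a sinkhole address}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip unparsable lines instead of aborting
        if m["answer"] in sinkholes:
            hits[m["client"]].add(m["name"])
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in find_sinkholed_clients(SAMPLE_LOG).items():
        print(f"{client} resolved sinkholed domains: {', '.join(names)}")
```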

One email address connected to malware-sinkhole.com, set in its SOA record, could be recovered: malsinkhole@gmail.com.
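The mailbox is encoded in the SOA RNAME field (first label = mailbox, remaining labels = domain, dots inside the mailbox escaped as "\."), so recovering it is a mechanical parse. The following is an added example, not code from the original report; the SOA record text is constructed in the shape `dig` prints it, with only the domain and mailbox taken from the report above and the serial and timers made up.

```python
# Added example, not part of the original report: recover the responsible-party
# mailbox from a DNS SOA RNAME, as was done above for malware-sinkhole.com.
# RFC 1035: the RNAME is a domain name whose first label is the mailbox; a
# literal dot in the mailbox is escaped as "\." (e.g. "john\.doe.example.com").

def soa_rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME such as 'hostmaster.example.com.' to 'hostmaster@example.com'."""
    rname = rname.strip().rstrip(".")
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])    # escaped character belongs to the mailbox
            i += 2
            continue
        if ch == ".":
            break                         # first unescaped dot ends the mailbox
        local.append(ch)
        i += 1
    domain = rname[i + 1:]
    if not local or not domain:
        raise ValueError(f"not a valid SOA RNAME: {rname!r}")
    return "".join(local) + "@" + domain

# Constructed SOA record in presentation format; serial and timers are sample values
SAMPLE_SOA = ("malware-sinkhole.com.  3600  IN  SOA  ns1.malware-sinkhole.com. "
              "malsinkhole.gmail.com. 2010121401 7200 3600 1209600 3600")

def email_from_soa_line(line: str) -> str:
    """Pull the RNAME (the field after MNAME) out of a presentation-format SOA line."""
    fields = line.split()
    idx = fields.index("SOA")
    return soa_rname_to_email(fields[idx + 2])

if __name__ == "__main__":
    print(email_from_soa_line(SAMPLE_SOA))
```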

What happens now?

Kleissner & Associates has a good history of and experience with “playing with open cards”. We do not think there is any need for security companies to hide their technical infrastructure (including servers, domains, IPs, WHOIS information and the technology used) behind anonymity. This amounts to security by obscurity: it merely hides the infrastructure rather than securing it.

It is fascinating and interesting to see how closely Endgame Systems is tied to the US government and how they withdrew from public view in 2011. There are clear reports that they not only passively sinkhole but actively provide the infrastructure for attacking infected systems. Providing offensive tools while at the same time hiding behind anonymity, just like the criminals, makes it unclear who is actually the good guy and who is the bad guy.