|Net Range||18.104.22.168 – 22.214.171.124|
|CIDR||126.96.36.199/18 – KRYPT / D/B/A VPLSNET|
|Net Range||188.8.131.52 – 184.108.40.206|
|CIDR||220.127.116.11/18 – KRYPT / D/B/A VPLSNET|
|Net Range||18.104.22.168 – 22.214.171.124|
|CIDR||126.96.36.199/16 – KRYPT / D/B/A VPLSNET|
|Net Range||188.8.131.52 – 184.108.40.206|
|CIDR||220.127.116.11/22 – D/B/A – JONES WEB SERVICES|
Krypt Technologies D/B/A VPLS, Inc. has multiple data centers and is a large corporation. We have our own suspicions that they work with and coverup specific internet usage and abuse. By trying to contact them using their firstname.lastname@example.org email multiple times over the past 4 months with stats, IP’s, and other data of abuse from their Multiple IP Networks we have not got any communication back nor has the abuse stopped. So hence our interpretation of them being a cover company for malicious activities. This is a shame since the company appears to have great core values and built on good values, but then again Enron was thought to be a great company of value as well.
So I ask how can a company that pushes security as a part of their business and have so many abusive IP’s originating from their so called safe and monitored network?
** NOW FOR OUR THOUGHTS AND WHAT OUR RESEARCH HAS FOUND **
First Krypt Technologies D/B/A VPLS, Inc. shows big possibilities and affiliations to Pixelgun Development Inc. Not only do both of these so called legitimate hosting environments use and host some of the same ambiguous** domain names, They tend to also have the same malicious traffic and internet abuse trends, while utilizing different business names and multiples of D/B/A’s to follow them. Our research also shows a very large possibility that they are using the same hosting data centers as well as sharing the same internet links between each other. So not only does this so called business have many DBA’s and other business names that they use to hide behind, it appears that their intent is far more malicious then for legal purposes.
Although some of their systems show what would appear to be legal & legitimate hosted websites and businesses. It has been found that many of these so called legitimate websites are actually fronts for hosting virus’s and other malicious distributed files, attacks and other malicious activities.
Most of the activities that have been monitored through their internet access has been Spam, Virus Activity, Hacking Attempts, as well as Malicious file distribution. Some malicious software activities are done without user consent when some of these websites are directly accessed, either by being directed by advertising or other traffic forwarding techniques such as search engines, links on other websites, ect.
While monitoring their internet activities it has been found that some of their attacks are synchronous with each other although looking like it is from multiple users or networks. We have noticed this activity during times that spam and hack attempts against RDP(Remote Desktop Protocol) are done.
With these attacks it has been correlated to multiples of server from their hosted networks and environments as well as coming from multiple subnets from which they have control. In doing this they try to bypass Spam Filtering as well as bypassing certain firewall and spamwall products on the market.
After reviewing 1,000’s of spam messages that their systems have transferred from multiple subnets that are controlled by them. The emails may not always have the same subject, nor the same link to the virus they are trying to distribute, but have noticed that the emails carry the same digital signatures, bad use of English and vocabulary.
This is where we have also found that the websites that appear to be legitimate are just hosts and fronts for the hidden malicious files that they try to distribute to unsuspecting internet users. Out of the 1,000’s of emails going to our systems as well as networks and systems monitored and maintained by us. We have found that the files will link to either the home or sub directory of these so called legitimate looking websites with ambiguous** domain names.
Now even more interesting is that not all of their malicious activities are set through email, but includes activities towards FTP & RDP, abuse as well as P2P file distribution. FTP and RDP abuse appears to be part of the BOTNET that is running on these servers spanning multiple subnets. BOTNET activities appear to do their own dirty deeds and information gathering techniques as well. So far it has been seen that it is a large possibility that several BOT NETS exist on these subnets to handle specific tasks jointly as well as independently. This activity is currently being investigated further, but one of these independent attacks appear to be in attacking specific hardware appliances connected to the internet. We will not release more data on specifics until all data has been compiled.
** Domain Names that are just letters, numbers and or a string of characters that do not make up any real name or use for a legitimate business name or intent for advertising, but only to be hidden and confusing to any basic internet user.