Is Earth Station Five a Hoax?

Is Earth Station Five a media industry sting operation? A few friends told me about this site today, so I poked around a bit. ES5 appears to be some sort of file-sharing network which thumbs its nose at the Recording Industry Association of America and the Motion Picture Association of America.


ES5 seems to have made its biggest splash in this CNET News.com article where ES5 "President" "Ras Kabir" claims "We're in Palestine, in a refugee camp." The earliest reference I found dates from 18 March 2003 in a post at a digital music site. It was also discussed on 25 June 2003 at the filesharing site Zeropaid.com. Prior to the News.com story, I found press releases which appear to be from 27 June 2003, 1 July 2003 and 7 July 2003.
The News.com story states:


"According to Earthstation 5 founder Kabir, the company was formed after a conversation with his brother Nasser in Ramallah two years ago, as Napster was circling toward its nadir. Over time, they won the financial backing of investors in Israel, Saudi Arabia and Russia, who have asked to remain anonymous. Those funds were used in part to pay contract programmers, largely in Russia, to help build the basic software.

The 35-year-old Kabir, who speaks fluent English, says he is Palestinian but spent much of his childhood in Manchester, England, with his mother. He now has homes in Jenin and elsewhere in Palestine, where Earthstation 5 is based, he said."


It's convenient that someone presenting himself as a Palestinian speaks fluent English. Next, ES5 issued a "declaration of war" via press release, claiming:


"In response to the email received today from the Motion Picture Association of America (MPAA) to Earthstation 5 for copyright violations for streaming FIRST RUN movies over the internet for FREE, this is our official response! Earthstation 5 is at war with the Motion Picture Association of America (MPAA) and the Record Association of America (RIAA), and to make our point very clear that their governing laws and policies have absolutely no meaning to us here in Palestine, we will continue to add even more movies for FREE."


I uncovered some "investigative reporting" at slyck.com, in which the site owner interviewed "Ras Kabir," ES5 "president." He focused mainly on usage statistics: "Slyck asked Ras Kabir to explain how his program could possibly have 3 times the level of usage of FastTrack and be one of the most downloaded software applications in such a short period. This especially seems hard to explain given the fact that it is difficult to find content for some artists. Surely these figures are inflated?"

I'm more concerned with the odd language used by the site. I have two explanations. First, it's the sort of "wanna-be-cool, fight-the-man" language used by a marketing-drone-turned-sting operator. The ES5 Chronicles page, for example, features the image shown above and uses terms like "evil empire" and "enemy hands" too many times for my tastes. Other people, besides several who spoke up in the links listed earlier, express doubts about ES5's authenticity. See this thread and this SlashDot story.

Putting on my intel officer hat, I did some cursory research on the "Jenin refugee camp" from which ES5 allegedly operates. After seeing the pictures on this site, I wondered what kind of infrastructure is there to support major file sharing operations! Still, lots of rebuilding is going on. You can check the United Nations Relief and Works Agency for Palestine Refugees in the Near East site for information. I couldn't find anything specifically mentioning a "Jenin refugee camp 23."


For the sake of research, here's some ownership information on the domains associated with ES5:


Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstation5.com

Date Registered: 2002-2-26
Date Modified: 2002-6-13
Expiry Date: 2005-2-26
DNS1: ns1.earthstationv.com
DNS2: ns2.earthstationv.com

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

===

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain es5.com

Date Registered: 12/9/2001
Date Modified: 3/28/2003
Expiry Date: 12/9/2004
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd., A Vanuatu Corporation
Jenin refugee camp #23
Jenin (PS)
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
N-88532yfvx@usersa5.namescout.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
N-88532yfvx@usersa5.namescout.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

===

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstationv.com

Date Registered: 3/10/2002
Date Modified: 2002-6-13
Expiry Date: 2005-3-10
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
PS
NONE
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin
NONE
PS
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com

===

Checking server [whois.crsnic.net]
Checking server [whois.namescout.com]
Results:
Domain earthstationfive.com

Date Registered: 2002-2-26
Date Modified: 2002-6-10
Expiry Date: 2005-2-26
DNS1: NS1.EARTHSTATIONV.COM
DNS2: NS2.EARTHSTATIONV.COM

Registrant

Earthstationv Ltd, A Vanuatu Corporation
Jenin refugee camp #23
Jenin
PS
NONE

Administrative Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
ras@earthstationv.com

Technical Contact

EarthstationV Ltd., A Vanuatu Corporation
Mr Domain Administrator
Jenin refugee camp #23
Jenin (PS)
NONE
067351065
67351065
ras@earthstationv.com

Registrar: NameScout.com

Register your domain now at www.namescout.com



Here is a query against ns1.earthstationv.com for DNS records:


; <<>> DiG 8.2 <<>> @ns1.earthstationv.com earthstationv.com ANY
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; earthstationv.com, type = ANY, class = IN

;; ANSWER SECTION:
earthstationv.com. 1H IN SOA earthstationv.com.earthstationv.com. root.earthstationv.com. (
200350918 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum

earthstationv.com. 1H IN NS ns2.earthstationv.com.
earthstationv.com. 1H IN NS ns1.earthstationv.com.
earthstationv.com. 1H IN A 213.152.100.163
earthstationv.com. 1H IN MX 10 earthstationv.com.

;; ADDITIONAL SECTION:
ns1.earthstationv.com. 1H IN A 213.152.100.163
ns2.earthstationv.com. 1H IN A 213.152.119.35

;; Total query time: 262 msec
;; FROM: gp.centergate.com to SERVER: ns1.earthstationv.com 213.152.100.163
;; WHEN: Thu Aug 28 21:12:19 2003
;; MSG SIZE sent: 35 rcvd: 194


Here's traceroute output, first to the site's home page in Israel and then to its movie download page, also in Israel. How can that be? Well, the last resolved router name in the first trace is 212.199.218.130.forward.012.net.il, which makes us think the end node is in Israel. The last resolved router name in the second trace is unknown.Level3.net, which tells us nothing. The router before it is gige10-2.ipcolo1.Amsterdam1.Level3.net, which might make us think the end node is in Amsterdam. This is not the case. We'll see in the BGP data later that Level 3 is listed as an "adjacent" AS, which might explain its appearance in the traceroute data. Both end nodes, the web site and the download site, belong to the same company (ES5). ES5 receives its connectivity from "SpeedNet," which we'll learn about later. First, traceroutes from a publicly available traceroute server to each host:


FROM www.above.net TO www.earthstationv.com.

traceroute to www.earthstationv.com (213.152.100.163), 30 hops max, 40 byte packets
1 inside.fw1.sjc2.mfnx.net (208.184.213.129) 0.311 ms 0.245 ms 0.219 ms
2 99.ge-5-1-1.er10a.sjc2.us.above.net (64.124.216.10) 0.534 ms 0.545 ms 0.500 ms
3 so-2-0-0.mpr3.sjc2.us.above.net (64.125.30.89) 0.569 ms 0.513 ms 0.500 ms
4 so-5-1-0.cr1.dca2.us.above.net (208.184.233.134) 66.905 ms 66.742 ms 66.736 ms
5 so-6-0-0.cr1.lhr3.uk.above.net (64.125.31.185) 138.525 ms 138.568 ms 138.596 ms
6 pos9-0.cr1.ams2.nl.above.net (64.125.31.154) 144.160 ms 144.232 ms 144.174 ms
7 pos14-0.mpr1.ams1.nl.above.net (208.184.231.53) 144.717 ms 144.756 ms 144.712 ms
8 so-1-3-0.cr2.fra1.de.above.net (64.125.30.149) 151.540 ms 151.440 ms 151.498 ms
9 pos3-0.pr1.fra1.de.mfnx.net (216.200.116.210) 151.395 ms 151.640 ms 151.411 ms
10 decix-abovenet-us.fra.seabone.net (195.22.211.45) 151.487 ms 151.320 ms 151.478 ms
11 pal6-pal8-racc1.pal.seabone.net (195.22.218.229) 180.994 ms 181.401 ms 180.925 ms
12 goldenlines-1-il-pal6.seabone.net (195.22.196.194) 206.393 ms 206.489 ms 206.300 ms
13 212.199.28.65 (212.199.28.65) 221.834 ms 206.473 ms 206.520 ms
14 212.199.28.242 (212.199.28.242) 208.880 ms 208.337 ms 208.309 ms
15 212.199.26.35 (212.199.26.35) 210.346 ms 210.450 ms 210.242 ms
16 212.199.218.130.forward.012.net.il (212.199.218.130) 211.823 ms 210.629 ms 210.658 ms
17 213.152.100.254 (213.152.100.254) 208.999 ms 209.503 ms 209.039 ms
18 213.152.100.163 (213.152.100.163) 211.880 ms * 212.004 ms

===

FROM www.above.net TO movies.earthstationv.com.

traceroute to movies.earthstationv.com (213.152.119.82), 30 hops max, 40 byte packets
1 inside.fw1.sjc2.mfnx.net (208.184.213.129) 0.301 ms 0.533 ms 0.227 ms
2 99.ge-5-1-1.er10a.sjc2.us.above.net (64.124.216.10) 0.573 ms 0.496 ms 0.467 ms
3 so-1-0-0.mpr4.sjc2.us.above.net (64.125.30.93) 0.506 ms 0.519 ms 0.484 ms
4 pos-1-0.mpr2.pao1.us.above.net (209.249.0.125) 0.932 ms 0.894 ms 0.834 ms
5 GigabitEthernet6-0.edge1.paix-sjo1.Level3.net (209.245.146.157) 0.877 ms 1.041 ms 0.799 ms
6 GigabitEthernet3-1.core1.SanJose1.Level3.net (209.244.3.249) 1.213 ms 1.185 ms 1.188 ms
7 ae0-55.mp1.SanJose1.Level3.net (64.159.2.129) 1.692 ms 1.622 ms 1.680 ms
8 so-0-1-0.bbr1.Washington1.level3.net (64.159.0.229) 80.943 ms 79.589 ms 79.546 ms
9 so-2-0-0.mp1.London2.Level3.net (212.187.128.137) 147.371 ms 147.342 ms 147.247 ms
10 so-2-0-0.mp1.Amsterdam1.Level3.net (212.187.128.26) 160.888 ms 160.546 ms 160.582 ms
11 gige10-2.ipcolo1.Amsterdam1.Level3.net (213.244.165.99) 160.796 ms 160.925 ms 160.833 ms
12 unknown.Level3.net (213.244.164.18) 160.973 ms 161.061 ms 161.095 ms
13 213.152.119.253 (213.152.119.253) 161.885 ms 161.306 ms 161.367 ms
14 213.152.119.82 (213.152.119.82) 161.864 ms 161.294 ms 162.110 ms


RIPE reports that ES5 owns the following netblocks:


213.152.100.0 - 213.152.101.255
213.152.102.0 - 213.152.102.127
213.152.102.128 - 213.152.102.192
213.152.102.193 - 213.152.102.209
213.152.119.0 - 213.152.120.255
213.152.121.0 - 213.152.121.63
213.152.123.0 - 213.152.123.128


Both "Nasser" and "Ras" Kabir are listed as owners. Here are the details on netblocks owned by earthstationv, as returned by RIPE:


inetnum: 213.152.119.0 - 213.152.120.255
netname: EARTHSTATIONV
descr: Employee's VOIP and workstations in the
Jenin refugee camp #23
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
remarks: Speednet's # 2002122740
status: ASSIGNED PA
mnt-by: SPEEDNET-MNT
notify: admin@earthstationv.com
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.0 - 213.152.102.127
netname: EARTHSTATIONV
descr: VOIP Dialup Gateway
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.121.0 - 213.152.121.63
netname: EARTHSTATIONV
descr: Peer to Peer IP network
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.128 - 213.152.102.192
netname: EARTHSTATIONV
descr: Internet Café in Hebron, Gaza City and Jenin
Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.102.193 - 213.152.102.209
netname: EARTHSTATIONV
descr: Video and sound Broadcasting
from the El-Bureij Refugee Camp in Gaza, Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20030102
source: RIPE

inetnum: 213.152.100.0 - 213.152.101.255
netname: EARTHSTATIONV
descr: Peer to Peer Ebay Web Pages
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
notify: admin@earthstationv.com
remarks: Speednet's #2002122740
mnt-by: SPEEDNET-MNT
mnt-routes: EARTHSV-MNT
mnt-lower: EARTHSV-MNT
changed: speednet@email.com 20021231
source: RIPE

inetnum: 213.152.123.0 - 213.152.123.128
netname: EARTHSTATIONV
descr: DialUP Palestine
country: PS
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
status: ASSIGNED PA
mnt-by: SPEEDNET-MNT
changed: speednet@email.com 20030325
source: RIPE

role: Earthstationv Hostmaster
address: Jenin refugee camp #23
Palestine
notify: raskabir@gaza.net
trouble: If you have a problem you can email us at
help@earthstationv.com For sales contact
sales@earthstationv.com
phone: +972 673 51065
e-mail: admin@earthstationv.com
admin-c: RAS9905-RIPE
tech-c: NKA9905-RIPE
nic-hdl: EAR0007-RIPE
mnt-by: SPEEDNET-MNT
changed: raskabir@gaza.net 20021231
source: RIPE

person: Ras Kabir
address: 121 Gaza
address: Gaza, Palestine
phone: +972 673 51065
fax-no: +972 673 51065
mnt-by: SPEEDNET-MNT
e-mail: ras@earthstationv.com
nic-hdl: RAS9905-RIPE
changed: ras@earthstationv.com 20030717
source: RIPE

person: Nasser Kabir
address: 121 Gasa
address: Gaza, Palestine
phone: +972 673 51065
fax-no: +972 673 51065
mnt-by: SPEEDNET-MNT
e-mail: ras@earthstationv.com
nic-hdl: NKA9905-RIPE
changed: ras@earthstationv.com 20030717
source: RIPE
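
Tying the traceroute end nodes back to these RIPE assignments can be done mechanically. The following Python is added here and is not from the original post: it parses inetnum objects in the RPSL "key: value" form shown above (the sample is constructed by copying three of the records) and reports the most specific assignment containing a given address. The parsing and lookup functions are my own, not a RIPE tool.

```python
import ipaddress
import re

# Constructed sample: three inetnum objects copied from the RIPE records above,
# in RPSL "key: value" form; continuation lines lost their leading whitespace.
RIPE_SAMPLE = """\
inetnum: 213.152.119.0 - 213.152.120.255
netname: EARTHSTATIONV
descr: Employee's VOIP and workstations in the
Jenin refugee camp #23
country: PS

inetnum: 213.152.100.0 - 213.152.101.255
netname: EARTHSTATIONV
descr: Peer to Peer Ebay Web Pages
country: PS

inetnum: 213.152.102.128 - 213.152.102.192
netname: EARTHSTATIONV
descr: Internet Café in Hebron, Gaza City and Jenin
Palestine
country: PS
"""

ATTR_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

def parse_rpsl(text):
    """Split blank-line-separated RPSL objects into dicts of key -> [values]."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        m = ATTR_RE.match(line)
        if m:
            last_key = m.group(1)
            current.setdefault(last_key, []).append(m.group(2))
        elif last_key:
            current[last_key][-1] += " " + line.strip()  # continuation line
    if current:
        objects.append(current)
    return objects

def find_block(ip, objects):
    """Most specific inetnum containing ip -> (inetnum, netname, descr), or None.
    Ranges are compared as integers because RIPE ranges need not be CIDR-aligned."""
    addr, best = int(ipaddress.IPv4Address(ip)), None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in obj["inetnum"][0].split("-"))
        if lo <= addr <= hi and (best is None or hi - lo < best[0]):
            best = (hi - lo, obj)
    if best is None:
        return None
    return best[1]["inetnum"][0], best[1]["netname"][0], best[1].get("descr", [""])[0]
```

Running find_block over the two traceroute end nodes (213.152.100.163 and 213.152.119.82) places both inside EARTHSTATIONV assignments, while an Israeli transit hop such as 212.199.218.130 matches nothing.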


The records show SpeedNet is the provider:


mntner: SPEEDNET-MNT
descr: SPEEDNET maintainer
admin-c: MM9905-RIPE
tech-c: MO2551-RIPE
upd-to: domain@17q.com
mnt-nfy: domain@17q.com
auth: MD5-PW $1$hlXT6LEy$iBPFGRF8VXAjVUVBVkdZG1
mnt-by: SPEEDNET-MNT
referral-by: RIPE-DBM-MNT
changed: speednet@email.com 20020924
changed: ripe-dbm@ripe.net 20030508
source: RIPE

person: Moshe Maimone
address: 63 Saudia Gaon
Hertzlya, Israel
phone: +39247585
nic-hdl: MM9905-RIPE
mnt-by: SPEEDNET-MNT
changed: Speednet@email.com 20030508
source: RIPE

person: Motti Oran
address: 25 Hasivin Street
Petach Tikva, Israel 49170
phone: +039247585
fax-no: +039247736
mnt-by: SPEEDNET-MNT
notify: speednet@email.com
e-mail: motti@speed-net.com
nic-hdl: MO2551-RIPE
changed: speednet@email.com 20030105
source: RIPE


I determined SpeedNet's Autonomous System Number (ASN) using a route server:


route-server.he.net>show ip bgp 213.152.100.163
BGP routing table entry for 213.152.100.0/24, version 245489010
Paths: (7 available, best #6, table Default-IP-Routing-Table)
Not advertised to any peer
7911 6762 9116 25276
64.200.150.105 from 216.218.252.147 (216.218.252.147)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.147
7911 6762 9116 25276
64.200.150.105 from 216.218.252.149 (216.218.252.149)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.149
7911 6762 9116 25276
216.218.252.146 from 216.218.252.146 (216.218.252.146)
Origin IGP, metric 46, localpref 100, valid, internal
7911 6762 9116 25276
64.200.150.105 from 216.218.252.151 (216.218.252.151)
Origin IGP, metric 60, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.151
7911 6762 9116 25276
64.200.150.105 from 216.218.252.145 (216.218.252.145)
Origin IGP, metric 46, localpref 100, valid, internal
Originator: 216.218.252.146, Cluster list: 216.218.252.145
6461 6762 9116 25276
216.66.23.99 from 216.66.23.99 (216.66.23.99)
Origin IGP, metric 45, localpref 100, valid, internal, best
6461 6762 9116 25276
216.200.56.53 from 216.218.252.152 (216.218.252.152)
Origin IGP, metric 45, localpref 100, valid, internal
Originator: 216.66.23.99, Cluster list: 216.218.252.152


SpeedNet's ASN was the last number in each AS path, namely 25276. I then queried cidr-report.org for more information on ASN 25276. I could also have queried ARIN for similar information.
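
Pulling the origin AS out of route-server output is a matter of reading the last ASN on each path. The following Python is added here and is not part of the original post: it does that for a constructed abridgement of the output above and for lines in the cidr-report "Prefix (AS Path)" format, and refuses to pick an origin when the paths disagree. The function names are my own.

```python
# Constructed sample, abridged from the route-server output quoted above.
ROUTE_SERVER_SAMPLE = """\
BGP routing table entry for 213.152.100.0/24, version 245489010
Paths: (7 available, best #6, table Default-IP-Routing-Table)
7911 6762 9116 25276
64.200.150.105 from 216.218.252.147 (216.218.252.147)
Origin IGP, metric 46, localpref 100, valid, internal
6461 6762 9116 25276
216.66.23.99 from 216.66.23.99 (216.66.23.99)
Origin IGP, metric 45, localpref 100, valid, internal, best
"""

# Constructed sample in the cidr-report "Prefix (AS Path)" style quoted below.
CIDR_REPORT_SAMPLE = """\
213.152.96.0/24 6762 9116 25276
213.152.99.0/24 3356 25276
213.152.100.0/23 6762 9116 25276 + Announce - aggregate of 213.152.100.0/24 (6762 9116 25276)
213.152.119.0/24 3356 25276
"""

def as_paths_from_route_server(text):
    """AS_PATH lines of 'show ip bgp' output are the lines made only of AS numbers."""
    paths = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and all(t.isdigit() for t in tokens):
            paths.append([int(t) for t in tokens])
    return paths

def as_paths_from_cidr_report(text):
    """(prefix, path) pairs from 'Prefix (AS Path)' lines; the path ends at the first non-numeric token."""
    results = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or "/" not in tokens[0]:
            continue
        path = []
        for t in tokens[1:]:
            if not t.isdigit():
                break
            path.append(int(t))
        results.append((tokens[0], path))
    return results

def origin_as(paths):
    """Origin AS = last ASN on every path; refuse if paths disagree (multi-origin / possible hijack)."""
    origins = {p[-1] for p in paths if p}
    if len(origins) != 1:
        raise ValueError(f"inconsistent origin ASes: {sorted(origins)}")
    return origins.pop()

def upstreams(paths):
    """ASes that appear immediately before the origin: its adjacent upstream ASes."""
    return {p[-2] for p in paths if len(p) >= 2}

if __name__ == "__main__":
    rs = as_paths_from_route_server(ROUTE_SERVER_SAMPLE)
    print("origin AS", origin_as(rs), "upstreams", upstreams(rs))
```

The route-server view alone shows only AS9116 next to the origin; the cidr-report prefixes add AS3356, which is why Level 3 appeared in the second traceroute.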


Report for AS25276
SPEEDNET-AS Speednet Ltd, An Israel Corporation
--------------------------------------------------------------------------------
Whois Entry
IANA has recorded AS25276 as originally allocated by RIPE
RIRs have AS25276 whois information provided by RIPE
-No Whois Entry Obtained-
--------------------------------------------------------------------------------
AS Adjacency Report

In the context of this report "Upstream" indicates that there is an adjacent AS that lies between the BGP table collection point (in this case at AS4637) and the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description of relative topology, and should not be confused with provider / customer / peer inter-AS relationships.

5963 AS25276 SPEEDNET-AS Speednet Ltd, An Israel Corporation
Adjacency: 2 Upstream: 2 Downstream: 0
Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications, LLC
AS9116 AS9116 Goldenlines main autonomous system
--------------------------------------------------------------------------------
Announced Prefixes
Rank AS Type Originate Addr Space (pfx) Transit Addr space (pfx) Description
9865 AS25276 ORIGIN Originate: 1280 /21.68 Transit: 0 /0.00 SPEEDNET-AS Speednet Ltd, An Israel Corporation

Aggregation Suggestions

This report does not take into account conditions local to each origin AS in terms of policy or traffic engineering requirements, so this is an approximate guideline as to aggregation possibilities.


Rank AS AS Name Current Wthdw Aggte Annce Redctn %
3730 AS25276 SPEEDNET-AS Speednet Ltd, An Israel Cor 5 2 1 4 1 20.00%


AS25276: SPEEDNET-AS Speednet Ltd, An Israel Corporation
Prefix (AS Path) Aggregation Action
213.152.96.0/24 6762 9116 25276
213.152.99.0/24 3356 25276
213.152.100.0/23 6762 9116 25276 + Announce - aggregate of 213.152.100.0/24 (6762 9116 25276) and 213.152.101.0/24 (6762 9116 25276)
213.152.100.0/24 6762 9116 25276 - Withdrawn - aggregated with 213.152.101.0/24 (6762 9116 25276)
213.152.101.0/24 6762 9116 25276 - Withdrawn - aggregated with 213.152.100.0/24 (6762 9116 25276)
213.152.119.0/24 3356 25276


What does this all mean? I'm not sure, but I hope you followed along and discovered all the different sorts of information you can learn given only a few IP addresses and domain names. I didn't touch ES5 to get any of this, other than visiting their web site to grab a few screen shots. I'd like to download their software and test it in the lab next.
