Sponsored by..

Tuesday, 13 October 2009

Piradius.net running Zbot infrastructure servers

Piradius.net appears to be up to its dark grey hat antics again with a server at 124.217.251.179 which is providing services to the current run of Zbot trojans, as seen (for example) with this recent ThreatExpert report.

Robtex reports the the server is also being used as the NS for a number of Zbot related domains, notably x2dns.ru, cedns.ru, updata-1.com, admin-systems.com, db-1.net, upd01.net, ssl-updates.net and several others connected with this spam run. 124.217.251.179 is also the download server for various Zbot components.

Although Piradius.net probably has many legitimate customers (primarily from Malaysia, Thailand and South-East Asia), it seems to have a lot of bad ones too (including Yohost.org). Prudent network administrators may want to consider blocking 124.217.224.0 - 124.217.255.255 which will probably not cause too many problems.

3 comments:

Αλέξανδρος said...
This comment has been removed by the author.
Sundae said...

Hi,

The IP 124.217.251.179 seems to be offline, couldn't find any suspicious activities in it......Piradius is terminating all bad user isn't it?

Piradius said...

On behalf of Piradius, the user was terminated since last year 2009 early October when we received a notification from Spamhaus telling us that the this is bad user. The user was banished from our network.