
Monday, 6 September 2010

Tainted network: InterWeb Media / Gogax.com AS21793 (76.76.96.0/19)

Trading under various names including Gogax, InterWeb Media and Exist Hosting, this Canadian company mixes some extremely dangerous sites with links to organised crime in among legitimate businesses.

Gogax's business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In the case of this $600,000 fraud, the IP addresses were delegated by Gogax to a company called Krutikservers in Azerbaijan.

There are also several fake and/or illegal pharmaceutical sites in the address range, which makes it odd that a legitimate organisation like the Swedish Covenant Hospital should choose to host in the same IP range as criminals.

Google's safe browsing diagnostic is pretty damning:

Safe Browsing
Diagnostic page for AS21793 (GOGAX)

What happened when Google visited sites hosted on this network?

    Of the 595 site(s) we tested on this network over the past 90 days, 35 site(s), including, for example, ajvar.com/, freezlylo.com/, no-ip.be/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-05, and the last time suspicious content was found was on 2010-09-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 225 site(s) on this network, including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that appeared to function as intermediaries for the infection of 3632 other site(s) including, for example, rubensf.com/, rebeccaflinn.com/, jesus-messiah.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 207 site(s), including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that infected 3270 other site(s), including, for example, rubensf.com/, jesus-messiah.com/, ottomiller.com/.



The full list of domains, MyWOT ratings, delegations and a prognosis as to whether each is the sort of site you might want to visit can be found here; below is a summary of some of the more suspect delegates (note that some of the delegate names could be forgeries):

Abdto He (China): counterfeit goods
Allen Jason (United States): HYIP schemes
Cecile Dagorne (France; possibly forged name): malware distribution
Emil Vdovin (Russia): fake / illegal pharmaceuticals and counterfeit goods
Global (Argentina): fake / illegal pharmaceuticals
Gogax (Canada / US): rogue anti-virus, malware distribution, fake / illegal pharmaceuticals
James Schumaker (US; possibly forged name): fake / illegal pharmaceuticals
Krutikservers (Azerbaijan): fake jobs / money laundering
Loyalty Servers (Russia): fake / illegal pharmaceuticals, malware distribution, hardcore pornography, illegal software downloads
Michael Chekin (Russia): fake / illegal pharmaceuticals
Paule Uvinekov (Ukraine): child pornography (reference)
Saman Mazaheri (Iran): HYIP schemes
Telekurs Holding (Switzerland; possibly forged name): malware distribution
Valeria Duarte (Argentina): fake / illegal pharmaceuticals
Vlad Rybak (Ukraine): fake / illegal pharmaceuticals
Weiliang Zhang (China): counterfeit goods
WellHost (Ukraine): fake / illegal pharmaceuticals, malware distribution

The bad stuff on this network easily outnumbers the legitimate stuff, so blocking the entire 76.76.96.0/19 (76.76.96.0 - 76.76.127.255) will probably not cause significant problems. And if you are a legitimate site operator hosting with Gogax, then it might well be time to change hosts before the whole lot gets blackholed.
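As an added example (not code from the original post), the following Python script shows how a practitioner might turn the recommendation above into something checkable: it confirms that the quoted dotted range really is what 76.76.96.0/19 expands to, tests individual addresses against the block, and groups known-bad hosts by /24 so that the "delegated chunk" pattern described earlier is visible. The addresses in PROBLEM_SERVERS are the ones listed later in the comment thread on this post; the /24 granularity and the blocklist output format are assumptions for illustration, not anything Gogax or Google publishes.

```python
import ipaddress
from collections import Counter

# The tainted block named in the post.
GOGAX_BLOCK = ipaddress.ip_network("76.76.96.0/19")

# Problem servers as listed in the comment thread on this post (not exhaustive).
PROBLEM_SERVERS = {
    "76.76.99.2": "fake news sites supporting dubious work-at-home jobs",
    "76.76.104.251": "fake goods",
    "76.76.104.252": "fake goods",
    "76.76.104.253": "fake goods",
    "76.76.106.26": "fake anti-virus software",
    "76.76.106.29": "fake anti-virus software",
    "76.76.116.102": "fake goods",
    "76.76.116.171": "fake anti-virus software",
    "76.76.116.174": "fake anti-virus software",
}


def block_bounds(net=GOGAX_BLOCK):
    """Return (first, last) address of the block as strings, so the dotted
    range quoted in the post can be checked against the CIDR prefix."""
    return str(net.network_address), str(net.broadcast_address)


def should_block(ip, net=GOGAX_BLOCK):
    """True if a single address falls inside the tainted block."""
    return ipaddress.ip_address(ip) in net


def hosts_by_subnet(addrs, prefixlen=24):
    """Count listed hosts per /24 (assumed here as the size of chunk a host
    delegates to one customer) so clustering by delegate is visible."""
    counts = Counter()
    for a in addrs:
        subnet = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        counts[str(subnet)] += 1
    return dict(counts)


def covered_subnets(subnets, net=GOGAX_BLOCK):
    """Return those of the given networks that lie wholly inside the /19,
    e.g. the 76.76.124.0/24 mentioned in the comments."""
    return [s for s in subnets if ipaddress.ip_network(s).subnet_of(net)]


def blocklist_lines(net=GOGAX_BLOCK):
    """Emit one /24 per line for filters that only accept /24 entries.
    Hypothetical output format; adapt to whatever consumes it."""
    return [str(s) for s in net.subnets(new_prefix=24)]


if __name__ == "__main__":
    print("block covers", block_bounds())
    for ip, why in PROBLEM_SERVERS.items():
        print(ip, "BLOCK" if should_block(ip) else "allow", why)
    print("hosts per /24:", hosts_by_subnet(PROBLEM_SERVERS))
    print("inside /19:", covered_subnets(["76.76.124.0/24", "76.76.128.0/24"]))
    print(len(blocklist_lines()), "x /24 entries")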

Update: 23/5/11

Gogax claims that the block is now clean. However, the MyWOT rankings for this block still show some sites with very poor reputations (you can see a list of domains and ratings here).

11 comments:

simon said...

This issue has been resolved. We have taken a considerable amount of precautions for new customers.

We have as well investigated all our customers. Everything coming out of our network is now clean.

Conrad Longmore said...

Clean? Google's Safe Browsing Diagnostic says:

Safe Browsing
Diagnostic page for AS21793 (GOGAX)

What happened when Google visited sites hosted on this network?

Of the 1499 site(s) we tested on this network over the past 90 days, 133 site(s), including, for example, ajvar.com/, koromuna.com/, offgirls.org/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2011-05-06, and the last time suspicious content was found was on 2011-05-06.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 222 site(s) on this network, including, for example, 76.76.115.0/, melice123.com/, vwv007.ru/, that appeared to function as intermediaries for the infection of 2149 other site(s) including, for example, shoubiznes.uz/, kpsinfosystems.com/, smdailyjournal.com/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 903 site(s), including, for example, 76.76.115.0/, gool15.ipq.co/, 757qwerty.ru/, that infected 14302 other site(s), including, for example, shoubiznes.uz/, vuzlib.net/, coloriages.biz/.


And SiteVet reports that although the "badness" ratio has dropped a bit recently, it's still not very clean.

simon said...

Hi sir,

All the sites showing up on the Google page do not resolve to our network. We have removed them already.

We have also registered our AS on Google Labs to receive notifications as soon as they are found by the crawlers.

As for SiteVet, the badness has effectively dropped; however, the PDF report is out of date and all issues on it are resolved.

We are also monitoring various other sites and have yet to find a live issue.

Conrad Longmore said...

A quick look shows the following problem servers:
76.76.99.2 - fake news sites supporting dubious "work at home jobs"
76.76.104.251 - fake goods
76.76.104.252 - fake goods
76.76.104.253 - fake goods
76.76.106.26 - fake anti-virus software
76.76.106.29 - fake anti-virus software
76.76.116.102 - fake goods
76.76.116.171 - fake anti-virus software
76.76.116.174 - fake anti-virus software
and 76.76.124.0/24 appears to be wholly dedicated to various brands of fake goods.

That's excluding malware URLs and the like. Hardly pristine, is it?

Conrad Longmore said...

I added an updated list of active domains to the bottom of the original post (or click here).

simon said...

Hi sir,

Thanks for your work, I will evaluate your report very shortly.

However, I am not sure where your sources are coming from.

Looking quickly through the CSV, I can see that most of the domains on this report were abusers that were removed from our systems a month ago at least.

I will send you an updated CSV as soon as I have identified all issues and gone through every record.

Best regards.

simon said...

Hi sir,

Here is a minor update. I have gone through roughly 80% of the CSV list.

76.76.99.2 - fake news sites supporting dubious "work at home jobs" = Cancelled before CSV
76.76.104.251 - fake goods = DISABLED. THANK YOU
76.76.104.252 - fake goods = DISABLED. THANK YOU
76.76.104.253 - fake goods = DISABLED. THANK YOU
76.76.106.26 - fake anti-virus software = NEW CLIENT
76.76.106.29 - fake anti-virus software = NEW CLIENT
76.76.116.102 - fake goods = DISABLED. THANK YOU
76.76.116.171 - fake anti-virus software = NEW CLIENT
76.76.116.174 - fake anti-virus software = NEW CLIENT

Best Regards

Conrad Longmore said...

It's certainly looking better, but those fake AV sites are a concern. It's good to see that Gogax is making progress though!

simon said...

Those fake AV sites were related to a Russian hacker that has been disabled since mid-March.

The domains are simply still pointing to our IPs. If you verify, these IPs are actually used for the project vanillux.org.

Everything is now legit concerning these IPs.

I would appreciate if this page is removed.

Best Regards

simon said...

Hi sir,

Could you please remove this blog post ? Gogax is now completely clean and monitored constantly.

Best Regards

Simon Choucroun

Director Of Operations

simon said...

Hi sir,

Please remove this page as all the complaints and abuse issues on our network are resolved. We have been and are continuously monitoring our network for any incidents.

Best Regards