
Monday, 19 September 2011

Evil network: Alexey Klimenko / UAHOSTER-NET / uahoster.org / GreatHost-ALTNET, AS41390 (91.217.153.0/24)

This sordid little corner of the internet came up while investigating some SpyEye C&C servers on 91.217.153.110:

webchoke.com
webdisar.com
webdecay.com
webawoke.com

These servers sit in the netblock 91.217.153.0/24 (91.217.153.0 - 91.217.153.255), which is announced by AS41390 (more of which later). The RIPE contact details for the block are:

inetnum:        91.217.153.0 - 91.217.153.255
netname:        UAHOSTER-NET
descr:          PP Alexey Klimenko
country:        UA
org:            ORG-PAK5-RIPE
admin-c:        AK6545-RIPE
tech-c:         AK6545-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         ROWER-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     ROWER-MNT
mnt-domains:    ROWER-MNT
source:         RIPE #Filtered
                                     
organisation:   ORG-PAK5-RIPE
org-name:       PP Alexey Klimenko
org-type:       OTHER
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
abuse-mailbox:  abuse@uahoster.org
mnt-ref:        ROWER-MNT
mnt-by:         ROWER-MNT
source:         RIPE #Filtered
                                      
person:         Alexey Klimenko
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
phone:          +380994015332
nic-hdl:        AK6545-RIPE
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

                                      
route:          91.217.153.0/24
descr:          GreatHost-ALTNET
origin:         AS41390
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

These details largely match the WHOIS record for uahoster.org, a domain that is itself hosted in this netblock.
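The records above are RPSL objects, the format every RIR whois server returns, and they are easy to mis-read by hand because attributes such as mnt-by and address repeat. What follows is an added example (not tooling from the original post) that parses such output into attribute lists and pulls out the facts needed for a block rule or an abuse report. The sample input is the whois text quoted above, shortened; the function names are this example's own.

```python
"""Parse RIPE-style RPSL whois output and pull out the attributes an abuse
investigator needs.

Added example for this post, not tooling from the original. SAMPLE_WHOIS is
the whois text quoted above (shortened); the function names are this
example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Sample input: the inetnum, organisation and route objects quoted in the post.
SAMPLE_WHOIS = """\
inetnum:        91.217.153.0 - 91.217.153.255
netname:        UAHOSTER-NET
descr:          PP Alexey Klimenko
country:        UA
org:            ORG-PAK5-RIPE
admin-c:        AK6545-RIPE
tech-c:         AK6545-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

organisation:   ORG-PAK5-RIPE
org-name:       PP Alexey Klimenko
org-type:       OTHER
address:        Ukraine, Sevastopol,
address:        Heroev Sevastopola 21-10
abuse-mailbox:  abuse@uahoster.org
mnt-by:         ROWER-MNT
source:         RIPE #Filtered

route:          91.217.153.0/24
descr:          GreatHost-ALTNET
origin:         AS41390
mnt-by:         ROWER-MNT
source:         RIPE #Filtered
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$")


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split whois output into blank-line separated objects and return each as
    attribute -> list of values. Lists, because attributes such as mnt-by and
    address legitimately repeat; a scalar dict would silently keep only the
    last maintainer. Continuation lines (leading space, tab or '+') extend the
    previous value; '%'/'#' comment lines and trailing '# ...' comments are
    dropped, which is what turns 'RIPE #Filtered' into 'RIPE'."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = defaultdict(list)
    last_key = None
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):
            continue
        if not raw.strip():
            if current:
                objects.append(dict(current))  # dict() keeps attribute order
                current, last_key = defaultdict(list), None
            continue
        if raw[0] in " \t+" and last_key is not None:
            joined = current[last_key][-1] + " " + raw.lstrip(" \t+").strip()
            current[last_key][-1] = joined.strip()
            continue
        m = ATTR_RE.match(raw)
        if not m:
            continue  # tolerate a junk line instead of losing the whole object
        key, value = m.group(1).lower(), m.group(2)
        value = value.split(" #", 1)[0].strip()
        current[key].append(value)
        last_key = key
    if current:
        objects.append(dict(current))
    return objects


def summarize(objects: List[Dict[str, List[str]]]) -> Dict[str, object]:
    """Reduce the parsed objects to the facts a block rule or abuse report
    needs: the range and its name, every maintainer, the organisation and its
    abuse mailbox, and which AS originates the route. The first attribute of
    an RPSL object names its class, so that is how objects are told apart."""
    facts: Dict[str, object] = {}
    for obj in objects:
        cls = next(iter(obj))
        if cls == "inetnum":
            facts["range"] = obj["inetnum"][0]
            facts["netname"] = obj.get("netname", [""])[0]
            facts["maintainers"] = sorted(set(obj.get("mnt-by", [])))
        elif cls == "organisation":
            facts["org"] = obj.get("org-name", [""])[0]
            facts["abuse"] = obj.get("abuse-mailbox", [""])[0]
        elif cls == "route":
            facts["prefix"] = obj["route"][0]
            facts["origin"] = obj["origin"][0]
    return facts


if __name__ == "__main__":
    for k, v in summarize(parse_rpsl(SAMPLE_WHOIS)).items():
        print(f"{k:12} {v}")
```

Feed it the raw output of `whois -h whois.ripe.net 91.217.153.110` and the summary gives you the abuse mailbox to report to and the originating AS to pivot on; the `#Filtered` marker is the RIPE server's note that personal data was stripped, not part of the value.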

An examination of the sites on 91.217.153.0/24 shows a high proportion of malware, work-at-home scams, money mule operations, phishing (especially for VKontakte credentials), fake prescription sites, and dubious pay-per-install schemes. Just about the only sites that don't fit into these categories are porn sites. There seems to be nothing worth visiting in this range, so blocking 91.217.153.0/24 is probably a good idea.

A list of sites can be found at the end of this post; alternatively, you can download a list with IP addresses and myWOT ratings from here [csv].

91.217.153.0/24 resides in AS41390, which appears to consist of three loosely connected blocks:

91.217.153.0/24   GreatHost-ALTNET
194.247.48.0/24   WorkStone-AltNET
195.3.144.0/22    RN DATA DC

Usually all the prefixes announced by an AS belong to the same organisation; here, two of the three carry the name "Altnet". In fact, we came across Altnet and AS41390 last year when they were hosting the same kind of rubbish on the 195.3.144.0/22 range. They seem to have changed their name since then, and the renamed "RN DATA DC" block does now seem largely clean. Altnet are (or were) a colocation provider, so the "GreatHost" block may well be a customer in one of their datacenters.

This is what Google thinks of AS41390:

Safe Browsing
Diagnostic page for AS41390 (RN)

What happened when Google visited sites hosted on this network?

    Of the 180 site(s) we tested on this network over the past 90 days, 4 site(s), including, for example, fusker.lv/, claw429.ltd.ua/, airline-promo.com/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-09-18, and the last time suspicious content was found was on 2011-09-18.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 4 site(s) on this network, including, for example, filesd.in/, bradpittfanclub.org/, rotatobanner.com/, that appeared to function as intermediaries for the infection of 57 other site(s) including, for example, healthcarevolunteer.com/, aratilis.org/, thejourneyonline.org/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 37 site(s), including, for example, cokk87.com/, chairframeede.com/, filesd.in/, that infected 668 other site(s), including, for example, imevial.cl/, daum.net/, cinemundo.cl/.

SiteVet's prognosis is also not very good. It has to be said, though, that the bulk of the bad activity is in the 256 IPs (and fewer than 200 sites) of the 91.217.153.0/24 range. Blocking access to 91.217.153.0/24 will probably be sufficient, and it also catches any new domains the operators point into the block later. If you can only block by domain, use the following list, bearing in mind that it is a snapshot and will need refreshing:

11vk.ru
2011vk.com
2011vk.ru
2-bloggers.com
4sale-drugs.com
ackerman-gmbh.com
adaltamo.com
adaltest.com
adaltest.in
adaltpornpics.in
adaporntumul.com
adfgsfgrsdf.com
aeroshark.com
agathonbernard-sarl.com
albertathomas-sarl.com
allavi.in
american-pharm.com
anicetrichard-sarl.com
aquarium-stakany.org
asiawatertrade.org
augustelaurent-sarl.com
augustinmichel-sarl.com
austerlitz-gmbh.com
avjobnews.com
azhenordavid-sarl.com
belbci.com
berchtwald-gmbh.com
besthottestsites.com
b-l-investments.org
bradpittfanclub.org
brand-viagra.com
bulilit.tk
buylicens.com
buyperfecthealth.com
buyviagraed.com
caminsiders.com
casinonewsblog.org
chairframeede.com
chjobnews.com
clmeyer-gmbh.com
cokk87.com
com-message.in
com-watch-id181222ooo.info
com-watch-id181223ooo.org
dajobnews.com
datatrsfdl.com
dateforall.org
degasu.org
divalis.org
donotbesoshy.com
dorotydiary.org
drjobnews.com
drunkenhole.com
duerrgmbh.com
ed-italia.name
eetryy.com
eichelberger-gmbh.com
elox.ru
etzel-gmbh.com
exotic-tour.in
fajobnews.com
fejd23.com
first-choice-investments.org
floes-blog.com
fotkarus.ru
frankfurter-gmbh.com
freejoinsites4u.com
freesites4you.com
freitag-gmbh.com
freud-gmbh.com
fruehaufgmbh.com
fuhasp.com
gejobnews.com
gentelmen.info
gghjobnews.com
googlad.in
h0n.ru
haknuto-maknuto.com
hartmanngmbh.com
hojobnews.com
holydolly.com
honey18girls.com
hotandwillinq.com
inpills.com
installcash.org
iojobnews.com
isp5.ru
isp7.ru
ispromo.info
ispromo.net
jasamjebenadomena.com
jaspercruiser.com
jaspertrawler.com
jobnewsis.com
jobnewslir.com
jujobnews.com
kevc.ru
klugegmbh.com
koertig-gmbh.com
kupeer-gmbh.com
libeetlead.com
liebepillen.net
lipu11.com
londonredbus.org
lujobnews.com
maill-password.com
mercetgroup.org
mfks.org
mismojebenadomena.com
mmstx.ru
m-timesinvestment.org
muller-zoits.com
muzloid.net
nature-c-clinic.com
odnuklassniki.net
oklahomasporttv.org
oojobnews.com
opensitehere.com
pillsonline.ws
pojobnews.com
porntumov.com
potenstabletter.com
prnrservice.com
psjobnews.com
purplealititi.com
pusikuracbre.com
quacricketert.com
rojobnews.com
scanmedipc-derop.tk
secure-med.net
sexmagics.com
skypallete.net
softp0rtal.net
sve-ce-da-nas-pojebe.com
sve-ce-da-nas-pojebe.net
tabforhealth.com
tdsfree.org
tishh.com
tishh.org
tisijebenadomena.com
tornadogames.org
transport7.com
traypka.ru
tyujobnews.com
uahoster.org
usaglobalmail.com
viagrabuyonline.net
visionbridgel.com
vitaline.in
vk11.ru
vk-11.ru
vk2011.ru
vk-2011.ru
vkao.ru
vkee.ru
vkgost.ru
vk-newyear.ru
vkoa.ru
vkonatikte.ru
vkonatkite.ru
vkontaklle.ru
vkontakte-id.com
vkonzakte.ru
vk-opros.ru
vvsmail.com
vz33.ru
webawoke.com
webchoke.com
webdecay.com
webdisar.com
webstrong.ru
weib-gmbh.com
whitenikana.com
windowsupdatews.com
woadaplorntum.com
xevk.ru
ypijobnews.com
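To act on either option above (block the AS41390 prefixes, or block the domain list), here is an added example, not the post's own tooling, that tests an address against the three prefixes listed earlier, normalises a domain list like the one above, and renders both iptables rules and a BIND/Unbound response-policy zone (RPZ) from it. The prefixes and domains come from the post; the deliberately messy sample entries, the zone name blocklist.rpz and the SOA values are assumptions of this example.

```python
"""Turn this post's indicators into enforcement: classify an IP against the
three AS41390 prefixes, normalise the domain list, and render iptables
rules plus a DNS response-policy zone (RPZ).

Added example for this post, not the author's tooling. The prefixes and the
domains are taken from the post; the messy sample entries, the zone name
'blocklist.rpz' and the SOA values are this example's assumptions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# The three prefixes the post attributes to AS41390.
AS41390_PREFIXES: Dict[str, str] = {
    "91.217.153.0/24": "GreatHost-ALTNET",
    "194.247.48.0/24": "WorkStone-AltNET",
    "195.3.144.0/22": "RN DATA DC",
}
_NETS = [ipaddress.ip_network(p) for p in AS41390_PREFIXES]

# Constructed sample: a few domains from the list above, deliberately messy
# (case, trailing dot, a full URL, a duplicate, a non-domain) to exercise
# the normalisation a real feed needs.
SAMPLE_DOMAINS = [
    "webchoke.com", "WebDisar.COM.", "webdecay.com", "webawoke.com",
    "http://vkontakte-id.com/login", "webchoke.com", "not a domain",
]

# RFC 1123 hostname: 1-63 char labels, no leading/trailing hyphen, at least
# one dot, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def which_prefix(ip: str) -> Optional[str]:
    """Return the AS41390 prefix containing `ip`, or None. A malformed address
    raises ValueError rather than being silently treated as clean."""
    addr = ipaddress.ip_address(ip)
    for net in _NETS:
        if addr in net:          # False for a v6 address against a v4 net
            return str(net)
    return None


def normalize_domains(raw: Iterable[str]) -> List[str]:
    """Lower-case, strip URL scheme/path/port and trailing dot, drop anything
    that is not a valid hostname, de-duplicate and sort, so the same entry
    cannot slip past a block rule as WebDisar.COM. or as a URL."""
    out = set()
    for item in raw:
        d = item.strip().lower()
        d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)   # scheme
        d = d.split("/", 1)[0].split(":", 1)[0]        # path, port
        d = d.rstrip(".")
        if HOSTNAME_RE.match(d):
            out.add(d)
    return sorted(out)


def iptables_rules(prefixes: Dict[str, str] = AS41390_PREFIXES) -> List[str]:
    """Drop traffic to and from each prefix; the comment carries the netname so
    `iptables -S` later shows why the rule exists."""
    rules = []
    for prefix, name in prefixes.items():
        rules.append(f'-A INPUT  -s {prefix} -m comment --comment "{name}" -j DROP')
        rules.append(f'-A OUTPUT -d {prefix} -m comment --comment "{name}" -j DROP')
    return rules


def rpz_zone(domains: Iterable[str], origin: str = "blocklist.rpz",
             serial: int = 2011091901) -> str:
    """Render an RPZ zone. 'CNAME .' is the RPZ action meaning NXDOMAIN; the
    wildcard record extends the block to every subdomain, which the plain
    name alone would not."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. ({serial} 3600 600 86400 300)",
        "@ IN NS localhost.",
    ]
    for d in normalize_domains(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip in ("91.217.153.110", "195.3.147.200", "8.8.8.8"):
        print(ip, "->", which_prefix(ip))
    print("\n".join(iptables_rules()))
    print(rpz_zone(SAMPLE_DOMAINS))
```

The rendered zone is loaded like any other zone and then referenced from BIND's `response-policy { zone "blocklist.rpz"; };` (Unbound has an equivalent `rpz:` clause); bump the serial every time the list changes. The prefix check is the cheaper control in practice, since it does not depend on keeping up with new domain registrations, while the RPZ is what you need on a network where you cannot filter at the IP layer.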
