
Thursday, 22 September 2011

Evil network: Relikts BVK / Sagade Ltd (46.252.130.0/23)

One of the most persistently evil IP ranges on the net, Sagade Ltd appears to deal exclusively with criminals and it is hard to find any legitimate customers at all. Despite the arrest of two people closely related to Sagade, the 46.252.130.0/23 netblock seems to be very much active and still up to its old tricks.

Sites in this block are used for injection attacks, malware distribution, phishing and money mule recruitment.

The contact details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

This gives the "Sagade" netname, and the route object shows the block is announced by AS52055. Digging deeper into AS52055 gives:

aut-num:        AS52055
as-name:        Relikt
descr:          SIA "Relikts BVK"
org:            ORG-SB308-RIPE
import:         from AS15626 accept ANY
export:         to AS15626 announce AS52055
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
notify:         reliktbvk@gmail.com
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         andrejskaminskis-mnt
mnt-routes:     andrejskaminskis-mnt
changed:        reliktbvk@gmail.com 20110601
source:         RIPE
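
The lookups above (inetnum to route to origin AS to aut-num, then noticing that the same contact handle and maintainer sit on all of them) are easy to do by hand once, but tedious across many netblocks. The following script is an added example and is not part of the original post: it parses RIPE-style whois text into objects, finds the inetnum and route covering an address, follows the route's origin to the aut-num, and reports which handles and maintainers are shared between objects. The whois text is copied from the objects quoted in the post; the function names are my own.

```python
"""Walk RIPE whois objects from an address to its inetnum, route and aut-num.

Added example, not part of the original post: the whois text is copied from
the objects quoted there; the function names are my own."""
import ipaddress
import re
from collections import defaultdict

# Sample input: the inetnum, route and aut-num objects quoted in the post.
WHOIS_TEXT = """\
inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE #Filtered

aut-num:        AS52055
as-name:        Relikt
descr:          SIA "Relikts BVK"
org:            ORG-SB308-RIPE
import:         from AS15626 accept ANY
export:         to AS15626 announce AS52055
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
notify:         reliktbvk@gmail.com
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         andrejskaminskis-mnt
mnt-routes:     andrejskaminskis-mnt
source:         RIPE
"""
ATTR_RE = re.compile(r"^([a-z-]+):\s*(.*)$")

def parse_objects(text):
    """Split whois output into objects (blank-line separated).

    Each object is a dict attribute -> list of values, because attributes
    such as mnt-by legitimately repeat within one object."""
    objects, current = [], None
    for line in text.splitlines():
        if not line.strip():              # a blank line ends an object
            if current:
                objects.append(current)
            current = None
            continue
        if line.startswith(("%", "#")):   # RIPE server comment lines
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        if current is None:
            current = defaultdict(list)
        current[m.group(1)].append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects

def inetnum_networks(obj):
    """Turn 'a.b.c.d - w.x.y.z' into the CIDR blocks that cover the range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))

def lookup_chain(ip, objects):
    """Return the (inetnum, route, aut-num) objects covering ip; None for gaps."""
    addr = ipaddress.ip_address(ip)
    inet = next((o for o in objects if "inetnum" in o
                 and any(addr in n for n in inetnum_networks(o))), None)
    route = next((o for o in objects if "route" in o
                  and addr in ipaddress.ip_network(o["route"][0])), None)
    asn = route["origin"][0] if route else None
    autnum = next((o for o in objects if asn and o.get("aut-num") == [asn]), None)
    return inet, route, autnum

def shared_handles(objects):
    """Handles and maintainers that appear on more than one kind of object.

    This is what ties the 'Sagade' inetnum to the Relikts BVK AS: the same
    admin/tech contact and the same maintainer on all three."""
    seen = defaultdict(set)
    for o in objects:
        kind = next(k for k in ("inetnum", "route", "aut-num", "person") if k in o)
        for attr in ("admin-c", "tech-c", "mnt-by", "mnt-routes", "notify", "e-mail"):
            for value in o.get(attr, []):
                seen[value].add(kind)
    return {v: sorted(kinds) for v, kinds in seen.items() if len(kinds) > 1}

if __name__ == "__main__":
    objs = parse_objects(WHOIS_TEXT)
    inet, route, autnum = lookup_chain("46.252.130.6", objs)
    print(inet["netname"][0], "->", route["origin"][0], "->", autnum["descr"][0])
    print(shared_handles(objs))
```

Feed it the raw output of `whois -h whois.ripe.net 46.252.130.6` (with a `-B` or `--no-filtering` flag if you want the e-mail attributes the "#Filtered" objects above omit) and the shared-handle report is what lets you say with some confidence that a renamed or re-assigned block is still the same operator.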

Was the block transferred from Sagade to Relikts BVK? Possibly. RIPE gives the following contact details:

SIA "Relikts BVK"
Latgales 32/34
LV-4601 Rezekne
LATVIA

phone:   +37127580487
fax:  +37125390001
e-mail:  reliktbvk (at) gmail (dot) com

So, what's so evil about the Relikts BVK / Sagade Ltd block? Here are some examples:

acrossuniverseitbenet.com (46.252.130.6)
Injection attacks [1] [2] [3]

acrossuniverseitbeorg.com (46.252.130.6)
Injection attacks [4] [5]

globalpoweringgathering.com (46.252.130.6)
Injection attacks [6] [7]

globalpoweringgatheringon.com (46.252.130.6)
Injection attacks [8] [9] [10]

infoitpoweringgatheringit.com (46.252.130.6)
Injection attacks [11]

infoitpoweringgatheringon.com (46.252.130.6)
Injection attacks [12]

lessthenaseconddeal.com (46.252.130.6)
Injection attacks [13]

cryptsnet.net (46.252.130.34)
Malware distribution [14] [15]

yahoostat.com (46.252.130.121)
Malware distribution [16] [17] [18]

ipcountstat.ru (46.252.130.122)
Malware distribution [19] 

elita-od.ru (46.252.130.156)
Phishing [20]

katherinegordonwilliams.com (46.252.130.205)
Injection attacks [21]

facebook-surprise-njwo.tk (46.252.131.7)
Malware distribution [22] [23]

ddk100.com (46.252.131.8)
Malware distribution [24] [25] [26]

tubemoviesforfree.com (46.252.131.28)
Malware distribution [27]

your24domain.com (46.252.131.55)
Malware distribution [28] 

Clearly, blocking access to 46.252.130.0/23 is an excellent idea; if you can only block by name, use the list of domains at the end of the post. You can download a full list of the sites currently hosted on the Relikts / Sagade block from here [csv], with myWOT ratings attached.

What is amazing about this operation is that it still has an upstream provider (AS15626, according to the import/export lines of the aut-num object above) happy to allow this clearly criminal operation to continue.
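
The two defensive options above (block the /23, or block the domain names) are not equivalent: a domain list misses sites on the block that are not yet on the list and requests made by bare IP, while a netblock rule misses nothing hosted there but catches nothing if the operator moves to a new range. The script below is an added example, not part of the original post, that does both and also checks a proxy log for clients that already reached either. The CIDR and the domain names come from the post; the squid native access.log layout, the BIND Response Policy Zone output, the iptables rule and the log lines themselves are my own assumptions and constructions.

```python
"""Block 46.252.130.0/23 and the listed domains, and find clients that
already reached either.

Added example, not part of the original post. The CIDR and the domain names
are from the post; the proxy log lines are constructed, and the squid native
log layout, RPZ zone and iptables rule are assumptions about the environment."""
import ipaddress
from urllib.parse import urlsplit

BAD_NETS = [ipaddress.ip_network("46.252.130.0/23")]

# Subset of the domain list at the end of the post.
BAD_DOMAINS = {
    "acrossuniverseitbenet.com", "cryptsnet.net", "yahoostat.com",
    "ipcountstat.ru", "elita-od.ru", "facebook-surprise-njwo.tk",
    "ddk100.com", "tubemoviesforfree.com", "your24domain.com",
}

# Constructed squid native access.log lines (timestamp elapsed client
# code/status bytes method URL ident peerstatus/peerhost type). The third
# request fetches by bare IP, which a domain blocklist alone would miss.
LOG_LINES = [
    "1316700000.123    512 10.0.0.12 TCP_MISS/200 4312 GET "
    "http://acrossuniverseitbenet.com/js/stat.js - DIRECT/46.252.130.6 text/javascript",
    "1316700001.456    230 10.0.0.15 TCP_MISS/200 1200 GET "
    "http://intranet.example/ - DIRECT/192.0.2.10 text/html",
    "1316700002.789    300 10.0.0.20 TCP_MISS/200 5120 GET "
    "http://46.252.131.8/load.php - DIRECT/46.252.131.8 application/octet-stream",
]

def domain_is_blocked(name):
    """True for a listed domain or any subdomain of one (www.ddk100.com)."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))

def ip_is_blocked(ip):
    """True if ip lies inside a blocked netblock; non-IP strings are False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BAD_NETS)

def flag_proxy_log(lines):
    """Return (client, host, peer_ip, reasons) for each request that hit a
    blocked domain or a blocked address, either in the URL or as the peer."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url, peer = f[2], f[6], f[8].split("/", 1)[-1]
        host = urlsplit(url).hostname or ""
        reasons = []
        if domain_is_blocked(host):
            reasons.append("domain")
        if ip_is_blocked(host) or ip_is_blocked(peer):
            reasons.append("cidr")
        if reasons:
            hits.append((client, host, peer, reasons))
    return hits

def rpz_zone(domains, origin="rpz.local."):
    """BIND Response Policy Zone text: 'CNAME .' returns NXDOMAIN for each
    listed domain and, via the wildcard record, for every subdomain of it."""
    lines = ["$TTL 300",
             f"@ IN SOA {origin} hostmaster.{origin} 1 3600 600 86400 300",
             "@ IN NS localhost."]
    for d in sorted(domains):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return "\n".join(lines) + "\n"

def iptables_rules(nets):
    """One outbound REJECT per netblock; REJECT rather than DROP so that
    clients fail fast instead of hanging on the connection."""
    return [f"iptables -A OUTPUT -d {net} -j REJECT" for net in nets]

if __name__ == "__main__":
    for client, host, peer, why in flag_proxy_log(LOG_LINES):
        print(f"{client} -> {host} ({peer}): {','.join(why)}")
    print(rpz_zone(BAD_DOMAINS))
    print("\n".join(iptables_rules(BAD_NETS)))
```

Run the log check first: any internal client that already fetched something from the block is a candidate for the injected-script, fake-AV and malware payloads listed above and wants looking at before you simply add the block rule and move on.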

acrossuniverseitbenet.com
acrossuniverseitbeorg.com
alsochooseand.com
amateursexreality.com
antivirussystem2011get.com
antivirussystem2011up.com
blogmydurov.ru
com-12bcb778b7793d78.ru
com-id239900477415089629.ru
cryptsnet.net
ddk100.com
djbest.org
elita-od.ru
enter-way.net
exof.net
facebook-surprise-njwo.tk
facebook-surprise-njww.tk
fire6495ksd.com
forsando.com
geryeter.in
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
gopston.in
gopstop.in
grapndet.com
hoperjoper.ru
hqxvideofree.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
intoawebthere.com
ipcountstat.ru
joiurew.in
juicypic.net
katherinegordonwilliams.com
lessthenaseconddeal.com
nanokefo.ru
od-priz.ru
od-prizs.ru
prinderkales.org
rapepornrape.com
rape-rape-rape.com
ru-14743094540009320.ru
ru-id205000000001140736703.ru
ru-id4605191385644259564425.ru
ru-ig419544039061293.ru
shabgdr.com
sierra-express.net
spedzone.ru
stats02-advertsting.com
stylus2641fm.com
trabniyd.com
tubemoviesforfree.com
urllogtolswile.com
usfinanceinst.com
vkon-blog.ru
yahoostat.com
your24domain.com
zeknex.mobi
