Friday 23 November 2012

Something evil on 5.135.192.16/30

It looks like there is a set of exploit sites in the range 5.135.192.16/30 serving up TrueType font exploits (such as CVE-2011-3402), which are being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs.info/40c0dee71a9b9d715539b7d56c3d5f23.eot. The potentially malicious sites in this range include:

10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
jhqp.bcodec.info
ksmuaelteory.net
mwko.zsomteltepngs.info
osmuaelteory.net
psmuaelteory.net
qfgc.hlegolaj.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zbav.hsomteltepngs.info

If you're interested in blocking whole domains rather than subdomains, then here's a list you can use:

10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
bcodec.info
hlegolaj.net
hsomteltepngs.info
ksmuaelteory.net
osmuaelteory.net
psmuaelteory.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zsomteltepngs.info

The netblock is controlled by OVH, but suballocated:

organisation:   ORG-AL263-RIPE
org-name:       Anton Legaev
org-type:       OTHER
address:        Ukraine, 61033, Kharkiv, Sadovo-Naveregnaja 21-1
abuse-mailbox:  angelesgower@inbox.com
phone:          +3.809287783621
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered
Blocking access to this (small) IP range and/or these domains should offer some protection, although the best bet is to make sure that your user PCs are fully patched at all times.
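As an added example (not part of the original post), the following Python script applies the indicators above in the way a blocklist would: it checks destination IPs against the /30 netblock and hostnames against both lists, with the whole-domain list matched as a suffix on label boundaries so that subdomains are caught without false positives on look-alike names. The proxy-log layout and the sample log lines are constructed for the example and do not reflect any real proxy format or real traffic.

```python
import ipaddress

# Indicators taken from the post above.
MALICIOUS_NETBLOCK = ipaddress.ip_network("5.135.192.16/30")  # covers .16 through .19

# First list in the post: exact hostnames seen serving the exploit.
EXACT_HOSTS = {
    "10bloodek.info", "1bloodek.info", "5helnima.net", "anotepad.info",
    "asomteltepngs.info", "jhqp.bcodec.info", "ksmuaelteory.net",
    "mwko.zsomteltepngs.info", "osmuaelteory.net", "psmuaelteory.net",
    "qfgc.hlegolaj.net", "qsomteltepngs.info", "rsomelostell.net",
    "shelnima.net", "whelnima.net", "xsomteltepngs.info",
    "ysomteltepngs.info", "zbav.hsomteltepngs.info",
}

# Second list in the post: registered domains to block together with all subdomains.
BLOCKED_DOMAINS = {
    "10bloodek.info", "1bloodek.info", "5helnima.net", "anotepad.info",
    "asomteltepngs.info", "bcodec.info", "hlegolaj.net", "hsomteltepngs.info",
    "ksmuaelteory.net", "osmuaelteory.net", "psmuaelteory.net",
    "qsomteltepngs.info", "rsomelostell.net", "shelnima.net", "whelnima.net",
    "xsomteltepngs.info", "ysomteltepngs.info", "zsomteltepngs.info",
}


def normalise_host(host):
    """Lower-case and strip a trailing dot so 'MWKO.Example.INFO.' compares cleanly."""
    return host.strip().rstrip(".").lower()


def ip_in_netblock(ip):
    """True if ip falls inside the /30; malformed input is treated as not matching."""
    try:
        return ipaddress.ip_address(ip) in MALICIOUS_NETBLOCK
    except ValueError:
        return False


def host_blocked(host, block_subdomains=True):
    """Check a hostname against the two lists.

    With block_subdomains=False only the exact hostnames from the first list
    and the bare domains from the second list match. With the default True,
    any subdomain of a blocked domain matches too, but only on a label
    boundary: 'www.bcodec.info' matches 'bcodec.info', 'notbcodec.info' does not.
    """
    h = normalise_host(host)
    if h in EXACT_HOSTS or h in BLOCKED_DOMAINS:
        return True
    if not block_subdomains:
        return False
    labels = h.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(1, len(labels)))


def scan_proxy_log(lines):
    """Return (line_number, reason) for every line whose destination IP or host matches.

    Expected layout (constructed for this example, not any real proxy's format):
    '<timestamp> <client_ip> <dest_ip> <host> <path>' separated by whitespace.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines rather than crashing
        _ts, _client, dest_ip, host, _path = parts[:5]
        if ip_in_netblock(dest_ip):
            hits.append((n, "ip " + dest_ip))
        elif host_blocked(host):
            hits.append((n, "host " + normalise_host(host)))
    return hits


# Constructed sample log lines (not real traffic) exercising each branch.
SAMPLE_LOG = [
    "2012-11-23T10:01:02 10.0.0.5 5.135.192.17 mwko.zsomteltepngs.info /40c0dee71a9b9d715539b7d56c3d5f23.eot",
    "2012-11-23T10:01:05 10.0.0.5 93.184.216.34 www.example.com /index.html",
    "2012-11-23T10:01:09 10.0.0.7 198.51.100.9 WWW.BCODEC.INFO. /x",
    "2012-11-23T10:01:12 10.0.0.7 198.51.100.9 notbcodec.info /y",
    "garbage line",
]

if __name__ == "__main__":
    for n, reason in scan_proxy_log(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

The suffix match in `host_blocked` is the point of the second list: an exact-match filter built from the first list would miss a new subdomain under one of these domains, while matching on label boundaries keeps an unrelated name such as `notbcodec.info` from being caught.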