Sponsored by..

Thursday, 13 March 2014

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x.org. The blocks have been identified as belonging to that customer and I would recommend that you block them:

OVH Canada have repeatedly hosted exploit kits for this customer to the extent that I am suspicious that either they have been compromised in some way. These following blocks have been identified as serving up malware in the recent past:

Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?

No comments: