Sponsored by..

Friday 16 September 2016

Malicious domains to block 2016-09-16

These domains are part of a cluster, some of with are serving the EITEST RIG exploit kit (similar to that described here). They all share nameservers running on 62.75.167.186 and 62.75.167.187.

kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
pronetanaliz.info
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
outsecurety.pw
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
bwl2rola3cpm.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
businessprofessionalzgroup.com
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
siteanalytics.pro
pronetanaliz.info

The EK domains are running on a botnet (those are listed in italics). The other domains seem to serve some other sort of nastiness. Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:

62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190

This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs. These IPs are allocated to:

person:         Vasiliy Buyanov
address:        Tereshkovoy 37
address:
address:        664000 Irkutsk
address:        Russia
phone:          +7 901 6508840
e-mail:         admin@realhosters.com
nic-hdl:        VB5472-RIPE
remarks:        5408042
abuse-mailbox:  admin@realhosters.com
mnt-by:         BSB-SERVICE-MNT
created:        2015-10-07T08:35:50Z
last-modified:  2015-10-07T08:35:50Z
source:         RIPE


Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)