Showing posts with label Black Hat.

Monday, 13 May 2013

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach; otherwise I would recommend blocking all the domains that are being abused:


The full list of malicious domains that I can find is below, although I would not expect it to be comprehensive:

Monday, 20 September 2010

The incredibly dangerous world of browser prefetch

Perhaps I've been living under a rock, but this suicidally stupid feature has apparently been built into Firefox for some time, although it seems to be seldom used.

It started with a short spam apparently advertising a fairly well known black hat forum for hackers and illicit trades. It's not the sort of place that would choose to advertise itself though (it is strictly by invitation only), so quite possibly this is a Joe Job by one set of black hatters against another.

Now I guess that many recipients will have done the same thing, and typed the name of the site into Google to find out about it.. under the assumption that they'll find something that doesn't involve visiting the spamvertised site itself. But if you're using Firefox (and this possibly applies to IE8 and IE9 too), then the following message pops up:


Secure Connection Failed

-----------.com:443 uses an invalid security certificate.

The certificate is not trusted because it is self signed.

(Error code: sec_error_untrusted_issuer)

It could be a problem with the server's configuration or it could be someone trying to impersonate the server.

If you have connected to this server successfully in the past the error may be temporary and you can try again later.

Right at this point I kicked myself because I thought I had accidentally clicked through. But no... the certificate error was showing on the Google search page and I hadn't clicked through at all.. so why was Google trying to load the page and showing the HTTPS error because of the invalid certificate?

The answer lies in prefetch - a combination of a tag on the site, Google and the default browser configuration meant that the browser tried to automatically load content from the bad site just by Googling for something.

Link prefetching (and how to turn it off) is explained in this FAQ or this HOWTO guide.. if you are using a Mozilla based browser then go and turn it off NOW by going into about:config and setting network.prefetch-next to false.

So why is it so dangerous? Have there been any cases of malware using link prefetching to spread? Not as far as I know.. although it might be theoretically possible. The danger is that you have just revealed your IP address without knowing it..

Let's look at a particular scenario where this can be used. Let's say the attacker is targeting a victim who is using an unidentifiable email address, and the attacker wants to find that victim's IP to tie them down to a location or organisation. In this scenario, the victim is not stupid.. they don't click on links in spam, they don't reply to untrusted messages, never send read receipts and they don't load external images in their mail client.. but the attacker uses social engineering to send an email with details that the victim might Google (for example a telephone number). The victim may then search for references on Google and even without clicking on anything, the prefetch may reveal their IP address.

Alternatively, prefetch could be used to download illegal content onto a target machine without the victim knowing about it, or there are probably several other ways in which it can be abused.

So it's hard to tell if the original spam was a Joe Job, or someone using prefetch to collect IP addresses for evil purposes. But I'll bloody well keep the prefetch switched off in future..
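As an added example (not part of the original post), the following Python script audits a page for the link hints that make a browser fetch a resource without any click, and flags the ones that point at a host other than the page being viewed, which is the silent connection described above. Firefox's link prefetching acts on <link rel="next"> and <link rel="prefetch">; the other rel values checked are later hints of the same kind. The HTML, hostnames and URLs are constructed for this example.

```python
"""Audit an HTML document for link-prefetch hints (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Relations that cause a browser to contact a host without a user click.
PREFETCH_RELS = {"next", "prefetch", "prerender", "dns-prefetch", "preconnect"}


class PrefetchHintParser(HTMLParser):
    """Collects <link> and <a> elements whose rel carries a prefetch hint."""

    def __init__(self):
        super().__init__()
        self.hints = []  # (rel, href) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").lower().split():
            if rel in PREFETCH_RELS:
                self.hints.append((rel, href))


def prefetch_targets(html, page_url):
    """Return [(rel, absolute_url, third_party)] for every prefetch hint.

    third_party is True when the hint's host differs from the page's host,
    i.e. the browser would reveal the visitor's IP address to a server the
    visitor never chose to contact.
    """
    parser = PrefetchHintParser()
    parser.feed(html)
    parser.close()
    page_host = urlsplit(page_url).hostname
    out = []
    for rel, href in parser.hints:
        # Relative and scheme-less ("//host/...") hrefs are resolved
        # against the page URL, exactly as the browser would.
        absolute = urljoin(page_url, href)
        host = urlsplit(absolute).hostname
        out.append((rel, absolute, host != page_host))
    return out


# Constructed sample: a search-results page that prefetches the first hit.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/results.css">
<link rel="prefetch" href="https://badforum.example:443/index.php">
<link rel="next" href="/search?q=badforum&start=10">
</head><body>
<a href="https://badforum.example/">badforum.example</a>
<a rel="nofollow" href="https://other.example/">other</a>
</body></html>
"""

if __name__ == "__main__":
    page = "https://search.example/search?q=badforum"
    for rel, url, third_party in prefetch_targets(SAMPLE_HTML, page):
        flag = "THIRD-PARTY" if third_party else "same-site"
        print(f"{rel:10} {flag:12} {url}")
```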

Sunday, 11 July 2010

Evil network: Pegashosting Network / pegashosting.com 178.162.135.0/24 (AS28753)

Hosting a very large number of sites offering fake jobs (such as hiring-westunion.com), Pegashosting Network of Kiev in the Ukraine uses the IP range 178.162.135.0 - 178.162.135.255, and appears to have no obvious legitimate sites whatsoever.

Part of a larger block allocated to netdirekt e. K., AS28753 has a pretty horrible reputation. Pegashosting is only a part of that though, and the main drive appears to be support for money mule operations and the like.

I cannot verify if the netblock WHOIS details are accurate:

inetnum:        178.162.135.0 - 178.162.135.255
netname:        Maxim-Staricin-966729
descr:          PegasHosting Network
country:        UA
admin-c:        MS20894-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:         Maxim Staricin
address:        6/40 Mira str.
address:        Kiev 03134
address:        Ukraine
phone:          +380994005332
fax-no:         +380994005332
abuse-mailbox:  abuse@pegashosting.com
nic-hdl:        MS20894-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

pegashosting.com was only registered in February, so hardly an old company.

Service Provided By: Center of Ukrainian Internet Names
Website: http://www.ukrnames.com
Contact: +380.577626123

Domain Name: PEGASHOSTING.COM

Creation Date: 01-Feb-2010
Modification Date: 01-Feb-2010
Expiration Date: 01-Feb-2011

Domain servers in listed order:
ns1.pegashosting.com
ns2.pegashosting.com

Registrant:
Staricin Maxim
PegasHosting.com
6/40 Mira str.
Kiev, 03134
UKRAINE
+380.994005332

Billing Contact:
Staricin Maxim abuse@pegashosting.com
Private person
6/40 Mira str.
Kiev, 03134
UKRAINE
+380.994005332

Administrative Contact:
Staricin Maxim abuse@pegashosting.com
PegasHosting.com
6/40 Mira str.
Kiev, 03134
UKRAINE
+380.994005332

Technical Contact:
Staricin Maxim abuse@pegashosting.com
PegasHosting.com
6/40 Mira str.
Kiev, 03134
UKRAINE
+380.994005332

Hosted web sites include fake pharmacies, fake job sites, hacking, porn and what appear to be fake dating sites. Blocking the entire 178.162.135.0/24 (178.162.135.0 - 178.162.135.255) will probably do you no harm.


Incidentally, I think that filing reports with abuse@pegashosting.com would be futile and possibly counterproductive; if you do have an issue with a site on this list then email abuse@netdirekt.de instead.

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious; I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.


Thursday, 23 July 2009

"Real Host Ltd" is a real sewer

"Real Host Ltd" occupies 256 IP addresses in the 213.182.197.* range, hosted in Latvia in an address space apparently leased from Junik Ltd.

The netblock registration details claim to belong to an address in Kazakhstan:

person: Alex Spiridonov
address: Kazakhstan, Almaty , Abay street 2a
abuse-mailbox: abusemailhost@gmail.com
phone: + 87771697576
nic-hdl: SA5926-RIPE
source: RIPE # Filtered

This block is of interest because out of hundreds of web sites hosted, there appear to be none at all which are legitimate. And out of all of these, Hit-senders.cn is one of the most interesting because it is currently being used for a zero-day Flash/PDF exploit. Many domains are registered to Michell.Gregory2009@yahoo.com who has featured on this blog many times before.

Some other interesting domains are Cashspyware.com, Botnet.su and Iframepartners.com which are pretty much openly operating as black hat sites.

All of these sites are either fraudulent, dangerous to visit or both - so if you receive an email or link pointing to them, leave well alone!

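The Pegashosting, Sagade Ltd and Real Host posts above each recommend blocking a whole netblock given as a RIPE inetnum range. As an added example (not code from the original posts), the Python below parses inetnum lines in the format quoted on this page into CIDR prefixes a firewall can use, and looks addresses up against the resulting blocklist; the Real Host inetnum line is constructed from the post's "213.182.197.*" description, and the test addresses are made up.

```python
"""RIPE inetnum ranges -> CIDR blocklist (added example)."""
import ipaddress
import re

# Matches the 'inetnum: start - end' line of a RIPE object (any spacing).
INETNUM_RE = re.compile(
    r"^inetnum:\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)", re.M)


def inetnum_to_cidrs(whois_text):
    """Extract every inetnum line and return the minimal covering CIDR networks."""
    nets = []
    for start, end in INETNUM_RE.findall(whois_text):
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        # A range that is not prefix-aligned comes back as several prefixes;
        # summarize_address_range yields the fewest that cover it exactly.
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


class NetblockBlocklist:
    """Blocked networks, each tagged with the hoster it was taken from."""

    def __init__(self):
        self.entries = []  # (IPv4Network, label)

    def add_whois(self, whois_text, label):
        for net in inetnum_to_cidrs(whois_text):
            self.entries.append((net, label))

    def lookup(self, ip):
        """Return the label of the first blocked network containing ip, else None."""
        addr = ipaddress.ip_address(ip)
        for net, label in self.entries:
            if addr in net:
                return label
        return None

    def as_cidrs(self):
        """CIDR strings in the order added, ready for a firewall or RPZ rule."""
        return [str(net) for net, _ in self.entries]


# Range lines as quoted in the posts (other WHOIS fields are irrelevant here).
PEGAS_WHOIS = ("inetnum:        178.162.135.0 - 178.162.135.255\n"
               "netname:        Maxim-Staricin-966729\n")
SAGADE_WHOIS = ("inetnum: 91.188.59.0 - 91.188.59.255\n"
                "netname: ATECH-SAGADE\n")
# Constructed from the post's '213.182.197.*' (256 addresses) description.
REALHOST_WHOIS = "inetnum: 213.182.197.0 - 213.182.197.255\n"


def build_blocklist():
    bl = NetblockBlocklist()
    bl.add_whois(PEGAS_WHOIS, "Pegashosting Network (AS28753)")
    bl.add_whois(SAGADE_WHOIS, "Sagade Ltd / ATECH-SAGADE")
    bl.add_whois(REALHOST_WHOIS, "Real Host Ltd")
    return bl


if __name__ == "__main__":
    bl = build_blocklist()
    print("block:", ", ".join(bl.as_cidrs()))
    # Constructed test addresses: three inside the blocks, one documentation address outside.
    for ip in ("178.162.135.77", "91.188.59.1", "213.182.197.229", "192.0.2.1"):
        print(f"{ip:16} -> {bl.lookup(ip)}")
```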

Monday, 2 February 2009

UkrTeleGroup vanishes, morphs.

First some good news (via the WaPo Security Fix blog): well known black hat web host UkrTeleGroup appears to have vanished from the internet. The bad news is that it seems to have morphed into a company called Internet Path which is masquerading as a US company.

Unfortunately, it does not appear that this is an Atrivo / McColo / Estdomains style situation where the bad guys are permanently shut down.. yet. But perhaps continued pressure on upstream providers might have some effect.. who knows?

Friday, 14 November 2008

McColo dead - spam 69% down

If there was any doubt that McColo was behind the vast majority of the world's spam, then I think the figures speak for themselves. We're seeing a 69% drop in spam volumes day-on-day (although we still only have one day's worth of post-McColo data). It will be interesting to see how long this takes to recover back to "normal" levels of awfulness.