
Monday, 6 September 2010

Tainted network: InterWeb Media / Gogax.com AS21793 (76.76.96.0/19)

Trading under various names including Gogax, InterWeb Media and Exist Hosting, this Canadian company mixes legitimate businesses with some extremely dangerous sites that have links to organised crime.

Gogax's business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In the case of this $600,000 fraud, the IP addresses were delegated by Gogax to a company called Krutikservers in Azerbaijan.

There are also several fake and/or illegal pharmaceutical sites in the address range, which makes it odd that a legitimate organisation like the Swedish Covenant Hospital should choose to host in the same IP range as criminals.

Google's safe browsing diagnostic is pretty damning:

Safe Browsing
Diagnostic page for AS21793 (GOGAX)

What happened when Google visited sites hosted on this network?

    Of the 595 site(s) we tested on this network over the past 90 days, 35 site(s), including, for example, ajvar.com/, freezlylo.com/, no-ip.be/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-05, and the last time suspicious content was found was on 2010-09-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 225 site(s) on this network, including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that appeared to function as intermediaries for the infection of 3632 other site(s) including, for example, rubensf.com/, rebeccaflinn.com/, jesus-messiah.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 207 site(s), including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that infected 3270 other site(s), including, for example, rubensf.com/, jesus-messiah.com/, ottomiller.com/.



The full list of domains, MyWOT ratings, delegations and a prognosis as to whether it's the sort of site you might want to visit can be found here. Below is a summary of some of the more suspect delegates (note that some of the delegate names could be forgeries):

Delegate                                  Country        Activity
Abdto He                                  China          Counterfeit goods
Allen Jason                               United States  HYIP schemes
Cecile Dagorne (possible forged name)     France         Malware distribution
Emil Vdovin                               Russia         Fake / illegal pharmaceuticals & counterfeit goods
Global                                    Argentina      Fake / illegal pharmaceuticals
Gogax                                     Canada / US    Rogue anti-virus, malware distribution, fake / illegal pharmaceuticals
James Schumaker (possible forged name)    US             Fake / illegal pharmaceuticals
Krutikservers                             Azerbaijan     Fake jobs / money laundering
Loyalty Servers                           Russia         Fake / illegal pharmaceuticals, malware distribution, hardcore pornography, illegal software downloads
Michael Chekin                            Russia         Fake / illegal pharmaceuticals
Paule Uvinekov                            Ukraine        Child pornography (reference)
Saman Mazaheri                            Iran           HYIP schemes
Telekurs Holding (possible forged name)   Switzerland    Malware distribution
Valeria Duarte                            Argentina      Fake / illegal pharmaceuticals
Vlad Rybak                                Ukraine        Fake / illegal pharmaceuticals
Weiliang Zhang                            China          Counterfeit goods
WellHost                                  Ukraine        Fake / illegal pharmaceuticals, malware distribution

The bad stuff on this network easily outnumbers the legitimate stuff, so blocking the entire 76.76.96.0/19 range (76.76.96.0 - 76.76.127.255) will probably not cause significant problems. And if you are a legitimate site operator hosting with Gogax, then it might well be time to change hosts before the whole lot gets blackholed.
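As an added example (not part of the original post), here is a small Python script a defender could use to act on the recommendation above: it derives the first and last address of the 76.76.96.0/19 block, tests individual addresses against it, and scans log lines for any address that falls inside the block. The log lines, hostnames and 76.76.x.x addresses in SAMPLE_LOG are constructed for illustration and are not from the post; only the /19 prefix and its boundaries come from the post.

```python
import ipaddress
import re

# The netblock the post recommends blocking; the prefix and its boundaries are from the post.
GOGAX_BLOCK = "76.76.96.0/19"


def range_bounds(cidr: str) -> tuple:
    """Return the first and last address of a CIDR block as dotted-quad strings."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def in_block(ip: str, cidr: str = GOGAX_BLOCK) -> bool:
    """True if ip falls inside cidr; malformed input is treated as 'not in block'."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False


# Matches dotted-quad IPv4 addresses anywhere in a line of text.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_hits(log_lines, cidr: str = GOGAX_BLOCK):
    """Return (line_number, ip) pairs for every address in log_lines that sits inside cidr."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ip in _IPV4_RE.findall(line):
            if in_block(ip, cidr):
                hits.append((lineno, ip))
    return hits


# Constructed sample proxy log lines (not real traffic):
# timestamp, internal client, method, destination host, resolved destination IP.
# Hosts use reserved example names; the 76.76.x.x addresses are made up to sit
# just inside and just outside the /19 boundary (RFC 5737 address for the clean line).
SAMPLE_LOG = [
    "2010-09-06T10:01:02Z 10.0.0.5 GET clean.example 192.0.2.10",
    "2010-09-06T10:01:09Z 10.0.0.7 GET host-a.example 76.76.100.17",
    "2010-09-06T10:02:15Z 10.0.0.5 GET host-b.example 76.76.128.1",
    "2010-09-06T10:03:44Z 10.0.0.9 GET host-c.example 76.76.127.255",
]

if __name__ == "__main__":
    first, last = range_bounds(GOGAX_BLOCK)
    print(f"{GOGAX_BLOCK} covers {first} - {last}")
    for lineno, ip in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: {ip} is inside {GOGAX_BLOCK}")
```

Note that 76.76.128.1 on the third line is deliberately one address past the end of the block and is not reported, while 76.76.127.255 on the last line is the final address of the block and is. Using `strict=True` in `ip_network` also rejects a mistyped prefix whose host bits are set, which is a cheap guard against blocking the wrong range.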

Update: 23/5/11

Gogax claims that the block is now clean. However, the MyWOT rankings for this block still show some sites with very poor reputations (you can see a list of domains and ratings here).