Evil network revisited: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist Ltd is a small Black Hat hosting company in Transnistria, a breakaway part of the former Soviet Republic of Moldavia. No UN members recognise Transnistria, and effectively it sits beyond the reach of international law enforcement. Quite a handy place for criminals to do business then.

I first wrote about this block last year, but it recently came into my sights again as the host for a very widespread injection attack using the lilupophilupop.com domain.

Since last year the number of malicious sites has dropped, but there is still not a legitimate site in sight. Most of the bad sites are currently on 194.28.114.102 but you should block access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble.

A list of sites hosted in this range is at the end of this post, or you can download a CSV with the MyWOT ratings and IP addresses from here.

Google's prognosis of this block is pretty horrible:

Safe Browsing
Diagnostic page for AS48691 (SPECIALIST)

What happened when Google visited sites hosted on this network?

    Of the 44 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, rthur87seeks.rr.nu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-12-12, and the last time suspicious content was found was on 2011-12-12.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that appeared to function as intermediaries for the infection of 190 other site(s) including, for example, teas.com.au/, rogersplus.ca/, cicomra.org.ar/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 30 site(s), including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that infected 2524 other site(s), including, for example, jri.ir/, psu.ac.th/, longoservice.it/.

The WHOIS details for the bloack are:

inetnum:         194.28.112.0 - 194.28.115.255
netname:         Specialist-ISP-PI2
descr:           Specialist, Ltd.
country:         MD
org:             ORG-SL206-RIPE
admin-c:         VP2841-RIPE
tech-c:          AB16163-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          SPECIALIST-MNT
mnt-routes:      SPECIALIST-MNT
mnt-domains:     SPECIALIST-MNT
source:          RIPE # Filtered

organisation:   ORG-SL206-RIPE
org-name:       Specialist, Ltd
org-type:       OTHER
descr:          Specialist, Ltd, Rybnitsa, MD
address:        I. Soltysa 12, Rybnitsa, MD
phone:          +373-777-12921
phone:          +373-693-18189
phone:          +373-777-65071
fax-no:         +373-555-43073
mnt-ref:        MONITORING-MNT
abuse-mailbox:  abuse@lan-rybnitsa.com
mnt-by:         SPECIALIST-MNT
source:         RIPE # Filtered

person:         Vladimir Pilan
address:        I. Soltysa 12, Rybnitsa, MD
phone:          +373-777-12921
fax-no:         +373-555-43073
nic-hdl:        VP2841-RIPE
source:         RIPE # Filtered
mnt-by:         SPECIALIST-MNT

person:         Anatoly Belitsky
address:        I. Soltysa 12, Rybnitsa, MD
phone:          +373-777-65071
fax-no:         +373-555-43073
nic-hdl:        AB16163-RIPE
source:         RIPE # Filtered
mnt-by:         SPECIALIST-MNT

route:          194.28.112.0/22
descr:          Specialst-route2
origin:         AS48691
mnt-by:         SPECIALIST-MNT
source:         RIPE # Filtered

Some domains and sites hosted in this block are:



ation72histor.rr.nu
blogsvk.ru
cliffordtravel.biz
comm98andsp.rr.nu
doutl31inesst.rr.nu
earni61ngunde.rr.nu
ensm60erch.rr.nu
eorge00gamee.rr.nu
ggesti51ngbina.rr.nu
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
h102-114.net.lan-rybnitsa.com
hoperjoper.ru
iess70elec.rr.nu
ift72hbot.rr.nu
ilto27nint.rr.nu
infoitpoweringgathering.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
inful07commi.rr.nu
lessthenaminutehandle.com
lessthenaseconddeal.com
lilupophilupop.com
lilypophilypop.com
llowe31dmeth.rr.nu
mail.lilupophilupop.com
mail.sweepstakesandcontestsinfo.com
ns1.hoperjoper.ru
ns2.hoperjoper.ru
root.sweepstakesandcontestsinfo.com
sekurepays.org
sical59lymemo.rr.nu
sokoloperkovuske.com
sokoloperkovuskeci.com
sokoloperkovuskedi.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsnow.com
tyco93uplin.rr.nu
wbesnancer.org
welcometotheglobaliscom.com
welcometotheglobalisnet.com
welcometotheglobalisorg.com
zevkblog.ru

Evil network: MD-ISP-MONITORING, AS25129 (89.187.32.0/19)

AS25129 (89.187.32.0/19) features a lot of refugees from another evil network, Najada. There's nothing of value in this netblock, sites seem to feature illegal software, fake anti-virus, criminal support infrastructure, fake pharma sites and phishing.

The IP range is allocated to:

inetnum:         89.187.52.0 - 89.187.55.255
netname:         MD-ISP-MONITORING
remarks:         INFRA-AW
descr:           Hi-speed users
country:         MD
admin-c:         ABA3-RIPE
tech-c:          ABA3-RIPE
status:          ASSIGNED PA
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered

person:          Alexander Basunov
address:         R&D Centre "Monitoring"
address:         Komsomolskaya 2a
address:         3200 Bendery
address:         Moldova
e-mail:          hostmaster@bendery.md
mnt-by:          MONITORING-MNT
nic-hdl:         ABA3-RIPE
phone:           +37377786335
source:          RIPE # Filtered

% Information related to '89.187.32.0/19AS25129'

route:           89.187.32.0/19
descr:           R&DC Monitoring, PA
origin:          AS25129
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered

The myWOT reputation of these sites is very bad [CSV], my recommendation is that you block 89.187.52.0 - 89.187.55.255 (89.187.32.0/19) or alternatively null route the sites below.

Anonymousstats.com
Storageprotectorx.com
Hostlogarea.in
Blogblogfirst.in
Bestblogbest.in
High-blogicio.eu
High-blogster.eu
High-picicio.eu
Hostspacebest.in
Mega-blogster.eu
Mega-picicio.eu
Mega-picster.eu
Turbo-blogster.eu
Turbo-imagicio.eu
A-lot-of-appz.com
Activation-codes.net
Activationcrack.net
Any-filez.net
Check-4-apps.org
Crack-file.net
Crack-serial-numbers.net
Crack-usa.com
Crackandcrack.com
Crackcrack.net
Crackcrackcrack.net
Crackdelivery.net
Crackdownload.net
Crackkeys.net
Crackorginal.net
Crackpatch.net
Crackpatchkeygen.net
Crackprokeygen.net
Crackrapidshare.net
Cracks-explorer.net
Crackserialcode.net
Crackserialcodes.net
Crackserialkey.net
Crackserialkeygens.net
Crackserialkeys.net
Crackserialnumber.net
Crackserialnumbers.net
Crackshare.net
Cracktrial.net
Crackwin.net
Dlfeed.com
Downloadcracks.net
Fastcrack.net
Fileserialkey.net
Free-serial.net
Freecrackdownload.net
Freekeygencrack.net
Freeserialkey.net
Fullcrackserial.net
Fullkeygen.net
Fullserialcrack.net
Fullserialnumber.net
Fullserialnumbers.net
Getserial.net
Hosthosthost.net
Key-code.net
Keygen-crack.net
Keygen-serial.net
Keygenc.net
Keygencrackpatch.net
Keygenerators.net
Keygenforserial.net
Keygenkeygen.net
Keygenned.com
Keygenpatch.net
Keygens-for-soft.org
Keygenserialcrack.net
Keygenserialnumber.net
Keygenserials.net
Keygensite.net
Keygentrial.net
Keygenwin.net
Keyproduct.net
Killtrial.net
Licensekeygen.net
Maximumwarez.com
Microposters.org
Newserialcracks.net
Numberserial.net
Orginalcrack.net
Patchcrack.net
Registrationcode.net
Registrationkey.net
Registrationkeys.net
Seialkeymaker.net
Serial-codes.net
Serial-crack.net
Serial-key-generator.net
Serial-keygen.net
Serial-keygens.net
Serial-keys.net
Serial-number-crack.net
Serial-numbers-crack.net
Serialcodesfor.net
Serialcrackcodes.net
Serialcrackkeygen.net
Serialkeycodes.net
Serialkeycrack.net
Serialkeygencracks.net
Serialkeygenerator.net
Serialkeygenpro.net
Serialkeygens.net
Serialkeynumber.net
Serialkeynumbers.net
Serialnumbercode.net
Serialnumbercrack.net
Serialnumberfor.net
Serialnumberkeygen.net
Serialnumberscrack.net
Serialpost.net
Serialserial.net
Shared-fro-you.com
Shared-news.net
Soft-dont-stop.org
Softwareserialnumber.net
Softwareserialnumbers.net
Superpagehost.in
Thecrackserial.net
Trusted-warez.com
Vipcrack.net
Warezpad.net
Wincracks.net
Bestwebspace.in
Besthostfree.in
Gigimon.net
Beribegi.com
Beribegi1.com
Googlemaps5.com
Hostnetblog.in
Judatrafic.com
Trafficforalz.com
Trafficforalz.org
Blogareaweb.in
Hostfreearea.in
Firstblogbest.in
Bloghomelog.in
Netnetblog.in
Bestspacelog.in
Firstblogspace.in
Brendonlfile.org
Coderstrin.org
Codesfreling.org
Cripesload.org
Daungradeoffs.org
Falenslaodins.org
Flaasnesfile.org
Fre-lan-fileess.org
Freecodonlaans.org
Frefrefiless.org
Friilasopn.org
Frilandfile.org
Grandisfreshdown.org
Hostsuperarea.in
Internalsfile.org
Jebaunfols.org
Kachaenfailisi.org
Linefirtsfilee.org
Loadslinecod.org
Med-on-downl.org
Media-delison.org
Media-l-file.org
Medlinefils.org
Ogrisfile.org
Oldinfilefree.org
Onl-for-fils.org
Orange-flis.org
Organisupload.org
Qaredline.org
Qwerfileorg.org
Sigruiqwe.org
Skachfiles.org
Traedenopenres.org
Vades-loadec.org
Valdec-lains.org
Youfileoke.org
Allingspl.com
Superbestfirst.in
Allingtramp.com
Freespacehost.in
Statflus4.com
Webhosthost.in
Leninvgorkax.net
Storereturn.cc
Firstclassresults.cc
Fb-cdn1.com
Installs.tv
Msdefender2011.com
Creativetmx.com
Updatetechno.com
Zverolab.com
Mynewpass.com
Downloadcheapsoft.com
Trafficforalz.net
Z0g7yail0.com
Ebayinvoice.com
Ebayitemhosting.com
Paypal-moneypak-processing.com
Backstab.biz
Cardzone.cc
D-9.cc
Ebayitemhosting.net
Megavendor.biz
Check-crypt.com
Check-domain.cn
Samclubclearance.com
Sams-clearance.com
Samsclubcl.com
Samsclubsales.com
Start-domain.cn
Free-image-uploads.com
Human-nature.org
Imagesshack.net
The-imageshack.com
Gsm-seacher-v10.ru
Blackosogs.com
Riverchick.com
Gabstreamj.com
Ecurrencynews.org
Ancoraimages.com
Mmsbonus.com
Everydayer.com
Celebrition.com
Celebritylabor.com
Getimpressed.com
Goldouncemedia.com
Hollywoodmajestic.com
Lincolnfinserv.com
Mcknightportugal.org
Metacaffe.info
Misteriks.net
Nanosolutionssoft.com
Peksone.net
Peree.ru
Tv-onlines.net
Tv-world-online.net
Vaulttech13.cn
Webarh.com
Vk-base.org
Vksledi.ru
Aniroti.com
Aniroti.net
Pharmpills.net
Mediashares.org
Video-shares.com
Video-shares.net
Videoall.net

Evil network: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

This summary is not available. Please click here to view the post.

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE:  this IP range is now used by a completely different organisation, and malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvia entity hosting in Moldova, closely affiliate with Sagade Ltd who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here), the best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:

Girlongirllibido.info
Homeownersinsuranceratings.com
Testertestfree.org
Vmhostingboxx.org
Dscodec.com
Fastprosearch.com
Ttyur.com
Vlopw.com
Bmlsk.com
Bumzc.com
Fjoty.com
Fruuf.com
Hjoty.com
Nwsplt.com
Palcaug.com
Potyur.com
Uoptyr.com
Uprtx.com
Medicpillsana.com
Medicpillsbba.com
Medicpillsbia.com
Medicpillsbta.com
Medicpillscaa.com
Medicpillscea.com
Medicpillscha.com
Medicpillscia.com
Medicpillscka.com
Medicshopnas.net
Medicshopnds.net
Medicshopnks.net
Medicshopnts.net
Medicshopoes.net
Asemedic.net
Astmedic.net
Encmedic.net
Enmedic.net
Frmedic.net
Hismedic.net
Icmedic.net
Intmedic.net
Krmedic.net
Letmedic.net
Medicci.net
Medicdi.net
Medicfr.net
Medicha.net
Mediclg.net
Medicni.net
Medicnr.net
Medicpo.net
Medicpu.net
Medicri.net
Ajeslovshord.com
Akvodhhead.com
Alsodhesedhoujhd.com
Aniarioli.com
Askpressjame.com
Bejokohafder.com
Blackmodhersdep.com
Bodhlearkfil.com
Busyplakdovk.com
Cutyacttin.com
Deheverbejak.com
Dhadhaveopek.com
Dheyherevhole.com
Dovkbackbord.com
Fallanlot.com
Gavilaugddiri.com
Hadakcourse.com
Hojharedokd.com
Kameuspoukd.com
Losdsodemoss.com
Lovioinwdoli.com
Medpillsna1.com
Medpillsna2.com
Medpillsna3.com
Medpillsna4.com
Medpillsna5.com
Medpillsni1.com
Medpillsni2.com
Medpillsni3.com
Medpillsni4.com
Medpillsni5.com
Minanwaut.com
Offobjecdfamoly.com
Okchfudboy.com
Oslakdexampleas.com
Pajeukdolmaok.com
Posekipbrokj.com
Pukdraokclass.com
Redovksay.com
Resdlaujhmoss.com
Savsdadeschul.com
Sduigancdangi.com
Sliicrymuli.com
Stooddandwi.com
Suchjrikoh.com
Travilfuriwdin.com
Addsecovdtook.com
Aoutdonttdrii.com
Assiafull.com
Commoklakjuajemeak.com
Dalkplakdaor.com
Deachhodkear.com
Dhadledad.com
Dhohdhokjearly.com
Dhokjbroujhdmusd.com
Dojcourseleark.com
Domesdopdhousakd.com
Dopmedic.net
Dovardhohdhoh.com
Efimedic.net
Enemedic.net
Feetdoldakayvst.com
Femedic.net
Hamedic.net
Joldiplosd.com
Kodocedoldappear.com
Launflymost.com
Lederbojdhad.com
Letdourwere.com
Lodledellmek.com
Medshopcu1.com
Medshopcu2.com
Medshopcu3.com
Medshopcu4.com
Medshopcu5.com
Medshopde1.com
Medshopde2.com
Medshopde3.com
Medshopde4.com
Medshopde5.com
Muchplakdokly.com
Okcevhekvadch.com
Oldbesdjrik.com
Passourdu.com
Pocdurejudcold.com
Rockdomeacd.com
Rockroundsung.com
Sicondkniwgo.com
Slovkevvell.com
Soldmarkacte.com
Strovkuproad.com
Ukmedicineel.com
Ukmedicineho.com
Ukmedicineit.com
Vadchdeachmokd.com
Vekdhadjrov.com
Vhadreachmusoc.com
Vholevucemay.com
Vokdercarryjod.com
Vordeachsdud.com
Ydeamavturv.com
Advsecsmart.com
Digitall-soft.com
Extrafullprotection.com
Mypc-repair.com
Payforsec.com
Secsmartsuper.com
Smartsecadv.com
Smartsecsuper.com
Smartsecurityadvisor.com
Smartsupersecurity.com
Stable-soft.com
Supersecadvizor.com
Supersecurepay.com
Supersmartantivirus.com
Supersmartsec.com
Bbnhs.com
Bumzec.com
Ddleb.com
Drutp.com
Gasdda.com
Gradtz.com
Hewraq.com
Hgptd.com
Htresq.com
Krclear.com
Nadwq.com
Nmkop.com
Utrvc.com
Vbnrte.info
Kobqq.com
Jgtee.com
Jyiop.com
Mptim.com
Nhytx.com
Ptyre.com
Woptr.com
Yopte.com
Ypuii.com
Checkingassociateeditor.com
Bestcheckingconnect.com
Checking-associate-editor.com
Checking-associate.com
Checkingassociatemembership.com
Checkingconnectdata.com
Checkingconnectnow.com
Checkingconnectshop.com
Cogus.net
Gromz.net
Mochos.net
Zorter.net
Movies-celeb.info
Onlymoviesporn.info
Porn-video-4u.info
Pornyardmovies.info
Videostreamporn.info
Moviesfreestar.info
Nanocloudcontroller.com
Iliked.org
Yougoodvideo.net
Shloesandrooneys.com
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Dsfungssdfg.com
Sbgfdfsggf.com
Sportstickets.tv
Sufdngsg.com
Missing-codecs.com
Missing-codecs.net
Missing-codecs.org
Vidscentral.net
Consp.net
Thestability.com
Traffcity.com
Polytech-electronics.net
Blackmaven.in
Blueace.in
Whiteace.in
Whiteoso.in
Whitewizard.in
Globalcloudbackup.com