Sponsored by..

Showing posts with label Simply Transit. Show all posts
Showing posts with label Simply Transit. Show all posts

Wednesday 2 April 2014

Something evil on 213.229.69.41

This tweet by Malmouse got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness.

First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way. Ones currently regarded as malicious by Google are highlighted.

cdnjscript.com
cssjscript.com
cssjscript.com
dolinkjs.com
domainjscript.com
getjslink.com
gfthost.com
gotojscript.com
hrefjscript.com
jscriptcdn.com
jscriptcss.com
jscriptin.com
jscriptmod.com
jscriptnow.com
jscriptstyle.com
js-href.com
js-link.com
linkinscript.com
linkjscript.com
metajscript.com
modjscript.com
namejscript.com
regjscript.com
scriptaccept.com
scriptdo.com
scripthttp.com
scriptshttp.com
stylejscript.com
timejscript.com
webjavascript.com
webjslink.com
webjsname.com

VirusTotal gives a good overview of the badness on this IP.


All these domains appear to be recently registered with the exception of gfthost.com which has ns1.gfthost.com and ns2.gfthost.com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection. The WHOIS details for that are:

Registrant Name: Nikolay Legkov
Registrant Organization: -
Registrant Street: Nevsky 23-7
Registrant City: Saint-Petersburg
Registrant State/Province: Saint-Petersburg
Registrant Postal Code: 197008
Registrant Country: ru
Registrant Phone: +79052789848
Registrant Phone Ext:
Registrant Fax: +79052789848
Registrant Fax Ext:
Registrant Email: admin@gfthost.com


Of course it is trivially easy to fake WHOIS details, so I cannot guarantee that this is really the person behind the malware domains.

Anyway, I recommend that you block 213.229.69.41 (Simply Transit, UK) and/or the domains listed above.

Friday 15 November 2013

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

5.175.173.219 (GHOSTnet, Germany)
5.231.66.192 (GHOSTnet, Germany)
23.90.28.12 (ServerHub Dallas, US)
46.4.47.20 (Hetzner, Germany)
46.4.47.21 (Hetzner, Germany)
46.4.47.22 (Hetzner, Germany)
88.198.57.178 (Hetzner, Germany)
88.200.98.137 (Studentski domovi v Ljubljani, Slovenia)
91.186.19.48 (Simply Transit, UK)
92.48.122.132 (Simply Transit, UK)
108.170.54.251 (eWebGuru, India / Secured Servers, US)
109.200.4.114 (Redstation, UK)
109.123.127.228 (UK2, UK)
141.8.225.5 (Rook Media, Switzerland)
151.236.49.136 (Simply Transit, UK)
153.153.19.23 (Open Computer Network, Japan)
181.41.193.168 (Host1plus Brazil, Chile)
184.22.246.31 (Network Operations Center, US)
184.82.62.95 (Network Operations Center, US)
188.227.161.26 (Redstation, UK)
198.52.243.229 (Centarra Networks, US)
199.68.199.178 (Lightwave Networking, US)
213.229.90.199 (Simply Transit, UK)

The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):

1.165.101.158 (Chunghwa Telecom, Taiwan)
6.79.15.154 (USAISC, US)
31.83.89.143 (Orange PCS, UK)
62.75.232.182 (Eurostream, Lithunia / Intergenia AG, Germany)
78.188.5.201 (Turk Telekom, Turkey)
85.25.152.130 (Intergenia AG, Germany)
87.98.136.239 (OVH, France)
91.121.199.45 (OVH, France)
95.143.32.212 (Inline Internet, Germany)
188.138.10.29 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.10.30 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.78.229 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.232 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.248 (Stepan Alexander Mereuta, Moldova / Intergenia AG, Germany)
196.44.161.31 (Dar Es Salaam University, Tanzania)
198.52.240.8 (Avante Hosting Services, Canada)
217.172.187.9 (Intergenia AG, Germany)

These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su


Recommend IP blocklist (nameservers are in italics):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199

1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9

Tuesday 18 June 2013

Something phishy on 92.48.75.214

A couple of phishing sites 92.48.75.214 (Simply Transit, UK):

linkedlne.com - LinkedIn / Webmail Phish

This laughable fake LinkedIn login page is trying to harvest webmail addresses, being sent out via a spam message and leading to a link at [donotclick]www.linkedlne.com/login/user/:

From:     Linkedln Support [Support@supportlinkedln.com]
Date:     18 June 2013 06:53
Subject:     You need to confirm your email address.

LinkedIn

We write to inform you that your LinkedIn account has been blocked due to inactivity.

To ensure that your online services with LinkedIn will no longer be interrupted

Click here to unblock your account.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at LinkedIn. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using LinkedIn!

--The LinkedIn Team
http://www.linkedin.com/

Learn why we included this. © 2013, LinkedIn Corporation. 2029 Stierlin 
Really this is just phishing for webmail addresses and passwords rather than LinkedIn credentials:



suncoaslfcn.org - Suncoast Schools Federal Credit Union phish

Hosted on the same server is an attempted phish for something called the "Suncoast Schools Federal Credit Union" which has an actual website at suncoastfcu.org rather than suncoaslfcn.org. The phish page is at [donotclick]sunnet.suncoaslfcn.org/SignIn/ but the phishers have left a full copy of the phishing kit which is available at [donotclick]sunnet.suncoaslfcn.org (more of which in a moment)

There's also an attempted Co-op bank phish which has been reported at [donotclick]co-operativebank.co.uk.suncoaslfcn.org/login/online-access/login.php.

There are two email addresses than can be phone in the phishing site themselves (for research purposes you can download a copy here, password is "phish"). The file verification_data.php reveals two email addresses, jsrh444@188.com and davenport1001@hotmail.com.

A quick bit of Googling around links jsrh444@188.com to the following phishing domains:
cheapflightsreserv.com
mypennystocksprofile.net
pennystocksprofile.net
sunloancom.net

A similar bit of Googling around links the other email address to the following domains:
aicuaee.com
sutherlandhostings.com
rredbulls.info
theclearfund.net

Thursday 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.


Detected IP Recommended block Owner
5.9.191.179 5.9.191.160/26 (CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91 5.45.183.91 (Bradler & Krantz, Germany)
5.135.67.215 5.135.67.208/28 (MMuskatov-IE / OVH, France)
5.135.67.217

23.19.87.38 23.19.87.32/29 (Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83 37.230.112.0/23 (TheFirst-RU, Russia)
46.4.179.127 46.4.179.64/26 (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129

46.4.179.130

46.4.179.135

46.37.165.71 46.37.165.71 (BurstNET, UK)
46.37.165.104 46.37.165.104 (BurstNET, UK)
46.105.162.112 46.105.162.112/26 (Shah Sidharth, US / OVH, France)
62.109.24.144 62.109.24.0/22 (TheFirst-RU, Russia)
62.109.26.62

62.109.27.27

80.67.3.124 80.67.3.124 (Portlane Networks, Sweden)
80.78.245.100 80.78.245.0/24 (Agava JSC, Russia)
91.220.131.175 91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.220.131.178

91.220.163.24 91.220.163.0/24 (Olevan plus, Ukraine)
94.250.248.225 94.250.248.0/23 (TheFirst-RU, Russia)
108.170.4.46 108.170.4.46 (Secured Servers, US)
109.235.50.213 109.235.50.213 (xenEurope, Netherlands)
146.185.255.97 146.185.255.0/24 (Petersburg Internet Network, Russia)
146.185.255.207

149.154.64.161 149.154.64.0/23 (TheFirst-RU, Russia)
149.154.65.56

149.154.68.145 149.154.68.0/23 (TheFirst-RU, Russia)
173.208.164.38 173.208.164.38 (Wholesale Internet, US)
173.234.239.168 173.234.239.160/27 (End of Reality LLC, US / Nobis, US)
176.31.191.138 176.31.191.138 (OVH, France)
176.31.216.137 176.31.216.137 (OVH, France)
184.82.27.12 184.82.27.12 (Prime Directive LLC, US)
188.93.211.57 188.93.210.0/23 (Logol.ru, Russia)
188.120.238.230 188.120.224.0/20 (TheFirst-RU, Russia)
188.120.239.132

188.165.95.112 188.165.95.112/28 (Shah Sidharth, US / OVH France)
188.225.33.62 188.225.33.0/24 (Transit Telecom, Russia)
188.225.33.117

192.210.223.101 192.210.223.101 (VPS Ace, US / ColoCrossing, US)
193.106.28.242 193.106.28.242 (Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144 193.169.52.0/23 (Promobit, Russia)
195.3.145.99 195.3.145.99 (RN Data, Latvia)
195.3.147.150 195.3.147.150 (RN Data, Latvia)
198.23.250.142 198.23.250.142 (LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174 198.46.157.174 (Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151 205.234.204.151 (HostForWeb, US)
205.234.204.190 205.234.204.190 (HostForWeb, US)
205.234.253.218 205.234.253.218 (HostForWeb, US)
213.229.69.40 213.229.69.40 (Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

Monday 4 February 2013

StumbleUpon spam / drugstorepillstablets.ru

This fake StumbleUpon spam is something new, it leads to a fake pharma site on drugstorepillstablets.ru:

Date:      Mon, 4 Feb 2013 01:01:46 -0600 (CST)
From:      StumbleUpon [no-reply@stumblemail.com]
Subject:      Update: Changes to Your Email Settings

   

Hi [redacted],

This is a quick note to let you know about some changes we've made to the email settings in your StumbleUpon account. We've created a bunch of new notification options that allow you to have more control over what types of emails you'll receive from us. These new notification options are not compatible with the old settings, so your settings have been reset. We apologize for any inconvenience, and want to make sure we only send you the emails you want to receive.

Now what? Please click here to head over to your email settings and update your preferences, so we know exactly what emails you'd like to receive from StumbleUpon.

Want to receive all notifications about shares from friends, recommended Stumbles, and more? Great, you don't have to do anything at all!

Thanks for Stumbling,

The StumbleUpon Team

P.S. Haven't signed in for a while and can't remember your password? You can reset it here by entering the email address used in this email.
   
   

Please don't reply to this message - for all questions, check out our Help Center. To visit your email settings, please click here.

StumbleUpon | 301 Brannan Street, 6th Floor, San Francisco, CA 94107
There's no surprise to see that the IP address of the spamvertised site is 92.48.119.139 (Simply Transit, UK) along with the following other possibly spammy sites:

ariseharsh.info
biah.ru
birthmed.com
carepillshealthcare.com
climbedwelness.com
drugripdrugshealth.ru
drugstorepharmacycenterline.com
drugstorepillstablets.ru
dvicemedicalrx.net
fatdietrx.com
genericsperrigo.com
goaddscan.com
gokeyscan.com
gorayscan.com
healthviagracare.com
healthwiblackwell.com
herbalwelgarcinia.net
ipadiet.net
ladenlismeds.com
lxie.ru
mail.carepillshealthcare.com
mediamoviestar.com
medicalwelhealthcare.com
medicaremedsromney.net
medpillsprescription.com
movietestworld.com
mytabhealth.com
ongy.ru
pharmacycialismeningitis.net
physicianslnesshealth.com
pilltabletsfitness.eu
rxdrugstorewalgreens.com
tabletspharmacynutrition.ru
tabletspharmacywellbeing.ru
tabpharmacyhealth.ru
theviagrahealth.com
treatmentsdrugstorepharmacy.ru
vikingsnotdead.com


Monday 28 January 2013

Zbot sites to block 28/1/13

These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can.

There are three parts to the list: IPs with hosting company names, plain IPs for copy-and-pasting and domains identified on these servers.

5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)

5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47

advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com

Friday 23 November 2012

Malware sites to block 23/11/12

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one).  The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)

Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118

Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)

1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Monday 5 November 2012

Fake statistics domains lead to malware

The following fake "statistics" domains lead to malware. All have been registered very recently in the past few days and are used as a redirector to other exploit kits. Perhaps they are actually performing black hat statistical tracking. Blocking them (or the associated IPs) would be wise.

bilingstats.org
bombast-atse.org
bombastatse.org
ceastats.org
colinstats.org
expertstats.org
informazionestatistica.org
melestats.org
nonolite.org
statisticaeconomica.org
statspps.org
superbombastatse.org
topbombastatse.org
ufficiostatistica.org

Hosting IPs:
31.193.133.212 (Simply Transit, UK)
91.186.19.42 (Simply Transit, UK)
95.211.180.143 (Leaseweb, Netherlands)