An informal anti-virus comparison

I use VirusTotal quite a lot for looking at malware and determining how difficult it is to determine, and over time I've built up a fair amount of data on what performs well with the sort of malware that I throw at it.

This isn't a particularly scientific test, the malware I scan has a strong tendency to arrive by email rather than a being a drive-by download and the product settings in VirusTotal may not match typical settings when deployed.

The small print: Data is taken from the past six months and only products that have been active on VirusTotal for that whole time period are included. The scans are those that I took at the time, and they don't take into account that products would be updatesd probably catch them later (once they have infected your system). It also doesn't take into account that other components would be downloaded, some of which would subsequently be detected (again, once they have infected your system).Your mileage may vary. Other anti-virus comparisons are available.

So, which was best in this test? The full details are below, but the product that was clearly the best with detecting nastiness was Kaspersky with a very impressive 73% of samples detected. McAfee (58%), Malwarebytes (53%) and Emsisoft (50%) were the other products that detected half or more of the 62 samples.

The hall of shame is pretty shocking. ClamAV, ViRobot and Antiy-AVL detected no samples at all. TotalDefense and TheHacker detected just one sample (1.6%). Fifteen products detected 10% or less.

The Kaspersky result was surprisingly good, but McAfee's showing indicates that this product has improved a lot over recent years, leaving arch-rivals Symantec lagging with 58% detected compared to 34%. SUPERAntiSpyware has a surprisingly low detection rate of 3.2%, considering that this is a product I often use for difficult task. F-Secure, Sophos, Trend and Norman all had disappointing results. But the results for TotalDefense were shocking as this product is widely used within corporate customers, and is the endpoint security business spun out of CA.. for a paid product it seems to be essentially worthless.

The chart below shows the staggering difference in detection rates between the best and worst vendors.

Or if you prefer a table..

 

Product	Detection rate	Type
Kaspersky	72.58%	Paid
McAfee	58.06%	Paid
Malwarebytes	53.23%	Free / Paid
Emsisoft	50.00%	Free / Paid
ESET-NOD32	48.39%	Paid
McAfee-GW-Edition	48.39%	Corporate
DrWeb	43.55%	Paid
Fortinet	41.94%	Corporate
Commtouch	38.71%	Corporate
Sophos	38.71%	Corporate
Comodo	37.10%	Free / Paid
Symantec	33.87%	Paid
AntiVir (Avira)	32.26%	Free / Paid
BitDefender	32.26%	Paid
GData	32.26%	Paid
F-Prot	29.03%	Paid
AhnLab-V3	27.42%	Paid
Ikarus	27.42%	Paid
F-Secure	25.81%	Paid
MicroWorld-eScan	24.19%	Free / Paid
TrendMicro-HouseCall	24.19%	Free
Norman	19.35%	Paid
VIPRE	19.35%	Paid
AVG	17.74%	Free /Paid
Microsoft	14.52%	Free
Avast	12.90%	Free / Paid
Kingsoft	11.29%	Free
Panda	11.29%	Paid
TrendMicro	11.29%	Paid
ByteHero	9.68%	Corporate
CAT-QuickHeal	6.45%	Paid
PCTools	6.45%	Paid
VBA32	6.45%	Paid
K7AntiVirus	4.84%	Paid
Agnitum	3.23%	Paid
Jiangmin	3.23%	Paid
NANO-Antivirus	3.23%	Free
nProtect	3.23%	Corporate
SUPERAntiSpyware	3.23%	Free / Paid
TheHacker	1.61%	Paid
TotalDefense	1.61%	Paid
Antiy-AVL	0.00%	Corporate
ClamAV	0.00%	Free
ViRobot	0.00%	Paid

In my opinion, your anti-virus product should always be the very last line of defence. But that last line should at least be effective and it may well be time to switch if your vendor is sitting near the bottom of this list.

Fake Well Fargo spam comes with a malicious attachment / lasub-hasta.com

This fake Wells Fargo spam is a retread of this one, but comes with a slightly different attachment:

Date:      Mon, 7 Oct 2013 19:56:29 +0100 [10/07/13 14:56:29 EDT]
From:      "Harry_Buck@wellsfargo.com" [Harry_Buck@wellsfargo.com]
Subject:      Documents - WellsFargo

Please review attached files.

Harry_Buck
Wells Fargo Advisors
817-487-2882 office
817-683-6287 cell Harry_Buck@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you. 

Attached is a ZIP file containing a malicious EXE file. The VirusTotal detection rate is a fairly healthy 27/48. Automated analysis [1] [2] [3] shows that the malware tries to phones home to lasub-hasta.com  on 205.251.152.178 (Global Net Access, US). A quick look at that server shows that it has several hundred sites on, most of which are probably legitimate.. but there is a great deal of suspect activity on this server which you might want to take into account if you are thinking of blocking this IP.

Fake Dropbox spam leads to malware on adelect.com

This fake Dropbox spam leads to malware:

Date:      Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password

Hi [redacted].

We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Reset Password

Thanks!
- The Dropbox Team

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:

[donotclick]12.158.190.75/molls/smudgier.js
[donotclick]freetraffic2yourweb.com/palermo/uneconomic.js
[donotclick]www.bathroomchoice.com/huntsmen/bestsellers.js

From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server listed below in italics.

Recommended blocklist:
66.150.155.210
wrightleasing.com
renewalbyandersendayton.com
adelect.com
12.158.190.75
freetraffic2yourweb.com
www.bathroomchoice.com

Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

 Amazon.com        
Kindle Store
     |  Your Account  |  Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013

Your shipping speed:
Next Day Air
Your Orders    

Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
    Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
    Facebook     Twitter     Pinterest
    $1,397.99
Item Subtotal:     $1,397.99
Shipping & Handling:     $0.00

Total Before Tax:     $1,397.99
Estimated Tax:     $0.00

Order Total:     $1,397.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.
Amazon.com
DVD
   
Books

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message. 

How the email address was extracted from Comparethemarket.com is not known.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:

[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js


This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.

Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de

Fake Staples spam leads to malware on tootle.us

This fake Staples spam leads to malware on a site called tootle.us:

Date:      Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From:      support@orders.staples.com
Subject:      Staples order #: 1353083565
           

Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
   
Customer No.:1278823232     Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135    
           
    Item1     Qty.     Subtotal
    DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS     2     $125.26
    Item2     Qty.     Subtotal
    DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS     2     $124.03
       
Subtotal::     $243.59    
Delivery:     FREE    
Tax:     $17.66    
Total:     $250.35    

    Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.
    Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print ourDriver Release. Some residential orders may be delivered by UPS as late as 7 pm.
    Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us atsupport@orders.staples.com. You can also fax us at 1-800-333-3199.
    See our return policy.
    Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.
    Thanks for shopping Staples.

[snip]

The link in the email goes to a legimate (but hacked site) and then attempt to load one of the following three scripts:
[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js


From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another hijacked GoDaddy domain (there are some more on this server, listed below in italics).


Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com
algmediation.org
apptechgroups.net
ctwebdesignshop.com

Fake NACHA spam leads to malware on thewalletslip.com

This fake NACHA spam leads to malware on thewalletslip.com:

Date:      Tue, 1 Oct 2013 15:05:56 +0330 [07:35:56 EDT]
From:      ACH Network [markdownfyye396@nacha.org]
Subject:      Your ACH transfer


The ACH processing (ID: 428858072307), recently was made from your bank account (by you or any other person), was rejected by the other financial institution.

Aborted transfer
ACH transfer ID:     428858072307
Reason of Cancellation     Notice information in the report below
Transaction Report     View Report 428858072307

About NACHA

Established in 1974, NACHA - The Electronic Payments Association was formed by the California ACH Association, the Georgia Association, the New England ACH Association, and the Upper Midwest ACH Association, to establish uniform operating rules for the exchange of Automated Clearing House (ACH) payments among ACH associations.

To help guide advocacy and related communication activities, NACHA established a Communications and Marketing Advisory Group (CMAG) in early 2010. CMAG brings together practitioners representing ACH Network participants to engage in work efforts to benefit the Network and those who utilize it.

NACHA and its member Regional Payments Associations help industry professionals expand their payments knowledge to further their professional development and benefit their employers. Offerings include in-person, desk-top, and distance learning courses, publications, and the Accredited ACH Professional (AAP) Program. Payments education offered by NACHA at the national level augments the rich offering of educational programs provided by the Regional Payments Associations throughout the country.

18580 Seaside Vale Drive, Suite 235
Herndon, VA 20171

© 2013 NACHA - The Electronic Payments Association

The link in the email goes through a legitimate hacked site and then runs one of three scripts:
[donotclick]theodoxos.gr/hairstyles/defiling.js
[donotclick]web29.webbox11.server-home.org/volleyballs/cloture.js
[donotclick]www.knopflos-combo.de/subdued/opposition.js

Then the victim is directed to a malware landing page at [donotclick]thewalletslip.com/topic/latest-blog-news.php and if you follow this blog regularly then you will not be at all surprised to find that it has been hijacked from GoDaddy (others listed in italics below). It is hosted on 75.98.172.238 (A2 Hosting, US) which is the same server spotted yesterday.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
poople.us
printslip.com
sellmention.com
smartstartfinancial.com
thewalletslip.com
tootle.us
theodoxos.gr
web29.webbox11.server-home.org
www.knopflos-combo.de

Wells Fargo "Important Documents" spam with a malicious ZIP file

This fake Wells Fargo spam comes with a malicious attachment:

Date:      Mon, 30 Sep 2013 11:54:15 -0600 [13:54:15 EDT]
From:      Bryon Faulkner [Bryon.Faulkner@wellsfargo.com]
Subject:      Important Documents


Please review attached documents.

Bryon Faulkner
Wells Fargo Advisors
817-527-6769 office
817-380-3921 cell Bryon.Faulkner@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.  

The attached document is starts with "Documents_" and then has the first part of the recipient's email address as part of the filename. Or that's the way it is meant to work because in practice it will probably be a different recipient in the same domain. Inside is an executable file with the date encoded into the filename (in this case Documents_09302013.exe).

The executable file is (obviously) malware, and has a VirusTotal detection rate of just 3/48. Automated analysis [1] [2] [3] shows an attempted connection to the site demandtosupply.com on 84.22.177.37 (ioMart, UK) which is a server spotted in a similar attack a few weeks ago.

Unfortunately, where more than one domain on a server is compromised then it looks like the bad guys have complete control of the server and can do what they like. There are a number of legitimate sites (including one IT security company) on this box (listed below), so exercise caution if deciding to block them.

Recommended blocklist:
84.22.177.37
demandtosupply.com
ce-cloud.com

Sites hosted on 84.22.177.37, for information only:
agoraclinic.co.uk
agoraclinic.com
agorafertility.co.uk
agorafertility.com
assetprotector.co.uk
avicamhomes.co.uk
avicamhomes.com
axiom-ltd.com
batchy.net
bebesta.com
bebesta.org
brighton-cloud.com
cavdb.co.uk
cav-it.com
ce-cloud.com
chriscatering.co.uk
computer-eyez.co.uk
computereyez.com
computer-eyez.com
crewcutdiamond.co.uk
demandtosupply.com
eurovehiclecontracts.co.uk
eyezhosting.net
eyezonline.net
gatwicksaab.co.uk
guardyourmail.co.uk
guardyourmail.com
guidetoveganliving.org.uk
hmbookkeeping.co.uk
i-filter.co.uk
igloosecurity.com
infacom.co.uk
is-it-ok.co.uk
is-it-ok.com
lanoguard.co.uk
mwfencing.co.uk
newhavenplumbingservices.co.uk
oddsquad.co.uk
pentruder.co.uk
planetdiamonduk.com
plugtugs.co.uk
plug-tugs.co.uk
plugtugs.com
plug-tugs.com
prestige-products.co.uk
producepackdeliver.com
questsolutions.co.uk
renewtech.co.uk
rippletech.co.uk
rockeyracing.com
rye4ukbreaks.co.uk
saab-city.co.uk
saab-kent.co.uk
saab-london.co.uk
saab-surrey.co.uk
shorelineaccountants.co.uk
smickersgang.com
southerntesting.co.uk
stconsult.co.uk
stepaheadnlp.co.uk
stepaheadnlp.com
stlc.co.uk
sussexcloud.com
sussex-cloud.com
taskercatchpole.com
thevintagehaven.co.uk
turnershillgarage.com
turnershillsaab.com
uk3.eyezonline.net
worldveganday.com
worldveganmonth.net
young-lee.co.uk

IRS "Invalid File Email Reminder" spam / oooole.org

This fake IRS spam leads to malware on oooole.org:

Date:      Mon, 30 Sep 2013 03:44:12 -0800 [07:44:12 EDT]
From:      "Fire@irs.gov" [burbleoe9@irs.org]
Subject:      Invalid File Email Reminder

9/30/2013

Valued Transmitter,

We few weeks agoreceived your electronic file(s) of information returns; but, the file(s) contained errors. As of the date of this email, we have not received a good replacement file. If we do not receive the replacement file within the allowed time from your transmission, late filing payoff may be applied. For further clarification on sending a timely filed replacement, please see Publication 1220, Part B, Section 7.03. The following is a list of your incorrect file(s) that need to be replaced:

Filename    # of Times
Email Has
Been Sent    Tax
Year
ORIG.62U55.2845    2    2012


If you did not know your file contained invalid data, the results are posted on the FIRE (Filing Information Returns Electronically) System within two business days of your transmission. It is your onus to check your filing results. To view your file results open the page: Check File Status.

If you have sent an acceptable file that you think replaces the above file(s) or if you are uncertain how to resolve the errors in your file(s), please contact the IRS/Information Returns Branch: Please fill in the contact form; 

The link in the email goes through a legitimate hacked site and then redirects through one of the following three scripts:
[donotclick]savingourdogs.com/boneheads/meditatively.js
[donotclick]solaropti.manclinux3.ukdns.biz/resonators/sunbonnet.js
[donotclick]polamedia.se/augusts/fraudulence.js

The next step is a malware landing page on a hijacked GoDaddy domain at [donotclick]oooole.org/topic/latest-blog-news.php hosted on 75.98.172.238 (A2 Hosting, US) along with several other hijacked domains listed in italics below.

Recommended blocklist:
75.98.172.238
herbrim.com
illusioninfusion.com
inspireddesignsbykathy.com
joojle.org
meettherims.com
noonle.org
oooole.org
savingourdogs.com
solaropti.manclinux3.ukdns.biz
polamedia.se

Facebook "You have new notifications" spam / directgrid.org

This fake Facebook spam leads to malware on directgrid.org:

Date:      Fri, 27 Sep 2013 16:22:58 +0300 [09:22:58 EDT]
From:      Facebook [notification+W85BNFWX@facebookmail.com]
Subject:      You have 21 friend suggestions, 11 friend requests and 14 photo tags

facebook
You have new notifications.
A lot has happened on Facebook since you last logged in. Here are some notifications
you've missed from your friends.
3 messages

11 friend requests

21 friend suggestions

14 photo tags

View Notifications

Go to Facebook

This message was sent to [redacted]. If you don't want to receive these emails
from Facebook in the future, please unsubscribe.Facebook, Inc., Attention: Department
415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes through a legitimate (but hacked) site and then loads one of the following three scripts:
[donotclick]3dbrandscapes.com/starker/manipulator.js
[donotclick]dtwassociates.com/marry/sullies.js
[donotclick]repairtouch.co.za/lollypops/aquariuses.js

This leads to a malware landing page hosted on a hijacked GoDaddy domain at [donotclick]directgrid.org/topic/lairtg-nilles-slliks.php hosted on 50.116.10.71 (Linode, US) where there are a number of other hijacked domains (listed below in italics)

Recommended blocklist:
50.116.10.71
directgrid.biz
directgrid.com
directgrid.info
directgrid.net
directgrid.org
directgrid.us
gilkjones.com
integra-inspection.ca
taxipunjab.com
taxisamritsar.com
watttrack.com
3dbrandscapes.com
dtwassociates.com
repairtouch.co.za

Something evil on 91.231.98.149 and boats.net

This injection attack [urlquery] on boats.net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards.biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards.biz/_cp/crone/ which cannot be anything good.

What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar, who also removed the Privacy Protection giving the following WHOIS details:

Registrant ID:             DI_29743100
Registrant Name:           Deni Kember
Registrant Organization:   N/A
Registrant Address1:       350 W 42nd St #37D
Registrant City:           New York
Registrant State/Province: NY
Registrant Postal Code:    10036
Registrant Country:        United States
Registrant Country Code:   US
Registrant Phone Number:   +1.6337362122
Registrant Email:          deni_kember658@ghanamail.com

I suspect that these details are fake. The address given is this rather nice $2.1 million apartment in New York, which I suspect has been chosen at random.

I can identify some other (almost definitely malicious) domains that are either on the same server or have been there recently:
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com

The IP address is allocted as follows:

inetnum:        91.231.98.0 - 91.231.98.255
netname:        NEOHOST
descr:          FOP ILIUSHENKO VOLODYMYR OLEXANDROVUCH
descr:          Neohost.net
country:        UA
org:            ORG-FIVO1-RIPE
admin-c:        IV1015-RIPE
tech-c:         IV1015-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         NEOHOST-MNT
mnt-routes:     NEOHOST-MNT
mnt-domains:    NEOHOST-MNT
source:         RIPE # Filtered

organisation:   ORG-FIVO1-RIPE
org-name:       Neohost.net
org-type:       other
address:        Ukraine, Kyiv, 03039, Nauki
admin-c:        IV1015-RIPE
mnt-ref:        NEOHOST-MNT
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered

person:         ILIUSHENKO VOLODYMYR
address:        Ukraine, Kyiv, 03039
phone:          +38 (044) 599-79-85
nic-hdl:        IV1015-RIPE
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered

route:          91.231.98.0/24
descr:          Neohost.net
origin:         AS57311
mnt-by:         NEOHOST-MNT
source:         RIPE # Filtered

The name "ILIUSHENKO VOLODYMYR OLEXANDROVUCH" is a weird translation of a name we would more commonly call Vladimir Iliushenko who is the administrator of Neohost. A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukranian sites that look legitimate. Google's prognosis of AS57311 isn't too bad.

I don't know what the payload is, but the IP address was also used in this recent malware attack. The IP and domains are definitely malicious, and I would recommend the following blocklist:

91.231.98.149
eschewsramping.biz
gamelikeboards.biz
sixteenups.biz
sorelyzipmagics.biz
technicaltutoring.biz
zarazagorakakaxx1.org
zarazagorakakaxx2.com

Added: it looks like this site has been compromised before [1] [2] [3]

Intuit spam / Invoice_3056472.zip

It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possible go wrong? Oh..

Date:      Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From:      Lewis Muller [Lewis.Muller@intuit.com]
Subject:      FW: Invoice 3056472

Your invoice is attached.

Sincerely,
Lewis Muller

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer. 

The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48.

Automated analysis [1] [2] [3] [4] shows the usual sort of badness, including a call home to gidleybuilders.com on 78.157.201.219  (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week. Two compromised domains in a week seems a bit more than a coincidence. For information only, the following legitimate domains are also on that same server:

allcool.co.uk
ashmanufacturing.co.uk
ashmanufacturing.com
ashmanufacturing.net
ashmanufacturing.org
awcoomer.com
beingwell.me
bhmlondon.com
bigtinbox.com
buckmastergames.co.uk
buffey.co.uk
colemansfarm.co.uk
connect4commercial.com
connect4recruitment.com
flestates.co.uk
geocom.co.uk
gidleybuilders.com
graysaccountant.com
intoirelandtravel.com
matthewtomich.com
onlinestoregroup.com
paddlers.co.uk
pedalads.co.uk
pedalads.net
photoaweek.com
pickout.co.uk
richardgidley.com
smudgeinc.co.uk
sofmagazine.com
swim24.com
wakeham.co.uk
wakehamgroup.com
wakehamphotographic.com
westside-village.com