Thursday, 28 October 2010

Evil network: Alex Gorbunov / GORBY-VPN-NET AS51303 (195.226.197.0/24)

GORBY-VPN-NET (registered to an Alex Gorbunov) is a small but nasty netblock hosting ZeuS C&C servers and Phoenix exploit kit attacks, and it seems to have no legitimate sites at all. There aren't a lot of sites in this range (I see just 24), but there does seem to be quite a lot of malicious activity. I recommend that you block access to 195.226.197.0/24.
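To turn the blocking recommendation into something a defender can check, here is an added example (not code from the post): it scans proxy access-log lines for requests that hit the 195.226.197.0/24 netblock or any of the domains Google's diagnostic page names on this network, including their subdomains. The Squid native log format and the sample lines are assumptions made for the example.

```python
import ipaddress
import re

# Indicators taken from the post: the netblock it recommends blocking and a
# few of the domains Google's diagnostic page names on this network.
BLOCKED_NETS = [ipaddress.ip_network("195.226.197.0/24")]
BLOCKED_DOMAINS = {"semikemi.info", "surogatesm.info", "meinisp.info",
                   "terikmask.info", "qstrokes.info"}


def domain_blocked(host):
    """True if host is a listed domain or any subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels) - 1))


def ip_blocked(ip):
    """True if ip parses as an address inside a listed netblock."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETS)


def url_host(url):
    """Host part of a URL, or the host of a CONNECT host:port target."""
    m = re.match(r"^[a-z]+://([^/:?]+)", url)
    return m.group(1) if m else url.split(":")[0]


def scan_access_log(lines):
    """Return (line_no, reason) for each Squid native-format access log line
    whose URL host or upstream peer IP matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()  # time elapsed client code bytes method url rfc931 peer type
        if len(f) < 9:
            continue
        host, peer_ip = url_host(f[6]), f[8].split("/", 1)[-1]
        if domain_blocked(host):
            hits.append((n, "domain " + host))
        elif ip_blocked(peer_ip) or ip_blocked(host):
            hits.append((n, "netblock " + (peer_ip if ip_blocked(peer_ip) else host)))
    return hits


# Constructed sample log lines (Squid native format); not taken from the post.
SAMPLE_LOG = """\
1288264800.123    210 10.0.0.5 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1288264801.456    180 10.0.0.7 TCP_MISS/200 812 GET http://semikemi.info/in.php - DIRECT/195.226.197.22 text/html
1288264802.789     95 10.0.0.9 TCP_MISS/302 0 GET http://stats.meinisp.info/g.php?id=1 - DIRECT/195.226.197.41 -
1288264803.012    300 10.0.0.5 TCP_MISS/200 40211 CONNECT 195.226.197.30:443 - DIRECT/195.226.197.30 -
1288264804.345     60 10.0.0.7 TCP_MISS/200 1200 GET http://www.vlasti.net/ - DIRECT/203.0.113.5 text/html
""".splitlines()
```

The last sample line is a request to one of the victim sites Google lists and is deliberately not flagged; only the hosting netblock and its domains are indicators here.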

RIPE says:

inetnum:         195.226.197.0 - 195.226.197.255
netname:         GORBY-VPN-NET
descr:           Alexandr Gorbunov
remarks:         MyVPN service
country:         UA
org:             ORG-AG58-RIPE
admin-c:         AG10224-RIPE
tech-c:          AG10224-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          GORBY-MNT
mnt-routes:      GORBY-MNT
mnt-domains:     GORBY-MNT
source:          RIPE # Filtered
organisation:    ORG-AG58-RIPE
org-name:        Alexandr Anatolyevich Gorbunov
remarks:         MyVPN service
org-type:        OTHER
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
admin-c:         AAG76-RIPE
tech-c:          AAG76-RIPE
mnt-ref:         GORBY-MNT
abuse-mailbox:   gorby@land.ru
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
person:          Alex Gorbunov
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
nic-hdl:         AG10224-RIPE
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
% Information related to '195.226.197.0/24AS51303'
route:           195.226.197.0/24
descr:           GORBY-AS Route Object
origin:          AS51303
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
Google says of AS51303:

Safe Browsing
Diagnostic page for AS51303

What happened when Google visited sites hosted on this network?

    Of the 23 site(s) we tested on this network over the past 90 days, none served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-27, and the last time suspicious content was found was on 2010-10-27.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 5 site(s) on this network, including, for example, semikemi.info/, surogatesm.info/, meinisp.info/, that appeared to function as intermediaries for the infection of 16 other site(s) including, for example, vlasti.net/, inmobiliaria-habitat.es/, inoxmarti.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, semikemi.info/, terikmask.info/, qstrokes.info/, that infected 176 other site(s), including, for example, montealea.com/, ideal.es/, crosswordscrucigramas.com/.

You can see a list of domains and MyWOT reputations here [csv].
