Many of these sites have wholly ficticious WHOIS entries or are registered through known black hat registrars. Some examples and references are:
A simple Google search bring up lots of matches that indicate malicious activity, for example 91.200.240 and 91.200.242. There are also fake business sites such as Adclickmarket.com which gives WHOIS contact details as:
Ad Click Market Ltd.
AdClickMarket (info@adclickmarket.com)
PO Box 279
Alderley Edge
Cheshire,SK9 7UQ
GB
Tel. +44.2854327
AdClickMarket (info@adclickmarket.com)
PO Box 279
Alderley Edge
Cheshire,SK9 7UQ
GB
Tel. +44.2854327
There is no company in the UK with the name Ad Click Market Ltd according to Companies House.
There is also another group of fake businesses using the "Advertising German Group" name, such as traveleshop.biz (also implicated in malware distribution here):
Advertising German Group (AGG)
Niclas Kappel (niclas.kappel@yahoo.com)
Kurt-Schumacher-Str. 5
Bonn
Nordrhein-Westfalen,D-53110
DE
Tel. +490.2284290
Niclas Kappel (niclas.kappel@yahoo.com)
Kurt-Schumacher-Str. 5
Bonn
Nordrhein-Westfalen,D-53110
DE
Tel. +490.2284290
According to SiteVet, the AS48709 block has been bad ever since it was allocated late last year. The digief.eu domain associated with it is currently suspended, and it isn't clear if the WHOIS details for the netblock are accurate (they are probably not).
inetnum: 91.200.240.0 - 91.200.243.255
netname: DIGIEF-NET
descr: Didjief internation kulinari koncept LLC
address: 112 Kifissias Ave & Sina Str.Marousi
address: Athens, Greece
phone: +30 210 6159812
fax-no: +30 210 6159812
person: Adonis Mozanakis
netname: DIGIEF-NET
descr: Didjief internation kulinari koncept LLC
address: 112 Kifissias Ave & Sina Str.Marousi
address: Athens, Greece
phone: +30 210 6159812
fax-no: +30 210 6159812
person: Adonis Mozanakis
abuse-mailbox: abuse@digief.eu
On the subject of reputation, Google's safe browsing diagnostics for this block are pretty horrible:
Safe Browsing
Diagnostic page for AS48709 (XISOFT)
What happened when Google visited sites hosted on this network?
Of the 114 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, waistor.com/, 91.200.240.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2011-02-05, and the last time suspicious content was found was on 2011-02-05.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 21 site(s) on this network, including, for example, geodemy.com/, waistor.com/, 91.200.240.0/, that appeared to function as intermediaries for the infection of 2096 other site(s) including, for example, marchex.com/, semettreauvert.com/, fcolimpi.ge/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 58 site(s), including, for example, waistor.com/, searchalthough.org/, pushot.com/, that infected 4866 other site(s), including, for example, fcolimpi.ge/, interhosting.kr/, schoenweb.nl/.
This is the full list of sites that I have found in this block (or are associated with it) , or you can download a more complete list with MyWOT ratings from here.
49oo.info
Abouthealth.name
Adclickmarket.com
Adobesoft.net
Adobesoftware.net
Allrequestsallowed.com
Allrequestsallowed.net
Animegarrett.com
Arinstasche.com
Avsk.ws
Bubendotcom.com
Chyoexte.com
Clickabundant.org
Clickcareless.org
Clickclumsy.org
Coffeescorer.com
Disdarred.info
Dontess.com
Easyregcleaner.net
Easysellerguide.net
Findcopper.org
Findcousin.org
Findfight.org
Findwild.org
Flashupdates.net
Gampbel.biz
Gnarenyawr.com
Guglionesi.net
Iaqhuberschewis.com
Juiceamount.com
Jukdoout0.com
Julianoserhio.com
Ltc-center.com
Montanessi.com
Negnsrevers.com
Nemotired.org
Offpaymentbiz.com
Olarkstats.com
Pipisutka.com
Qgceneuknash.com
Rammjyuke.com
Ranmjyuke.com
Result-lookup.info
Rinderwayr.com
Searchaddition.org
Searchadvertisement.org
Searchaffect.org
Searchafrica.org
Searchafter.org
Searchalthough.org
Searcharound.org
Searchcold.org
Searchdefeated.org
Searchfindaggressive.org
Searchjewel.org
Searchquiet.org
Searchrainy.org
Searchraspy.org
Selinect.ru
Superbulkmanager.com
Swltcho0.com
Teameter.net
Traveleshop.biz
Turbochange.com
Turboprotect.com
Vvps.ws
Xylylon.ru
Zoness.biz
1 comment:
It looks as though 91.200.241.49 (which indicates a location in Switzerland) is a current manifestation of the same outfit. See also http://forums.malwarebytes.org/index.php?showtopic=91241
My Malwarebytes is regularly showing output from Firefox to this ISP being blocked.
Would be interested to know if others are having specific problems with 91.200.241.49.
bookcraftjohn
Post a Comment