
Monday 21 March 2011

Evil network: Intermedia Top SRL / INTERMEDIA-TOP AS49873 (95.64.8.0/24)

Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.

Update 2/4/11: you should also block 95.64.9.0/24, which is allocated to the same people.

AS49873 is flagged as hosting Zeus C&C servers and has a pretty bad reputation at SiteVet, which shows that badness shot up at the beginning of March.

Google says:

Safe Browsing
Diagnostic page for AS49873 (TELECOMPO)

What happened when Google visited sites hosted on this network?

    Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.

Contact details for the block are:

inetnum:        95.64.8.0 - 95.64.8.255
netname:        INTERMEDIA-TOP
descr:          INTERMEDIA TOP SRL
descr:          BDUL. 1 DECEMBRIE 1918 nr. 105
descr:          Alba Iulia, Jud. Alba
country:        RO
admin-c:        AP13061-RIPE
tech-c:         AP13061-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     MNT-TELECOMPO
mnt-domains:    MNT-TELECOMPO
source:         RIPE # Filtered

person:         Adrian Popa
remarks:        INTERMEDIA TOP SRL
address:        BDUL. 1 DECEMBRIE 1918 nr. 105
address:        Alba Iulia, Jud. Alba
phone:          +40214302223
abuse-mailbox:  imintermediatop90@gmail.com
mnt-by:         NETSERV-MNT
nic-hdl:        AP13061-RIPE
source:         RIPE # Filtered

route:          95.64.8.0/24
descr:          INTERMEDIA TOP SRL
origin:         AS49873
mnt-by:         MNT-TELECOMPO
source:         RIPE # Filtered


Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.

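Alongside blocking, it is worth checking existing logs for hosts that have already talked to these ranges. The following is an added example, not part of the original post: it matches addresses in log lines against 95.64.8.0/24 and 95.64.9.0/24 using real CIDR membership rather than string prefixes. The log layout and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# The two /24s named in the post. They are adjacent and aligned, so they
# collapse into a single 95.64.8.0/23 covering exactly the same addresses.
BLOCKED = list(ipaddress.collapse_addresses([
    ipaddress.ip_network("95.64.8.0/24"),
    ipaddress.ip_network("95.64.9.0/24"),
]))

# Dotted quads not glued to other digits or dots, so "195.64.8.17" is read
# as one address and never as an embedded "95.64.8.17".
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines in an assumed "timestamp src -> dst:port action" layout.
SAMPLE_LOG = """\
2011-03-21T09:14:02 10.1.4.22 -> 95.64.8.17:80 ALLOW
2011-03-21T09:14:05 10.1.4.22 -> 192.0.2.10:443 ALLOW
2011-03-21T09:15:41 10.1.7.9 -> 95.64.9.200:80 ALLOW
2011-03-21T09:16:00 10.1.7.9 -> 95.64.10.1:80 ALLOW
2011-03-21T09:16:30 10.1.2.3 -> 195.64.8.17:80 ALLOW
2011-03-21T09:17:12 10.1.2.3 -> 95.64.8.999:80 ALLOW
"""

def in_blocked_range(text):
    """True if text is a valid IPv4 address inside one of the blocked ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # e.g. 95.64.8.999 looks like an IP but is not one
    return any(addr in net for net in BLOCKED)

def find_hits(log_text):
    """Return (line number, address) for every address in a blocked range."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for candidate in IPV4_RE.findall(line):
            if in_blocked_range(candidate):
                hits.append((lineno, candidate))
    return hits

if __name__ == "__main__":
    for lineno, ip in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: traffic to blocked range ({ip})")
```

A plain text search for `95.64.8.` would also flag the 195.64.8.17 line and the malformed 95.64.8.999 entry, which is why the check parses each address before testing membership.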
