Monday 5 December 2011

czredret.ru is getting on my nerves

I don't know what has been going on with spam for the past couple of weeks, but there has been a tidal wave of the same old spam hammering away at filters over and over again. Today, about half are directing traffic to a Blackhole exploit kit on czredret.ru (see an analysis here).

The spam today is about airline tickets, but it could be about anything, including the infamous NACHA spam that we keep seeing.

czredret.ru is hosted on 188.190.99.26 in the Ukraine, a block allocated to:

inetnum:        188.190.96.0 - 188.190.127.255
netname:        INFIUM
descr:          Infium LTD
country:        UA
org:            ORG-INFI1-RIPE
admin-c:        INF20-RIPE
tech-c:         INF20-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         NETASSIST-MNT
mnt-routes:     NETASSIST-MNT
mnt-domains:    NETASSIST-MNT
source:         RIPE #Filtered

organisation:   ORG-INFI1-RIPE
org-name:       Infium Ltd.
org-type:       OTHER
address:        61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref:        INFIUM-MNT
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

person:         Infium Ltd
address:        61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox:  abusemail@infiumhost.com
phone:          +380577632339
phone:          +1425606-33-07
nic-hdl:        INF20-RIPE
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

Google's prognosis of this block (AS197145) isn't brilliant:

Safe Browsing
Diagnostic page for AS197145 (ASINFIUM)


What happened when Google visited sites hosted on this network?

    Of the 536 site(s) we tested on this network over the past 90 days, 14 site(s), including, for example, myegy.com/, ql3a-soft.com/, irkasoft.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-12-05, and the last time suspicious content was found was on 2011-12-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 9 site(s) on this network, including, for example, playingfieldforallstore.com/, immerconsult.com/, seafarers333.co.cc/, that appeared to function as intermediaries for the infection of 15 other site(s) including, for example, alexsandra.ucoz.net/, seafarers.ucoz.ru/, fpbqax.in/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 11 site(s), including, for example, myshop-ideal.com/, retailer-ideal.com/, abrorl.dlinkddns.com/, that infected 74 other site(s), including, for example, carrollmanorathletic.com/, nihadragab.com/, fathyradwan.com/.

SiteVet's report shows that while it isn't a brilliant block, it certainly has problems.

If you don't do business in the Ukraine then it could well be worth blocking 188.190.96.0/19 just to be on the safe side.
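As an added example (not from the original post), the snippet below checks that the RIPE inetnum range quoted above really does collapse to the 188.190.96.0/19 suggested for blocking, confirms the hosting IP falls inside it, and then flags proxy log lines whose destination sits in that block. The log lines are constructed squid-style samples, not real traffic.

```python
import ipaddress
import re

# The inetnum line exactly as it appears in the RIPE record above
INETNUM_LINE = "inetnum:        188.190.96.0 - 188.190.127.255"
HOSTING_IP = "188.190.99.26"  # where czredret.ru was hosted at the time of the post


def inetnum_to_cidrs(line):
    """Turn a RIPE 'inetnum: first - last' line into the minimal list of CIDR networks."""
    first, last = (p.strip() for p in line.split(":", 1)[1].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def ip_in_block(ip, networks):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed squid access.log samples (client IPs and the second destination are
# documentation/private ranges; only 188.190.x.x addresses come from the post).
SAMPLE_LOG = """\
1323086401.123  210 10.0.0.15 TCP_MISS/200 4513 GET http://czredret.ru/ - DIRECT/188.190.99.26 text/html
1323086402.456   95 10.0.0.22 TCP_MISS/200 1201 GET http://example.com/ - DIRECT/198.51.100.7 text/html
1323086403.789  180 10.0.0.15 TCP_MISS/200 980 GET http://other.example/ - DIRECT/188.190.120.7 text/html
"""

DEST_RE = re.compile(r"DIRECT/(\d+\.\d+\.\d+\.\d+)")


def flag_log_lines(log_text, networks):
    """Return (client_ip, destination_ip) for every line whose destination is in the block."""
    hits = []
    for line in log_text.splitlines():
        m = DEST_RE.search(line)
        if m and ip_in_block(m.group(1), networks):
            hits.append((line.split()[2], m.group(1)))  # field 3 of squid's log is the client
    return hits


if __name__ == "__main__":
    nets = inetnum_to_cidrs(INETNUM_LINE)
    print("block:", [str(n) for n in nets], "hosting IP inside:", ip_in_block(HOSTING_IP, nets))
    for client, dest in flag_log_lines(SAMPLE_LOG, nets):
        print(f"client {client} reached {dest} in the Infium block")
```

The same membership check can be pointed at a firewall or DNS log; any internal host that talks to the block is a candidate for a closer look.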