Sponsored by..

Wednesday 25 April 2012

Something evil on 85.17.222.80, lpicture.info and ghjvodka.info

Some sites appear to have been hit by a sophisticated multi-part injection attack that triggers only once per IP (so difficult to track down).

There are two injected elements, one is a .in site hosted on 85.17.222.80 [Leaseweb, Netherlands] which could be one of the following:

sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in

There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.

The second injection is a reference to lpicture.info which is hosted on 95.168.173.151, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 37.59.198.55 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:

ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info

This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.

No comments: