Sponsored by..

Wednesday 3 October 2012

Something evil on 66.45.251.224/29 and 199.71.233.226

The IP address 199.71.233.226 (Netrouting, US)  and the range 66.45.251.224/29 (Interserver, US) are currently being used to distribute malware through advertising. Of these the 66.45.251.224/29 has been suballocated to an anonymous person, which I didn't even know was permitted:

network:Class-Name:network
network:ID:NETBLK-INTSRV.66.45.224.0/19
network:Auth-Area:66.45.224.0/19
network:Network-Name:INTSRV-66.45.251.224
network:IP-Network:66.45.251.224/29
network:Org-Name:Private Customer
network:Street-Address:Private Residence
network:City:Moscow
network:State:77
network:Postal-Code:119192
network:Country-Code:US
network:Created:20120701
network:Updated:20120816
network:Updated-By:abuse@interserver.net


The domains listed below are on those IP addresses, all appear to be disributing malware (see example) and they seem to have fake or anonymous WHOIS details. Blocking traffic to 66.45.251.224/29 (66.45.251.224 - 66.45.251.231) and 199.71.233.226 should be effective in countering this threat.

Update 95.211.193.36 (Leaseweb, Netherlands) and 77.95.230.77 (Snel Internet Services, Netherlands) may also be distributing malware in connection with this (report here).

Update 2:  Another IP in this cluster is 96.44.139.218 (OC3 networks, US), running malicious ads using the domain perclickbank.org (scroll down for more information)

1sedobazole.info
acpacompany.info
acpvcompany.info
adp.marketsamples.info
alladulttest.info
alttubesite.info
appvcompany.info
artsellernet.com
blabeladstarget.info
boldcpaportal.info
boldcpvportal.info
boldpopportal.info
boldppvportal.info
coldcpvportal.info
coldppvportal.info
cpaintermediary.info
cpamarketer.biz
cpappvportel.info
cpvtoolswork.info
cpvtoolwork.info
domycpa.info
domycpv.info
domyppv.info
ecpamarkets.info
ecpmmarkets.info
ecpvmarkets.info
egoodsstore.info
egoodystore.info
eppvmarkets.info
forcpamarkets.info
forcpmmarkets.info
frankinews.info
goladero.info
higeaisedo.in
hinsmart.ca
joyforcpa.info
joyforcpm.info
joyforcpv.info
joyforppv.info
juniorcpa.info
juniorcpm.info
juniorcpv.info
juniorppv.info
kabitopa.info
lowcost4hosting.info
marketsamples.info
marketsamplestore.info
nameurneeds.com
ppvadulttools.info
ppvcpaportal.info
ppvcpatools.info
ppvdatetools.info
ppvsystemgate.info
ppvsystemgateway.info
ppvsystemleadaway.info
ppvsystemnet.info
ppvsystemnetwork.info
ppvsystempointer.info
ppvsystemportal.info
ppvworktools.info
prolixppv.info
raberolasi.info
renaissancestylingstudio.com
rencai.com.ar
theforgottentruth1937.com
toolsforppv.info

Added: 6/10/12
adp.joyforppv.info
giantppv.info
giantcpa.info

Added: 10/10/12
highloadcpa.info
highloadppa.info
entry.highloadppa.info
giantppa.info
highloadpop.info
highloadcpv.info
highloadppv.info

Also, on  96.44.139.218:
perclickbank.org
google-analitlcs.com
google-statistic.com
nailart4designs.com

No comments: