These are fake AVs and drive-by downloads mostly, some seem to promoted through low-grade banner ads, all hosted on 31.193.12.3 (Burstnet, UK) and suballocated to:
person: Olexii Kovalenko
address: Pavlova, 15, Zaporozhye, Zaporozhye, 69000, Ua
phone: +1 570 343 2200
fax-no: +1 570 343 9533
nic-hdl: OK2455-RIPE
source: RIPE # Filtered
mnt-by: mnt-burst-au
mnt-by: mnt-burst-mu
The registration for the .asia and .eu domains is consistent in the ones I have checked:
Registrant ID:DI_23063626
Registrant Name:Javier
Registrant Organization:n/a
Registrant Address:Nevskaya street 41
Registrant Address2:
Registrant Address3:
Registrant City:Belgorad
Registrant State/Province:Belgorodskaya oblast
Registrant Country/Economy:RU
Registrant Postal Code:494980
Registrant Phone:+007.9487728744
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:007uyfo007@mail.ru
I've broken the list into three parts, it's a bit messy sorry..
The first part are a bunch of short domains used with subdomains to create a malicious payload:
List 1:
a1ft.asia
a3ew.asia
ah2b.asia
av5n.asia
c2wj.asia
cj4d.asia
ck3l.asia
bs3d.asia
d4xi.asia
d8dx.asia
dj7k.asia
dk3i.asia
ef1r.asia
f4dw.asia
fj2j.asia
fm5h.asia
g2wy.asia
g4av.asia
gi4b.asia
h2ju.asia
j2qd.asia
j5hn.asia
ja6l.asia
k3lr.asia
l3gv.asia
m1eb.asia
m1eq.asia
m4nj.asia
n0un.asia
n3mi.asia
nw2r.asia
p0rv.asia
p0ry.asia
pq8c.asia
q2hm.asia
q2hv.asia
q3bz.asia
qk3x.asia
r4dx.asia
s6wm.asia
t5ha.asia
t5hj.asia
t5zb.asia
u7bo.asia
uh7f.asia
v8ul.asia
ve4z.asia
w3wc.asia
w3wz.asia
w2jf.asia
x6fr.asia
x8ru.asia
y1uh.asia
y6np.asia
z1ha.asia
jp5s.info
pe5a.info
gw1c.eu
Subdomains in use:
be-ttraccker
dipppboxx
dippbboxx
diiipp-box
diippss-box
faat-llood
fatssllooads
fiilespooisk1
fiilepoiick
filles-looads
fileloood
file-looadds
files-loooads
ffilelooadd
ffile-poiick
ffiles-poiick1
filles-poiick
fille-poiick
ffilespooiisk
fillepoiick
fileppooiisk
filespooiisk
file-ppooiisk
file-pooiisk
files-poiiick
filess-poiick
file-poiicck
filles-pooisk
fiiles-poiisk1
files-poooiisk1
files-pooiiisk1
files-poooisk1
files-pooiick
fiiles-pooiisk
filespooiissk
file-pooiick
files-poiickk
file-poooiisk
files-ppoiick
geettefiiiles1
geetefiiless
geetteffiiles1
gette-fillees1
geette-fiilees1
geetee-fiiles
gette-fillees
getsefilles
getssatfiles
geettefiilees
ggets-filles
j-t0rrreentt1
jjt0rreentts
l0adss-ffiles
l0adss-ffile
l0addes-flilee
l0addesflilee
l0addes-fillee
l0adds-fiile
load-fiilles
load-fiilee
load-fiille
loaddfiiles
qipsefilles
qiips-fiiles1
qips-fiilee
qippfiile1
qippsfiiles1
qip-ffiile1
hhiitfiles1
This list are domains detected through passive DNS detection:
List 2:
babyload.asia
beastlyload.asia
bestialload.asia
childlikeload.asia
childlyload.asia
deliveryload.asia
infantload.asia
inwardload.asia
perfectload.asia
ptload.asia
singleload.asia
soleload.asia
sparingload.asia
supernalload.asia
alonefile.asia
animalfile.asia
childishfile.asia
festivefile.asia
finefile.asia
infantilefile.asia
innerfile.asia
largestfile.asia
sacredfile.asia
alertloads.asia
artloads.asia
artisticalloads.asia
animateloads.asia
chronicloads.asia
excitableloads.asia
friendlessloads.asia
licitloads.asia
lonelyloads.asia
lovingloads.asia
nakedloads.asia
primalloads.asia
primevalloads.asia
stateloads.asia
vivaciousloads.asia
vivirloads.asia
activefiles.asia
alertfiles.asia
alivefiles.asia
artfiles.asia
artisticalfiles.asia
drawnfiles.asia
looadfilees.asia
primevalfiles.asia
quickfiles.asia
savagefiles.asia
arimara1.org.ua
arimara3.org.ua
akciya.pp.ua
lis4.biz.ua
affectionateload.org
file-load.net
gbait.com
tevon.tk
joload.mooo.com
loadfile.us.to
8-loaadiing.info
agents-load1.info
ageentoloods.info
lloadfi1es.info
resonantfile.info
stabilitytrojanssaver.info
v-x.info
windowsinspectionon-line.info
lodifiles.eu
alfabiblioteka.ru
book-darom.ru
detki-travel.ru
haxo.ru
loads-filse.ru
lptds.ru
megaload2filebaza.ru
j-torents.ru
jumpcat.ru
u8l.ru
zona-trafika.ru
Finally, this long list (too long to post here) contains other detected domains on the same IP. Frankly, blocking the IP address is the most easy option.. there are actually more domains than listed here and some are duplicated, but it's the best I could do at the moment.
Many of these domains show as evil in Google's Safe Browsing Diagnostics (example) and I can file zero legitimate domains on this IP.
2 comments:
So dumb question - When you recommend blocking these, are you saying block SMTP coming from them? Or block e-mails containing links from them? I've just started reading your blog and want to get it right
thanks
@svirfnebli - the best way to block these is through some sort of web egress filtering (e.g. a proxy server or firewall), preferably by IP address else it gets messy. Exact methods will vary according to whatever product you are using.
Post a Comment