A couple of interesting posts over at Malware Must Die! showed some significant nastiness on a few IP ranges you might want to block. The IPs mentioned are:
91.243.115.140 (Aztek Ltd, Russia)
46.166.169.238 (Santrex, Netherlands)
62.76.184.93 (IT House / Clodo-Cloud, Russia)
I'll list the sites hosted on these IPs at the end of the post for readability. But in these cases, blocking just the single IPs is not enough, as they reside in pretty evil netblocks which should be blocked altogether.
91.243.115.0/24 (Aztek Ltd) is part of this large collection of malware hosts. Perhaps not all sites in the network are malicious, but certainly a lot of them are. I would err on the side of caution and block access to all sites in this /24, legitimate or not.
46.166.169.0/24 (Santrex) is another horrible network. According to Google, out of 4604 tested sites in this block, at least 3201 (70%) are involved in malware distribution. There may be legitimate sites in this /24, but since customer service is allegedly atrocious, it's hard to see why they would stick around. Again, blocking this /24 is probably prudent.
62.76.184.0/21 (IT House / Clodo-Cloud) is quite a large range to block, but I have seen many malicious sites in this range, and like Aztek it is part of this large network of malware hosts and has a poor reputation. This /21 is only part of the provider's netblock; if you want to go further, you could consider blocking 62.76.160.0/19.
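To turn the three netblocks above into something you can actually check against, here is an added example (not code from the original post) that loads them with Python's standard `ipaddress` module, flags proxy-log entries whose destination falls inside a blocked range, and confirms that the optional wider 62.76.160.0/19 range really does contain the 62.76.184.0/21 block. The log lines and their layout (timestamp, client IP, destination IP, hostname) are constructed for the example.

```python
import ipaddress

# Netblocks named in the post: Aztek Ltd, Santrex, and IT House / Clodo-Cloud.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "91.243.115.0/24",
    "46.166.169.0/24",
    "62.76.184.0/21",
)]

# The broader range the post mentions as an optional, more aggressive block.
WIDER_IT_HOUSE = ipaddress.ip_network("62.76.160.0/19")

# Constructed sample proxy log: timestamp, client IP, destination IP, hostname.
SAMPLE_LOG = [
    "2013-01-15T10:00:01 10.0.0.5 91.243.115.140 amgstaying.net",
    "2013-01-15T10:00:02 10.0.0.7 8.8.8.8 dns.google",
    "2013-01-15T10:00:03 10.0.0.9 62.76.184.93 bestchange001.ru",
    "2013-01-15T10:00:04 10.0.0.9 46.166.169.238 clientlink011.ru",
    "malformed line",
]


def matching_net(ip):
    """Return the blocked network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCKED_NETS:
        if addr in net:
            return net
    return None


def flag_log_lines(lines):
    """Return (destination IP, matching network) for each log line hitting a blocked range.

    Lines that are too short or carry an unparsable destination are skipped.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            net = matching_net(parts[2])
        except ValueError:
            continue
        if net is not None:
            hits.append((parts[2], str(net)))
    return hits


def wider_block_covers_post_range():
    """True if 62.76.160.0/19 fully contains the 62.76.184.0/21 block from the post."""
    return BLOCKED_NETS[2].subnet_of(WIDER_IT_HOUSE)


if __name__ == "__main__":
    for dest, net in flag_log_lines(SAMPLE_LOG):
        print(f"{dest} is inside blocked range {net}")
    print("wider /19 contains the /21:", wider_block_covers_post_range())
```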
The following domains are all connected to these two attacks:
1 comment:
Hi Conrad, thanks for the comment on MalwareMustDie and the mention!
I am with this writing 100%. Yes, everything you said is correct/very true & also is far from being (excuse my poor English) "paranoia" at all. We see on a daily basis, in our crusade events, what Conrad wrote about the evilness of those networks.
I URGE network admins to implement what this post recommends into their blocking policy, and trust us, it won't bring demerit to you at all. We still do our best to shut those down, God speed.
All the best for Dynamoo! Great project! Respect from #MalwareMustDie!