Friday, 1 March 2013

Casino-themed Blackhole sites

Here are a couple of URLs that look suspiciously like a BlackHole Exploit kit, hosted on 130.185.105.74:

[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php
[donotclick]555slotsportal.org/discussing/alternative_distance.php
[donotclick]555slotsportal.net/shrift.php
[donotclick]555slotsportal.net/discussing/alternative_distance.php
[donotclick]555slotsportal.me/discussing/alternative_distance.php
[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php

You can find a sample report here.  Let's dig a little deeper into that IP address.

inetnum:        130.185.105.0 - 130.185.105.127
netname:        Creative-Telematics-Trade
descr:          Creative Telematics & Trade s.r.o.
country:        CZ
admin-c:        AT1717-RIPE
tech-c:         AT1717-RIPE
status:         ASSIGNED PA
mnt-by:         XIRRA
source:         RIPE # Filtered

person:         Alexey Terentyev
address:        Czech Republic
address:        Praha 1, Na Prikope 10
address:        11000 Praha Czech Republi
address:        CZ
phone:          +420 228880161
fax-no:         +420 227204027
abuse-mailbox:  abuses@nkvdteam.ru
nic-hdl:        AT1717-RIPE
mnt-by:         NETDIRECT-MNT
source:         RIPE # Filtered

route:          130.185.105.0/24
descr:          XIRRA-NET
origin:         AS51191
mnt-by:         XIRRA
source:         RIPE # Filtered


"Alexey Terentyev" isn't a very Czech name, and neither is the domain name of nkvdteam.ru.. wait.. NKVD? You have to have a certain mind-set to call yourself that I guess..

So what can we find hosted on 130.185.105.74?

I'm going to suggest that there's nothing of value here and these sites are probably malicious and should be blocked. You might want to consider blocking 130.185.105.0/24 too.
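To check whether anything on your network has already talked to this range, here is a small log-hunting sketch. It is an added example, not part of the original post: the four-field proxy log format, the sample lines and the subdomain matching are assumptions, while the /24 and the hostnames come from the URLs listed above.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the post: the suggested /24 and three of the listed URLs.
BLOCKED_NET = ipaddress.ip_network("130.185.105.0/24")
DEFANGED_URLS = [
    "[donotclick]888casino-luckystar.net/discussing/sizes_agreed.php",
    "[donotclick]555slotsportal.net/shrift.php",
    "[donotclick]sexstreamsmatez.biz/discussing/alternative_distance.php",
]

def host_of(url):
    """Lower-cased hostname; accepts the post's [donotclick] prefix and a missing scheme."""
    url = url.strip().replace("[donotclick]", "")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

BLOCKED_HOSTS = {host_of(u) for u in DEFANGED_URLS}

def classify(line):
    """Classify one 'timestamp client dest_ip url' line (assumed log format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, dest_ip, url = parts
    reasons = []
    try:
        if ipaddress.ip_address(dest_ip) in BLOCKED_NET:
            reasons.append("ip-in-range")
    except ValueError:
        pass  # destination not logged (e.g. "-"), fall back to the hostname check
    host = host_of(url)
    # Assumption: subdomains of a listed host are treated as matches too.
    if host in BLOCKED_HOSTS or any(host.endswith("." + h) for h in BLOCKED_HOSTS):
        reasons.append("listed-host")
    return (client, host, reasons) if reasons else None

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2013-03-01T09:14:02Z 10.0.4.17 130.185.105.74 http://555slotsportal.net/shrift.php
2013-03-01T09:14:05Z 10.0.4.22 93.184.216.34 http://example.com/index.html
2013-03-01T09:15:40Z 10.0.4.31 130.185.105.12 http://unlisted.example/landing.php
2013-03-01T09:16:11Z 10.0.4.17 - http://WWW.888casino-luckystar.net/discussing/sizes_agreed.php
"""

def hunt(log_text):
    """Return (client, host, reasons) for every log line that matches an indicator."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, host, reasons in hunt(SAMPLE_LOG):
        print(client, host, ",".join(reasons))
```

The third sample line is the reason to match on the whole range as well as on names: a hostname that is not on any list still gets flagged because it resolves into 130.185.105.0/24.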
