Thursday 6 February 2014

Trouble at CtrlS?

CtrlS is a large Indian hosting provider who seldom feature in this blog, which is always a positive sign. However, the last two Zeus spam email runs exclusively use CtrlS servers to host encrypted malware.

Three of the four domains are easy to spot:
wahidexpress.com is on
bsitacademy.com is on
oilwellme.com is on

The last one of the four domains is hosted on a Cloudflare IP, but Cloudflare is only a reverse proxy, and a bit of digging at IP records shows that newz24x.com appears to be hosted on another CtrlS IP of

So, four out of four IPs belong to CtrlS. It could be a coincidence, but I wonder if anybody else is seeing traffic (especially for downloads of .enc files) in CtrlS IP ranges?
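For anyone who wants to answer that question from their own proxy logs, the following is an added example (not part of the original post) of the kind of check involved: parse outbound web proxy lines, keep only requests whose URL path ends in .enc, and flag those whose destination address falls inside a set of watched provider ranges. The log format, the sample lines and the watched ranges are all constructed for the example; the ranges are documentation addresses used as placeholders, not CtrlS's real allocations, and should be replaced with whatever ranges you actually want to watch.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Placeholder ranges (RFC 5737 documentation addresses), NOT real CtrlS
# allocations. Substitute the provider ranges you want to watch.
WATCHED_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed proxy log lines in a simple "client dest_ip method url status"
# layout; real Squid/Bluecoat/etc. logs need their own regex.
SAMPLE_LOG = """\
10.0.0.5 192.0.2.17 GET http://wahidexpress.com/files/payload.enc 200
10.0.0.9 203.0.113.4 GET http://example.org/index.html 200
10.0.0.5 198.51.100.8 GET http://newz24x.com/img/doc.enc 200
10.0.0.7 192.0.2.17 GET http://wahidexpress.com/css/style.css 304
10.0.0.3 192.0.2.200 GET http://bsitacademy.com/down/x.ENC?id=1 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Return (client, dest_ip, method, url, status) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, dest, method, url, status = m.groups()
    return client, dest, method, url, int(status)


def is_enc_download(url):
    """True when the URL path (query string ignored) ends in .enc, any case."""
    path = urlsplit(url).path
    return path.lower().endswith(".enc")


def in_watched_range(ip_text, ranges=WATCHED_RANGES):
    """True when ip_text is a valid address inside one of the watched networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def find_enc_downloads(log_text, ranges=WATCHED_RANGES):
    """Return (client, dest_ip, url) for .enc requests to watched ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, dest, _method, url, _status = rec
        if is_enc_download(url) and in_watched_range(dest, ranges):
            hits.append((client, dest, url))
    return hits


def summarize_by_dest(hits):
    """Count flagged requests per destination IP, handy for a quick triage view."""
    counts = {}
    for _client, dest, _url in hits:
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_enc_downloads(SAMPLE_LOG)
    for client, dest, url in found:
        print(f"{client} -> {dest}  {url}")
    print(summarize_by_dest(found))
```

Matching on the path rather than the raw URL matters because a query string (as on the last sample line) would otherwise hide the extension; matching case-insensitively catches the upper-case variant. A hit here is a lead to pull the client's other traffic and the downloaded file, not a verdict on its own.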

