Sponsored by..

Wednesday 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24
darotkskeu.com
hijuvchr.com
humhfsara.com
lomospaoerotr.com
noerdfjkieswp.com
p28aa.com
pkoefkosaep.com
teeirkfoews.com
niggercar.es
invoice-ups.net
www-myups.net
invoice-myups.org
invoice-ups.org
office-hosts.org
softupdates.org
updatedns.org
www-myups.org
abdilo.ru
bihilafes.ru
cloudughtold.su
dedicnqher.su
dnspqajr.su
dnsxjkd.su
hosrvnwj.su
hostfjwmr.su
hostsple.su
hostyksn.su
servergotold.su
serverhersse.su
servermexyr.su
serveruey.su
serverxpqk.su
serviolt.su
ugulddedic.su
usehostru.su
uttofhost.su
vpsjsner.su
vpslopwz.su
baycityads.biz
blingstarscpm.biz
plustimber.biz
plutoads.biz
tempomedia.biz
dsffdsk323721372131.com
ny-discount-sales.com
rxmega-shop.com
rx-product-shop.com
safe-refill-rx.com
viphealhtmarket.com
datadirects.eu
dataremark.eu
dataresultsid.eu
datasynchronize.eu
datavail.eu
datsunplus.eu
dedistarid.eu
detectionstream1.eu
dmpcheck.eu
drellmedia.eu
elitemembers.eu
eplymedia.eu
eravideoads.eu
euserviceid.eu
forwardingref.eu
glowcheck.eu
iprecognition.eu
newsettingso.eu
ordealsting.eu
planacheck.eu
pluginverifys.eu
proudeuro.eu
refforwarding.eu
resellerapis.eu
rpmstatus.eu
samjectstar.eu
secondtierdirect.eu
selldataset.eu
soundads.eu
spokenads.eu
stretchstrong.eu
syncdata1.eu
trackingstreamchk.eu
trackstats.eu
trafficlax.eu
verablade.eu
club-rx-bestseller.ru
fuckaustralia.ru
rx-bestseller.ru




No comments: