
Thursday 4 December 2014

Something evil on (KolosokIvan-net / Ivan Kolosok)

The IP address range of (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.

In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:


Active IPs are as follows:

Out of those domains, the following ones are linked with some sort of file locker malware:

casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]

The other domains have virtually no reference to them at all, which is somewhat suspicious.

The block is allocated as follows:

inetnum: -
netname:        KolosokIvan-net
descr:          Net for customer ID 12510
country:        RU
admin-c:        KI811-RIPE
tech-c:         KI811-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     MNT-SELECTEL
changed:        admin@pinspb.ru 20130904
source:         RIPE

person:         Kolosok Ivan
address:        ul Lenina 19-56
phone:          +380766553642
e-mail:         kolosokivan@i.ua
nic-hdl:        KI811-RIPE
mnt-by:         KolosokIvan
changed:        kolosokivan@i.ua 20130830
source:         RIPE

descr:          Selectel Customer
origin:         AS49505
mnt-by:         MNT-SELECTEL
changed:        korsakov@selectel.ru 20140901
source:         RIPE

There are no legitimate sites in this network range, so I strongly recommend that you block the entire range.
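
An added example (not from the original post): one way to turn the inetnum line of a RIPE record like the one above into CIDR blocks for a blocklist, and to check logged destination addresses against them. The range itself is missing from this page, so the sample record, its documentation-range addresses (RFC 5737) and the function names are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in the same RPSL layout as the record above. The real
# inetnum value is missing from the page; an RFC 5737 range stands in for it.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.16 - 192.0.2.47
netname:        EXAMPLE-NET
source:         RIPE

person:         Example Person
nic-hdl:        EX1-RIPE
"""

def parse_rpsl(text):
    """Split whois output into objects (blank-line separated) of key -> [values]."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue  # skip server comments and malformed lines
            key, value = line.split(":", 1)
            obj.setdefault(key.strip(), []).append(value.strip())
        if obj:
            objects.append(obj)
    return objects

def inetnum_to_cidrs(objects):
    """Return the minimal CIDR list covering every inetnum range found."""
    cidrs = []
    for obj in objects:
        for rng in obj.get("inetnum", []):
            first, sep, last = rng.partition("-")
            first, last = first.strip(), last.strip()
            if not (sep and first and last):
                continue  # range elided or malformed: nothing to derive
            cidrs.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return cidrs

def hits(cidrs, addresses):
    """Addresses (e.g. destinations from proxy or firewall logs) inside the range."""
    return [a for a in addresses
            if any(ipaddress.ip_address(a) in net for net in cidrs)]

CIDRS = inetnum_to_cidrs(parse_rpsl(SAMPLE_WHOIS))  # two /28 blocks
```

A range that does not fall on a single prefix boundary expands to several CIDR blocks, so block every entry the function returns, not just the first.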
