Sponsored by..

Tuesday 9 December 2014

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may we have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
kiogosphwuysvx12.com
nelipraderson3.com
aderradpow.in
akojdurczopat.in
amoptrafnoger.in
apo83ggacer.in
apowiurbera.in
asdlpoqnoosgteer.in
asdpqwoieu12.in
asdqpwcya2.in
ashcytiqwer.in
askio2iytqrefa.in
asnodp3booztrea.in
azlaowumoa.in
blomcreaters.in
bvioplorazeno.in
bvopqcawea.in
bxpqy7everas.in
bzoapitradetn.in
cnertazootreas.in
coiqpyteramed.in
foksatboks3.in
golhahorsea.in
greolkopanx9.in
hiapwjertas.in
hokayreenols.in
jonofogolor.in
kiaowqptrea.in
koapnoxopaiuw72.in
kutradopretano98.in
lapouiqwg28.in
loatu27amop.in
looperfter4.in
mozgyterfaopetr.in
mxopa3ieravuk.in
nioapowedrakt.in
nitreamoptec.in
nloopboobs.in
npcowytrar.in
nxaopautrmoge.in
opqertasopma.in
poltraderano.in
sapertzalofasmo.in
vjogersamxe.in
vokjotreasmo.in
xboapvogtase.in
xnaiojipotram.in
xnaioqowhera.in
ywusbopa63a.in
zbtywraser.in
gpjfwsznuhdjgzwg.com
zntddwqtteq4.com

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com


1 comment:

The Don said...

Great post. One minor correction:

"There are also some doubtful looking IP addresses on 5.196.33.15"

I think you meant to say "domains" instead of "IP addresses"?