
Monday, 6 September 2010

Tainted network: InterWeb Media / Gogax.com AS21793 (

Trading under various names including Gogax, InterWeb Media and Exist Hosting, this Canadian company mixes some extremely dangerous sites, with links to organised crime, in among legitimate businesses.

Gogax's business model appears to be to delegate small chunks of its IP address range to third parties, while presumably hosting the servers for them. In the case of this $600,000 fraud, the IP addresses were delegated by Gogax to a company called Krutikservers in Azerbaijan.

There are also several fake and/or illegal pharmaceutical sites in the address range, which makes it odd that a legitimate organisation like the Swedish Covenant Hospital should choose to host in the same IP range as criminals.

Google's safe browsing diagnostic is pretty damning:

Safe Browsing
Diagnostic page for AS21793 (GOGAX)

What happened when Google visited sites hosted on this network?

    Of the 595 site(s) we tested on this network over the past 90 days, 35 site(s), including, for example, ajvar.com/, freezlylo.com/, no-ip.be/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-09-05, and the last time suspicious content was found was on 2010-09-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 225 site(s) on this network, including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that appeared to function as intermediaries for the infection of 3632 other site(s) including, for example, rubensf.com/, rebeccaflinn.com/, jesus-messiah.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 207 site(s), including, for example, nakedfridaydresscode.com/, lykqug.cn/, hejaza.cn/, that infected 3270 other site(s), including, for example, rubensf.com/, jesus-messiah.com/, ottomiller.com/.

The full list of domains, MyWOT ratings, delegations and a prognosis as to whether it's the sort of site you might want to visit can be found here. Below is a summary of some of the more suspect delegates (note that some of the delegate names could be forgeries):

Abdto He
Counterfeit goods

Allen Jason
United States
HYIP schemes

Cecile Dagorne (possible forged name)
Malware distribution

Emil Vdovin
Fake / illegal pharmaceuticals & counterfeit goods

Fake / illegal pharmaceuticals

Canada / US
Rogue anti-virus, malware distribution, fake / illegal pharmaceuticals

James Schumaker (possible forged name)
Fake / illegal pharmaceuticals

Fake jobs / money laundering

Loyalty Servers
Fake / illegal pharmaceuticals, malware distribution, hardcore pornography, illegal software downloads

Michael Chekin
Fake / illegal pharmaceuticals

Paule Uvinekov
Child pornography (reference)

Saman Mazaheri
HYIP schemes

Telekurs Holding (possible forged name)
Malware distribution

Valeria Duarte
Fake / illegal pharmaceuticals

Vlad Rybak
Fake / illegal pharmaceuticals

Weiliang Zhang
Counterfeit goods

Fake / illegal pharmaceuticals, malware distribution

The bad stuff on this network easily outnumbers the legitimate stuff, so blocking the entire ( - will probably not cause significant problems. And if you are a legitimate site operator hosting with Gogax, it might well be time to change hosts before the whole lot gets blackholed.

Update: 23/5/11

Gogax claims that the block is now clean. However, the MyWOT rankings for this block still show some sites with very poor reputations (you can see a list of domains and ratings here).