Dynamoo's Blog: Latvia

Showing posts with label Latvia. Show all posts

Wednesday 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.

Monday 12 September 2011

bundespolizei-online.com is not the Bundespolizei

bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.

The text of the message might vary, but the last scam domain was used in conjunction with a message that read:

Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.

    1) Die Zahlung per Ukash begleichen:
    Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
    2) Die Zahlung per Paysafecard begleichen:
    Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.

This roughly translates as:

It is illegal activity revealed
Attention!
An operation of illegal activity has been detected.
The operating system was blocked in connection with Violating the laws of the Federal Republic of Germany! It was festgestelltt following violation: Your IP address is "xxxx" with the IP were pages containing pornography, child pornography, bestiality and violence invoked against children on the computer were also video files containing pornography, found elements of violence and child pornography! There were also emails sent in the form of spam, with terrorist backgrounds. This serves to lock the computer to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To unlock the computer, you have to pay a penalty verflichtet of 100 €. You have two ways to make the payment of 100 €.

     1 pay) Payment via Ukash:
     You enter the acquired code into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, you have the code by email (einzahlung@dpolg-bundespolizei.org) ship.
     2) The payment by paysafecard to pay:
     You enter the acquired code (if necessary including password) into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, so you must send the code by email (einzahlung@dpolg-bundespolizei.org).

A €100 fine for terrorist likes and download child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.

The bundespolizei-online.com is quite interesting to look at. First, there is the WHOIS record:

    Steffen Schüssler

    Email: t-mart-admin@teiekom.de

    Organization: Hostmaster T-Systems

    Address: Vahrenwalder Strasse 240-247

    City: Hannover

    State: Hannover

    ZIP: 30159

    Country: DE

    Phone: +49.43171633486 

    Fax: +49.43171633486

It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance.. but wait, it says teiekom.de and not telekom.de which can't be right.

The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvia is pretty much a hotbed of crime, and the AS12578 block has a pretty bad reputation, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.

So.. if you see a message soliciting an email reply to bundespolizei-online.com or running on the same website then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.

Friday 15 July 2011

Christwire.org hacked with sokoloperkovuske.com redirect

This summary is not available. Please click here to view the post.

Thursday 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.

The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.

Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Monday 7 March 2011

Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info

I've covered Sagade before, which appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range in the 46.252.130.0 - 46.252.131.255 range which are completely full of toxic sites that should be blocked.

This IP range forms AS52055, of which Google says:

Safe Browsing
Diagnostic page for AS52055 (RELIKT)

What happened when Google visited sites hosted on this network?

    Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):

ertmovs.com
lkjsnfs.com
antivirussystem2011get.com
bbuydelivery.com
berrydush.net
brewtonconsult.net
collach.com
ddk2200.com
enter-way.net
euro2012corp.com
facebook-surprise-njwo.tk
facebook-surprise-njww.tk
fire6495ksd.com
fotoshare-2dknc.com
gigomark.com
grapndet.com
htss.su
hyipl.info
ibifit.com
lokia.info
lost-pass.ru
lostpass.ru
mailx.su
mittmax.com
nanosearchpro.net
novasystemutils2011.com
sentex10zx.in
shabgdr.com
softstoreinc.com
spy4.net
stylus2641fm.com
trabniyd.com
turb-o-search.com
x-pass.ru
xaker.me
nalmeron.cz.cc
agamaris.vv.cc
dalalore.vv.cc
thetakus.vv.cc
maribandis.vv.cc
mogrinn.vv.cc

Registration details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255

netname:        Sagade

descr:          users

country:        LV

admin-c:        AK6804-RIPE

tech-c:         AK6804-RIPE

status:         ASSIGNED PA

mnt-by:         andrejskaminskis-mnt

source:         RIPE # Filtered

person:         Andrejs Kaminskis

address:        Latgales 32/34, Rezekne, Latvia

phone:          +37127580487

e-mail:         reliktbvk@gmail.com

nic-hdl:        AK6804-RIPE

mnt-by:         andrejskaminskis-mnt

source:         RIPE # Filtered

route:          46.252.130.0/23

descr:          users

origin:         AS52055

mnt-by:         andrejskaminskis-mnt

source:         RIPE # Filtered

As I said, traffic seems to be fed through traff4you.info, registered on 10th Decemeber 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server on 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it too.

Thursday 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they most cater for Latvian users only.. if you are outside of Latvia, then very little will be lost by blocking this entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handul of legitimate sites.. otherwise, I would recommend blocking the lot.

Monday 11 October 2010

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE: this IP range is now used by a completely different organisation, and malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvia entity hosting in Moldova, closely affiliate with Sagade Ltd who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255

netname:         Donstroy-1

descr:           Donstroy Ltd.

country:         LV

org:             ORG-DL107-RIPE

admin-c:         JS1050

tech-c:          JS1050

status:          ASSIGNED PI

mnt-by:          RIPE-NCC-END-MNT

mnt-lower:       RIPE-NCC-END-MNT

mnt-by:          MNT-DONSTROY

mnt-routes:      MNT-DONSTROY

mnt-domains:     MNT-DONSTROY

source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE

org-name:        Donstroy Ltd.

org-type:        OTHER

address:         Kalinina 19, 6, Bendery, Moldova

e-mail:          sagade95@gmail.com

mnt-ref:         MNT-DONSTROY

mnt-by:          MNT-DONSTROY

source:          RIPE # Filtered

person:          Juris Sahurovs

address:         Rezekne Darzu iela 21

phone:           +37120034981

nic-hdl:         JS1050

e-mail:          sagade95@gmail.com

source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23

descr:           donstroy-route-1

origin:          AS29557

mnt-by:          MNT-DONSTROY

source:          RIPE # Filtered

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here), the best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:

Girlongirllibido.info
Homeownersinsuranceratings.com
Testertestfree.org
Vmhostingboxx.org
Dscodec.com
Fastprosearch.com
Ttyur.com
Vlopw.com
Bmlsk.com
Bumzc.com
Fjoty.com
Fruuf.com
Hjoty.com
Nwsplt.com
Palcaug.com
Potyur.com
Uoptyr.com
Uprtx.com
Medicpillsana.com
Medicpillsbba.com
Medicpillsbia.com
Medicpillsbta.com
Medicpillscaa.com
Medicpillscea.com
Medicpillscha.com
Medicpillscia.com
Medicpillscka.com
Medicshopnas.net
Medicshopnds.net
Medicshopnks.net
Medicshopnts.net
Medicshopoes.net
Asemedic.net
Astmedic.net
Encmedic.net
Enmedic.net
Frmedic.net
Hismedic.net
Icmedic.net
Intmedic.net
Krmedic.net
Letmedic.net
Medicci.net
Medicdi.net
Medicfr.net
Medicha.net
Mediclg.net
Medicni.net
Medicnr.net
Medicpo.net
Medicpu.net
Medicri.net
Ajeslovshord.com
Akvodhhead.com
Alsodhesedhoujhd.com
Aniarioli.com
Askpressjame.com
Bejokohafder.com
Blackmodhersdep.com
Bodhlearkfil.com
Busyplakdovk.com
Cutyacttin.com
Deheverbejak.com
Dhadhaveopek.com
Dheyherevhole.com
Dovkbackbord.com
Fallanlot.com
Gavilaugddiri.com
Hadakcourse.com
Hojharedokd.com
Kameuspoukd.com
Losdsodemoss.com
Lovioinwdoli.com
Medpillsna1.com
Medpillsna2.com
Medpillsna3.com
Medpillsna4.com
Medpillsna5.com
Medpillsni1.com
Medpillsni2.com
Medpillsni3.com
Medpillsni4.com
Medpillsni5.com
Minanwaut.com
Offobjecdfamoly.com
Okchfudboy.com
Oslakdexampleas.com
Pajeukdolmaok.com
Posekipbrokj.com
Pukdraokclass.com
Redovksay.com
Resdlaujhmoss.com
Savsdadeschul.com
Sduigancdangi.com
Sliicrymuli.com
Stooddandwi.com
Suchjrikoh.com
Travilfuriwdin.com
Addsecovdtook.com
Aoutdonttdrii.com
Assiafull.com
Commoklakjuajemeak.com
Dalkplakdaor.com
Deachhodkear.com
Dhadledad.com
Dhohdhokjearly.com
Dhokjbroujhdmusd.com
Dojcourseleark.com
Domesdopdhousakd.com
Dopmedic.net
Dovardhohdhoh.com
Efimedic.net
Enemedic.net
Feetdoldakayvst.com
Femedic.net
Hamedic.net
Joldiplosd.com
Kodocedoldappear.com
Launflymost.com
Lederbojdhad.com
Letdourwere.com
Lodledellmek.com
Medshopcu1.com
Medshopcu2.com
Medshopcu3.com
Medshopcu4.com
Medshopcu5.com
Medshopde1.com
Medshopde2.com
Medshopde3.com
Medshopde4.com
Medshopde5.com
Muchplakdokly.com
Okcevhekvadch.com
Oldbesdjrik.com
Passourdu.com
Pocdurejudcold.com
Rockdomeacd.com
Rockroundsung.com
Sicondkniwgo.com
Slovkevvell.com
Soldmarkacte.com
Strovkuproad.com
Ukmedicineel.com
Ukmedicineho.com
Ukmedicineit.com
Vadchdeachmokd.com
Vekdhadjrov.com
Vhadreachmusoc.com
Vholevucemay.com
Vokdercarryjod.com
Vordeachsdud.com
Ydeamavturv.com
Advsecsmart.com
Digitall-soft.com
Extrafullprotection.com
Mypc-repair.com
Payforsec.com
Secsmartsuper.com
Smartsecadv.com
Smartsecsuper.com
Smartsecurityadvisor.com
Smartsupersecurity.com
Stable-soft.com
Supersecadvizor.com
Supersecurepay.com
Supersmartantivirus.com
Supersmartsec.com
Bbnhs.com
Bumzec.com
Ddleb.com
Drutp.com
Gasdda.com
Gradtz.com
Hewraq.com
Hgptd.com
Htresq.com
Krclear.com
Nadwq.com
Nmkop.com
Utrvc.com
Vbnrte.info
Kobqq.com
Jgtee.com
Jyiop.com
Mptim.com
Nhytx.com
Ptyre.com
Woptr.com
Yopte.com
Ypuii.com
Checkingassociateeditor.com
Bestcheckingconnect.com
Checking-associate-editor.com
Checking-associate.com
Checkingassociatemembership.com
Checkingconnectdata.com
Checkingconnectnow.com
Checkingconnectshop.com
Cogus.net
Gromz.net
Mochos.net
Zorter.net
Movies-celeb.info
Onlymoviesporn.info
Porn-video-4u.info
Pornyardmovies.info
Videostreamporn.info
Moviesfreestar.info
Nanocloudcontroller.com
Iliked.org
Yougoodvideo.net
Shloesandrooneys.com
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Dsfungssdfg.com
Sbgfdfsggf.com
Sportstickets.tv
Sufdngsg.com
Missing-codecs.com
Missing-codecs.net
Missing-codecs.org
Vidscentral.net
Consp.net
Thestability.com
Traffcity.com
Polytech-electronics.net
Blackmaven.in
Blueace.in
Whiteace.in
Whiteoso.in
Whitewizard.in
Globalcloudbackup.com

Wednesday 25 August 2010

Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

I've mentioned Sagade Ltd before, it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.

There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here- unless you do business in the Baltic states, then blocking all of them will probably do no harm.

Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:
Marre.in
Monre.in
Sdaya.in
Dnsdnsprovider.com
Respw.info
Tonew.info
Wbypa.info
Celebsalon.net
Celebsvideos.net
Soltberger.net
Sumerki-saga.com
Zatmenie-saga.com
Bestgoogleanalytics.com
Bestgenerics.org
Dhag.org
Autoseon7.com
Auou.info
Premiaa.com
Tdyeah.com
Oeema.info
Oeeme.info
Toptrep.biz
Staticdnsdns.com
Aaasphereezine.com
Aopsompamspn.com
Hsudsasodams.com
Ieksmanskasdk.com
Mopsdiamsas.com
Alert-system.net
Ffgde.com
Gdlka.com
Khhfg.com
Nnmty.com
Ppolr.com
Rcchr.com
Rrtyu.com
Rttye.com
Trrre.com
Uyyty.com
Ccdfr.com
Ffeeq.com
Kklou.com
Kkuyt.com
Oouty.com
Ppuut.com
Ppyur.com
Ttyww.com
Wrraa.com
Yyrew.com
Bbhty.com
Ggbdb.com
Rggsd.com
Rihdd.com
Rrryu.com
Bbgtr.com
Kjhtr.com
Wrrrt.com
Mylote.com
Tube-free-online.com
Adminka.org
Bbcxq.com
Bnfgd.com
Cbdfr.com
Dettt.com
Fggpr.com
Ggffr.com
Hhyyr.com
Ssmmb.com
Trdvr.com
Darkseo.org
Dbsoft.in
Domainpc.in
Exinfo.in
Lightdebug.in
Microsoft-security-center.com
Mxinfo.in
Statreview.in
Uimode.in
Unport.in
Bestdomainforus.info
Bestvido.info
Bluffycrob.info
Domain-for-email-us.info
Domain-for-gain-us.info
Domain-for-lease-us.info
Domain-for-us.info
Domainfordollarsus.info
Domainforemailus.info
Domainforgainus.info
Domainforleaseus.info
Domainforus.info
Domainforusblog.info
Domainforusnow.info
Domainforusonline.info
Domainforusshop.info
Domainforussite.info
Domainforusstore.info
Domainforustoday.info
Fffvideo.info
Freedomainforus.info
Freevido.info
Microoplata.info
Moplata.info
Mydomainforus.info
Myvido.info
Newdomainforus.info
Newvido.info
Stupid-domain-for-us.info
Stupiddomainforus.info
Thebluffycrob.info
Thedomainforus.info
Thefffvideo.info
Vi-do.info
Vidonow.info
Vidoonline.info

Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)

Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough calculation, roughly half the IP address ranges I am currently blocking are based in Latvia.

This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.

There's a more detailed file with MyWOT ratings and IP addresses to download here.

Bitssit.com
Solid-pay-gate.com
Bombastats.com
1001meds.info
101doctors.info
101health.info
11doctors.info
333tabs.info
5meds.info
911drugs.info
99pharmacy.info
99pills.info
Abouttabs.info
Actualdrugs.info
Actualtabs.info
Addhealth.info
Addpills.info
Advancedsoft.in
Allpills.info
Anyhealth.info
Anymeds.info
Anytabs.info
Atlanticdrugs.info
Atlantictabs.info
Bestwesthost.info
Bluedoctor.info
Buycheapnow3.info
Buyfdatabs.info
Buygeneric1.info
Buyld.info
Buyonline5.info
Buytramadol5.info
Buytramadolf.info
Buytramadolk.info
Buytramadolp.info
Buytramadolt.info
Buytramadoly.info
Buyxanax1.info
Buyxanaxk.info
Cheap2tramadol.info
Cheaponline2.info
Cheaprt.info
Cheaptramadolh.info
Cheaptramadoli.info
Cheaptramadolss.info
Cheaptramadolw.info
Cheaptramadolz.info
Cheapxanaxz.info
Doctor01.info
Doctorarea.info
Doctordaily.info
Doctorgiant.info
Doctorjones.info
Dogoal.in
Drugs01.info
Drugs12.info
Drugsapple.info
Drugsbasket.info
Drugsblue.info
Drugscenter.info
Drugsclub.info
Drugscompany.info
Drugsdaily.info
Drugsfast.info
Drugsgood.info
Drugslife.info
Drugsreview.info
Drugstoree.info
Fasttabs.info
Fdapillsonline.info
Fulink.in
Fustat.in
Generictramadolb.info
Generictramadolc.info
Generictramadoln.info
Generictramadolr.info
Generictramadolv.info
Genericxanaxn.info
Getonlinehealth.info
Getonlinemeds.info
Haycorn.info
Health911.info
Healthbasket.info
Healthblue.info
Healthgreat.info
Healthlabel.info
Kinghealth.info
Kingpills.info
Knownmeds.info
Knowntabs.info
Labeldrugs.info
Labelhealth.info
Meds01.info
Meds333.info
Meds4him.info
Medsapple.info
Medsarea.info
Medsdaily.info
Medsexpress.info
Medsguard.info
Medshealth.info
Medslife.info
Medslocate.info
Medssearch.info
Mmlist.in
Mmsoft.in
Moderndrugs.info
Modernpills.info
Mxstat.in
Needsdoctor.info
Olstat.in
Online01.info
Onlinecasinosbestusa.info
Onlineow.info
Ordercheapnow6.info
Orderoj.info
Orderonline4.info
Ordertramadold.info
Ordertramadole.info
Ordertramadolj.info
Ordertramadolo.info
Ordertramadolx.info
Orderxanaxx.info
Owndoctor.info
Pacificdoctor.info
Pills007.info
Pills01.info
Pills4him.info
Pills4men.info
Pillsaccept.info
Pillsarea.info
Pillsblue.info
Pillscontrol.info
Pillsdaily.info
Pillsfast.info
Pillsgood.info
Pillslabel.info
Pillslife.info
Pillslocate.info
Pillsoffice.info
Pillsreview.info
Pillssearch.info
Pillstoday.info
Pillsworld.info
Realtabs.info
Rx999.info
Safedoctor.info
Searchtabs.info
Sermyagino.info
Ssmode.in
Ssnews.in
Tabs01.info
Tabs4him.info
Tabs5.info
Tabsaccept.info
Tabsapple.info
Tabsarea.info
Tabscenter.info
Tabsclub.info
Tabscompany.info
Tabscontrol.info
Tabsdaily.info
Tabsexpress.info
Tabsguard.info
Tabsguide.info
Tabslife.info
Tabsoffice.info
Tabspills.info
Tabsreview.info
Tabssearch.info
Tabsworld.info
Todaypills.info
Todaytabs.info
Tramadolonline7.info
Tramadolonlinea.info
Tramadolonlineg.info
Tramadolonlinel.info
Tramadolonlineq.info
Tramadolonlineu.info
Tramadoltramadol1.info
Tramadoltramadol10.info
Tramadoltramadol2.info
Tramadoltramadol3.info
Tramadoltramadol4.info
Tramadoltramadol5.info
Tramadoltramadol6.info
Tramadoltramadol7.info
Tramadoltramadol8.info
Tramadoltramadol9.info
Uiplus.in
Usaapharm.info
Usausaonlinecasinossuper.info
Xanaxonlinee.info
Xanaxonlinel.info
Pupseg.net
Pupseg.org
Pixelstatservice.com
Mybesttubeporn.com
Rowfirst.com
Java-9update.com
Update-00server.com
Hqll.ru
Xacz.ru
Aloa.asia
Vniz.asia
Bbls.ru
Vaseagruzitkorm.com
Vaseajretikru.com
Ewacx.com
Yacver.com
Security-defencing.com
Mypctech.net
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Thebestporn.in
Cormoupo.info
Zombie-world.org
Alterparadigma.net
Brickplayer.ru
Chilauter.ru
Compromendes.com
Moretds.org
Danjg.com
Aftui.in
Ammew.info
Armrm.in
Aspow.info
Clasd.in
Coerw.info
Demim.in
Diasw.info
Diaui.in
Expew.info
Eynew.info
Gatui.in
Harui.in
Highw.info
Homow.in
Jenyx.in
Jusui.in
Katre.in
Lisni.in
Manui.in
Marsw.in
Marui.in
Micre.in
Neigw.info
Ningl.in
Nitan.in
Nvenc.in
Nvene.in
Nvild.in
Nvill.in
Pockw.info
Praaw.info
Pulpm.in
Racew.info
Recei.in
Recky.in
Recto.in
Regaw.info
Rendm.in
Sepsd.in
Slovw.in
Socyx.in
Stpsd.in
Synre.in
Thiui.in
Torsw.in
Uianh.in
Volnv.in
Yxiac.in
California-ns.com

UPDATE 2014-06-25: It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.

Friday 30 July 2010

Evil network: Microlines (microlines.lv), AS2588 (79.135.128.0/19)

Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.

Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24, all legitimate web sites are hosted outside of that /24.

I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.

Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis, certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.

A list of bad domains to block:
Best-scanner-2010.net
First-online-scanner.com
Nameservice-worldwide.com
Scanner2010.com
Scanner2010.org
Scannerglobal.com
Scannerglobal.net
Super-scanner.net
Super-scanner.org
Volunteer-scan.com
Best-scanner-2010.org
First-online-scanner.net
Scanner2010.net
Best-scanner-2010.com
Huisko.cn
Lokisko.cn
First-online-scanner.org
Ad-parking.net
S-powerlink.com
Creatives-labs.com
Brick-layer888.com
Advdefender.com
Goadvdef.com
Advanced-def.com
Advanceddefender.org
Getadvdef.com
Goadvdef2.com
Kavascansecurity.com
Iuysdjerh.com
Lkhysayte.com
Sadangez.com
Evdoilsdus.com
Hhsdgbes.com
Jkhasels.com
Sfahdasjw.com
Maniyakat.cn
Kljdskrza.com
Kipyatok.cn
Head-moron.cn
Youaskedthedomain.cn
Asdagj.com
Banubanasy.cn
Love2coffe.cn
Sadahesz.com
Rebornendkit.cn
Qsfgyee.com
Sakjgeyq.com
Tottaldomain.cn
Salkjyhx.com
Pogodanet.cn
Vipsocks.cn
Mdsget1.com
Opudsjh.com
Sdasfj6.com
Kjast3z.com
Lkfjfuisdh.com
Safniiyew.com
Mjsgsawz.com
Jkhteqa.com
About-joga.ru
Icq4all.net
Bravqwer.com
Ajhsfget.com
Ajytse5.com
Dkeh38oz.com
Fd1a234sa.com
Ilui45iu7.com
Jhrez76.com
Kjdst6ey.com
Lasur8e.com
Sfah3sz.com
Sjb653xz.com
Sadkajt357.com
Fuchroot.com
Gagainco.com
Mcd0nalds.com
B00tlife.com
Dlkasfgatker.com
Klitar.cn
Breenders.com
Directbinary.com
Gasredbox.com
Kaljv63s.com
Kdy7rsxa.com
Lovinezer.com
Mdmasege.com
Rmbtoor.com
Safe3etfejwqf.com
Wdggtwegww.com
S0cksps.com
87jonsonfd.com
Gosrmecalonl16.com
Gosrmecalonl20.com
Gosrmecalonl21.com
Gosrmecalonl3.com
Gosrmecalonl30.com
Gosrmecalonl4.com
Gosrmecalonl5.com
Gosrmecalonl8.com
Gosrmecalonl9.com
Gosrmecalodnl38.com
Gosrmedicalonl13.com
Gosrmedicalonl14.com
Gosrmedicalonl2.com
Gosrmedicalonl20.com
Gosrmedicalonl1.com
Gosrmedicalonl10.com
Gosrmedicalonl11.com
Gosrmedicalonl16.com
Gosrmedicalonl17.com
Gosrmedicalonl19.com
Gosrmedicalonl3.com
Gosrmedicalonl5.com
Gosrmedicalonl6.com
Gosrmedicalonl7.com
Gosrmedicalonl9.com
Gosrmedicalonl18.com
Sweethost.org
Twowildgirls.net
Profithobby.net
Antiviractive.com
Antivirback.com
Antispysp.com
Webantispy.com
Antispymv.com
Antispynew.com
Antispybox.com
Antispyutil.com
Avmirror.com
Antispymega.com
Cyber-deployment.com

Thursday 29 July 2010

freead.name / mybar.us / toolbarcom.org / adsnet.biz

A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:

66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251

All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.

One one domain (mybar.us) is not anonymised:

Registrar URL (registration services):       www.publicdomainregistry.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_11638984
Registrant Name:                             Andrew Black
Registrant Organization:                     N/A
Registrant Address1:                         555 Taylor Rd.
Registrant City:                             Enfield
Registrant State/Province:                   Connecticut
Registrant Postal Code:                      06082
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +860.7492291
Registrant Email:                            dday.rabbit@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name

Thursday 1 July 2010

Sagade Ltd is still evil

I blogged about AS6851 / Sagade Ltd / ATECH-SAGADE a little while ago. A Java-based drive-by download from one of their servers brought them to my attention again.

Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:

AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com

These sites are either involved in illegal activities or malware distribution, avoid them.

Dynamoo's Blog

Link List

Sponsored by..