Sponsored by..

Showing posts with label Latvia. Show all posts
Showing posts with label Latvia. Show all posts

Wednesday, 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.

Monday, 12 September 2011

bundespolizei-online.com is not the Bundespolizei

bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.

The text of the message might vary, but the last scam domain  was used in conjunction with a message that read:

Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.

    1) Die Zahlung per Ukash begleichen:
    Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
    2) Die Zahlung per Paysafecard begleichen:
    Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.
This roughly translates as:

It is illegal activity revealed
Attention!
An operation of illegal activity has been detected.
The operating system was blocked in connection with Violating the laws of the Federal Republic of Germany! It was festgestelltt following violation: Your IP address is "xxxx" with the IP were pages containing pornography, child pornography, bestiality and violence invoked against children on the computer were also video files containing pornography, found elements of violence and child pornography! There were also emails sent in the form of spam, with terrorist backgrounds. This serves to lock the computer to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To unlock the computer, you have to pay a penalty verflichtet of 100 €. You have two ways to make the payment of 100 €.

     1 pay) Payment via Ukash:
     You enter the acquired code into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, you have the code by email (einzahlung@dpolg-bundespolizei.org) ship.
     2) The payment by paysafecard to pay:
     You enter the acquired code (if necessary including password) into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, so you must send the code by email (einzahlung@dpolg-bundespolizei.org).

A €100 fine for terrorist likes and download child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.

The bundespolizei-online.com is quite interesting to look at. First, there is the WHOIS record:

    Steffen Schüssler
    Email: t-mart-admin@teiekom.de
    Organization: Hostmaster T-Systems
    Address: Vahrenwalder Strasse 240-247
    City: Hannover
    State: Hannover
    ZIP: 30159
    Country: DE
    Phone: +49.43171633486
    Fax: +49.43171633486

It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance.. but wait, it says teiekom.de and not telekom.de which can't be right.

The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvia is pretty much a hotbed of crime, and the AS12578 block has a pretty bad reputation, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.

So.. if you see a message soliciting an email reply to bundespolizei-online.com or running on the same website then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.

Friday, 15 July 2011

Christwire.org hacked with sokoloperkovuske.com redirect

Update: this site is now clean :)

Christwire.org is a satirical site about religion, not a million miles away from The Onion in terms of content. It's quite a popular site in the US.

Unfortunately, the site has been hacked and the .htaccess file has been altered. Visitors Googling from "Christwire" (I suggest that you don't try this!) get redirected to a URL at sokoloperkovuske.com/in.php?pp=138 .. but if you visit the site directly, then you don't see anything. This type of trickery is quite common as it make it harder for the site owner to detect the problem.



sokoloperkovuske.com is registered with fake registration details and is hosted on 91.220.0.19 which is SIA Business Aviation Service in Latvia (Latvia is a common place for the bad guys to hang out). I would recommend blocking the entire 91.220.0.0/24 range to be on the safe side.. the SiteVet report shows a sharp uptick in malicious activity for this AS.

Visitors are then redirected to a fake anti-virus site at www2.bestaholder.co.cc which is multihomed on 112.175.243.24, 112.175.243.21, 112.175.243.22 and 112.175.243.23 in Korea. Those servers have a lot of .co.cc sites.. it's worth blocking access to ALL .co.cc sites if you can.


Other potentially malicious sites on the Korean cluster are:
3adalat.co.cc
440amg.co.cc
4ggw.com
9movies.co.cc
alldir.co.cc
alynwap.co.cc
anjatan.co.cc
arai.owner.linuxmaster.co.cc
araup.co.cc
articleinfo.co.cc
asiancatchy.co.cc
astrazeneca.co.cc
baby.d0ll.co.cc
bacha.chutiya.co.cc
baithuctap.co.cc
bangkokmusic.co.cc
bayer-ah.co.cc
bayerhealthcare.co.cc
bayeryoungenvoy.co.cc
bestmusic4u.co.cc
bharwa.ghashti.ka.bacha.chutiya.co.cc
bokepmurah.co.cc
cafeislam.co.cc
campingalhassan.co.cc
cardio-bayer.co.cc
cardplanet.co.cc
carolebayersager.co.cc
cbm64.co.cc
cclmail.co.cc
chitthumyar.co.cc
chutiya.co.cc
cialislevitrasalesviagra.co.cc
cimahi.co.cc
cuimu.com
cyberwhitestar.co.cc
d0ll.co.cc
danielm2.co.cc
davidsaw.co.cc
dc-fansite.co.cc
deafdating.co.cc
desidigg.co.cc
diane.co.cc
dianearbus.co.cc
dianebishtv.co.cc
dianekruger.co.cc
dianelanenude.co.cc
dianestanley.co.cc
dianeturton.co.cc
dnf2683.com
dogs4u.co.cc
ebookprovider.co.cc
ecstechnologies.net
evanj8.co.cc
exicorp.co.cc
exs-ti.co.cc
faceboox.co.cc
femalelife.co.cc
filmesgratis.co.cc
forward.lookup.co.cc
free-mature-pics.co.cc
fullmusick.co.cc
funadult.co.cc
gamebazaar.co.cc
gameslowd.com
getarticles.co.cc
ghashti.ka.bacha.chutiya.co.cc
gocthethao.co.cc
gombel.co.cc
guapunye.nick.arai.owner.linuxmaster.co.cc
hdytaufik.co.cc
hesitate.with.malaysian-hackers.co.cc
hk.co.cc
hot.k1ss.co.cc
igratatin.co.cc
ilman-media.co.cc
intercambiosvirtuales.co.cc
iosdiy.com
jawamark.co.cc
jeff-dunham.co.cc
jilnul.co.cc
k1ss.co.cc
ka.bacha.chutiya.co.cc
kecoakwap.co.cc
kn4h.co.cc
kutopersada.co.cc
lanxess-europe.co.cc
la-videoteca.co.cc
law4u.co.cc
leechouse.co.cc
lenadianejennings-blogspot.co.cc
levitravardenafilhcl.co.cc
limsadiane.co.cc
linuxmaster.co.cc
look.sexy.with.baby.d0ll.co.cc
mail.chitthumyar.co.cc
mail.co.cc
mail.kecoakwap.co.cc
mail.pvpdestiny.co.cc
malaysian-hackers.co.cc
malekmaktabi.co.cc
marshadianearnold.co.cc
mastineedz-com.co.cc
maturecunt.veronichka.co.cc
mdacom.co.cc
me.hot.k1ss.co.cc
microchip123.co.cc
misiondejesus.com
mobitech-forums.co.cc
moccainside.co.cc
moneysukh.co.cc
my-exploit.co.cc
name-server.co.cc
navanblog.co.cc
nestle.co.cc
nestle-gifts.co.cc
nestle-icecream.co.cc
neswangy.co.cc
nick.arai.owner.linuxmaster.co.cc
nutricys.com
outerxcircle.co.cc
owner.linuxmaster.co.cc
pacar.yang.sangat.perhatian.co.cc
paltak-vip.co.cc
paullzn.com
perely.co.cc
perhatian.co.cc
picallo.co.cc
pkfc.co.cc
pprox.co.cc
proxy999.co.cc
purwokerto-allnet.co.cc
pvpdestiny.co.cc
radiowahrheit.co.cc
rafaelius.co.cc
rapiddown.co.cc
rawbeen.co.cc
realoiltd.co.cc
richardwalean.co.cc
rodrigoecheverry.co.cc
r-o-o-t.co.cc
rumbayan.co.cc
sangat.perhatian.co.cc
sawa7.co.cc
sawomanis.co.cc
sexy.with.baby.d0ll.co.cc
shibukg.co.cc
smabugil.co.cc
smppanderman.co.cc
sweetlady.co.cc
tablat.co.cc
techcenter-lanxess.co.cc
tintob.co.cc
tjssr.com
torrentmovies.co.cc
traviansoftware.co.cc
uatu.co.cc
veronichka.co.cc
viancom.co.cc
vipfashiononline.com
viuu.co.cc
vobase.com
webkontes.co.cc
wiredtree.co.cc
with.baby.d0ll.co.cc
with.malaysian-hackers.co.cc
woman-fucking-animals.veronichka.co.cc
woshiyezhu.net
xuanye.tw
yahgoo.co.cc
yang.sangat.perhatian.co.cc
yasmindavidds.co.cc
ycmi-med.co.cc
zipwaves.co.cc

Thursday, 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.
The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota. 
Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade, his screen name on the internet was piotrek89 which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Monday, 7 March 2011

Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info

I've covered Sagade before, which appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range in the 46.252.130.0 - 46.252.131.255 range which are completely full of toxic sites that should be blocked.

This IP range forms AS52055, of which Google says:

Safe Browsing
Diagnostic page for AS52055 (RELIKT)

What happened when Google visited sites hosted on this network?

    Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):

ertmovs.com
lkjsnfs.com
antivirussystem2011get.com
bbuydelivery.com
berrydush.net
brewtonconsult.net
collach.com
ddk2200.com
enter-way.net
euro2012corp.com
facebook-surprise-njwo.tk
facebook-surprise-njww.tk
fire6495ksd.com
fotoshare-2dknc.com
gigomark.com
grapndet.com
htss.su
hyipl.info
ibifit.com
lokia.info
lost-pass.ru
lostpass.ru
mailx.su
mittmax.com
nanosearchpro.net
novasystemutils2011.com
sentex10zx.in
shabgdr.com
softstoreinc.com
spy4.net
stylus2641fm.com
trabniyd.com
turb-o-search.com
x-pass.ru
xaker.me
nalmeron.cz.cc
agamaris.vv.cc
dalalore.vv.cc
thetakus.vv.cc
maribandis.vv.cc
mogrinn.vv.cc

Registration details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

As I said, traffic seems to be fed through traff4you.info, registered on 10th Decemeber 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server on 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it too.

Thursday, 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they most cater for Latvian users only.. if you are outside of Latvia, then very little will be lost by blocking this entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handul of legitimate sites.. otherwise, I would recommend blocking the lot.

Monday, 11 October 2010

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE:  this IP range is now used by a completely different organisation, and malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvia entity hosting in Moldova, closely affiliate with Sagade Ltd who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here), the best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:

Girlongirllibido.info
Homeownersinsuranceratings.com
Testertestfree.org
Vmhostingboxx.org
Dscodec.com
Fastprosearch.com
Ttyur.com
Vlopw.com
Bmlsk.com
Bumzc.com
Fjoty.com
Fruuf.com
Hjoty.com
Nwsplt.com
Palcaug.com
Potyur.com
Uoptyr.com
Uprtx.com
Medicpillsana.com
Medicpillsbba.com
Medicpillsbia.com
Medicpillsbta.com
Medicpillscaa.com
Medicpillscea.com
Medicpillscha.com
Medicpillscia.com
Medicpillscka.com
Medicshopnas.net
Medicshopnds.net
Medicshopnks.net
Medicshopnts.net
Medicshopoes.net
Asemedic.net
Astmedic.net
Encmedic.net
Enmedic.net
Frmedic.net
Hismedic.net
Icmedic.net
Intmedic.net
Krmedic.net
Letmedic.net
Medicci.net
Medicdi.net
Medicfr.net
Medicha.net
Mediclg.net
Medicni.net
Medicnr.net
Medicpo.net
Medicpu.net
Medicri.net
Ajeslovshord.com
Akvodhhead.com
Alsodhesedhoujhd.com
Aniarioli.com
Askpressjame.com
Bejokohafder.com
Blackmodhersdep.com
Bodhlearkfil.com
Busyplakdovk.com
Cutyacttin.com
Deheverbejak.com
Dhadhaveopek.com
Dheyherevhole.com
Dovkbackbord.com
Fallanlot.com
Gavilaugddiri.com
Hadakcourse.com
Hojharedokd.com
Kameuspoukd.com
Losdsodemoss.com
Lovioinwdoli.com
Medpillsna1.com
Medpillsna2.com
Medpillsna3.com
Medpillsna4.com
Medpillsna5.com
Medpillsni1.com
Medpillsni2.com
Medpillsni3.com
Medpillsni4.com
Medpillsni5.com
Minanwaut.com
Offobjecdfamoly.com
Okchfudboy.com
Oslakdexampleas.com
Pajeukdolmaok.com
Posekipbrokj.com
Pukdraokclass.com
Redovksay.com
Resdlaujhmoss.com
Savsdadeschul.com
Sduigancdangi.com
Sliicrymuli.com
Stooddandwi.com
Suchjrikoh.com
Travilfuriwdin.com
Addsecovdtook.com
Aoutdonttdrii.com
Assiafull.com
Commoklakjuajemeak.com
Dalkplakdaor.com
Deachhodkear.com
Dhadledad.com
Dhohdhokjearly.com
Dhokjbroujhdmusd.com
Dojcourseleark.com
Domesdopdhousakd.com
Dopmedic.net
Dovardhohdhoh.com
Efimedic.net
Enemedic.net
Feetdoldakayvst.com
Femedic.net
Hamedic.net
Joldiplosd.com
Kodocedoldappear.com
Launflymost.com
Lederbojdhad.com
Letdourwere.com
Lodledellmek.com
Medshopcu1.com
Medshopcu2.com
Medshopcu3.com
Medshopcu4.com
Medshopcu5.com
Medshopde1.com
Medshopde2.com
Medshopde3.com
Medshopde4.com
Medshopde5.com
Muchplakdokly.com
Okcevhekvadch.com
Oldbesdjrik.com
Passourdu.com
Pocdurejudcold.com
Rockdomeacd.com
Rockroundsung.com
Sicondkniwgo.com
Slovkevvell.com
Soldmarkacte.com
Strovkuproad.com
Ukmedicineel.com
Ukmedicineho.com
Ukmedicineit.com
Vadchdeachmokd.com
Vekdhadjrov.com
Vhadreachmusoc.com
Vholevucemay.com
Vokdercarryjod.com
Vordeachsdud.com
Ydeamavturv.com
Advsecsmart.com
Digitall-soft.com
Extrafullprotection.com
Mypc-repair.com
Payforsec.com
Secsmartsuper.com
Smartsecadv.com
Smartsecsuper.com
Smartsecurityadvisor.com
Smartsupersecurity.com
Stable-soft.com
Supersecadvizor.com
Supersecurepay.com
Supersmartantivirus.com
Supersmartsec.com
Bbnhs.com
Bumzec.com
Ddleb.com
Drutp.com
Gasdda.com
Gradtz.com
Hewraq.com
Hgptd.com
Htresq.com
Krclear.com
Nadwq.com
Nmkop.com
Utrvc.com
Vbnrte.info
Kobqq.com
Jgtee.com
Jyiop.com
Mptim.com
Nhytx.com
Ptyre.com
Woptr.com
Yopte.com
Ypuii.com
Checkingassociateeditor.com
Bestcheckingconnect.com
Checking-associate-editor.com
Checking-associate.com
Checkingassociatemembership.com
Checkingconnectdata.com
Checkingconnectnow.com
Checkingconnectshop.com
Cogus.net
Gromz.net
Mochos.net
Zorter.net
Movies-celeb.info
Onlymoviesporn.info
Porn-video-4u.info
Pornyardmovies.info
Videostreamporn.info
Moviesfreestar.info
Nanocloudcontroller.com
Iliked.org
Yougoodvideo.net
Shloesandrooneys.com
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Dsfungssdfg.com
Sbgfdfsggf.com
Sportstickets.tv
Sufdngsg.com
Missing-codecs.com
Missing-codecs.net
Missing-codecs.org
Vidscentral.net
Consp.net
Thestability.com
Traffcity.com
Polytech-electronics.net
Blackmaven.in
Blueace.in
Whiteace.in
Whiteoso.in
Whitewizard.in
Globalcloudbackup.com

Wednesday, 25 August 2010

Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

I've mentioned Sagade Ltd before, it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.
There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here- unless you do business in the Baltic states, then blocking all of them will probably do no harm.

Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:
Marre.in
Monre.in
Sdaya.in
Dnsdnsprovider.com
Respw.info
Tonew.info
Wbypa.info
Celebsalon.net
Celebsvideos.net
Soltberger.net
Sumerki-saga.com
Zatmenie-saga.com
Bestgoogleanalytics.com
Bestgenerics.org
Dhag.org
Autoseon7.com
Auou.info
Premiaa.com
Tdyeah.com
Oeema.info
Oeeme.info
Toptrep.biz
Staticdnsdns.com
Aaasphereezine.com
Aopsompamspn.com
Hsudsasodams.com
Ieksmanskasdk.com
Mopsdiamsas.com
Alert-system.net
Ffgde.com
Gdlka.com
Khhfg.com
Nnmty.com
Ppolr.com
Rcchr.com
Rrtyu.com
Rttye.com
Trrre.com
Uyyty.com
Ccdfr.com
Ffeeq.com
Kklou.com
Kkuyt.com
Oouty.com
Ppuut.com
Ppyur.com
Ttyww.com
Wrraa.com
Yyrew.com
Bbhty.com
Ggbdb.com
Rggsd.com
Rihdd.com
Rrryu.com
Bbgtr.com
Kjhtr.com
Wrrrt.com
Mylote.com
Tube-free-online.com
Adminka.org
Bbcxq.com
Bnfgd.com
Cbdfr.com
Dettt.com
Fggpr.com
Ggffr.com
Hhyyr.com
Ssmmb.com
Trdvr.com
Darkseo.org
Dbsoft.in
Domainpc.in
Exinfo.in
Lightdebug.in
Microsoft-security-center.com
Mxinfo.in
Statreview.in
Uimode.in
Unport.in
Bestdomainforus.info
Bestvido.info
Bluffycrob.info
Domain-for-email-us.info
Domain-for-gain-us.info
Domain-for-lease-us.info
Domain-for-us.info
Domainfordollarsus.info
Domainforemailus.info
Domainforgainus.info
Domainforleaseus.info
Domainforus.info
Domainforusblog.info
Domainforusnow.info
Domainforusonline.info
Domainforusshop.info
Domainforussite.info
Domainforusstore.info
Domainforustoday.info
Fffvideo.info
Freedomainforus.info
Freevido.info
Microoplata.info
Moplata.info
Mydomainforus.info
Myvido.info
Newdomainforus.info
Newvido.info
Stupid-domain-for-us.info
Stupiddomainforus.info
Thebluffycrob.info
Thedomainforus.info
Thefffvideo.info
Vi-do.info
Vidonow.info
Vidoonline.info

Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)

Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). At a rough calculation, roughly half the IP address ranges I am currently blocking are based in Latvia.

This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here and either blocking the entire IP range, or the list below is probably a good idea.

There's a more detailed file with MyWOT ratings and IP addresses to download here.

Bitssit.com
Solid-pay-gate.com
Bombastats.com
1001meds.info
101doctors.info
101health.info
11doctors.info
333tabs.info
5meds.info
911drugs.info
99pharmacy.info
99pills.info
Abouttabs.info
Actualdrugs.info
Actualtabs.info
Addhealth.info
Addpills.info
Advancedsoft.in
Allpills.info
Anyhealth.info
Anymeds.info
Anytabs.info
Atlanticdrugs.info
Atlantictabs.info
Bestwesthost.info
Bluedoctor.info
Buycheapnow3.info
Buyfdatabs.info
Buygeneric1.info
Buyld.info
Buyonline5.info
Buytramadol5.info
Buytramadolf.info
Buytramadolk.info
Buytramadolp.info
Buytramadolt.info
Buytramadoly.info
Buyxanax1.info
Buyxanaxk.info
Cheap2tramadol.info
Cheaponline2.info
Cheaprt.info
Cheaptramadolh.info
Cheaptramadoli.info
Cheaptramadolss.info
Cheaptramadolw.info
Cheaptramadolz.info
Cheapxanaxz.info
Doctor01.info
Doctorarea.info
Doctordaily.info
Doctorgiant.info
Doctorjones.info
Dogoal.in
Drugs01.info
Drugs12.info
Drugsapple.info
Drugsbasket.info
Drugsblue.info
Drugscenter.info
Drugsclub.info
Drugscompany.info
Drugsdaily.info
Drugsfast.info
Drugsgood.info
Drugslife.info
Drugsreview.info
Drugstoree.info
Fasttabs.info
Fdapillsonline.info
Fulink.in
Fustat.in
Generictramadolb.info
Generictramadolc.info
Generictramadoln.info
Generictramadolr.info
Generictramadolv.info
Genericxanaxn.info
Getonlinehealth.info
Getonlinemeds.info
Haycorn.info
Health911.info
Healthbasket.info
Healthblue.info
Healthgreat.info
Healthlabel.info
Kinghealth.info
Kingpills.info
Knownmeds.info
Knowntabs.info
Labeldrugs.info
Labelhealth.info
Meds01.info
Meds333.info
Meds4him.info
Medsapple.info
Medsarea.info
Medsdaily.info
Medsexpress.info
Medsguard.info
Medshealth.info
Medslife.info
Medslocate.info
Medssearch.info
Mmlist.in
Mmsoft.in
Moderndrugs.info
Modernpills.info
Mxstat.in
Needsdoctor.info
Olstat.in
Online01.info
Onlinecasinosbestusa.info
Onlineow.info
Ordercheapnow6.info
Orderoj.info
Orderonline4.info
Ordertramadold.info
Ordertramadole.info
Ordertramadolj.info
Ordertramadolo.info
Ordertramadolx.info
Orderxanaxx.info
Owndoctor.info
Pacificdoctor.info
Pills007.info
Pills01.info
Pills4him.info
Pills4men.info
Pillsaccept.info
Pillsarea.info
Pillsblue.info
Pillscontrol.info
Pillsdaily.info
Pillsfast.info
Pillsgood.info
Pillslabel.info
Pillslife.info
Pillslocate.info
Pillsoffice.info
Pillsreview.info
Pillssearch.info
Pillstoday.info
Pillsworld.info
Realtabs.info
Rx999.info
Safedoctor.info
Searchtabs.info
Sermyagino.info
Ssmode.in
Ssnews.in
Tabs01.info
Tabs4him.info
Tabs5.info
Tabsaccept.info
Tabsapple.info
Tabsarea.info
Tabscenter.info
Tabsclub.info
Tabscompany.info
Tabscontrol.info
Tabsdaily.info
Tabsexpress.info
Tabsguard.info
Tabsguide.info
Tabslife.info
Tabsoffice.info
Tabspills.info
Tabsreview.info
Tabssearch.info
Tabsworld.info
Todaypills.info
Todaytabs.info
Tramadolonline7.info
Tramadolonlinea.info
Tramadolonlineg.info
Tramadolonlinel.info
Tramadolonlineq.info
Tramadolonlineu.info
Tramadoltramadol1.info
Tramadoltramadol10.info
Tramadoltramadol2.info
Tramadoltramadol3.info
Tramadoltramadol4.info
Tramadoltramadol5.info
Tramadoltramadol6.info
Tramadoltramadol7.info
Tramadoltramadol8.info
Tramadoltramadol9.info
Uiplus.in
Usaapharm.info
Usausaonlinecasinossuper.info
Xanaxonlinee.info
Xanaxonlinel.info
Pupseg.net
Pupseg.org
Pixelstatservice.com
Mybesttubeporn.com
Rowfirst.com
Java-9update.com
Update-00server.com
Hqll.ru
Xacz.ru
Aloa.asia
Vniz.asia
Bbls.ru
Vaseagruzitkorm.com
Vaseajretikru.com
Ewacx.com
Yacver.com
Security-defencing.com
Mypctech.net
1200kb.net
Banfieldsbest.com
Btp-tags.com
Doit-4-u.com
In-ta.net
Media-share.org
Mwcdirect.com
Pixel-pie.com
Planetsoldat.com
Sainser.com
Wnizip.com
Thebestporn.in
Cormoupo.info
Zombie-world.org
Alterparadigma.net
Brickplayer.ru
Chilauter.ru
Compromendes.com
Moretds.org
Danjg.com
Aftui.in
Ammew.info
Armrm.in
Aspow.info
Clasd.in
Coerw.info
Demim.in
Diasw.info
Diaui.in
Expew.info
Eynew.info
Gatui.in
Harui.in
Highw.info
Homow.in
Jenyx.in
Jusui.in
Katre.in
Lisni.in
Manui.in
Marsw.in
Marui.in
Micre.in
Neigw.info
Ningl.in
Nitan.in
Nvenc.in
Nvene.in
Nvild.in
Nvill.in
Pockw.info
Praaw.info
Pulpm.in
Racew.info
Recei.in
Recky.in
Recto.in
Regaw.info
Rendm.in
Sepsd.in
Slovw.in
Socyx.in
Stpsd.in
Synre.in
Thiui.in
Torsw.in
Uianh.in
Volnv.in
Yxiac.in
California-ns.com

UPDATE 2014-06-25:  It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.

Friday, 30 July 2010

Evil network: Microlines (microlines.lv), AS2588 (79.135.128.0/19)

Latvia seems to be getting a bad reputation for supporting criminal activity. The latest accomplice is Microlines (microlines.lv) who mix in a large number of bad sites with a few legitimate ones.

Their netblock AS2588 (79.135.128.0/19) actually ranges from 79.135.128.0 - 79.135.159.255, although the badness is concentrated in 79.135.152.0/24, all legitimate web sites are hosted outside of that /24.

I used the MyWOT API to query the reputation of the hosted domains, and it shows a clear differentiation between the /24 and the rest of the /19. You can download a CSV of the analysis from here.

Out of 157 domains looked at, 4 (2.5%) were rated "excellent", 3 (1.9%) were rated "good", 43 (27.4%) were unrated and 107 (68.1%) were "very poor". You might want to block the whole /19 on that basis, certainly you should block 79.135.152.0 - 79.135.152.255 at the very least.

A list of bad domains to block:
Best-scanner-2010.net
First-online-scanner.com
Nameservice-worldwide.com
Scanner2010.com
Scanner2010.org
Scannerglobal.com
Scannerglobal.net
Super-scanner.net
Super-scanner.org
Volunteer-scan.com
Best-scanner-2010.org
First-online-scanner.net
Scanner2010.net
Best-scanner-2010.com
Huisko.cn
Lokisko.cn
First-online-scanner.org
Ad-parking.net
S-powerlink.com
Creatives-labs.com
Brick-layer888.com
Advdefender.com
Goadvdef.com
Advanced-def.com
Advanceddefender.org
Getadvdef.com
Goadvdef2.com
Kavascansecurity.com
Iuysdjerh.com
Lkhysayte.com
Sadangez.com
Evdoilsdus.com
Hhsdgbes.com
Jkhasels.com
Sfahdasjw.com
Maniyakat.cn
Kljdskrza.com
Kipyatok.cn
Head-moron.cn
Youaskedthedomain.cn
Asdagj.com
Banubanasy.cn
Love2coffe.cn
Sadahesz.com
Rebornendkit.cn
Qsfgyee.com
Sakjgeyq.com
Tottaldomain.cn
Salkjyhx.com
Pogodanet.cn
Vipsocks.cn
Mdsget1.com
Opudsjh.com
Sdasfj6.com
Kjast3z.com
Lkfjfuisdh.com
Safniiyew.com
Mjsgsawz.com
Jkhteqa.com
About-joga.ru
Icq4all.net
Bravqwer.com
Ajhsfget.com
Ajytse5.com
Dkeh38oz.com
Fd1a234sa.com
Ilui45iu7.com
Jhrez76.com
Kjdst6ey.com
Lasur8e.com
Sfah3sz.com
Sjb653xz.com
Sadkajt357.com
Fuchroot.com
Gagainco.com
Mcd0nalds.com
B00tlife.com
Dlkasfgatker.com
Klitar.cn
Breenders.com
Directbinary.com
Gasredbox.com
Kaljv63s.com
Kdy7rsxa.com
Lovinezer.com
Mdmasege.com
Rmbtoor.com
Safe3etfejwqf.com
Wdggtwegww.com
S0cksps.com
87jonsonfd.com
Gosrmecalonl16.com
Gosrmecalonl20.com
Gosrmecalonl21.com
Gosrmecalonl3.com
Gosrmecalonl30.com
Gosrmecalonl4.com
Gosrmecalonl5.com
Gosrmecalonl8.com
Gosrmecalonl9.com
Gosrmecalodnl38.com
Gosrmedicalonl13.com
Gosrmedicalonl14.com
Gosrmedicalonl2.com
Gosrmedicalonl20.com
Gosrmedicalonl1.com
Gosrmedicalonl10.com
Gosrmedicalonl11.com
Gosrmedicalonl16.com
Gosrmedicalonl17.com
Gosrmedicalonl19.com
Gosrmedicalonl3.com
Gosrmedicalonl5.com
Gosrmedicalonl6.com
Gosrmedicalonl7.com
Gosrmedicalonl9.com
Gosrmedicalonl18.com
Sweethost.org
Twowildgirls.net
Profithobby.net
Antiviractive.com
Antivirback.com
Antispysp.com
Webantispy.com
Antispymv.com
Antispynew.com
Antispybox.com
Antispyutil.com
Avmirror.com
Antispymega.com
Cyber-deployment.com

Thursday, 29 July 2010

freead.name / mybar.us / toolbarcom.org / adsnet.biz

A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:

66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251

All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.

One one domain (mybar.us) is not anonymised:

Registrar URL (registration services):       www.publicdomainregistry.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_11638984
Registrant Name:                             Andrew Black
Registrant Organization:                     N/A
Registrant Address1:                         555 Taylor Rd.
Registrant City:                             Enfield
Registrant State/Province:                   Connecticut
Registrant Postal Code:                      06082
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +860.7492291
Registrant Email:                            dday.rabbit@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name

Thursday, 1 July 2010

Sagade Ltd is still evil

I blogged about AS6851 / Sagade Ltd / ATECH-SAGADE a little while ago. A Java-based drive-by download from one of their servers brought them to my attention again.

Basically, 91.188.59.0 - 91.188.59.255 is completely evil and has no legitimate use as far as I can see. Block this range if you can. At the moment the following sites are hosted, none of which appear to be good:

AS6851
1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
Td0.ru
Fgavno.ru
Kerrimckeetq.info
Marguriiexyhamlin.info
Privatetechnology.biz
Systemcodec.net
Traffcash.biz
Maiamaribeihlv.info
Fastglobosearch.com
Kimirleonarda.info
Fastprosearch.com
Nitrosearch.info
Syscodec.net
System-codec.com
Mokato.com
Viasot.com
Brenz.pl
Chura.pl
Ghura.pl
Lometr.pl
Trenz.pl
Zief.pl
Best-web-365.com
Better-web-247.com
Better-web-365.com
Better-web-777.com
My-best-web.com
Pakwer.com
Facebook-hacking.com
Hack-vk.ru
Hacked-facebook.com
Hacks-centre.com
Icq-hk.com
Icq-lom.ru
Message-history.ru
Myspace-hk.com
Polomali.ru
Twitter-hk.com
Vk-lom.ru
Vzlomaem-kontakt.ru
Vzlomaem-vk.ru
Hitstable.com
Macromediasetup.com
Dewesan.cn
Domen-zaibisya.com
Get-money-now.net
Webgetsmart.com
Webmovedesigns.com
Mediagotech.com
Networkget.com
Webgetwisdom.com
Websitecoolgo.com
Edscorpor.com
Edsctrum.com
Edsletter.com
Edsnewter.com
Edsogos.com
Edsprofit.com
Edsrise.com
Edsspectr.com
Edstofee.com
Engduates.com
Blogslivehost.in
Freeblogshost.in
Mysuperblogs.in
Freeliveblog.in
Blogs4free.in
Host4blogs.in
Freehomeblogs.in
Myhomeblog.in
Webblog4you.in
Getfreeblog.in
Blogservice.in
Freejournal.in
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Manytis.com
Winepsy.com
Yourprofitclub.net
Yourerolive.com
Bombastats.com
Happyinstalls.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Hnarmettis.com
Mnuyetsgrr.com
Nuvolokijj.com
Smackbybitch.com
Videosite1.com
Fuck-studies.com
Ns00ns11.com
Sys-mesage.com
Syssmessage.com
Sysstem-mesage.com
Traffic-server1.org
Traffic-source.org
Traffic-source1.org
Trafficserver1.org
Trafic-source.org
Traficserver.org
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Eupharmacie.eu
Propeciacheappills.com
Allforyouplus.net
Asianrapemovies.com
Hotfilesfordownload.com
Hotquickiefuck.com
Rape-rape-rape.com
Rapepornrape.com
Sasha-blonde.com
You-porn-movies.com
Youfoundporn.com
Youpornfiles.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Downloadfreenow.in
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Youvideoxxx.com
Cern-a.com
Xbasex.com
Asspuc.com
Bux.kz
Kinorik.com
Pussylover.in
Conikor.com
Igottrafa.in
Life-dvd.ru
Maydaydom1.in
Magnabent.com
Gillestmh.com
Gillestmh.info
Indyvettes.info
Perviewguide.com
Perviewguide.info
Tesmundo.info
Todostes.info
Allhomeinfo.com
Allhomeinfo.net
Cheapsoftware.cc
Deswelt.com
Deswelt.net
Rodfirst.com
Solaruploaderz.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com

These sites are either involved in illegal activities or malware distribution, avoid them.

Monday, 10 May 2010

Evil network: Sagade Ltd / ATECH-SAGADE

There's been an awful lot of badness from Latvia recently, with several fake AV apps and other Very Bad Things hosted in the range 91.188.59.0 - 91.188.59.255, which appears to be a wholly bad subnet of pure evil. It looks like a similar setup to Real Host Ltd which was shut down last year.

inetnum: 91.188.59.0 - 91.188.59.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

% Information related to '91.188.32.0/19AS6851'

route: 91.188.32.0/19
descr: BKCNET Autonomous System
descr: IZZI SIA
descr: Ieriku 67a, Riga, LATVIA
origin: AS6851
mnt-by: AS6851-MNT
source: RIPE # Filtered

All these websites appear to be malicious, I cannot find a single site that I can identify as being legitimate. Most have obviously fake WHOIS details too. I would recommend blocking access to the whole IP block.

1zabslwvn538n4i5tcjl.com
Urodinam.net
A-fast.com
00g00.ru
Odnotraxniki.ru
Td0.ru
Kerrimckeetq.info
Maiamaribeihlv.info
Marguriiexyhamlin.info
Privatetechnology.biz
Syscodec.com
Systemcodec.net
Traffcash.biz
Kimirleonarda.info
Nitrosearch.info
Fastglobosearch.com
Likinto.com
Mcml1.com
Trol0l0.com
Mokato.com
Ziko.in
Viasot.com
Billsolutions.net
Fastsecurebilling.com
Fast-payments.com
Easypayments-online.com
Billingonline.net
Lotise.com
Manytis.com
Membernameserver.com
Ossarix.com
Soterpo.com
Stepil.com
Winepsy.com
Zingis.com
Bombastats.com
Pornowars.info
Superspuperporn.com
Pornopeace.info
Smackmybitch.info
Belleplaceurl.com
Christophecoinurl.com
Coinurlredirect.com
Coinurlredirection.com
Endroiturlredirect.com
Glossipfd.com
Goldcoinurl.com
Gork.in
Gulk.in
Hnarmettis.com
Hotelplaceurl.com
Lieuurlredirect.com
Mnuyetsgrr.com
My654bestsite.com
Nuvolokijj.com
Parkplaceurl.com
Polk.in
Rozg.in
Samk.in
Sekmoon.net
Silvercoinurl.com
Sumk.in
Vvven.in
Worldplaceurl.com
Zoid.in
Smackbybitch.com
Videosite1.com
Beeape.com
Supercrazynight.com
Supersporns.com
Sys-force.ru
Firsttunesclub.in
Viiistifor1.com
Visiocarii1l.net
Skachivay.com
Allforyouplus.net
Hotfilesfordownload.com
Allforil1i.com
Alltubeforfree.com
Allxtubevids.net
Freeanalsextubemovies.com
Freetube06.com
Freeviewgogo.com
Homeamateurclips.com
Hotxtube.in
Hotxxxtubevideo.com
Iil10oil0.com
Ilio01ili1.com
Illinoli1l.in
Porn-tube-video.com
Porntube2000.com
Porntubefast.com
Viewnowfast.com
Viewxxxfreegall.net
Xhuilil1ii.com
Yourbestway.cn
Youvideoxxx.com
Cern-a.com
Xbasex.com
Rowfirst.com
Autouploaders.net
Poafirst.com
Rodfirst.com
Solaruploader.com
Noafirst.com
My-best-web.com
Pakwer.com
Kdjkfjskdfjlskdjf.com
Stablednsstuff.com
Oklahomacitycom.com

Thursday, 23 July 2009

"Real Host Ltd" is a real sewer

"Real Host Ltd" occupies 256 IP addresses in the 213.182.197.* range, hosted in Latvia in an address space apparently leased from Junik Ltd.

The netblock registration details claim to belong to an address in Kazakhstan:

person: Alex Spiridonov
address: Kazakhstan, Almaty , Abay street 2a
abuse-mailbox: abusemailhost@gmail.com
phone: + 87771697576
nic-hdl: SA5926-RIPE
source: RIPE # Filtered

This block is of interest because out of hundreds of web sites hosted, there appear to be none at all which are legitimate. And out of all of these, Hit-senders.cn is one of the most interesting because it is currently being used for a zero day Flash/PDF exploit. Many domains are registered to Michell.Gregory2009@yahoo.com who has featured on this blog many times before.

Some other interesting domains are Cashspyware.com, Botnet.su and Iframepartners.com which are pretty much openly operating as black hat sites.

All of these sites are either fraudulent, dangerous to visit or both - so if you receive an email or link pointing to them, leave well alone!

213.182.197.10
Vkontalcte.ru, Private Person, admin@0neway.ru

213.182.197.11
Index683.com, Registration suspended
Presentsdelivery.com, Private Person, abuseemaildhcp@gmail.com

213.182.197.12
Barmatuxa.info, Brad Higginbotham, EmersonDuffyZP@gmail.com
Bombim.cn, KuserElizabeth, eakuser@yahoo.com
Decine.cn, realmaria teresa, popeskusin@yahoo.com

213.182.197.13
0neway.ru, Private Person, onewayru@ya.ru
2todays.com, PrivacyProtect.org
2trades.com, alan pakerson, apakerson@googlemail.com
Adulttopvids.info, Lorraine Hoguseir / LueMettterTeam, lorrainefactr@gmail.com
Caffemax.com, Private Person, abuseemaildhcp@gmail.com
Clicksvideo.com, PrivacyProtect.org
Cutietubeee.com, Mark Cristy, evilinside99@gmail.com
Dasper.ru, Sergey V Levitskiy, levitcky@gmail.com
Dataartsoft.com, John A Backham , igusow@gmail.com
Dslcaffe.com, Private Person, abuseemaildhcp@gmail.com
Freegirla.com, PrivacyProtect.org
Fucksexadult.com, PrivacyProtect.org
Gauleyriverraftinginfo.com, Gordon Freeman, evilinside20@gmail.com
Googep.com, PrivacyProtect.org
Homemadez.com, PrivacyProtect.org
Informatoion.com, Tamara Polishuk, kenylotus@yahoo.com
Insky.biz, PrivacyProtect.org
Koka-tube.info, Budulay Romale, budulay_romale@inbox.ru
Linktovideo.com, PrivacyProtect.org
Mac-videos.com, PrivacyProtect.org
Major-don.com, Carl Lee, levitraviagrashop@rambler.ru
Masstrade.us, Yuri, sypiboryrecinih15976@gmail.com
Myspnace.com, PrivacyProtect.org
Odnoklassniki-and-you.ru, Private Person, newlive09@yandex.ru
Online-defence.cn, GuferDerek, asyonurubu@gmail.com
Onlylo.com, PrivacyProtect.org
Photovideox.com, PrivacyProtect.org
Playtstation.com, PrivacyProtect.org
Pornsamateur.com, PrivacyProtect.org
Serialtxt.com, Breitenbach Margery, breitenbach621@yahoo.com
Sexlevitra.com, Carl Lee, levitraviagrashop@rambler.ru
Sexmamba.com, Igor Bogdanov, Igor
Singleslady.com, Registration suspended
Soundrugs.ru, Private Person, workalliance@mail.ru
Tdssim.com, Djon Digan, major.leva@yahoo.com
Thehat.net, Carl Padilla, thehatnkm@gmail.com
Tube84.com, PrivacyProtect.org
Tubeee.com, Whois Privacy Protection Service
Viagrabe.com, PrivacyProtect.org
Video-tube-online.info, Budulay Romale, budulay_romale@inbox.ru
Videomoviex.com, PrivacyProtect.org
Videos-movie.com, PrivacyProtect.org
Vipbabes.com.ua, Андрей Дехтяренко / Andrei Dehtyareno, may-vit@bk.ru
Virgin-x.com, PrivacyProtect.org
Wikjipedia.com, Tamara Polishuk, kenylotus@yahoo.com
Worldtube.su, Private Person, novikov_ds@bk.ru
Xtubex.org, konstantin ololo, scaryscream@gmail.com
Yesey.net, Bob AKKAWA, akkawa@gmail.com
Yhxoo.com, PrivacyProtect.org
Yourko.com, PrivacyProtect.org
Youtube19.com, PrivacyProtect.org
Youviewx.com, Dedinan Galena, galendediweb78@yahoo.com

213.182.197.14
Cashspyware.com, N/A, faloimitator@list.ru
Casinousa.cn, LucasSteven / Cehhost, steven_lucas_2000@yahoo.com
Hostnsload.cn, LucasSteven, steven_lucas_2000@yahoo.com
Iframepartners.com, Chen Poon, chen.poon1732646@yahoo.com
Megavipsite.cn, LucasSteven, steven_lucas_2000@yahoo.com
Sitewebsupport.com, Michell, Michell.Gregory2009@yahoo.com

213.182.197.20
Best-casinox.com, MyPrivateRegistration.com
Best-prices-pharma.com, Igor Durov, larsontomas@gmail.com
Best-prices-pharmacy.net, Oleg Demin, premiumwebart@gmail.com
Causas-de-impotencia.com, Private Person, premiumwebart@gmail.com
Causas-de-impotencia.net, Private Person, premiumwebart@gmail.com
Css-csript.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Dns-lv9720.com, Michell, Michell.Gregory2009@yahoo.com
Druggs.net, MyPrivateRegistration.com
Druggsonline.com, MyPrivateRegistration.com
Drugsbrokerpharma.com, Oleg Demin, premiumwebart@gmail.com
Edproductos-en-espana.com, Grigory Panin, gragorybland@gmail.com
Erosuka.ru, Private Person, callpartners@gmail.com
Farmacia-venta-on-line.com, Private Person, premiumwebart@gmail.com
Fly-pro.net, MyPrivateRegistration.com
Herbal-impotencecure.com, Oleg Demin, premiumwebart@gmail.com
Hzone66.cn, MichellGregory, Michell.Gregory2009@yahoo.com
Impotence-natural-cure.com, Oleg Demin, premiumwebart@gmail.com
Kamagra-tratamiento-impotencia.com, Mark Nefidov, markglan1@gmail.com
Lkll.net, Damir Stolbische, damirmuh@gmail.com
Marcusmed.com, Steven Lucas, steven_lucas_2000@yahoo.com
Medicamentosgenericosonline.com, Grigory Panin, gragorybland@gmail.com
Microsoftprogram.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Onlinemedicamentosgenericos.com, Grigory Panin, gragorybland@gmail.com
Pharmacy-drugs-broker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-drugsbroker.com, Oleg Demin, premiumwebart@gmail.com
Pharmacy-pills-rx.com, Igor Durov, larsontomas@gmail.com
Pharmacy-pillsrx.com, Igor Durov, larsontomas@gmail.com
Rx-onlinestore.com, Igor Durov, larsontomas@gmail.com
Rxtrustedtabs.net, Igor Durov, larsontomas@gmail.com
Smsgogo.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Superflyaccess.com, MyPrivateRegistration.com
Traffcount.cn, LucasSteven / steven_lucas_2000@yahoo.com
Treatment-online.com, Aprichev Igor, info@betting-profits.com
Trust-ed-tablets.com, Igor Durov, larsontomas@gmail.com
Tutuuuu.cn, IveevPlansky / SerjCOm, ru@rupoisk.in
Usa-pills-rx.com, Igor Durov, larsontomas@gmail.com
Vitofarmatratamientoimpotencia.com, Private Person, markglan1@gmail.com
Vkpleer.ru, Private Person, callpartners@gmail.com
Vybory2007.ru, Private Person, callpartners@gmail.com
Xxzonexx.com. Chen Poon, chen.poon1732646@yahoo.com
Yandex2.cn, IveevPlansky / SerjCOm, ru@rupoisk.in

213.182.197.227
Corbsc.com, Chen Poon, chen.poon1732646@yahoo.com
Co5v.cn, TiankaiCui, cuitiankai@googlemail.com

213.182.197.228
Chlenopopik.com, Denis Pupkin, pisssun2006@mail.ru

213.182.197.229
3ballslottery.com, Klan Jored, support@hosting-offshore.biz
44mm.ru, Private Person, mik58109117@ya.ru
Admins-mail.ru, Private Person, ivttyeivrdyl@yandex.ru
Andors.ru, Private Person, 10000002@mail.ru
Antighost.cn, null, dasidoruk@mail.ru
Avpro-labs.com, PrivacyProtect.org via Erdomain.com
Avtoresa.ru, Private Person, 10000002@mail.ru
Businessconsulting312.com, Nikolay Viktorovich Stepashin, businessconsulting312.com@hvosting.ua
Businesscoorptru.cn, Real Host, abuseemaildhcp@gmail.com
Comforttrade.biz, Klan Jored, support@hosting-offshore.biz
Dfds-seaways.biz, Klan Jored, support@hosting-offshore.biz [note, domain has been seized by the trademark holder]
Digitdbofmusic.org, Petr Karlov, dunkanmac3@mail.ru
Elita-online.ru, Private Person, votub@nm.ru
Fedion.ru, Private Person, 10000002@mail.ru
Firex-labz.com, SharedHSD, roomart2008@yandex.ru
Firsttimesite.us, Olah Istvan, olah.istvan.ny@gmail.com
Gbd-carrers.com, Aleksej Bagrov, deretx@rambler.ru
Gerdok.ru, Private Person, 10000002@mail.ru
Gnk-msk2.com, Alexey MIRKINO, 324635647@mail.ru
Isell.cc, Jhon Balsmen, ukmcuk@googlemail.com
Isellcc.com, Jhon Balsmen, ukmcuk@googlemail.com
Kalopes.ru, Private Person, 10000002@mail.ru
Kobash.ru, Private Person, 10000002@mail.ru
Kovero.ru, Private Person, 10000002@mail.ru
Leadingdelivery.com, WhoisPrivacyProtect.com
Leapdelivery.net, WhoisPrivacyProtect.com
Megatt.cn, LucasSteven, steven_lucas_2000@yahoo.com
Midlway.com, Real Host LTD, real2030@gmail.com
Molide.ru, Private Person, 10000002@mail.ru
Motile.ru, Private Person, 10000002@mail.ru
Mssys.net, Klan Jored, support@hosting-offshore.biz
Muhamed.cn, Caroline Krajka, caroline.krajka@gmail.com
Myeasyhosting.us, Olah Istvan, olah.istvan.ny@gmail.com
Newskyag.com, Robert Baker, robertbaker2110@yahoo.com
Obosraca.net, Nungoyanrgrr Pimdulya, cumo@mail.ru
Ru-r.ru, Anton A Baklanov, pinch18@rambler.ru
Slikons.ru, Private Person, 10000002@mail.ru
Smsvor.ru, Private Person, n.shahov@yandex.ru
Superioradz.info, Bryony, blaze_sanchez3@yahoo.com
Swegol.ru, Private Person, 10000002@mail.ru
Uni-tele-com.ru, Private Person, n.shahov@yandex.ru
Valebe.ru, Private Person, 10000002@mail.ru
Vkonlahte.ru, Private Person, eert@inbox.ru
Vkortakt.ru, Private Person, asfsdfgsg@yandex.ru
Waderos.ru, Private Person, 10000002@mail.ru
Webinst.ru, Private Person, 10000002@mail.ru
Wedikas.ru, Private Person, 10000002@mail.ru
Wedows.ru, Private Person, 10000002@mail.ru
Welcomeone.cn, LucasSteven, steven_lucas_2000@yahoo.com
Werobin.ru, Private Person, 10000002@mail.ru
Wetese.ru, Private Person, 10000002@mail.ru
Wldomen.com, Klan Jored, support@hosting-offshore.biz
Wogolot.ru, Private Person, 10000002@mail.ru
Xaker.cn, Real Host, abuseemaildhcp@gmail.com
Xxhackmail.ru, Private Person, 365346546@mail.ru
Xxvhost.com, Klan Jored, support@hosting-offshore.biz
Yes04ka.cn, Gregory, Michell.Gregory2009@yahoo.com
Yourgoogleanalytics.cn, Real Host, abuseemaildhcp@gmail.com
Yourgoogleanalytics.us, Olah Istvan, olah.istvan.ny@gmail.com


213.182.197.230
Benzonasoss.com, Aleksey Melnikov, mel1simkov@gmail.com
Csollw.com, Aleksey Melnikov, mel1simkov@gmail.com
Jlopi.com, Aleksey Melnikov, mel1simkov@gmail.com
Joltuiwater.com, Aleksey Melnikov, mel1simkov@gmail.com
Kartoshkachamp.com, Aleksey Melnikov, mel1simkov@gmail.com
Lipesr.com, Aleksey Melnikov, mel1simkov@gmail.com
Minfpafs.com, Aleksey Melnikov, mel1simkov@gmail.com
Nerkol.com, Aleksey Melnikov, mel1simkov@gmail.com
Updateserversoft.com, Chen Poon, chen.poon1732646@yahoo.com
Vizllp.com, Aleksey Melnikov, mel1simkov@gmail.com
Vmbs4.com, Aleksey Melnikov, mel1simkov@gmail.com
Werkp.com, Aleksey Melnikov, mel1simkov@gmail.com
Wherg.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.233
Banished.ru, Private Person, abuseemaildhcp@gmail.com
Bargian-hunt.com, Sean McCann, sean.mccann.1@hotmail.com
Pornonova.net, Anya Montague, gr4ndth3ft@hotmail.com
Proxyrent.cn, Chen Poon, chen.poon1732646@yahoo.com

213.182.197.234
Updategoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com
Uppgoogle.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.235
Aepi.ru, Private Person, polevweb@gmail.com
Evamedstore.com, Nikolai Vukolov, baton@bronzemail.net
Traffic-exchange.ru, Aleksej D Brozdov, ru-traffic-exchange@gmail.com

213.182.197.236
1gen1.ru, Andrey G Zubkov, a.zubkov@exeda.info
71sense.info, Vicky Chan, chan.wai.kay.1@gmail.com
71soldo.info, Vicky Chan, chan.wai.kay.1@gmail.com
71speed.info, Vicky Chan, chan.wai.kay.1@gmail.com
71spice.info, Vicky Chan, chan.wai.kay.1@gmail.com
7addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.info, Vicky Chan, chan.wai.kay.1@gmail.com
8addition.org, Vicky Chan, chan.wai.kay.1@gmail.com
Add-content-filter.info, PrivacyProtect.org
Deonix.biz, Aleksey Melnikov, mel1simkov@gmail.com
Doplin.biz, Aleksey Melnikov, mel1simkov@gmail.com
Gnbd1.cn, Chen Poon, chen.poon1732646@yahoo.com
Hamatauto.biz, Aleksey Melnikov, mel1simkov@gmail.com
Hel90.biz, Aleksey Melnikov, mel1simkov@gmail.com
Lalalabemsbams.name, Aleksey Melnikov, mel1simkov@gmail.com
Tfx2corp.cn, TiankaiCui, cuitiankai@googlemail.com
Vip-internal.ru, Private Person, spy-logs-l12@inbox.ru

213.182.197.237
1gigabayt.com, Hau Cheng, haucheng@yahoo.com
Beauty-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Downloadoemsoftware.com, Chen Poon, chen.poon1732646@yahoo.com
Fire-hot-pornxxx.com, Aleksey Melnikov, mel1simkov@gmail.com
Hotflashplayer.com, Aleksey Melnikov, mel1simkov@gmail.com
Metroking.ws, Aleksey Melnikov, mel1simkov@gmail.com
Oneminute2u.biz, Aleksey Melnikov, mel1simkov@gmail.com
Rbckc.com, Aurore Hetu, AuroreHetu@fontdrift.com
Scans.cc, PrivacyProtect.org
Sexual69.ru, Artur G Antonov, antonov@rbcmail.ru
Thebestplayer.biz, Aleksey Melnikov, mel1simkov@gmail.com
Verivell.com, Hau Cheng, haucheng@yahoo.com
Xtraff.cn, Hau Cheng, haucheng@yahoo.com

213.182.197.238
Agroautoparts.com, Aleksey Melnikov, mel1simkov@gmail.com

213.182.197.243
Einrock.com, Puprov Ivan, captainjs@yandex.ru
Geo555.com, Vladim Ivanov, captainjs@yandex.ru
Makomset.com, Vladimir Ivanovich, captainjs@yandex.ru
Ribcot.com, Sergeev Kirill Nikolaevich, captainjs@yandex.ru

213.182.197.247
Sex-proector.ru, Private Person, toolssoft@mail.ru

213.182.197.249
Feed-place.cn, Gregory, Michell.Gregory2009@yahoo.com
Hit-senders.cn, Gregory, Michell.Gregory2009@yahoo.com
Search890.com, Chen Poon, chen.poon1732646@yahoo.com
Traffic-searches.cn, Chen Poon, chen.poon1732646@yahoo.com
Vikd3jj-1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-3.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vikd3jj-4.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag1.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag2.com, Dmitry Ostupin, conroetxwelc@gmail.com
Vintorrils-grag3.com, Dmitry Ostupin, conroetxwelc@gmail.com


213.182.197.251
Botnet.su, Mihail V Morozov, sdhj3jk@yandex.ru
2k90.cn, Real Host LTD, abuseemaildhcp@gmail.com
Abdulabah.cn, LucasSteven, steven_lucas_2000@yahoo.com
Babjr.cn, LucasSteven, steven_lucas_2000@yahoo.com
D4rkst4r.cn, Real Host LTD, abuseemaildhcp@gmail.com
Luks5.cn, LucasSteven / Cehhost, Michell.Gregory2009@yahoo.com
Serverinlit.cn, Real Host LTD, abuseemaildhcp@gmail.com

213.182.197.254
Go-file.ru, Grigoriy M Aleksandrov, aleksandrov@mail333.com