These domains and IP addresses are connected to
this malware spam run and belong to a group I call the "
Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).
It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist list of IPs for copy-and-pasting, finally a list of IPs that are advertised as nameservers within this group for research purposes only.
You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..
Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net
IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colmbia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)
Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83
IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)
This spam email contains an encrypted ZIP file with password-protected malware.
%2520by%2520Amazon%252C%2520http%253A%252F%252Fwww.amazon.com%252Fdp%252FKA1VWV379O%252Fref%253Dcm_sw_r_pi_doce%26is_video%3Dfalse%26media%3Dhttp%253A%252F%252Fecx.images-amazon.com%252Fimages%252FI%252F318kLHptllL._SCLZZZZZZZ__SY115_SX115_.jpg%26title%3D%26url%3Dhttp%253A%252F%252Fwww.amazon.com%252Fdp%252FAF315WJ990%252Fref%253Dcm_sw_r_pi_doce&token=E4YYZ4EB1E6ZAC6MDX3CYPS4E3FPDVYVDFBYPONCSA){kind=small}
