Ecatel (AS29073) have been on the radar for quite some time now, and looking at the amount of malicious content on their network, I'm not expecting this to go away any time soon.
What I do find interesting is that the newest domains I've come across on their network appear to be trying (and very badly, I might add) to confuse automated analysis by obfuscating the code of the site you're eventually taken to by, for example, the blackhat SEO campaigns. The following, for example, are a couple of those I've recently come across:
online-check-v1.com is located at 220.127.116.11 (AS: 29073 18.104.22.168/21 ECATEL-AS AS29073, Ecatel Network), with perfectscan01.com being located at 22.214.171.124 (AS: 29073 126.96.36.199/21 ECATEL-AS AS29073, Ecatel Network).
If we take a look at the source code for one of these, we see the following bit of loveliness;
Decoding this is extremely easy (which surprises me), and shows that it spits out the following;
Identifying the download URL shows the payload (in this case, Alpha Antivirus) comes from;
IP PTR: Failed resolution
ASN: 29073 188.8.131.52/21 ECATEL-AS AS29073, Ecatel Network
Threat Expert results show it also downloads the following using Microsoft BITS (Background Intelligent Transfer Service);
IP PTR: Resolution failed
ASN: 28753 184.108.40.206/19 NETDIRECT AS NETDIRECT Frankfurt, DE
Threat Expert results
There are currently hundreds of such sites across the Ecatel ranges, and no sign at all of Ecatel giving a damn, which means very little chance of their doing anything about it (yep, I know what that likely means too). Because of this, I'm personally blackholing ALL of Ecatel's ranges, and suggest others do the same. Until we force these ISPs to change, they're simply going to continue doing this, which is unacceptable.
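If you do decide to null-route an entire AS, the two things that go wrong in practice are overlapping or fat-fingered prefixes (a stray /0 or /7 takes half the internet with it) and having no quick way to answer "is this IP inside what I just blackholed?". The script below is an added example, not code from the original post or from hpHosts: it parses a prefix list, collapses overlaps, refuses anything shorter than a /8, tells you which prefix covers a given address, and emits the iproute2 commands to apply (and roll back) the blackhole. The prefixes in it are RFC 5737 documentation ranges standing in for whatever you pull from a whois/BGP lookup of the AS you're blocking; they are placeholders, not Ecatel's actual ranges.

```python
"""Collapse an AS's prefixes and emit blackhole routes for them.

Added example, not from the original post. ASSUMED_PREFIXES are
RFC 5737 documentation ranges used as stand-ins; replace them with the
prefixes you look up for the AS you actually want to null-route.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed placeholder list (documentation ranges), NOT a real AS's ranges.
# The /25 deliberately overlaps the /24 to show the collapse step.
ASSUMED_PREFIXES = [
    "203.0.113.0/24",
    "203.0.113.0/25   # overlaps the /24 above; collapsed away",
    "198.51.100.0/24",
    "",
    "# comments and blank lines are ignored",
    "192.0.2.0/24",
]

# Anything shorter than this is almost certainly a typo, not an AS prefix.
MIN_PREFIXLEN = 8


def load_prefixes(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into a collapsed, sorted list of IPv4 networks.

    strict=True rejects entries with host bits set (e.g. 203.0.113.5/24),
    which usually means someone pasted a host address instead of a range.
    """
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=True)  # ValueError on junk
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {line}")
        if net.prefixlen < MIN_PREFIXLEN:
            raise ValueError(f"refusing over-broad prefix {net}")
        if net.is_loopback or net.is_multicast:
            raise ValueError(f"refusing to blackhole {net}")
        nets.append(net)
    # Merges adjacent prefixes and drops ones already covered by a larger one.
    return list(ipaddress.collapse_addresses(nets))


def covering_prefix(ip: str, nets: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the prefix that covers ip, or None if it is not blackholed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def blackhole_commands(nets: List[ipaddress.IPv4Network], remove: bool = False) -> List[str]:
    """iproute2 commands to install (or, with remove=True, withdraw) the blackholes.

    A blackhole route silently discards packets to the range; hosts on that
    range can still send to you, so pair this with a firewall drop if you
    want both directions killed.
    """
    verb = "del" if remove else "add"
    return [f"ip route {verb} blackhole {net}" for net in nets]


if __name__ == "__main__":
    ranges = load_prefixes(ASSUMED_PREFIXES)
    for cmd in blackhole_commands(ranges):
        print(cmd)
    print("# rollback:")
    for cmd in blackhole_commands(ranges, remove=True):
        print(cmd)
    for probe in ("203.0.113.7", "8.8.8.8"):
        print(f"# {probe} -> {covering_prefix(probe, ranges)}")
```

Run it as root with the output piped into `sh` only after eyeballing the collapsed list; the whole point of the `MIN_PREFIXLEN` check and the dry-run printing is that a blackhole route applied to a mistyped prefix is a self-inflicted outage, not a defence.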
Whilst we're waiting for Ecatel to explain themselves (should be interesting), you can see details of what is located within their ranges at;
MalwareURL - AS29073
MalwareDomainList - AS29073
hpHosts - 89.248.*
hpHosts - 93.174.*
hpHosts - 94.102.*
Sidenote: hpHosts doesn't currently store the AS info, so you can't search the database using the AS# or AS description as the query. This will, however, change once I get round to doing the re-write of the hpHosts code. I've also got a few hundred malicious URLs on the Ecatel ranges that aren't on hpHosts yet but are still on my internal-only malware DB; these will be added to hpHosts once they've been processed.