Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 12 November 2009

Crimeware friendly ISP's: EuroConnex

If you've been anywhere online lately, especially Google or the likes, you'll no doubt have noticed or read about, the blackhat SEO campaigns. One of the many ISP's involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large amount of malicious domains currently present within their network.

One of the most recent I came across, was actually whilst writing this, or rather, whilst considering writing this (was deciding whether to write about EuroConnex or Ecatel, thought I'd leave Ecatel till next time). As you can see from the above screenshot, this is you're typical fake scan page, that tells you your computer is so badly infected that you really really really, need their "software" (don't worry, by the time they're finished, it will definately be really really really, infected). The site that is responsible for taking you there (and bear in mind, this is one of thousands), is;
ASN: 29550 EUROCONNEX-AS Blueconnex Networks Ltd

Which appeared in the Google results. It's worth noting, as with the vast majority of these, it'll only work if you give it the correct referrer. Further, I had flash and ActiveX disabled when clicking it (will load it on the test machine later), so you'll possibly see different results if you've got these enabled (you'll no doubt end up with the same resulting site, and the same infections). The site takes you to the following if you've got Flash/ActiveX disabled;

Clicking either of the "results" shown here, results in your being taken to;
ASN: 29131 RAPIDSWITCH-AS RapidSwitch Ltd

Side note: No, I'm not surprised to see RapidSwitch here either, but that's for another article

Which then infects you courtesy of;
IP PTR: Resolution failed
ASN: 29550 EUROCONNEX-AS Blueconnex Networks Ltd

Which downloads as win_protection_update.exe, which is 1.88MB of malicious goodness.

VirusTotal results

EuroConnex have not surprisingly, been completely unresponsive, just like many others, and due to the sheer amount that is on their network (over 500 recorded domains on alone), I wouldn't be surprised to find they're directly involved (note this is only a suspicion, not fact).

I'm posting this article for two main reasons. First and foremost, because I'd like to see people blackholing the networks responsible for this rubbish, until they "clean house" as it were, and secondly because I'd like to hope (yep, I know), that they'll finally take security and responsibility seriously, and boot those responsible for filling their networks with this rubbish, instead of focusing on lining their own pockets instead.


Zaphod said...

OMG... What a can of worms this AS29550 EUROCONNEX is!

It looks like they scraped up and bought a bunch of orphaned netblocks, formed them into one AS record, and are now using them as disposable IPs for various nefarious actions.

Or am I reading this wrong?

Larry Thorson said...

Lacks guidance to the ordinary user whose computer is raging all over the place to unsummoned searches and then warning windows demand one goes to

I'm resisting, but what am I supposed to do to make my computer work right?

MysteryFCM said...

Apologies for not mentioning that.

If you're having problems with an infection, please pop over to either of the following, and we'll help you clean it up;