Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 11 March 2010

Crimeware-friendly ISPs: VITAL TEKNOLOJI (AS44565)

Turkish-based ISP VITAL TEKNOLOJI (AS44565) has been appearing on my radar for quite some time, and not under the most flattering of terms: it has been, and continues to be, home to a major source of badness, namely exploits and fake AVs.

They actually have several ranges under their control, the most active of which are:

79.171.16.0/21
93.186.112.0/20
188.124.0.0/19

I can't say which has been the worst of the lot, as there's been badness across every single one so far. 79.171.16.0/21 has been the least active of the 3 over the past week or three.

By far the biggest problem across these ranges has been with fake AVs and exploits, just some of which include:

20100301005241     188.124.7.148     static.vitalhosting.com.tr     www1.free-scan-and-allcure.in     http://www1.free-scan-and-allcure.in/build6_195.php?cmd=sendFile&counter=1&p=p52dcWltbV%2FCj8bYboNuilik12qYVp%2FZatrauZqqppeLw8ydb5aYfX1sXq3VmaGXYmRhaGiammObZFbZocTY2KR0Y1zWnomtm6ilmXVanqLNkqGMp5mSq29ezZ2faGKUYJySlGNqYGubh9WemHGhqKykcmiQpNvdX5eco5mkyVvFn52VoMjF1ZSfcZ7RnsinWJWmpHOldZzJltDLXJWOpqag1aLDm5WRkczF0ZKZpK%2FGz4man6R0p6epqpzGlsijn5Gjl56hyZvWXZbMU8TR02ypnrCikqVseXuAgJeZppjAjLm5Y2NeWpOl1GjLlW27gamRm1eYn6agwtR2alqaoahvp6qeU9jZbmFfamlslGCbZmOModaWoGJpaG2ZkZZyaGdfl5txf3s%3D

20100303181740     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/index.html

20100303181745     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/hitin.php?land=20&affid=92800

20100303181748     188.124.5.165     static.vitalhosting.com.tr     188.124.5.165     http://188.124.5.165/downloader.php?affid=92800

20100304210208     188.124.3.233     static.vitalhosting.com.tr     188.124.3.233     http://188.124.3.233/a/go.php

20100304210221     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/index.html

20100304210229     93.186.127.201     static.vitalhosting.com.tr     93.186.127.201     http://93.186.127.201/hitin.php?land=20&affid=92800

20100304210232     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/hitin.php?land=20&affid=92800

20100304210234     93.186.127.201     static.vitalhosting.com.tr     93.186.127.201     http://93.186.117.22/2_2fb798.php?&affid=92800

20100304210237     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/2_2fb798.php?affid=92800

20100304225141     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/index.html

20100304225147     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/hitin.php?land=20&affid=92800

20100304225149     93.186.117.22     static.vitalhosting.com.tr     93.186.117.22     http://93.186.117.22/2_21eb39.php?affid=92800

20100304225154     188.124.5.170     static.vitalhosting.com.tr     188.124.5.170     http://188.124.5.170/2_21eb39.php?affid=92800

20100305020416     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/yamba.exe

20100305020418     188.124.16.18     static.vit.com.tr     huil.in     http://huil.in/x/severa.exe

20100305120736     93.186.118.48     static.vitalhosting.com.tr     convira.com     http://convira.com/px/

20100307203817     79.171.22.154     static.vitalhosting.com.tr     candlewq.com     http://candlewq.com/tst/porta/reastrn.pdf

20100307204211     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/dogma.exe

20100307205413     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/goofybeautiful.pdf

20100307205448     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php

20100307205825     188.124.16.35     static.vit.com.tr     itkornoval.in     http://itkornoval.in/x/pdfnew.php

20100307205902     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100307210300     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdfnew.php

20100307210302     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdfnew.php?src=boss&id=bomba

20100307210455     188.124.16.35     static.vit.com.tr     www.vesen.in     http://www.vesen.in/x/pdfnew.php

20100307210651     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdf.php?src=tb&id=766

20100307210653     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdf.php?src=tb&id=887

20100307210656     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php?src=tb&id=766

20100307210658     188.124.16.35     static.vit.com.tr     bodeg.in     http://bodeg.in/x/pdfnew.php?src=tb&id=887

20100307210905     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100307210907     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/pdfnew.php

20100307211215     79.171.22.154     static.vitalhosting.com.tr     ttcandle.com     http://ttcandle.com/kavo/nitbjs.php

20100307211217     79.171.22.154     static.vitalhosting.com.tr     ttcandle.com     http://ttcandle.com/kavo/stard/owareyo.pdf

20100307211542     93.186.127.45     static.vitalhosting.com.tr     93.186.127.45     http://93.186.127.45/downloader.php

20100307212047     188.124.16.19     static.vit.com.tr     huil.in     http://huil.in/x/pdfnew.php

20100307212111     188.124.16.35     static.vit.com.tr     itkornoval.in     http://itkornoval.in/x/pdf.php?src=tb&id=992

20100307212148     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdf.php?src=tb&id=992

20100307212150     188.124.16.35     static.vit.com.tr     landoftraffic.in     http://landoftraffic.in/x/pdf.php?src=tb&id=992

20100307212548     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdf.php?src=tb&id=992

20100307212814     188.124.5.151     static.vitalhosting.com.tr     188.124.5.151     http://188.124.5.151/a_adc40d.php

20100307214641     188.124.5.155     static.vitalhosting.com.tr     188.124.5.155     http://188.124.5.155/1_1af700.php

20100307222224     188.124.9.53     static.vitalhosting.com.tr     analiticdirect.com     http://analiticdirect.com/n/g/index.php

20100307223719     93.186.127.53     static.vitalhosting.com.tr     93.186.127.53     http://93.186.127.53/a_ad3c19.php

20100307223738     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/g.i.surprise.pdf

20100307224321     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in:80/x/pdf.php?src=tb&id=766

20100307225037     188.124.5.156     static.vitalhosting.com.tr     188.124.5.156     http://188.124.5.156/2_27f754.php

20100307225335     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/newload.php?ids=MDAC

20100307225614     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844

20100307225616     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdfnew.php

20100307230040     188.124.16.35     static.vit.com.tr     www.koren.in     http://www.koren.in/x/pdfnew.php

20100307230426     188.124.9.69     static.vitalhosting.com.tr     arraysaw.net     http://arraysaw.net/files/eccentricbamboo.pdf

20100307230817     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in/x/pdfnew.php?src=marcos&id=bomba

20100307230819     188.124.16.35     static.vit.com.tr     koren.in     http://koren.in:80/x/pdfnew.php?src=marcos&id=bomba

20100307231337     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/pdf.php?src=boss&id=bomba

20100307233447     188.124.16.35     static.vit.com.tr     vesen.in     http://vesen.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583

20100308145215     188.124.9.56     static.vitalhosting.com.tr     solaruploader.com     http://solaruploader.com/46.exe

20100309194542     93.186.118.53     static.vitalhosting.com.tr     getbonuszcheck.biz     http://getbonuszcheck.biz/crystal/help.exe

20100309195112     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=sHVSkgmfwI

20100309195409     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=tzrLKzfWDY

20100309195411     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/severa.exe

20100309195414     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/jar.jar

20100309195515     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/pdf.php?src=

20100309195623     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=jas

20100309195626     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=mdac

20100309195628     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/exe.php?src=&x=snap

20100309195745     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=fdJhxQSJOF

20100309201412     93.186.117.25     static.vitalhosting.com.tr     93.186.117.25     http://93.186.117.25/7_7575fc.php

20100309231412     188.124.5.65     static.vitalhosting.com.tr     www2.asdsystemms.in     http://www2.asdsystemms.in/?uid=213&pid=3&ttl=e154c66797c

20100310142908     188.124.3.233     static.vitalhosting.com.tr     188.124.3.233     http://188.124.3.233/a/go.php?p=3778410

20100311010024     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/index1.html

20100311010035     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/hitin.php?land=20&affid=92800

20100311010038     93.186.117.26     static.vitalhosting.com.tr     93.186.117.26     http://93.186.117.26/d_d09259.php?affid=92800

20100311213244     93.186.117.30     static.vitalhosting.com.tr     93.186.117.30     http://93.186.117.30/hitin.php?land=20&affid=92800

20100311213247     93.186.117.30     static.vitalhosting.com.tr     93.186.117.30     http://93.186.117.30/5_52254f.php?affid=92800

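As an added example (my code, not hpHosts' or the post's), here is a Python script that parses records in the format listed above (timestamp, IP, reverse DNS, hostname, URL), attributes each IP to one of the three ranges named at the top of the post using the standard library's ipaddress module, and tags each URL by file type or by the 7_755eab-style naming seen on the fake-AV hosts in the listing. The sample records are copied from the listing, plus one constructed record on a documentation address (192.0.2.10) and one malformed line; the classification rules are a heuristic of mine based on the filenames in this listing, not anything hpHosts uses.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# The three ranges the post attributes to VITAL TEKNOLOJI (AS44565).
VITAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "79.171.16.0/21", "93.186.112.0/20", "188.124.0.0/19")]

# Stage/payload naming used by the fake-AV sites in the listing (7_7575fc.php,
# 5_52254f.php, 7_755eab.html ...): one hex char, underscore, six hex chars,
# then .html or .jpg for the landing page and .php for the payload.
FAKE_AV_NAME = re.compile(r"^[0-9a-f]_[0-9a-f]{6}\.(?:php|html|jpg)$", re.I)

# Constructed sample: six records copied from the listing above, one record on a
# documentation address (192.0.2.10, not part of the listing) to show an IP that
# falls outside the three ranges, and one malformed line that must be skipped.
SAMPLE_LOG = [
    "20100304210208     188.124.3.233     static.vitalhosting.com.tr     188.124.3.233     http://188.124.3.233/a/go.php",
    "20100305020416     188.124.16.18     static.vit.com.tr     horovod.in     http://horovod.in/soft/exe/yamba.exe",
    "20100307203817     79.171.22.154     static.vitalhosting.com.tr     candlewq.com     http://candlewq.com/tst/porta/reastrn.pdf",
    "20100309195414     188.124.16.18     static.vit.com.tr     kornoval.in     http://kornoval.in/counter/jar.jar",
    "20100309201412     93.186.117.25     static.vitalhosting.com.tr     93.186.117.25     http://93.186.117.25/7_7575fc.php",
    "20100311213247     93.186.117.30     static.vitalhosting.com.tr     93.186.117.30     http://93.186.117.30/5_52254f.php?affid=92800",
    "20100311000000     192.0.2.10     example.invalid     example.invalid     http://example.invalid/x.exe",
    "this line is not a record",
]


def parse_line(line):
    """Split one 'timestamp ip rdns host url' record into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, ip, rdns, host, url = parts
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return {"ts": ts, "ip": addr, "rdns": rdns, "host": host, "url": url}


def owning_range(addr):
    """Return the listed CIDR that contains addr, or None if none of the three does."""
    for net in VITAL_RANGES:
        if addr in net:
            return str(net)
    return None


def classify(url):
    """Heuristic tag: fake-AV stage naming, or the file extension for exe/pdf/jar."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if FAKE_AV_NAME.match(name):
        return "fake-av-stage"
    if ext in ("exe", "pdf", "jar"):
        return ext
    return "other"


def summarise(lines):
    """Count hits per listed range and per tag; collect IPs outside all three ranges."""
    per_range, per_kind, unattributed = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed export line
        rng = owning_range(rec["ip"])
        if rng is None:
            unattributed.append(str(rec["ip"]))
        else:
            per_range[rng] += 1
        per_kind[classify(rec["url"])] += 1
    return per_range, per_kind, unattributed


if __name__ == "__main__":
    ranges, kinds, outside = summarise(SAMPLE_LOG)
    for net, n in ranges.items():
        print(f"{net:16} {n} hits")
    print(dict(kinds))
    print("outside listed ranges:", outside)
```

Feeding a fresh export through summarise() gives the per-range counts the post tallies by eye, and anything that ends up in the unattributed list is a hit the three CIDRs do not explain, which is the first thing to check when a hoster shifts to new ranges.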

Rather interestingly, I have noticed they've stopped bothering to make it a challenge to identify the payloads when it comes to the fake AVs. I no longer have to decode or run anything; I just grab the source and look for a line such as the following:

dl_755e = '7_755eab.html';


Replace .html (also seen as .jpg and .php) with .php and voilà, you've got your payload (I had to point that out to Jerome at Paratologic last month, incidentally).
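The extraction step just described, as an added example (my code, not the post's): it scans fetched landing-page source for the dl_xxxx = '...'; assignment, normalises the three extensions the post mentions to .php, and resolves the result against the landing page's URL so the payload can be fetched for analysis or added to a blocklist. That the payload sits in the same directory as the landing page is my assumption from the post's "replace the extension" instruction; the sample source is constructed around the line quoted above, with two further constructed assignments to exercise the other extensions and quote styles.

```python
import re
from urllib.parse import urljoin

# Matches the assignment the post quotes (dl_755e = '7_755eab.html';) with either
# quote style and any of the three extensions seen: .html, .jpg or .php.
DL_ASSIGN = re.compile(
    r"""dl_[0-9a-f]+\s*=\s*['"]([^'"]+)\.(html|jpg|php)['"]\s*;""", re.I)

# Constructed landing-page fragment: the first line is the one quoted in the post,
# the other two are made-up variants (not observed values).
SAMPLE_SOURCE = """<script>
var dl_755e = '7_755eab.html';
var dl_a1b2 = "a_a1b2c3.jpg";
var dl_9f00 = '9_9f00de.php';
</script>"""


def payload_names(page_source):
    """Return the payload filenames (.php) referenced by dl_* assignments, in page order."""
    return [f"{stem}.php" for stem, _ext in DL_ASSIGN.findall(page_source)]


def payload_urls(page_url, page_source):
    """Resolve each payload name against the landing page URL (same-directory assumption)."""
    return [urljoin(page_url, name) for name in payload_names(page_source)]


if __name__ == "__main__":
    for url in payload_urls("http://93.186.117.25/index.html", SAMPLE_SOURCE):
        print(url)
```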

They also seem to be keeping the redirection domains in place a little longer than previously. For example:

freshgetline.net/redirect/
freshgetline.net/redirect2/
freshgetline.net/redirect3/
freshgetline.net/redirect4/
safetytripstyle.net/redirect/
safetytripstyle.net/redirect2/
safetytripstyle.net/redirect3/
safetytripstyle.net/redirect4/
gosafezone.net/redirect/
gosafezone.net/redirect2/
gosafezone.net/redirect3/
gosafezone.net/redirect4/

All of these still reside at 200.63.46.130, which I'm sure you'll recognise as belonging to the equally crimeware-friendly Eveloz.

Annoyingly, however, there's still a plethora of this to be found via the likes of Google (yep I know, surprise surprise).

1 comment:

Unknown said...

My trusted Norton has blocked an intrusion attempt to my home computer coming from IP address 188.124.5.155