Blog for hpHosts, and whatever else I feel like writing about ....

Saturday, 30 January 2010

Full Circle Magazine: Issue 33

Issue 33 is out: creating a media center, education, and sync

A new month (well, in two days) and a new magazine issue is out.
This month, we’ve got:

- Command and Conquer.
- How-To : Program in Python – Part 7, Create A Media Center with a Revo, Ubuntu and Boxee, and The Perfect Server – Part 3.
- My Story – Ubuntu in Public Education, and Why I Use Linux.
- Review – Exaile.
- MOTU Interview – Didier Roche.
- Top 5 – Synchronization Clients.
- Ubuntu Women, Ubuntu Games and all the usual goodness!

Read more
http://fullcirclemagazine.org/2010/01/30/issue-33-is-out-creating-a-media-center-education-and-sync/

Get it while it's hot!
http://fullcirclemagazine.org/issue-33/

Issues 0 - Current
http://fullcirclemagazine.org/downloads/

Forums:
http://ubuntuforums.org/forumdisplay.php?f=270

Wiki:
http://wiki.ubuntu.com/UbuntuMagazine

Spambot Search Tool: v0.43

* Fixed bug when SBST run on Windows Server systems (doesn't seem to like some of the error handling)
* Fixed Colours for new manual submission ;o)

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

As if by magic .....

... awww, did my last post annoy someone? T'would seem so, as I noticed the following new user registration whilst going through the new account;



Recognize the IP range? (same IP as the Craigslist fraud rubbish, and same range as Blackhatworld - both mentioned in the previous post).

Friday, 29 January 2010

Craigs List: Allow me to beat you over the head (softly of course)

I received an e-mail around 30 mins or so ago, pointing me to craigslistinc.org. The individual that reported it had been called by someone referencing this site, claiming to be an employee of Craigs List.

I did a little digging and yep, it's a phishing scam. I decided to call Craigs List to inform them of the site, and the additional stuffage I found - a decision I was about to regret. Calling the US from the UK isn't cheap, so Craigs List leaving me on hold to wait for an operator, for 25 mins, to then be told AFTER the 25 mins, and AFTER the damn automated voice told me I was "now first in the queue", that there were no CS reps available and to leave a message, has me more than a little annoyed with them.

Dear Craigs List, if you're going to provide a phone number, and going to tell people they're in queue - don't then proceed to tell them there's no-one available, that just annoys the hell out of us. Tell me as soon as the damn automated service answers, and I'll be happy with that, I understand sometimes call centers/offices get extremely "busy" (I've had my share of having to try getting through to BT ;o)). I'd ask why these companies don't just hire more staff if they can't deal with the call volume, but we know the answer to that so let's not bother.

Anywho, the site in question, craigslistinc.org, resides at 74.118.193.100 (AS46664 74.118.192.0/22 VOLUMEDRIVE - VolumeDrive). Looking at its DNS servers showed quite an interesting little relationship. The site's WhoIs is privacy protected, but the DNS servers' WhoIs isn't. The DNS servers' domain, dnblocker.com, resides at the same IP and is owned by;

Melissa Walker
P.O, Box 122
La Crosse, Kansas 67548
United States
+785 623-8544
Providingservices4u81@gmail.com


If we do a little digging on this one, we see not only are they running a "work from home" scam;


But more interestingly, there's also a tie to Blackhatworld.com (amongst others), which resides on the same /24 (74.118.193.250-74.118.193.253), and which is known for everything from fraud to malware and everything else in between.

I'm working on gathering a list of domains owned by "Melissa Walker" (pretty confident the WhoIs details are faked), and will post those as soon as I have gathered them. In the meantime, I'd suggest blocking this entire /24 as I'm not seeing any legit domains residing there.

If you have received an e-mail, or received a phone call, offering anything to do with work from home rubbish, or from someone claiming to be from Craigs List (or any other company), HANG UP! DO NOT engage them, DO NOT reply to them, and NEVER give them any credit card etc details (doing so opens you up to the risk of identity theft), and if they're claiming to be calling on behalf of Microsoft, Malwarebytes or any other IT/security company, DO NOT give them remote access to your computer (neither Microsoft, Malwarebytes nor any other legit company I'm aware of, will cold-call you).

If someone is calling or e-mailing, claiming to be from a company you are used to dealing with, ask for their name, then hang up and call the company using the number you usually use to deal with them (and this especially goes for those times when they're claiming to be from your bank etc).

Remember: Legit companies should NEVER call you unless YOU have asked them to (i.e. they're returning your call), and even then - always treat them with the utmost suspicion.

Side note: The same content that's at craigslistinc.org was also previously at premiumverification.com (Cached on Jan 15th 2010, but this site whilst still registered, currently does not resolve)

Pinball Publisher Network: The ghost of Zango toolbar has a Facebook fan page

Here’s something they don’t teach in marketing 101: If you’re pushing software that no one wants -- like, say, annoying adware -- and your downloads are going nowhere, what do you do?

Answer: you push somebody else’s popular software AND BUNDLE YOUR CRAP WITH IT!

Remember Zango? It was that irritating adware company that spent years and a million weasel words trying to make its operation seem legitimate. It was fined $3 million in 2006 by the U.S. Federal Trade Commission and it unsuccessfully sued anti-virus vendor Kaspersky in Federal Court in 2007 for calling the Zango malcode “malcode?” After several years of sagging revenue amidst a larger collapse of the adware industry, the company finally folded and sold its assets at fire sale prices last April. (Sunbelt Blog story here.)



The buyer, Pinball Publisher Network, is still distributing Zango and sadly enough it still offers users nothing of any value, which is why PPN offers Open Office, 7-Zip and Firefox bundled with it. PPN and its affiliates are simply trying to piggyback on those programs and in the process, leech from their value and good name.


Read more
http://sunbeltblog.blogspot.com/2010/01/ghost-of-zango-toolbar-has-facebook-fan.html

Tuesday, 26 January 2010

Info: hpHosts server downtime

Just a note folks, I'm beginning the conversion of the hpHosts databases as I write this, so the hpHosts website will be down for the next few hours whilst the conversion takes place.

Monday, 25 January 2010

vURL Online: Now back online

I've just gotten back folks, and am happy to announce, vURL has now been fully converted to MySQL, and is now back online.

Please let me know if you notice any problems.

Sunday, 24 January 2010

The Great 99 Cent Software Experiment of 2010

I’m curious and thinking a crazy single day experiment could be fun and may be worth the risk. So what the hell. If you want to upgrade to WinPatrol PLUS on January 29th, I’ll give you a lifetime WinPatrol membership for less than a dollar. Instead of the regular price of $29.95 I’ll provide a coupon on WinPatrol.com that brings the price down to $0.99 USD. That comes out to approx. .70 € to our international friends

This will be a one-day only “experiment” starting at midnight EST on Jan 29th and will last 24 hours. Will over 30 times the normal number customers upgrade to WinPatrol PLUS? If so, will other software developers notice?

Like our current $30 plan, the 99¢ license will be good for life. Like sales in the App Store or Droid Market however, this license is only valid for a single computer. Coupons are also limited to one per customer. Sound fair enough? If you’ve been someday planning on upgrading to WinPatrol PLUS, January 29th is the day to remember. Just go to www.WinPatrol.com this Friday and you may be a part of history


http://billpstudios.blogspot.com/2010/01/great-99-cent-software-experiment-of.html

Saturday, 23 January 2010

Enigma Software Group: So much for "building relationships"

I'll not go into the ESG/SpyHunter history, you can read about that elsewhere. Suffice to say, after discussions with Enigma Software Group, and changes they made, I removed them from hpHosts back in 2008;

http://hphosts.blogspot.com/2008/08/enigma-software-group-removed-from.html

So you'll forgive me for being surprised to receive an e-mail from their lawyer, threatening to sue me. I did however, find it funny that a lawyer working in the security field, would've sent an e-mail with a PDF attached, and the content of the e-mail being simply;

Dear Sir

Please see attached letter.

Yours faithfully


Dominic Bray


Needless to say, this is hilarious. There are millions of e-mails floating round with malicious PDFs attached, and simple sentences such as the above. At first I thought it was a spear campaign, given my name was in the subject line, but alas nope - it was to be far from funny.

ESG and their lawyer have demanded that I do the following by Tuesday, else they're taking me to court;

1. Remove the reference to SpyHunter from the FSA description (this is the *only* thing I did wrong - I forgot about its being there when I delisted them, plain and simple, and I removed them when I got the e-mail, all ESG had to do was drop me an e-mail)

2. Remove the following 3 sites, which they're now claiming are theirs;

pcthreat.com
pc1news.com
anti-spyware-101.com

FYI, these DO NOT make any mention of their being owned by ESG, they're affiliate sites, or were last time I spoke to Alvin. Aside from this, they're listed because they fail to clearly mention the user has to pay for whatever the program finds, and fail to mention the relationship to ESG - both of these are misleading and covered under the FSA classification

As I told them, I would've included these sites regardless of the product they're peddling, due to the methods in which they're doing such.


3. Send them an apology worded as;

"I accept that Enigma Software Group's product, SpyHunter, is not a rogue, bogus or fraudulent application, and should not be classified as one.

I regret that I have previously criticised Enigma Software Group and that I made a number of incorrect statements about them and their products. Many of these statements were inaccurate and portrayed Enigma Software Group in a particularly unfair light, for which I apologise."


And yep, they worded that for me, how nice. However, I've not said ESG/SpyHunter are rogue/malicious since prior to their removal in 2008, indeed I stated both on my site and my blog that they were no longer considered such, and clarified that after hearing from a Mr Criswell earlier this year.

I am happy to apologise for forgetting to remove the word SpyHunter from the FSA classification description, but I'm not going to apologise for something I've not said or done.

4. To post said apology on the hpHosts website (or at least, I'm assuming it's the hpHosts site they want it on, they never specified which of my sites they wanted it on)

5. To post an apology to each one of the following;

(a) http://www.siteadvisor.com/sites/xp-vista.com;
(b) http://www.siteadvisor.com/sites/wiki-security.com;
(c) http://www.siteadvisor.com/sites/uninstall-spyware.com;
(d) http://www.siteadvisor.com/sites/2-freespywareremoval.com
(e) http://www.siteadvisor.com/sites/anti-spyware-101.com
(f) http://www.siteadvisor.com/sites/eliminar-spyware.com
(g) http://www.siteadvisor.com/sites/enigmasoftware.com
(h) http://www.siteadvisor.com/sites/enigmasoftwaregroup.com
(i) http://www.siteadvisor.com/sites/entfernen-spyware.de
(j) http://www.siteadvisor.com/sites/pc1news.com
(k) http://www.siteadvisor.com/sites/pchubs.com
(l) http://www.siteadvisor.com/sites/pcthreat.com
(m) http://www.siteadvisor.com/sites/removal-instructions.com
(n) http://www.siteadvisor.com/sites/spyhunterstore.com
(o) http://www.siteadvisor.com/sites/spyware-entfernen.com
(p) http://www.siteadvisor.com/sites/spywareremove.com
(q) http://www.siteadvisor.com/sites/spyware-techie.com

Here's the problem with this one - I've not rated anything on SiteAdvisor for as long as I can remember, and I've certainly not rated anything to do with ESG/SH on SiteAdvisor. I'm guessing the comments they believe I posted, are those that have been posted by other people, and happen to reference hpHosts. Sorry ESG, I'm not going to be held liable for something OTHER PEOPLE have posted.

6. "Not to make any statement, whether written, oral or otherwise, which is defamatory of or represents a malicious falsehood about ESG"

Again, I've done no such thing.

7. "Not to allege in any way that the current version of ESG's SpyHunter software is "rogue" or "malware" or any other kind of harmful software"

And again, I've done no such thing.

8. "Within 14 days of notification of the amount, to provide my proposals for paying ESG its legal costs incurred in relation to this matter"

Err, I guess ESG have forgotten hpHosts is a non-profit "hobby" site, and as such, doesn't make any money. Not sure what they're expecting me to pay them with.

9. "To provide, by Friday 29 January 2010, my proposals for compensating ESG for damage caused to it as a result of the defamatory allegations and malicious falsehoods published on the Website; and"

And again, hpHosts != making money.

10. "To agree to incorporate the above in a court order if so required by ESG."

Needless to say, the only thing I've done wrong here, is forgetting to remove a single word from the FSA description - that's it. I've not said ESG/SH are rogue, I've not said they're malicious, I've not posted anything claiming they're rogue/malicious to SiteAdvisor, or anywhere else for that matter.

Alas it seems ESG have decided they don't want to build relationships within the security community, they just want to sue everyone instead. Guess we know who their next target is going to be. I am wondering why they've chosen to threaten to sue me however, given I found a lot of sites where people *have* called them rogue/malicious within the past 1-6 months! (i.e. not 2 years ago!).

Thursday, 21 January 2010

SEVAHOST-AS Seva-Host Ltd (AS49313) and SMS Fraud

I received an e-mail earlier, pointing to an Angelfire hosted site;

yzisuteq.angelcities.com/utakeseh.html

Expecting malware or fake meds, I decided to take a look to see which of the two it was. Surprisingly I was wrong - it was neither. The site leads to mobilnaked.com, a site completely in Russian (and annoyingly, given most of the text is actually image based, untranslatable with Google). Remembering a previous episode and something my friend Dmitry at Kaspersky advised me, I took a closer look.

mobilnaked.com claims to offer a program for your mobile phone, that will allow you to see through everyone's clothes (errr, yeah, you can see where this is going). Indeed, shown on the site is a woman dancing, and someone holding a phone in front of her, showing her clothing magically removed whilst she's dancing, and all via the program offered by the site.

However, to get this miracle program, you've got to send them an SMS at a charge of approx £0.14GBP. The real cost however, is likely MUCH higher (indeed, the one Dmitry looked at for me, actually cost you closer to £5, though that one was claiming to be a rogue!!, ah the joys).

The short codes (numbers) you are told to send the SMS to (for those in the UK) are 79067 or 69067. There is of course, a list of others (/download.php), that appear to be used for other countries;

NB: The numbers encased in [], match up with the short code, cost, country etc

var jph=new Array();
jph[27]='19995577';
jph[5]='930399999';
jph[30]='1003';
jph[24]='7259';
jph[7]='7796';
jph[6]='1098';
jph[23]='79067';
jph[15]='90645045';
jph[9]='82300';
jph[10]='1945';
jph[25]='4070';
jph[12]='5339';
jph[4]='9915';
jph[3]='1171';
jph[17]='1874';
jph[16]='1645';
jph[26]='141991';
jph[29]='2332';
jph[19]='7117';
jph[18]='2322';
jph[20]='7910';
jph[21]='4565';
jph[1]='7122';
jph[2]='5373';
jph[13]='179479';
jph[14]='83868';
jph[31]='1600';
jph[8]='9090199';
jph[28]='9292';
jph[22]='72170';
jph[11]='17013';
var japh=new Array();
japh[27]='19995577';
japh[5]='930399999';
japh[30]='7001';
japh[24]='7255';
japh[7]='7796';
japh[6]='1098';
japh[23]='69067';
japh[15]='90645045';
japh[9]='82300';
japh[10]='1945';
japh[25]='4070';
japh[12]='5339';
japh[4]='9916';
japh[3]='1171';
japh[17]='1873';
japh[16]='1624';
japh[26]='141991';
japh[29]='7250';
japh[19]='7117';
japh[18]='2322';
japh[20]='7910';
japh[21]='4565';
japh[1]='7132';
japh[2]='7250';
japh[13]='179479';
japh[14]='83868';
japh[31]='1600';
japh[8]='9090150';
japh[28]='9292';
japh[22]='72170';
japh[11]='17012';
var jm=new Array();
jm[27]='wm771270';
jm[5]='4049270';
jm[30]='wm771270';
jm[24]='wm771270';
jm[7]='4049270';
jm[6]='4049270';
jm[23]='4049270';
jm[15]='4049270';
jm[9]='dx353270';
jm[10]='4049270';
jm[25]='wm5771270';
jm[12]='4049270';
jm[4]='4049270';
jm[3]='4049270';
jm[17]='4049270';
jm[16]='4049270';
jm[26]='wm771270';
jm[29]='wm771270';
jm[19]='4049270';
jm[18]='4049270';
jm[20]='4049270';
jm[21]='4049270';
jm[1]='353270';
jm[2]='771270';
jm[13]='4049270';
jm[14]='4049270';
jm[31]='wm771270';
jm[8]='4049270';
jm[28]='wm771270';
jm[22]='4049270';
jm[11]='4049270';
var jv=new Array();
jv[27]='AUD';
jv[5]='EURO';
jv[30]='AMD';
jv[24]='BYR';
jv[7]='EURO';
jv[6]='BGN';
jv[23]='GPB';
jv[15]='HUF';
jv[9]='EURO';
jv[10]='DKK';
jv[25]='ILS';
jv[12]='EURO';
jv[4]='KZT';
jv[3]='USD';
jv[17]='LVL';
jv[16]='LTL';
jv[26]='USD';
jv[29]='MDL';
jv[19]='EURO';
jv[18]='NOK';
jv[20]='PLT';
jv[21]='EURO';
jv[1]='рублей';
jv[2]='гривен';
jv[13]='EURO';
jv[14]='EURO';
jv[31]='EURO';
jv[8]='CZK';
jv[28]='CHF';
jv[22]='SEK';
jv[11]='EEK';
var jc=new Array();
jc[27]='0.08';
jc[5]='0.05';
jc[30]='26.6';
jc[24]='135';
jc[7]='0.05';
jc[6]='0.07';
jc[23]='0.14';
jc[15]='18.33';
jc[9]='0.14';
jc[10]='0.53';
jc[25]='0.18';
jc[12]='0.04';
jc[4]='20.67';
jc[3]='0.16';
jc[17]='0.28';
jc[16]='0.28';
jc[26]='0.03';
jc[29]='0.8';
jc[19]='0.04';
jc[18]='0.53';
jc[20]='0.3';
jc[21]='0.07';
jc[1]='10';
jc[2]='0.83';
jc[13]='0.05';
jc[14]='0.08';
jc[31]='0.01';
jc[8]='2.77';
jc[28]='0.08';
jc[22]='0.53';
jc[11]='1.41';

function getText(id)
{
    $('#smsMsg').text(jm[id]);
    $('#smsNum').text(jph[id]);
    if(jph[id]!=japh[id])
    {
       $('#smsAdvNum').text(japh[id]);
       $('#orText').text('или');
    }
    else
    {
       $('#orText').text('');
       $('#smsAdvNum').text('');
    }
    $('#smsCost').text(jc[id]);
    $('#smsVal').text(jv[id]);
    
    if(id==24)
    {
       $('span#byCountry').show();
       $('span#BYhide').hide();
       
       
    }
    else
    {
       $('span#byCountry').hide();
       $('span#BYhide').show();
       
    }
}
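
The five parallel arrays above are easier to review once they are joined on their index. The following is an added example (not code from the scam site or from this blog) that parses such a page source as text, without executing it, into one record per index. The field names are this example's own labels, inferred from how getText() uses each array, and the embedded sample is a four-index excerpt of the listing above.

```javascript
// Constructed sample: a four-index excerpt (ids 1, 3, 23, 24) of the tables
// quoted above, held as text so it is parsed and never executed.
const SAMPLE_SOURCE = `
var jph=new Array();
jph[24]='7259';
jph[23]='79067';
jph[3]='1171';
jph[1]='7122';
var japh=new Array();
japh[24]='7255';
japh[23]='69067';
japh[3]='1171';
japh[1]='7132';
var jm=new Array();
jm[24]='wm771270';
jm[23]='4049270';
jm[3]='4049270';
jm[1]='353270';
var jv=new Array();
jv[24]='BYR';
jv[23]='GPB';
jv[3]='USD';
jv[1]='рублей';
var jc=new Array();
jc[24]='135';
jc[23]='0.14';
jc[3]='0.16';
jc[1]='10';
`;

// Assumption: these field names are this example's labels, inferred from the
// element each array is written to in getText() (#smsNum, #smsAdvNum, ...).
const FIELDS = {
  jph: 'shortCode',
  japh: 'altShortCode',
  jm: 'smsText',
  jv: 'currency',
  jc: 'statedCost',
};

// Collect every  name[index]='value';  assignment for the known arrays.
function parseTables(source) {
  const rows = new Map();
  const assignment = /\b([A-Za-z_$][\w$]*)\[(\d+)\]\s*=\s*'([^']*)'\s*;/g;
  let m;
  while ((m = assignment.exec(source)) !== null) {
    const field = FIELDS[m[1]];
    if (!field) continue; // unrelated array, ignore
    const id = Number(m[2]);
    if (!rows.has(id)) rows.set(id, { id });
    rows.get(id)[field] = m[3];
  }
  return rows;
}

// One record per index, sorted by index. Like getText(), the alternative
// number is only listed when it differs from the first one. Indexes that are
// absent from one of the arrays are reported in `missing`, not dropped.
function toRecords(rows) {
  const required = Object.values(FIELDS);
  return [...rows.values()]
    .sort((a, b) => a.id - b.id)
    .map((row) => {
      const numbers = [row.shortCode, row.altShortCode]
        .filter((n, i, all) => n !== undefined && all.indexOf(n) === i);
      const missing = required.filter((f) => !(f in row));
      return { ...row, numbers, missing };
    });
}

// Human-readable line for a report or ticket.
function summarize(record) {
  const where = record.numbers.join(' or ') || '(no number)';
  const note = record.missing.length
    ? ` [incomplete: ${record.missing.join(', ')}]`
    : '';
  return `id ${record.id}: text "${record.smsText}" to ${where}, ` +
    `stated cost ${record.statedCost} ${record.currency}${note}`;
}

for (const record of toRecords(parseTables(SAMPLE_SOURCE))) {
  console.log(summarize(record));
}
```

Short codes are only meaningful per country, so the records are kept per index and not flattened into a single list of numbers.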


The scam is run, from what I can find, by Sergey S Pirozhnikov (papa.racot@gmail.com), owner of smsdostup.ru and sms911.ru (and several others apparently, still looking into that), registered in 2007 and 2008 via RegTime (surprise surprise) and NAUNET (associated with spam, Zeus and other criminal activities), and hosted at 92.241.166.5 and 92.241.166.166 respectively.

inetnum: 92.241.166.0 - 92.241.166.255
netname: RM-INVEST
descr: RM-INVEST Ltd
country: RU
admin-c: PIRO1-RIPE
tech-c: PIRO1-RIPE
status: ASSIGNED PA
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered

person: Sergey Pirozhnikov
address: Kazanskaya, 7,
193000 St.Petersburg,
RUSSIAN FEDERATION
mnt-by: RU-WEBALTA-MNT
phone: +7 (911) 400-16-11
nic-hdl: PIRO1-RIPE
source: RIPE # Filtered

route: 92.241.160.0/19
descr: Wahome IP's =)
origin: AS41947
mnt-by: RU-WEBALTA-MNT
source: RIPE # Filtered


You'll also have noticed the link to ephelp.ru, which as you've guessed, is also involved. ephelp.ru was also registered in 2008 (again via NAUNET) by someone that apparently doesn't want to be known. It's hosted at 91.212.210.192.

Getting back to mobilnaked.com et al. They do of course, provide a "rules" page, which when translated reads (I've formatted it for readability);

Terms of Use mobilnaked.com:

Terms

This User Agreement (hereinafter "Agreement") governs the relationship between «mobilnaked.com» (hereinafter "Service" or "Site"), which is located at mobilnaked.com, and natural or legal person (hereinafter "User") on the Internet.

1. Subject user agreement to the User Services offers its services on terms that are the subject of this Agreement. Agreement may be changed Site «mobilnaked.com» unilaterally and without notice to User.

2. Description of Services Based on Service Agreement provides its services to users who have access to the Internet and pre-installed software to work with web-interface available exclusively at mobilnaked.com. «Mobilnaked.com» - this is a joke gaming service that gives users access to the Java-application for a fee. mobilnaked.com provides user access to the Java-application after the payment made by the user. It is a software application provided by the white-pc user how to help to optimize computer performance. Animated objects are part of the registration site.

3. Entry into force, the Agreement shall enter into force as soon as the User acknowledges and accepts the rules of the Site «mobilnaked.com», by sending an appropriate SMS message. By accessing imply its consent to this Agreement. Using services of Service means that you have read and agree with the Agreement, even if the user has not finished the stage of registration.

4. Obligations and responsibilities of the user after registration user receives a key to access the personal information section. Service reserves the right not to allow the use of certain passwords or remove these passwords without prior notice. User is responsible for the security of your password and all information publicly published by the User through the Service, including but not limited to comments on the Site «mobilnaked.com».

5. To gain access you need to send 3 SMS to short number. * Price per page of payment is for 1 day. * Access to the software available for 90 (ninety) days. . Lump sum user pays the entire period of use uslugoy. Oplata Service Service To gain access you need to send 3 SMS to short number. The cost of an SMS message to service number 9690 and 9691 is approximately 300 rubles (for Russia);

Info short numbers and tariffs - to http://www.nlinfo.ru. Cost of SMS to 7122 for the operator MTS is 258.3 rubles without VAT, for the rest of about 250 rubles depending on the operator. The approximate cost of a SMS to number 1874 for Latvia - 3.3 lats NDS.Ctoimost window without payment is for 1 test. Cost of SMS to 4171 for Ukraine - 30 hryvnia VAT excluding duty to the pension fund in the amount of 7.5% of the cost of SMS without NDS.Pri accessing the subscriber is able to conduct 100 inspections. The exact cost of SMS, you can check with your mobile operator or website:

http://sms911.ru

6. DISCLAIMER OF WARRANTIES

a) The user uses the service «mobilnaked.com» at your own risk. Facilities & Services «mobilnaked.com» The user is provided on an "as is". Service
«mobilnaked.com» does not assume any liability, including but not limited to the search results match the user's request,

b) Site «mobilnaked.com» represents a source of information that is entertaining. All information presented on this site is partly fictitious and should not be taken seriously;

c) Service «mobilnaked.com» does not warrant that: services «mobilnaked.com» will comply with your requirements, the quality of services of Service «mobilnaked.com» will match User's expectations, the results obtained by the User on the Site «mobilnaked.com» will be accurate; software bugs in the site «mobilnaked.com» will be corrected;

d) Service Rules

«mobilnaked.com» does not return the amount of money spent by the User;

d) Service «mobilnaked.com» is not responsible for any damages, direct, indirect, actual or consequential damages related to the Service, lost profits and other risks, even if the service and its owners have been advised of the possibility of such damages, or if such damages were foreseeable. Thus, the user assumes all risks associated with use of the Service «mobilnaked.com».


As you've no doubt noticed, this miracle application doesn't exist at all. You've been scammed, and will continue to be, given it's not a single SMS you've got to send. It's apparently a "joke gaming service" (some joke huh?), that provides you with some "java application" once you've been gullible enough to pay them via SMS.

There is of course, as there always is with this type of thing, a long list of other domains involved, and for your viewing pleasure, here they are.



A few of these are no longer alive (failing to resolve). You'll find the validation results (domains were verified as of a few seconds ago) at;

http://hosts-file.net/misc/hpObserver_results_-_AS49313_Sevahost_fraud.html

I'm in no doubt that there's a lot more I've not yet identified.

So who is providing the upstream connectivity for Seva-Host, and why are they allowing this? Well, the connectivity is provided courtesy of AS47143 TDHN Transit Data Hyper Network, an ISP with ties to other well known criminal organizations, such as root eSolutions, Kabelfoon, WEDARE We Dare BV, amongst many others (it's worth noting as well, TDHN also have ties to a plethora of LEGIT companies).

A tracert result is also showing Seva-host have connections to UK based firm, c4l.co.uk. Their offices are apparently closed now (ISPs really should learn to run 24/7, abuse and technical issues aren't time specific .....), but I'll be looking into that too.

In the meantime, I'd strongly urge everyone to blackhole Seva-Host Ltd's entire range. There's not a single legit domain present, so you're not going to miss anything.

Wednesday, 20 January 2010

AdSlash.com is a bogus ad network

We've seen a number of ads being punted through AdSlash.com to legitimate ad networks, but it appears that these are leading to a PDF Exploit (don't visit these sites, obviously!).

For example:
fwlink.nx7.zedo.com.adslash.com/?alx=a27131939386&td=qcbp71pz=42834&sz=728x90&_zm=359161&st=n1n4&id=131939386&zcw=gh17chl277&xryr=3913771&mp=1460h1
fwlink.nx7.zedo.com.adslash.com/stats_js_e.php?id=131939386
fwlink.nx7.zedo.com.adslash.com/bdb/Health/banner_728.gif
fridayalways.com/kven/index.php
fridayalways.com/kven/js/common.js
fridayalways.com/kven/pdfadmnplay.php
fridayalways.com/kven/files/backoutblack.pdf

or
...


Read more
http://www.dynamoo.com/blog/2010/01/adslashcom-is-bogus-ad-network.html

Tuesday, 19 January 2010

Yet another phishing campaign: ukbusinessforums.co.uk + Netelligent + touchcampaign.com + v2mailservice.com

I received a rather surprising e-mail earlier. Surprising because it was sent to an e-mail address I used specifically for registering on the ukbusinessforums.co.uk website a few years ago, and not an address I'd published anywhere (and nope, I'd not given them permission to give it to anyone else).

This particular e-mail is shown to the left, but in short, advertises pdf-adobe.org, which leads to pdfnewdownload.com and secure.signup-way.com (SSL certificate for signup-way.com is provided by GoDaddy). These sites are all, not surprisingly, involved in fraud.


The people and sites responsible for this are;

touchcampaign.com (lives at 118.69.203.7, AS18403 FPT-AS-AP FPT Telecom Company 66-68 Vo Van Tan Ho Chi Minh City Vietnam)
v2mailservice.com (lives at 77.68.54.173, FastHosts)

Domain name: TOUCHCAMPAIGN.COM
Name Server: dns15.fpt.vn
Name Server: dns16.fpt.vn
Creation Date: 2010.01.17
Updated Date: 2010.01.17
Expiration Date: 2011.01.17

Status: DELEGATED

Registrant ID: RNCV48A-RU
Registrant Name: Kevin Stubbs
Registrant Organization: Kevin Stubbs
Registrant Street1: 23 Bringston Rd
Registrant City: Lancers
Registrant State: Cheshire
Registrant Postal Code: SM2 7LS
Registrant Country: GB

Administrative, Technical Contact
Contact ID: RNCV48A-RU
Contact Name: Kevin Stubbs
Contact Organization: Kevin Stubbs
Contact Street1: 23 Bringston Rd
Contact City: Lancers
Contact State: Cheshire
Contact Postal Code: SM2 7LS
Contact Country: GB
Contact Phone: +44 645 8393820
Contact E-mail: kevinstub1231@yahoo.co.uk

Registrar: ANO Regional Network Information Center dba RU-CENTER


Oh and yes, the WhoIs details are fake (for starters, 0645 isn't a valid UK dialing code, it was changed to 0845 years ago)

Domain name: V2MAILSERVICE.COM
Name Server: ns1.v2mailservice.com 77.68.54.173
Name Server: ns2.v2mailservice.com 77.68.54.172
Creation Date: 2010.01.03
Updated Date: 2010.01.04
Expiration Date: 2011.01.03

Status: DELEGATED

Registrant ID: LXHHBQO-RU
Registrant Name: Laurie Harford
Registrant Organization: Laurie Harford
Registrant Street1: 72 Sunshine Rd
Registrant City: Torquay
Registrant Postal Code: TQ2 6AM
Registrant Country: GB

Administrative, Technical Contact
Contact ID: LXHHBQO-RU
Contact Name: Laurie Harford
Contact Organization: Laurie Harford
Contact Street1: 72 Sunshine Rd
Contact City: Torquay
Contact Postal Code: TQ2 6AM
Contact Country: GB
Contact Phone: +44 7976776382
Contact E-mail: laurieharford@yahoo.co.uk

Registrar: ANO Regional Network Information Center dba RU-CENTER


The phone number listed here is valid, and belongs to an Orange Telecom customer (I'd have called it if it weren't 04:00).

A lovely little list of the domains they also own;



These are all hosted at 67.212.90.67. And who owns this IP? Why, our old friends Netelligent of course.

Other connected domains include;

64.40.114.87 (AS14280 NETNATION Communications Inc.)

termsandprivacy.com
faqandtestimonials.com
online-disclaimer.com

67.205.108.166 (AS32613 IWEB-AS iWeb Technologies Inc.)

signup-way.com

77.68.54.172 (AS15418 FASTHOSTS-INTERNET Fasthosts Internet Ltd. Gloucester, UK.)

adobe-pdf-new-download.com
pdf-reader-writer.com

What's funny of course, is Netelligent recently wanted to convince us they were simply victims, and they'd killed off the criminals on their network. Wonder how they're going to explain this one huh? Especially given the history of the particular /24 in question (previously used by US based XLMarketing, who weren't exactly known for legit marketing methods)

/update 14:28 20-01-2010

I called the mobile number for v2mailservice.com, and not surprisingly, the number no longer exists.

Lunarpages followup

Remember this folks?

http://hphosts.blogspot.com/2009/08/update-google-webalizer-exploits.html

Well, I've been seeing more and more sites across LP IP ranges containing malicious code, and since I'd not heard back from them concerning the sites listed in the above, I decided to go through those previously mentioned back in August last year, to see which are still carrying malicious code. Thankfully, not many are, with most either being cleaned, closed or cleaned and moved elsewhere.

The following are those still carrying malicious code;

The following have all been cleaned, closed down, or cleaned and moved elsewhere;

I've already e-mailed Lunarpages yet again, to see if they're ready to do something about those still affected, and have also mentioned the new ones I've come across (more on that later).

Saturday, 16 January 2010

msmvps.com down

Seems msmvps.com is down at present folks. No idea why, it's resolving just fine, but the server is refusing the connection (checked via several different sources).



/edit

It's back folks :o)

Crimeware friendly ISP's: AS8206 JUNIK-RIGA-LV JUNIKNET Autonomous System JUNIK ISP Network Riga, Latvia

And in today's firing line, competing with the rest for the title of world's most crimeware friendly ISP, we have AS8206, Latvian-based ISP, Junik-Riga-LV.

Junik is being listed for 2 very specific reasons, they're providing connectivity for;

AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich

Oh dear, this isn't going to end well is it?

Neval has been home to a plethora of malicious content over the years, and like a few others, I've not yet seen a single legit domain hosted over there. Criminals they DO however host include the miscreants responsible for the YES exploit pack who are housed at say-yes.biz (91.212.198.156).

Not exactly hiding what they're offering are they? (hat tip to SysAdMini for the heads up)

Then of course, there's the usual selection of rogues such as mcafee-malware.com, which is housed at 91.212.198.236, or this piece of malicious goodness (sadly, only one vendor is detecting this at the time of writing this), which is housed at dowmowvid.ru which was living on 91.212.198.171 and has now moved to another criminal network, 91.213.121.122 (AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko, see here).

Indeed, I'll tell you what, just pick ANY domain within the Neval network, and you'll find it's involved in malicious activity of one description or another.

And then we get to VolgaHost, which is yet another network whose connectivity is provided by Junik, that doesn't contain a single legit domain. Every single one is involved in either exploits or malware of one description or another (ZeUs and Fragus exploits primarily). For example;

http://www.malwareurl.com/search.php?s=AS29106
http://www.malwaredomainlist.com/mdl.php?search=91.213.174&colsearch=All&quantity=50
hosts-file.net/?s=91.213.174&direct=1&view=history
http://www.robtex.com/cnet/91.213.174.html

One can't help wondering why Junik are allowing this to continue, especially given neither VolgaHost nor Neval are exactly trying to hide it. Well Junik - care to explain yourselves?

Until they do bother to boot these criminals, I'd personally recommend everyone blackhole their ranges. Sadly, this seems to be the only way these ISP's are going to learn.

Botnet domains + DNS resolution

Just a note folks, whilst investigating why the domains associated with botnets weren't resolving (been receiving a plethora of e-mails for everything from SendSpace to HM Revenue and Customs to HSBC etc etc), I did a check on OpenDNS's servers and discovered an issue with their London based server (still failed to resolve even after a cache check).

All of their other servers are unaffected by whatever is causing the issue, and correctly resolve these domains.

As an FYI, the following is a list of those from the latest e-mails;

Subjects:

Notice of Underreported Income
Obtain Digital Certificate
This Document Contains Important Information
Please read this important information concerning your privacy
Fw: look
Re: your photo
A new settings file for the dev_null@it-mate.co.uk mailbox has just been released
Hello my friend , you have received a new greeting from somebody who cares you !!!
Fw: techrepublic@gauging.co.uk's photo


NB: The subject with "dev_null@it-mate.co.uk" in it, for those unaware, is the subject used for the OWA lookie-like, and contained whatever e-mail address it was being sent to, i.e. victim@their-domain.com

Links:

NB: The URL with "dev_null@it-mate.co.uk" in it, for those unaware, is the URL used for the OWA lookie-like, and contained whatever e-mail address it was being sent to, i.e. victim@their-domain.com

IP Details:

NB: A few were failing to resolve at the time of posting this, I've included them in the list anyway for the sake of clarity

In case you've not also noticed, those with numbers in the hostname, also appear to be valid where the number is 0-9, for example;

iko999j0.com.pl
iko999j1.com.pl
iko999j2.com.pl
iko999j3.com.pl
iko999j4.com.pl
iko999j5.com.pl
iko999j6.com.pl
iko999j7.com.pl
iko999j8.com.pl
iko999j9.com.pl
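
The links in these e-mails share one shape: the real brand hostname is prepended to an unrelated domain (called the "carrier" below), the recipient's address sits in the query string, and the carrier names vary only in a trailing digit. The following is an added example, not code from hpHosts or from the original post, that triages such links and `IP hostname` lines into blocklist candidates. The `.example` domains, the RFC 5737 addresses, the function names, and the reading of 127.0.0.1 as "did not resolve" are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Real hostnames of the three brands the post names as being imitated.
BRAND_HOSTS = ("online.hmrc.gov.uk", "www.hsbc.co.uk", "www.sendspace.com")

# Constructed sample data: ".example" carrier domains, RFC 5737 addresses.
SAMPLE_URLS = [
    "http://online.hmrc.gov.uk.ab12cd.example/statement.php?id=1&email=victim@their-domain.com",
    "http://www.hsbc.co.uk/banking.php?email=victim@their-domain.com",
    "http://www.hsbc.co.uk.zz9.example/banking.php?email=victim@their-domain.com",
    "http://www.sendspace.com.q7x0.example/upload.php?file_id=abc",
]
SAMPLE_HOSTS_LINES = """\
127.0.0.1        www.hsbc.co.uk.zz9.example
192.0.2.10       www.sendspace.com.q7x0.example
198.51.100.7     www.sendspace.com.q7x0.example
203.0.113.44     www.sendspace.com.q7x0.example
192.0.2.10       www.sendspace.com.q7x1.example
203.0.113.44     www.sendspace.com.q7x1.example
not-an-ip        broken.line.example
""".splitlines()


def split_lookalike(hostname):
    """Return (brand, carrier) if hostname is '<brand>.<carrier>', else None."""
    host = hostname.lower().rstrip(".")
    for brand in BRAND_HOSTS:
        prefix = brand + "."
        if host.startswith(prefix) and len(host) > len(prefix):
            return brand, host[len(prefix):]
    return None


def triage_url(url):
    """Summarise one link: real host, imitated brand, carrier, recipient tag."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hit = split_lookalike(host)
    recipients = parse_qs(parts.query).get("email", [])
    return {
        "host": host,
        "imitates": hit[0] if hit else None,
        "carrier": hit[1] if hit else None,
        "recipient": recipients[0] if recipients else None,  # address in the link
    }


def group_hosts(lines):
    """Parse 'IP<whitespace>hostname' lines into (resolved, unresolved)."""
    resolved, unresolved = defaultdict(set), set()
    for line in lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip malformed lines instead of guessing
        # Assumption: a loopback entry marks a name that did not resolve.
        if addr.is_loopback:
            unresolved.add(fields[1].lower())
        else:
            resolved[fields[1].lower()].add(str(addr))
    return dict(resolved), unresolved - set(resolved)


def shared_infrastructure(resolved):
    """Map each IP seen under more than one hostname to those hostnames."""
    by_ip = defaultdict(set)
    for host, ips in resolved.items():
        for ip in ips:
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def digit_siblings(carrier):
    """Expand a carrier whose first label ends in a digit to all of 0-9."""
    label, _, rest = carrier.partition(".")
    match = re.fullmatch(r"(.*?)(\d)", label)
    if not match or not rest:
        return [carrier]
    return [f"{match.group(1)}{d}.{rest}" for d in range(10)]


def blocklist_candidates(urls, hosts_lines):
    """Carriers seen in links or hosts lines, expanded to their 0-9 siblings."""
    resolved, unresolved = group_hosts(hosts_lines)
    hosts = [triage_url(u)["host"] for u in urls] + list(resolved) + list(unresolved)
    hits = filter(None, map(split_lookalike, hosts))
    return sorted({sib for _, carrier in hits for sib in digit_siblings(carrier)})


if __name__ == "__main__":
    print([triage_url(u) for u in SAMPLE_URLS])
    print(blocklist_candidates(SAMPLE_URLS, SAMPLE_HOSTS_LINES))
```

The sibling names are candidates to check, not confirmed hosts, and the addresses that turn up under more than one hostname are the ones worth tracing to a network owner first.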

Friday, 15 January 2010

Dear PayPal: What the heck are you smoking?

With the blackhat SEO campaigns taking advantage of Haiti to infect people and rip them all off, you'd have thought PayPal would've had a little forethought before sending this out.

I must ask PayPal, what the heck were you thinking when you thought "Ooooh, let's send an EMAIL to our members, in HTML of course, to ask them for MONEY!"?

Anyone ever tell you about phishing scams and the like?

Your sending this e-mail out is beyond belief. If you're going to ask your members for money, for Christ's sake, at least do it responsibly.

Wednesday, 13 January 2010

Immediate hpHosts server downtime

Just a note folks, the hpHosts server is making some very strange noises (typical, get 2 servers re-built and another decides it wants to be a problem), and doesn't sound too well, so I'm going to take it offline with immediate effect, to take a look and see what the problem is.

I'm not expecting the downtime to be more than 30-45 mins or so.

Tuesday, 12 January 2010

hpHOSTS - UPDATED January 12th, 2010

The hpHOSTS Hosts file has been updated. There is now a total of 118,743 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 12/01/2010 18:00
  2. Last Verified: 11/01/2010 12:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Monday, 11 January 2010

Riccom Ltd: Where'd they go?

I thought you guys would be interested in the latest validation results, which shows where quite a few prior Riccom customers have now gone over to. Note: the results do not include PTR details (only did a quick validation as I'm busy with work and hpHosts at present).

http://hosts-file.net/misc/hpObserver_results_-_Riccom_91.212.107.0-255-update-12012010.html

The shortlist of ISP's they've moved to are;

1. AS29073 94.102.48.0/20 Ecatel (no surprise there)
2. AS29073 93.174.88.0/21 Ecatel (no surprise there)
3. AS17431 61.4.188.0/22 TONET Beijing TONEK Information Technology Development Company (Previously: AS17620 61.4.176.0/20 CNCGROUP-BJ CNCGROUP IP network of Beijing region MAN network)
4. AS39369 93.158.64.0/18 PORT80 AB, Sweden Rix Telecom AB, Sweden
5. AS24826 91.213.121.0/24 KHARKOV-TERMINALS-AS PE Viktor Nastechenko
6. AS29550 92.48.64.0/18 EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks www.blueconnex.net
7. AS16265 85.17.0.0/16 LeaseWeb AS Amsterdam, Netherlands
8. AS28753 84.16.224.0/19 NETDIRECT AS NETDIRECT Frankfurt, DE (surprise surprise)
9. AS8551 82.80.245.0/24 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
10. AS21844 74.52.0.0/14 THEPLANET-AS2 ThePlanet.com Internet Services, Inc.
11. AS29550 213.175.192.0/19 EUROCONNEX-AS Blueconnex Networks Ltd Formally Euroconnex Networks www.blueconnex.net
12. AS32181 193.169.234.0/23 ASN-CQ-GIGENET ColoQuest/GigeNet ASN (Customer Route [BODHOST])
13. AS5577 193.169.12.0/23 ROOT eSolutions (nope, I'm not surprised either)

There's a handful presently not resolving, but more interestingly, quite a few still resolving to (the still non-routed) Riccom range.

HostExploit: Top Bad Hosts

HostExploit has provided a facility that now allows you to see which of the ISP's currently online, are within their list of the world's worst. Names you'll currently see include Velcom, Netelligent, ZHM, NetDirect, Neval etc etc etc.

Take a peek, and pop over to their new SiteVet (well, new to me anyway) site, which provides extensive details (some details only provided if you pay a fee apparently) on the hosts in question.

http://hostexploit.com/index.php?option=com_content&view=article&id=201&Itemid=106

Sunday, 10 January 2010

Crimeware friendly ISP's: RETN-AS (AS9002)

You may be asking yourself, why are RETN-AS being listed as crimeware friendly? Well, to keep this short and simple, I'll tell you - NET-UA-AS limited corp (AS40965 195.95.151.0/24) and SOFTNET (AS50073 193.104.110.0/24 SOFTNET Software Service Prague s.r.o.).

The SOFTNET range was first seen in November 2009, and ever since then, has served nothing but exploits, rogues, and other malicious goodness. As an example;

Fancy an example of the malicious goodness on the NET-UA-AS range? Ah, go on then;


20090910192311        195.95.151.176        Failed resolution        antivirusplusnow.com        http://antivirusplusnow.com/se.exe

20090910192317        195.95.151.176        Failed resolution        antivirusplusnow.com        http://antivirusplusnow.com/install/InternetExplorer.dll

20090910192324        195.95.151.176        Failed resolution        antivirusplusnow.com        http://antivirusplusnow.com/install/avplus.exe

20090910192330        195.95.151.176        Failed resolution        antivirusplusnow.com        http://antivirusplusnow.com/install/AntivirusPlus.exe

20090910192336        195.95.151.176        Failed resolution        antivirusplusnow.com        http://antivirusplusnow.com/install/AntivirusPlus_ba.exe

20090910192342        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/se.exe

20090910192348        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/install/InternetExplorer.dll

20090910192354        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/install/avplus.exe

20090910192400        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/install/AntivirusPlus.exe

20090910192407        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/install/AntivirusPlus_ba.exe

20090910192413        195.95.151.176        Failed resolution        getavplusnow.com        http://getavplusnow.com/se.exe

20090910192419        195.95.151.176        Failed resolution        getavplusnow.com        http://getavplusnow.com/install/InternetExplorer.dll

20090910192425        195.95.151.176        Failed resolution        getavplusnow.com        http://getavplusnow.com/install/avplus.exe

20090910192431        195.95.151.176        Failed resolution        getavplusnow.com        http://getavplusnow.com/install/AntivirusPlus.exe

20090910192437        195.95.151.176        Failed resolution        getavplusnow.com        http://getavplusnow.com/install/AntivirusPlus_ba.exe

20090910192443        195.95.151.176        Failed resolution        antivirusplus-ok.com        http://antivirusplus-ok.com/se.exe

20090910192449        195.95.151.176        Failed resolution        antivirusplus-ok.com        http://antivirusplus-ok.com/install/InternetExplorer.dll

20090910192455        195.95.151.176        Failed resolution        antivirusplus-ok.com        http://antivirusplus-ok.com/install/avplus.exe

20090910192501        195.95.151.176        Failed resolution        antivirusplus-ok.com        http://antivirusplus-ok.com/install/AntivirusPlus.exe

20090910192507        195.95.151.176        Failed resolution        antivirusplus-ok.com        http://antivirusplus-ok.com/install/AntivirusPlus_ba.exe

20090910192514        195.95.151.176        Failed resolution        nextantivirusplus.com        http://nextantivirusplus.com/se.exe

20090910192521        195.95.151.176        Failed resolution        nextantivirusplus.com        http://nextantivirusplus.com/install/InternetExplorer.dll

20090910192527        195.95.151.176        Failed resolution        nextantivirusplus.com        http://nextantivirusplus.com/install/avplus.exe

20090910192532        195.95.151.176        Failed resolution        nextantivirusplus.com        http://nextantivirusplus.com/nstall/AntivirusPlus.exe

20090910192538        195.95.151.176        Failed resolution        nextantivirusplus.com        http://nextantivirusplus.com/install/AntivirusPlus_ba.exe

20090910192544        195.95.151.176        Failed resolution        i-antivirusplus.com        http://i-antivirusplus.com/se.exe

20090910192550        195.95.151.176        Failed resolution        i-antivirusplus.com        http://i-antivirusplus.com/install/InternetExplorer.dll

20090910192556        195.95.151.176        Failed resolution        i-antivirusplus.com        http://i-antivirusplus.com/install/avplus.exe

20090910192602        195.95.151.176        Failed resolution        i-antivirusplus.com        http://i-antivirusplus.com/install/AntivirusPlus.exe

20090910192608        195.95.151.176        Failed resolution        i-antivirusplus.com        http://i-antivirusplus.com/install/AntivirusPlus_ba.exe

20090910192615        195.95.151.176        Failed resolution        goodantivirusplus.com        http://goodantivirusplus.com/install/InternetExplorer.dll

20090910192621        195.95.151.176        Failed resolution        goodantivirusplus.com        http://goodantivirusplus.com/install/avplus.exe

20090910192627        195.95.151.176        Failed resolution        goodantivirusplus.com        http://goodantivirusplus.com/install/AntivirusPlus.exe

20090910192633        195.95.151.176        Failed resolution        goodantivirusplus.com        http://goodantivirusplus.com/install/AntivirusPlus_ba.exe

20090910192639        195.95.151.176        Failed resolution        yesantivirusplus.com        http://yesantivirusplus.com/se.exe

20090910192646        195.95.151.176        Failed resolution        yesantivirusplus.com        http://yesantivirusplus.com/install/avplus.exe

20090910192652        195.95.151.176        Failed resolution        yesantivirusplus.com        http://yesantivirusplus.com/install/AntivirusPlus.exe

20090910192659        195.95.151.176        Failed resolution        yesantivirusplus.com        http://yesantivirusplus.com/inse.exestall/AntivirusPlus_ba.exe

20090910192705        195.95.151.176        Failed resolution        antivirus-plus-now.com        http://antivirus-plus-now.com/install/InternetExplorer.dll

20090910192711        195.95.151.176        Failed resolution        antivirus-plus-now.com        http://antivirus-plus-now.com/se.exe

20090910192717        195.95.151.176        Failed resolution        antivirus-plus-now.com        http://antivirus-plus-now.com/install/avplus.exe

20090910192723        195.95.151.176        Failed resolution        antivirus-plus-now.com        http://antivirus-plus-now.com/install/AntivirusPlus.exe

20090910192729        195.95.151.176        Failed resolution        antivirus-plus-now.com        http://antivirus-plus-now.com/install/AntivirusPlus_ba.exe

20090910192735        195.95.151.176        Failed resolution        antivirusplus09.com        http://antivirusplus09.com/se.exe

20090910192741        195.95.151.176        Failed resolution        antivirusplus09.com        http://antivirusplus09.com/install/InternetExplorer.dll

20090910192747        195.95.151.176        Failed resolution        antivirusplus09.com        http://antivirusplus09.com/install/avplus.exe

20090910192753        195.95.151.176        Failed resolution        antivirusplus09.com        http://antivirusplus09.com/install/AntivirusPlus.exe

20090910192759        195.95.151.176        Failed resolution        antivirusplus09.com        http://antivirusplus09.com/install/AntivirusPlus_ba.exe

20090910192805        195.95.151.176        Failed resolution        internetantivirusplus.com        http://internetantivirusplus.com/se.exe

20090910192811        195.95.151.176        Failed resolution        internetantivirusplus.com        http://internetantivirusplus.com/install/InternetExplorer.dll

20090910192816        195.95.151.176        Failed resolution        internetantivirusplus.com        http://internetantivirusplus.com/install/avplus.exe

20090910192823        195.95.151.176        Failed resolution        internetantivirusplus.com        http://internetantivirusplus.com/install/AntivirusPlus_ba.exe

20090910192829        195.95.151.176        Failed resolution        mybestantivirusplus.com        http://mybestantivirusplus.com/se.exe

20090910192835        195.95.151.176        Failed resolution        mybestantivirusplus.com        http://mybestantivirusplus.com/install/InternetExplorer.dll

20090910192841        195.95.151.176        Failed resolution        mybestantivirusplus.com        http://mybestantivirusplus.com/install/avplus.exe

20090910192848        195.95.151.176        Failed resolution        mybestantivirusplus.com        http://mybestantivirusplus.com/install/AntivirusPlus_ba.exe

20090910220405        195.95.151.176        Failed resolution        antivirusplus1.com        http://antivirusplus1.com/cfg/dmns.cfg

20090910223610        195.95.151.176        Failed resolution        avplus2010.com        http://avplus2010.com/install/AntivirusPlus.grn

20090910223619        195.95.151.176        Failed resolution        avplus2010.com        http://avplus2010.com/install/avplus.exe

20090910223625        195.95.151.176        Failed resolution        avplus2010.com        http://avplus2010.com/buy.php

20090910223630        195.95.151.176        Failed resolution        avplus2010.com        http://avplus2010.com/redirect.php

20090910224418        195.95.151.176        Failed resolution        antivirusplus1.com        http://antivirusplus1.com/cfg/dmns.cfg

20090912015912        195.95.151.174        Failed resolution        easyincomeprotection.cn        http://easyincomeprotection.cn/installer_90001.exe

20090912015922        195.95.151.174        Failed resolution        gilugmo.cn        http://gilugmo.cn/installer_70172.exe

20090912020121        195.95.151.174        Failed resolution        acajelu.cn        http://acajelu.cn/installer_1.exe

20090912020130        195.95.151.174        Failed resolution        akipahu.cn        http://akipahu.cn/installer_1.exe

20090912020140        195.95.151.174        Failed resolution        atoylev.cn        http://atoylev.cn/installer_70087.exe

20090912020145        195.95.151.174        Failed resolution        atuyfe.cn        http://atuyfe.cn/installer_70126.exe

20090912020212        195.95.151.174        Failed resolution        fexonhu.cn        http://fexonhu.cn/installer_1.exe

20090912020222        195.95.151.174        Failed resolution        gihugyx.cn        http://gihugyx.cn/installer_1.exe

20090912020231        195.95.151.174        Failed resolution        giwgeam.cn        http://giwgeam.cn/installer_1.exe

20090912020248        195.95.151.174        Failed resolution        gojaxty.cn        http://gojaxty.cn/installer_1.exe

20090912020300        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/cb/installs.php?id=1

20090912020306        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/cb/real.php?id=1

20090912020313        195.95.151.176        Failed resolution        megaantivirusplus.com        http://megaantivirusplus.com/redirect.php

20090912020458        195.95.151.174        Failed resolution        atuican.cn        http://atuican.cn/

20090912020506        195.95.151.174        Failed resolution        aveylpa.cn        http://aveylpa.cn/installer_70141.exe

20090912020513        195.95.151.174        Failed resolution        avyewi.cn        http://avyewi.cn/installer_1.exe

20090912020520        195.95.151.174        Failed resolution        awakuvi.cn        http://awakuvi.cn/

20090912020527        195.95.151.174        Failed resolution        awaviyh.cn        http://awaviyh.cn/

20090912020532        195.95.151.174        Failed resolution        awixys.cn        http://awixys.cn/

20090912020538        195.95.151.174        Failed resolution        awoenpa.cn        http://awoenpa.cn/

20090912020548        195.95.151.174        Failed resolution        axevoq.cn        http://axevoq.cn/installer_70159.exe

20090912020555        195.95.151.174        Failed resolution        axominy.cn        http://axominy.cn/installer_1.exe

20090912020627        195.95.151.174        Failed resolution        fimcuoj.cn        http://fimcuoj.cn/

20090912020634        195.95.151.174        Failed resolution        fisruba.cn        http://fisruba.cn/

20090912020641        195.95.151.174        Failed resolution        focunqa.cn        http://focunqa.cn/

20090912020648        195.95.151.174        Failed resolution        fogpak.cn        http://fogpak.cn/

20090912020658        195.95.151.176        Failed resolution        goodantivirusplus.com        http://goodantivirusplus.com/install/AntivirusPlus.grn

20090912020842        195.95.151.174        Failed resolution        bexazyj.cn        http://bexazyj.cn/installer_70159.exe

20090912024107        195.95.151.174        Failed resolution        azecuid.cn        http://azecuid.cn/installer_1.exe

20090912024153        195.95.151.174        Failed resolution        fidyqxo.cn        http://fidyqxo.cn/installer_1.exe

20090912024202        195.95.151.174        Failed resolution        gecyte.cn        http://gecyte.cn/installer_1.exe

20090920200647        195.95.151.176        Failed resolution        antivirus-plus09.com        http://antivirus-plus09.com/install/AntivirusPlus.exe

20090920200653        195.95.151.176        Failed resolution        antivirus-plus09.com        http://antivirus-plus09.com/install/avplus.exe

20090920200658        195.95.151.176        Failed resolution        antivirus-plus09.com        http://antivirus-plus09.com/install/InternetExplorer.dll

20090920200704        195.95.151.176        Failed resolution        antivirus-plus09.com        http://antivirus-plus09.com/se.exe

20090929015616        195.95.151.185        Failed resolution        scan.join2secureplace.com        http://scan.join2secureplace.com/download/smrtprt/install.php

20090929032538        195.95.151.185        Failed resolution        scan.helpyourpcsecuritynow.com        http://scan.helpyourpcsecuritynow.com:80/download/smrtprt/install.php?track_id=40039

20090929032543        195.95.151.185        Failed resolution        scan.helpyourpcsecuritynow.com        http://scan.helpyourpcsecuritynow.com:80/smrtprt_3/6/40039/

20090929203012        195.95.151.185        Failed resolution        195.95.151.185        http://195.95.151.185/download/smrtprt/install.php

20090929204317        195.95.151.185        Failed resolution        scan.join2secureplace.com        http://scan.join2secureplace.com:80/download/smrtprt/install.php?track_id=40039

20090930141221        195.95.151.180        Failed resolution        smartprotectpro.com        http://smartprotectpro.com/install/?track_id=10001

20090930141305        195.95.151.181        Failed resolution        gosmrtprt3.com        http://gosmrtprt3.com/install/?track_id=10001

20090930141920        195.95.151.176        Failed resolution        coolantivirusplus09.com        http://coolantivirusplus09.com/cfg/dmns.cfg

20090930141925        195.95.151.176        Failed resolution        coolantivirusplus09.com        http://coolantivirusplus09.com/buy.php

20090930141931        195.95.151.176        Failed resolution        coolantivirusplus09.com        http://coolantivirusplus09.com/se.exe

20090930141937        195.95.151.176        Failed resolution        coolantivirusplus09.com        http://coolantivirusplus09.com/redirect.php

20090930142059        195.95.151.185        Failed resolution        scan.helpyourpcsecuritynow.com        http://scan.helpyourpcsecuritynow.com/download/smrtprt/install.php

20090930142849        195.95.151.176        Failed resolution        coolantivirusplus09.com        http://coolantivirusplus09.com/install/avplus.exe

20090930165802        195.95.151.185        Failed resolution        scan.helpyourpcsecuritynow.com        http://scan.helpyourpcsecuritynow.com

20090930165808        195.95.151.185        Failed resolution        scan.helpyourpcsecuritynow.com        http://scan.helpyourpcsecuritynow.com/download/smrtprt/install.php?track_id=10001

20091001165819        195.95.151.185        Failed resolution        scan.todaybestpcscnas.com        http://scan.todaybestpcscnas.com/download/smrtprt/install.php

20091002170409        195.95.151.176        Failed resolution        realantivirusplus09.com        http://realantivirusplus09.com/redirect.php

20091002170416        195.95.151.185        Failed resolution        scan.webscantodaypc.com        http://scan.webscantodaypc.com/download/smrtprt/install.php?track_id=40014

20091003180400        195.95.151.185        Failed resolution        scan.unitedsecurityscans.com        http://scan.unitedsecurityscans.com/smrtprt_3/6/40033/

20091003180406        195.95.151.185        Failed resolution        scan.webscantodaypc.com        http://scan.webscantodaypc.com/download/smrtprt/install.php?track_id=40042

20091003180412        195.95.151.185        Failed resolution        scan.webscantodaypc.com        http://scan.webscantodaypc.com/smrtprt_3/6/40039/

20091010212343        195.95.151.185        Failed resolution        195.95.151.185        http://195.95.151.185

20091014001840        195.95.151.185        Failed resolution        scan.how2scanyourpcs.com        http://scan.how2scanyourpcs.com/smrtprt_3/6/40014/

20091014183446        195.95.151.176        Failed resolution        av-plus-2009.com        http://av-plus-2009.com/install/avplus.exe

20091014210133        195.95.151.185        Failed resolution        scan.how2scanyourpcs.com        http://scan.how2scanyourpcs.com/smrtprt_3/6/40033/

20091101131708        195.95.151.185        Failed resolution        scan.scanpcalertstoday.com        http://scan.scanpcalertstoday.com/smrtprt_3/6/40017/

20091101131722        195.95.151.185        Failed resolution        scan.securitymilescan.com        http://scan.securitymilescan.com/smrtprt_3/6/40033/

20091105131909        195.95.151.185        Failed resolution        scan.scanlookpcnow.com        http://scan.scanlookpcnow.com/download/smrtprt/install.php


We're not done, however; NET-UA-AS also have ties to other well-known malicious networks, such as:

AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko (81.25.128.0/21, 91.213.121.0/24)

Who house (amongst others) this lovely lot;

AS49536 DENTA-AS DENTAGLOBAL SYS (91.207.116.0/23)


20091101130942        91.207.117.220        Failed resolution        jatokfi.cn        http://jatokfi.cn/video.php

20091101131439        91.207.117.220
91.207.117.220        Failed resolution
Failed resolution        ns1.ns-free-acc7.com        http://ns1.ns-free-acc7.com

20091101131446        91.207.117.220        Failed resolution        ns2.ns-free-acc7.com        http://ns2.ns-free-acc7.com

20091101133854        91.207.117.220        Failed resolution        lesrynu.cn        http://lesrynu.cn/?wm=7036701059

20091105131234        91.207.116.55        Failed resolution        downloadavr8.com        http://downloadavr8.com/cgi-bin/download.pl

20091105131241        91.207.116.55        Failed resolution        downloadavr8.com        http://downloadavr8.com/dfghfghgfj.dll

20091108003134        91.207.117.176        Failed resolution        avirplus2009.com        http://avirplus2009.com/install/avplus.exe

20091115160033        91.207.117.176        Failed resolution        antiivirusplus.com        http://antiivirusplus.com/install/avplus.exe

20091115160739        91.207.116.55        Failed resolution        malware-scan.biz        http://malware-scan.biz/cgi-bin/get_exe.pl?adv=1100&p=9

20091115161816        91.207.116.55        Failed resolution        coolcount1.com        http://coolcount1.com/1097/e1.html

20091115162135        91.207.116.55        Failed resolution        malware-scan.biz        http://malware-scan.biz

20091115162408        91.207.116.55        Failed resolution        testavrdownnew.com        http://testavrdownnew.com/cgi-bin/get_exe.pl

20091115162934        91.207.116.55        Failed resolution        best-scan.com        http://best-scan.com

20091120101346        91.207.116.55        Failed resolution        downloadavr9.com        http://downloadavr9.com/cgi-bin/download.pl?code=0000058

20091120101354        91.207.116.55        Failed resolution        downloadavr9.com        http://downloadavr9.com/dfghfghgfj.dll

20091120101834        91.207.116.55        Failed resolution        malware-scaner.org        http://malware-scaner.org:80/cgi-bin/setup.pl?adv=1097&p=5

20091120104445        91.207.116.55        Failed resolution        downloadavr10.com        http://downloadavr10.com/cgi-bin/download.pl

20091120105143        91.207.117.220        Failed resolution        lisukaj.cn        http://lisukaj.cn/?wm=70352&st=of

20091120105204        91.207.116.55        Failed resolution        malware-scaner.biz        http://malware-scaner.biz/?code=1243

20091120110245        91.207.116.55        Failed resolution        white-xxx-tube.com        http://white-xxx-tube.com/cgi-bin/setuppatch.pl

20091120112820        91.207.117.176        Failed resolution        aviirusplus.com        http://aviirusplus.com/install/avplus.dll

20091120112823        91.207.117.176        Failed resolution        aviirusplus.com        http://aviirusplus.com/install/avplus.exe

20091120112850        91.207.116.55        Failed resolution        coolcount1.com        http://coolcount1.com/1138/e1.html

20091120113157        91.207.117.220        Failed resolution        iqoysab.cn        http://iqoysab.cn/

20091120113223        91.207.117.220        Failed resolution        kazyjdi.cn        http://kazyjdi.cn

20091120113223        91.207.117.220        Failed resolution        kazyjdi.cn        http://kazyjdi.cn

20091120113244        91.207.117.220        Failed resolution        lizugco.cn        http://lizugco.cn/

20091120113244        91.207.117.220        Failed resolution        lizugco.cn        http://lizugco.cn/

20091120113250        91.207.117.220        Failed resolution        lojatge.cn        http://lojatge.cn/?wm=7036701060

20091120113251        91.207.117.220        Failed resolution        lojatge.cn        http://lojatge.cn/?wm=7036701060

20091120113257        91.207.117.220        Failed resolution        lojatge.cn        http://lojatge.cn/installer.7036701060.exe

20091120113257        91.207.117.220        Failed resolution        lojatge.cn        http://lojatge.cn/installer.7036701060.exe

20091120113304        91.207.117.220        Failed resolution        lybokag.cn        http://lybokag.cn/

20091120113304        91.207.117.220        Failed resolution        lybokag.cn        http://lybokag.cn/

20091120113312        91.207.117.220        Failed resolution        lyqteip.cn        http://lyqteip.cn/

20091120113312        91.207.117.220        Failed resolution        lyqteip.cn        http://lyqteip.cn/

20091120113322        91.207.117.220        Failed resolution        macgum.cn        http://macgum.cn/

20091120113322        91.207.117.220        Failed resolution        macgum.cn        http://macgum.cn/

20091120113339        91.207.117.220        Failed resolution        mazhywe.cn        http://mazhywe.cn/

20091120113339        91.207.117.220        Failed resolution        mazhywe.cn        http://mazhywe.cn/

20091122183110        91.207.116.55        Failed resolution        coolcount1.com        http://coolcount1.com/cgi-bin/setup.pl?1138

20091122183117        91.207.116.55        Failed resolution        coolcount1.com        http://coolcount1.com/cgi-bin/go.jpg

20091122183124        91.207.116.55        Failed resolution        coolcount1.com        http://coolcount1.com/cgi-bin/logo.gif

20091124151805        91.207.116.55        Failed resolution        pc-scanner.info        http://pc-scanner.info/?code=1138

20091124151821        91.207.116.55        Failed resolution        pc-scanner.info        http://pc-scanner.info/cgi-bin/setup.pl?adv=1138&p=5

20091124192005        91.207.116.55        Failed resolution        malware-scaner.biz        http://malware-scaner.biz/cgi-bin/setup.pl?adv=1243&p=5

20091125000124        91.207.116.55        Failed resolution        pc-scanner.net        http://pc-scanner.net/?code=1140


Both of these networks are dedicated to malicious activity from what I've seen.

Anyone else seeing a pattern here? It's begging the question of why RETN aren't putting a stop to this. They're the ones providing the upstream connectivity, so surely, as was done to Riccom a few weeks ago, they could shut this lot down?

There's also a connection here, to Rise:

http://www.robtex.com/asmacro/as-rise.html

Which has ties to NETASSIST (and yep, so do 3 of the above). NETASSIST have ties to the likes of root eSolutions and several other Ukrainian ASes;

http://www.robtex.com/as/as29632.html#peer

I'm looking forward to RETN's explanation for this one, whatever it may be.