If you've been anywhere online lately, especially Google or the likes, you'll no doubt have noticed or read about, the blackhat SEO campaigns. One of the many ISP's involved, whether deliberately or otherwise, is EuroConnex. This ISP has an excessively large amount of malicious domains currently present within their network.
One of the most recent I came across, was actually whilst writing this, or rather, whilst considering writing this (was deciding whether to write about EuroConnex or Ecatel, thought I'd leave Ecatel till next time). As you can see from the above screenshot, this is you're typical fake scan page, that tells you your computer is so badly infected that you really really really, need their "software" (don't worry, by the time they're finished, it will definately be really really really, infected). The site that is responsible for taking you there (and bear in mind, this is one of thousands), is;
www3.xsssuez.2y.net/seroundrth.html
IP: 94.76.205.176
IP PTR: 94-76-205-176.static.as29550.net
ASN: 29550 94.76.192.0/18 EUROCONNEX-AS Blueconnex Networks Ltd
Which appeared in the Google results. It's worth noting, as with the vast majority of these, it'll only work if you give it the correct referrer. Further, I had flash and ActiveX disabled when clicking it (will load it on the test machine later), so you'll possibly see different results if you've got these enabled (you'll no doubt end up with the same resulting site, and the same infections). The site takes you to the following if you've got Flash/ActiveX disabled;
Clicking either of the "results" shown here, results in your being taken to;
online-spyware-remover.com/secure1/?id=259b4c25aa08557e7c8892c5d64253db
IP: 78.129.166.11
IP PTR: bod11.i0waterford.net
ASN: 29131 78.129.128.0/17 RAPIDSWITCH-AS RapidSwitch Ltd
Side note: No, I'm not surprised to see RapidSwitch here either, but that's for another article
Which then infects you courtesy of;
lisoft.eu/get.php?sc=1&id=259b4c25aa08557e7c8892c5d64253db
IP: 91.212.107.37
IP PTR: Resolution failed
ASN: 29550 91.212.107.0/24 EUROCONNEX-AS Blueconnex Networks Ltd
Which downloads as win_protection_update.exe, which is 1.88MB of malicious goodness.
VirusTotal results
http://www.virustotal.com/analisis/5b98079b510d4b46a2850b972b20f2afed963cc22625373f9e767a5528ebbb02-1258058290
EuroConnex have not surprisingly, been completely unresponsive, just like many others, and due to the sheer amount that is on their network (over 500 recorded domains on 91.212.107.0/24 alone), I wouldn't be surprised to find they're directly involved (note this is only a suspicion, not fact).
I'm posting this article for two main reasons. First and foremost, because I'd like to see people blackholing the networks responsible for this rubbish, until they "clean house" as it were, and secondly because I'd like to hope (yep, I know), that they'll finally take security and responsibility seriously, and boot those responsible for filling their networks with this rubbish, instead of focusing on lining their own pockets instead.
Thursday 12 November 2009
Subscribe to:
Post Comments (Atom)
3 comments:
OMG... What a can of worms this AS29550 EUROCONNEX is!
http://www.robtex.com/as/as29550.html#bgp
It looks like they scraped up and bought a bunch of orphaned netblocks, formed them into one AS record, and are now using them as disposable IPs for various nefarious actions.
Or am I reading this wrong?
Lacks guidance to the ordinary user whose computer is raging all over the place to unsummoned searches and then warning windows demand one goes to online-spyware-remover.org.
I'm resisting, but what am I supposed to do to make my computer work right?
Apologies for not mentioning that.
If you're having problems with an infection, please pop over to either of the following, and we'll help you clean it up;
http://www.malwarebytes.org/forums/index.php?showtopic=9573
http://temerc.com/forums/viewforum.php?f=12
Post a Comment