Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 10 December 2009

BlueConnex/EuroConnex (AS29550): Riccom LTD (91.212.107.*, AS49038,

Dear BlueConnex/EuroConnex, I wonder if you'd mind explaining to the ladies and gents of the internet, why you have STILL not booted Riccom? Why you continue providing connectivity for them, despite their not being a single legit domain within their IP range!.

BlueConnex/EuroConnex's still providing connectivity is the reason they got a mention in the crimeware friendly ISP's listings, and sadly, to date, there has still not been so much as an auto-response to e-mails sent to them.

There's a whole host of malicious goodness currently over there, and amongst them, is, which of course, is a malicious version of the real, run by my friend Anthony (you'll also notice, it's exactly the same impersonation as the one documented concerning by the way, takes you through;

hxxps:// is hosted at (AS5577 ROOT root eSolutions), and is hosted at (AS49981 WORLDSTREAM WorldStream). The SSL certificate is provided by Thawte (anyone awake over there?).

Then there's, also valid as;

All of which, resolve to And of course, all of which, will give your PC some malicious goodness it'll never forget;

Wepawet results:

Virus Total results (18/41): win_protection_update.exe

There's currently well over 500 domains in hpHosts for the Riccom range, with 700 or so, in the historical records.

Historical records for:

hpHosts listings for:

Note: I've still not gotten round to writing the monitor to keep the IP's in hpHosts, up to date, so it's possible some of the domains are either dead, or have moved elsewhere. The current validation results for those listed in hpHosts, as of 2 seconds ago, can be found at;

hpObserver validation results for:

The current list of domain names for those that want them, is;

If you know of a domain that's also hosted on this range, that is not listed in hpHosts, please do feel free to drop by the hpHosts forums and let me know.

The net-block info for this range is;

inetnum: -
netname: Riccom-NET
descr: Riccom LTD
descr: The research center of Cyprys
country: CY
org: ORG-RL70-RIPE
admin-c: MC16000-RIPE
tech-c: MC16000-RIPE
mnt-by: MNT-RICCOM
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-RICCOM
mnt-routes: blueconnex-mnt
mnt-routes: MNT-EUKHOST
mnt-domains: MNT-RICCOM
source: RIPE # Filtered

organisation: ORG-RL70-RIPE
org-name: Riccom LTD
org-type: OTHER
address: 89 Digenis Akritas Ave, Nicosia, Cyprus
mnt-ref: MNT-RICCOM
mnt-by: MNT-RICCOM
source: RIPE # Filtered

person: Marios Christos
address: 89 Digenis Akritas Ave, Nicosia, Cyprus
phone: +357-02-447121
nic-hdl: MC16000-RIPE
mnt-by: MNT-RICCOM
source: RIPE # Filtered

:: Information related to ''

descr: Riccom route object
mnt-by: MNT-RICCOM
mnt-by: blueconnex-mnt
origin: AS29550
source: RIPE # Filtered

Additional resources

MalwareURL: AS49038

MalwareURL: AS29550

MalwareDomainList: AS29550

Clean-MX: 91.212.107.* desc&review=91.212.107.%

No comments: