Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 27 December 2009

Crimeware-friendly ISPs: Eveloz (AS27716, 200.63.40.0/21, 200.63.48.0/23, 190.5.224.0/22)

The topic today is blackhat SEO, fake AVs and phishing. The culprit responsible for this boatload of maliciousness is Eveloz (AS27716).

Eveloz has 3 upstream providers, namely:

AS11556 PA-CAPA2-LACNIC Cable-Wireless Panama
AS14551 ALTERNET-SA-AS UUNET Technologies
AS23520 NEWWORLDNETWORK New World Network USA, Inc.

Eveloz is also directly related to Panamaservers.com, an ISP with a history of badness. This post isn't the place for that, however, so I'll go into it at a later date.

You'll note I've blogged recently (as have others) about the blackhat SEO campaigns on Google (and there are similar campaigns on the other search engines). Most of these have one thing in common: the redirector. The most recent redirector, or MITM (man in the middle), is protectcareone.net, which resides at 200.63.46.130. This domain uses the following redirectors:

/in.cgi?{NO}
/redirect/
/redirect2/
/redirect3/
/redirect4/

The redirector you're taken to (1-4) seems to vary depending on the domain, but all 4 will take you to various infections (the target domain appears to change every 12-24 hours, so I'd suggest monitoring it constantly). At present, these are:

/redirect/
-> goscanmoth.com/?uid=13400
--> cunamot.cn/?uid=13400
---> cunamot.cn/download/install.php?uid=13400 (Internet Antivirus Pro)

IP: 193.169.235.5
ASN 32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST - GigeNET

IP: 193.169.235.6
ASN 32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST - GigeNET

/redirect2/
-> family2reunion.com/go.php?id=2004&key=ff0057594&d=1

IP: 66.232.102.67
ASN: 29802 66.232.102.0/19 HVC

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP, perhaps?).

/redirect3/

-> new-proper.cn/?pid=283s01&sid=2a15a0

IP: 95.143.192.52
ASN: 49770 SERVERCONNECT-AS ServerConnect Sweden AB

At the time of publishing, this one is returning a 404 for me for the payload (blocked IP, perhaps?).

/redirect4/
-> onlinenonmalware.com/hitin.php?land=20&affid=92800
--> onlinenonmalware.com/index.php?affid=92800
---> onlinenonmalware.com/downloader.php?affid=92800 (System Security variant)

IP: 193.104.153.245
ASN: 5577 193.104.153.0/24 ROOT root eSolutions

Over the past couple of weeks or so, only the first and fourth have resulted in an actual payload being delivered for me; the second and third have failed (the second with what looks like a fake 404, suggesting they've got all of my IPs blocked, and the third keeps timing out).
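As an added example (not code from the post), here is a small Python helper that parses the chain notation used above into hops, pulls out the final payload host per redirect path so two snapshots can be compared for the 12-24 hour rotation, and emits hosts-file block entries for every hostname seen. The sample chains are constructed from the /redirect/ and /redirect4/ listings above; the redirector name passed in as an extra entry is the one named in the post.

```python
from urllib.parse import urlsplit

# Constructed sample in the post's own chain notation (arrow depth = hop number).
CHAINS = """\
/redirect/
-> goscanmoth.com/?uid=13400
--> cunamot.cn/?uid=13400
---> cunamot.cn/download/install.php?uid=13400 (Internet Antivirus Pro)

/redirect4/
-> onlinenonmalware.com/hitin.php?land=20&affid=92800
--> onlinenonmalware.com/index.php?affid=92800
---> onlinenonmalware.com/downloader.php?affid=92800 (System Security variant)
"""

def parse_chains(text):
    """Return {redirect_path: [(depth, hostname, url, label), ...]}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):            # a new /redirectN/ section
            current = line
            chains[current] = []
            continue
        arrow, _, rest = line.partition(" ")
        if current is None or not arrow.endswith(">"):
            continue                        # not a hop line
        url, label = rest, ""
        if rest.endswith(")") and " (" in rest:
            url, label = rest.rsplit(" (", 1)   # trailing "(payload name)"
            label = label[:-1]
        host = urlsplit("http://" + url).hostname
        chains[current].append((arrow.count("-"), host, url, label))
    return chains

def payload_hosts(chains):
    """Final hop of each chain: the host that actually serves the fake AV."""
    return {path: hops[-1][1] for path, hops in chains.items() if hops}

def rotated(old, new):
    """Paths whose payload host changed between two payload_hosts() snapshots."""
    return {p: (old.get(p), new.get(p)) for p in new if old.get(p) != new.get(p)}

def hosts_entries(chains, extra=()):
    """hpHosts-style HOSTS lines: every hop hostname plus extras, deduplicated, sorted."""
    hosts = {h for hops in chains.values() for _, h, _, _ in hops} | set(extra)
    return ["127.0.0.1\t" + h for h in sorted(hosts)]
```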

Whilst quite obviously annoyed at Google and the like for not doing enough to remove the results from their indexes to begin with, I find myself increasingly annoyed with their upstreams for allowing this behaviour to continue.

Eveloz, for example, if we look at just one of their ranges, doesn't have so much as a single legitimate domain: every single one is either delivering malware or hosting phishing scams.

I've got a router to change over now, however, so we'll come back to this later.

3 comments:

govert said...

Hi Steven,

The inbetweenie "protectcareone.net" now redirects to a server at 95.143.192.169, again in Serverconnect's range. Serverconnect seems to be interested in getting on the list of crimeware-friendly companies ....

Regards,

Govert

MysteryFCM said...

Nice one, cheers :o)

Zaphod said...

Looks like they've spread into 64.11x.x.x land...

http://www.robtex.com/as/as27716.html#bgp

Zap :)