And in todays firing line, competing with the rest for the title of worlds most crimeware friendly ISP, we have AS8206, Latvian based ISP, Junik-Riga-LV.
Junik is being listed for 2 very specific reasons, they're providing connectivity for;
AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
AS49314 NEVAL PE Nevedomskiy Alexey Alexeevich
Oh dear, this isn't going to end well is it?
Neval has been home to a plethora of malicious content over the years, and like a few others, I've not yet seen a single legit domain hosted over there. Criminals they DO however host include the miscreants responsible for the YES exploit pack who are housed at say-yes.biz (91.212.198.156).
Not exactly hiding what they're offering are they? (hat tip to SysAdMini for the heads up)
Then of course, there's the usual selection of rogues such as mcafee-malware.com, which is housed at 91.212.198.236, or this piece of malicious goodness (sadly, only one vendor is detecting this at the time of writing this), which is housed at dowmowvid.ru which was living on 91.212.198.171 and has now moved to another criminal network, 91.213.121.122 (AS24826 KHARKOV-TERMINALS-AS PE Viktor Nastechenko, see here).
Indeed, I'll tell you what, just pick ANY domain within the Neval network, and you'll find it's involved in malicious activity of one description or another.
And then we get to VolgaHost, which is yet another network whose connectivity is provided by Junik, that doesn't contain a single legit domain. Every single one is involved in either exploits or malware of one description or another (ZeUs and Fragus exploits primarily). For example;
http://www.malwareurl.com/search.php?s=AS29106
http://www.malwaredomainlist.com/mdl.php?search=91.213.174&colsearch=All&quantity=50
hosts-file.net/?s=91.213.174&direct=1&view=history
http://www.robtex.com/cnet/91.213.174.html
One can't help wondering why Junik are allowing this to continue, especially given neither VolgaHost nor Neval are exactly trying to hide it. Well Junik - care to explain yourselves?
Until they do bother to boot these criminals, I'd personally recommend everyone blackhole their ranges. Sadly, this seems to be the only way these ISP's are going to learn.
Saturday, 16 January 2010
Subscribe to:
Post Comments (Atom)
2 comments:
Keep the good data coming dude. Every time you give me a new nasty AS record as bad, I incorporate.
Query, if you want credit, what should I credit, you, or one of your sites?
Zap :)
No credit required, just happy to help :o)
Post a Comment