Turkish-based ISP VITAL TEKNOLOJI (AS44565) has been appearing on my radar for quite some time, and not under the most flattering of terms: it has been, and continues to be, home to a major source of badness, namely exploits and fake AVs.
They actually have several ranges under their control, the most active of which are:
79.171.16.0/21
93.186.112.0/20
188.124.0.0/19
I can't say which has been the worst of the lot, as there's been badness across every single one so far. 79.171.16.0/21 has been the least active of the three over the past week or three.
By far the biggest problem across these ranges has been with fake AVs and exploits, just some of which include:
20100301005241 188.124.7.148 static.vitalhosting.com.tr www1.free-scan-and-allcure.in http://www1.free-scan-and-allcure.in/build6_195.php?cmd=sendFile&counter=1&p=p52dcWltbV%2FCj8bYboNuilik12qYVp%2FZatrauZqqppeLw8ydb5aYfX1sXq3VmaGXYmRhaGiammObZFbZocTY2KR0Y1zWnomtm6ilmXVanqLNkqGMp5mSq29ezZ2faGKUYJySlGNqYGubh9WemHGhqKykcmiQpNvdX5eco5mkyVvFn52VoMjF1ZSfcZ7RnsinWJWmpHOldZzJltDLXJWOpqag1aLDm5WRkczF0ZKZpK%2FGz4man6R0p6epqpzGlsijn5Gjl56hyZvWXZbMU8TR02ypnrCikqVseXuAgJeZppjAjLm5Y2NeWpOl1GjLlW27gamRm1eYn6agwtR2alqaoahvp6qeU9jZbmFfamlslGCbZmOModaWoGJpaG2ZkZZyaGdfl5txf3s%3D
20100303181740 188.124.5.165 static.vitalhosting.com.tr 188.124.5.165 http://188.124.5.165/index.html
20100303181745 188.124.5.165 static.vitalhosting.com.tr 188.124.5.165 http://188.124.5.165/hitin.php?land=20&affid=92800
20100303181748 188.124.5.165 static.vitalhosting.com.tr 188.124.5.165 http://188.124.5.165/downloader.php?affid=92800
20100304210208 188.124.3.233 static.vitalhosting.com.tr 188.124.3.233 http://188.124.3.233/a/go.php
20100304210221 188.124.5.170 static.vitalhosting.com.tr 188.124.5.170 http://188.124.5.170/index.html
20100304210229 93.186.127.201 static.vitalhosting.com.tr 93.186.127.201 http://93.186.127.201/hitin.php?land=20&affid=92800
20100304210232 188.124.5.170 static.vitalhosting.com.tr 188.124.5.170 http://188.124.5.170/hitin.php?land=20&affid=92800
20100304210234 93.186.127.201 static.vitalhosting.com.tr 93.186.127.201 http://93.186.117.22/2_2fb798.php?&affid=92800
20100304210237 188.124.5.170 static.vitalhosting.com.tr 188.124.5.170 http://188.124.5.170/2_2fb798.php?affid=92800
20100304225141 93.186.117.22 static.vitalhosting.com.tr 93.186.117.22 http://93.186.117.22/index.html
20100304225147 93.186.117.22 static.vitalhosting.com.tr 93.186.117.22 http://93.186.117.22/hitin.php?land=20&affid=92800
20100304225149 93.186.117.22 static.vitalhosting.com.tr 93.186.117.22 http://93.186.117.22/2_21eb39.php?affid=92800
20100304225154 188.124.5.170 static.vitalhosting.com.tr 188.124.5.170 http://188.124.5.170/2_21eb39.php?affid=92800
20100305020416 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/exe/yamba.exe
20100305020418 188.124.16.18 static.vit.com.tr huil.in http://huil.in/x/severa.exe
20100305120736 93.186.118.48 static.vitalhosting.com.tr convira.com http://convira.com/px/
20100307203817 79.171.22.154 static.vitalhosting.com.tr candlewq.com http://candlewq.com/tst/porta/reastrn.pdf
20100307204211 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/exe/dogma.exe
20100307205413 188.124.9.69 static.vitalhosting.com.tr arraysaw.net http://arraysaw.net/files/goofybeautiful.pdf
20100307205448 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdfnew.php
20100307205825 188.124.16.35 static.vit.com.tr itkornoval.in http://itkornoval.in/x/pdfnew.php
20100307205902 188.124.16.35 static.vit.com.tr koren.in http://koren.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583
20100307210300 188.124.16.35 static.vit.com.tr vesen.in http://vesen.in/x/pdfnew.php
20100307210302 188.124.16.35 static.vit.com.tr vesen.in http://vesen.in/x/pdfnew.php?src=boss&id=bomba
20100307210455 188.124.16.35 static.vit.com.tr www.vesen.in http://www.vesen.in/x/pdfnew.php
20100307210651 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdf.php?src=tb&id=766
20100307210653 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdf.php?src=tb&id=887
20100307210656 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdfnew.php?src=tb&id=766
20100307210658 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdfnew.php?src=tb&id=887
20100307210905 188.124.16.35 static.vit.com.tr landoftraffic.in http://landoftraffic.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583
20100307210907 188.124.16.35 static.vit.com.tr landoftraffic.in http://landoftraffic.in/x/pdfnew.php
20100307211215 79.171.22.154 static.vitalhosting.com.tr ttcandle.com http://ttcandle.com/kavo/nitbjs.php
20100307211217 79.171.22.154 static.vitalhosting.com.tr ttcandle.com http://ttcandle.com/kavo/stard/owareyo.pdf
20100307211542 93.186.127.45 static.vitalhosting.com.tr 93.186.127.45 http://93.186.127.45/downloader.php
20100307212047 188.124.16.19 static.vit.com.tr huil.in http://huil.in/x/pdfnew.php
20100307212111 188.124.16.35 static.vit.com.tr itkornoval.in http://itkornoval.in/x/pdf.php?src=tb&id=992
20100307212148 188.124.16.35 static.vit.com.tr koren.in http://koren.in/x/pdf.php?src=tb&id=992
20100307212150 188.124.16.35 static.vit.com.tr landoftraffic.in http://landoftraffic.in/x/pdf.php?src=tb&id=992
20100307212548 188.124.16.35 static.vit.com.tr vesen.in http://vesen.in/x/pdf.php?src=tb&id=992
20100307212814 188.124.5.151 static.vitalhosting.com.tr 188.124.5.151 http://188.124.5.151/a_adc40d.php
20100307214641 188.124.5.155 static.vitalhosting.com.tr 188.124.5.155 http://188.124.5.155/1_1af700.php
20100307222224 188.124.9.53 static.vitalhosting.com.tr analiticdirect.com http://analiticdirect.com/n/g/index.php
20100307223719 93.186.127.53 static.vitalhosting.com.tr 93.186.127.53 http://93.186.127.53/a_ad3c19.php
20100307223738 188.124.9.69 static.vitalhosting.com.tr arraysaw.net http://arraysaw.net/files/g.i.surprise.pdf
20100307224321 188.124.16.35 static.vit.com.tr koren.in http://koren.in:80/x/pdf.php?src=tb&id=766
20100307225037 188.124.5.156 static.vitalhosting.com.tr 188.124.5.156 http://188.124.5.156/2_27f754.php
20100307225335 188.124.9.69 static.vitalhosting.com.tr arraysaw.net http://arraysaw.net/newload.php?ids=MDAC
20100307225614 188.124.16.35 static.vit.com.tr koren.in http://koren.in/x/?id=766&hash=a25144ea1f7195206c5f614241cd4844
20100307225616 188.124.16.35 static.vit.com.tr koren.in http://koren.in/x/pdfnew.php
20100307230040 188.124.16.35 static.vit.com.tr www.koren.in http://www.koren.in/x/pdfnew.php
20100307230426 188.124.9.69 static.vitalhosting.com.tr arraysaw.net http://arraysaw.net/files/eccentricbamboo.pdf
20100307230817 188.124.16.35 static.vit.com.tr koren.in http://koren.in/x/pdfnew.php?src=marcos&id=bomba
20100307230819 188.124.16.35 static.vit.com.tr koren.in http://koren.in:80/x/pdfnew.php?src=marcos&id=bomba
20100307231337 188.124.16.35 static.vit.com.tr vesen.in http://vesen.in/x/pdf.php?src=boss&id=bomba
20100307233447 188.124.16.35 static.vit.com.tr vesen.in http://vesen.in/x/?html=1&id=992&hash=6339a5f067adeab2eb7cd0e942c81583
20100308145215 188.124.9.56 static.vitalhosting.com.tr solaruploader.com http://solaruploader.com/46.exe
20100309194542 93.186.118.53 static.vitalhosting.com.tr getbonuszcheck.biz http://getbonuszcheck.biz/crystal/help.exe
20100309195112 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=sHVSkgmfwI
20100309195409 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=tzrLKzfWDY
20100309195411 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/exe/severa.exe
20100309195414 188.124.16.18 static.vit.com.tr kornoval.in http://kornoval.in/counter/jar.jar
20100309195515 188.124.16.18 static.vit.com.tr kornoval.in http://kornoval.in/counter/pdf.php?src=
20100309195623 188.124.16.18 static.vit.com.tr kornoval.in http://kornoval.in/counter/exe.php?src=&x=jas
20100309195626 188.124.16.18 static.vit.com.tr kornoval.in http://kornoval.in/counter/exe.php?src=&x=mdac
20100309195628 188.124.16.18 static.vit.com.tr kornoval.in http://kornoval.in/counter/exe.php?src=&x=snap
20100309195745 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/load.php?id=CNwdYyWTfvsmxDY&src=&requestID=fdJhxQSJOF
20100309201412 93.186.117.25 static.vitalhosting.com.tr 93.186.117.25 http://93.186.117.25/7_7575fc.php
20100309231412 188.124.5.65 static.vitalhosting.com.tr www2.asdsystemms.in http://www2.asdsystemms.in/?uid=213&pid=3&ttl=e154c66797c
20100310142908 188.124.3.233 static.vitalhosting.com.tr 188.124.3.233 http://188.124.3.233/a/go.php?p=3778410
20100311010024 93.186.117.26 static.vitalhosting.com.tr 93.186.117.26 http://93.186.117.26/index1.html
20100311010035 93.186.117.26 static.vitalhosting.com.tr 93.186.117.26 http://93.186.117.26/hitin.php?land=20&affid=92800
20100311010038 93.186.117.26 static.vitalhosting.com.tr 93.186.117.26 http://93.186.117.26/d_d09259.php?affid=92800
20100311213244 93.186.117.30 static.vitalhosting.com.tr 93.186.117.30 http://93.186.117.30/hitin.php?land=20&affid=92800
20100311213247 93.186.117.30 static.vitalhosting.com.tr 93.186.117.30 http://93.186.117.30/5_52254f.php?affid=92800
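To make a hit list like the one above usable for blocking and triage, it helps to parse it, attribute each hit to one of the three announced prefixes, and pull out the direct payload URLs (.exe, .pdf, .jar) and any record where the logged host and the URL's host disagree. The following is an added example of that, not code from the original post; the record layout (timestamp, source IP, reverse DNS, host, URL) is inferred from the lines above, and the sample records are copied from them.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# The three prefixes named in the post.
VITAL_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("79.171.16.0/21", "93.186.112.0/20", "188.124.0.0/19")]

# Sample records copied from the hit list in the post.
# Layout (assumed from the list): timestamp, IP, reverse DNS, host, URL.
SAMPLE_LOG = """\
20100303181745 188.124.5.165 static.vitalhosting.com.tr 188.124.5.165 http://188.124.5.165/hitin.php?land=20&affid=92800
20100304210234 93.186.127.201 static.vitalhosting.com.tr 93.186.127.201 http://93.186.117.22/2_2fb798.php?&affid=92800
20100305020416 188.124.16.18 static.vit.com.tr horovod.in http://horovod.in/soft/exe/yamba.exe
20100307203817 79.171.22.154 static.vitalhosting.com.tr candlewq.com http://candlewq.com/tst/porta/reastrn.pdf
20100307205448 188.124.16.35 static.vit.com.tr bodeg.in http://bodeg.in/x/pdfnew.php
20100308145215 188.124.9.56 static.vitalhosting.com.tr solaruploader.com http://solaruploader.com/46.exe
"""

LINE_RE = re.compile(r"^(\d{14})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PAYLOAD_EXTS = (".exe", ".pdf", ".jar")


def parse_line(line):
    """Split one record into its five fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, rdns, host, url = m.groups()
    return {"ts": ts, "ip": ipaddress.ip_address(ip), "rdns": rdns,
            "host": host, "url": url}


def matching_prefix(ip):
    """Return the announced prefix (as a string) containing ip, or None."""
    ip = ipaddress.ip_address(ip)
    for net in VITAL_PREFIXES:
        if ip in net:
            return str(net)
    return None


def summarise(log_text):
    """Hits per prefix, hosts seen per prefix, direct payload URLs, host/URL mismatches."""
    hits = Counter()
    hosts = defaultdict(set)
    payload_urls = []
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prefix = matching_prefix(rec["ip"]) or "other"
        hits[prefix] += 1
        hosts[prefix].add(rec["host"])
        parts = urlsplit(rec["url"])
        if parts.path.lower().endswith(PAYLOAD_EXTS):
            payload_urls.append(rec["url"])
        # A URL pointing at a different host than the one logged is worth a second look.
        if parts.hostname != rec["host"]:
            mismatches.append(rec["url"])
    return {
        "hits_by_prefix": dict(hits),
        "hosts_by_prefix": {k: sorted(v) for k, v in hosts.items()},
        "payload_urls": payload_urls,
        "url_host_mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

On the six sample records this attributes four hits to 188.124.0.0/19 and one each to the other two prefixes, lists the three direct payload URLs, and flags the record whose URL points at 93.186.117.22 while the hit was logged against 93.186.127.201.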
Rather interestingly, I have noticed they've stopped bothering to make it a challenge to identify the payloads when it comes to the fake AVs. I no longer have to decode or run anything; I just grab the source and look for a line such as the following:
dl_755e = '7_755eab.html';
Replace .html (also seen as .jpg and .php) with .php and voila, you've got your payload (I had to point that out to Jerome at Paratologic last month, incidentally).
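The check just described, as an added example rather than code from the post: scan fetched landing-page source for assignments of the `dl_` form quoted above, swap whatever extension they carry (.html, .jpg or .php) for .php, and resolve the result against the page URL to get the payload URL to block. The `dl_` prefix is assumed to be consistent across pages, and the page source and URL below are constructed.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for a fake AV landing page; the dl_ line mirrors the one quoted in the post.
SAMPLE_SOURCE = """\
<script>
dl_755e = '7_755eab.html';
var img_755e = "7_755eab.jpg";
document.write('<img src="' + img_755e + '">');
</script>
"""
SAMPLE_PAGE_URL = "http://landing.example/index.html"  # placeholder, not from the post

# dl_<hex> = '<name>.<ext>';  with single or double quotes and any of the three extensions seen.
DL_RE = re.compile(r"""\bdl_[0-9a-f]+\s*=\s*['"]([^'"]+?)\.(html|jpg|php)['"]\s*;""",
                   re.IGNORECASE)


def payload_names(source):
    """Payload filenames derived from dl_* assignments, in order, without duplicates."""
    names = []
    for stem, _ext in DL_RE.findall(source):
        php_name = f"{stem}.php"
        if php_name not in names:
            names.append(php_name)
    return names


def payload_urls(page_url, source):
    """Resolve each derived filename relative to the landing page URL."""
    return [urljoin(page_url, name) for name in payload_names(source)]


if __name__ == "__main__":
    for url in payload_urls(SAMPLE_PAGE_URL, SAMPLE_SOURCE):
        print(url)
```

Only the `dl_` assignment is matched, so the `img_` line with the same stem is ignored, and the .jpg and .php variants the author mentions collapse to the same .php name.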
They also seem to be keeping the redirection domains in place a little longer than previously. For example:
freshgetline.net/redirect/
freshgetline.net/redirect2/
freshgetline.net/redirect3/
freshgetline.net/redirect4/
safetytripstyle.net/redirect/
safetytripstyle.net/redirect2/
safetytripstyle.net/redirect3/
safetytripstyle.net/redirect4/
gosafezone.net/redirect/
gosafezone.net/redirect2/
gosafezone.net/redirect3/
gosafezone.net/redirect4/
All of which still reside at 200.63.46.130, which I'm sure you'll recognize as being from the equally crimeware-friendly Eveloz.
Annoyingly, however, there's still a plethora of this to be found via the likes of Google (yep, I know, surprise surprise).