Turkish based ISP, VITAL TEKNOLOJI (AS44565) have been appearing on my radar for quite some time, and not under the most flattering of terms - they've been and continue to be, home to a major source of badness. Namely, exploits and fake AV's.
They actually have several ranges under their control, the most active of which are;
I can't say which has been the worst of the lot, as there's been badness across every single one so far. 220.127.116.11/21 has been the least active of the 3 over the past week or three.
By far the biggest problem across these ranges has been with fake AV's and exploits, just some of which includes;
Rather interestingly, I have noticed they've stopped bothering trying to make it a challenge to identify the payloads when it comes to the fake AV's. No longer do I have to actually decode anything or run anything, I just grab the source and look for a line such as the following;
Replace .html (also seen as .jpg and .php) with .php and voila, you've got your payload (had to point that out to Jerome at Paratologic last month incidentally).
They also seem to be keeping the redirection domains in place a little longer than previously. For example;
All of which, still reside at 18.104.22.168, which I'm sure you'll recognize as being from the equally crimeware friendly Eveloz.
Annoyingly however, there's still a plethora of this to be found via the likes of Google (yep I know, surprise surprise).