Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 25 April 2010

Crimeware friendly ISPs: Alantron BLTD

Accredited by ICANN as of March 25th 2010, the Turkey-based registrar Alantron (alantron.com, 212.175.233.69 - mailer2.alantron.com, TurkTelecom AS9121) has been a thorn in the side of the internet community: so far I have not seen a single legitimate domain registered by their "customers". Every single one has been either spam/fraud (1, 2, 3), malware (1) or exploits.

If you remember, I reported previously on Alantron's WhoIs service being unavailable. The good news is that ICANN sent them notice to correct this on April 16th (PDF here), and checks show their WhoIs is now working (I can't take credit for this one; that's thanks to someone else).

Domains known to have been registered through this registrar include several fake AV MITMs, the latest of which, frodocomeon.net (200.63.46.130 - 27716 200.63.46.0/24 Eveloz), was registered on March 17th.

Although only accredited recently, Alantron has been churning out this rubbish for quite a while, and to be honest, this has me puzzled as to what ICANN were thinking when they accredited them.

MDL records show only a small number of entries for this registrar, which is unusual (I'm going to look into that, as I know there are a heck of a lot more); most of these are Zeus related, from 2009:

http://www.malwaredomainlist.com/mdl.php?search=alantron&colsearch=All&quantity=100&inactive=on

MalwareURL has even fewer, so far anyway, all of which are fake AV related:

http://www.malwareurl.com/search.php?domain=&s=alantron&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

I'll get in touch with Anthony (MalwareURL) and fellow MDL admin Holger later today concerning this, and will update this blog in due course.
