I've likely missed quite a few since my sleeping meds knocked me out for a considerable amount of time (2300 until approx 0900 this morning), but those I've caught so far include:
As you'll note, there's no more on Interserver since the last post, but it's not been suspended yet, given one of the IPs is still spewing the malicious file (501b010046accf0f6755a85588a5ebd0 as of 2 seconds ago). I've finally had someone from Interserver contact me via e-mail, following my follow-up call to them yesterday, but he's having problems reproducing the instructions I provided.
References
Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html