Well that didn't take them long. They're back to .in domains, and have moved to the well known SwiftWay (AS35017).
New payload URL:
rhyzilch.in/FlashPlayer.40028.exe
IP: 46.21.159.228
PTR: 228.159.21.46.inferno.name
MD5: 42a61ad4f894d9d21434cc5d5819aaef
This /24, as with all SwiftWay ranges, is of course no stranger to malicious content, having hosted everything from fake AVs to trojans, and even fake meds. Rather confusing then, that they've moved it here, given most should already have this range blackholed? Though perhaps not so confusing when you notice the PTR - inferno.name, a "host" already well established as criminal friendly.
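A defender-side check for the indicators above, added here as an example and not part of the original post: it scans download logs for the payload host, the MD5, any destination inside the SwiftWay /24, and any PTR under inferno.name. The log format and the sample lines are constructed, and blocking the whole /24 is an assumption taken from the post's remark that most already blackhole the range.

```python
"""Added example (not from the hpHosts post): flag log lines that touch the
indicators quoted above. Log format and sample lines are constructed."""
import ipaddress
from typing import Dict, List

# Indicators quoted in the post.
PAYLOAD_HOST = "rhyzilch.in"
PAYLOAD_MD5 = "42a61ad4f894d9d21434cc5d5819aaef"
# Assumption: the whole /24 around 46.21.159.228 is treated as blackholed.
BLOCKED_NET = ipaddress.ip_network("46.21.159.0/24")
# Assumption: any reverse DNS under this domain is treated as hostile.
HOSTILE_RDNS = ("inferno.name",)

# Constructed log lines: timestamp client dest_ip ptr url md5_of_download
SAMPLE_LOG = """\
2011-06-22T10:01:03Z 10.0.0.12 46.21.159.228 228.159.21.46.inferno.name http://rhyzilch.in/FlashPlayer.40028.exe 42a61ad4f894d9d21434cc5d5819aaef
2011-06-22T10:02:11Z 10.0.0.15 93.184.216.34 - http://example.com/index.html d41d8cd98f00b204e9800998ecf8427e
2011-06-22T10:03:40Z 10.0.0.12 46.21.159.77 77.159.21.46.inferno.name http://other.example/setup.exe 0123456789abcdef0123456789abcdef
2011-06-22T10:04:02Z 10.0.0.20 198.51.100.7 - http://mirror.example/FlashPlayer.40028.exe 42a61ad4f894d9d21434cc5d5819aaef
"""


def match_line(line: str) -> List[str]:
    """Return the names of every indicator a single log line matches."""
    _ts, _client, dest, ptr, url, md5 = line.split()
    reasons = []
    host = url.split("/", 3)[2].lower()  # host part of scheme://host/path
    if host == PAYLOAD_HOST:
        reasons.append("payload-host")
    if ipaddress.ip_address(dest) in BLOCKED_NET:
        reasons.append("blackholed-/24")
    if ptr != "-" and ptr.lower().rstrip(".").endswith(HOSTILE_RDNS):
        reasons.append("hostile-rdns")
    if md5.lower() == PAYLOAD_MD5:
        reasons.append("payload-md5")
    return reasons


def scan(log: str) -> Dict[str, List[str]]:
    """Map each client that touched an indicator to the distinct reasons."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        reasons = match_line(line)
        if reasons:
            client = line.split()[1]
            seen = hits.setdefault(client, [])
            seen.extend(r for r in reasons if r not in seen)
    return hits


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG).items():
        print(client, ", ".join(reasons))
```

The fourth sample line shows why the hash matters: the same binary served from a host outside the blackholed range is still caught.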
References
Part 3: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-3-interserver-malware-and-scottish.html
Part 2: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-2-interserver-malware-and-scottish.html
Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html
Wednesday, 22 June 2011