Ever get the feeling HostNOC/Burst aren't taking this seriously? They took 3 years to boot these guys the first time, and now all they're doing is jumping across different IPs on the HostNOC/Burst AS.
The new IP they're using as of today is 173.212.255.31.
Filenames occasionally change (new ones: New-Video-Addon.40028.exe, FlashPlayer.40028.exe; the old ones now produce fake 404s), but the infection certainly doesn't.
Based on what I'm seeing on the rest of the /24 (still to be confirmed, so no details yet folks), I'd personally recommend blackholing it. Then again, and perhaps I'm being overly harsh here (who knows, maybe it'll force HostNOC/Burst to pull their finger out), it may be an idea to blackhole their entire AS.
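As an added illustration of the point above (not code from the post or from hpHosts), the snippet below takes sightings like the ones quoted here and turns them into a prefix-level block rather than a single-IP one, and matches the versioned dropper names so a renamed build is still caught. The sightings list is constructed from the values in the post; the null-route syntax assumed is Linux iproute2.

```python
import ipaddress
import re

# Constructed from the indicators quoted in the post above.
SIGHTINGS = [
    {"ip": "173.212.255.31", "filename": "New-Video-Addon.40028.exe"},
    {"ip": "173.212.255.31", "filename": "FlashPlayer.40028.exe"},
]

# The droppers keep a fixed base name and only bump the numeric build
# between the dot and ".exe", so match on that shape, not the exact name.
DROPPER_RE = re.compile(
    r"^(?P<base>New-Video-Addon|FlashPlayer)\.(?P<build>\d+)\.exe$",
    re.IGNORECASE,
)


def match_dropper(filename):
    """Return (base, build) for a versioned dropper name, else None."""
    m = DROPPER_RE.match(filename)
    return (m.group("base"), int(m.group("build"))) if m else None


def prefix_for(ip, length=24):
    """Covering network for an observed IP (default: its /24)."""
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def blackhole_prefixes(sightings, length=24):
    """Distinct prefixes to null-route, derived from all sighted IPs."""
    return sorted({prefix_for(s["ip"], length) for s in sightings})


def blackhole_rules(sightings, length=24):
    """Linux iproute2 null-route commands, one per prefix (assumed syntax)."""
    return [f"ip route add blackhole {net}" for net in blackhole_prefixes(sightings, length)]


def is_blocked(ip, prefixes):
    """True if ip falls inside any blackholed prefix, so an IP hop within the /24 is still covered."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)
```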
References
Part 4: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-4-interserver-malware-and-scottish.html
Part 3: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-3-interserver-malware-and-scottish.html
Part 2: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-2-interserver-malware-and-scottish.html
Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/interserver-malware-and-scottish.html
Monday, 27 June 2011