FYI...Exploits, malware, and scareware courtesy of AS6851, BKCNET, Sagade Ltd.
July 14, 2010 - "Never trust an AS whose abuse-mailbox is using a Gmail account (firstname.lastname@example.org), and in particular one that you've come across during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI* I'm referring to, also known as Sagade Ltd... It's the Koobface gang connection in the face of urodinam .net, which is also hosted within AS6851, currently responding to 22.214.171.124...

Currently active exploits/malware/scareware serving domain portfolios within AS6851:
... Parked at/responding to 126.96.36.199
... Parked at/responding to 188.8.131.52
... Parked at/responding to 184.108.40.206
... Parked at/responding to 220.127.116.11
... Parked at/responding to 18.104.22.168
... Parked at/responding to 22.214.171.124
... Detection rates for the currently active malware samples, including the HOSTS file modifications on infected hosts, for the purpose of redirecting users to cybercrime-friendly search engines, monetized through traffic trading affiliate programs:
- 78490.jar - Result: 0/42 (0%)
- ad3.exe - Result: 41/42 (97.62%)
- a-fast.exe - Result: 36/42 (85.72%)
- dm.exe - Result: 37/42 (88.1%)
- iv.exe - Result: 8/42 (19.05%)
- j2_t895.jar - Result: 0/42 (0%)
- movie.exe - Result: 40/42 (95.24%)
- tst.exe - Result: 35/42 (83.34%)
- wsc.exe - Result: 37/42 (88.1%) - HOSTS file modification ...
- rc.exe - Result: 41/42 (97.62%) - HOSTS file modification ...
- installer.0028.exe - Result: 9/42 (21.43%) - HOSTS file modification ...
- installer.0022.exe - Result: 9/42 (21.43%) - HOSTS file modification ..."(More detail and links at the ddanchev blog URL above.)
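Several of the samples above are flagged for modifying the HOSTS file so that search-engine lookups resolve to attacker-chosen servers. The following is an added example of how a defender can check a HOSTS file for that kind of tampering; it is not code from the blog or the forum post. The watchlist of search-engine domains, the sample HOSTS content and the 203.0.113.x addresses (TEST-NET-3) are all constructed for illustration.

```python
import ipaddress
import sys
from typing import List, Tuple

# Constructed watchlist: domains whose redirection to a remote address is never
# legitimate in a hosts file. Extend with whatever your organisation cares about.
SEARCH_ENGINE_DOMAINS = {"google.com", "bing.com", "yahoo.com"}

# Addresses that legitimately appear in a hosts file for blocking or sinkholing;
# mapping a watchlisted domain to anything else is treated as a redirect.
BENIGN_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}

# Constructed sample mimicking an infected host (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed entries mimicking the redirect described on the page ---
203.0.113.10    www.google.com google.com
203.0.113.10    www.bing.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for each entry, skipping comments/blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # an address with no hostname is not an entry
            continue
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def _on_watchlist(hostname: str) -> bool:
    """Match the domain itself or any subdomain of it (www.google.com -> google.com)."""
    return any(hostname == d or hostname.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def find_search_redirects(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag entries that point a watchlisted domain at a non-loopback/non-null address.

    Each finding is (line_no, address, hostname, reason).
    """
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            # Malformed address field: worth a look, since a hand-edited file is itself a signal.
            findings.append((line_no, ip, " ".join(hosts), "unparseable address"))
            continue
        if addr in BENIGN_TARGETS:
            continue
        for h in hosts:
            if _on_watchlist(h):
                findings.append((line_no, ip, h, "search engine redirected to remote host"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts or /etc/hosts) to scan
    # a real file; with no argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, ip, host, reason in find_search_redirects(text):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
```

The check deliberately ignores entries that map a domain to loopback or 0.0.0.0, since that is how legitimate ad-blocking hosts files look; only a mapping to a remote address, or a line that does not parse as an address at all, is reported. Run it against a clean baseline first so that any site-specific entries your environment relies on can be added to `BENIGN_TARGETS` or excluded from the watchlist.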
"Of the 1035 site(s) we tested on this network over the past 90 days, 33 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time Google tested a site on this network was on 2010-07-15, and the last time suspicious content was found was on 2010-07-15.
Over the past 90 days, we found 50 site(s) on this network... that appeared to function as intermediaries for the infection of 2661 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 550 site(s)... that infected 16759 other site(s)