July 2009 Malicious Links: 14 Hotspots

#1

http://asert.arbornetworks.com/2009/08/ ... -hotspots/

Posted on Thursday, August 20th, 2009 | Bookmark on del.icio.us
July 2009 Malicious Links: 14 Hotspots
by Jose Nazario

Inspired by a friend’s question of which CIDRs to block first, I went looking into our malicious URL database for July, 2009, data and dug for the top IPs and netblocks. This was pretty easy: what URLs did the malware we analyze go to, what were the IP addresses associated, and then process that list with “aguri” to discover trends and hot spots. Some of the results are malicious and run by abusers, some are abused networks that are run by otherwise responsible network admins. I’ve tried to describe what we’ve found in each of them and note that none of them are the next “McColo” or “RBN”, just the loving locations that malware phones home to.

The list below shows the IP or narrow CIDR blocks we found that popped out, together with the contributions (raw number of observations and percentage of overall activity seen for the month).
8.12.206.126 263 (1.09%)

Located in AS3356 (Level 3 Communications). Appears to be related to MSN hosting. Often contacted by what appear to be a lot of games and executables of dubious repute. We get a lot of Trojan horse programs in here, no surprise they piggyback on otherwise healthy networks.
60.173.8.0/21 661 (2.73%/2.73%)

AS4134, ChinaNet Backbone. Lots of malcode hosted here that we see, and the network is a victim of its own success. Downloaders, infostealers, etc. Been seeing a lot of downloaders phoning back here that install dozens (!) of pieces of malware in one shot all hosted on the same host.
64.34.228.126 311 (1.28%)

AS13678, Peer 1 Network. A lot of search hijack and toolbars associated with this IP. A lot of “hxxp://64.34.228.126/tba/p” in our database where we see stuff like this posted:

POST /tba/p HTTP/1.1
Content-Length: 269
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; 6.0.79.0; Windows NT 5.1)
Accept-Encoding: gzip
Host: ads.netbios-local.com
.
guid=2923514082588C8C84CB8C4B77FE87C3334E&version=86442206692A&clientid=696CD7897DEF73884430&time=AE5E7DD0AE33F9&idle=925089&locale=F94122913C22&session=B10B&activeWindows=E17B02&ticksBoot=AB363FD944633BEE&ticksAlive=336CA641989A53&installTime=0F0C26&launchCount=9E3962
66.220.17.154 647 (2.67%)

AS6939, Hurricane Electric. Lots of Swizzor related activity.
67.29.139.153 400 (1.65%)

AS3356, Level 3. Lots of FakeAV associated with this IP, such as this sample.
68.169.70.134 247 (1.02%)

AS23393, ISPrime. Seems to be associated with “Fake Alert” or “Renos” based on some Google searches and VTotal results for some samples.
78.108.0.0/14 281 (1.16%/1.16%)

Associated with Cutwail botnet activity, porn, and even Koobface activity. Spread over a few providers, but lumped into this /14.
94.75.207.219 293 (1.21%)

Coincident with 68.169.70.134 above, hosted in AS16265 LEASEWEB. Fake Alerts and such …
121.11.0.0/16 244 (1.01%/1.01%) and 121.12.0.0/16 438 (1.81%/1.81%)

Associated with AS4134, ChinaNet Backbone. Lots of malware in this space from random individuals.
195.2.253.240/30 328 (1.35%/2.41%)

AS12695, Digital Network JSC. Lots of malware in the family of Alureon associate with URLs in this small netblock.
209.84.29.126 273 (1.13%)

AS3356, Level 3. Looks similar to what we’re seeing on the IP 8.12.206.126 above.
209.205.196.16 286 (1.18%)

AS20228, Pacnet, S.A. de C.V. Lots of random malware, appears to be a free hosting provider in South America that kids are abusing.
216.240.157.91 305 (1.26%)

AS7796, ATMLink. More Renos and Fake Alert stuff associated with the malware we’re analyzing phoning back here.
218.149.84.0/25 251 (1.04%/1.04%)

AS4766, Korea Telecom. Lots of KwSearchGuide Adware associated with this netblock. Lots of EXEs, DLLs, and PHP scripts called here.