July 2009 Malicious Links: 14 Hotspots
Inspired by a friend’s question of which CIDRs to block first, I went looking into our malicious URL database for July, 2009, data and dug for the top IPs and netblocks. This was pretty easy: what URLs did the malware we analyze go to, what were the IP addresses associated, and then process that list with “aguri” to discover trends and hot spots. Some of the results are malicious and run by abusers, some are abused networks that are run by otherwise responsible network admins. I’ve tried to describe what we’ve found in each of them and note that none of them are the next “McColo” or “RBN”, just the loving locations that malware phones home to.
The list below shows the IP or narrow CIDR blocks we found that popped out, together with the contributions (raw number of observations and percentage of overall activity seen for the month).
22.214.171.124 263 (1.09%)
Located in AS3356 (Level 3 Communications). Appears to be related to MSN hosting. Often contacted by what appear to be a lot of games and executables of dubious repute. We get a lot of Trojan horse programs in here, no surprise they piggyback on otherwise healthy networks.
126.96.36.199/21 661 (2.73%/2.73%)
AS4134, ChinaNet Backbone. Lots of malcode hosted here that we see, and the network is a victim of its own success. Downloaders, infostealers, etc. Been seeing a lot of downloaders phoning back here that install dozens (!) of pieces of malware in one shot all hosted on the same host.
188.8.131.52 311 (1.28%)
AS13678, Peer 1 Network. A lot of search hijack and toolbars associated with this IP. A lot of “hxxp://184.108.40.206/tba/p” in our database where we see stuff like this posted:
POST /tba/p HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; 220.127.116.11; Windows NT 5.1)
18.104.22.168 647 (2.67%)
AS6939, Hurricane Electric. Lots of Swizzor related activity.
22.214.171.124 400 (1.65%)
AS3356, Level 3. Lots of FakeAV associated with this IP, such as this sample.
126.96.36.199 247 (1.02%)
AS23393, ISPrime. Seems to be associated with “Fake Alert” or “Renos” based on some Google searches and VTotal results for some samples.
188.8.131.52/14 281 (1.16%/1.16%)
Associated with Cutwail botnet activity, porn, and even Koobface activity. Spread over a few providers, but lumped into this /14.
184.108.40.206 293 (1.21%)
Coincident with 220.127.116.11 above, hosted in AS16265 LEASEWEB. Fake Alerts and such …
18.104.22.168/16 244 (1.01%/1.01%) and 22.214.171.124/16 438 (1.81%/1.81%)
Associated with AS4134, ChinaNet Backbone. Lots of malware in this space from random individuals.
126.96.36.199/30 328 (1.35%/2.41%)
AS12695, Digital Network JSC. Lots of malware in the family of Alureon associate with URLs in this small netblock.
188.8.131.52 273 (1.13%)
AS3356, Level 3. Looks similar to what we’re seeing on the IP 184.108.40.206 above.
220.127.116.11 286 (1.18%)
AS20228, Pacnet, S.A. de C.V. Lots of random malware, appears to be a free hosting provider in South America that kids are abusing.
18.104.22.168 305 (1.26%)
AS7796, ATMLink. More Renos and Fake Alert stuff associated with the malware we’re analyzing phoning back here.
22.214.171.124/25 251 (1.04%/1.04%)
AS4766, Korea Telecom. Lots of KwSearchGuide Adware associated with this netblock. Lots of EXEs, DLLs, and PHP scripts called here.