[Emerging-Sigs] emerging bad networks

James McQuaid jim.mcquaid at gmail.com
Sat Oct 16 11:32:02 EDT 2010


This morning I reviewed the IP addresses listed yesterday by
malwaredomainlist.com.  There are significant concentrations of malware
domains in the following networks.  These can be blocked with little
collateral damage:

Concentrations of malware IPs listed by MalwareDomainList.com on 10-15-2010:
109.196.128.0/21    AS39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia
109.196.142.0/23    AS39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia
77.78.239.0/24    AS42560    BA-GLOBALNET-AS GlobalNET Bosnia (Moldova)
77.78.240.0/24    AS42560    BA-GLOBALNET-AS GlobalNET Bosnia (Moldova)
85.234.160.0/19    AS6851 BKCNET Autonomous System (Latvia)
88.214.192.0/20    AS46636    Missing route record (United Kingdom)
91.188.32.0/19    AS6851 BKCNET Autonomous System (Latvia)
91.213.174.0/24    AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirov (Russian Federation)
91.216.215.0/24    AS51274 ENCORE-NET Encore Lt (Russian Federation)

AS6851 BKCNET has been a dedicated criminal host for some time.  Here are
their other ranges:
AS6851 BKCNET Autonomous System (Latvia) in BGP (10-15-2010):

I noted that LeaseWeb's advertised segments have changed slightly since the
7th.

Jart Armin and Dancho Danchev might want to provide Evil Ghost with
additional input on the emerging-bad_networks.rules.  Jart has been
publishing a quarterly study quantifying the subject.

James McQuaid
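As an added illustration (not part of the post, and not the tool James used), here is the aggregation step the message describes: counting a feed's listed IPs per announced prefix and per origin AS, so that the networks worth a block rule stand out from isolated hits. The prefixes, AS labels and IP column are constructed documentation-range values standing in for a route table and the malwaredomainlist.com listing.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a BGP/route lookup (announced prefix -> origin AS label); documentation ranges only.
ANNOUNCED = {
    ip_network("192.0.2.0/24"): "AS64496 EXAMPLE-HOSTER-A",
    ip_network("198.51.100.0/25"): "AS64497 EXAMPLE-HOSTER-B",
    ip_network("198.51.100.128/25"): "AS64497 EXAMPLE-HOSTER-B",
    ip_network("203.0.113.0/24"): "AS64498 EXAMPLE-HOSTER-C",
}
# Constructed stand-in for one day's IP column from a malware domain feed.
LISTED_IPS = """
192.0.2.11
192.0.2.12
192.0.2.13
192.0.2.14
192.0.2.40
198.51.100.5
198.51.100.200
203.0.113.77
not-an-ip
"""

def longest_match(addr, table):
    """Most specific announced prefix containing addr, as (prefix, label), or None."""
    best = None
    for net, label in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best

def concentrations(listed, table, min_hits=3):
    """Distinct listed IPs per announced prefix; keep prefixes with >= min_hits, most-hit first."""
    hits = defaultdict(set)
    for token in listed.split():
        try:
            addr = ip_address(token)
        except ValueError:
            continue  # ignore anything in the feed that is not a bare IP address
        match = longest_match(addr, table)
        if match:
            hits[match].add(addr)
    rows = [(str(net), label, len(ips)) for (net, label), ips in hits.items() if len(ips) >= min_hits]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def by_asn(rows):
    """Sum prefix counts per AS label, so a host spread over many small prefixes still surfaces."""
    totals = defaultdict(int)
    for _, label, n in rows:
        totals[label] += n
    return dict(totals)
```

With the default threshold only 192.0.2.0/24 is reported; lowering `min_hits` to 1 shows every prefix, and `by_asn` then rolls those up per origin AS.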


> Message: 5
> Date: Thu, 7 Oct 2010 15:11:38 -0500
> From: Miso Patel <miso.patel at gmail.com>
> Subject: Re: [Emerging-Sigs] Comprehensive list of LeaseWeb CIDR
>        blocks?
> To: Jason Lewis <jlewis at packetnexus.com>
> Cc: Emerging-sigs at emergingthreats.net
> Message-ID:
>        <AANLkTinWb9CJrkr+X3mFwogfRYoDDSNuErCt6F=PV21z at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks for this and the other off-list responses I received.  Maybe we
> should create an emerging-leaseweb-BLOCK.rules that people could enable if
> they wanted.  Just kidding.  Sort of.
>
> Miso Patel
>
> On Thu, Oct 7, 2010 at 2:20 PM, Jason Lewis <jlewis at packetnexus.com>
> wrote:
>
> > I see these advertised from their AS 16265.
> >
> >
> > On Thu, Oct 7, 2010 at 2:27 PM, Joe Pampel <jpampel at paladyne.com> wrote:
> > > If they are in Europe, start with their whois listings on the RIPE site.
> > >
> > > http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=leaseweb&do_search=Search
> > >
> > > would be nice if this /24 is the whole thing. ;)
> > >
> > > On Oct 7, 2010, at 2:15 PM, Miso Patel wrote:
> > >
> > >> I'm fed up with the plethora of malware/fake AV hosted on LeaseWeb and
> > >> I've decided to just go ahead and block them completely at the firewall.
> > >> Does anyone have a comprehensive list of CIDR blocks that they own?  I
> > >> already use the ET RBN and Known Compromised lists but at this point I
> > >> feel like blocking LeaseWeb completely does more good than harm.  Not that
> > >> I have anything personal against the Dutchbags at LeaseWeb....
> > >>
> > >> Thanks.
> > >>
> > >> Miso Patel
> > >
> > >
> > >
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs at emergingthreats.net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > >
> > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> > > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> > >
> End of Emerging-sigs Digest, Vol 35, Issue 31
> *********************************************
>