[Emerging-Sigs] emerging bad networks

Jart Armin jart at jartarmin.com
Mon Oct 18 05:24:02 EDT 2010


Jim & All

Yes, good focus on these IPs - server analysis =

AS39150 HE Index: 219.2  HE Rank: 2 = Crime server -
http://sitevet.com/db/asn/AS39150

AS Name: VLTELECOM-AS VLineTelecom LLC Moscow, Russia
IPs allocated: 5376
Blacklisted URLs: 231


AS42560 HE Index: 105.5  HE Rank: 53 = Bad server -
http://sitevet.com/db/asn/AS42560

AS Name: BA-GLOBALNET-AS GlobalNET Bosnia
IPs allocated: 33536
Blacklisted URLs: 167

AS6851 HE Index: 166.6   HE Rank: 7 = Bad server -
http://sitevet.com/db/asn/AS6851

AS Name: BKCNET "SIA" IZZI
IPs allocated: 49152
Blacklisted URLs: 1061


Of real interest = AS46636 HE Index: 68.1  HE Rank: 184 = Hiding who is -
http://sitevet.com/db/asn/AS46636

AS Name: NATCOWEB - NatCoWeb Corp.
IPs allocated: 19200
Blacklisted URLs: 879

Name	Soldatov , Maxim
Handle	MSO59-ARIN
Company	NatCoWeb
Street	244 Fifth Ave #S211
City	New York
State/Province	NY
Postal Code	10001-7604
Country	US
Registration Date	2008-03-03
Last Updated	2010-07-09
Comments	
Phone	+1-212-591-6245 (Fax)
+1-646-233-3035 (Office)
Email	makc at natcoweb.com
RESTful Link	http://whois.arin.net/rest/poc/MSO59-ARIN

This is not US or UK as it appears in some DNS lookups; best guess via
traffic triangulation is that it is actually based in Lithuania.


AS29106 - HE Index: 184.1  HE Rank: 3 = Crime server -
http://sitevet.com/db/asn/AS29106

AS Name: VOLGAHOST-AS PE Bondarenko Dmitriy Vladimirovich
IPs allocated: 256
Blacklisted URLs: 479


AS51274 - HE Index: 60.7  - HE Rank: 269 = Going bad -
http://sitevet.com/db/asn/AS51274

AS Name: ENCORE-NET Encore Ltd.
IPs allocated: 256
Blacklisted URLs: 4





On Sat, Oct 16, 2010 at 4:32 PM, James McQuaid <jim.mcquaid at gmail.com> wrote:
> This morning I reviewed the IP addresses listed yesterday by
> malwaredomainlist.com.  There are significant concentrations of malware
> domains in the following networks.  These can be blocked with little
> collateral damage:
>
> Concentrations of Malware IP's Listed by MalwareDomainList.com on
> 10-15-2010:
> 109.196.128.0/21    AS39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia
> 109.196.130.42
> 109.196.134.18
> 109.196.134.39
> 109.196.134.40
> 109.196.134.53
>
> 109.196.142.0/23    AS39150 VLTELECOM-AS VLineTelecom LLC Moscow, Russia
> 109.196.142.18
> 109.196.143.107
> 109.196.143.130
> 109.196.143.131
> 109.196.143.33
> 109.196.143.60
> 109.196.143.67
> 109.196.143.92
> 109.196.143.94
> 109.196.143.95
>
> 77.78.239.0/24    AS42560    BA-GLOBALNET-AS GlobalNET Bosnia (Moldova)
> 77.78.239.11
> 77.78.239.12
> 77.78.239.13
> 77.78.239.14
> 77.78.239.15
> 77.78.239.16
> 77.78.239.17
> 77.78.239.18
> 77.78.239.19
> 77.78.239.2
> 77.78.239.20
> 77.78.239.21
> 77.78.239.22
> 77.78.239.23
> 77.78.239.24
> 77.78.239.25
> 77.78.239.26
> 77.78.239.27
> 77.78.239.28
> 77.78.239.29
> 77.78.239.3
> 77.78.239.30
> 77.78.239.31
> 77.78.239.32
> 77.78.239.33
> 77.78.239.34
> 77.78.239.35
> 77.78.239.36
> 77.78.239.37
> 77.78.239.38
> 77.78.239.39
> 77.78.239.40
> 77.78.239.41
> 77.78.239.5
> 77.78.239.53
> 77.78.239.6
> 77.78.239.62
> 77.78.239.65
> 77.78.239.7
> 77.78.239.8
> 77.78.239.9
>
> 77.78.240.0/24    AS42560    BA-GLOBALNET-AS GlobalNET Bosnia (Moldova)
> 77.78.240.16
> 77.78.240.168
> 77.78.240.17
> 77.78.240.211
> 77.78.240.214
> 77.78.240.22
> 77.78.240.24
> 77.78.240.28
> 77.78.240.3
> 77.78.240.36
> 77.78.240.44
> 77.78.240.88
> 77.78.240.89
> 77.78.248.32
> 77.78.249.129
> 77.78.249.29
>
> 85.234.160.0/19    AS6851 BKCNET Autonomous System (Latvia)
> 85.234.190.10
> 85.234.190.16
> 85.234.190.22
> 85.234.190.23
> 85.234.190.31
> 85.234.190.40
> 85.234.190.52
> 85.234.190.74
> 85.234.190.75
> 85.234.190.77
> 85.234.190.92
> 85.234.191.141
> 85.234.191.174
> 85.234.191.190
> 85.234.191.195
> 85.234.191.206
> 85.234.191.208
> 85.234.191.210
> 85.234.191.30
> 85.234.191.50
> 85.234.191.51
>
> 88.214.192.0/20    AS46636    Missing route record (United Kingdom)
> 88.214.193.121
> 88.214.193.196
> 88.214.194.188
> 88.214.196.146
> 88.214.198.10
> 88.214.198.130
> 88.214.198.230
> 88.214.198.25
> 88.214.198.250
> 88.214.198.8
> 88.214.198.80
> 88.214.200.36
> 88.214.200.5
> 88.214.200.50
> 88.214.200.60
> 88.214.200.65
> 88.214.200.70
> 88.214.202.10
> 88.214.202.105
> 88.214.202.120
> 88.214.202.180
> 88.214.202.224
> 88.214.202.30
> 88.214.203.165
> 88.214.203.171
> 88.214.204.100
> 88.214.232.22
> 88.214.242.12
>
> 91.188.32.0/19    AS6851 BKCNET Autonomous System (Latvia)
> 91.188.59.10
> 91.188.59.150
> 91.188.59.197
> 91.188.59.199
> 91.188.59.220
> 91.188.59.225
> 91.188.59.42
> 91.188.59.55
> 91.188.59.61
> 91.188.59.74
> 91.188.59.93
> 91.188.59.95
> 91.188.60.10
> 91.188.60.100
> 91.188.60.107
> 91.188.60.126
> 91.188.60.16
> 91.188.60.175
> 91.188.60.26
> 91.188.60.3
> 91.188.60.4
> 91.188.60.5
> 91.188.60.61
> 91.188.60.75
> 91.188.60.89
> 91.188.60.91
> 91.188.60.93
>
> 91.213.174.0/24    AS29106 VolgaHost-as PE Bondarenko Dmitriy Vladimirov
> (Russian Federation)
> 91.213.174.10
> 91.213.174.110
> 91.213.174.113
> 91.213.174.117
> 91.213.174.18
> 91.213.174.19
> 91.213.174.220
> 91.213.174.221
> 91.213.174.6
> 91.213.174.60
> 91.213.174.61
> 91.213.174.62
> 91.213.174.9
>
> 91.216.215.0/24    AS51274 ENCORE-NET Encore Lt (Russian Federation)
> 91.216.215.100
> 91.216.215.101
> 91.216.215.195
> 91.216.215.196
> 91.216.215.197
> 91.216.215.66
> 91.216.215.75
> 91.216.215.80
> 91.216.215.84
>
> AS6851 BKCNET has been a dedicated criminal host for some time.  Here are
> their other ranges:
> AS6851 BKCNET Autonomous System (Latvia) in BGP (10-15-2010):
> 62.84.0.0/19
> 62.84.12.0/23
> 62.84.19.0/24
> 84.38.128.0/20
> 85.234.160.0/19
> 91.123.64.0/20
> 91.188.32.0/19
> 109.110.0.0/19
> 195.244.128.0/20
> 217.24.64.0/20
>
> I noted that LeaseWeb's advertised segments have changed slightly since the
> 7th.
>
> Jart Armin and Dancho Danchev might want to provide Evil Ghost with
> additional input on the emerging-bad_networks.rules.  Jart has been
> publishing a quarterly study quantifying the subject.
>
> James McQuaid
>
>>
>> Message: 5
>> Date: Thu, 7 Oct 2010 15:11:38 -0500
>> From: Miso Patel <miso.patel at gmail.com>
>> Subject: Re: [Emerging-Sigs] Comprehensive list of LeaseWeb CIDR
>>        blocks?
>> To: Jason Lewis <jlewis at packetnexus.com>
>> Cc: Emerging-sigs at emergingthreats.net
>> Message-ID:
>>        <AANLkTinWb9CJrkr+X3mFwogfRYoDDSNuErCt6F=PV21z at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Thanks for this and the other off-list responses I received.  Maybe we
>> should create an emerging-leaseweb-BLOCK.rules that people could enable if
>> they wanted.  Just kidding.  Sort of.
>>
>> Miso Patel
>>
>> On Thu, Oct 7, 2010 at 2:20 PM, Jason Lewis <jlewis at packetnexus.com>
>> wrote:
>>
>> > I see these advertised from their AS 16265.
>> >
>> > 62.212.64.0/19
>> > 62.212.64.0/21
>> > 62.221.192.0/18
>> > 62.221.254.0/23
>> > 77.73.16.0/21
>> > 77.75.120.0/21
>> > 77.235.32.0/19
>> > 80.65.32.0/20
>> > 81.17.32.0/19
>> > 82.192.64.0/19
>> > 83.149.64.0/18
>> > 83.223.32.0/20
>> > 85.17.0.0/16
>> > 87.236.96.0/21
>> > 87.254.160.0/19
>> > 89.104.161.0/24
>> > 89.104.162.0/24
>> > 89.104.168.0/24
>> > 90.156.224.0/20
>> > 91.184.48.0/20
>> > 91.184.48.0/21
>> > 91.195.81.0/24
>> > 91.195.118.0/23
>> > 91.213.195.0/24
>> > 92.114.86.0/23
>> > 94.75.192.0/18
>> > 94.124.56.0/21
>> > 94.126.32.0/21
>> > 95.211.0.0/16
>> > 109.69.56.0/22
>> > 109.70.0.0/21
>> > 109.70.0.0/22
>> > 109.237.208.0/21
>> > 109.237.216.0/22
>> > 178.18.20.0/23
>> > 178.18.22.0/24
>> > 188.95.136.0/22
>> > 193.43.92.0/24
>> > 193.104.219.0/24
>> > 193.227.134.0/24
>> > 193.239.6.0/23
>> > 193.242.108.0/24
>> > 193.254.254.0/23
>> > 195.42.134.0/24
>> > 195.140.240.0/22
>> > 195.200.82.0/23
>> > 195.242.98.0/23
>> > 212.32.224.0/19
>> > 212.32.224.0/24
>> > 212.32.226.0/24
>> > 213.142.136.0/21
>> > 213.142.144.0/22
>> > 213.196.0.0/18
>> > 213.227.128.0/19
>> > 217.148.16.0/20
>> >
>> > On Thu, Oct 7, 2010 at 2:27 PM, Joe Pampel <jpampel at paladyne.com> wrote:
>> > > If they are in Europe, start with their whois listings on the RIPE
>> > > site.
>> > >
>> > > http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=leaseweb&do_search=Search
>> > >
>> > > would be nice if this /24 is the whole thing. ;)
>> > >
>> > > On Oct 7, 2010, at 2:15 PM, Miso Patel wrote:
>> > >
>> > >> I'm fed up with the plethora of malware/fake AV hosted on LeaseWeb
>> > >> and I've decided to just go ahead and block them completely at the
>> > >> firewall.  Does anyone have a comprehensive list of CIDR blocks that
>> > >> they own?  I already use the ET RBN and Known Compromised lists but
>> > >> at this point I feel like blocking LeaseWeb completely does more good
>> > >> than harm.  Not that I have anything personal against the Dutchbags
>> > >> at LeaseWeb....
>> > >>
>> > >> Thanks.
>> > >>
>> > >> Miso Patel
>> > >
>> > >
>> > >
>> > > _______________________________________________
>> > > Emerging-sigs mailing list
>> > > Emerging-sigs at emergingthreats.net
>> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> > >
>> > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
>> > > Lanyards
>> > >
>> > > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> > >
>> >
>>
>> End of Emerging-sigs Digest, Vol 35, Issue 31
>> *********************************************
>
>



-- 
Regards,
Jart Armin

Editor - HostExploit.com

Twitter.com/HostExploit

Blog - InternetEvolution.com

PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28E5C605
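The thread does two things by hand: James groups the MalwareDomainList hosts into the BGP prefixes that carry them (so whole networks with "little collateral damage" can be blocked), and Jason's LeaseWeb list shows prefixes advertised both as a wide and a narrower block (62.212.64.0/19 and 62.212.64.0/21, 212.32.224.0/19 and 212.32.224.0/24). The following script is an added example and not code from the thread or from Emerging Threats; it uses Python's standard ipaddress module to collapse overlapping advertisements, attribute each listed host to its longest matching prefix, count the concentration per prefix, and emit generic Snort/Suricata "alert ip" rules for prefixes above a threshold. The prefixes and most addresses are taken from the thread; 62.212.80.9 and 198.51.100.7 are constructed, the rule message text is my own, and the SID range is a placeholder.

```python
import ipaddress
from collections import Counter

# Prefixes taken from the thread above (a subset per ASN). The overlapping
# pairs under AS16265 are deliberate: they are advertised both ways in BGP.
ADVERTISED = {
    "AS39150": ["109.196.128.0/21", "109.196.142.0/23"],
    "AS6851": ["85.234.160.0/19", "91.188.32.0/19"],
    "AS16265": ["62.212.64.0/19", "62.212.64.0/21",
                "212.32.224.0/19", "212.32.224.0/24"],
}

# Hosts from the MalwareDomainList extract quoted in the thread, plus two
# constructed entries: 62.212.80.9 (inside the /19 but not the /21) and
# 198.51.100.7 (TEST-NET-2, matches nothing).
OBSERVED = [
    "109.196.130.42", "109.196.134.18", "109.196.142.18", "109.196.143.107",
    "85.234.190.10", "85.234.191.141", "91.188.59.10",
    "62.212.80.9", "198.51.100.7",
]


def collapse(prefixes):
    """Merge overlapping and adjacent prefixes into the minimal covering set,
    so a blocklist built from raw BGP advertisements carries no duplicates."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def build_table(advertised):
    """Flatten {asn: [prefix, ...]} into [(network, asn), ...] after collapsing."""
    return [(net, asn) for asn, prefixes in advertised.items()
            for net in collapse(prefixes)]


def attribute(ip, table):
    """Longest-prefix match of one address against the table; None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best


def concentrations(observed, table):
    """Count listed hosts per (network, asn); also return the addresses that
    fall outside every known prefix so they can be investigated separately."""
    counts = Counter()
    unattributed = []
    for ip in observed:
        hit = attribute(ip, table)
        if hit is None:
            unattributed.append(ip)
        else:
            counts[hit] += 1
    return counts, unattributed


def snort_rules(counts, min_hits=2, base_sid=9000000):
    """Emit one generic Snort/Suricata 'alert ip' rule per prefix that holds
    at least min_hits listed hosts. base_sid is a placeholder: choose a SID
    range that does not collide with the rulesets you already load."""
    rules = []
    sid = base_sid
    for (net, asn), n in sorted(counts.items(), key=lambda kv: str(kv[0][0])):
        if n < min_hits:
            continue
        rules.append(
            f'alert ip {net} any -> $HOME_NET any '
            f'(msg:"LOCAL BAD NETWORK {asn} {net} ({n} listed hosts)"; '
            f'classtype:misc-attack; sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    table = build_table(ADVERTISED)
    counts, unattributed = concentrations(OBSERVED, table)
    for (net, asn), n in counts.most_common():
        print(f"{asn:8} {str(net):20} {n} listed / {net.num_addresses} addresses")
    print("unattributed:", unattributed)
    for rule in snort_rules(counts):
        print(rule)
```

The per-prefix count next to the prefix size is the collateral-damage check the thread talks about: a /24 with a dozen listed hosts is a very different proposition from a /16 with the same dozen, and the min_hits threshold keeps a single listing from turning an entire allocation into a rule. Collapsing first matters because a naive list would otherwise produce two rules for the same traffic.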

