Sunday, March 29, 2009

RBN Domains Fleeing HostFresh

After receiving information that the RBN malware bastion HostFresh (aut-num: AS23898, as-name: HOSTFRESH-AS-AP) was in the process of being depeered, I decided to track the malware domains fleeing it.

During the takedowns of Atrivo, McColo and UkrTelegroup, we observed domains being migrated to other IP ranges, as the owners sought to keep their criminal enterprises alive.

As of Sunday morning 29 March 2009, 61% of the 18 malware domains that I sampled had been migrated:
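The migration tracking described above can be reduced to a diff of two resolution snapshots: which domains that resolved into the depeered provider's ranges now resolve elsewhere, which are still there, which are in mid-move, and which have gone dark. The Python below is an added example, not the author's tooling; the prefix and the domain names are constructed placeholders from the RFC 5737 documentation ranges, not HostFresh's real allocations or the domains in this post. Feed it a real "before" and "after" snapshot from your own resolver logs or passive DNS and it reports the same kind of migration percentage, and regroups the "after" snapshot by IP in the same layout as the listing below.

```python
"""Added example: classify malware domains that migrate off a depeered hosting range.

Input is two snapshots of observed A records (domain -> set of IPv4 strings),
one taken before the depeering and one after, plus the prefixes the provider
announced. The prefix and domains below are constructed placeholders
(RFC 5737 documentation ranges), not HostFresh's real allocations.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

Snapshot = Dict[str, Set[str]]  # domain -> A records observed at that time

# Hypothetical stand-in for the depeered provider's announced prefixes.
DEPEERED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed snapshots: "before" has every tracked domain inside the range.
BEFORE: Snapshot = {
    "bad-a.example": {"192.0.2.10"},
    "bad-b.example": {"192.0.2.11"},
    "bad-c.example": {"192.0.2.12"},
    "bad-d.example": {"192.0.2.13"},
    "unrelated.example": {"203.0.113.1"},  # never in the range; ignored
}
AFTER: Snapshot = {
    "bad-a.example": {"198.51.100.5"},               # moved entirely
    "bad-b.example": {"192.0.2.11"},                 # still there
    # "bad-c.example" no longer resolves at all
    "bad-d.example": {"192.0.2.13", "203.0.113.7"},  # mid-move: old and new
    "unrelated.example": {"203.0.113.1"},
}


def in_prefixes(ip: str, prefixes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if `ip` falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def classify(before: Snapshot, after: Snapshot,
             prefixes: Iterable[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Classify every domain that resolved into `prefixes` in `before`.

    migrated: all current A records are outside the prefixes
    stayed:   all current A records are still inside
    partial:  a mix of old-range and new-range addresses (move in progress)
    dead:     no A records in the `after` snapshot
    """
    prefixes = list(prefixes)
    verdict: Dict[str, str] = {}
    for domain, old_ips in before.items():
        if not any(in_prefixes(ip, prefixes) for ip in old_ips):
            continue  # not hosted by the depeered provider; out of scope
        new_ips = after.get(domain, set())
        if not new_ips:
            verdict[domain] = "dead"
            continue
        inside = sum(1 for ip in new_ips if in_prefixes(ip, prefixes))
        if inside == 0:
            verdict[domain] = "migrated"
        elif inside == len(new_ips):
            verdict[domain] = "stayed"
        else:
            verdict[domain] = "partial"
    return verdict


def migration_rate(verdict: Dict[str, str]) -> float:
    """Fraction of tracked domains that have fully moved out of the range."""
    if not verdict:
        return 0.0
    return sum(1 for v in verdict.values() if v == "migrated") / len(verdict)


def group_by_ip(snapshot: Snapshot) -> Dict[str, List[str]]:
    """Invert a snapshot into IP -> sorted hostnames, ordered by address,
    the same layout as the infrastructure listing in the post."""
    grouped: Dict[str, List[str]] = {}
    for domain, ips in snapshot.items():
        for ip in ips:
            grouped.setdefault(ip, []).append(domain)
    ordered = sorted(grouped.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return {ip: sorted(names) for ip, names in ordered}


if __name__ == "__main__":
    v = classify(BEFORE, AFTER, DEPEERED_PREFIXES)
    for domain, state in sorted(v.items()):
        print(f"{domain:20s} {state}")
    print(f"migrated: {migration_rate(v):.0%} of {len(v)} tracked domains")
    for ip, names in group_by_ip(AFTER).items():
        print(ip)
        for name in names:
            print("  " + name)
```

The "partial" state matters in practice: a domain whose new name server is already serving records outside the old range will often keep a stale A record pointing back into it until the TTL expires, so counting only fully moved domains understates how far along the relocation is.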

Host Fresh malware migrations

DNS Infrastructure:

58.65.236.129
ns1.dnszno.com - name server for wcontact.cn

58.65.236.130
ns2.dnszno.com - name server for wcontact.cn

58.65.237.153
ns1.arsofcaribion.com - name server for arsofcaribion.com

62.80.102.253
ns1.phreneticus.at - name server for iframe.cc

64.251.10.77
ns3.us.editdns.net - name server for strhq.cn

66.48.82.31
*.google-counter.com
ns2.google-counter.com - name server for google-counter.com

72.249.105.234
ns2.us.editdns.net - name server for strhq.cn

74.52.212.235
ns1.us.editdns.net - name server for strhq.cn

78.159.124.235
ns1.antimalwareguard-plus.com
ns1.antimalwareguardplus.com
ns1.antimalwaresuite2009.com
ns1.bestvirusremover2009.com
ns1.pc-virusremover2008.com
ns1.redirectfor-me.com
ns1.redirectforutoo.com
ns1.spywareremover2009plus.com
ns1.svcbox.com
ns1.virusremover2008-offer.com
ns4.systemprotectioncenter.com
78.159.124.235.internetserviceteam.com

80.86.89.131
ns2.systemprotectioncenter.com
ns3.beststatsreport.com
ns4.adtrafficsolution.com
ns4.antimalwareguard-plus.com
ns4.antimalwareguardplus.com
ns4.antimalwaresuite2009.com
ns4.antispywareexpertplus.com
ns4.bestvirusremover2009.com
ns4.mycleaner2009.com
ns4.pc-virusremover2008.com
ns4.redirectfor-me.com
ns4.redirectforme.com
ns4.redirectforutoo.com
ns4.spywareremover2009plus.com
ns4.virusremover2008-offer.com
xbbx.serv.lt

81.177.8.189
ns2.reg.ru - name server for pornozver.ru

83.170.82.53
ns2.phreneticus.at - name server for iframe.cc

85.10.208.252
85-10-208-252.clients.your-server.de
ns1.systemprotectioncenter.com
ns2.adtrafficsolution.com
ns2.antimalwareguard-plus.com
ns2.antimalwareguardplus.com
ns2.antimalwaresuite2009.com
ns2.antispywareexpertplus.com
ns2.beststatsreport.com
ns2.bestvirusremover2009.com
ns2.mycleaner2009.com
ns2.pc-virusremover2008.com
ns2.redirectfor-me.com
ns2.redirectforme.com
ns2.spywareremover2009plus.com
ns2.virusremover2008-offer.com

88.198.62.171
ns1.mihailfedorov.net - name server for mihailfedorov.net

88.198.103.122
mihailfedorov.net - Mihail B Fedorov (whois@mihailfedorov.ru)

88.208.0.179
b.ns.isvbr.net - name server for isvbr.net
rondo.urlhurt.net - name server for isvbr.net

88.208.0.182
b.ns.caricare.net - name server for e.caricare.net
steel.people-info.com - name server for e.caricare.net

88.208.1.195
c.ns.isvbr.net - name server for isvbr.net
cart.dnshelp.info - name server for isvbr.net

88.208.1.198
c.ns.caricare.net - name server for e.caricare.net
river.urlhurt.net - name server for e.caricare.net

89.149.244.29
89-149-244-29.internetserviceteam.com
ns1.antimalwareguardsolution.com
ns1.antispywareexpert-plus.com
ns1.antispywareexpertsolution.com
ns1.antispywareexpertsolutions.com
ns1.best-secureexpertcleaner.com
ns1.cashpanic.com
ns1.cleaner2009solution.com
ns1.hits-traff.com
ns1.pcprivacycleaner-plus.com
ns1.pcprivacycleanerplus.com
ns1.quickinstallpackpro.com
ns1.rdrmepls.com
ns1.redirectforutoo.com
ns1.registrydoctor2008scan.com
ns1.secureexpertcleaner-pro.com
ns1.secureexpertcleanerpro.com
ns1.thesecureexpertcleaner.com
ns1.thevirusremover2008.com
ns1.traffandgo.com
ns1.virusremover2008-flash.com
ns1.virusremover2008plus.com
ns1.virusremover2008pro.com
ns1.virusremoversolution.com
ns1.vmaff.com
ns1.xpboosterpro.com
ns1.yourpcprivacycleanerplus.com
ns1.yourpcprivacycleanerpro.com
ns4.virusremover2008pro.com
ns5.adclickdirect.com
ns5.adtrafficdriver.com
ns5.adtrafficstats.com
ns5.extrafreead.com
ns5.gbpltw.com
ns5.gomyron.com
ns5.hit-traff.com
ns5.onlinepromostats.com
ns5.rdrbroz.com
ns5.traff-true.com
ns5.traff2money.com
ns5.uniqs-traff.com
ns5.webstatsmaster.com

89.149.249.237
*.caricare.net
caricare.net

92.241.180.114
ns1.reg.ru - name server for pornozver.ru

93.190.139.229
antispywareexpertplus.com
best-secureexpertcleaner.com
bestvirusremover2009.com
flog.bestvirusremover2008.com
inetservicepack.com
iservicepack.com
mysecureexpertcleaner.com
ns4.registrydoctor2008pro.com
registrydoctor2008.com
registrydoctor2008pro.com
registrydoctor2008scan.com
registrydoctor2008solution.com
registrydoctorpro2008.com
secureexpertcleaner-pro.com
secureexpertcleanerpro.com
thesecureexpertcleaner.com
thevirusremover2008.com
virus-doctor-site.com
virusremover2008flash.com
winsecureexpertcleaner.com
www.best-secureexpertcleaner.com
www.bestsecureexpertcleaner.com
www.inetservicepack.com
www.iservicepack.com
www.mysecureexpertcleaner.com
www.pc-virusremover2008.com
www.pcvirusremover2008.com
www.powerfulvirusremover2008.com
www.registrydoctor2008.com
www.registrydoctor2008scan.com
www.registrydoctorpro2008.com
www.secureexpertcleaner-pro.com
www.secureexpertcleanerpro.com
www.thesecureexpertcleaner.com
www.thevirusremover2008.com
www.virus-doctor-site.com
www.virusremover2008-flash.com
www.virusremover2008flash.com
www.virusremover2008offer.com
www.virusremover2008plus.com
www.virusremover2008pro.com
www.winsecureexpertcleaner.com
www.yoursecureexpertcleaner.com
yoursecureexpertcleaner.com

116.0.103.115
ns2.google-counter.com - name server for google-counter.com

193.232.130.14
beta.mihailfedorov.net - name server for mihailfedorov.net

194.85.61.20
alpha1.mihailfedorov.net - name server for mihailfedorov.net

194.226.96.8
alpha2.mihailfedorov.net - name server for mihailfedorov.net

209.8.151.186
a.ns.caricare.net - name server for e.caricare.net
stomp.defunct.in - name server for e.caricare.net

209.8.151.190
lake.people-info.com - name server for isvbr.net

213.133.100.58
213-133-100-58.clients.your-server.de
linkscrescent.com
modernstance.com
ns2.virusremover2008offer.com
ns3.adtrafficsolution.com
ns3.antimalwareguardsolution.com
ns3.antimalwareguardsolutions.com
ns3.antimalwaresuite2009.com
ns3.antispywareexpertsolution.com
ns3.antispywareexpertsolutions.com
ns3.best-secureexpertcleaner.com
ns3.cashpanic.com
ns3.hits-traff.com
ns3.mycleaner2009.com
ns3.pc-virusremover2008.com
ns3.pcprivacycleaner-plus.com
ns3.pcprivacycleanerplus.com
ns3.quickinstallpackpro.com
ns3.rdrmepls.com
ns3.redirectforutoo.com
ns3.secureexpertcleaner-pro.com
ns3.secureexpertcleanerpro.com
ns3.thesecureexpertcleaner.com
ns3.thevirusremover2008.com
ns3.traffandgo.com
ns3.virusremover2008-flash.com
ns3.virusremover2008-offer.com
ns3.virusremover2008offer.com
ns3.virusremoversolution.com
ns3.vmaff.com
ns3.xpboosterpro.com
ns3.yourpcprivacycleanerplus.com
ns3.yourpcprivacycleanerpro.com
ns4.virusremoversolution.com
ns7.adclickdirect.com
ns7.adtrafficdriver.com
ns7.adtrafficstats.com
ns7.extrafreead.com
ns7.gbpltw.com
ns7.gomyhit.com
ns7.gomyron.com
ns7.hit-traff.com
ns7.onlinepromostats.com
ns7.rdrbroz.com
ns7.statisticsmanager.com
ns7.traff-true.com
ns7.traff2money.com
ns7.webstatsmaster.com
ronnieandlynda.com
squits.net
static.213-133-100-58.clients.your-server.de

213.174.153.153
a.ns.isvbr.net - name server for isvbr.net
