How many Trojans does it take?

How many Trojans or malicious files does it take before someone takes action to shut down some of these sites … that’s something I was asking myself while checking some of the entries in my HOSTS file through Google’s Safe Browsing diagnostic page …

# [Netplace][AS41947][77.91.229.32 – 77.91.229.47]
77.91.229.38  try-count .net #[Javascript.Exploit]

# [Netplace][AS41947][77.91.229.48 – 77.91.229.63]
77.91.229.55  v2statscount .net #[Javascript.Exploit]
77.91.229.55  v2count .net #[Javascript.Exploit]
77.91.229.55  pluscount .net #[Google.Warning]
77.91.229.55  newv2count .net

newv2count .net = Malicious software includes 331 trojan(s). [Google Diagnostic]
pluscount .net = Malicious software includes 64905 trojan(s), 1285 scripting exploit(s), 4 exploit(s).  [Google Diagnostic]
try-count .net = Malicious software includes 3553 trojan(s), 79 exploit(s).  [Google Diagnostic]
v2count .net = Malicious software includes 5628 trojan(s), 704 scripting exploit(s).  [Google Diagnostic]
v2statscount .net = Malicious software includes 11727 trojan(s).  [Google Diagnostic]

Now if you add up the numbers from these seemingly related sites you get 85,944 Trojans. Wow!!! … well, we all know it’s useless to complain to the abuse department at these Russian servers … so how about complaining to their “Upstream Provider”, much like the tactics used to take down Intercage/Atrivo.

In this case the Upstream Provider is “AS41947 WEBALTA AS Wahome networks” … [source] Sadly it doesn’t look like that will do much good … as it seems “Wahome” is hosting its own crop of nasties …

# [Wahome Colocation][AS41947][92.241.163.0 – 92.241.163.255]
92.241.163.27  adv-a-v .com
92.241.163.27  a-a-v-2008 .com
92.241.163.27  aav2008 .com
92.241.163.30  wi-a-v .com
92.241.163.30  wav2008 .com
92.241.163.30  windows-av .com
92.241.163.31  uav2008 .com
92.241.163.32  spypreventers .com
92.241.163.32  sp-preventer .com
92.241.163.33  download.wi-a-v .com
92.241.163.33  download.wav2008 .com
92.241.163.33  download.uav2008 .com
92.241.163.33  download.adv-a-v .com
92.241.163.33  download.a-a-v-2008 .com
92.241.163.33  download.aav2008 .com
92.241.163.33  download.windows-av .com
92.241.163.33  download.spypreventers .com
92.241.163.33  download.sp-preventer .com #[Win32/Adware.Antivirus2008]
92.241.163.34  secure2.softpaydirect .com
92.241.163.34  secure.softpaydirect .com
92.241.163.90  piterserv .com

Notice that the AS number, “AS41947”, is the same … oh well, so much for that idea … as a matter of fact, checking a few other entries (Still Trade, AS47486) shows from the “Graph” tab that “Still Trade” routes through … you guessed it, “AS41947 WEBALTA AS Wahome networks”.

# [Still Trade][AS47486][91.208.0.0 – 91.208.0.255]
91.208.0.220  rapidantivirus .com
91.208.0.223  microantivirus-2009 .com #[Win32/Adware.Antivirus2008]
91.208.0.223  microantivirus2009 .com
91.208.0.223  microantivir2009 .com
91.208.0.223  microantivir-2009 .com
91.208.0.223  micro-antivir-2009 .com
91.208.0.224  soft-traff6 .com
91.208.0.224  soft-traff5 .com
91.208.0.224  soft-traff4 .com #[Google.Diagnostic]
91.208.0.224  soft-traff3 .com #[Google.Diagnostic]
91.208.0.224  soft-traff2 .com
91.208.0.224  soft-traff .com
91.208.0.228  scanner.ms-scanner .com
91.208.0.228  scanner.msscanner .com
91.208.0.228  scanner.ms-scan .com
91.208.0.229  msantivirus-xp .com
91.208.0.239  winxsecuritycenter .com
91.208.0.240  download.vav2008 .com
91.208.0.240  vav2008 .com
91.208.0.241  winsafer .com
91.208.0.244  software-traffic .com
91.208.0.244  software-traff .com
91.208.0.246  scanner.vav-x-scanner .com #[Win32/FakeAlert.CU]
91.208.0.246  scanner.vav-scanner .com #[Win32/Adware.Antivirus2008]
91.208.0.246  scanner.vav-scan .com
91.208.0.246  scanner.vavscan .com
91.208.0.246  scanner-pwrantivirus .com #[Win32/Adware.Antivirus2008]
91.208.0.249  watcher-scan .com
91.208.0.249  scanner2.defender-scan .com
91.208.0.251  scanner.win-x-defenders .com
91.208.0.251  win-x-defenders .com #[Google.Warning]
91.208.0.251  win-x-defender .com

Starting to see a pattern here? … the culprits use the first five sites to inject exploits into legitimate sites, and those exploits lead visitors to these bogus antispyware sites, where some people are still conned into giving these criminals their credit card info … and we all know where that leads …
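To make this kind of cross-checking repeatable rather than done by eye, here is an added Python example (not from the original post, and not from any tool it mentions) that parses the annotated HOSTS blocks above: it refangs the “name .tld” entries back into hostnames, carries each block’s owner, ASN and address range onto its entries, flags any entry whose IP falls outside the range its header claims, and rolls hosts, distinct IPs and detection tags up per AS, so the AS41947 overlap between Netplace and Wahome shows up directly. The sample input is a constructed subset of the post’s own entries, and the header (`# [Owner][ASnnnn][first – last]`) and `#[tag]` annotation formats are assumed from how they appear on this page.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of the annotated HOSTS blocks from the post,
# kept defanged ("try-count .net") exactly as the author wrote them.
SAMPLE = """\
# [Netplace][AS41947][77.91.229.32 – 77.91.229.47]
77.91.229.38  try-count .net #[Javascript.Exploit]

# [Netplace][AS41947][77.91.229.48 – 77.91.229.63]
77.91.229.55  v2statscount .net #[Javascript.Exploit]
77.91.229.55  pluscount .net #[Google.Warning]
77.91.229.55  newv2count .net

# [Wahome Colocation][AS41947][92.241.163.0 – 92.241.163.255]
92.241.163.33  download.aav2008.com
92.241.163.33  download.sp-preventer .com #[Win32/Adware.Antivirus2008]

# [Still Trade][AS47486][91.208.0.0 – 91.208.0.255]
91.208.0.223  microantivirus-2009 .com#[Win32/Adware.Antivirus2008]
91.208.0.246  scanner.vav-x-scanner .com #[Win32/FakeAlert.CU]
"""

# Block header format assumed from the post: "# [Owner][ASnnnn][first – last]"
# (an en dash or a plain hyphen between the two addresses).
HEADER_RE = re.compile(
    r"^#\s*\[(?P<owner>[^\]]+)\]\[(?P<asn>AS\d+)\]"
    r"\[(?P<first>\d{1,3}(?:\.\d{1,3}){3})\s*[–-]\s*(?P<last>\d{1,3}(?:\.\d{1,3}){3})\]"
)
# Entry format: "ip  host[ .tld] [#[tag]]"; the space before the TLD is defanging.
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>[\w.-]+(?:\s+\.[A-Za-z]+)?)"
    r"\s*(?:#\s*\[(?P<tag>[^\]]+)\])?\s*$"
)


def refang(host):
    """Turn the defanged 'name .tld' form back into a plain hostname."""
    return re.sub(r"\s+\.", ".", host).lower()


def parse_hosts(text):
    """Return one dict per HOSTS entry: ip, host, tag, owner, asn, in_range.

    Each entry inherits owner/ASN/range from the most recent block header, and
    in_range records whether the IP really sits inside the range that header claims.
    """
    entries = []
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            block = {
                "owner": h["owner"].strip(),
                "asn": h["asn"],
                "first": ipaddress.IPv4Address(h["first"]),
                "last": ipaddress.IPv4Address(h["last"]),
            }
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # unrelated comment or malformed line: skip, don't guess
        ip = ipaddress.IPv4Address(e["ip"])
        entries.append({
            "ip": str(ip),
            "host": refang(e["host"]),
            "tag": e["tag"],
            "owner": block["owner"] if block else None,
            "asn": block["asn"] if block else None,
            "in_range": bool(block) and block["first"] <= ip <= block["last"],
        })
    return entries


def summarize_by_asn(entries):
    """Aggregate hosts, distinct IPs, owners and detection tags per autonomous system."""
    summary = defaultdict(lambda: {"owners": set(), "ips": set(), "hosts": [], "tags": Counter()})
    for e in entries:
        s = summary[e["asn"]]
        s["owners"].add(e["owner"])
        s["ips"].add(e["ip"])
        s["hosts"].append(e["host"])
        if e["tag"]:
            s["tags"][e["tag"]] += 1
    return dict(summary)


def out_of_range(entries):
    """Entries whose IP does not fall inside their block's declared range."""
    return [e for e in entries if not e["in_range"]]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE)
    for asn, s in summarize_by_asn(parsed).items():
        print(f"{asn} ({', '.join(sorted(s['owners']))}): "
              f"{len(s['hosts'])} hosts on {len(s['ips'])} IPs, tags={dict(s['tags'])}")
    print("out of range:", out_of_range(parsed))
```

Run on the full lists from this post, the per-AS summary puts both “Netplace” and “Wahome Colocation” under AS41947, which is the point the author makes by hand; the out-of-range check is there because a HOSTS file that is maintained by copying entries between blocks drifts over time, and an IP filed under the wrong network header sends an abuse or upstream complaint to the wrong party.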

Someone needs to come up with a better idea for getting these culprits shut down … as it took years to finally close the operations at Intercage/Atrivo … “ICANN” (Internet Corporation for Assigned Names and Numbers) seems to do little to curb these illegal practices. Just look at the fiasco involving EstDomains and ICANN … looks like we are left to fend for ourselves …
