How many Trojans does it take?
How many Trojans or malicious files does it take before someone takes action to shut down some of these sites? That’s something I was asking myself while checking some of the entries in my HOSTS file through Google’s Safe Browsing Diagnostic …
# [Netplace][AS41947][77.91.229.32 – 77.91.229.47]
77.91.229.38 try-count .net #[Javascript.Exploit]
# [Netplace][AS41947][77.91.229.48 – 77.91.229.63]
77.91.229.55 v2statscount .net #[Javascript.Exploit]
77.91.229.55 v2count .net #[Javascript.Exploit]
77.91.229.55 pluscount .net #[Google.Warning]
77.91.229.55 newv2count .net
newv2count .net = Malicious software includes 331 trojan(s). [Google Diagnostic]
pluscount .net = Malicious software includes 64905 trojan(s), 1285 scripting exploit(s), 4 exploit(s). [Google Diagnostic]
try-count .net = Malicious software includes 3553 trojan(s), 79 exploit(s). [Google Diagnostic]
v2count .net = Malicious software includes 5628 trojan(s), 704 scripting exploit(s). [Google Diagnostic]
v2statscount .net = Malicious software includes 11727 trojan(s). [Google Diagnostic]
Now if you add up the numbers from these seemingly related sites you get 85,944 Trojans. Wow!!! Well, we all know it’s useless to complain to the abuse department at these Russian servers … so how about complaining to their “Upstream Provider” instead, much like the tactics used to take down Intercage/Atrivo?
In this case the Upstream Provider is “AS41947 WEBALTA AS Wahome networks” … [source] Sadly, it doesn’t look like that will do much good, as it seems “Wahome” is hosting its own crop of nasties …
# [Wahome Colocation][AS41947][92.241.163.0 – 92.241.163.255]
Notice the “AS41947” is the same … oh well, so much for that idea. As a matter of fact, in checking a few other entries (Still Trade – AS47486) you can see from the “Graph” tab that “Still Trade” routes through … you guessed it, “AS41947 WEBALTA AS Wahome networks”.
# [Still Trade][AS47486][91.208.0.0 – 91.208.0.255]
Starting to see a pattern here? The culprits use the first five sites to inject legitimate sites with exploits that lead to these bogus Antispyware sites, where some people are still conned into giving these criminals their credit card info … and we all know where that leads …
Someone needs to come up with a better idea for getting these culprits shut down, as it took years to finally close the operations at Intercage/Atrivo. “ICANN” (Internet Corporation for Assigned Names and Numbers) seems to do little to curb these illegal practices. Just look at the fiasco involving EstDomains and ICANN … looks like we are left to fend for ourselves …
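The grouping by AS number done by hand above can be scripted. This is an added example, not part of the original post: it parses the annotated HOSTS layout used here, groups entries by AS number, and flags any address that falls outside its block's declared range. The sample data (names, AS numbers, addresses) is constructed from documentation placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the annotated HOSTS layout used above; the names,
# AS numbers and addresses are documentation placeholders, not real entries.
SAMPLE = """\
# [Example Net][AS64500][192.0.2.32 – 192.0.2.47]
192.0.2.38 count-a .example #[Javascript.Exploit]
# [Example Colo][AS64500][198.51.100.0 – 198.51.100.255]
198.51.100.27 fake-av .example
198.51.100.33 download.fake-av .example #[Google.Warning]
# [Example Trade][AS64501][203.0.113.0 – 203.0.113.255]
203.0.113.220 scanner.fake-scan .example
192.0.2.200 stray .example
"""

HEADER = re.compile(r"^#\s*\[(?P<name>[^\]]+)\]\[(?P<asn>AS\d+)\]"
                    r"\[(?P<lo>[\d.]+)\s*[–-]\s*(?P<hi>[\d.]+)\]")
ENTRY = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<host>[^#]+?)\s*"
                   r"(?:#\[(?P<tag>[^\]]+)\])?\s*$")


def parse(text):
    """Return (entries grouped by ASN, entries outside their block's range)."""
    by_asn, out_of_range, block = defaultdict(list), [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            block = (m["name"], m["asn"], ipaddress.ip_address(m["lo"]),
                     ipaddress.ip_address(m["hi"]))
        elif (m := ENTRY.match(line)) and block:
            name, asn, lo, hi = block
            ip = ipaddress.ip_address(m["ip"])
            host = m["host"].replace(" ", "")  # undo the "name .tld" spacing
            by_asn[asn].append((str(ip), host, name, m["tag"]))
            if not lo <= ip <= hi:
                out_of_range.append((str(ip), host, name))
    return dict(by_asn), out_of_range


def netblocks_per_asn(by_asn):
    """Map each ASN to the distinct netblock names listed under it."""
    return {asn: sorted({e[2] for e in rows}) for asn, rows in by_asn.items()}


if __name__ == "__main__":
    groups, strays = parse(SAMPLE)
    print(netblocks_per_asn(groups), "outside declared range:", strays)
```

Several differently named netblocks collapsing onto one AS number is the same signal the post reads off by eye; the out-of-range list catches entries pasted under the wrong block header.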