How many Trojans does it take?

How many Trojans or malicious files does it take before someone takes action to shut down some of these sites? That's something I was asking myself while checking some of the entries in my HOSTS file through Google's Safe Browsing diagnostic …

# [Netplace][AS41947][ –]  try-count .net #[Javascript.Exploit]

# [Netplace][AS41947][ –]  v2statscount .net #[Javascript.Exploit]  v2count .net #[Javascript.Exploit]  pluscount .net #[Google.Warning]  newv2count .net

newv2count .net = Malicious software includes 331 trojan(s). [Google Diagnostic]
pluscount .net = Malicious software includes 64905 trojan(s), 1285 scripting exploit(s), 4 exploit(s).  [Google Diagnostic]
try-count .net = Malicious software includes 3553 trojan(s), 79 exploit(s).  [Google Diagnostic]
v2count .net = Malicious software includes 5628 trojan(s), 704 scripting exploit(s).  [Google Diagnostic]
v2statscount .net = Malicious software includes 11727 trojan(s).  [Google Diagnostic]

Now if you add up the numbers from these seemingly related sites you get 85,944 Trojans. Wow!!! … Well, we all know it's useless to complain to the abuse department at these Russian servers … so how about complaining to their “Upstream Provider”, much like the tactics used to take down Intercage/Atrivo?

In this case the Upstream Provider is “AS41947 WEBALTA AS Wahome networks” … [source] sadly it doesn’t look like that will do much good … as it seems “Wahome” is hosting their own crop of nasties …

# [Wahome Colocation][AS41947][ –]  adv-a-v .com  a-a-v-2008 .com  aav2008 .com  wi-a-v .com  wav2008 .com  windows-av .com  uav2008 .com  spypreventers .com  sp-preventer .com  download.wi-a-v .com  download.wav2008 .com  download.uav2008 .com  download.adv-a-v .com  download.a-a-v-2008 .com .com  download.spypreventers .com  download.sp-preventer .com #[Win32/Adware.Antivirus2008]  secure2.softpaydirect .com  secure.softpaydirect .com  piterserv .com

Notice the “AS41947” is the same … oh well, so much for that idea … as a matter of fact, in checking a few other entries (Still Trade – AS47486) you can see from the “Graph” tab that “Still Trade” routes through … you guessed it, “AS41947 WEBALTA AS Wahome networks”.

# [Still Trade][AS47486][ –]  rapidantivirus .com  microantivirus-2009 .com#[Win32/Adware.Antivirus2008]  microantivirus2009 .com  microantivir2009 .com  microantivir-2009 .com  micro-antivir-2009 .com  soft-traff6 .com  soft-traff5 .com  soft-traff4 .com #[Google.Diagnostic]  soft-traff3 .com #[Google.Diagnostic]  soft-traff2 .com  soft-traff .com .com  scanner.msscanner .com .com  winxsecuritycenter .com  download.vav2008 .com  vav2008 .com  winsafer .com  software-traffic .com  software-traff .com  scanner.vav-x-scanner .com #[Win32/FakeAlert.CU]  scanner.vav-scanner .com #[Win32/Adware.Antivirus2008]  scanner.vav-scan .com  scanner.vavscan .com  scanner-pwrantivirus .com #[Win32/Adware.Antivirus2008]  watcher-scan .com  scanner2.defender-scan .com .com  win-x-defenders .com #[Google.Warning]  win-x-defender .com

Starting to see a pattern here? … The culprits use the first five sites to inject legitimate sites with exploits that lead to these bogus Antispyware sites, where some people are still conned into giving these criminals their credit card info … and we all know where that leads …
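The hand tally and AS comparison above can be scripted. The following is an added example, not part of the original post: it parses annotated HOSTS excerpts and diagnostic summary lines of the shape quoted here, then totals the counts per AS, optionally folding a network into its upstream. The sample data is constructed (reserved .example names and documentation ASNs); the `127.0.0.1` prefix on each entry and the `UPSTREAM` map are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample data (reserved .example names, documentation ASNs).
HOSTS = """\
# [Provider A][AS64500][ -]
127.0.0.1  counter-one.example #[Javascript.Exploit]
127.0.0.1  counter-two.example
# [Provider B][AS64501][ -]
127.0.0.1  fake-av.example #[Win32/Adware.Antivirus2008]
127.0.0.1  download.fake-av.example
"""
DIAG = """\
counter-one.example = Malicious software includes 120 trojan(s), 7 scripting exploit(s), 2 exploit(s).
counter-two.example = Malicious software includes 30 trojan(s).
fake-av.example = Malicious software includes 5 trojan(s), 1 exploit(s).
"""
UPSTREAM = {"AS64501": "AS64500"}  # assumed routing fact: AS -> upstream AS
HEADER = re.compile(r"^#\s*\[([^\]]+)\]\[(AS\d+)\]")
ENTRY = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+(\S+)")
COUNT = re.compile(r"(\d+)\s+(trojan|scripting exploit|exploit)\(s\)")

def parse_hosts(text):
    """Map each domain to the AS named in the nearest preceding header comment."""
    asn, out = None, {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            asn = m.group(2)
        elif (m := ENTRY.match(line)) and asn:
            out[m.group(1).lower()] = asn
    return out

def parse_diag(text):
    """Turn 'domain = Malicious software includes N kind(s), ...' into counts."""
    out = {}
    for line in text.splitlines():
        domain, sep, summary = line.partition(" = ")
        if sep:
            out[domain.strip().lower()] = {k: int(n) for n, k in COUNT.findall(summary)}
    return out

def totals_by_asn(hosts, diag, upstream=None):
    """Sum diagnostic counts per AS; `upstream` folds a network into its carrier."""
    totals = defaultdict(lambda: defaultdict(int))
    for domain, counts in diag.items():
        asn = hosts.get(domain, "unattributed")
        asn = (upstream or {}).get(asn, asn)
        for kind, n in counts.items():
            totals[asn][kind] += n
    return {asn: dict(c) for asn, c in totals.items()}
```

Calling `totals_by_asn(parse_hosts(HOSTS), parse_diag(DIAG), UPSTREAM)` gives the per-upstream view, which is the figure that matters when deciding where an abuse report should go.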

Someone needs to come up with a better idea on getting these culprits shut down … as it took years to finally close the operations at Intercage/Atrivo … “ICANN” (Internet Corporation for Assigned Names and Numbers) seems to do little to curb these illegal practices. Just look at the fiasco involving EstDomains and ICANN … looks like we are left to fend for ourselves …
