This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Malware/ransomware current live distribution points
- Previous message (by thread): [anti-abuse-wg] AS201133
- Next message (by thread): [anti-abuse-wg] Weird Packets from source ::0/64
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 01:27:00 CEST 2016
The various domains and IP address listed in the following file
are, as we speak, acting as distribution/infection points for
some sort of Javascript malware which is almost certainly a
flavor of ransomeware. Note that the majority of these malware
slinging IP are on ASNs associated with the RIPE region.
** FAIR WARNING *** Please use exceptional caution when browsing
to any of the domains listed within the following file. Doing so
with a vlunerable browser and/or from a vulnerable platform is
likely to cause encryption of your entire harddrive. Such encryption
may perhaps be irreversable without paying a ransom.
ftp://ftp.tristatelogic.com/pub/cases/295165/20160629-0.txt
I am including below the same information as is present within the
above referenced file, but without the associated domain names. I do
this in order to avoid having this message improperly filtered. as
it might be, by some of the spam filters being used by some of the
people who really should see this message. (But the domain names
are all readily available in the above file.)
Note that the domain names involved in this particular set of malware
distributors are all third-level .com domains, and that in all cases,
the actual text of the first (leftmost) of the three domain name labels
is irrelevant and could be replaced by any other valid domain name label,
i.e. because the second level domains have all been wildcarded in DNS.
The following list has been sorted numerically, based on the AS number.
RIR ASN IP address
--------------------------
RIPE 16276 188.165.62.14
RIPE 16276 5.196.36.42
ARIN 19531 155.94.69.167
ARIN 19757 107.155.188.126
ARIN 33182 184.171.243.123
ARIN 33182 184.171.243.81
ARIN 33182 198.136.53.210
ARIN 46562 107.181.174.10
RIPE 47583 195.110.58.82
RIPE 50673 217.12.208.160
RIPE 50979 195.123.209.55
RIPE 51852 141.255.161.67
RIPE 52048 46.183.216.167
RIPE 56322 91.219.237.211
RIPE 56577 31.41.44.155
RIPE 59432 5.134.117.190
RIPE 59729 185.82.216.204
RIPE 62240 185.120.20.107
APNIC 63912 111.221.44.152
RIPE 201133 82.118.226.13
If you are an administrator of one of the above listed ASNs, or if you
know someone who is, please spend a few minutes and help get this hostile
trash off the Internet.
Thank you.
Regards,
rfg
P.S. Those who do elect to browse to the domains listed in the file
cited above, and so do so without getting infected, will notice that
the underyling actual web sites are all identical, and are all selling
a completely bogus diet supplement called "CLA Safflower Oil". It is
unclear at this time whether the criminals behind these IPs and domains
are making more money from their ransomware scheme, or from selling
this bogus diet suppliment to naive idiots.
- Previous message (by thread): [anti-abuse-wg] AS201133
- Next message (by thread): [anti-abuse-wg] Weird Packets from source ::0/64
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]