This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Malware/ransomware current live distribution IPs
- Previous message (by thread): [anti-abuse-wg] Weird Packets from source ::0/64
- Next message (by thread): [anti-abuse-wg] Malware/ransomware current live distribution IPs
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 07:40:06 CEST 2016
This is an update to my earlier post today on this same topic.
The list below is somewhat more complete and somewhat more
up-to-date.
+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_+_
The various domains and IP addresses listed in the following file
are, as we speak, acting as distribution/infection points for
some sort of Javascript malware which is almost certainly a
flavor of ransomware.
*** FAIR WARNING *** Please use exceptional caution when browsing
to any of the domains listed within the following file. Doing so
with a vulnerable browser and/or from a vulnerable platform is
likely to cause encryption of your entire hard drive. Such encryption
may perhaps be irreversible without paying a ransom.
ftp://ftp.tristatelogic.com/pub/cases/295165/20160629-1.txt
I am including below the same information as is present within the
above referenced file, but without the associated domain names. I do
this in order to avoid having this message improperly filtered, as
it might be, by some of the spam filters being used by some of the
people who really should see this message. (But example malware-
distribution domain names that currently resolve to the IP addresses
listed below are all readily available in the above file.)
Note that the domain names involved in this particular set of malware
distributors are all third-level .COM domains, and that in all cases,
the actual text of the first (leftmost) of the three domain name labels
is irrelevant and can be replaced by any other valid domain name label
because the second level domains have all been wildcarded in the DNS.
The following list has been sorted numerically, based on the AS number.
RIR ASN IP address
--------------------------
ARIN 8100 192.169.6.40
ARIN 8100 192.169.7.101
RIPE 16276 188.165.62.14
RIPE 16276 188.165.62.17
RIPE 16276 5.196.36.42
RIPE 16276 51.254.240.149
ARIN 19531 155.94.69.167
ARIN 19531 155.94.69.172
ARIN 19757 107.155.188.126
ARIN 33182 184.171.243.123
ARIN 33182 184.171.243.81
ARIN 33182 198.136.53.210
ARIN 46562 107.181.174.10
RIPE 47583 195.110.58.247
RIPE 47583 195.110.59.85
RIPE 50673 217.12.208.160
RIPE 50979 195.123.209.49
RIPE 50979 195.123.209.55
RIPE 51852 141.255.161.67
RIPE 52048 46.183.216.167
ARIN 53340 199.241.137.159
RIPE 56322 91.219.237.211
RIPE 56577 31.41.44.155
RIPE 59432 5.134.117.190
RIPE 59729 185.82.216.204
RIPE 59729 217.12.203.211
RIPE 62240 185.120.20.107
APNIC 63912 111.221.44.152
RIPE 201133 82.118.226.13
RIPE 201133 82.118.226.35
RIPE 203557 185.29.11.137
RIPE 203557 185.29.11.178
RIPE 203557 185.29.11.184
If you are an administrator of one of the above listed ASNs, or if you
know someone who is, please spend a few minutes and help get this hostile
trash off the Internet.
Thank you.
Regards,
rfg
P.S. Those who do elect to browse to the domains listed in the file
cited above, and who do so without getting infected, will notice that
the underlying actual web sites are all identical, and are all selling
a completely bogus diet supplement called "CLA Safflower Oil". It is
unclear at this time whether the criminals behind these IPs and domains
are making more money from their ransomware extortion racket, or from
selling this bogus diet supplement to naive idiots.
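As an added example (not part of Ronald's message or of anything else posted to this list), the following Python script shows the two checks a network operator might run on a list like the one above: parse the RIR/ASN/IP table so it can be grouped per origin AS for abuse handling, and test the claim that a second-level domain is wildcarded in the DNS by resolving several random leftmost labels under it and comparing the answers. The table excerpt embedded in the script is copied from the message; the probing method (random labels) is the editor's, not a description of how the original poster determined the wildcarding; the domain names in the usage section are constructed placeholders under `.test`, and `resolve_a` needs network access, so a fake resolver is injected when running offline.

```python
"""
Operator-side checks for a malware-distribution IP list.

1. parse_table / group_by_asn: turn the plain-text "RIR ASN IP address"
   table into per-ASN lists of addresses.
2. wildcard_targets / listed_wildcards: detect a wildcarded second-level
   domain by resolving random labels under it and mapping the answers
   back onto the listed IPs.
"""
import ipaddress
import secrets
import socket
from collections import defaultdict

# Excerpt of the table as posted in the message above (RIR, ASN, IP address).
TABLE_TEXT = """\
RIR ASN IP address
--------------------------
ARIN 8100 192.169.6.40
ARIN 8100 192.169.7.101
RIPE 16276 188.165.62.14
RIPE 16276 188.165.62.17
RIPE 16276 5.196.36.42
RIPE 16276 51.254.240.149
ARIN 19531 155.94.69.167
RIPE 203557 185.29.11.137
"""


def parse_table(text):
    """Return [(rir, asn, ip)], skipping the header, the rule line and malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # header, separator, or not a data row
        rir, asn, ip = parts
        try:
            addr = ipaddress.ip_address(ip)  # rejects typos such as "192.169.6"
        except ValueError:
            continue
        rows.append((rir, int(asn), str(addr)))
    return rows


def group_by_asn(rows):
    """Map ASN -> list of IPs, ASNs in ascending numeric order (as the message sorts them)."""
    by_asn = defaultdict(list)
    for _rir, asn, ip in rows:
        by_asn[asn].append(ip)
    return dict(sorted(by_asn.items()))


def random_label(length=12):
    """A label no legitimate zone is likely to contain; used only to probe for wildcards."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def resolve_a(hostname):
    """IPv4 addresses for hostname, or an empty set if it does not resolve (needs network)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def wildcard_targets(second_level_domain, resolve=resolve_a, probes=3):
    """If every random label under the domain resolves to the same non-empty
    address set, the zone is wildcarded: return that set. Otherwise return None."""
    seen = None
    for _ in range(probes):
        addrs = frozenset(resolve(f"{random_label()}.{second_level_domain}"))
        if not addrs:
            return None  # at least one random label gets NXDOMAIN: not a wildcard
        if seen is None:
            seen = addrs
        elif addrs != seen:
            return None  # answers differ between probes: treat as inconclusive
    return set(seen)


def listed_wildcards(domains, rows, resolve=resolve_a):
    """For each wildcarded domain, map its target IPs to the ASN from the table
    (None when the IP is not in the list)."""
    ip_to_asn = {ip: asn for _rir, asn, ip in rows}
    hits = {}
    for dom in domains:
        targets = wildcard_targets(dom, resolve)
        if targets:
            hits[dom] = {ip: ip_to_asn.get(ip)
                         for ip in sorted(targets, key=ipaddress.ip_address)}
    return hits


if __name__ == "__main__":
    # Constructed placeholders; replace with the second-level domains from the cited file.
    rows = parse_table(TABLE_TEXT)
    for asn, ips in group_by_asn(rows).items():
        print(f"AS{asn}: {', '.join(ips)}")
    print(listed_wildcards(["wildcard-example.test"], rows))
```

Because `resolve_a` is an injectable parameter, the same logic runs against a recording of earlier lookups, which matters here: by the time an operator reads a list like this the domains may already have been taken down, and a live probe would then report "not wildcarded" for a zone that was.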