This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Malware/ransomware current live distribution points
- Previous message (by thread): [anti-abuse-wg] AS201133
- Next message (by thread): [anti-abuse-wg] Weird Packets from source ::0/64
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Thu Jun 30 01:27:00 CEST 2016
The various domains and IP address listed in the following file are, as we speak, acting as distribution/infection points for some sort of Javascript malware which is almost certainly a flavor of ransomeware. Note that the majority of these malware slinging IP are on ASNs associated with the RIPE region. ** FAIR WARNING *** Please use exceptional caution when browsing to any of the domains listed within the following file. Doing so with a vlunerable browser and/or from a vulnerable platform is likely to cause encryption of your entire harddrive. Such encryption may perhaps be irreversable without paying a ransom. ftp://ftp.tristatelogic.com/pub/cases/295165/20160629-0.txt I am including below the same information as is present within the above referenced file, but without the associated domain names. I do this in order to avoid having this message improperly filtered. as it might be, by some of the spam filters being used by some of the people who really should see this message. (But the domain names are all readily available in the above file.) Note that the domain names involved in this particular set of malware distributors are all third-level .com domains, and that in all cases, the actual text of the first (leftmost) of the three domain name labels is irrelevant and could be replaced by any other valid domain name label, i.e. because the second level domains have all been wildcarded in DNS. The following list has been sorted numerically, based on the AS number. RIR ASN IP address -------------------------- RIPE 16276 188.165.62.14 RIPE 16276 5.196.36.42 ARIN 19531 155.94.69.167 ARIN 19757 107.155.188.126 ARIN 33182 184.171.243.123 ARIN 33182 184.171.243.81 ARIN 33182 198.136.53.210 ARIN 46562 107.181.174.10 RIPE 47583 195.110.58.82 RIPE 50673 217.12.208.160 RIPE 50979 195.123.209.55 RIPE 51852 141.255.161.67 RIPE 52048 46.183.216.167 RIPE 56322 91.219.237.211 RIPE 56577 31.41.44.155 RIPE 59432 5.134.117.190 RIPE 59729 185.82.216.204 RIPE 62240 185.120.20.107 APNIC 63912 111.221.44.152 RIPE 201133 82.118.226.13 If you are an administrator of one of the above listed ASNs, or if you know someone who is, please spend a few minutes and help get this hostile trash off the Internet. Thank you. Regards, rfg P.S. Those who do elect to browse to the domains listed in the file cited above, and so do so without getting infected, will notice that the underyling actual web sites are all identical, and are all selling a completely bogus diet supplement called "CLA Safflower Oil". It is unclear at this time whether the criminals behind these IPs and domains are making more money from their ransomware scheme, or from selling this bogus diet suppliment to naive idiots.
- Previous message (by thread): [anti-abuse-wg] AS201133
- Next message (by thread): [anti-abuse-wg] Weird Packets from source ::0/64
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]