This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/anti-abuse-wg@ripe.net/
[anti-abuse-wg] Malware/ransomware current live distribution IPs
andre at ox.co.za
Thu Jun 30 13:28:11 CEST 2016
On Wed, 29 Jun 2016 22:40:06 -0700
"Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:

> The various domains and IP addresses listed in the following file
> are, as we speak, acting as distribution/infection points for
> some sort of Javascript malware which is almost certainly a
> flavor of ransomware.
>
> ** FAIR WARNING *** Please use exceptional caution when browsing
> to any of the domains listed within the following file. Doing so
> with a vulnerable browser and/or from a vulnerable platform is
> likely to cause encryption of your entire hard drive. Such encryption
> may perhaps be irreversible without paying a ransom.
>
> ftp://ftp.tristatelogic.com/pub/cases/295165/20160629-1.txt
>

I have a small public DNSBL here: superblock.ascams.com

I see that most of these are listed,

    dig TXT @superblock.ascams.com 160.208.12.217.superblock.ascams.com

I have added the ones that were not there, thank you Ronald :)

superblock.ascams.com currently has a few million entries and it seems
to go up and down as new IPv4 is added and removed - ipv6 is server
whitelist, am also building different lists for different usage (sep
phish, etc - as I have time)

If you would like to add superblock.ascams.com - these seem like good
links:

Exim    : http://www.exim.org/howto/rbl.html
postfix : https://www.howtoforge.com/block_spam_at_mta_level_postfix

Anyone with good reliable datafeeds is most welcome to email me off
list, although I do run a few hundred thousand spam traps over four
continents, so data is fresh and usable

Am rate limiting, if anyone needs more please mail me to either lift
connection rates on your IPs or to exchange data :)

I am moving this to Germany (from the USA) in the next few weeks, anyone
with spare resources that can offer/help/contribute dns hosting, or in
any other way, it is always welcome :)

Andre

> I am including below the same information as is present within the
> above referenced file, but without the associated domain names. I do
> this in order to avoid having this message improperly filtered, as
> it might be, by some of the spam filters being used by some of the
> people who really should see this message. (But example malware-
> distribution domain names that currently resolve to the IP addresses
> listed below are all readily available in the above file.)
>
> Note that the domain names involved in this particular set of malware
> distributors are all third-level .COM domains, and that in all cases,
> the actual text of the first (leftmost) of the three domain name
> labels is irrelevant and can be replaced by any other valid domain
> name label because the second level domains have all been wildcarded
> in the DNS.
>
> The following list has been sorted numerically, based on the AS
> number.
>
> If you are an administrator of one of the above listed ASNs, or if you
> know someone who is, please spend a few minutes and help get this
> hostile trash off the Internet.
>
> Thank you.
>
>
> Regards,
> rfg
>
>
> P.S. Those who do elect to browse to the domains listed in the file
> cited above, and who do so without getting infected, will notice that
> the underlying actual web sites are all identical, and are all selling
> a completely bogus diet supplement called "CLA Safflower Oil". It is
> unclear at this time whether the criminals behind these IPs and
> domains are making more money from their ransomware extortion racket,
> or from selling this bogus diet supplement to naive idiots.
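
Added example, not part of either poster's message: how the DNSBL query name in the dig command above is formed (reversed address labels prepended to the zone, per RFC 5782) and how a lookup result can be classified defensively. It goes beyond the message by also building IPv6 nibble names; the `resolve` parameter and the status strings are assumptions of this example, and nothing here describes how superblock.ascams.com itself answers.

```python
import ipaddress
import socket

ZONE = "superblock.ascams.com"  # DNSBL zone named in the message above


def dnsbl_query_name(ip, zone=ZONE):
    """Build the RFC 5782 query name: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(labels[::-1] + [zone])


def dnsbl_status(ip, zone=ZONE, resolve=socket.gethostbyname_ex):
    """Classify a lookup as listed / not-listed / tempfail / invalid.

    `resolve` is injectable (hypothetical parameter of this example) so the
    logic can be exercised without network access.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        _, _, answers = resolve(name)
    except OSError as exc:
        # A resolver failure is not proof of a clean address: keep temporary
        # failures apart from "no such name" so callers can retry.
        if exc.errno == socket.EAI_AGAIN:
            return "tempfail", []
        return "not-listed", []
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
    if not codes:
        # An answer outside 127.0.0.0/8 is not a DNSBL return code, e.g. a
        # resolver that rewrites NXDOMAIN or a zone that changed hands.
        return "invalid", answers
    return "listed", codes


if __name__ == "__main__":
    # Same query name as the dig command in the message.
    print(dnsbl_query_name("217.12.208.160"))
```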