Malware threat IP - Is it being blocked?

This malware on the threat IP is being blocked, and also detected by avast!: https://www.virustotal.com/nl/file/6c3e4c98c2da25cb441d1924c47b3a9f53f2f80cb3f2d6329c70b71c07d0b2f6/analysis/
No alerts detected here for the IP: http://urlquery.net/report.php?id=8906706
IP blacklisted for spam and abuse in two instances: http://www.ipvoid.com/scan/212.111.205.92/
Abuse from uran.net dot ua with active malware according to kraken Virus Tracker classification:
uran.net dot ua,212.111.212.227,ns2.uran.net dot ua,Criminals, (Criminals only denotes that active malcode is being detected - no more, no less!)
→ Phishing reported on IP: http://support.clean-mx.de/clean-mx/phishing.php?email=abuse@uran.net.ua&response=
http://www.mrp.net/ipv6_survey/diagnostics/uran.ua.html
Listed on major IP sites blocked for Ukraine: http://www.nirsoft.net/countryip/ua.html
→ 212.111.192.0 – 212.111.223.255 (8192 addresses, assigned 25/05/99): Association of users of Ukrainian Research & Academic Network “URAN”
On sending I get a “disconnected”!

polonus

Another example from SRI Malware Threat Center: 7 2 01/19 01/29 neo.net dot id ID deny ip host 117.103.67.166 any log
Not clear: http://www.ipvoid.com/scan/117.103.67.166/
For neo.net dot id I get an 11004 [11004] Valid name, no data record (check DNS setup)
But see: http://jsunpack.jeek.org/?report=d4147d8f3ed9da2a40733f205d76ee96622304b5
Microsoft Terminal Service DNS test warnings SOA
Reverse for 203.79.29.11 points to an unknown host name (blizt.juragan.net). blizt.juragan dot net,Not in namespace,

probably compiler cannot see it, classes need to be reconstructed
Quote (;D = note by me, Polonus):
URL resolves to an invalid IP address! Server redirect warning status: Content cannot be read! → http://dnslookup.fr/blizt.juragan.net
Host did not accept hostmasterATanyonecloud.com as SMTP recipient. Delivery over IPv4 to hostmasterATanyonecloud.com could not be done. Failed to deliver email for SOA RNAME of anyonecloud dot com (hostmaster.anyonecloud dot com) using hostmasterATanyonecloud.com.
BLIZT.JURAGAN dot NET is running on the ip address blizt.juragan dot net that belongs to the network . This network is part of the autonomous system from the company . Total of domains on blizt.juragan dot net: 0
I get an error 11004 [11004] Valid name, no data record (check DNS setup)
See also: https://www.mywot.com/en/scorecard/203.79.29.11?utm_source=addon&utm_content=popup-donuts (two red alerts on WOT web rep)
No alerts here: http://urlquery.net/report.php?id=9320440
Things do not add up - therefore IP should be blocked?

polonus

Checked this abuse IP at ThreatSTOP - see attached.
See: https://www.virustotal.com/nl/ip-address/182.118.124.184/information/
Sucuri detects: http://sitecheck2.sucuri.net/results/182.118.124.184
Suspicious conditional redirect. Details: htxp://sucuri.net/malware/entry/MW:HTA:7
Redirects users to: htxp://140.206.165.81:80/ ITAR, site first seen 3 years ago. [dotted quad host - ITAR IP]
Avast does not detect? → https://www.virustotal.com/nl/file/40bbd8ebec6282d4fd979dc0e58c31b5ad5389493ddbad787b4bbad359c49405/analysis/1389305185/
Tool.Rooter malware up and alive: http://support.clean-mx.de/clean-mx/viruses?id=17632215
DrWeb detects, avast! does not have it: https://www.virustotal.com/nl/file/6142a5cffa55cf7a06c5fce6cbbc63ef26ff08b70009e48344307a37f4d247c7/analysis/
IDS alerts here: http://urlquery.net/report.php?id=8311206

polonus

Another one checked here, Research for IP 91.66.177.135 → first identified 44 hours ago, last seen 4 hours ago: ADVANCED threat from superkabel dot de
Here SSL report seems OK: http://www.networking4all.com/nl/helpdesk/tools/site+check/report/?fqdn=https%3A%2F%2Fsso.kabelmail.de%2Fportal%2Findex.aspx&protocol=https
But spam abuse:
zen.spamhaus dot org says 127.0.0.11: 91.66.177.135 is used by an End-user & not a Mail Transfer Agent; listed on PBL
b.barracudacentral dot org says 127.0.0.2: 91.66.177.135 was used to send spam or viruses; poor reputation.
Parked, expired? see: http://urlquery.net/report.php?id=9325740
http://www.dnswatch.info/dns/dnslookup?la=en&host=91.66.177.135&type=A&submit=Resolve
Verdict active malcode: 91-66-177-135-dynip dot superkabel dot de,91.66.177.135,Criminals,

polonus
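The two DNSBL answers quoted in the post above (127.0.0.11 from zen.spamhaus.org, 127.0.0.2 from b.barracudacentral.org) are return codes, not free text. As an added example (not the poster's code), this builds the query name for an address and decodes such answers offline, including the Spamhaus error codes that must not be mistaken for a listing; the sample answers are constructed to match the post:

```python
import ipaddress

# Constructed sample, matching the post: 91.66.177.135 answered 127.0.0.11 at
# zen.spamhaus.org and 127.0.0.2 at b.barracudacentral.org.
ZEN_ZONE = "zen.spamhaus.org"
BRBL_ZONE = "b.barracudacentral.org"

# Spamhaus ZEN answer codes as documented by Spamhaus: 127.0.0.2-9 are SBL/XBL
# listings, 127.0.0.10-11 are PBL policy listings (end-user space, not an MTA).
ZEN_CODES = {
    "127.0.0.2": ("SBL", "verified spam source"),
    "127.0.0.3": ("SBL", "CSS: snowshoe / low-reputation spam source"),
    "127.0.0.4": ("XBL", "CBL: exploited or infected host"),
    "127.0.0.9": ("SBL", "DROP/EDROP: hijacked or worst-offender netblock"),
    "127.0.0.10": ("PBL", "ISP policy: end-user address, not an MTA"),
    "127.0.0.11": ("PBL", "Spamhaus policy: end-user address, not an MTA"),
}
# 127.255.255.x answers are query errors, not listings; never count them as a hit.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via an open/public resolver and was refused",
    "127.255.255.255": "excessive query volume; query refused",
}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (RFC 5782 query form)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(zone, answers):
    """Map the A records a DNSBL returned (empty list = NXDOMAIN) to a verdict."""
    lists, errors = [], []
    for code in answers:
        if zone == ZEN_ZONE and code in ZEN_ERRORS:
            errors.append(ZEN_ERRORS[code])
        elif zone == ZEN_ZONE and code in ZEN_CODES:
            lists.append(ZEN_CODES[code])
        elif zone == BRBL_ZONE and code == "127.0.0.2":  # BRBL is a single list
            lists.append(("BRBL", "used to send spam or viruses; poor reputation"))
        else:
            errors.append("unexpected answer %s from %s" % (code, zone))
    return {"listed": bool(lists), "lists": lists, "errors": errors}


def pbl_only(verdict):
    """True when every hit is a PBL policy entry: dynamic/end-user space that
    should not send mail directly, which by itself is not evidence of malware."""
    return bool(verdict["lists"]) and all(n == "PBL" for n, _ in verdict["lists"])
```

A real check would resolve the name from dnsbl_query_name() and pass the returned A records to interpret(); a PBL-only hit, as here, says the address is dynamic end-user space, while the Barracuda hit is a reputation listing.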

A very recent one, from 8 minutes ago:
Research IP 210.86.239.72
First Identified  Last Seen  Threat
months ago        8 min ago  Cyber-TA Top 1000
5 months ago      8 min ago  ADVANCED
ci239-10 dot netnam dot vn →
01/25-21:11:42.869584 [] [1:22466:7] E2[rb] NETBIOS SMB-DS IPC$ unicode share access [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 210.86.239.72:1294 → 192.168.1.43:445
01/25-21:12:07.821714 [] [1:2001683:3] E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host [] [Priority: 0] {TCP} 210.86.239.72:9616 → 192.168.1.43:1029
01/25-21:12:07.821714 [] [1:5001684:99] E3[rb] BotHunter Malware Windows executable (PE) sent from remote host [] [Priority: 0] {TCP} 210.86.239.72:9616 → 192.168.1.43:1029
http://urlquery.net/report.php?id=9325964 - I get a “disconnected” → http://www.telephoneactivity.com/861/141/4626.html
http://cgi.mtc.sri.com/popups/binaries/01-31-2014/000ed84d4f7a670eda64a1ee9f0b73d6.html

pol
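The three IDS lines in the post above are Snort/BotHunter fast-alert records. As an added example (not the poster's code), this parser extracts the rule ID, classification, priority and endpoints from such lines and groups them per source address; the sample text is the post's own three alerts, with the forum's "[]" and "→" accepted alongside Snort's native "[**]" and "->":

```python
import re
from collections import defaultdict

# Sample copied from the post above. The forum rendered Snort's "[**]"
# delimiters as "[]" and "->" as "→"; the regex accepts both spellings.
SAMPLE_ALERTS = """\
01/25-21:11:42.869584 [] [1:22466:7] E2[rb] NETBIOS SMB-DS IPC$ unicode share access [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 210.86.239.72:1294 → 192.168.1.43:445
01/25-21:12:07.821714 [] [1:2001683:3] E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host [] [Priority: 0] {TCP} 210.86.239.72:9616 → 192.168.1.43:1029
01/25-21:12:07.821714 [] [1:5001684:99] E3[rb] BotHunter Malware Windows executable (PE) sent from remote host [] [Priority: 0] {TCP} 210.86.239.72:9616 → 192.168.1.43:1029
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\**\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\**\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?:->|→)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()          # cls stays None when no classtype was set
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def summarize_by_source(events):
    """Group alerts by source IP: count, distinct SIDs, targets hit, and whether
    any rule reported an executable being pushed to the victim. Priority 0
    means the rule carried no priority, so it is not used for ranking here."""
    out = defaultdict(lambda: {"count": 0, "sids": set(), "targets": set(),
                               "executable_delivered": False})
    for ev in events:
        s = out[ev["src"]]
        s["count"] += 1
        s["sids"].add(ev["sid"])
        s["targets"].add("%s:%d" % (ev["dst"], ev["dport"]))
        if "executable" in ev["msg"].lower():
            s["executable_delivered"] = True
    return dict(out)
```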

Checked on this: https://www.virustotal.com/nl/url/ccb906ee5c4f24dd9da9896b6f453b9ec720560fed73e2cb3ba30e225c3f65d8/analysis/
VertexNet malware, uraak-booter.corewebserver dot com,93.188.160.4,ns4.main-hosting dot com,Criminals,
PHISHING IP: http://support.clean-mx.de/clean-mx/phishing?id=3652407
IDS alert for “ET RBN Known Russian Business Network IP group 434”
Nothing further alerted: http://urlquery.net/report.php?id=9328001
Bot or Trojan IPs  # of Connections  First Identified  Last Seen    Threat                    Danger Level
93.188.160.4       17                3 years ago       4 hours ago  Russian Business Network  2
                                     24 months ago     2 days ago   DNSChanger                3
                                     24 months ago     2 days ago   Sinkhole                  3
                                     24 months ago     2 days ago   BASIC                     4

Unable to properly scan site. Site empty ?
Site powered by: PHP/5.2.17 → http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.uraak-booter.corewebserver.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

Waiting for additional response until connection closes… The listing contains:
  JCE.php
  WMCS-Hashes.txt
  _file-manager/
  exploit.php
  php.ini
  shell.php.txt
Blocked by Bitdefender’s TrafficLight as malicious site,
WOT flags as https://www.mywot.com/en/scorecard/uraak-booter.corewebserver.com?utm_source=addon&utm_content=popup-donuts
listed in https://easylist-downloads.adblockplus.org/malwaredomains_full.txt

polonus

Normal scanners do not flag this Plasma site; Antivirus Plasma(-miner) is a rogue security program that shows false warning messages.
See: https://www.virustotal.com/nl/url/fe826218bbc9ebfb2c5291e146364e45da909d384524ca870198cb9e4a57ec8b/analysis/

urlquery flags it with an IDS alert: http://urlquery.net/report.php?id=9328465

Bot or Trojan IPs  # of Connections  First Identified  Last Seen     Threat                    Danger Level
93.174.95.19       6                 3 years ago       63 min ago    Russian Business Network  2
                                     5 days ago        65 min ago    AlienVault                4
                                     5 weeks ago       68 min ago    AlienvaultScanSpam        2
                                     6 weeks ago       11 hours ago  DShield Block List        3
                                     6 weeks ago       11 hours ago  COMMUNITY                 3
                                     6 weeks ago       11 hours ago  ADVANCED                  3

Results of this Blacklistchecker are just ridiculous: https://www.gamasec.com/gsf/BlackList.aspx
The domain name DOES NOT appear to be banned. Currently Safe
No active threats were reported recently by users anywhere on this domain.

A severity 3 “ET RBN Known Russian Business Network IP group 434” IDS alert for IP qualifies for flagging i.m.h.o… ;D

polonus

From the following IP a kcloud virus is being spread: https://www.virustotal.com/nl/url/d84fce3fb547f3907b50306306ead350530ac9ca21a54733bc8885b9db72c3ef/analysis/1392038441/
and filescan: https://www.virustotal.com/nl/file/9390ab4fc28cbb544014a6c08f6866a81702adb667b2c7019f41f02fb302cb8c/analysis/1392015096/
ThreatSTOP has it
Bot or Trojan IPs  # of Connections  First Identified  Last Seen   Threat         Danger Level
222.186.60.16      4                 3 years ago       3 days ago  CHINA          1
                                     3 years ago       3 days ago  Modified ITAR  1
                                     3 years ago       3 days ago  China          1
                                     3 years ago       3 days ago  ITAR           1

Flagged: http://urlquery.net/report.php?id=9345306
Not detected here: http://app.webinspector.com/public/reports/19627352
Site is blacklisted and likely compromised: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsoft.sumge.com%2F1391355170%2Fsetup_27_1.exe
Norton flags a drive-by download at Norton Safe Web: http://safeweb.norton.com/report/show?url=soft.sumge.com

Name of threat: Malicious Site: Malicious Domain Request 2 → http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24312
One yellow from WOT on trustworthiness: https://www.mywot.com/en/scorecard/soft.sumge.com?utm_source=addon&utm_content=rw-viewsc
No block from avast!

polonus

This Japanese attack IP was signalled on iPillion: “Exploit attempt”
ThreatSTOP had it
Bot or Trojan IPs  # of Connections  First Identified  Last Seen   Threat       Danger Level
203.189.96.196     4                 5 weeks ago       4 days ago  DenyHosts    1
                                     5 weeks ago       4 days ago  UNIX SERVER  2

Also flagged here as abuse, in category ssh: http://www.badips.com/info/203.189.96.196
Nothing here: http://urlquery.net/report.php?id=9348981

polonus

A banned hacker IP: http://www.badips.com/info/96.44.154.122 &
Bot or Trojan IPs  # of Connections  First Identified  Last Seen     Threat              Danger Level
96.44.154.122      5                 3 weeks ago       20 hours ago  AlienvaultScanSpam  2
See: http://bannedhackersips.blogspot.nl/2014/01/fail2ban-ssh-banned-9644154122.html
and: https://www.virustotal.com/nl/ip-address/96.44.154.122/information/
See: http://us.hive.sshhoneypot.com/iplog.php?ip=96.44.154.122
See: http://www.ipillion.com/ip/96.44.154.122
See: http://filemare.com/en-nl/browse/96.44.154.122
See: https://stat.ripe.net/96.44.154.122#tabId=at-a-glance
Nothing here: http://www.urlvoid.com/scan/96.44.154.122.static.quadranet.com/ and also not the link to:
htxp://www.bidvertiser.com/bdv/BidVertiser/bdv_advertiser.dbm
alive malcode: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=96.44.154.%

https://www.virustotal.com/nl/url/1aee03f9295c31bfd0b3c24c107844db60eadfdb28314b16fb78abcb5302334c/analysis/1392057398/
→ urlopen error timed out

pol

Another one, found at log matapala: 80.82.64.90 udp 56702 53 00:25:26
See report: http://www.abuseipdb.com/report-history/80.82.64.90
See ThreatSTOP attached
IDS alert for RBN IP group 355 → The requested URL was not found on this server.

polonus