Post #1 (Apr 20 2009, 01:26 PM) - Member, Group: Banned, Posts: 71, Joined: 12-April 09, Member No.: 320,113
Malicious Site Block sites:

66.220.17.154
216.24.138.135
217.73.66.16
hxxp://123urlaub.info ip 216.24.138.135
antimalwareguard.com ip 216.24.138.135
antispyexpert.com ip 216.24.138.135
antivirus2009.com ip 82.165.245.27
Anti-VirusNumber1.com ip 216.24.138.135
AntivirusXPPro.com ip 216.24.138.135
avsystemcare.com ip ptr-216-8-179-24.ptr.next.dimensioninc.com or 216.8.179.23
hxxp://best-click-scanner.info ip 216.24.138.135
hxxp://bs.serving-sys.com ip 12.129.210.76 or 12.129.210.71 or 216.24.138.135
call-kelly.com ip 216.155.138.228.choopa.net or 216.155.138.228
hxxp://click-my-scanner.info ip 216.24.138.135
clicksor.com ip 66.48.81.155
crackle.com ip 12.129.210.76 or 208.78.224.202
edebiyatogretmeni.net ip 85.25.120.83 ip loft1404.serverloft.de
hxxp://emediate.eu ip 216.24.138.135
hxxp://get.virusscanneronline.info/ ip 216.24.138.135
gomyhit.com ip 216.24.138.135
greenantivirus2009.com ip-70-38-73-28.static.privatedns.com or 70.38.73.28
imageservr.com ip 208.73.210.121 ip parkinglot.searchportal.informatiom.com
infolinks.com ip 194.90.11.196
insightexpressai.com ip 209.244.156.19 unknown.Level3.net
interclick.com ip 216.52.167.80
kaaza.com ip 12.129.210.76 or 66.226.75.118
live365.com ip 216.235.95.145 www.live365.com
MalwareDefender2009.com ip 211.95.73.189
malware-scan.com ip 64.40.103.249 ns 1.domainmanager.com or 209.59.194.20
malwarealarm.com ip 74.54.82.209 d1.52.364a.stactic.theplanet.com
hxxp://www.maxmind.com//GeoIP.dat.gz ip 216.24.138.135
Noadware.net ip 69.20.104.139
hxxp://online.antivirusscan1.info ip 208.43.47.213 208.43.47.213-static.reverse.softlayer.com
onerateId.com ip 216.24.138.135
hxxp://onlinescannerav1.info ip 216.24.138.135
hxxp://regedintheclub.info ip 216.24.138.135
hxxp://run.av-best.info ip 209.59.194.20 vip-vr20tuk.trafficz.com or 216.24.138.135
s1.on-line-virus-scanner.info ip 208.43.47.213
hxxp://safetydownload.com ip 216.24.138.135
hxxp://scanner.av-best.info/ ip 216.24.138.135
securityclick.net ip 216.24.138.135
hxxp://serving-sys.com ip 216.24.138.135
sevdayeri.net ip 85.25.120.145
spywareguardpro.com ip 216.24.138.135
spywareprotect2009.com ip 204.13.161.102
hxxp://spywarestormer.com ip 216.24.138.135
hxxp://statsreportserver.com ip 216.24.138.135
svinushka.net ip 216.24.138.135
hxxp://tds.best-click-go.info ip 216.24.138.135
hxxp://tds.checkclick-1.info ip 216.24.138.135
tlal.exelator.net ip 8.19.18.81 or 209.190.74.70
hxxp://trafficconverter.biz ip 216.24.138.135
hxxp://trustedantivirus.com ip 216.24.138.135
virusranger.com ip 216.86.155.41
virusremover2008.com ip 216.24.138.135
virusremover2008flash.com ip 216.24.138.135
virusremover2009.com ip 69.46.228.182
virusrescue.com ip 82.98.86.175
virusschlacht.com ip 216.24.138.135
hxxp://websecurityexamine.com/ ip 216.24.138.135
WinPCDefender.net ip 216.24.138.135
zango.com ip 64.94.137.72

I hope this helps out everyone. Avoid being infected by Rogue-AV-Ware in the first place & have these sites Blocked.

Edited to disable malicious links - Gal

This post has been edited by Galadriel: Apr 24 2009, 02:06 AM
Post #2 (Apr 20 2009, 01:50 PM) - Forum Regular, Group: Members, Posts: 252, Joined: 20-June 05, From: Central Texas, Member No.: 24,183
Great research, but that's too much hosts file editing or firewall rules for most users, myself included. I'll wait until MVPS.org (Spybot, SpywareBlaster or other hosts file creators) add them to their list. FAIK they may be on the lists already.
-------------------- Dell Dimension 4700 Desktop; 512 RAM; WinXP-SP3; IE8; Firefox 3.0.10 (default); ATT DSL 2Wire 1800 modem/router; MVPS Host File; Comodo Internet Security 3.8 w/o AV; Avast! Home AV; SuperAntispyware Pro; MBAM on demand.
Post #3 (Apr 21 2009, 11:11 AM) - Member, Group: Banned, Posts: 71, Joined: 12-April 09, Member No.: 320,113
216.24.138.135
spywareprotect2009.com IP 204.13.161.102

I added these to the list above.

Anti-VirusNumber1.com ip 216.24.138.135
AntivirusXPPro.com ip 216.24.138.135
MalwareDefender2009.com ip 211.95.73.189
WinPCDefender.net ip 216.24.138.135

This post has been edited by koolkat: Apr 21 2009, 11:15 AM
Post #4 (Apr 21 2009, 12:43 PM) - Forum Addict, Group: BC Advisor, Posts: 1,414, Joined: 6-July 08, From: South Garden, Member No.: 220,807
Outpost Firewall blocks access to these IP addresses.
Post #5 (Apr 22 2009, 06:04 PM) - Forum Regular, Group: Members, Posts: 193, Joined: 21-March 09, From: An unclean desk, Member No.: 311,039
QUOTE: hxxp:// regedintheclub.info

--------------------
Don't mind me, I'm just lurking.
Post #6 (Apr 23 2009, 08:05 PM) - Member, Group: Members, Posts: 94, Joined: 10-February 08, From: New England, USA, Member No.: 189,491
I have started working my way down the list. I am cutting and pasting these to my McAfee Firewall banned IP list. One I cannot get to add. It says it is not a valid IP address. Just the 1st from this line, 2nd added ok. I just noticed as I am typing this, is it because there are dashes between the numbers and not periods?

avsystemcare.com ip ptr-216-8-179-24.ptr.next.dimensioninc.com or 216.8.179.23

I know I should know this, but is an I.P. address always just numbers and periods? Also is there a minimum or maximum number of digits in an I.P. address??

Does anyone know where that Virut infection comes from? I would love to block that.

Thanks for the research and posting of these evil addresses!

Best Regards
Nawtheasta
Post #7 (Apr 24 2009, 01:59 AM) - Bleepin Elf, Group: Study Hall Admin, Posts: 2,324, Joined: 11-November 04, From: Missouri, USA, Member No.: 4,912
First I want to warn everyone to NOT visit any of these sites. I'll be disabling the links. In the future when pasting a list like this, it would be much more prudent to disable them like o_rly has done by changing the http to hxxp.

QUOTE: One I cannot get to add. It says it is not a valid IP address. Just the 1st from this line, 2nd added ok. I just noticed as I am typing this, is it because there are dashes between the numbers and not periods? avsystemcare.com ip ptr-216-8-179-24.ptr.next.dimensioninc.com or 216.8.179.23

That's because it isn't a valid IP. The one I colored blue is a Resolved Host Name, and the one in red is an actual IP. It's not because of the dashes, although that's part of it; it's the whole structure that's different. A good tool to research IPs and Hostnames is http://www.domaintools.com/

QUOTE: I know I should know this but is an I.P. address always just numbers and periods? Also is there a minimum or maximum number of digits in an I.P. address??

A valid IP will always be in the nnn.nnn.nnn.nnn format, where n = any digit from 0 through 9. So the maximum number of digits is 12: a maximum of 3 for every section of the whole. That's a rather simple explanation of a pretty complex system, but for clarity's sake, it should do. If you want to learn more about IPs, I'm sure google can shed some light on the more technical aspects of this.

QUOTE: Does anyone know where that Virut infection comes from? I would love to block that.

I would be very surprised if Virut came from a single IP/Range. You have to understand the differences between a domain pushing rogue applications and a file infector that can actually spread. Typically, Rogues do not spread. They infect by using social engineering tactics (in other words, by making you do what they want you to do) to make sure the program is initiated/executed. Most of those rogues require some type of interaction (most, not all) to 'install/infect' a computer. Their purpose is to trick the user into spending money to buy an application (scam). Virut is in a different category entirely.

Its purpose is to do as much damage as it can (whether intentional on the malware writer's part or not, that's what file infectors are really good at) and to attach/inject itself to as many executable files (exes, dlls, some types of archives like rars and zips and some html files among others) as it can find. Virut doesn't care about making you click here, or there. Most of the time, it will be silent, until the damage to the Operating System files is already irreversible. And it can actively search for new hosts to infect, without interaction.

While block lists are good to have, they can also be tedious to maintain, and are not, nor should they be expected to provide full protection. New malware pushing domains pop up by the thousands daily. A comprehensive block list is not something that is 'easily attainable'.

--------------------
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.' Phear teh ceiling cat, for he is roofkittehd! - Basement Cat
I'm a Bleeping Folder, are you? - Join BC in the fight against diseases
Become a BleepingComputer fan: Facebook
Post #8 (Apr 24 2009, 07:21 AM) - Forum Addict, Group: BC Advisor, Posts: 1,414, Joined: 6-July 08, From: South Garden, Member No.: 220,807
A valid IP address is made of four octets. All octets are written separated by a dot. Each octet can range from 0 to 255.

In general, an IP address can be of the form a.b.c.d, where a, b, c and d are the four octets and each can be from 0 to 255.
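The two replies above (a valid IPv4 address is four dot-separated octets, each 0 to 255; a string like ptr-216-8-179-24.ptr.next.dimensioninc.com is a resolved host name, not an address) are exactly the check a firewall's "banned IP" dialog applies when it rejects an entry. The script below is an added example, not code from the thread or from any firewall product: it validates IPv4 strings by that octet rule, parses entries written in the "name ip A.B.C.D or A.B.C.D" style of post #1, separates real addresses from PTR-style host names, and emits the two things a defender actually feeds into tooling: hosts-file lines that sink the names, and a deduplicated address list for an IP block rule. The sample entries are copied from the list in post #1 (constructed input for the demonstration); the function names and the 0.0.0.0 sink address are my own assumptions.

```python
"""Parse a "name ip A.B.C.D or A.B.C.D" block list, validate IPv4 strings and
emit hosts-file lines plus a deduplicated firewall address list.
Added example for this thread; not code from the forum or from any product."""
import re

# Constructed sample input: entries copied from the list in post #1, in the
# same loose format (defanged hxxp:// prefix, "ip", "or", a stray "ns").
SAMPLE_LIST = """\
hxxp://123urlaub.info ip 216.24.138.135
antivirus2009.com ip 82.165.245.27
avsystemcare.com ip ptr-216-8-179-24.ptr.next.dimensioninc.com or 216.8.179.23
hxxp://bs.serving-sys.com ip 12.129.210.76 or 12.129.210.71 or 216.24.138.135
malware-scan.com ip 64.40.103.249 ns 1.domainmanager.com or 209.59.194.20
"""

# Four groups of 1-3 decimal digits separated by dots; the range check is done
# separately because a regex alone happily accepts 999.999.999.999.
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_valid_ipv4(text):
    """True only for four dot-separated decimal octets, each 0 through 255."""
    m = IPV4_RE.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def strip_scheme(token):
    """Drop a defanged hxxp:// (or real http://) prefix and any path, keep the host name."""
    token = re.sub(r"^h(?:xx|tt)ps?://", "", token, flags=re.IGNORECASE)
    return token.split("/")[0]


def parse_block_list(text):
    """Return a list of (hostname, [valid_ips], [other_names]) tuples, one per line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tokens = line.split()
        name = strip_scheme(tokens[0]).lower()
        ips, names = [], []
        for tok in tokens[1:]:
            if tok.lower() in ("ip", "or", "ns"):   # connective words in the list format
                continue
            if is_valid_ipv4(tok):
                ips.append(tok)
            else:
                names.append(tok.lower())            # PTR / reverse names are not addresses
        entries.append((name, ips, names))
    return entries


def hosts_file_lines(entries, sink="0.0.0.0"):
    """One hosts-file line per blocked name, pointing it at a sink address (assumed 0.0.0.0)."""
    return [f"{sink} {name}" for name, _, _ in entries]


def firewall_ips(entries):
    """Deduplicated addresses for an IP block rule, sorted numerically by octet."""
    unique = {ip for _, ips, _ in entries for ip in ips}
    return sorted(unique, key=lambda s: tuple(int(o) for o in s.split(".")))


if __name__ == "__main__":
    parsed = parse_block_list(SAMPLE_LIST)
    for host, ips, names in parsed:
        print(f"{host}: addresses={ips} host-names-only={names}")
    print("\n".join(hosts_file_lines(parsed)))
    print(firewall_ips(parsed))
```

Running it shows why the McAfee dialog rejected the first token of the avsystemcare.com line: `is_valid_ipv4` returns False for the ptr-... string and True for 216.8.179.23, so only the latter lands in `firewall_ips`, while the host name itself goes into the hosts-file output. The octet range check matters: "216.8.179.23" has fewer than 12 digits and is still valid, and a 12-digit string such as 999.999.999.999 is not.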
Post #9 (Apr 24 2009, 10:16 AM) - Member, Group: Banned, Posts: 71, Joined: 12-April 09, Member No.: 320,113
@Galadriel well I am sorry to post the http:// links
not even think about visiting these sites !).

@Nawtheasta The actual IP for avsystemcare.com is 216.8.179.23 unless they have a new IP now, or are using a proxy, or static IP. If your firewall allows it, type just the host name avsystemcare.com & your firewall should look up & block the IP. You could try this with Virut, but I have to agree with Galadriel, I don't think Virut is being pushed through a domain like Rogue-AV-Ware. As Galadriel just explained, Rogue-AV-Ware is designed to hold your computer at Ransom so they can get you to pay them to undo it, which is a lie; they just take your money and leave you with an infected computer. Virut is a whole different bug that plain simply wants to destroy your computer !! Ransom & money is not Virut's goal.

@o_rly

This post has been edited by koolkat: Apr 24 2009, 10:48 AM
Post #10 (Apr 24 2009, 11:24 AM) - Member, Group: Members, Posts: 94, Joined: 10-February 08, From: New England, USA, Member No.: 189,491
Thanks to all who have answered my questions. This is why Bleepingcomputer is so great. Those with the knowledge share with us who do not in a respectful way.

I do understand the difference between pure virus authors, who for their own twisted reason want to poison the pond for everybody, and the rogueware people that are really just criminals out to make a buck. A curse on both their houses!! Just imagine how the internet would explode if viruses and other forms of malware could be defeated once and for all!

Octets, now that's a new word for me. Always something new to learn! Thanks for the explanation on I.P. Structure. Since my experience with malware in early 2008 I try to stay far away from typing anything remotely associated with a bad site. As long as it is ok to do I will just cut and paste the IP addresses from the listing to my banned I.P. list.

In regards to Virut. Well it was just a thought about blocking. Is this virus, if that is what it is, in some sort of form that anti virus programs can guard against? I wonder if whoever came up with this has their own defense so that their system would not be infected.

Again, My thanks to all in the Bleepingcomputer community!

Best Regards
Nawtheasta
Post #11 (Apr 25 2009, 11:36 PM) - Indecisive Lurker, Group: Members, Posts: 1,238, Joined: 14-February 08, From: A galaxy far, far away..., Member No.: 190,231
QUOTE: This is why Bleepingcomputer is so great. Those with the knowledge share with us who do not in a respectful way.

It's basically the same reason why I come here as well. It's full of knowledgeable people as well as a great deal of information. Another thing is that it comes out in a respectful way as well.

QUOTE: Well it was just a thought about blocking. Is this virus, if that is what it is, in some sort of form that anti virus programs can guard against?

This, I wouldn't know since I'm not really a part of a security specialistic...something...(wow random words are now coming out of my mouth). In Layman's terms, I'm not sure. I want to assume yes; but at the same time, I want to say no since, from the sounds of it, it's unstable and can misinfect or something along those lines. Whether or not that can affect how Virut infects .exe files is another issue that I'm not sure of. I'd better shut up.

This post has been edited by scff249: Apr 25 2009, 11:37 PM

--------------------
Posting lurker of bleepingcomputer.com
Because I post more than I lurk
Post #12 (Apr 26 2009, 08:18 PM) - I know the drill!, Group: HJT Team, Posts: 6,261, Joined: 24-July 08, From: London, Member No.: 224,929
QUOTE: hxxp:// regedintheclub.info

QUOTE: @o_rly

I think o_rly was just liking that particular URL name rather than laughing at a random hxxp prefix from the list.

--------------------
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks
Post #13 (May 22 2009, 01:55 AM) - Member, Group: Banned, Posts: 71, Joined: 12-April 09, Member No.: 320,113
Malicious Sites Block these sites:

66.220.17.154
85.25.120.145
216.24.138.135
217.73.66.16
hxxp://123urlaub.info ip 216.24.138.135
Angsecuritycenter.info or hxxp://online.antivirusscan1.info ip 208.43.47.213
antimalwareguard.com ip 216.24.138.135
antispyexpert.com ip 216.24.138.135
antivirus2009.com ip 82.165.245.27 or ip 217.73.66.16
Anti-VirusNumber1.com ip 216.24.138.135
AntivirusXPPro.com ip 216.24.138.135
avsystemcare.com ip 216.8.179.23
hxxp://best-click-scanner.info ip 216.24.138.135
hxxp://bestvirusremover2009.com/ ip 216.24.138.135
hxxp://bs.serving-sys.com ip 12.129.210.76 or 12.129.210.71 or 216.24.138.135
call-kelly.com ip 216.155.138.228
hxxp://click-my-scanner.info ip 216.24.138.135
clicksor.com ip 66.48.81.155
Coolwebsearch.com ip 66.250.74.150
Coolwebsearch.net ip 69.46.228.189
Coolwebsearch.org 77.232.68.11
crackle.com ip 12.129.210.76 or 208.78.224.202
edebiyatogretmeni.net ip 85.25.120.83
hxxp://emediate.eu ip 216.24.138.135
hxxp://get.virusscanneronline.info/21/bWUwQzE0eDBDMTQ3OWl3MUFORw== ip 216.24.138.135
gomyhit.com ip 216.24.138.135
greenantivirus2009.com ip 70.38.73.28
imageservr.com ip 208.73.210.121
infolinks.com ip 194.90.11.196
insightexpressai.com ip 209.244.156.19
interclick.com ip " 216.52.167.80 ?" or 216.24.138.135
kaaza.com ip 12.129.210.76 or 66.226.75.118
live365.com ip 216.235.95.145
MalwareDefender2009.com ip 211.95.73.189
malware-scan.com ip 64.40.103.249 or 209.59.194.20
malwarealarm.com ip 74.54.82.209
hxxp://www.maxmind.com//GeoIP.dat.gz ip 216.24.138.135
hxxp://www.mobularity.net ip 74.86.46.8
noadware.com ip 216.40.230.4
Noadware.net ip 69.20.104.139
onerateId.com ip 216.24.138.135
hxxp://onlinescannerav1.info ip 216.24.138.135
powerfulvirusremover2008.com ip 216.24.138.135
hxxp://regedintheclub.info ip 216.24.138.135
hxxp://run.av-best.info ip 209.59.194.20 or 216.24.138.135
hxxp://s1.on-line-virus-scanner.info ip 208.43.47.213
hxxp://safetydownload.com ip 216.24.138.135
hxxp://scanner.av-best.info/scan.php?campaign=mmb_7853320802&landid=4 ip 216.24.138.135
securityclick.net ip 216.24.138.135
hxxp://serving-sys.com ip 216.24.138.135
sevdayeri.net ip 85.25.120.145
spywareguardpro.com ip 216.24.138.135
spywareprotect2009.com ip 204.13.161.102
hxxp://spywarestormer.com ip 216.24.138.135
hxxp://statsreportserver.com ip 216.24.138.135
svinushka.net ip 216.24.138.135
hxxp://tds.best-click-go.info ip 216.24.138.135
hxxp://tds.checkclick-1.info ip 216.24.138.135
hxxp://tlal.exelator.net ip 8.19.18.81 or 209.190.74.70
hxxp://trafficconverter.biz ip 216.24.138.135
hxxp://www.traffz.com/stats.php?p=megaclickdsmu ip 72.20.122.66
hxxp://trustedantivirus.com ip 216.24.138.135
Vegatradingltd.com ip 70.38.73.28
virusdoctor.com ip 208.87.33.150
virusdoctor.net ip 66.116.109.44
virusranger.com ip 216.86.155.41
virusremover2008.com ip 216.24.138.135
virusremover2008flash.com ip 216.24.138.135
virusremover2009.com ip 69.46.228.182
virusrescue.com ip 82.98.86.175
virusschlacht.com ip 216.24.138.135
hxxp://websecurityexamine.com/scan/index2.php?affid=02100 ip 216.24.138.135
WinPCDefender.net ip 216.24.138.135
zango.com ip 64.94.137.72

all http's have been changed to hxxp

This post has been edited by koolkat: May 22 2009, 08:38 AM
Post #14 (May 22 2009, 07:24 AM) - Bleepin' Janitor, Group: Global Moderator, Posts: 18,040, Joined: 9-July 05, From: Virginia, USA, Member No.: 26,513
To expand further on Galadriel's noteworthy reply.
Virus writers and attackers use various methods and techniques to spread malware. A large number of infections are contracted and spread via Internet Relay Chat, by visiting gaming sites, porn sites, using pirated software, cracking tools, and keygens.

QUOTE: ...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV

Infections also spread by using peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

The infection also spreads through emails containing links to websites that exploit your web browser's security holes and by exploiting a vulnerability in older versions of Sun Java. When you click on an infected email link or spam, Internet Explorer launches a site that stealthily installs a Trojan so that it can run every time you start up Windows and download more malicious files.

Rogue security programs infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware and is often seen with a Vundo infection.

Vundo is a Trojan that infects a system with malicious Browser Helper Objects and .dll (Dynamic Link Library) modules attached to system files like Winlogon and Explorer.exe. The infection is responsible for launching unwanted pop ups, advertising for rogue antispyware programs, and downloading more malicious files which hampers system performance. Newer variants of Vundo typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The messages can mimic system messages so they appear as if they are generated by the Windows Operating System. The problem with these types of infections is that they can download other malicious files, so the extent of the infection can vary to include backdoor Trojans and rootkit components which make it more difficult to remove. For more detail on how these types of rogue programs and infections install themselves, read:

Other types of infections spread by downloading malicious applets or by visiting legitimate web sites that have been compromised through various hacking techniques used to host and deliver malware via malicious code, automated SQL Injection and exploitation of browser/operating system vulnerabilities.

QUOTE: ...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.
One webpage gets infected by virus every 5 seconds

--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"
Microsoft MVP - Windows Security 2007-2009
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Post #15 (May 22 2009, 08:07 AM) - Member, Group: Banned, Posts: 71, Joined: 12-April 09, Member No.: 320,113
Just say No to all Malware !

This post has been edited by koolkat: May 22 2009, 08:19 AM