[nsp-sec] Heads up AS49365|Group Vertical Ltd - 91.212.220.0/24
Shelton, Steve
sshelton at Cogentco.com
Thu Nov 5 09:38:31 EST 2009
All,
Just a heads up here, we [AS174] found ourselves in the AS path for
AS49365 | Group Vertical Ltd - 91.212.220.0/24 and appeared to translate
to a ton of ugly and looked to be facilitating cybercrime as its
primary function.
91.212.220.0/24
- 10-12 Zeus|Zbot engines [MW, dropzones etc.]
Host                A record        Status  Files  SBL         Level  Date added (UTC)     Last checked (UTC)   Last updated (UTC)
91.212.220.119      91.212.220.119  online  0      Not listed  4      2009-10-30 19:25:41  2009-11-04 12:53:48  never
91.212.220.229      91.212.220.229  online  2      Not listed  4      2009-10-25 15:40:34  2009-11-04 13:11:42  2009-10-30 13:16:39
91.212.220.162      91.212.220.162  online  2      Not listed  4      2009-10-18 10:45:43  2009-11-04 13:33:24  2009-10-30 13:40:16
duffimail.info      91.212.220.145  online  0      Not listed  4      2009-10-06 21:05:24  2009-11-04 14:09:06  2009-11-01 00:14:23
formulatedform.com  91.212.220.55   online  0      Not listed  4      2009-09-30 06:17:53  2009-11-04 14:34:02  2009-10-30 14:55:22
91.212.220.118      91.212.220.118  online  0      Not listed  4      2009-09-16 18:23:24  2009-11-04 15:30:05  2009-10-30 15:45:54
freedom3.cn         91.212.220.118  online  0      Not listed  4      2009-09-07 18:16:48  2009-11-03 23:19:02  2009-10-30 00:47:33
kilibinchek.cn      91.212.220.118  online  0      Not listed  4      2009-09-01 11:55:43  2009-11-04 00:22:43  2009-11-04 00:22:43
91.212.220.2        91.212.220.2    online  0      Not listed  4      2009-08-27 06:42:37  2009-11-04 00:33:14  2009-10-30 01:54:45
woocasino.com       91.212.220.120  online  0      Not listed  4      2009-08-26 19:36:12  2009-11-04 00:34:50  2009-11-03 11:01:11
tertechet-vings.net 91.212.220.118  online  0      Not listed  4      2009-08-09 19:31:18  2009-11-04 01:04:32  2009-10-30 02:12:50
kerchon.com         91.212.220.105  online  0      Not listed  4      2009-05-06 17:24:17  2009-11-04 04:20:58  2009-11-03 14:45:08
Example:
2009/11/04_10:04 | 91.212.220.229/vrd/cf1.bin 91-212-220-229.ptrzonez.com. zeus/wsnpoem v2 config file - 49365
Additional malware references [public] can be observed at the following
URL:
http://www.malwareurl.com/search.php?domain=&s=91.212.220.&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on
As of late, the prefix and ASN appear to be gone which apparently
occurred once I alerted our customer yesterday after a good bit of time
validating and poking the critters.
Just an FYI to all to keep an eye out for the ASN and prefix.
Steve Shelton
Security Engineer
Cogent Communications
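A defender-side check of the kind an operator would run after a heads-up like this one, added here as an example and not part of Steve's post: it takes the prefix and the hostnames from the tracker listing above as indicators, walks proxy-style log lines, and reports which internal sources talked to them so they can be triaged. The log format, the LOG_RE parser, the Hit record and the sample log lines are all constructed for illustration; the ".bin" heuristic mirrors the cf1.bin config fetch shown in the post's example.

```python
"""Flag log lines that touch 91.212.220.0/24 or the Zeus hosts listed in the
post. Added example, not code from the original message. The log format and
the SAMPLE_LOG lines are constructed; only the indicators come from the post."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the post: the announced prefix and the tracker hostnames.
BAD_PREFIX = ipaddress.ip_network("91.212.220.0/24")
BAD_HOSTS = {
    "duffimail.info", "formulatedform.com", "freedom3.cn", "kilibinchek.cn",
    "woocasino.com", "tertechet-vings.net", "kerchon.com",
    "91-212-220-229.ptrzonez.com",
}

# Constructed (hypothetical) proxy log format: "<ts> <src_ip> -> <dst_ip> <host> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<host>\S+) (?P<uri>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    host: str
    uri: str
    reasons: tuple


def classify(line):
    """Return a Hit if the line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line; count these separately in real use
    dst = m["dst"]
    host = m["host"].rstrip(".").lower()  # strip trailing dot from FQDN form
    reasons = []
    try:
        if ipaddress.ip_address(dst) in BAD_PREFIX:
            reasons.append("dst in 91.212.220.0/24")
    except ValueError:
        pass  # dst field was not an IP literal; fall through to the host check
    if host in BAD_HOSTS:
        reasons.append("host on tracker list")
    # The post's example shows a Zeus config pulled as .../vrd/cf1.bin, so a
    # .bin fetch from a flagged destination is worth calling out explicitly.
    if reasons and m["uri"].lower().endswith(".bin"):
        reasons.append("binary fetch (possible Zeus config)")
    if not reasons:
        return None
    return Hit(m["ts"], m["src"], dst, host, m["uri"], tuple(reasons))


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [h for h in (classify(l) for l in lines) if h is not None]


def infected_sources(hits):
    """Sorted list of internal source IPs that need triage."""
    return sorted({h.src for h in hits})


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2009-11-04T10:04:11Z 10.0.5.23 -> 91.212.220.229 91-212-220-229.ptrzonez.com. /vrd/cf1.bin",
    "2009-11-04T10:05:02Z 10.0.5.23 -> 198.51.100.7 www.example.com /index.html",
    "2009-11-04T10:07:40Z 10.0.8.9 -> 91.212.220.118 kilibinchek.cn /gate.php",
    "2009-11-04T10:09:13Z 10.0.2.44 -> 203.0.113.10 freedom3.cn /",
    "garbage line that will not parse",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst} ({h.host}{h.uri}): {'; '.join(h.reasons)}")
    print("sources to triage:", infected_sources(found))
```

The fourth sample line shows why the hostname list matters on its own: a name from the listing that now resolves outside the prefix still gets flagged, which is the case Steve describes once the prefix disappeared from the table.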