Monday, February 18, 2008

Geolocating Malicious ISPs

Here are some of the ISPs knowingly or unknowingly providing infrastructure to the RBN and the New Media Malware Gang, a customer of the RBN or RBN's actual operational department. To clarify even further, these are what can be defined as malicious ecosystems that actually interact with each other quite often.

- Ukrtelegroup Ltd
85.255.112.0 - 85.255.127.255
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
UKRAINE
phone: +380487311011
fax-no: +380487502499

- Turkey Abdallah Internet Hizmetleri
TurkTelekom
88.255.0.0/16 - 88.255.0.0/17



- Hong Kong Hostfresh
58.65.232.0 - 58.65.239.255
Hong Kong Hostfresh
No. 500, Post Office,
Tuen Mun, N.T,
Hong Kong
phone: +852-35979788
fax-no: +852-24522539

These are not just some of the major malware hosting and C&C providers, their infrastructure is also appearing on each and every high-profile malware embedded attack assessment that I conduct. And since all of these are malicious, the question is which one is the most malicious one? Let's say certain netblocks at TurkTelecom are competing with certain netblocks at UkrTeleGroup Ltd, however, the emphasis shouldn't be on the volukme of malicious activities, but mostly regarding the ones related to the RBN, and the majority of high-profile malware embedded attacks during 2007, and early 2008.