The result of building extra confidence into your malicious hosting provider's ability to remain online, is a scammy ecosystem that's constantly jumping from one netblock to another, whose very latest exploit URLs and rogue security software nexto to the codecs served, always represent a decent sample of malicious activities to analyze.
UkrTeleGroup Ltd (188.8.131.52-184.108.40.206 UkrTeleGroup UkrTeleGroup Ltd. 27595 ASN ATRIVO), a personal favorite due to its historical connection with the Russian Business Network, and hosting provider for a countless of number of injected and malware embedded campaigns during the last two years, is still keeping it as lazy as possible, a laziness allowing you to easily expose a great deal of the malicious activities going on there, and establish the connections between the hosting provider, its current and historical customers.
Take microsoftcodecs.com (220.127.116.11) for instance, and avxp08.com where it redirects the user into yet another rogue security software. avxp08.com is responding to 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52, and to UkrTeleGroup Ltd's 184.108.40.206.
Each of these IPs are also being shared by other rogue software and fake codecs simultaneously :
It gets even more UkrTeleGroup Ltd related upon the malware (Trojan:Win32/Tibs.HK) served at the avxp08.com gets sandboxed. The malware phones back home stat.avxp08 .com (220.127.116.11) announcing the successful infection winifixer .com/log2.php?affid=980382bdb4e7b779ff6308b0b706571c&uid=06f80eaf-94d7-4b8b-9cf0-5c6f75d2c69f&tm=1211198022 (18.104.22.168), and the scammy ecosystem continues using the same hosting provider. The rest of the rogue tools are also using the same subdomain structure, and IP, stat.antivirusxp2008 .com (22.214.171.124), stat.antivirxp08 .com (126.96.36.199), stat.antivirusxp08 .com (188.8.131.52) in order to phone back home.
Now that it's becoming clear who's providing the hosting infrastructure, it's perhaps also worth pointing out who's using the hosting infrastructure to serve rogue security software and fake codecs on the basis of participating in an affiliate program? A great number of domains used by the rogue security software are registered by email@example.com behind which is supposedly Mishakov Viktor Ivanovich firstname.lastname@example.org, and ironically tobesoftware.com is again hosting within UkrTeleGroup (184.108.40.206). The personal efforts into the number of the typosquatted domains and the persistence applied when registered and spamming them across the web, is the result of the incentives provided to them by the affiliate program they participate in.