A small fragment of Rove Digital (and others)

Just in case I forget.

inetnum:        213.155.22.192 - 213.155.22.199
netname:        singhajeet3
descr:          singhajeet3 - Singh Ajeet
country:        UA
admin-c:        SA5766-RIPE
tech-c:         SA5766-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

person:         Singh Ajeet
address:        34203, Florida, United States, Bradenton, 1901 60th Place E. Suite L4257
abuse-mailbox:  abuse@hosting.ua
phone:          +380487281518
nic-hdl:        SA5766-RIPE
source:         RIPE # Filtered

% Information related to '213.155.0.0/19AS41665'

route:          213.155.0.0/19
descr:          Datacenter Hosting.UA
origin:         AS41665
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered
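The records above are plain RIPE whois objects, and the point of quoting both the `inetnum` and the `route` object is that they share a maintainer and the small range sits inside the announced /19. The following is an added example (not from the original post) that parses this whois text, collapses the `inetnum` range into CIDR blocks, and checks which `route` prefixes cover it; it also checks the range against a constructed, hypothetical list of blocklisted prefixes, which is the same containment test one would run when checking whether a listing already covers a range. The whois text is the one quoted in the post; the blocklist sample is made up for the example.

```python
import ipaddress

# The three RIPE objects quoted in the post, as one whois response (constructed sample input).
WHOIS_TEXT = """\
inetnum:        213.155.22.192 - 213.155.22.199
netname:        singhajeet3
descr:          singhajeet3 - Singh Ajeet
country:        UA
admin-c:        SA5766-RIPE
tech-c:         SA5766-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

person:         Singh Ajeet
address:        34203, Florida, United States, Bradenton, 1901 60th Place E. Suite L4257
abuse-mailbox:  abuse@hosting.ua
phone:          +380487281518
nic-hdl:        SA5766-RIPE
source:         RIPE # Filtered

% Information related to '213.155.0.0/19AS41665'

route:          213.155.0.0/19
descr:          Datacenter Hosting.UA
origin:         AS41665
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered
"""

# Hypothetical listing used only to demonstrate the containment check (not a real listing).
SAMPLE_LISTING = ["213.155.0.0/19", "198.51.100.0/24"]


def parse_objects(text):
    """Split RIPE whois output into objects, each a dict of attribute -> list of values.
    '%' comment lines are skipped, blank lines separate objects, and trailing
    '# Filtered' style remarks are dropped from values."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects


def inetnum_networks(obj):
    """Turn an 'a.b.c.d - e.f.g.h' inetnum into the minimal list of CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def covered_by(obj, prefixes):
    """Return the CIDR prefixes (strings) that fully contain the object's inetnum range."""
    nets = inetnum_networks(obj)
    return [p for p in prefixes
            if all(n.subnet_of(ipaddress.ip_network(p)) for n in nets)]


def route_coverage(objects):
    """Map each inetnum range to the (prefix, origin AS) route objects covering it."""
    routes = {o["route"][0]: o.get("origin", ["?"])[0] for o in objects if "route" in o}
    return {o["inetnum"][0]: [(p, routes[p]) for p in covered_by(o, routes)]
            for o in objects if "inetnum" in o}


def maintainers(objects):
    """Group object types by their mnt-by value, to see which records share a maintainer."""
    by_mnt = {}
    for o in objects:
        kind = next(iter(o))  # first attribute names the object class (inetnum, person, route)
        for mnt in o.get("mnt-by", []):
            by_mnt.setdefault(mnt, set()).add(kind)
    return by_mnt


if __name__ == "__main__":
    objs = parse_objects(WHOIS_TEXT)
    print(route_coverage(objs))
    print(maintainers(objs))
    for o in objs:
        if "inetnum" in o:
            print(o["inetnum"][0], "listed under", covered_by(o, SAMPLE_LISTING))
```

Running it shows the /29 is covered by the /19 route announced from AS41665 and that the `inetnum` and `route` objects share `MNT-HOSTINGUA`; the same `covered_by` call is what answers "is this range already inside a listed prefix" for any list of CIDRs you feed it.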

I’ll probably forget the connection, so here is the short version:

A tweet from one of the good guys I’m following:
Details about the MediaTemple security issues (injected spam and .htaccess redirects) http://bit.ly/4POUnQ and http://bit.ly/7o1oyA
[https://twitter.com/unmaskparasites/statuses/6141708994]

And somehow I ended up at redbuszoen. com via you-search. in.
Probably some kind of dynamic, now I end up at cyber-shop. net at 88.208.21.144, advancedhosters.com. Russians in the Netherlands. Shitty place that too.

That’s probably all, sorry for that.

If you want a little bit more, spamhaus is the usual reliable source:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8751
But they forgot to list 213.155.22.192 – 213.155.22.199.
Or the whole freaking 213.155.0.0/19.
More evil stuff in there. Like the skiddie forum at evilzone.org (forum.evilzone.org).

But then the whole .UA space should be nuked.
Much safer internet without it.
I’m beginning to have the same thoughts about .NL too.

(And I am now on day 13 in my career as a non-smoker. This is probably what hell will be when that time comes. Now I am prepared for it)

Update a bit later
When following the link from cyber-shop. net, I ended up downloading scareware from securitytoolsediting. net.
Virustotal tells me that 11 out of 40 vendors recognize the file install.exe.
The different names given contain “FakeAlert”, “RogueSecurity”, “Krap”.

securitytoolsediting. net appears to live at 194.60.205.20, “Baltic Center of Innovations TechPromInvest LTD”.
Probably a shitty place too. A quick google search seems to agree with me.

Posted in malware, bots, RBN.