Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 14 October 2009

Crimeware-friendly ISPs: Netelligent

Netelligent have been around the block a few times, and are no strangers when it comes to malicious activity within their networks. Their network has been found to be involved in everything from exploits to rogues, blackhat SEO, and everything else besides.

Alas, someone from Netelligent recently dropped by the Malwarebytes forums, professing their innocence (their last post was September 21st). Now, to be fair, it's possible they're waiting for me to post the URLs to the thread as I mentioned, but given the nature of the URLs, the amount of them, and most importantly the fact that the Malwarebytes support forums are for Malwarebytes and not to be used as an ISP's drop desk, I felt it best to e-mail the list to them instead, and just like NetDirekt, I have had no response from them.

However, the problem we've got with Netelligent is the fact that we're seeing a slew of malicious domains popping up on their network with a frequency that assures me they're doing absolutely nothing as far as prevention goes. Waiting for a post on a forum, or a domain in a blacklist, before they do anything is like waiting 5 hours for a bus to take you 5 minutes up the road - it's madness!

Anthony over at MalwareURL sent me the following a few minutes ago, which shows quite a few malicious domains on one of the Netelligent ranges:

http://www.malwareurl.com/search.php?domain=&s=209.44.114.&match=0&rp=50&urls=on&redirs=on&ip=on&reverse=on&as=on

And the above isn't all of them either; there are likely more in the MalwareDomainList, Clean-MX, hpHosts and other databases (I know there have been a ton of them in hpHosts for ages now), and likely even more that haven't been identified yet.

You'd have thought that an ISP such as Netelligent would have facilities in place to identify such activity within the network logs, even if they don't have it at the server level (and a note to the ISPs - we're not buying the "we don't have access to our customers' servers" excuse; they're your networks, your servers - YOUR RESPONSIBILITY!!!). If we can find it this easily, they should find it a piece of cake.

Important note: Malicious sites have a tendency to sometimes only last for 12-24 hours, so we never expect all of them to be alive by the time the reports are looked at.
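To show what "identify such activity within the network logs" can look like from the ISP side, here is an added example (not hpHosts', MalwareURL's or Netelligent's code). It cross-references a hosts-file-style blocklist (the hpHosts format, "127.0.0.1 domain") with resolver log lines for the 209.44.114.0/24 range mentioned above. The log line format, the domain names and the IP addresses are constructed for the example; a real resolver log will need its own regex. Because it works from logged resolutions rather than live probes, it still reports domains that were only up for 12-24 hours.

```python
"""Added example: cross-reference resolver logs against a hosts-style blocklist
for one netblock. Not the tooling of hpHosts or MalwareURL; the log format and
all domain names below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed hpHosts-style blocklist (hosts file format: "127.0.0.1 domain").
BLOCKLIST_TEXT = """\
# sample blocklist (constructed)
127.0.0.1 rogue-scanner.example
127.0.0.1 fake-av-update.example
127.0.0.1 seo-redirect.example
"""

# Constructed resolver log: timestamp, "query", name, record type, answer.
# The last line is deliberately malformed to show that it is skipped.
RESOLVER_LOG = """\
2009-10-14T09:01:12 query rogue-scanner.example A 209.44.114.10
2009-10-14T09:02:40 query fake-av-update.example A 209.44.114.10
2009-10-14T09:03:05 query news.example A 198.51.100.7
2009-10-14T09:05:51 query freshly-registered.example A 209.44.114.22
2009-10-14T09:06:13 query seo-redirect.example A 209.44.114.22
2009-10-14T09:07:30 query broken line here
"""

# Assumed log layout; adjust for the real resolver's output.
LOG_RE = re.compile(r"^(\S+) query (\S+) A (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_blocklist(text):
    """Return the set of domains in a hosts-file blocklist, ignoring comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            domains.add(parts[1].lower())
    return domains


def parse_resolver_log(text):
    """Yield (timestamp, domain, ip) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def domains_in_netblock(log_text, netblock, blocklist):
    """Map each IP inside netblock to the domains that resolved to it,
    split into already-blocklisted and not-yet-listed names."""
    net = ipaddress.ip_network(netblock)
    hits = defaultdict(lambda: {"listed": set(), "unlisted": set()})
    for _ts, domain, ip in parse_resolver_log(log_text):
        if ipaddress.ip_address(ip) in net:
            bucket = "listed" if domain in blocklist else "unlisted"
            hits[ip][bucket].add(domain)
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in hits.items()}


def suspicious_ips(hits, min_listed=1):
    """IPs already hosting at least min_listed blocklisted domains; the
    unlisted names sharing those IPs are the first candidates for review."""
    return sorted(ip for ip, d in hits.items() if len(d["listed"]) >= min_listed)


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    report = domains_in_netblock(RESOLVER_LOG, "209.44.114.0/24", bl)
    for ip in suspicious_ips(report):
        print(ip, "listed:", report[ip]["listed"], "unlisted:", report[ip]["unlisted"])
```

The point of the listed/unlisted split is the one the post makes: once an address in the range is already known for blocklisted domains, every other name resolving to it is worth a look before it turns up in somebody else's blacklist.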

References:

S!Ri.URZ - System Tuner
http://siri-urz.blogspot.com/2009/07/system-tuner.html

A Diverse Portfolio of Fake Security Software - Part Twenty One
http://ddanchev.blogspot.com/2009/06/diverse-portfolio-of-fake-security.html

GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime
http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html

A Diverse Portfolio of Fake Security Software - Part Twenty
http://ddanchev.blogspot.com/2009/05/diverse-portfolio-of-fake-security.html

Google poisoning, IST, rogues and 250+ reasons to avoid 209.44.* ......
http://hphosts.blogspot.com/2009/05/google-poisoning-ist-rogues-and-250.html

Live.com poisoning - Gumblar/Martuz isn't the only infection around .....
http://hphosts.blogspot.com/2009/05/livecom-poisoning-gumblarmartuz-isnt.html

Black Hat SEO and Rogue Antivirus p.4
http://malware-web-threats.blogspot.com/2009/04/black-hat-seo-and-rogue-antivirus-p4.html

1 comment:

Unknown said...

Thanks for writing this up, it's very useful information.