Wednesday, March 05, 2008

Rogue RBN Software Pushed Through Blackhat SEO

Dancho Danchev:

This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example, for instance, we had a second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201; however, what Keep It Simple, Stupid really means in this case is that the next IP in their netblock, 89.149.243.202, is currently getting injected at many other sites as well.

The difference between the previous campaign and this one is that the previous one was targeting just two high page-ranked sites, while in the second one the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same: both campaigns continue pushing the rogue XP AntiVirus.

More here.
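The campaign described above works by injecting an invisible IFRAME into cached search pages, with the IFRAME source pointing at a host in the 89.149.243.x range. The following is an added example, not code from the original post or from Dancho Danchev's analysis, showing the kind of check an analyst can run over fetched HTML: collect every IFRAME, flag the ones styled to be invisible, resolve the source host, and test the resulting address against a suspect netblock. The two IPs come from the post; treating the whole 89.149.243.0/24 as suspect is an assumption for the example, as is the hostname-to-IP table that stands in for DNS so the script runs offline.

```python
import ipaddress
import re
from html.parser import HTMLParser

# 89.149.243.201 and .202 are named in the post; widening that to the
# whole /24 is an assumption made for this example.
SUSPECT_NETBLOCKS = [ipaddress.ip_network("89.149.243.0/24")]

# Constructed hostname -> IP table used instead of live DNS (offline example).
FAKE_DNS = {
    "cdn.example-injected.test": "89.149.243.202",
    "ads.example-benign.test": "203.0.113.10",
}


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristics for an IFRAME the visitor is not meant to see."""

    def tiny(value):
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= 1

    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        tiny(attrs.get("width", "x"))
        or tiny(attrs.get("height", "x"))
        or "display:none" in style
        or "visibility:hidden" in style
    )


def host_of(src):
    """Return the host part of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", src.strip(), re.I)
    return m.group(1).lower() if m else None


def resolve(host, dns=FAKE_DNS):
    """Literal IPs pass through; names are looked up in the constructed table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return dns.get(host)


def in_suspect_netblock(ip):
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETBLOCKS)


def scan_html(html, dns=FAKE_DNS):
    """One finding per IFRAME: src, resolved ip, hidden flag, netblock hit."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = host_of(src)
        ip = resolve(host, dns) if host else None
        findings.append({
            "src": src,
            "ip": ip,
            "hidden": is_hidden(attrs),
            "suspect": in_suspect_netblock(ip),
        })
    return findings


def flagged(html, dns=FAKE_DNS):
    """Only the IFRAMEs worth a second look: hidden, or pointing into the netblock."""
    return [f for f in scan_html(html, dns) if f["suspect"] or f["hidden"]]


# Constructed sample of a cached search page with two injected IFRAMEs
# and one ordinary banner IFRAME; not captured from any real site.
SAMPLE_CACHED_PAGE = """
<html><body>
<h1>Search results for "free antivirus"</h1>
<iframe src="http://89.149.243.201/index.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://cdn.example-injected.test/counter.php" style="display: none"></iframe>
<iframe src="http://ads.example-benign.test/banner" width="468" height="60"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in flagged(SAMPLE_CACHED_PAGE):
        print(f"{f['src']} -> {f['ip']} hidden={f['hidden']} suspect={f['suspect']}")
```

The hidden-IFRAME heuristic and the netblock check are kept separate on purpose: a 0x0 frame on an unknown host is still worth recording, and a visible frame that resolves into a known-bad range is the pivot the post describes (the next address in the block lighting up).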

Note: Okay, the time has come to start naming names, apparently.

netdirekt e.K. - a hosting provider based in Frankfurt, Germany - has (perhaps unwittingly) been a hosting provider for RBN activities for well over a year. So have Layered Technologies, Inc. (based in Plano, Texas), InterCage, Inc. (Concord, California), and SoftLayer Technologies, Inc. (Dallas, Texas). Each of these has long been known to be an operational deployment platform for RBN-related activities.

And yes, each of them has been contacted through formal channels to inform them of these activities, to no avail.

Isn't it time for these companies to be called to task for continuing to turn a blind eye to criminal activities hosted in their networks? -ferg

2 Comments:

At Thu Mar 06, 08:18:00 AM PST, Anonymous said...

Hello,
I am the abuse admin for Softlayer and can assure you that we take every abuse report seriously.

With that said, the following comment isn't accurate when it pertains to our network.

-------------------------
And yes, each of them has been contacted through formal channels to inform them of these activities, to no avail.
-------------------------

In the past, when we have encountered issues with RBN, we acted immediately, hard-disconnecting infected equipment so it could be scanned offline.

I take it you pulled our name from the article you referenced. In this case, the first two domains/accounts are suspended and the third isn't on our network. It's on GoDaddy's now.

hotantivirus.info - 74.86.81.80
easyantivirus.info - 74.86.81.80
a2zantivirus.com - OLD: 74.86.81.80, NEW: 68.178.232.100

While I'm not looking for any kind of retraction, of course, how about making another comment based on your last comment and the facts above?

Thank you.

At Thu Mar 06, 09:41:00 AM PST, Fergie said...

Hello "abuse admin for Softlayer",

Thanks for the follow-up. I have sent several abuse reports over the course of the past year, and it is nice to see that you are finally acting upon this situation.

We'll keep an eye open and continue to report any subsequent suspicious or overtly criminal activity through the abuse contact(s).

- ferg

