Posted by: realsecurity | December 15, 2008

Sources of Badness – ZlKon

After a weekend hiatus, I’m back with the next host of interest – ZlKon.

role:           ZlKon HostMaster
address:        Lilijas iela 4-74
address:        Riga, LV-1055
address:        Latvija
phone:          +371 26330593
e-mail:         hostmaster@zlkon.lv
admin-c:        AD5952-RIPE
tech-c:         AD5952-RIPE
nic-hdl:        ZK508-RIPE
mnt-by:         ZLKON-MNT
changed:        hostmaster@zlkon.lv 20081125
source:         RIPE
abuse-mailbox:  abuse@zlkon.lv

Based in Latvia, Zlkon seems to have a high ratio of bad IPs to its small
address space. A customer of the larger DATORU EXPRESS SERVISS, Zlkon
has two /24s, 94.247.2.0 – 94.247.3.255.

% Information related to '94.247.0.0/21AS12553'

route:          94.247.0.0/21
descr:          "DATORU EXPRESS SERVISS" Ltd.
origin:         AS12553
mnt-by:         PCEXPRESS-MNT
changed:        igors@pcexpress.lv 20081121
source:         RIPE

94.247.2.11
2008-12-02 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880135.exe

94.247.2.183
2008-12-09
fire-movie.com /download/Keygen.Image.for.DOS.2.08c3098.exe
Win32:Fabot
Trojan:Win32/Alureon.gen!J
Worm/AutoRun.ER

2008-12-02
spacekeys.net /download/windows311megaupload_3019.exe
Same as fire-movie.net above

2008-12-12
moonmovie.net /download/moonmovie.v.3.484.exe
Same as fire-movie.net above

94.247.2.215
2008-11-27 – not accessible
antivirus–plus.com /installer_00004.exe

94.247.2.222
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880147.exe

94.247.3.228
2008-12-02 – not accessible
pro-scanner-online.com/2009/download/trial/A9installer_880473.exe

2008-12-12
get-frsh-files.com /MCLiteodecVer.6.20467.exe
Same as files-upload.21.com below

2008-12-13
files-upload-21.com /MCLiteodecVer.6.20271.exe
TrojanDownloader:Win32/Renos.FH

94.247.2.231
2008-12-03 – not accessible
pro-scanner-online.com /2009/download/trial/A9installer_880147.exe

94.247.3.232
2008-12-14
codecdownload.3d-softwareportal.com /exclusivemovie.1518.exe
TrojanDownloader:Win32/Renos.FU
Trojan.Win32.Undef.uhx

So we’ve got some fake antivirus, Renos, Zlob, etc. Nothing overly terrible like a banking trojan or spam bot, but who knows what else is being hosted in Zlkon’s address space.
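As an added example (not from the original post), here is a Python check that flags squid proxy log entries touching this address space, either by a download domain listed above or by the 94.247.2.0/23 that the two /24s form; the access.log lines are constructed for illustration, not traffic from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# The post's two /24s, 94.247.2.0 - 94.247.3.255, are exactly this /23.
ZLKON_NET = ipaddress.ip_network("94.247.2.0/23")

# Download domains listed in the post.
BAD_DOMAINS = {
    "pro-scanner-online.com", "fire-movie.com", "spacekeys.net", "moonmovie.net",
    "get-frsh-files.com", "files-upload-21.com", "codecdownload.3d-softwareportal.com",
}

def _in_zlkon(addr):
    """True if addr is a literal IP inside the ZlKon /23; False for names or junk."""
    try:
        return ipaddress.ip_address(addr) in ZLKON_NET
    except ValueError:
        return False

def check_line(line):
    """Classify one squid native-format access.log line; None if it is clean."""
    f = line.split()
    if len(f) < 10:  # not a complete squid line
        return None
    client, url, peer = f[2], f[6], f[8].split("/", 1)[-1]
    host = (urlsplit(url).hostname or "").lower()
    if host in BAD_DOMAINS or any(host.endswith("." + d) for d in BAD_DOMAINS):
        reason, matched = "domain", host      # host name listed in the post
    elif _in_zlkon(host):
        reason, matched = "netblock", host    # URL used a raw IP in the /23
    elif _in_zlkon(peer):
        reason, matched = "netblock", peer    # name resolved into the /23
    else:
        return None
    return {"client": client, "url": url, "reason": reason, "matched": matched,
            "exe": url.lower().endswith(".exe")}

def scan_log(text):
    """Hits for every line of a log, in order."""
    return [h for h in map(check_line, text.splitlines()) if h]

# Constructed sample log in squid native format, not traffic from the post.
SAMPLE_LOG = """\
1228262400.101 312 10.1.1.20 TCP_MISS/200 114688 GET http://fire-movie.com/download/Keygen.Image.for.DOS.2.08c3098.exe - DIRECT/94.247.2.183 application/octet-stream
1228262401.250 45 10.1.1.21 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1228262402.333 88 10.1.1.22 TCP_MISS/200 2048 GET http://94.247.2.195/ - DIRECT/94.247.2.195 text/html
1228262403.400 60 10.1.1.23 TCP_MISS/200 98304 GET http://files-upload-21.com/MCLiteodecVer.6.20271.exe - DIRECT/94.247.3.228 application/octet-stream
1228262404.500 20 10.1.1.24 TCP_HIT/200 800 GET http://www.example.org/a.png - NONE/- image/png
"""
```

Calling scan_log(SAMPLE_LOG) returns three hits: two listed-domain .exe downloads and one plain fetch from a raw IP inside the /23.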

Responses

  1. FlashPlayer.v3.181.exe
    Do a search for Hunt’s Point within Google video,
    and then click on the hit entitled,
    Hunts Point Pimps And Hookers @ kooldvd.com
    page redirects, foisting fake Flash installer upon.
    Reverse traces to Latvia. IP Address: 94.247.2.34
    Location: RIGA (56.944N, 24.117E)
    Network: 94-RIPE
    domain: zlkon.lv
    admin-c: 86617-LUMII
    tech-c: 86617-LUMII
    nserver: ns1.zlkon.lv
    nserver: ns2.zlkon.lv
    changed: dns-reg@nic.lv 20081121
    source: LUMII

    person:
    address: none
    phone: +371 26330593
    e-mail: arkadzi.daniyelian@zlkon.lv
    nic-hdl: 86617-LUMII
    source: LUMII

    File Info Description
    Report Generated 25.1.2009 at 0.32.30 (GMT 1)
    Time for scan: 31 seconds
    Filename: FlashPlayer.v3.181.exe
    File size: 110 KB
    MD5 Hash: D3EE381464C72DA4671C1B8F15A8281B
    SHA1 Hash: B48EA7824B3DFC130FBF200BE7AB5D1D7ED96484
    CRC32: 3376619150
    Application Type: Executable (EXE) 32bit
    Scanner results : 22% Scanner(8/37) found malware!
    Time : 2009/01/27 12:26:29 (CST)
    Scanner      Engine Ver       Sig Ver           Sig Date    Scan result                     Time
    a-squared   4.0.0.29        20090127170226   2009-01-27 –                              3.033
    AhnLab V3   2009.01.27.01   2009.01.27        2009-01-27 –                              1.106
    AntiVir     7.9.0.60        7.1.1.188         2009-01-27 –                              1.883
    Antiy       2.0.18          20090118.2063925  2009-01-18 –                              0.018
    Authentium  5.1.1           200901262001      2009-01-26 –                              1.172
    AVAST!      3.0.1           090127-0          2009-01-27 –                              0.001
    AVG         7.5.52.442      270.10.14/1918    2009-01-27 –                              1.896
    BitDefender 7.81008.2614896 7.23357           2009-01-27 Gen:Trojan.Heur.TDSS.1         2.848
    CA (VET)    9.0.0.143       31.6.6329         2009-01-27 –                              10.359
    ClamAV      0.94.2          8912              2009-01-28 –                              0.060
    Comodo      3.0             948               2009-01-27 –                              0.894
    CP Secure   1.1.0.715       2009.01.28        2009-01-28 –                              6.971
    Dr.Web      4.44.0.9170     2009.01.27        2009-01-27 –                              4.011
    F-Prot      4.4.4.56        20090126          2009-01-26 –                              1.218
    F-Secure    5.51.6100       2009.01.27.05     2009-01-27 Packed.Win32.Tdss.a [AVP]      0.600
    Fortinet    2.81-3.117      9.972             2009-01-27 W32/AutoTDSS.BNA!worm          0.334
    GData       19.2614/19.200  20090127          2009-01-27 Packed.Win32.Tdss.a [Engine:A] 8.087
    Ikarus      T3.1.01.45      2009.01.27.72218  2009-01-27 –                              3.527
    JiangMin    11.0.706        2009.01.27        2009-01-27 –                              2.568
    Kaspersky   5.5.10          2009.01.27        2009-01-27 Packed.Win32.Tdss.a            0.125
    KingSoft    2008.9.8.18     2009.1.27.20      2009-01-27 –                              0.630
    McAfee      5.3.00          5507              2009-01-26 –                              2.977
    Microsoft   1.4205          2009.01.27        2009-01-27 Trojan:Win32/Alureon.gen!J     13.541
    mks_vir     2.01            2009.01.27        2009-01-27 –                              4.350
    Norman      5.93.01         5.93.00           2009-01-20 –                              6.921
    nProtect    20090127.02     3071863           2009-01-27 –                              12.179
    Panda       9.05.01         2009.01.26        2009-01-26 –                              10.230
    Quick Heal  10.00           2009.01.27        2009-01-27 –                              1.201
    Rising      20.0            21.13.50.00       2009-01-24 Trojan.Win32.Nodef.aia         2.259
    Sophos      2.82.1          4.37              2009-01-28 Mal/FakeVirPk-A                2.530
    Sunbelt     4756            4756              2009-01-08 –                              0.595
    Symantec    1.3.0.24        20090127.004      2009-01-27 –                              0.053
    The Hacker  6.3.1.5         v00229            2009-01-26 –                              0.770
    Trend Micro 8.700-1004      5.798.05          2009-01-27 –                              0.064
    VBA32       3.12.8.11       20090127.0856     2009-01-27 –                              2.673
    ViRobot     20090123        2009.01.23        2009-01-23 –                              0.758
    VirusBuster 4.5.11.10       10.100.40/784661  2009-01-27 –                              1.153
    http://virscan.org/report/601f5b7e549c57fb60063d8a592a84f4.html

  2. Here’s one for you…when I attempt to get on the backend of my wordpress site, hosted on Godaddy, the status bar shows 94.247.2.195, which belongs to these jackasses, according to a whois lookup.

    I can’t even add content to my site now, this locks Firefox down, then my whole system.

    Any suggestions to get rid of this junk?

  3. I am also getting the same issue for my websites. It points to 94.247.2.195 in the status bar. Upon whois and searches it is listed on malware websites:
    2009/04/03_00:00 – 193.200.255.19/~timchenko/cms/index.php s9.x-host.net.ua exploits/trojan –

    Any help, especially quick help, would be appreciated.
