Posted by: realsecurity | December 22, 2008

Sources of Badness – Still Trade LTD

The absolute worst culprit that I’ve come across so far in terms of bad IPs is Still Trade LTD from Russia. They have their own /24, AS47486. Out of 34 web servers in their IP block, 30 are bad. Spamhaus has the block blacklisted as a source of crimeware, see their report here.

person: Perevitskiy Sergey
address: Russian Federation,
address: St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by: STILLTRADE-MNT
abuse-mailbox: abuse@still-trade.com
e-mail: perevitzky.sergey@still-trade.com
phone: +7 (960) 257-87-90
nic-hdl: PERE1-RIPE
changed: lexa@wahome.ru 20080624
source: RIPE

Still Trade hosts a ton of fake/rogue anti-virus domains and applications. We’ve seen these hosts pop up recently:

91.208.0.220
2008-12-01
scanner.rapidantivirus.com /setup/setup.exe – Fake AV

Trojan:Win32/FakePowav
FraudTool.Win32.ExtraAntivir.c
Win32/FakeAV!generic

91.208.0.221
2008-12-11
myprivatetubes09.net /cd/650/1749/wmpcdcs.exe – Zlob

DR/Zlob.Gen
TrojanDownloader:Win32/Renos.HB
Mal/Emogen-G

91.208.0.253
2008-12-03
myprivatetubes2009.net /cd/650/1663/wmpcdcs.exe – Zlob

Same as above

The following IPs are associated with malicious applications:

91.208.0.220
91.208.0.221
91.208.0.223
91.208.0.224
91.208.0.225
91.208.0.228
91.208.0.229
91.208.0.230
91.208.0.231
91.208.0.234
91.208.0.235
91.208.0.236
91.208.0.237
91.208.0.238
91.208.0.239
91.208.0.240
91.208.0.241
91.208.0.242
91.208.0.243
91.208.0.244
91.208.0.245
91.208.0.246
91.208.0.247
91.208.0.248
91.208.0.249
91.208.0.250
91.208.0.251
91.208.0.252
91.208.0.253
91.208.0.254

BISS also has a comprehensive list of domains and malware being served by these guys.
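The indicators above (the listed addresses, the /24 and the three serving domains) are most useful when they are actually run against your own proxy or firewall logs. The script below is an added example written for this post, not code from the original author or from BISS/Spamhaus: it loads the indicators from the post, parses a constructed space-separated proxy log format (timestamp, client, method, URL, destination IP), and reports each request that hits a listed IP, a listed domain (or a subdomain of one), or an address elsewhere in the block. The network 91.208.0.0/24 is assumed from the addresses listed in the post, which names the /24 only by its AS number; the sample log lines are constructed for the example.

```python
"""Match proxy-log entries against the Still Trade indicators from the post.

Added example: the indicator values come from the post; the log format,
the sample lines and the 91.208.0.0/24 network are assumptions made here.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed from the listed 91.208.0.x addresses (the post names the /24 by AS47486 only).
STILL_TRADE_NET = ipaddress.ip_network("91.208.0.0/24")

# Last octets of the addresses the post lists as associated with malicious applications.
_LISTED_LAST_OCTETS = (220, 221, 223, 224, 225, 228, 229, 230, 231, 234, 235,
                       236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246,
                       247, 248, 249, 250, 251, 252, 253, 254)
BAD_IPS = frozenset(ipaddress.ip_address(f"91.208.0.{o}") for o in _LISTED_LAST_OCTETS)

# Domains seen serving the fake AV / Zlob installers in the post.
BAD_DOMAINS = frozenset({
    "scanner.rapidantivirus.com",
    "myprivatetubes09.net",
    "myprivatetubes2009.net",
})


def host_matches(host, domains=BAD_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_destination(dest_ip, url):
    """Return the list of reasons a destination matches, empty if it is clean."""
    reasons = []
    host = urlsplit(url).hostname or ""
    if host_matches(host):
        reasons.append("listed-domain")
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        return reasons  # unparseable address: only the domain check applies
    if ip in BAD_IPS:
        reasons.append("listed-ip")
    elif ip in STILL_TRADE_NET:
        # Not individually listed, but inside the block Spamhaus blacklisted.
        reasons.append("in-still-trade-block")
    return reasons


def parse_line(line):
    """Parse the constructed format: ts client method url dest_ip. None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, dest_ip = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "dest_ip": dest_ip}


def scan_log(lines):
    """Return one record per matching request, with the reasons it matched."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the expected format
        reasons = classify_destination(rec["dest_ip"], rec["url"])
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2008-12-12T10:01:02 10.0.0.5 GET http://scanner.rapidantivirus.com/setup/setup.exe 91.208.0.220",
    "2008-12-12T10:01:07 10.0.0.5 GET http://www.example.com/index.html 93.184.216.34",
    "2008-12-12T10:02:15 10.0.0.9 GET http://cdn.example.net/update.bin 91.208.0.222",
    "2008-12-12T10:03:40 10.0.0.9 GET http://dl.myprivatetubes2009.net/cd/650/1663/wmpcdcs.exe 198.51.100.7",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], hit["dest_ip"], ",".join(hit["reasons"]))
```

Matching the whole block rather than only the enumerated addresses is deliberate: the post reports 30 of 34 servers in the /24 as bad and the block itself is blacklisted, so a request to an unlisted address in the range (the third sample line) is still worth surfacing, just with a different reason tag so an analyst can weigh it separately.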

