The Latest in IT Security

Fashion site falls into the hands of Russian Blackhat ISP Webalta

12 May 2011

This German site (in-vogue.de) is hosting malware:

in-vogue.de/Scripts/DSC000034774321.exe

VirusTotal (4/43)

Upon execution you might see fireworks (if you are running Process Explorer):

This is poorly written malware, although whoever wrote it made sure it would run after a reboot:

After execution, the malware downloads an additional component from: in-vogue.de/Scripts/update.exe (VirusTotal 4/42).

Also noticeable are constant pings to 92.241.168.23 (a Russian IP).

The IP belongs to AS41947, known as WEBALTA-AS (OAO Webalta).
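The "constant pings" are the kind of regular check-in a network defender can hunt for. The following is an added example, not code from the original post: it scans constructed firewall-style log lines (the log format, internal hosts and the second destination are assumed) and flags any source/destination pair that talks many times at a near-constant interval.

```python
# Added example, not from the original post: flag beaconing by looking for many,
# evenly spaced connections to one destination in constructed firewall log lines.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, format "<timestamp> <src> -> <dst> <proto>" (assumed).
SAMPLE_LOG = """\
2011-05-12T10:00:00 10.0.0.5 -> 92.241.168.23 icmp
2011-05-12T10:00:30 10.0.0.5 -> 92.241.168.23 icmp
2011-05-12T10:01:00 10.0.0.5 -> 92.241.168.23 icmp
2011-05-12T10:01:30 10.0.0.5 -> 92.241.168.23 icmp
2011-05-12T10:02:00 10.0.0.5 -> 92.241.168.23 icmp
2011-05-12T10:00:07 10.0.0.8 -> 198.51.100.7 tcp
2011-05-12T10:01:41 10.0.0.8 -> 198.51.100.7 tcp
2011-05-12T10:02:05 10.0.0.8 -> 198.51.100.7 tcp
2011-05-12T10:04:58 10.0.0.8 -> 198.51.100.7 tcp
2011-05-12T10:05:02 10.0.0.8 -> 198.51.100.7 tcp
"""

def parse(log):
    """Yield (src, dst, proto, timestamp) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue  # skip malformed lines rather than crash on them
        ts, src, _, dst, proto = parts
        yield src, dst, proto, datetime.fromisoformat(ts)

def find_beacons(log, min_hits=5, max_cv=0.2):
    """Return {(src, dst, proto): mean gap in seconds} for flows with at least
    min_hits events whose inter-arrival times are regular (std/mean <= max_cv)."""
    flows = defaultdict(list)
    for src, dst, proto, ts in parse(log):
        flows[(src, dst, proto)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A near-constant interval is the signature of a scheduled check-in.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons
```

Calling `find_beacons(SAMPLE_LOG)` on the constructed log returns only the 10.0.0.5 -> 92.241.168.23 icmp flow with a 30 s interval; the irregular flow to 198.51.100.7 is ignored.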

This ISP is very well known for having all sorts of badness (spam, bots, phishing, exploits).

Google’s Safe Browsing report highlights that “32695 site(s) we tested on this network over the past 90 days, 1905 site(s) served content that resulted in malicious software.”

Malc0de.com has 9 pages of malicious URLs related to AS41947.

If you remember, the WikiLeaks website was hosted on this Russian Blackhat ISP back in December 2010.

Webalta is enjoying a good run so far but is closely watched by the security community. It will be shut down eventually, but will most likely give birth to another blackhat or bullet-proof ISP.

Jerome Segura
