The Latest in IT Security

Malware sites to block 19/12/12


This group of sites appears to be using a fake AV application to download a malicious file, scandsk.exe (report here), via (eTop, Poland) and (Easyspeedy, Denmark); the file then attempts to call home to (OVH, Ireland).

This is a screenshot of the fake AV in action:

From this point, scandsk.exe gets downloaded either through an exploit or through social engineering. The executable looks like some sort of downloader, which attempts to pull down additional data from these non-responding domains:

There's some sort of trickery here; perhaps it requires exactly the right combination of factors to hit a valid URL. The automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C at a single IP. This IP belongs to OVH (no surprises there) but seems to have been suballocated:

inetnum: –
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

I suspect that this whole block is being used for malicious purposes; it hosts a site called , registered in China, which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire netblock to be on the safe side.
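As an added example (not code from the original post), here is a small Python helper that parses a filtered RIPE record like the one quoted above, turns its inetnum range into the CIDR block(s) a firewall or ACL needs, and checks whether a given C&C address falls inside the suballocation. The record and addresses it uses are constructed placeholders (RFC 5737 TEST-NET-2), not the netblock discussed in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the filtered RIPE record quoted above.
# The address range is RFC 5737 TEST-NET-2 and is a placeholder, not the
# netblock discussed in the post.
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Parse the 'key: value' lines of a RIPE-style record into a dict.

    Keys may repeat (admin-c, tech-c, descr), so every value is kept in a
    list. RIPE comment lines start with '%' and trailing '# ...' comments
    (such as '# Filtered') are stripped from values.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.split("#", 1)[0].strip()
        record.setdefault(key.strip(), []).append(value)
    return record


def inetnum_to_cidrs(inetnum):
    """Convert a RIPE inetnum range 'a.b.c.d - e.f.g.h' into the minimal
    list of CIDR prefixes covering it. A suballocation is not always a
    single aligned prefix, so the result may contain several entries."""
    m = re.fullmatch(r"\s*(\S+)\s*-\s*(\S+)\s*", inetnum)
    if not m:
        raise ValueError("unexpected inetnum format: %r" % inetnum)
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def block_for(ip, whois_text):
    """Return the CIDR(s) to block if `ip` lies inside the record's inetnum,
    otherwise an empty list."""
    rec = parse_whois(whois_text)
    cidrs = inetnum_to_cidrs(rec["inetnum"][0])
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in cidrs):
        return cidrs
    return []


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print("netname:", rec["netname"][0], "mnt-by:", rec["mnt-by"][0])
    print("prefixes:", inetnum_to_cidrs(rec["inetnum"][0]))
    print("block for 198.51.100.77:", block_for("198.51.100.77", SAMPLE_WHOIS))
```

The `mnt-by` of the parent (OVH-MNT) next to a customer `netname` is the suballocation signal the post points at; feeding the resulting prefixes into a deny rule blocks the whole customer range rather than the single C&C address.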

The infection sites are on and , and they make extensive use of subdomains of , and . There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.

Recommended blocklist:

Alternatively, these are some of the subdomains in use. There are a lot of them, and probably more than I have listed here.
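Blocking the parent domains rather than chasing every subdomain only works if the match respects label boundaries, so that a lookalike such as evilexample.com is not swept up by a rule for example.com (and, conversely, that every depth of subdomain is). The following is an added example, not code from the original post; the domains and netblock in it are RFC 2606 and RFC 5737 placeholders standing in for the indicators listed above, and the RPZ output is one possible way to deploy such a list on a resolver.

```python
import ipaddress


class Blocklist:
    """Match destinations against blocked parent domains (which cover all
    of their subdomains) and blocked netblocks.

    The placeholders used in the usage below (example.com, example.net,
    203.0.113.0/24) are reserved names and ranges, not the post's indicators.
    """

    def __init__(self, domains=(), networks=()):
        self.domains = set()
        self.networks = []
        for d in domains:
            self.add_domain(d)
        for n in networks:
            self.add_network(n)

    @staticmethod
    def _norm(name):
        # Lower-case and drop a trailing dot so FQDN and relative forms agree.
        return name.strip().rstrip(".").lower()

    def add_domain(self, name):
        self.domains.add(self._norm(name))

    def add_network(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))

    def matched_domain(self, host):
        """Return the blocked parent domain covering `host`, or None.

        Walks from the full name up to the TLD, comparing whole labels, so
        'www.update.example.com' matches 'example.com' but
        'evilexample.com' does not.
        """
        labels = self._norm(host).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def matched_network(self, ip):
        """Return the blocked netblock containing `ip`, or None (also None
        when `ip` is not an IP literal at all)."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def is_blocked(self, destination):
        """True if `destination` (hostname or IP literal) should be blocked."""
        return (self.matched_network(destination) is not None
                or self.matched_domain(destination) is not None)

    def render_rpz(self):
        """Emit DNS RPZ records that return NXDOMAIN ('CNAME .') for each
        blocked domain and, via the wildcard entry, all of its subdomains."""
        lines = []
        for d in sorted(self.domains):
            lines.append("%s CNAME ." % d)
            lines.append("*.%s CNAME ." % d)
        return lines


if __name__ == "__main__":
    bl = Blocklist(domains=["example.com", "example.net."],
                   networks=["203.0.113.0/24"])
    for dest in ["www.update.example.com", "evilexample.com",
                 "203.0.113.77", "198.51.100.1"]:
        print(dest, "->", "BLOCK" if bl.is_blocked(dest) else "allow")
    print("\n".join(bl.render_rpz()))
```

The netblock check and the domain check are kept separate so a resolver-side RPZ can be generated from one half and a firewall rule set from the other, both from the same list.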
