Intercage with lots of wmf exploits

I was reading up on SANS, and found this gem:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Basically, they advocate blocking all of Intercage due to a large number of wmf exploits.

Since Microsoft released the patch, those might be harmless by now (if you’re running a patched XP computer).

But the point is that whenever a new exploit appears, Intercage (and, it seems, Inhoster) are likely to have many copies of it hidden across their IP ranges until they find and disable them. And considering that ESThost is on Intercage, and the regular recruitment of badasses from there, the problem is that they first have to find the exploits before they can shut them down.

So, I guess blocking those ranges might be a good idea in general.

7 Responses to “Intercage with lots of wmf exploits”

  1. Olliver says:

    Ann Elisabeth,
    There are even some live examples (though no longer working) of the implementation. Some time ago I wrote about an annoying spammer called James Wuster aka Vasiliy Pupklindtovich. If you pick any of the domains I listed and look at the source, you’ll notice as the top line a very suspicious iframe containing a link to a document on afris.biz, a domain no longer working because the server was apparently taken down. But there’s still a Google cache version of it, and it contains very interesting code that shouldn’t be triggered with an unpatched Internet Explorer ;-). It even featured the usage of ActiveX, and I strongly suspect this implementation was serving as not quite voluntary recruitment of fresh zombies that “James Wuster” used for spamming sites.

    While afriz.biz (registered by Vasiliy Pupklindtovich) was still working it had the IP address 69.50.191.68, the same address as “goodcounter.net” (one of the “James Wuster” domains). Given that James Wuster uses dedicated servers (one default host and a set of virtual hosts), we can assume that James Wuster and Vasiliy Pupklindtovich are the same person. The entire inhosting/coteco/esthost story is more than interesting, as this appears to be a huge network of criminals. And what we know may only be the tip of the iceberg.

    Olliver

  2. Olliver says:

    By chance this morning a new spamrun has been initiated by our friend “James Wuster” alias “Vasiliy Pupklindtovich” and makes use of the wmf exploit. All people that reach his spamvertized sites from Google, MSN and Yahoo will be redirected to a personal wmf copy. I made some investigations and wrote an article about it:
    Wmf exploit spamrun by James Wuster

    This incident proves that SANS is right in recommending blackholing the entire Inhoster range.

    Olliver

  3. I’m getting really fed up with the guestbook spammer who is using Inhoster (on 85.255.116.178, 85.255.116.179, 85.255.116.180, and 85.255.116.182) to spam the world with my name and e-mail address as well as his dodgy spamvertised sites. I’m receiving lots of e-mail messages from the spammed guestbooks (and forms). If this continues, I’m going to take up the issue with the upstream provider to Inhoster. SANS says that Inhoster (and Intercage) are “non-responsive” so there’s probably no point in trying a direct approach?

  4. Dirk says:

    There’s also a whole lot of Trackback spam coming out of Inhoster’s address range. I did send a message to them once but got no reply and the spam didn’t stop either.

  5. If you find anything else about Inhoster, please let me know. Google searches are currently showing over 300 uses of my name/e-mail in association with the spammer’s messages and spamvertised sites. This is up by about 100 hits since yesterday. I reckon the upstream provider is wvfiber.net.

  6. Following more e-mails showing guestbook (and other forms) spam (the spammer is therefore still active), I’ve just sent a complaint to Inhoster via their web form and an e-mail to support@. We’ll see what happens. If there is no acknowledgement, I will be complaining to the upstream provider.

  7. [...] That’s just a fraction of this story. I’ve blogged about InterCage/Atrivo previously, several times, as have others here, here and here, to name a few. [...]
