Since reverse engineering has awakened my interest in malware, or should I say vice versa, I have been on the lookout for "sources". Some of those sources have been casual emails with some security researchers I encountered. Today, I got an email with the link "http://126.96.36.199/ms" (don't worry, it's not live anymore). This person encountered the link on a certain mailing list.
This IP was hosting quite a bit of malware, judging by some reports and this page from Google's cache. Apparently I was just too late to download all the binaries for analysis. At least the directory doesn't have the same name anymore. When I looked up the AS number, it seemed to belong to RBN-AS RBusiness Network.
40989 RBN-AS RBusiness Network
Adjacency: 2 Upstream: 1 Downstream: 1
Upstream Adjacent AS list
AS41173 SBT-AS SBT Telecom
Downstream Adjacent AS list
AS28866 AKIMON-AS Aki Mon Telecom

Yay, those guys again. If you have been reading this blog, you should know what RBN means and what it stands for. I was about ready to publish this post and had a quick glance at my RSS feeds of today. It seemed I wasn't the first to blog about this "discovery": Over 100 Malwares Hosted on a Single RBN IP (ddanchev). Oh well... sometimes you have to be faster. At least the investigation led me to some interesting forums and RSS feeds to add to my collection.
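The AS lookup above is the kind of step a defender repeats for every hosting IP that turns up in a report, so here is a small triage helper, added as an example for this post and not part of the original. It parses an adjacency report in the layout quoted above (origin AS line, summary counts, then the upstream and downstream lists), cross-checks the counts, and flags the origin against a watchlist of ASNs. The sample report is constructed from the figures in the post; the watchlist and the `record for review` wording for neighbours are my own assumptions, not a claim about those providers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an AS adjacency report in the layout quoted in the post
# (origin line, summary counts, then "Upstream Adjacent AS list" /
# "Downstream Adjacent AS list" sections with one "AS<number> <handle> <name>" per line).
SAMPLE_REPORT = """\
40989 RBN-AS RBusiness Network
Adjacency: 2 Upstream: 1 Downstream: 1
Upstream Adjacent AS list
AS41173 SBT-AS SBT Telecom
Downstream Adjacent AS list
AS28866 AKIMON-AS Aki Mon Telecom
"""

# Hypothetical watchlist of ASNs this defender treats as hostile hosting;
# 40989 is the RBN AS named in the post.
WATCHLIST = {40989: "RBN-AS RBusiness Network"}

# Matches both "40989 RBN-AS RBusiness Network" and "AS41173 SBT-AS SBT Telecom".
AS_LINE = re.compile(r"^(?:AS)?(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class AsInfo:
    asn: int
    handle: str
    name: str


@dataclass
class AdjacencyReport:
    origin: AsInfo
    upstream: list = field(default_factory=list)
    downstream: list = field(default_factory=list)


def _as_info(match: "re.Match") -> AsInfo:
    return AsInfo(int(match.group(1)), match.group(2), match.group(3).strip())


def parse_report(text: str) -> AdjacencyReport:
    """Parse an adjacency report and verify the listed neighbours match the summary counts."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    head = AS_LINE.match(lines[0])
    if not head:
        raise ValueError("first line must name the origin AS")
    report = AdjacencyReport(origin=_as_info(head))
    expected = {}
    section = None
    for line in lines[1:]:
        if line.startswith("Adjacency:"):
            for key, val in re.findall(r"(Adjacency|Upstream|Downstream):\s*(\d+)", line):
                expected[key.lower()] = int(val)
            continue
        if line == "Upstream Adjacent AS list":
            section = report.upstream
            continue
        if line == "Downstream Adjacent AS list":
            section = report.downstream
            continue
        m = AS_LINE.match(line)
        if m is None or section is None:
            raise ValueError(f"unexpected line: {line!r}")
        section.append(_as_info(m))
    # A report whose counts disagree with its lists was truncated or mangled; refuse it.
    if expected.get("upstream", len(report.upstream)) != len(report.upstream):
        raise ValueError("upstream count does not match listed neighbours")
    if expected.get("downstream", len(report.downstream)) != len(report.downstream):
        raise ValueError("downstream count does not match listed neighbours")
    return report


def triage(report: AdjacencyReport, watchlist: dict = WATCHLIST) -> list:
    """Return (asn, reason) findings: watchlist hits, plus neighbours of a hit to record."""
    findings = []
    if report.origin.asn in watchlist:
        findings.append((report.origin.asn, "origin AS on watchlist"))
    for label, neighbours in (("upstream", report.upstream), ("downstream", report.downstream)):
        for info in neighbours:
            if info.asn in watchlist:
                findings.append((info.asn, f"{label} neighbour on watchlist"))
            elif report.origin.asn in watchlist:
                # Not a verdict on the neighbour, just context worth keeping with the case.
                findings.append((info.asn, f"{label} of watchlisted AS, record for review"))
    return findings


if __name__ == "__main__":
    for asn, reason in triage(parse_report(SAMPLE_REPORT)):
        print(f"AS{asn}: {reason}")
```

The count check matters more than it looks: adjacency output pasted into a ticket or scraped from a cached page is often cut off, and a parser that silently accepts a report with missing neighbours will produce a confident but incomplete picture of who is carrying the traffic.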
BONUS: RBN's Fake Security Software (ddanchev).