In the course of my work, I see or hear about a lot of sites used for phishing and for distribution of malware. There are teams of people working constantly toward getting these shut down, but some just keep distributing malware even after the ISP/hosting company is notified. Security expert Jose Nazario of Arbor Networks blogged about one such site today. This site has been in operation since at least 2002 and is based in the UK. The site in question lives at IP address 18.104.22.168 (link to whois at domaintools.com). Nazario has a screenshot of a directory listing at the site, showing malware files with dates ranging from 11-Feb-2002 to 19-Jun-2006. Nazario states there are a "few thousand" files and explains:
So, what do all of these files do? They’re small agents - just downloaders really - that use the browser to change the dial-up networking settings to get you to dial a for-pay service... essentially, billing you and fueling them. Visit a malicious site, your browser starts to install this and voila, you’re hosed.
Nazario states it's been in use since 2002 and that he's tried to get the site shut down.
What’s more, this has been going on since at least 2002! According to this Computer Associates (CA) write-up, this is well-known and no one has done anything about it. :-/ I have been pinging a few sites about takedown, because it’s active malware.
Emphasis mine. The link at CA describes "ComLoad" and calls it a RAT (Remote Administration Tool) from vendor Coulomb Internet Payment Systems. Coulomb describes themselves as an ISP on their website here. Coulomb is also known for their porn dialer (CA's description); Symantec's description is here.
Looking at the whois information for that IP address again, the IP block belongs to Coulomb.
inetnum: 22.214.171.124 - 126.96.36.199
descr: Coulomb Ltd
person: Ben Daniel
address: Coulomb Ltd.
address: First Floor
address: 2 East Street
There's a phone number and email address as well. This is public record, by the way. Anyone can do a whois lookup and find the same info.
I don't know what laws there might be in the UK about operations such as Coulomb, but I believe it would be illegal in the US. Just look at the FTC's complaint against Seismic Entertainment, et al, for example.
So what to do, since this malware distribution site lives on, unchecked? Nazario's recommendation:
If you want to protect your users, consider blackhole’ing this malicious network: 188.8.131.52/20, belonging to AS16238. So far nothing, but long term suspicious activity there. And here I thought this was new, sadly it’s not!
Update June 24: UK spyware fighter Nellie2 has blogged about this situation and is ready to take action.
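Nazario's blackhole advice above, turned into a check a network defender can run over proxy logs to see which internal machines have already been talking to that prefix. This is example code added here, not from the post or from Arbor; the log format and every address other than the quoted 188.8.131.52/20 prefix are constructed.

```python
import ipaddress
import re
from collections import Counter

# Prefix named in Nazario's advice. The post writes it as a host address with a /20
# mask, so strict=False is needed to normalize it to the network 188.8.128.0/20.
BLACKHOLED_PREFIXES = [ipaddress.ip_network("188.8.131.52/20", strict=False)]

# Constructed proxy log lines (not from the post): "timestamp client dest url status"
SAMPLE_LOG = """\
1150000001.123 10.0.0.12 188.8.131.52 http://example.invalid/x.exe 200
1150000002.456 10.0.0.12 203.0.113.9 http://example.invalid/index.html 200
1150000003.789 10.0.0.40 188.8.140.7 http://example.invalid/dl.exe 200
1150000004.000 10.0.0.40 198.51.100.20 http://example.invalid/ 304
1150000005.111 10.0.0.12 188.8.144.1 http://example.invalid/ 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def is_blackholed(ip_text):
    """True if the destination falls inside any blackholed prefix."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage never match; resolve them first
    return any(ip in net for net in BLACKHOLED_PREFIXES)

def flag_connections(log_text):
    """Return (client, dest, url) for each line whose destination is blackholed."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, dest, url, _status = m.groups()
        if is_blackholed(dest):
            hits.append((client, dest, url))
    return hits

def clients_to_review(log_text):
    """Count blackholed hits per client so the noisiest machines get looked at first."""
    return Counter(client for client, _d, _u in flag_connections(log_text))

if __name__ == "__main__":
    for client, dest, url in flag_connections(SAMPLE_LOG):
        print(f"{client} -> {dest} {url}")
    print(clients_to_review(SAMPLE_LOG))
```

Note that 188.8.144.1 in the sample falls just outside the /20 and is correctly not flagged; the same prefix list can feed a null route or firewall deny once the affected clients are cleaned.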