Blog

Bad Actors Part 7 – 3fn (Or: Cutwail – How to do it right)

“Wait … *beep beep* back up for a
second, Alex.  I heard 3fn was brought down
by the FTC!” 

That would be correct!  On June 4th the FTC served a
takedown notice that essentially dropped 3fn (aka “Triple Fiber Network”, Pricewert,
APX Telecom, APS Communications) off the Internet.  I was approached by law enforcement looking
for evidence of malicious activities, and luckily, I was in the midst of
writing up an article for my Bad Actors blog series.  I decided to wait until a little time had
passed before publishing details as not to tip off 3fn and possibly ruin an
investigation.  (Note that the investigatory
group that approached me was at the federal level, but was not the FTC)

Below you’ll find my analysis of their
IP blocks and a large amount of data about the Bad Actors whom they supported.  Most of the links below are completely Not
Safe For Work, possibly malicious, and frankly, many of them are disgusting in name as well as content.  It’s not advised that you actually visit any of them.  I also have more content that I didn't post, and if you're interested in it, feel free to drop me a line.

As I’ve been talking about in previous
posts, there are many different aspects of a network infrastructure that a
criminal needs to have in place to operate a successful organization.  Let’s think about some of the pieces that
need to be stable for a simple client-server SPAM botnet such as Cutwail, which
was mainly hosted at 3fn. 

First of all, you need to infect a user
with the Cutwail malware.  This malware
could be delivered via a web exploit (such as one of the recent vulnerabilities
in Adobe PDF, Office, FireFox, or DirectShow), via a social engineering attack
(“You’re missing this video codec – press OK to install), or possibly through other
vectors like E-mail or IM.  I’ve only
seen Pushdo/Cutwail distributed through Exploits and Social Engineering, so let’s
focus on those.   You need to
control the sites that are hosting exploits or malware, and you need to be able
to redirect users, or otherwise get users to visit said site.  3fn was doing plenty of both the redirection, and the actual hosting, as I’ll detail
below.  

To weaponize a web page, one needs to
be able to load custom malicious code onto it, such as javascript that attacks a
browser.  That means
either hacking a page to load your malicious code (like we saw with the big SQL
injection worms) or running all that infrastructure in-house on your own
dedicated sites.  In-house was the
Cutwail route, which shows the uptime and QoS that they required.  Running a website also requires controlling
DNS records, and to do the job right, you should control both the authoritative
nameservers for your domains, as well your local recursive resolvers
to be sure you aren’t being poisoned for your outbound communication (like
crawling for email addresses).  This is
the level of infrastructure the bad guys were using at 3fn.

Thus far, we need a web server to host
the exploit and a DNS server to point users in the right direction, and these things can lead to a successful delivery of an infection. 
What else?  Well, for one, you’re
going to need a Command and Control server. 
This is the server to which the malware (the infection "payload") will “phone home” to get
updates, instructions, etc.  We no longer
see these behemoth pieces of monolithic malware; everything is modular and able to be updated by a remote C&C server.  These
C&C servers will be reached either via a direct IP hard coded into the malware,
which is inflexible, or a domain name, which is flexible but can be hijacked by
Internet Good Guys like a registrar, registry, me ;-), etc..  Running a C&C requires another server, if to be done properly.  In the case of Cutwail, you’ll also need a
server to provide SPAM “templates”.  I
showed a simple template in an earlier post, although it was not a Cutwail template.  3fn was hosting a whole array of Cutwail SPAM
template servers, which I’ll detail further.

Another interesting problem facing
spammers is that, contrary to popular
belief, the Internet Good Guys are very
quick to blacklist SPAM related IP addresses. 
These IP addresses used to be mainly large servers pumping out massive
amounts of SPAM, but as most SPAM these days is sent by Bots (home users,
corporate users using their company’s infrastructure, etc) these
blacklists have been very difficult to maintain, although are certainly effective to
a degree.  A tactic that's come into favor
is tracking the IP addresses that host URLs (exploit sites, pharma sites, etc) that
are advertised inside SPAM, and then classifying other SPAM based on where the
embedded links are hosted.  Lists such as
the Spamhaus SBL/XBL work well to detect these types of malicious web servers,
and in turn the SPAM that takes advantage of these servers.   So to be sure you aren’t experiencing
diminishing returns on your SPAM campaigns, you better control a large number
of IPs as they are only going to be usable for a short period. 

So far, for a SPAM infrastructure you
need an infection web server, a DNS server (or two as most registrations do/should
require a primary and secondary), a C&C server, at least one template server, and a ton of IPs.  With that in place, you
would be ready to start sending SPAM. 
Let’s think about common SPAM – Rolex watches, Pharmaceutical, porn,
etc.  What is the content of that
SPAM?  Just text?  Probably not – there will be a link in there
for the user to click.  That link needs
to be hosted somewhere, and you have similar infrastructure needs as noted
above.  My purpose for detailing
infrastructure needs is that one may read the laundry list of domains hosted
below and think “well, those are shady-looking domains, but why is that illegal?”.  It’s illegal because these domains were being
used in SPAM (Blog, E-Mail, or otherwise) to spread exploits, perform ad/click/referer fraud, peddle illegal goods,
etc.  Sending unsolicited mail using botnets, regardless of what they're selling, is not an accepted business practice.

Back to 3fn – much like McColo and
Intercage, they were based out of Northern California.  However, unlike the name suggests, uplinks to Abovenet and Level3 does not a "Triple Fiber Network" make. 
When asked by a top law enforcement official back in March if “there was
another McColo in the US” I said that there was 3fn, but that they were no
McColo.  I stand by that statement –
these guys were bad news, but they were no McColo.  

Below we see the servers responsible
for Pushdo and Cutwail, the C&C and SPAM engine, respectively, since
October of ’08.  Recently Cutwail has been distributed independent of Pushdo, but this gives a higher level overview of the whole operation.  Note that many of the
IPs listed (such as the McColo ones) are no longer active and shown for posterity.  The bolded addresses are at 3fn – as you can
see it was a massive part of the SPAM infrastructure

119.42.149.221
174.36.201.82
194.8.75.216
195.2.252.220
195.2.253.199
195.5.116.242
195.5.117.232
195.5.117.238
200.63.45.46
206.51.226.14
207.218.237.82
208.43.154.226
208.43.162.82
208.43.162.84
208.66.193.130
208.66.193.131
208.66.193.133
208.66.193.134
208.66.193.135
208.66.193.139
208.66.193.140
208.66.193.141
208.66.194.180
208.66.194.227
208.66.194.231
208.66.194.232
208.66.194.240
208.66.194.242
208.66.195.15
208.66.195.165
208.66.195.71
208.72.168.211
208.72.168.84
208.72.169.105
208.72.169.133
208.72.169.143
208.72.169.158
208.72.169.210
208.72.169.233
209.66.122.176
209.66.122.238
216.195.47.193
216.195.47.194
216.195.47.235
216.195.47.245
216.195.50.221
216.195.52.179
216.195.54.186
216.195.55.10
216.195.55.132
216.195.55.50
216.195.55.77
216.195.56.119
216.195.56.120
216.195.56.122
216.195.56.18
216.195.56.19
216.195.56.21
216.195.56.22
216.195.56.225
216.195.56.226
216.195.56.228
216.195.56.229
216.195.56.23
216.195.56.230
216.195.56.24
216.195.56.251
216.195.57.114
216.195.58.100
216.195.58.111
216.195.58.113
216.195.58.15
216.195.58.15
216.195.58.17
216.195.58.98
216.195.61.148
216.195.61.160
216.195.61.212
216.195.61.214
216.195.61.215
216.195.61.242
216.195.61.243
216.195.61.61
216.195.61.65
216.195.61.86
216.195.61.87
216.195.61.96
216.195.61.97
216.195.61.98
216.195.62.100
216.195.62.101
216.195.62.34
216.195.62.94
216.195.63.22
216.195.63.72
216.195.63.73

216.245.213.162
216.245.223.34
217.170.77.146
64.191.38.117
64.191.90.181
65.19.154.4
65.19.154.6
66.197.131.69
66.197.153.37
66.197.159.197
66.197.167.21
66.199.251.242
66.232.109.44
66.232.113.80
66.246.252.215
66.45.246.146
66.96.214.197
67.18.114.98
67.228.160.10
69.147.239.106
69.162.122.170
69.162.64.146
69.162.66.26
69.162.79.82
69.46.27.141
70.38.68.137
72.232.201.202
72.36.130.90
72.9.108.82
74.222.1.115
74.50.125.84
74.53.251.34
74.53.42.34
74.53.42.61
74.54.135.202
74.54.77.82
75.125.207.50
75.125.207.82
75.125.238.10
75.126.208.82
75.126.215.18
75.126.22.226
88.255.94.2
91.203.92.189
91.203.92.7
91.211.64.117
91.212.65.57
92.62.100.91
92.62.101.118
94.103.4.217
94.103.4.230
94.247.2.95
94.247.3.44
94.247.3.46
97.74.115.222

Without further ado, here is a selection of the the
content that was hosted at 3fn.  If you are curious whether a domain has been used for SPAM or other malicious intentions, simply do a Yahoo! search for the domain and make your own judgment.  The following domains sell illegal/fake medicine, sell illegal mp3s, sell fake AV software, host "warez", send SPAM and host its infrastructure, serve Kiddie Porn, and just about every other malicious thing you could imagine.

64.124.84.188 – bootleg mp3s
Host: allsweetmp3.com

64.124.84.228 – Illegal pharma
Host: pharmadrugs.us (dns 216.195.51.25, another 3fn IP)

64.124.84.229 – rogue AV
blinds-shades.genericshop.biz redirects to http://antivirusonlineproscanner.com/promo/1/freescan.php?nu=880172&back=%3DDQx4jD2OMMMMI%3DO

64.124.84.235 – pharma dns hosting for:
trustedsitelist.com hosted on 216.195.51.44 (3fn)

GET /img/amoxicillin/9.png HTTP/1.1
Accept: */*
Referer: http://www.blogcrowds.com/forum/viewtopic.php?t=7410
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Host: trustedsitelist.com
Connection: Keep-Alive

64.124.210.9 – search/click fraud.  You can clearly see below that there is search hijacking going on, where you attempt to search on one engine, and you are redirected to one participating in an "affiliate" program such that the malware author gets a few cents per redirection.   In this case, the original search queries after faked by the malware as well.

GET /pass/?c=SJf%2FKTzaDMKxhPa2KyKG4b%2Fo1nJrdK6N6aISRRdXYH%2FnOKMa%2Fb32NfjGLU3kefUO%2BtuN1hookBg7%2BYLI0%2BtMIS8M%2BUHVJtbO1XVU8Z%2FlYGgKldRiuuEpyVRuBHt9ZCQPGz
c4DmQ7iHKX89F0UFqTxGT1u3Zy0vjl0QJiWBjMT5GTA8SHl%2FsVR9m%2Fmp%2Ft6cEsdthgEZhKhKBO9OASxlI97b1ynssj7KuzY0QW39SwA8ltO%2FRqO9cynfa2iPbcDwxzxAztwRXXM5P37Y4I6HhP4ADEcjZ7WwYLeL5iGQN4xUDCQbb4vJRYgmA7tDb5Qg0%2FqNq7y
YgmgcZ7mEGF8VKOSeiNRy7X5p%2BNlKVnTscse8OxzxS5UWT6Ttt5uPiWD55jEyoHFBJDbamV29u%2BUCZ5GMm2Y5yuwJoBpWRA3xd86w7mn8gwo9cK8hbxeL8611YKv2mJ7gCPj5WR66uKwr3oEmMYsiAJ0ywrnzxNQMC3AjJVGG9qdoryZs%2BsQpve0nfg HTTP/1.1
Accept: */*
Referer: http://www.ovgue.com/cgi-bin/search/search.cgi?username=20080806&keywords=Motorcycle Insurance
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: 64.124.210.9

HTTP/1.1 302 Found
Server: nginx/0.4.0
Content-Type: text/html
Connection: close
Location: http://www.searchfeed.com/rd/Clk.jsp?id=41774004&r=2&a=55963&lid=16097426&la=2%2726&lnk2=rhhE%3F..tExeyiAhyG%27AtpDy%27pDB.%3Eyxp%3DyEyf9%29yekxpr%3DnD%26neh%26mh%23G9%29X%3DkihD+sCyixkCpe%29kffs
Askhe%3D%5CPmd%5B&k=motorcycle+insurance&p=48262&sid=75365&ex=1238361895515&snid=63
Content-Length: 0


root@alex_lanstein.eng.fireeye.com — {~/3fn} cat infection | egrep Referer:\|Location:

Referer: http://netyell.com/cgi-bin/search/search.cgi?username=26717&keywords=bad credit home equity loan
Location: http://www.abcjmp.com/jump1/?affiliate=savehits&subid=21232&terms=bad%20credit%20home%20equity%20loan&sid=Z742044591%40EzXyEjMzUTOx8FM0kjMfljMfNTNy8FMxcTO1MDOzITM&a=fniruvgf&mr=1&rc=0
Referer: http://slimfruitsearch.com/?q=Home%20Mortgage
Location: http://iad.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=52593&x=QNJ9Vd6JrLjSk6roJk72u1NttlHetH;6O2JkIVLLEX8zkGJEbGH4gG;6R4Hhukw1XdSZVVwkVlgHjVA0X4zoxeMukcgPJFjI74ogaF7NkFAnbNtV0sXIF9JsOFwKLcMSjkNBGw8mQoAwIlBeu7;kF1HMGLZwgc6HFG6V3hcPY2IRt6cPRdsea
Referer: http://skypharmacist.com/?aid=8422&q=business loan
Location: http://iad.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=52593&x=bRxCI2okmrFCFBXtT49Y1qonH4pwmb7jZsztKPRdhtHHVsxZ7qoPts7jyOiDLB75yaBmQWHjDo;s9PySyYHqHrcCtUB8TazzSVRUgaxwVaci7P9ZzYxJgtUACajDBUmvX4fP8Yxq9BiYl4EEwNG9TNxBZCiL2f8qrbzVdw38NsTnmoOJxIyEP
Referer: http://www.epulsar.com/index.php?uid=&REQ=Home+Insurance
Location: http://atl.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=52593&x=4C0QJWmy9Be9SBK1vR9Y:E11R1ET4nrRtY01fYTmklbK:Y05J9m6cYrRXzeFFtNSRvYhjkbkcBXicYfPX6utQPpkf3Tcv4fNTZYEzWfl:4h40nZ39D0Sj2ayq4Eu9LR1ZR1MZZbFfRAvatiTZCNnvEmBstmzk31XjCYnI1vcfeMH4P8JX4aVZX$ZZ
Referer: http://slimfruitsearch.com/?q=Sport%20Betting

64.124.210.22 – illegal mp3 hosting
mp3sparks.com
img.mp3sparks.com
mp3sparks.com.          600     IN      A       200.63.45.7
mp3sparks.com.          600     IN      A       115.126.5.76
mp3sparks.com.          600     IN      A       115.126.5.122
mp3sparks.com.          600     IN      A       94.247.3.34
mp3sparks.com.          86367   IN      NS      ns2.aomp.cc.
mp3sparks.com.          86367   IN      NS      ns1.aomp.cc.
;; ADDITIONAL SECTION:
ns2.aomp.cc.            14367   IN      A       64.124.210.22
ns1.aomp.cc.            2442    IN      A       80.86.87.219

64.124.210.54 – directly sending spam, as well as hosting a domain used in spam

;; ANSWER SECTION:
wwwshamwarigallery.com. 80663   IN      A       64.124.210.54
;; AUTHORITY SECTION:
wwwshamwarigallery.com. 80663   IN      NS      ns.wwwshamwarigallery.com.


From: "Lucile Butcher" <kefwwwshamwarigallerydiz@wwwshamwarigallery.com>
Subject: Boost your energy with Acai Diet
Date: (removed)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMa
il-Priority: Normal

X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Return-Path: kefwwwshamwarigallerydiz@wwwshamwarigallery.com

Salute Mdawson

Acai Berry, Lose wieght feel great
Free trial of hollywoods weight loss secret Acai Berry

I've always had trouble with my weight ever since I was young.Of course I tried all the "best" fat loss products, nothing helped very much.It wasn't til I tried Acai that I saw the pounds seriously start to melt away! Nothing helped me lose weight faster.I literally saw 15 pounds melt away within the first few weeks! There is nothing more exciting than watching pounds disappear, especially when you've tried all sorts of different methods and products before. I've since read up on Acai and am amazed at the number of people who have benefited from its amazing results.I'm halfway to my goal, Acai will get me the rest of the way ;)
Cheers!


64.124.210.161
nude-male-celebrities.net
celebrity-tgp.com
www.best-celeb-porn.com
kopyha.com
nudesonline.us
www.kristin-davis-nude.com

64.124.210.167 – dns hosting for spam domain
www.nudesonline.us

64.124.210.169 – link farm
absolutax.com

64.124.222.132 – pharma domains
Host: skypharmacist.com
Host: slimfruitsearch.com

64.124.222.133 – spam domains
Host: glamouranimals.com
Host: technosearcher.com

64.124.222.166 – pharma spam domains

www.online-pharmacy-adviser.com. 24057 IN CNAME online-pharmacy-adviser.com.
online-pharmacy-adviser.com. 24060 IN   A       64.124.222.228

64.124.222.169 – porn spam domain
Host: celebrity-tgp.com

64.124.222.176 – ad/search/click fraud

Host: 64.124.222.176

Referer: http://www.thegoldxml.com/cgi-bin/search/search.cgi?username=9001&keywords=car+insurance
Location: http://www.abcjmp.com/jump1/?affiliate=savehits&subid=21103&terms=car%20insurance&sid=Z145044247%40%40QMfBTO0EzM5EzX5MDNy8lNy8VO08FM0MTO0MDOzITM&a=fniruvgf&mr=1&rc=0
Referer: http://www.lyclick.com/cgi-bin/search/search.cgi?username=kerry1&keywords=Consumer+Credit+Counseling
Location: http://www.searchfeed.com/rd/Clk.jsp?id=43185968&r=2&a=63996&lid=16946244&la=2%2792&lnk2=rhhE%3F..tExeyiAhyG%27AtpDy%27pDB.%3Eyekxpr%3DnD%26neh%26mh%23G9%29X%3DXxeqsh%26%23G4%26deoh%26XDiCyeAsCg%26Yexjspey%29yxp%3DYPYcG%29kffsAskhe%3D%5CPmd%5B&k=consumer+credit+counseling&p=48262&sid=648745&ex=1238349910739&snid=208

64.124.222.180 – porn spam domains
crazymatures.com
musicfind.us
lyricfind.net
stupidgals.com
anal-sex.org.uk

64.124.222.188 – affiliate website.  I can't find anything directly illegal about this page, although they do have some Not Safe For Work thoughts on the 3fn shutdown

Host: shopxml.com
GET /EXPORT/quantity.php?shop=504 HTTP/1.1
Host: shopxml.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8) Gecko/2009032608 Firefox/3.0.8
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

64.124.222.189 – porn spam domains
i.penisbot.com
porninspector.com

64.124.222.190 – dns for spam domains
brutalorgies.com
www.realhomevids.net
technosearcher.com
bdsmrapes.com
skypharmacist.com
filesdump.com
mx1.comfortablerabbit.com
barby-cuties.com
my.pornostrike.com
tvnylons.com
mature4fuck.com
www.fetishpains.com
www.bdsmscreams.com
www.jungeboystop.com
embership-choice.com
www.jewelryboom.com
fuckzoo.net
hiddencamsfree.com
bestzoosex.com
college-cuties.net
bangtubevideos.com.
gotslaves.com
www.beastrating.com
animals.takezoo.com
slimfruitsearch.com
teenvideoclub.com
thepillsguide.com
extreme-board.com
teen-boys-sex.com
truepornotube.com
fuckhardclips.com

64.124.222.198 – mostly illegal products to pass drug tests (in the US of course)
mbdetox.com
medical-test.com

216.195.32.118
dns for mbdetox.com
"At MB Detox we understand that drug testing is often an unfair and unwarranted invasion of your privacy. Whether you're a recreational user or someone who self medicates, we can provide you with legal nutritional supplements to help you detoxify your blood, saliva, hair, and urine."

216.195.32.128 – a paid blog spam service.  I suggest you actually check out this link to see the brazen way they advertise being spammers.  Also take a look at an article by Brian Krebs on them from 2007.
Host: botmasternet.com

216.195.32.130 – a paid blog spam service
Host: botmasterru.com

216.195.32.131 – a paid blog spam service
Host: botmasternet.com

216.195.32.251 – supported by porn spam domains
Host: www.realitympegs.com
Referer: http://fishmpegs.com/
Referer: http://realcumvideo.com/
Referer: http://www.123clips.com/
Referer: http://www.homewhores.com/

216.195.32.252
dns for www.realitympegs.com

216.195.33.44 – click/search/ad fraud

GET /pass/?c=RUVA9HJHS9jgqSC%2BMBwUcSWEY3O7Ge5Cs6mKEjRqQKGnn5qHllmVO%2FdZDN6nh9yJaaFx5ZL3xI9AVS%2Bbaq7qUm5P5sUi6I%2Bp2C6My0ct6LlLfJyf7fHm59e42GmI2QhxI1VQiIFrwzLg%2B%2Bp9pY6edA%2BVfgLItRg2TjDryy5r3LKwM0CNXkIAdoL0XSTk%2Bdi2JxxytLczjXTZzj4CU5jQ22U1w1RPGjuDZoJMF8562fdsughyWDPLbBgjyXbw9SnfKgpteJcjj6TyhPYGDPu%2FLDmoAqOGTnz5uYKegsi%2FG7afv%2B8V96AldvTFZlpGnDklIhe4TdUtRNxKUthKJ9caZIZIkyc8%2FwhSq3JyEQS0OR9exRYFbEpa8xlLaQmsc0J6O9se3sxPpNRiZ4oeirBzFq609LMrC25xqbwDwmHRqfou39lVUH39uLfq0GmEbikGAIP4P27%2FX6992zLMRm5Q4eocBCt9n6NvjYwNDNUWj%2Fg%3D HTTP/1.1
Referer: http://www.highlandersearch.com/search.php?username=1989514&query=car+free+insurance+quote
GET /pass/?c=mkr2mB7s6vO6zOPVJUmmjoW0h2kilpNFhAopO2ZLhs%2FTm5IdHXi9DiAkOeejVfYwZHjqYbU6a%2FWxNSBAd4CB1IbDnvD3X%2Bve7sH0OA5T1uglPVhairemjAZTyLIVyqbdoBKfDUN%2FO5xfdD32mcMQd9RLSXVaRtIGV7DO2mCVz%2Fe2r3FGsTNEO9qBcOXH%2BYmDLISW6GFVEH6hMN4SxJN4SKChYOI8LHgrKjy6WC%2B6tr3vZnqOZEQozFVYtCiRTu0GpCxJ1em3wiKVY8hQMuMxBelx5IfCWCFK6aESh5TiJP48ZEBsulM9WyIiDD%2B9rrLtNytJQ4NzwJ4LmnuL5YRE1MMO%2BnXI0rxS%2FTCzBkcM47Rlf2XFMPSSwbyfXBflx5n1 HTTP/1.1
Referer: http://www.ovgue.com/cgi-bin/search/search.cgi?username=6237393&keywords=Cheap Car Insurance
GET /pass/?c=baQXRHH1jkCRm%2B2zDxxRMbNURK16FzTIE1WVocECXt9LsUD7F89qGYwTc0n0He79NAUFrfgdY7Fl9gknuTxkdE8aqtYnsnBeVQTZMmLEM2shjB7022DkWSLusqyuUkOoJvhocPAHVXLYSQDd%2FPGsNtRQzvqdjHYaWPm4MFlw7Z8b7xsJTIavoBU8fllX%2B4IWYym5IP4BhGaQKJFKx1%2BVjXgn%2FH99qTPos0VwqJN2x4Xm%2BXBP0yT6pqAzz5Hu1XKlcwP4vUbpQlrUY04GuVHo24YWBbRcQ%2BCdFf%2Fuvb4sMW6VGVIYiaHRdqdHN7Dt4CITBEW1wWSR622ROKDwwuQaMj89At8r7wFq2VtjeI6wXxHOAgxY1WpgoyOctvO0KXk2zs51%2FEbND04Awo%2FMmmchzyqTzSwRNVXnMUef4g4OP%2FXkRjndAbdf9tdl6upr78PWdQHZ6Rtk3pkR0%2F5zGCs9b%2FV6fvCb3bnd34Fh%2Bq9TR%2BtKicUBs
qiq1zVdhEa%2FfJVzcod74Vro00AtoBAtd68Dmw%3D%3D HTTP/1.1

Referer: http://www.ovgue.com/cgi-bin/search/search.cgi?username=7555935&keywords=California Car Insurances

216.195.33.53 – spam porn domains
http://www.robtex.com/ip/216.195.33.53.html

216.195.33.54 – spam porn domains
http://www.robtex.com/ip/216.195.33.54.html

216.195.33.55 – spam porn domains
http://www.robtex.com/ip/216.195.33.55.html

216.195.33.58 – spam porn domain
Host: www.keyholevids.com

216.195.33.105 – spam porn domain
Host: rusadult.com

216.195.33.107 – latex fetish porn.  Illegal?  Does not appear so.
Host: www.likera.com

216.195.33.142
Host: www.mo-08.info redirects to illegal movies

GET /stat/track.php?id=xxxxx HTTP/1.1
Host: www.mo-08.info
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://swedeboyp.blogspot.com/2008/10/watch-interstate-60-2002-online-now.html

HTTP/1.1 200 OK
Date: Sun, 29 Mar 2009 05:32:40 GMT
Server: Apache/2.0.53 (Fedora)
X-Powered-By: PHP/4.3.11
Content-Length: 162
Connection: close
Content-Type: text/html

<script>
top.location.href="ht"+"tp://www.zm"+"l.c"+"o"+"m/mo"+"vie/in"+"ter"+"st"+"ate"+"-"+"60"+"-40419."+"htm?d"+"id=3"+"1&ta"+"g"+"1=s"+"p"+"l";
</script>

(which is an obfuscated version of http://www.zml.com/movie/interstate-60-40419.htm?did=31&tag1=spl)

216.195.33.143 – link farm
Host: m-phone.info
http://www.google.com/search?q=site:m-phone.info+m-phone.info&hl=en&start=20&sa=N

216.195.33.153 – Odd that a porn site pimps anti spyware software….but not illegal.
Host: www.bigbustymodels.com
links to http://www.nuker.com/info/evn/?hop=bigmember

216.195.33.192 – incest porn
Host: parentalvideo.com

216.195.33.193 – dns for the above

216.195.33.196 – hosting for a porn rating page.  Does not appear to be illegal.
Host: community.porninspector.com
Host: site.definebabe.com
Host: site.freudbox.com
Host: site.porninspector.com
Host: www.porninspector.com

216.195.34.92
Host: hiddencamsfree.com

216.195.34.107
Host: asianstory.net
Host: asiasexland.com
Host: fastorgazm.com
Host: www.ladyboyporn.net

216.195.34.108 – Previously hosted at Atrivo – need I say more?
Host: asiantale.net

216.195.34.114
dns from above

216.195.34.133
Host: cruel-action.com

216.195.34.135
Host: portal.cruel-action.com
Host: rape.cruel-action.com

216.195.34.165 – dns for child porn domains
exxxlusive.com
porno-traffic.biz
delassaletta.com
www.bdsmsm.com
little-love.us
little-princess.org
little-young.org
loli-samples.net
shit-sex.net
xxx-movie.us
yo-models.com
cy4ku.net
young-angels.name
young-barby.com
young-xxx.org
little-barby.com
little-princess.org
onlinehelpsupport.com
themicrosoftonline.net

216.195.34.176 – porn spam domains
Host: www.celebritynudevideos.net
Host: www.celebsmovies-online.com

216.195.34.177
Host: porno-traffic.biz
Host: themicrosoftonline.net

216.195.34.184
Host: exxxlusive.com
Host: www.bdsmsm.com

216.195.34.212
Host: www.kinkybondagesex.com

216.195.34.220
Host: www.3dxxxsite.com
Host: www.cartoon-fuck.net

216.195.34.221
Host: www.dirtyporncartoons.com

216.195.34.226
Host: www.adulttoonssite.net
Host: www.sextoonsworld.net

216.195.34.229
Host: www.toonpornguide.net

216.195.35.11
Host: momcool.com
Host: nylonertop.com
Host: pantyhosecharm.com
Host: pantyhoselabel.com
Host: trannymarch.com
Host: tvnylons.com

216.195.35.35
Host: www.bluemans.net

216.195.35.99
Host: seaarch.info

216.195.35.108
Host: tn.hot-sex-tube.com

216.195.35.109
Host: www.hot-sex-tube.com

216.195.35.168
Host: www.fatvideo.net

216.195.35.170
Host: www.japangals.net

216.195.35.172
Host: momsvideo.net

216.195.35.174
Host: www.onlyasian.net

216.195.35.175
Host: www.onlyasianmovies.net

216.195.35.178
Host: www.shemale-film.com

216.195.35.186
Host: www.wildasianlove.com

216.195.35.187
Host: www.teenshomemade.com

216.195.36.5
Host: www.fpgalleries.com

216.195.36.83 – warez hosting
Host: www.drigg-code.org
Host: www.freesoftwaremagazine.com
Host: www.fsdaily.com
Host: www.illiterarty.com

216.195.36.123
Host: incest2k.com
Host: www.passgay.com
Host: www.violinks.com

216.195.37.205
Host: asqw.ru

216.195.37.210
Host: protopsites.com
Host: voyeurs.upskirttoplist.com
Host: www.facesittingfantasy.com

216.195.37.251
Host: xwarezzz.com

216.195.38.114
Host: dpcelebrity.com

216.195.40.63
Host: pisshiddencams.com

216.195.40.65
Host: bangtubevideos.com
Host: www.bangtubevideos.com

216.195.40.66
Host: tn.bangtubevideos.com

216.195.40.67
Host: www.fuckhardclips.com

216.195.40.68
Host: tn.fuckhardclips.com

216.195.40.75
Host: gaychan.ru
Host: gchan.ru

216.195.40.76 (fake av)
Host: yourcompguard.com

216.195.40.77 (fake av)
Host: compguard.org

216.195.40.114
Host: dogfart-sex-series.com
Host: www.getresultnoew.com

216.195.40.117 https://safeweb.norton.com/report/show?name=firstgate.ru
Host: firstgate.ru

216.195.40.121
Host: allforpets.ru

216.195.41.25
Host: incest4you.com

216.195.41.32
Host: sexshop365.ru
Host: www.rozoviykrolik.com

216.195.41.50
Host: messyshare.com

216.195.41.132
Host: www.bigcocksex.biz
Host: www.blackmonsterz.com

216.195.41.158
Host: members.bannedfamilyporn.com
Host: www.slavafilm-extreme.com

216.195.41.161
Host: brutalfamily.cruelnetwork.com
Host: cruelmovies.cruelnetwork.com
Host: www.cruelnetwork.com
Host: www.cruelplanet.com
Host: www.shockinghomemovies.com

216.195.41.162
Host: www.bannedfamilyporn.com

216.195.41.163
Host: www.cruelmoney.com

216.195.41.181
Host: galleries.pantyhosesexylegs.com
Host: www.pantyhosesexylegs.com

216.195.41.191
Host: www.1mature-sex.com

216.195.41.204
Host: img.1mature-sex.com

216.195.41.214 – file uploading service that appears to turn their back on uploaded content that violates copyrights
Host: www.filesdump.com

216.195.41.221 – child porn
Host: www.allals.com
Host: www.allftv.com
Host: www.allkarupspc.com r />Host: www.allmetart.com
Host: www.karups1.com
Host: www.nubiles1.com
Host: www.nubilesthumbs.com
Host: www.pimpmykarups.com
Host: www.pimpmynubiles.com

216.195.41.226
Host: dl10.filesdump.com

216.195.41.229 – the title of the page is "Good Warez Blog :)"
Host: flowgaleria.org

216.195.42.90
Host: incest-samples.com

216.195.42.94 – child porn
Host: adult-guide.us
Host: little-incest.com

216.195.42.96  – child porn
Host: little-young.com

216.195.42.127 – forum talking about SEO.  It's in Russian so I can't confirm if it's malicious or not
Host: www.umaxforum.com

216.195.42.162 – illegal mp3s
Host: mp3slot.com

216.195.42.190 – a site that advertises their other porn sites
Host: pay-sites-list.com

216.195.42.193
Host: www.all-rape.com
Host: www.brutal-fuck.com
Host: www.teenr.com
Host: www.torturesru.com

216.195.42.207
Host: anal-diary-online.com
Host: scat-slave.com

216.195.42.208
Host: girls-scat-movies.net

216.195.42.209
Host: forced-videos.net

216.195.42.210
Host: eat-shit-blog.com

216.195.42.211
Host: teen-rape-movies.com

216.195.42.214
Host: www.teenageimage.com

216.195.42.216
Host: www.gagaholic.net

216.195.42.242
Host: movies-city.com
Host: spympegs.net
Host: www.realhomevids.net

216.195.42.243
Host: www.spymovs.com

216.195.42.245
Host: www.wowsexmovie.com

216.195.42.246
Host: mature4fuck.com
Host: www.mature4fuck.com
Host: www.truepornotube.com

216.195.42.248
Host: my.wowsexmovie.com
Host: tube.spymovs.com

216.195.42.249
Host: my.movies-city.com
Host: my.pornostrike.com
Host: my.truepornotube.com
Also, malware:

GET /sig3.exe HTTP/1.1
Host: 216.195.42.249:80
Accept: */*
Referer: 216.195.42.249:80
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
216.195.44.14
Host: adult-reviews.org

216.195.44.15 – links to malware
Host: llll11l.cn
Host: llll18l.cn

216.195.44.61
Host: www.bustymomsvideo.com

216.195.44.62
Host: www.spicymilfs.com

216.195.44.67
Host: www.hiddencamsvideo.com

216.195.44.68
Host: www.delightmovies.com
Host: www.homemadempegs.com

216.195.44.70 – warez hosting
Host: loweimages.com

216.195.44.74 – illegal mp3s
Host: pure-mp3.com

216.195.44.77 – beating drug tests illegally
Host: best4drugtest.com

216.195.44.106 – malware
Host: 216.195.44.106

216.195.44.136
Host: hotmaledicks.com

216.195.44.166 – adult affiliate program
Host: img.awmbrains.com

216.195.44.179 – "extreme" porn
Host: www.extreme-board.com

216.195.44.181 – this appears to be legitimate
Host: www.autoxp.ru

216.195.44.203
Host: forced.gay18.org
Host: japan.asiachix.com
Host: japs.asiachix.com
Host: spanking.movies18.net
Host: voyeur.pee18.com
Host: www.bdsm666.com
Host: www.bdsmbrutal.com
Host: www.boysexvideo.com
Host: www.elitepaysites.com
Host: www.extreme-bdsm-movie.com
Host: www.forcedteenagers.net
Host: www.ritual666.com
Host: www.slave18.com
Host: www.victimz.com
Host: www.x-wm.biz

216.195.44.228
Host: x-crime.com

216.195.46.254 – ad/click fraud

216.195.47.16
Host: wc-video.voyeur-russian.com

216.195.47.20
Host: img.voyeur-russian.com
Host: video.voyeur-russian.com

216.195.47.24
Host: img.pisshiddencams.com
Host: img.showersexvids.com

216.195.47.25
Host: img.hiddenbucks.com

216.195.47.26
Host: www.pissingmovs.com

216.195.47.119
Host: lbporn.com

216.195.47.145 – illegal mp3s
Host: rinop.com

216.195.47.171
Host: www.homepornfiles.com
Host: www.mambamovies.com

216.195.47.173
Host: www.realcumvideo.com

216.195.47.174
Host: www.privatepornclips.com
Host: www.teenshomemovies.com

216.195.47.199 – fake bank http://db.aa419.org/fakebanksview.php?key=14835

216.195.47.205
Host: rapeblog.actiondev.com

216.195.47.218 – direct spam
Host: 4nrop.com

216.195.47.219
Host: www.rape–porn.com

216.195.47.234
Host: www.voyeur-russian.com

216.195.48.45 – malware
Host: pornhunters.info

GET /calc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 216.195.48.45
Connection: Keep-Alive

216.195.48.46
Host: www.pop-up-sex.com

216.195.48.101 click/ad fraud

216.195.48.110 – "extreme" porn
Host: 3xniche.com

216.195.48.244 – malware

GET /back.gif?nocache=0.7055475 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 216.195.48.244
Connection: Keep-Alive

216.195.49.82
Host: www.amateurteensvideo.com

216.195.49.88
Host: www.uncensored-movies.com

216.195.49.132 – malware

GET /x/gallery.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 216.195.49.132
Connection: Keep-Alive

216.195.50.11
Host: www.teenvideoclub.com

216.195.50.17
Host: www.momstaboo.com

216.195.50.18
Host: www.momswhores.net

216.195.50.19
Host: www.momstaped.com

216.195.50.26
Host: www.whorestube.com

216.195.50.36
Host: image.voyeur-fotos.info
Host: image.voyeur-nudism.info

216.195.50.37
Host: thumb.voyeur-nudism.info

216.195.50.38
Host: forum.voyeur-russian.com

216.195.50.39
Host: voyeur-nudism.info

216.195.50.43
Host: img.russian-voyeur.com

216.195.50.51
Host: forced-witness.biz
Host: rapedirect.org
Host: runx.org
Host: www.rapedirect.org

216.195.50.54
Host: pornfat.net

216.195.50.98
Host: www.pantyhoseline.com

216.195.50.103
Host: www.nylonfeetline.com

216.195.50.107
Host: www.pantyhosediscounts.com

216.195.50.108
Host: www.actionmatures.com
Host: www.analsaga.com
Host: www.backdoorlesbians.com
Host: www.boyslovematures.com
Host: www.ferronetwork.com
Host: www.ladieskissladies.com
Host: www.maturestoday.com
Host: www.momsgiveass.com
Host: www.straponsissies.com

216.195.50.109
Host: www.transpantyhose.com

216.195.50.111
Host: www.wiredshemales.com

216.195.50.117
Host: www.maturesandpantyhose.com

216.195.50.124
Host: www.girlsformatures.com
Host: www.shemalesfuckshemales.com

216.195.50.127
Host: rs.voyeur-russian.com

216.195.50.197
Host: www.shemalediscounts.com

216.195.50.209 – legitimate jewery site?
Host: www.jewelryboom.com<
br />
216.195.51.44 – pharma spam
Host: trustedsitelist.com

216.195.51.63 – exploits
Host: offerscube.com

216.195.51.114 – Zlob
myhotsearch.org
http://www.malwaredomainlist.com/mdl.php?search=myhotsearch.org&colsearch=All&quantity=50&inactive=on

216.195.51.142
Host: premiumpharm.com

216.195.51.205 – pharma
Host: aimedsearch.com

216.195.51.210
Host: top10pharms.com

216.195.51.243 – link farm
Host: 10bestsearch.com

216.195.52.27
Host: teenshdd.com

216.195.52.30
Host: myfreegals.com

216.195.52.31
Host: xxxfusion.com

216.195.52.33
Host: galleries.twinkiemovies.com

216.195.52.34
Host: galls.teenburg.com
Host: moviegalls1.teenburg.com
Host: moviegalls2.teenburg.com

216.195.52.52
Host: digbone.com
Host: toptravel10.com
Host: www.lookuplive.com
Host: www.myshovel.com
Host: www.searchadv.com
Host: www.topauto10.com
Host: www.topmeds10.com
Host: www.topsearch10.com

216.195.52.58
Host: www.sexzone-x.com

216.195.52.59
Host: www.forcedsexy.com

216.195.52.61
Host: www.forcedsexextreme.com

216.195.52.62
Host: www.forcedsexphoto.com

216.195.52.64
Host: www.bondagelatex.net
Host: www.brutally-sex.com

216.195.52.100 ad/click fraud

216.195.52.119
Host: s1.filesdump.com

216.195.52.125
Host: img.filesdump.com

216.195.52.150 – scam http://www.scamclub.com/blog/2006/11/reviewstreamcom-dont-try-it.html
Host: www.reviewstream.com

216.195.52.176
Host: www.mybigblack.com

216.195.52.205
Host: www.myprivatecameras.com

216.195.52.222
Host: teengalls.teenburg.com

216.195.52.242 – illegal movies
Host: loadmovies.ru

216.195.54.45
Host: www.pornstar-land.com

216.195.54.47
Host: www.ultra-xxx.net

216.195.54.152
Host: taboopornclips.com

216.195.54.155
Host: www.collegesexfilms.com

216.195.54.156
Host: teensexalbum.com
Host: teenspleasures.com

216.195.54.157
Host: mature-amateur.tv

216.195.54.159
Host: 36plusvoyeur.com

216.195.54.165
Host: strictrestraint.extreme-bdsm-porn.com

216.195.54.170
Host: teens-in-love.com
Host: www.moms-avenue.com
Host: www.pervertedcoeds.com

216.195.54.210
Host: www.videosmotr.ru

216.195.54.212 – knockoff Harvard scam website
Host: harvard-university.biz

216.195.54.238
Host: banners1.more-toons.com
Host: banners2.more-toons.com
Host: banners3.more-toons.com
Host: banners4.more-toons.com
Host: banners5.more-toons.com
Host: banners.more-toons.com
Host: banners.toons-fuck.com
Host: banners.toons-online.com
Host: banners.yourcartoons.com
Host: pics.courtneysite.com
Host: pics.greatincest.com
Host: pics.incestart.name
Host: pics.thepornxxx.com
Host: pics.toons3dfuck.com
Host: pics.x-tranny.com
Host: www.courtneysite.com
Host: www.homeincest.name
Host: www.theoldyoung.com
Host: www.thepornxxx.com
Host: www.x-tranny.com

216.195.54.239
Host: hostedby.3fn.net

216.195.55.33
Host: theoldyoung.the-anime.com
Host: thepornxxx.the-anime.com
Host: x-tranny.anime-site.com

216.195.55.34
Host: i3d.the-anime.com
Host: thepornxxx.the-cartoon.com
Host: x-tranny.the-anime.com

216.195.55.35
Host: thepornxxx.pornohelp.com
Host: x-tranny.the-cartoon.com

216.195.55.36
Host: theoldyoung.toons-3d.com
Host: thepornxxx.toons-3d.com
Host: x-tranny.3d2you.com

216.195.55.37
Host: thepornxxx.easy-thumbs.com

216.195.55.38
Host: thepornxxx.more-toons.com

216.195.55.41
Host: www.webporn.ru

216.195.55.88
Host: 24h.3fn.net
Host: affiliatedock.com

216.195.55.116
Host: www.boobs-movies.net

216.195.55.118
Host: www.ebonydays.com

216.195.55.120
Host: moms-movies.com
Host: www.moms-movies.com

216.195.55.121
Host: www.onlyasianwhores.com

216.195.55.122
Host: www.privatemov.com

216.195.55.124
Host: homewhores.com
Host: www.homewhores.com

216.195.55.140 – obvious spam domains
Host: ajuxoxulywu.com
Host: akytuvidude.com
Host: atibypin.com
Host: awyguwik.com
Host: axytyxyh.com
Host: bonuliwirik.com
Host: dajusuvi.com
Host: dehykavyx.com
Host: ecixyzir.com
Host: edigysevuf.net
Host: eluxocog.com
Host: enotymiv.com
Host: erepisopy.net
Host: opopanuhur.com
Host: ypyqexyzyny.com

216.195.56.39
Host: courtneysite323.thepornxxx.com
Host: greatincest.anime-site.com
Host: homeincest323.thepornxxx.com
Host: incestart.anime-site.com

216.195.56.40
Host: courtneysite323.easy-thumbs.com
Host: greatincest.the-cartoon.com
Host: homeincest323.easy-thumbs.com
Host: incestart.the-anime.com

216.195.56.41
Host: courtneysite323.pornohelp.com
Host: greatincest.3d2you.com
Host: homeincest323.pornohelp.com
Host: incestart.the-cartoon.com

216.195.56.42
Host: banners.pornohelp.com
Host: banners.toons-net.com
Host: courtneysite323.anime-site.com
Host: gallery.toons-3d.com
Host: homeincest323.anime-site.com
Host: www.basictoons.com
Host: www.greatincest.com
Host: www.super-toons.com
Host: www.toons-fuck.com
Host: www.yourcartoons.com
Host: yourcartoons.com

216.195.56.43
Host: courtneysite323.the-anime.com
Host: greatincest.toons3dfuck.com
Host: homeincest323.the-anime.com

216.195.56.44
Host: courtneysite323.homeincest.name
Host: greatincest.toons-3d.com

216.195.56.45
Host: courtneysite323.incestart.name
Host: incestart.toons3dfuck.com
Host: www.incestart.name

216.195.56.112 – link farm
Host: www.jasmine38.com

216.195.56.115 – affiliate links
Host: freeringtones365.net

216.195.56.164
Host: www.extremefuckclips.com

216.195.56.178
Host: gagged-bondage.com

216.195.56.179
Host: www.fantasyrapevideos.com

216.195.56.180
Host: www.forced-orgasms.com

216.195.56.182
Host: www.rapemovies.biz

216.195.56.231
Host: gallery.homemadenetwork.com
Host: movies.bustymomsvideo.com

216.195.56.235
Host: pejnya.ru

216.195.56.244 – This is a republican activism site, mentioned here: http://www.dailypaul.com/node/47658
Host: www.msp2008.com

216.195.56.254
Host: courtneysite323.everydayporn.com
Host: homeincest323.everydayporn.com

216.195.57.44 click fraud
Host: clickhotelonline.net

216.195.57.49
Host: nightdating.us

216.195.57.50
Host: classicincesttheater.com

216.195.57.51
Host: sexprof.net

216.195.57.53
Host: 2.madbe.net
Host: www.mega-porka.com

216.195.57.54 affiliate program
Host: buy-sell-traffic.com

216.195.57.56 – malware hosting

GET /download/sas.9.2.exe HTTP/1.1
Host: 2009sx.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Co
nnection: keep-alive

Referer: http://2.madbe.net/tag/sas-9-2

216.195.57.181
Host: www.bondagedbitches.com

216.195.57.183
Host: tn.bondagedbitches.com

216.195.57.184
Host: www.bdsmfaces.com

216.195.57.196 – Ukrainian escort service
Host: bunniesofkiev.com

216.195.57.217
Host: pornostar.su

216.195.57.238
Host: courtesansinukraine.com

216.195.57.240
Host: nudismporn.com

216.195.58.40
Host: drugviagr.info

216.195.58.109 – link farm
Host: mounth.biz

216.195.59.75 – exploits
Host: woteenhas.cn

216.195.59.77 – link farm
Host: 99off.com

216.195.59.78 – exploits
Host: clickmatter.net
Host: ligamex.cn
Host: redeedit.cn
Host: yourgirltube3.cn

216.195.59.79
Host: subway.umka.org
Host: sweetsoncams.com

216.195.59.80
Host: incestwebsites.org

216.195.59.81 – exploits
Host: ligevideo.cn
Host: yourgirltube5.cn

216.195.59.129
Host: bannedrapes.com

216.195.59.137
Host: gaggingwhore.org

216.195.59.144
Host: teendeepthroat.eu

216.195.59.160
Host: night-incest.com

216.195.61.21
Host: jun05.teenboysmag.com

216.195.61.22
Host: www.teenboydreams.com

216.195.61.24
Host: www.boymedexams.com

216.195.61.26
Host: www.gladirexonline.com

216.195.61.33
Host: www.juicyteenboys.tv

216.195.61.48
Host: free.boymedexams.com
Host: free.cfnmdogging.com

216.195.61.51
Host: free.badboyton.com
Host: free.boysfever.com

216.195.61.63
Host: elteensex.net
Host: pornenjoy.net

216.195.61.72
Host: www.teenhomegalleries.com

216.195.61.73
Host: www.homewhoresgalleries.com

216.195.61.74
Host: galleries.whorestube.com

216.195.61.140
Host: lust-tgp.com

216.195.61.141
Host: lustgal.com
Host: sexplanet.name

216.195.61.161
Host: stat.77onlinecasinos.com

216.195.61.209
Host: free.nunwhores.com
Host: toilet.piss-porn.com
Host: www.adultcybersites.com
Host: www.byldog.com
Host: www.horny-cheerleader.com
Host: www.menstruationgalleries.com
Host: www.newtoplists.com
Host: www.pregnant-links.com
Host: www.uniform-chicks.com
Host: www.uniformpages.com

216.195.62.10
Host: www.teenhomereality.com

216.195.62.12
Host: www.asianland.net

216.195.62.13
Host: www.bestboobsvideo.com

216.195.62.16
Host: www.boyandfilm.com

216.195.62.18
Host: www.gaysfilm.net

216.195.62.19
Host: www.gaystaped.com

216.195.62.20
Host: www.livehomemade.com

216.195.62.21
Host: www.moviesboy.net

216.195.62.24
Host: www.whoregays.com

216.195.62.25
Host: www.handyteens.com

216.195.62.27
Host: www.teenfeelings.com

216.195.62.29
Host: www.fuckmytoons.com

216.195.62.30
Host: www.virginstaped.com

216.195.62.33
Host: www.teenstaped.com

216.195.62.37
Host: www.cutepornlinks.com

216.195.62.94 – malware/C&C

GET /d_log1/stata.php?uniq=0×00&data=secdrv.sys HTTP/1.1
Host: 216.195.62.94

216.195.62.65
Host: join.springtimebeauties.com
Host: join.teenburg.com
Host: join.teensexfusion.com

216.195.62.76
Host: burumba.net
Host: free-adult-tube.net

216.195.62.94 – malware (Virut)
Host: 216.195.62.94

216.195.62.124
Host: mrbigcock.net

216.195.62.125
Host: teensfuck.tv

216.195.62.126
Host: azureteens.com
Host: topporngirls.com
Host: www.azureteens.com

216.195.62.129
Host: vip-teens.net

216.195.62.130
Host: free.azureteens.com
Host: galls.mrbigcock.net
Host: th.elteensex.net
Host: th.teengag.net
Host: th.topporngirls.com
Host: th.vip-teens.net

216.195.62.150
Host: extremepornfilms.com

216.195.62.212
Host: freepicsserver.info

And, as always, our good friends over at hpHosts and MalwareDomainList have plenty to say on the topic as well!

Alex Lanstein @ FireEye Malware Intelligence Lab

Question/Comments : research {at} fireeye [.] com