Another one bites the dust...
This time it is McColo - Brian's report here:
Just a few of the malvertisement domains associated with McColo in recent times include:
Now, it just so happens that I have been tracking not only who is hosting malvert sites, but also who the ICANN Registrar is, the WHOIS information supplied and the name servers used, and I have just started putting together a spreadsheet to make it easier for my readers to see what is going on. Let's have a look at the McColo sites above:
ONLINENIC is proving to be quite a problem nowadays, and is a worthy successor to the mantle vacated by Intercage/Atrivo and Estdomains, as is freefastdns.com. Regtime is also appearing more and more often.
BTW, you may be interested to see just who is behind freefastdns.com:
ICANN Registrar: ONLINENIC
Created 17 September 2008
Registered but no web site
Goroshko Igor (firstname.lastname@example.org)
That email address is familiar. It has also been used by a "Shestakov Yuriy", an "Alexey Vasiliev" and a "Ser Volo". Shestakov and Alexey both use more than one email address...
I should point out that my spreadsheet is very new - I've only collated a hundred or so of the more recent malware sites discovered - I have thousands more awaiting my attention and I haven't even looked at which sites may be sharing an IP address. As the data grows, trends will become more and more obvious and easy to demonstrate, but so far it looks to me like the next big-hit items to go after will be ONLINENIC, FREEFASTDNS and REGTIME. Netdirekt is moving up in prevalence, as is vdhost.
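The kind of collation the spreadsheet does (which registrar, name server, contact and IP address keep recurring across malvert domains) can be automated once the records are in a structured form. The script below is an added example and not the author's spreadsheet; every domain, registrar name, email and IP in it is a constructed placeholder, not real WHOIS data.

```python
from collections import Counter, defaultdict

# Constructed sample records (placeholder values only); real data would come
# from WHOIS lookups and DNS resolution of the domains being tracked.
RECORDS = [
    {"domain": "ads-one.invalid",   "registrar": "REGISTRAR-A", "ns": "ns1.dns-x.invalid",
     "email": "c1@mail.invalid", "name": "Name One",   "ip": "192.0.2.10"},
    {"domain": "ads-two.invalid",   "registrar": "REGISTRAR-A", "ns": "ns1.dns-x.invalid",
     "email": "c1@mail.invalid", "name": "Name Two",   "ip": "192.0.2.10"},
    {"domain": "ads-three.invalid", "registrar": "REGISTRAR-B", "ns": "ns1.dns-x.invalid",
     "email": "c2@mail.invalid", "name": "Name Three", "ip": "192.0.2.11"},
    {"domain": "ads-four.invalid",  "registrar": "REGISTRAR-A", "ns": "ns1.other.invalid",
     "email": "c1@mail.invalid", "name": "Name One",   "ip": "198.51.100.5"},
    {"domain": "ads-five.invalid",  "registrar": "REGISTRAR-C", "ns": "ns1.other.invalid",
     "email": "c3@mail.invalid", "name": "Name Four",  "ip": "192.0.2.11"},
]


def prevalence(records, field):
    """Count how often each value of `field` occurs, most common first.
    This is the 'which registrar / name server keeps showing up' view."""
    return Counter(r[field] for r in records).most_common()


def pivot(records, field):
    """Map each value of `field` to the domains sharing it, keeping only
    values shared by more than one domain (e.g. domains on one IP)."""
    groups = defaultdict(set)
    for r in records:
        groups[r[field]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def aliases_by_email(records):
    """Contact emails that appear under more than one registrant name,
    the pattern noted above where one address is reused across names."""
    names = defaultdict(set)
    for r in records:
        names[r["email"]].add(r["name"])
    return {e: sorted(n) for e, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for field in ("registrar", "ns"):
        print(field, prevalence(RECORDS, field))
    print("shared IPs", pivot(RECORDS, "ip"))
    print("reused contact emails", aliases_by_email(RECORDS))
```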
BTW, Global is still McColo's upstream but, according to Brian Krebs, they seem to have set up some filtering: