Some TurkTelekom IP Ranges Aren’t Your Friends
December 9th, 2007 by Steven Adair

Do a WHOIS on an IP address in 88.255.0.0/16 and you will get back something like this as part of your response:
% Information related to '88.255.0.0/16AS9121'
route: 88.255.0.0/16
descr: TurkTelekom
origin: AS9121
mnt-by: AS9121-MNT
source: RIPE # Filtered
Now not everything on 88.255.0.0/16 or AS9121 is evil. However, there are some ranges that are definitely pretty bad. We have been seeing a lot of malware out of some of these ranges for a while. Even some of the stuff that used to be housed over on the main Russian Business Network IP ranges has moved here. Remember the Virut trojan that used "proxima.ircgalaxy.pl" as part of its operation and used to be on RBN IP space? Well, it's now at 88.255.74.140.
Now let’s give you a list of some of the ranges you should be concerned about.
88.255.90.0/24
88.255.91.0/24
88.255.92.0/24
88.255.93.0/24
88.255.94.0/24
88.255.74.0/24
The first five IP ranges belong to AbdAllah Internet Hizmetleri (AbdAllah_Internet) and are particularly nasty. Some of the ranges are seen a lot more than others, but there's a pretty consistent pattern in what is housed here. All kinds of drive-by exploit sites are on these IP addresses. Most of them seem to be geared towards information theft. A number of Nethell, Pinch, and other infostealer/banker trojans are live on those IPs.
The sixth and last IP range above is listed under "AKSERVERS_INTERNET_HIZMETLERI". No idea if these are somehow related, but this subnet also has a lot of the same bad stuff. Consider blocking these ranges or monitoring what goes in and out to them from your networks.
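One way to act on that advice, as an added example that is not code from the original post: it collapses the six /24s above into the fewest prefixes for a block list and flags outbound connections to them in a log. The "timestamp src dst dst_port" log format and the sample lines are constructed assumptions, not real traffic.

```python
import ipaddress
import re

# The six /24 ranges the post lists (five AbdAllah_Internet, one AKSERVERS).
WATCHED_RANGES = [
    "88.255.90.0/24", "88.255.91.0/24", "88.255.92.0/24",
    "88.255.93.0/24", "88.255.94.0/24", "88.255.74.0/24",
]

def collapse_ranges(cidrs):
    """Merge adjacent /24s into the fewest prefixes, for shorter ACLs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def find_watched_range(ip, cidrs=WATCHED_RANGES):
    """Return the listed /24 that contains ip, or None (also None for junk input)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for c in cidrs:
        if addr in ipaddress.ip_network(c):
            return c
    return None

# Assumed log format (constructed for this example): "timestamp src dst dst_port"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def scan_log(lines, cidrs=WATCHED_RANGES):
    """Return (src, dst, port, range) for every line whose destination is watched."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, dst, port = m.groups()
        rng = find_watched_range(dst, cidrs)
        if rng:
            hits.append((src, dst, int(port), rng))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2007-12-09T10:00:01 10.0.0.5 88.255.74.140 80",  # the Virut host the post names
    "2007-12-09T10:00:02 10.0.0.7 88.255.1.10 80",    # same /16, but not a listed range
    "2007-12-09T10:00:03 10.0.0.9 88.255.93.200 443",
    "not a log line",
]
```

Run `scan_log(SAMPLE_LOG)` to get the two hits; the line in 88.255.1.0/24 is ignored because the post only singles out the six /24s, not the whole /16.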
March 4th, 2008 at 7:59 am
[…] is pretty good news as we have previously blogged about these IP ranges here. One of my Shadowserver colleagues also just recently published a whitepaper about AbdAllah […]