Channel: BOT24

Fake Adobe Flash Updater in 173.246.102.2 - Win32/Fareit downloads Win32/Medfos (to then download OTHER malware at Megaupload.com)


This story all started from an exploit kit (EK) landing page at:

on the IP 173.246.102.2, which sits in the network registration below:
NetRange:       173.246.96.0 - 173.246.111.255
CIDR:           173.246.96.0/20
OriginAS:       AS29169
NetName:        GANDI-NET-DC1-1
NetHandle:      NET-173-246-96-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Allocation
Comment:        http://www.gandi.net/
RegDate:        2010-06-18
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-246-96-0-1

OrgName:        Gandi US Inc.
OrgId:          GANDI-2
Address:        Gandi US Inc.
Address:        PO Box 32863
City:           Baltimore
StateProv:      MD
PostalCode:     21282
Country:        US
RegDate:        2010-05-20
Updated:        2010-06-24
Comment:        Gandi is an ICANN accredited registrar and VPS/Cloud hosting provider with operations in France, UK, and the United States.
Comment:        http://www.gandi.net/
Ref:            http://whois.arin.net/rest/org/GANDI-2


I checked it further and found a Blackhole Exploit Kit; the landing page answered with these response headers:
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 11:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0



As a reference, the infector (URL) report: [urlquery.net]
And a long list of historical reports for the same IP: [urlquery.net]
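The two artifacts quoted above (the ARIN allocation record and the landing page's response headers) are the kind of evidence an analyst pivots on. The following is an added example, not code from the MalwareMustDie post, showing how a defender can parse both blocks, confirm that the landing page IP really falls inside the registered NetRange/CIDR, and extract the nginx/PHP version fingerprint so it can be matched against other sightings of the same kit. The whois and header text embedded below is a constructed excerpt that copies only the values the post quotes; the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the ARIN record quoted in the post (values copied from the page).
WHOIS_RECORD = """\
NetRange:       173.246.96.0 - 173.246.111.255
CIDR:           173.246.96.0/20
OriginAS:       AS29169
NetName:        GANDI-NET-DC1-1
OrgName:        Gandi US Inc.
Country:        US
"""

# Constructed copy of the landing page response headers quoted in the post.
RESPONSE_HEADERS = """\
Server: nginx/0.7.67
Date: Thu, 07 Mar 2013 11:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.14-1~dotdeb.0
"""

# Matches "product/version" as advertised in Server / X-Powered-By headers.
PRODUCT_VERSION = re.compile(r"([\w-]+)/([\w.~-]+)")


def parse_kv_block(text):
    """Parse 'Key: value' lines (whois output or HTTP headers) into a dict.

    Only the first colon separates key from value, so dates and URLs survive intact.
    Repeated keys (whois often repeats Comment/Address) keep their first value.
    """
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        out.setdefault(key.strip(), value.strip())
    return out


def ip_in_whois_range(ip, record):
    """True if ip lies inside both the NetRange and the CIDR, and the two agree with each other."""
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(record["CIDR"], strict=False)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
    range_ok = lo <= addr <= hi
    cidr_ok = addr in net
    consistent = net[0] == lo and net[-1] == hi   # a mismatch would mean a mangled record
    return range_ok and cidr_ok and consistent


def server_fingerprint(headers):
    """Extract (product, version) pairs the server volunteers, for correlating sightings."""
    fp = {}
    for header, label in (("Server", "server"), ("X-Powered-By", "powered_by")):
        m = PRODUCT_VERSION.match(headers.get(header, ""))
        if m:
            fp[label] = (m.group(1), m.group(2))
    return fp


def enrich(ip, whois_text, header_text):
    """Combine allocation check and server fingerprint into one enrichment record for the IP."""
    record = parse_kv_block(whois_text)
    headers = parse_kv_block(header_text)
    return {
        "ip": ip,
        "in_allocation": ip_in_whois_range(ip, record),
        "origin_as": record.get("OriginAS"),
        "net_name": record.get("NetName"),
        "org": record.get("OrgName"),
        "fingerprint": server_fingerprint(headers),
    }


if __name__ == "__main__":
    for key, value in enrich("173.246.102.2", WHOIS_RECORD, RESPONSE_HEADERS).items():
        print(f"{key}: {value}")
```

The consistency check in `ip_in_whois_range` is deliberate: whois text is often copied by hand into reports, and a NetRange that disagrees with its CIDR is a sign the record was mangled somewhere along the way rather than something to build a blocklist on.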

Read more: http://malwaremustdie.blogspot.kr/2013/03/fake-adobe-flash-updater-in-1732461022.html
