As we add more and more feeds and get more and more subscribers we gather ever mode confirmation that some IP addresses (and for that matter some entire subnets) are the online equivalent of the habitual repeat offender.

Wanted for malware - IP address 98.124.198.1

Take, for example, the IP address 98.124.198.1. This address shows up on 5 different feeds we have at different times over the last year and was last seen by one of our customers attempting to send email to him. It is possible that this email is genuine and worthy of being received but the chances are fairly low. Specifically this address was listed as bad by

  • PhishTank (and PhishTank2) - lists of active Phish sites
  • Parasites - list of miscellaneous unethical sites and spyware domains
  • BLADE - list of sites that drop Fake AV and similar malware
  • ZeuS - the list of active  ZeuS command and control addresses
  • DShield - list of currently active attacking sites (bots, spam etc.)

(Readers can confirm all of this by entering the IP address into our check address tool)

Although there is some overlap - for example the ZeuS entry partially overlaps the DShield one in time - this IP address has been responsible for different sorts of malware intermittently since March 2009. Although this IP address is bad, it is far from unique and may well not be the worst IP address in our records. If it were a person, it would presumably now be facing a prison term or two, but as an IP address it will, for the most part, remain free and able to continue its misdeeds unchecked.

One of the reasons ThreatSTOP was founded was to provide a way to "jail" these addresses because, no matter who they claim to be and what they claim to be offering, it is highly unlikely that they will actually provide anything useful and hence unlikely that anyone really ought to talk to them. ThreatSTOP doesn't care why an address is bad, it just lets our subscribers' firewalls block it. This is good because as this exmaple shows, criminal IP addresses are so often reused. Thus the IP address that yesterday was being used to phish for credentials will be serving up the latest 0-day flash exploit and next month it will be controlling thousands of bots.