RESULTS OF LOOKUP

190.216.184.186 is listed

This IP address was detected and listed 9 times in the past 28 days, and 0 times in
the past 24 hours. The most recent detection was at Thu Aug 16 21:15:00 2018 UTC
+/- 5 minutes

This IP address is infected with, or is NATting for a machine infected with, a botnet
usually associated with the Avalanche malware network. The infection is probably
the Dofoil or Gamarue malware (or one of the other anti-virus vendor aliases, such
as Andromeda, Smoke Loader, Win32/Dofoil, W32/Zurgop.BK!tr.dldr, Gamarue and
many others).

This is one of the most dangerous bot networks ever discovered: every node is
fully capable of participating in identity theft, keystroke logging, disk erasure,
camera capture, or encrypting files and holding them for ransom (as in the recent
WannaCry debacle).

Gamarue is a downloader (also known as Smoke Loader/Dofoil) largely used in the
Andromeda and Avalanche botnets.

Andromeda is a very large-scale malware delivery platform, using Gamarue (and
other downloaders) to download malicious software to infected machines. At its
peak (Nov/Dec 2017) it had more than 5 million infected machines.

Avalanche is a large-scale content and management platform also designed for the
delivery of bullet-proof botnets, and used Andromeda to bootstrap. Avalanche's
scale and scope spanned victims from 180 countries, over 800,000 domains in 60+
top-level domains (TLD), more than one million phishing and spam e-mails,
500,000 infected machines worldwide, and 130TB of captured and analyzed data.

A coordinated effort by international law enforcement agencies, which included
Germany's Public Prosecutor's Office Verden and the Lüneburg Police, the U.S.
Attorney's Office for the Western District of Pennsylvania, the Department of
Justice and the Federal Bureau of Investigation (FBI), Europol and Eurojust, as well
as partners at ShadowServer, resulted in one of the most successful anti-cybercrime
operations in recent years (late 2016).

An even more successful takedown of Andromeda took place on 29 Nov 2017.

WARNING: Despite the above, it MUST NOT be assumed that, because the network
has been disabled, this listing no longer matters. As long as the malware remains
present on your machine, there is a strong possibility that this infection may become
re-enabled. Therefore, every effort should be made to find and eradicate it.

This was detected by a TCP connection from "190.216.184.186" on port "n/a" going
to IP address "184.105.192.2" (the sinkhole) on port "443".

The botnet command and control domain for this connection was "fr4vkbdr.ru".

This detection corresponds to a connection at Thu Aug 16 21:14:15 2018 UTC (this
timestamp is believed accurate to within one second).

Detection Information Summary

  Destination IP    184.105.192.2
  Destination port  443
  Source IP         190.216.184.186
  Source port       n/a
  C&C name/domain   fr4vkbdr.ru
  Protocol          TCP
  Time              Thu Aug 16 21:14:15 2018 UTC

Behind a NAT, you should be able to find the infected machine by looking for
attempted connections to IP address "184.105.192.2" or host name "fr4vkbdr.ru" on
any port with a network sniffer such as Wireshark. Equivalently, you can examine
your DNS server or proxy server logs for references to "184.105.192.2" or
"fr4vkbdr.ru". See Advanced Techniques for more detail on how to use Wireshark -
ignore the references to port 25/SMTP traffic - the identifying activity is NOT on
port 25.

Please note that some of the above quoted information may be empty ("") or "na" or
"-". In those cases, the feed has declined or is unable to give us that information.
Hopefully enough information will be present to allow you to pinpoint the
connections. If not, the destination ports to check are usually port 80, 8080, 443 or
high ports (around 16000) outbound from your network. Most of these infections
make very large numbers of connections; they should stand out.
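As an added illustration (not part of the CBL lookup result), the log check described above done with a small Python script: it scans constructed DNS, proxy and firewall log lines for the sinkhole IP and C&C domain quoted in this listing and reports which internal RFC 1918 address produced each hit. The log formats are assumptions modelled on BIND query logs, Squid access logs and iptables-style kernel messages.

```python
import re
from collections import defaultdict

# Indicators quoted in the lookup result above (sinkhole IP and C&C domain).
INDICATORS = ("184.105.192.2", "fr4vkbdr.ru")

# Constructed sample log lines (NOT real captures): a BIND-style query log,
# two Squid access-log lines and two iptables-style firewall lines.
# Only 10.0.0.17 touches the sinkhole IP or the C&C domain.
SAMPLE_LOGS = """\
16-Aug-2018 21:14:10.123 client 10.0.0.17#51234: query: fr4vkbdr.ru IN A + (10.0.0.1)
16-Aug-2018 21:14:11.001 client 10.0.0.42#40001: query: www.example.com IN A + (10.0.0.1)
1534454055.210    120 10.0.0.17 TCP_MISS/200 512 CONNECT 184.105.192.2:443 - HIER_DIRECT/184.105.192.2 -
1534454056.000     80 10.0.0.23 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
Aug 16 21:14:15 fw kernel: OUT src=10.0.0.17 dst=184.105.192.2 proto=TCP dpt=443
Aug 16 21:14:16 fw kernel: OUT src=10.0.0.23 dst=93.184.216.34 proto=TCP dpt=80
"""

# Match an indicator only as a whole token, so 184.105.192.2 does not also
# match 184.105.192.23, while "184.105.192.2:443" and "dst=184.105.192.2" do.
IOC_RE = re.compile(
    r"(?<![\w-])(?:" + "|".join(re.escape(i) for i in INDICATORS) + r")(?![\w-])"
)

# The first RFC 1918 address on a line is taken as the internal source host
# (the client field in BIND/Squid logs, src= in the firewall log).
RFC1918_RE = re.compile(
    r"(?<![\d.])(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})(?![\d.])"
)


def find_suspects(log_text):
    """Return {internal_ip: [indicator matched, one per line]} for every log
    line that references the sinkhole IP or the C&C domain, on any port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ioc = IOC_RE.search(line)
        if not ioc:
            continue
        src = RFC1918_RE.search(line)
        hits[src.group(1) if src else "unknown-source"].append(ioc.group(0))
    return dict(hits)


if __name__ == "__main__":
    for host, iocs in find_suspects(SAMPLE_LOGS).items():
        print(f"{host}: {len(iocs)} hit(s) -> {sorted(set(iocs))}")
```

The match is deliberately not tied to a destination port, since the listing notes that the identifying traffic may appear on 80, 8080, 443 or high ports.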

These infections are rated as a "severe threat" by Microsoft. The malware is a trojan
downloader, and can download and execute ANY software on the infected
computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be
downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel,
ZeroAccess and Cutwail. It was able to detect and clean up the system in each case.
It probably works with many other infections.

If Microsoft Windows Defender is available to you, use it!

We strongly recommend that you DO NOT simply firewall off connections to the
sinkhole IP address[es] given above. These IP address[es] belong to sinkholes operated
by malware researchers. In other words, they are "sensors" (only) run by "the good
guys". The bot "thinks" it's a command and control server run by the spambot
operators, but it isn't. It DOES NOT actually download anything, and is not a threat.
If you firewall the sinkhole addresses, your IPs will remain infected, will still be
able to connect to command and control servers under the botnet owner's control,
and they will STILL be stealing your users'/customers' personal information,
including banking information, and sending it to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you
which internal machine is connecting to them so that you can identify the infected
machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more
information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any
"tracks" for you to find in your mail server logs. This is even more important for the
viruses described here: these detections are based on network-level observations of
malicious behaviour and may NOT involve malicious email being sent.

For more information on this botnet, and mitigation strategies, please see:

1. Andromeda Takedown
2. Trend Micro on Gamarue
3. Microsoft
4. FortiGuard
5. Malwarebytes Labs Smoke loader still alive
6. Microsoft on Gamarue
7. Data Security Blog on possible recurrence