Something new for me.
Over the last few days Norton's AV has been blocking a steady stream of connection attempts from a server in Portugal, reportedly related to some sort of cryptolocker ransomware scheme.
See screenshot here:
http://i.imgur.com/LcMi1vi.png
The 'attacks' are coming from a convoluted URL:
sso.anbtr.com/domain/www.alterati.net - notice the double domain names.
sso.anbtr.com and anbtr.com resolve to:
195.22.28.222 - server hosted in Portugal, blacklisted by malwaredomains.com as of 1 Feb 2016
As to the anbtr.com server, many security services have recently added it to their blacklists.
For examples see:
http://tinyurl.com/zpb57qp
The same reporting site gives alterati.net a clean bill of health.
www.alterati.net and alterati.net resolve to:
195.22.26.248 - in other words, same B class subnet as anbtr.com
Alterati.net seems to provide tracker and RSS services related to torrents. Since I added its IP to my block list, over 100 tracker and RSS connection attempts to Tixati.exe have been intercepted and blocked. I am assuming normal traffic. But could I be wrong?
Recall that Norton's block report indicated the 'attacks' were targeting my torrent client, Tixati.exe.
Since whoever is behind this knows they are dealing with torrent clients, do they know of some potentially exploitable weaknesses in any particular client?
Has someone at or using anbtr.com compromised servers at alterati.net? Are they somehow learning torrent tracker users' IPs and then hitting them from anbtr.com with port probes or other connection attempts?
Or could alterati.net be in cahoots in some nefarious cryptolocker ransomware scheme?
All I have is questions at this point, but given the serious nature of CryptoLocker ransomware attacks, I am concerned.
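Two things in the post can be checked mechanically rather than by eye: which host a "double domain" URL actually connects to (the part after the first slash is a path, not a second destination), and whether the blocked connections really are the torrent client talking to tracker addresses on the same /16. The script below is an added example, not the poster's data or any Norton tool; the log line format, the timestamps and the port numbers are constructed for the example, and only the two hostnames and two IP addresses from the post are reused.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines. The format is invented for this example;
# it is not Norton's report format. Hostnames/IPs reuse the values in the post.
SAMPLE_LOG = """\
2016-02-03 10:01:12 BLOCKED process=Tixati.exe remote=195.22.28.222:80 host=sso.anbtr.com
2016-02-03 10:01:40 BLOCKED process=Tixati.exe remote=195.22.26.248:80 host=www.alterati.net
2016-02-03 10:02:05 ALLOWED process=firefox.exe remote=93.184.216.34:443 host=example.com
2016-02-03 10:03:11 BLOCKED process=Tixati.exe remote=195.22.26.248:6969 host=www.alterati.net
"""

# Local block list as CIDR strings (hypothetical; mirrors what the poster added).
BLOCKLIST = ["195.22.28.222/32", "195.22.26.248/32"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) process=(?P<proc>\S+) "
    r"remote=(?P<ip>[\d.]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def effective_host(url: str) -> str:
    """Return the host a URL actually connects to.

    'sso.anbtr.com/domain/www.alterati.net' connects to sso.anbtr.com;
    '/domain/www.alterati.net' is just the request path.
    """
    if "://" not in url:
        url = "//" + url  # let urlsplit treat the leading part as the netloc
    return urlsplit(url).netloc


def same_slash16(ip_a: str, ip_b: str) -> bool:
    """True if both addresses fall in the same /16 (a 'class B' sized block)."""
    net_a = ipaddress.ip_network(ip_a + "/16", strict=False)
    net_b = ipaddress.ip_network(ip_b + "/16", strict=False)
    return net_a == net_b


def in_blocklist(ip: str, blocklist=BLOCKLIST) -> bool:
    """True if ip is covered by any CIDR entry in the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in blocklist)


def parse_log(text: str):
    """Parse log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries, blocklist=BLOCKLIST):
    """Count blocked connections per process that hit a block-listed address.

    Returns {process: Counter({(host, port): count})}. A large count for a
    torrent client against tracker ports is consistent with ordinary
    tracker/RSS traffic being caught by the block list rather than an attack.
    """
    summary = {}
    for e in entries:
        if e["action"] != "BLOCKED" or not in_blocklist(e["ip"], blocklist):
            continue
        summary.setdefault(e["proc"], Counter())[(e["host"], int(e["port"]))] += 1
    return summary


if __name__ == "__main__":
    print(effective_host("sso.anbtr.com/domain/www.alterati.net"))
    print(same_slash16("195.22.28.222", "195.22.26.248"))
    for proc, hits in summarize(parse_log(SAMPLE_LOG)).items():
        print(proc, dict(hits))
```

Run it as-is to see that the convoluted URL resolves to a single destination host, that the two addresses share 195.22.0.0/16, and that every block-listed hit in the sample comes from the torrent client, which is the pattern you would expect from a client polling trackers whose addresses you have blocked.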