Friday, 27 January 2012

Oh yeah..


..chicka chickaaah!

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:      Thu, 25 Jan 2012 20:43:03 +0100
From:      "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:      Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp-eyed amongst you will have noticed that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out every link pointing to just http://{int_link}/ (the template placeholder was never filled in) rather than the real spam URL, so this particular run goes nowhere. No doubt the next version of this will have a malicious payload, so take care.
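Both tells in this spam (a display name claiming one brand while the address is in another company's domain, and an unexpanded mail-merge placeholder in the body) are cheap to check at the mail gateway. The example below is added here and is not code from the original post; the two messages are constructed (the spam one rebuilt from the headers quoted above, the clean one invented for contrast) and the BRANDS table is a hypothetical mapping you would extend for your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, rebuilt from the spam quoted above: the real headers
# plus one body line. The legitimate-looking message is invented for contrast.
INTUIT_SPAM = """\
From: "INTUIT INC." <onlinebanking@ealerts.bankofamerica.com>
Subject: Your tax information needs verification.
Content-Type: text/html

<p>In order to check and update your account, please enter the
<a href="http://{int_link}/">secure section</a>.</p>
"""

LEGIT_ALERT = """\
From: "Bank of America" <onlinebanking@ealerts.bankofamerica.com>
Subject: Your statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.bankofamerica.com/">bankofamerica.com</a>.</p>
"""

# Hypothetical brand table: if the display name mentions the brand, the
# sender domain must be (a subdomain of) one of these. Extend for your site.
BRANDS = {
    "intuit": ("intuit.com",),
    "bank of america": ("bankofamerica.com",),
    "nacha": ("nacha.org",),
    "better business bureau": ("bbb.org",),
}

# Mail-merge placeholders the spammer forgot to expand, e.g. {int_link}
PLACEHOLDER_RE = re.compile(r"\{[a-z][a-z0-9_]*\}", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower().strip(".")


def under(domain, parent):
    """True if domain is parent or a subdomain of it (label boundary respected)."""
    return domain == parent or domain.endswith("." + parent)


def sender_brand_mismatch(msg):
    """Display name claims a brand but the address is in an unrelated domain."""
    name, addr = parseaddr(msg.get("From", ""))
    dom = domain_of(addr)
    for brand, allowed in BRANDS.items():
        if brand in name.lower() and not any(under(dom, d) for d in allowed):
            return f"display name claims {brand!r} but sender domain is {dom!r}"
    return None


def unexpanded_placeholders(msg):
    """Template variables left in the body, e.g. http://{int_link}/ above."""
    payload = msg.get_payload(decode=True) or b""
    return sorted(set(PLACEHOLDER_RE.findall(payload.decode("utf-8", "replace"))))


def findings(raw):
    """All checks for one RFC 5322 message; an empty list means nothing fired."""
    msg = message_from_string(raw)
    out = []
    mismatch = sender_brand_mismatch(msg)
    if mismatch:
        out.append(mismatch)
    out += [f"unexpanded placeholder {p} in body" for p in unexpanded_placeholders(msg)]
    return out


if __name__ == "__main__":
    for label, raw in (("intuit spam", INTUIT_SPAM), ("legit alert", LEGIT_ALERT)):
        print(label, "->", findings(raw) or "clean")
```

Note what this does not catch: the NACHA and BBB spams further down this page use a display name and an address that agree (alerts@nacha.org, info@bbb.org). A forged but self-consistent sender is a job for SPF, DKIM and DMARC at the receiving MTA, not for header heuristics. The placeholder pattern is deliberately narrow (`{word}`) so that inline CSS in HTML mail does not trip it.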

Thursday, 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the Blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com
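Lists in the layout above (provider header, then each IP followed by the domains it hosts, with a "Not resolving" section at the end) turn into firewall and DNS rules mechanically. The script below is an added example, not part of the original post; it parses a constructed sample made of a few entries copied from the list above and emits ipset/iptables lines for the addresses and BIND RPZ records for the names. The set name `malspam-block` and the decision to skip IPs annotated "(parked)" by default are the example's own choices.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the exact layout of the 26/1/12 list above
# (a handful of its entries, copied as they appear; not the whole list).
SAMPLE = """\
Eonix, Canada
173.213.93.203
clostescape.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com

Not resolving
chillebucks.com
sulusius.com
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


@dataclass
class Ioc:
    domain: str
    ip: Optional[str]       # None under a "Not resolving" header
    provider: str
    note: str = ""          # annotation on the IP line, e.g. "parked"


def parse_ioc_list(text: str) -> List[Ioc]:
    """Provider header, then IP lines each followed by the domains on that IP;
    a blank line ends the provider block."""
    iocs, provider, ip, note = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            provider, ip, note = None, None, ""
            continue
        m = re.fullmatch(r"(\S+)(?:\s*\((.*)\))?", line)   # "1.2.3.4 (parked)"
        token, annot = (m.group(1), m.group(2) or "") if m else (line, "")
        try:
            ip, note = str(ipaddress.ip_address(token)), annot
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(line):
            if provider is None:
                raise ValueError(f"domain {line!r} appears before any provider header")
            iocs.append(Ioc(line.lower(), ip, provider, note))
            continue
        provider, ip, note = line, None, ""    # anything else is a provider header
    return iocs


def ipset_rules(iocs, setname="malspam-block", include_parked=False):
    """ipset/iptables lines dropping traffic to every listed IP. Blocking the
    address rather than the name also covers other malicious sites on the same
    server; parking IPs are skipped by default because they front thousands
    of unrelated domains."""
    ips = {i.ip for i in iocs if i.ip and (include_parked or i.note != "parked")}
    lines = [f"ipset create {setname} hash:ip -exist"]
    lines += [f"ipset add {setname} {ip} -exist"
              for ip in sorted(ips, key=ipaddress.ip_address)]
    lines.append(f"iptables -I FORWARD -m set --match-set {setname} dst -j DROP")
    return lines


def rpz_records(iocs):
    """BIND response-policy-zone records sinkholing each domain and its
    subdomains, including the ones that do not resolve yet."""
    recs = []
    for d in sorted({i.domain for i in iocs}):
        recs += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return recs


if __name__ == "__main__":
    parsed = parse_ioc_list(SAMPLE)
    print("\n".join(ipset_rules(parsed)))
    print("\n".join(rpz_records(parsed)))
```

The "Not resolving" names still go into the RPZ output: they cost nothing to sinkhole and tend to come alive in a later run. The parked address is the one case where blocking the IP is a worse trade than blocking the name, hence the flag.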

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:      Thu, 25 Jan 2012 10:40:06 +0100
From:      "alerts@nacha.org" [alerts@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update:  chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

Wednesday, 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:      Wed, 24 Jan 2012 13:31:58 +0100
From:      "manager@bbb.org" [manager@bbb.org]
Subject:      ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Tuesday, 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:      Tue, 23 Jan 2012 11:51:58 +0100
From:      "BBB" [info@bbb.org]
Subject:      Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:      Tue, 23 Jan 2012 12:16:00 +0100
From:      "Better Business Bureau" [risk.manager@bbb.org]
Subject:      Re: your customer's complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US), another one to block. A Wepawet analysis is here.

Update #1:  another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks, California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Monday, 23 January 2012

Virus: "I'm in trouble!" spam (again)

This is an email with a link leading to malware. We've seen this pitch before:

Subject: Re: I'm in trouble!

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Belita
The link goes to a legitimate hacked site, then to a multihomed .ru site on the following IPs:
  125.214.74.8
  129.67.100.11
  173.201.187.225
  173.230.137.129
  173.255.229.33
  174.122.121.154
  209.59.222.145
  211.44.250.173
  213.193.231.210
  24.37.34.163
  46.105.28.61
  50.57.77.119
  50.57.118.247
  74.208.205.185
  78.47.135.105
  78.129.233.8
  80.90.199.196
  81.31.43.43
  82.165.197.58
  83.170.91.152
  84.246.210.87
  85.214.204.32
  87.106.201.119
  93.189.88.198
  97.74.87.3

This is pretty much the same IP list as seen last week; the new entries are 78.47.135.105, 78.129.233.8, 85.214.204.32, 87.106.201.119, 93.189.88.198 and 213.193.231.210, while 74.207.248.120, 78.47.122.11, 88.191.97.108 and 124.11.65.210 have dropped off it. It's unclear at the moment which domains are on the IPs (though there are some Redret domains here), so blocking the addresses is the safest bet.
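Since the same multihomed host is being tracked week to week, the useful operation is the delta: which addresses to add to the blocklist, and which ones merely stopped answering. The example below is added here and is not from the original post; both lists are copied from this page (LAST_WEEK is the raw list at the end of the 19 January monikabestolucci.ru post further down, THIS_WEEK the list above), and the ipset name is the example's own.

```python
import ipaddress

# Both lists are copied from this blog: LAST_WEEK is the raw list at the end of
# the 19 January monikabestolucci.ru post further down this page, THIS_WEEK the
# list above. Whitespace separation is the only layout assumed.
LAST_WEEK = """
24.37.34.163 46.105.28.61 50.57.77.119 50.57.118.247 74.207.248.120
74.208.205.185 78.47.122.11 80.90.199.196 81.31.43.43 82.165.197.58
83.170.91.152 84.246.210.87 88.191.97.108 97.74.87.3 124.11.65.210
125.214.74.8 129.67.100.11 173.201.187.225 173.230.137.129 173.255.229.33
174.122.121.154 209.59.222.145 211.44.250.173
"""

THIS_WEEK = """
125.214.74.8 129.67.100.11 173.201.187.225 173.230.137.129 173.255.229.33
174.122.121.154 209.59.222.145 211.44.250.173 213.193.231.210 24.37.34.163
46.105.28.61 50.57.77.119 50.57.118.247 74.208.205.185 78.47.135.105
78.129.233.8 80.90.199.196 81.31.43.43 82.165.197.58 83.170.91.152
84.246.210.87 85.214.204.32 87.106.201.119 93.189.88.198 97.74.87.3
"""


def parse_ips(text):
    """Whitespace-separated list -> set of validated addresses (a typo raises)."""
    return {ipaddress.ip_address(tok) for tok in text.split()}


def by_address(ips):
    """Numeric order, so 24.x sorts before 125.x (the list above is text-sorted)."""
    return [str(ip) for ip in sorted(ips)]


def delta(old, new):
    """(added, removed) between two sightings of the same multihomed host."""
    return by_address(new - old), by_address(old - new)


def ipset_update(setname, old, new, expire_removed=False):
    """Incremental ipset commands. IPs that dropped off this week's sighting are
    only reported, not deleted, unless expire_removed: a compromised server
    that stopped answering for the .ru name is not necessarily cleaned up."""
    added, removed = delta(old, new)
    lines = [f"ipset add {setname} {ip} -exist" for ip in added]
    for ip in removed:
        lines.append(f"ipset del {setname} {ip} -exist" if expire_removed
                     else f"# no longer seen, kept blocked: {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(ipset_update("malspam-block",
                                 parse_ips(LAST_WEEK), parse_ips(THIS_WEEK))))
```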

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:      "Coffee News" [news.coffee@yahoo.com]
Subject:      Check out this coffee

       
Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5
      
Where it Comes From


The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It
       
We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf
       
Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times. To begin with they were using tinyurl.com to mask their URL, but tinyurl is pretty good at terminating spammers' links.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is hosting it with Piradius Net, a black hat web host from Malaysia. We've seen these guys before.

justcoffee-noacid.com has a minimal amount of content, and depending on which link you click, you are either redirected to tylerscoffees.com or land on a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123 in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian  ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand.

Friday, 20 January 2012

0catch.com and malicious BBB spam

We're currently seeing a spate of malicious BBB spam (like this) being routed through free web hosting sites operated by 0catch.com.

A simple way of blocking this attack is to block the 0catch.com domains. I've never found anything really valuable hosted by this firm, so you probably won't be missing much.

These are all the domains that I can find, if you know of any others then please consider sharing them in the comments:

00freehost.com
00freeweb.com
012webpages.com
0catch.com
0-catch.com
100freemb.com
100megsfree5.com
150m.com
1freewebspace.com
1sweethost.com
741.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
designcarthosting.com
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
ez-sites.ws
fcpages.com
freecities.com
freehostyou.com
freesite.org
freewaywebhost.com
freewebpages.org
freewebportal.com
freewebsitehosting.com
fw.bz
greatnow.com
instantwebgenius.com
just-allen.com
justicewasgreen.com
maddsites.com
megz-bytes.com
mindnmagick.com
o-f.com
parknhost.com
reco.ws
servetown.com
usafreespace.com
virtue.nu
website-home.ws
wtcsites.com
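The malicious pages in these runs sit on throwaway subdomains of the free hosts (the BBB post further down names a freecities.com site, and the update adds angelcities.com), so the block has to cover every name under each domain, not just the apex, and must not over-match names that merely end in the same characters. The example below is added here and is not part of the original post: a suffix matcher that respects label boundaries, plus generated BIND RPZ and Unbound configuration for a constructed subset of the list above. The zone origin and serial are placeholders.

```python
# Subset of the 0catch.com free-hosting domains listed above (constructed
# sample for the example; feed it the whole list in practice).
FREEHOST_DOMAINS = ["0catch.com", "0-catch.com", "freecities.com",
                    "angelcities.com", "fw.bz", "150m.com"]


def normalise(name):
    return name.strip().rstrip(".").lower()


class SuffixBlocklist:
    """Blocks a domain and everything beneath it, matching on label boundaries
    so 'notfreecities.com' and 'freecities.com.example.net' stay unblocked."""

    def __init__(self, domains):
        self.blocked = {normalise(d) for d in domains}

    def matches(self, host):
        labels = normalise(host).split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def rpz_zone(self, origin="rpz.local", serial=2012012001):
        """BIND RPZ zone file: each domain and its wildcard -> NXDOMAIN (CNAME .)."""
        out = [f"$ORIGIN {origin}.", "$TTL 300",
               f"@ IN SOA localhost. root.localhost. {serial} 3600 600 86400 300",
               "@ IN NS localhost."]
        for d in sorted(self.blocked):
            out += [f"{d} CNAME .", f"*.{d} CNAME ."]
        return "\n".join(out) + "\n"

    def unbound_conf(self):
        """Equivalent Unbound local-zone lines (always_nxdomain covers subdomains)."""
        return [f'local-zone: "{d}." always_nxdomain' for d in sorted(self.blocked)]


if __name__ == "__main__":
    bl = SuffixBlocklist(FREEHOST_DOMAINS)
    for h in ["complaint.freecities.com", "freecities.com", "notfreecities.com",
              "freecities.com.example.net", "WWW.Angelcities.COM."]:
        print(f"{h:32} blocked={bl.matches(h)}")
    print(bl.rpz_zone())
```

A plain `host.endswith("freecities.com")` would block notfreecities.com and miss nothing, which sounds harmless until the same one-liner is applied to a short domain such as fw.bz. Walking the labels is the cheap, correct way to do it.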

Thursday, 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated JavaScript, which in turn points to monikabestolucci.ru:8801, which then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany). The Wepawet report is here, and there is also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post), presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

BBB Spam / freecities.com and 78.129.132.82

A couple of BBB spams, both leading to malware on different domains on the same IP of 78.129.132.82 (Rapidswitch / Iomart Hosting, UK).

Example 1:

Date:      Thu, 18 Jan 2012 10:24:33 +0000
From:      "Better Business Bureau"
Subject:      Urgent information from BBB
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 38423165) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.

Regards,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Example 2:

Date:      Thu, 18 Jan 2012 11:27:55 +0100
From:      "Better Business Bureau"
Subject:      BBB complaint report
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 52266668) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this issue and let us know of your point of view as soon as possible.

We hope to hear from you very soon.

Sincerely,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

In these two examples, the malicious payload is on wihdshop.net/main.php?page=c61c8ae4358e765e and ionsclinics.net/main.php?page=4875f07aa6fe472a (Wepawet report is here), reached through a page on a freecities.com web site (apparently part of 0catch.com). You could consider blocking access to the entire freecities.com domain, but you should certainly block 78.129.132.82 if you can.

These other domains are hosted on 78.129.132.82 and are probably malicious:

0riginalcheck.net
ambasadorka.com
centerjobdepart.com
comparmory.org
digitalarmory.net
gitadocs.com
gitafiles.com
ionsclinics.net
lifesdigi.org
marketjob.net
nextddefence.com
originalsyst.org
ourdefence.net
stafffire.net
stub-search.net
systemdwall.com
theyardesale.com
wihdshop.net
yourdefse.com


Update:  angelcities.com is also being used as an intermediate infection step, also part of 0catch.com. It looks like the intermediate sites might be freshly created, there is no indication that 0catch.com sites have been breached.