Sponsored by..

Tuesday 30 April 2013

"Your Wire Transfer 82932922 canceled" spam / Payment reeceipt.exe / 78.139.187.6

This fake wire transfer spam comes with a malicious attachment:

Date:      Tue, 30 Apr 2013 15:27:44 -0500 [16:27:44 EDT]
From:      Federal Reserve [alerts@federalreserve.gov]
Subject:      Your Wire Transfer 82932922 canceled

The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately 

In this case there is an attachment PAYMENT RECEIPT 30-04-2013-GBK-75.zip which contains a malicious executable crafted to look like a Word document called Payment reeceipt.exe . This executable has a so-so VirusTotal detection rate of 29/46.

The malware has the following checksums according to Comodo CAMAS:
Size371712
MD50a3723483e06dcf7e51073972b9d1ef3
SHA1293735a9fdc7e786b12c2ef92f544ffc53a0a0e7
SHA2560eb5dd62e32bc6480bae638967320957419ba70330f0b9ad5759c2d3f25753dd

Anubis has a pretty detailed report of what this malware does. In particular, you might want to monitor network traffic to and from 78.139.187.6 (Caucasus Online, Georgia) which seems to be a C&C server. This IP has also been seen here. There are several other IPs involved, but these look like DSL subscribers with dynamic address, so probably a part of a botnet. For the sake of completeness they are:

64.231.249.250
69.183.226.70
78.139.187.6
81.133.189.232
123.237.234.67


Something evil on 96.126.108.132

These sites are on (or are likely to be created on) 96.126.108.132 (Linode, US) which is a known malware server [1] [2] [3]. Blocking this IP would be wise. Some of the domains are rather.. unusual ;)

0-0-0-0-0-0-0-0-0-0-0-0-0-1-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-11-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-12-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-13-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-14-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-15-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-16-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-17-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-18-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-2-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-20-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-21-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-22-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-23-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-24-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-25-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-26-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-27-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-29-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-3-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-30-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-31-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-32-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-33-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-34-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-35-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-36-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-37-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-39-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-40-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-41-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-42-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-43-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-44-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-45-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-46-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-47-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-48-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-49-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-5-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-50-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-51-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-52-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-53-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-55-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-56-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-57-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-58-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-59-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-6-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-8-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-0-0-0-0-0-0-0-9-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-1-0-0-1-1-0-0-0-1-0-0-1-0-1-1-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-1-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-0-1-1-1-0-0-1-0-0-1-1-1-0-0-0-0-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-2-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-1-0-0-1-1-0-0-0-1-0-0-1-0-1-1-0-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-3-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-1-0-1-1-1-1-1-0-1-0-1-1-1-1-0-0-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-0-1-1-1-0-0-1-0-0-1-1-1-0-0-0-0-1-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-5-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-0-0-0-0-1-0-1-1-0-0-0-0-0-1-1-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-6-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-0-0-1-1-0-0-0-1-0-0-1-0-1-1-0-0-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-0-1-0-1-0-1-1-1-0-1-0-1-0-0-1-0-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-8-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-0-1-1-1-1-1-0-1-0-1-1-1-1-0-0-0-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-9-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-1-0-1-0-0-0-1-1-1-0-0-1-1-1-0-1-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-1-1-0-0-1-0-0-1-1-1-0-0-0-0-1-1-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-11-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-0-1-1-1-1-0-1-1-1-1-1-1-1-0-1-0-0-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-12-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-0-0-0-1-0-1-1-0-0-0-0-0-1-1-1-0-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-13-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-0-0-1-1-1-1-0-0-0-0-1-1-0-1-0-0-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-14-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-0-1-1-0-0-0-1-0-0-1-0-1-1-0-0-1-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-15-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-1-0-0-0-1-0-0-0-0-1-1-1-1-1-1-1-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-16-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-1-0-1-0-1-1-1-0-1-0-1-0-0-1-0-1-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-17-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-1-1-0-1-0-1-0-0-1-1-0-0-1-0-1-0-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-18-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-0-1-1-1-1-1-0-1-0-1-1-1-1-0-0-0-0-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-0-0-1-0-0-0-0-1-0-0-0-1-0-1-1-0-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-20-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-0-1-0-0-0-1-1-1-0-0-1-1-1-0-1-1-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-21-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-0-1-1-0-1-1-0-1-0-1-1-0-0-0-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-22-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-1-0-0-1-0-0-1-1-1-0-0-0-0-1-1-0-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-23-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-1-0-1-1-1-0-0-1-1-0-1-0-1-1-0-0-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-24-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-0-1-1-1-1-0-1-1-1-1-1-1-1-0-1-0-0-1-0-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-25-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-0-0-0-0-0-1-0-1-1-1-1-1-0-1-1-1-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-26-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-0-0-1-0-1-1-0-0-0-0-0-1-1-1-0-1-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-27-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-0-1-0-1-0-0-1-0-0-1-0-0-0-0-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-0-1-1-1-1-0-0-0-0-1-1-0-1-0-0-0-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-29-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-1-0-0-1-1-1-1-0-1-0-0-0-1-1-1-0-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-30-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-1-1-0-0-0-1-0-0-1-0-1-1-0-0-1-1-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-31-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-0-1-1-1-0-1-0-1-0-1-1-0-1-1-0-0-1-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-32-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-0-0-0-1-0-0-0-0-1-1-1-1-1-1-1-1-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-33-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-0-0-1-1-0-1-1-1-0-0-1-0-0-1-0-0-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-34-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-0-1-0-1-1-1-0-1-0-1-0-0-1-0-1-0-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-35-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-1-0-0-0-0-0-1-1-0-1-1-1-0-0-0-0-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-36-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-1-0-1-0-1-0-0-1-1-0-0-1-0-1-0-1-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-37-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-1-1-0-0-1-1-1-1-1-0-1-1-1-0-1-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-0-1-1-1-1-1-0-1-0-1-1-1-1-0-0-0-0-0-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-39-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-0-0-0-1-1-1-0-0-0-0-0-0-0-1-1-0-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-40-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-0-1-0-0-0-0-1-0-0-0-1-0-1-1-0-0-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-41-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-0-1-1-0-1-0-0-0-0-1-0-1-0-0-0-1-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-42-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-1-0-0-0-1-1-1-0-0-1-1-1-0-1-1-1-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-43-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-1-0-1-1-0-1-0-0-1-0-0-1-1-1-0-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-44-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-0-1-1-0-1-1-0-1-0-1-1-0-0-0-0-1-0-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-45-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-0-0-0-0-0-0-0-0-1-1-1-0-1-0-0-0-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-46-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-0-0-1-0-0-1-1-1-0-0-0-0-1-1-0-1-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-47-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-0-1-0-0-1-1-0-1-0-0-1-1-0-0-1-1-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-48-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-0-1-1-1-0-0-1-1-0-1-0-1-1-0-0-1-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-49-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-1-0-0-1-1-0-0-1-0-1-1-1-1-1-1-0-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-50-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-1-0-1-1-1-1-1-1-1-0-1-0-0-1-0-0-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-51-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-0-1-1-1-1-1-1-0-0-1-0-1-1-1-0-0-1-0-1-0-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-52-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-0-0-0-0-1-0-1-1-1-1-1-0-1-1-1-1-1-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-53-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-0-0-1-1-0-0-1-0-0-0-0-1-0-1-0-1-0-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-54-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-0-1-0-1-1-0-0-0-0-0-1-1-1-0-1-0-1-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-55-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-0-1-1-1-1-1-1-0-0-1-1-0-0-0-0-0-1-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-56-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-1-0-1-0-0-1-0-0-1-0-0-0-0-1-1-0-0-0-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-57-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-1-1-0-0-1-0-1-0-1-0-1-0-1-0-1-1-1-1-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-58-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-0-1-1-1-1-0-0-0-0-1-1-0-1-0-0-0-1-0-1-1-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-59-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-1-0-0-1-0-0-0-1-0-1-1-0-1-1-1-1-0-1-1-1-0-0-0-1-1-1-1-1-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-60-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-2-4-3-x-c-l-3-a-m-1-v-6-s-u-4-h-9-1-y-0-l-8-l-3-5-1-k-g-8-c-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-4-5-8-o-3-q-6-t-k-m-r-b-a-m-8-v-w-0-v-6-p-1-4-0-i-v-1-s-d-u-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-9-y-5-e-r-x-2-t-1-s-z-2-7-2-9-k-s-g-2-e-h-r-8-j-r-1-9-e-e-v-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
0-y-4-2-4-f-x-2-5-y-6-8-i-9-b-d-9-v-z-e-y-g-0-n-1-6-c-q-6-7-a-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
1-6-1-5-6-3-0-2-3-8-3-3-6-6-5-4-1-4-4-4-4-8-2-6-0-1-3-5-0-8-4-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
1-7-1-3-7-0-4-6-7-0-8-0-2-4-3-5-6-8-7-1-2-8-2-8-3-5-8-1-3-1-5-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
1-8-2-7-5-1-7-1-2-0-4-2-5-3-8-6-0-3-3-5-2-8-3-2-8-6-8-4-2-7-0-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
1-9-5-7-3-2-4-4-5-4-7-3-2-7-2-4-5-5-5-2-3-8-5-2-1-2-1-4-6-2-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
1-x-5-5-8-0-9-3-7-1-5-7-c-g-r-6-z-m-h-n-7-b-7-9-3-s-3-0-4-j-t-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2-1-4-2-5-3-7-4-1-6-6-5-7-1-7-1-8-0-0-7-3-4-1-1-1-0-6-4-5-1-4-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2-5-q-i-2-1-6-9-k-a-2-i-6-a-h-3-5-6-u-8-8-t-9-e-0-8-8-t-6-7-f-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2-7-t-q-2-7-l-0-2-4-k-c-0-q-0-c-k-a-6-4-z-h-9-r-u-w-8-4-4-3-9-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2-a-7-7-1-f-5-r-e-s-s-f-0-h-l-7-d-o-8-s-a-i-p-z-8-2-a-4-0-c-z-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
2-m-1-m-s-g-f-1-6-k-5-4-5-f-d-f-9-7-2-v-c-2-9-j-d-6-7-8-8-c-x-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
3-4-4-6-0-5-8-3-1-3-6-3-3-6-3-6-4-1-2-0-8-2-5-2-7-2-7-1-2-0-4-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
3-4-5-3-3-8-5-7-2-8-6-0-1-6-5-8-0-3-5-6-3-2-8-6-8-6-5-0-3-8-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
3-6-j-6-a-y-j-1-h-q-m-b-z-m-3-2-s-5-p-0-f-7-1-0-0-h-f-2-7-g-d-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
4-6-9-6-f-x-k-4-w-7-4-9-d-4-m-1-8-v-3-z-5-d-v-a-t-d-a-6-8-2-9-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
4-7-5-3-0-1-1-2-8-4-6-7-6-6-1-0-8-7-5-7-2-1-8-6-2-7-1-2-2-8-0-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
5-4-5-2-8-8-1-2-4-6-7-2-5-6-7-4-4-7-3-8-2-7-2-3-7-3-6-8-7-3-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
5-l-8-w-i-7-4-4-z-x-9-c-0-c-0-0-d-o-4-0-9-9-8-4-i-1-s-0-j-e-j-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
5-u-e-o-w-x-8-i-3-n-p-c-6-9-0-6-7-w-s-3-8-f-2-d-e-1-d-3-3-k-8-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
6-2-0-0-2-7-2-2-4-2-3-0-4-1-7-5-6-8-2-4-0-5-3-8-1-8-5-3-1-4-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
6-3-1-g-6-3-n-4-4-5-d-j-h-6-i-g-1-j-2-4-0-0-3-3-3-1-r-s-6-9-u-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
6-4-5-2-2-6-0-6-7-6-0-3-7-7-3-8-7-0-8-3-4-6-0-5-4-2-5-5-2-2-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
6-6-2-6-5-4-7-1-7-8-6-7-5-6-1-6-3-3-9-8-9-7-2-5-4-7-5-6-2-2-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
6-h-o-f-m-7-8-7-g-4-e-p-x-1-z-1-a-0-0-4-3-3-k-8-j-9-n-7-z-4-s-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
7-2-2-4-7-9-7-4-8-3-6-2-9-1-2-7-8-8-7-9-3-6-5-3-5-9-9-3-9-2-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
765b394e34.biz
8-0-5-4-7-4-7-7-0-5-4-7-3-8-1-6-6-6-4-8-7-1-5-2-7-6-3-0-5-0-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
8-6-5-7-7-9-6-5-2-9-9-2-2-2-5-7-9-4-5-9-5-7-5-4-3-2-6-3-3-5-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
8-8-6-2-6-4-2-6-9-9-5-5-4-6-4-5-2-9-6-4-8-6-2-9-8-5-2-6-3-2-7-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
8-9-3-6-8-0-8-0-4-j-6-0-v-w-y-o-h-8-u-0-y-q-1-1-g-t-4-1-3-6-f-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
9-6-m-8-2-v-i-6-4-0-9-l-v-v-e-e-d-4-r-j-u-9-z-0-9-2-r-t-3-8-a-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
9-8-1-4-c-i-s-n-7-2-3-0-e-z-h-7-3-4-r-u-w-6-n-0-2-f-a-a-m-7-a-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
9-8-g-3-q-g-2-h-d-x-b-u-o-o-v-7-o-f-7-4-x-5-3-e-9-6-v-6-y-9-8-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
9-f-z-s-e-6-2-k-y-f-7-4-7-8-g-m-9-p-5-7-n-g-3-d-o-s-q-0-m-4-a-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
alfa.homeunix.com
alotibi.xylocomod.com
arta.romail3arnest.info
b-8-8-l-0-5-e-8-k-d-a-o-9-u-9-6-3-p-a-d-1-s-a-n-p-0-1-h-u-u-l-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
chk3.eu
cirimpapacirimpapa-fghbvsfdbfdbfd875t67rfv7dsgyvsu.com
clickbrief.org
clickfremont.org
config1007.iwillhavesexygirls.com
config1130.iwillhavesexygirls.com
dentbeen.eu
disafuwokis.eu
down1130.iwillhavesexygirls.com
expl0it.homeunix.org
fe28753777.com
file0129.iwillhavesexygirls.com
finansgroups.com
findcourageous.org
findcurly.org
findrasup.org
findwandering.org
fl.ue1tio.in
flashi.in
foqaqehacew.eu
fotyriwavix.eu
gaquviwyrup.eu
gduf.info
iwillhavesexygirls.com
jayno.swastikano.net
jbalbfhkewo7i487fksd.info
jewish.r4t.biz
juno.swastikano.net
kefuwidijyp.eu
kejitanokon.eu
kezapyjolek.eu
kinderplus.in
li365-132.members.linode.com
love.swastikano.net
lysovidacyx.eu
mashka.in
maxyjofytyt.eu
mx2.finansgroups.com
mx3.finansgroups.com
mx4.finansgroups.com
mx5.finansgroups.com
n98usfhcyughdcsbchjb.com
n-o-2-8-1-6-k-y-0-e-8-x-j-g-0-e-8-a-a-p-0-1-b-8-c-4-e-z-b-f-p-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
nomebemenid.eu
o-b-0-j-9-7-h-8-0-2-d-6-m-3-4-9-l-c-8-v-g-h-4-u-u-9-1-n-b-t-c-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
o-j-j-k-1-9-4-1-4-7-z-1-h-p-l-2-8-3-w-n-f-l-r-9-0-5-8-s-0-6-q-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
ourfreespaces.com
p.r4t.biz
pufiluqudic.eu
q-1-4-5-v-s-z-e-r-0-3-v-d-8-8-e-6-i-8-6-q-8-5-2-2-4-3-s-j-g-6-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
qjisnelmcjtg.com
r-2-8-l-3-d-a-0-c-0-r-4-6-u-l-p-6-7-a-4-1-k-9-2-c-8-8-9-z-3-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
r4t.biz
reslove-dns.com
r-k-7-4-w-r-5-4-8-g-x-3-s-4-4-q-k-v-1-i-5-3-u-g-u-1-4-r-0-3-v-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
romail3arnest.info
ryleryqacic.eu
searchalaska.org
searchalice.org
searchalike.org
searchalphabet.org
searchatmosphere.org
searchbowl.org
searchbreeze.org
searchbrick.org
searchdefeated.org
searcheager.org
servf.zyns.com
spotrate.info
srnubetbguwfet.com
svaravinoplaks.com
swastikano.net
tefy.net
tep.xylocomod.com
tufecagemyl.eu
u-3-o-7-u-2-5-9-h-d-b-j-1-x-w-k-2-2-y-c-y-0-0-z-3-4-b-3-3-z-q-.0-0-0-0-0-0-0-0-0-0-0-0-0-28-0-0-0-0-0-0-0-0-0-0-0-0-0.info
ue1tio.in
update.longmusic.com
vfdykmselcv.com
w-7-2-9-h-1-s-9-8-x-7-e-4-8-4-i-6-l-0-5-f-7-9-0-7-4-x-7-x-7-8-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
wesaf341.org
windows-update-server.com
wsef32asd1.org
wvvexfux.com
www.flashi.in
xylocomod.com
y-3-z-i-j-2-5-t-y-s-g-0-1-f-3-9-w-k-7-c-0-5-n-i-1-a-3-r-4-p-3-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
y-4-5-3-k-a-n-6-2-w-p-b-s-2-4-i-3-t-0-4-k-7-3-r-a-t-6-p-f-1-1-.0-0-0-0-0-0-0-0-0-0-0-0-0-7-0-0-0-0-0-0-0-0-0-0-0-0-0.info
y-t-s-t-2-x-8-5-p-m-h-1-x-8-9-c-5-8-4-3-d-t-s-8-5-1-3-7-s-0-i-.0-0-0-0-0-0-0-0-0-0-0-0-0-19-0-0-0-0-0-0-0-0-0-0-0-0-0.info
yummcxgbkyknsbvrui.com
z-6-b-1-5-2-c-2-l-e-m-4-1-6-6-9-z-n-a-2-8-3-z-p-s-7-9-5-r-0-2-.0-0-0-0-0-0-0-0-0-0-0-0-0-38-0-0-0-0-0-0-0-0-0-0-0-0-0.info
zeqsmmiwj3d.com

Monday 29 April 2013

"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz

This fake PayPal spam leads to malware on frustrationpostcards.biz:

 Date:      Mon, 29 Apr 2013 13:22:03 -0500
From:      "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject:      Requested Reset of Yoyr PayPal Password
  
Your account will stay on hold untill password reset.
How to reset your PayPal password

Hello [redacted],

To get back into your PayPal account, you'll have to create a new password.

It's easy:

    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.

  Reset your password now

If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.

  
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.

PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:

82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)


TheWHOIS details identify this domain as belonging to the Amerika gang:

Registrant ID:                          INTEGOY3JBV8IIHG
Registrant Name:                        Shouli Cowper
Registrant Address1:                    40 W 17th St
Registrant City:                        New York
Registrant Postal Code:                 10011
Registrant Country:                     United States
Registrant Country Code:                US
Registrant Phone Number:                +1.4682697453
Registrant Email:                       shouli_cowper563@bikeracer.com

 
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
miniscule.pl
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
priorityclub.pl
smartsecurity-app.com
zonebar.net

Saturday 27 April 2013

Is CB3ROB a champion of free speech? Or a spammer?

The alleged arrest of Sven Olaf Kamphuis (aka CB3ROB) of CyberBunker and the eponymous CB3ROB Ltd has thrown Anonymous into a tizzy, with a #freecb3rob campaign running on Twitter.

The arrest was made because of a suspicion that Kamphius might be behind a massive DDoS attack on Spamhaus that also impacted Cloudflare. I don't have any evidence that CB3ROB or any of his business associates are behind the DDoS attack, but there's a well-known public spat between Spamhaus (who accuse Cyberbunker of being spammers) and Cyberbunker (who accuse Spamhaus of being vigilantes who want to stifle free speech).

It's hard to see why Anon is pro-CB3ROB and so anti-Spamhaus. Yes, it has been reported that CyberBunker has helped to host the Pirate Bay and Wikileaks in the past, both favourites of Anon and not necessarily bad things in themselves. And Spamhaus doesn't actually block anything - it provides a reputation scoring system that others can use to see if they want to accept or reject email, but Spamhaus's very assertive actions against CyberBunker seem to have been the trigger.

But perhaps the critical question is this - what does CyberBunker (and CB3ROB Ltd) actually host?

I identified 866 websites in the large 84.22.96.0/19 block (84.22.96.0 - 84.22.127.255) allocated to both CyberBunker and CB3ROB, although this list is probably not comprehensive. This is what I discovered:
  • 74% of them are flagged as spam domains by multi.surbl.org
  • 39% are flagged as spam on more than one blacklist
  • 0.9% of them are flagged as malware domains by Google
  • 78% of them have a poor WOT reputation
You can download the complete set of results from here [csv]. This data includes the domain name, IP, decimalised IP (good for sorting in Excel), WOT rankings, Google Safe Browsing diagnostic and SURBL prognosis.


Given the high level of domains flagged for spam, the obvious conclusion is that CyberBunker has a serious spam problem and a less serious malware problem mostly centered on 84.22.104.244 and also 84.22.104.246 (more info here) Perhaps there are some legitimate sites in this list who have been caught up in the crossfire, although nothing seems to stand out. I'd love to know who is using CyberBunker for anything other than spam and malware.

You can look at the evidence yourself and decide if CB3ROB is a champion of free speech or someone who supports spammers. I know what my conclusion is though.

Friday 26 April 2013

Something evil on 199.71.212.122

199.71.212.122 is an IP address belonging to Psychz Networks in the US. It hosts a number of sites with malware one them according to VirusTotal and URLquery. Some of the malicious domains were recently hosted on this IP.

I suspect that there are lot more domains than the ones listed on this server, blocking access to it is probably the best approach. Sites flagged by Google as malicious are marked in  red , you should assume that all sites on this server are equally evil though.

5realgame.deaftone.com
atomzmarquee.org
byfiletypepreparing.org
newssearch048.ru
ohlikeminded.org
printboyexplore.biz
yearlyvoiceover.org

2record-fact.3d-game.com
3coopertu.4irc.com
3perioda.3d-game.com
4poitesla.3d-game.com
4terpanf.3d-game.com
4terropet.flnet.org
5perebor.3d-game.com
5teasure.3d-game.com
a3debora.3d-game.com
a4bebeshka.3d-game.com
a5sonfar.3d-game.com
boxbelow.scieron.com
documentingglanced.org
entirelynumerical.scieron.com
fashionbrands2013.com
formkindmasculine.biz
headsskypeme.org
iolan5da.3d-game.com
newssearch040.ru
newssearch041.ru
newssearch042.ru
newssearch043.ru
newssearch044.ru
newssearch045.ru
newssearch046.ru
newssearch047.ru
newssearch049.ru
noireresponsible.org
perry4out.3d-game.com
strugglestabs.biz
truespaceia.biz
usecanatt.biz
visualagenostalgic.org
worldsgiver.biz
youcandoitshop.info

Something evil on 193.107.16.213 / Ideal Solution Ltd

193.107.16.213 is a web server run by Ideal Solution Ltd in the Seychelles. It contains many malware sites that should be blocked, and you might well want to consider blocking the entire 193.107.16.0/22 (193.107.16.0 - 193.107.19.255) range.

VirusTotal detects a number of malicious sites on this server (see report) but blocking access to this IP address is probably the easiest approach. However there seems to be very little of value in the whole /22 and I have personally had it blocked for some months with no ill effects.

The sites that I can identify, their MyWOT ratings and Google prognosis can be download from here [csv]. Use this data as you see fit.

The following sites are on 193.107.16.213. Ones marked in  red  are flagged by Google as being malicious, although you should assume that they all are and block them accordingly.

allbestauto097.ru
forumsupport015.ru
forumsupport016.ru
forumsupport017.ru
forumsupport018.ru
forumsupport019.ru
forumsupport020.ru
forumsupport023.ru
forumsupport024.ru
forumsupport025.ru
forumsupport026.ru
forumsupport027.ru
forumsupport028.ru
forumsupport029.ru
forumsupport030.ru
forumsupport034.ru
forumsupport037.ru
forumsupport038.ru
forumsupport039.ru
forumsupport040.ru
forumsupport041.ru
forumsupport043.ru
forumsupport044.ru
forumsupport045.ru
forumsupport046.ru
forumsupport047.ru
forumsupport048.ru
forumsupport049.ru
forumsupport050.ru
newssearch001.ru
newssearch002.ru
newssearch003.ru
newssearch010.ru
newssearch017.ru
newssearch024.ru
newssearch039.ru
overviewdrive023.ru
overviewdrive026.ru
overviewdrive027.ru
overviewdrive028.ru
overviewdrive030.ru
overviewdrive032.ru
overviewdrive034.ru
overviewdrive035.ru
overviewdrive036.ru
overviewdrive039.ru
overviewdrive040.ru
overviewdrive041.ru
overviewdrive042.ru
overviewdrive043.ru
overviewdrive044.ru
overviewdrive045.ru
overviewdrive046.ru
overviewdrive047.ru
overviewdrive051.ru
overviewdrive054.ru
overviewdrive056.ru
overviewdrive059.ru
overviewdrive061.ru
overviewdrive063.ru
overviewdrive065.ru
overviewdrive066.ru
overviewdrive070.ru
overviewdrive072.ru
overviewdrive075.ru
overviewdrive087.ru
overviewdrive092.ru
overviewdrive093.ru
overviewdrive094.ru
overviewdrive100.ru
promoution242.ru
rotatorjps001.ru
rotatorjps030.ru
rotatorjps044.ru
rotatorjps046.ru
rotatorjps050.ru

newssearch004.ru
newssearch005.ru
newssearch006.ru
newssearch007.ru
newssearch008.ru
newssearch009.ru
newssearch011.ru
newssearch012.ru
newssearch013.ru
newssearch014.ru
newssearch015.ru
newssearch016.ru
newssearch018.ru
newssearch019.ru
newssearch020.ru
newssearch021.ru
newssearch022.ru
newssearch023.ru
newssearch025.ru
newssearch026.ru
newssearch027.ru
newssearch028.ru
newssearch029.ru
newssearch030.ru
newssearch031.ru
newssearch033.ru
newssearch034.ru
newssearch035.ru
newssearch036.ru
newssearch037.ru
newssearch038.ru
newssearch050.ru
overviewdrive091.ru
overviewdrive095.ru
overviewdrive097.ru
overviewdrive098.ru
permanentbiz.com
promoution115.ru
promoution181.ru
promoution218.ru
promoution221.ru
promoution222.ru
promoution223.ru
promoution224.ru
promoution225.ru
promoution226.ru
promoution227.ru
promoution228.ru
promoution229.ru
promoution231.ru
promoution246.ru
promoution247.ru
promoution248.ru
promoution250.ru
roger001.ru
roger002.ru
roger003.ru
roger004.ru
roger005.ru
roger006.ru
roger007.ru
roger008.ru
roger009.ru
roger010.ru

"USPS delivery failure report" spam / LABEL-ID-56723547-GFK72.zip

This fake USPS message has a malicious attachment:

Date:      Fri, 26 Apr 2013 12:46:25 +0400 [04:46:25 EDT]
From:      USPS client manager Lelia Holden [reports@usps.com]
Subject:      USPS delivery failure report
Priority:      High Priority 1

Notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGL38SHK4T
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

There is an attachment LABEL-ID-56723547-GFK72.zip which in turn contains an executable file LABEL-ID-56723547-GFK72.exe which is designed to look like a PDF file. VirusTotal results are a pretty poor 7/46.

The malicious binary has the following checksums:
MD5df81b21e9526c571d03bc1fb189f233c
SHA1dd2fe390e3f16a7f12786799af927f62df6754c4
SHA256db001675033574e5291b1717b7b704d43d9bd676604b623f781d2f4cde60590a

Comodo CAMAS reports some very unusual behaviour around LDAP registry keys, not present in the Anubis report or ThreatExpert report.

Update: a rather more comprehensive ThreatTrack report can be found here [pdf].

Thursday 25 April 2013

RU:8080 timeline


A quick bit of research for anyone following the RU:8080 gang.. where has the spam gone? Recently we've seen RU:8080 spam every weekday for some time, and there hasn't been anything since 19th April (nearly a week ago).

The current RU:8080 runs started in February 2012 (although there had been similar malware spam URLs before that). A timeline of the dates of the runs I spotted can be found here.

The spam runs always happen on a weekday, not a weekend. Mondays are slightly less common than the other weekdays. Usually there are no more than 4 or 5 days between runs.. but the RU:8080 gang has shut down for longer.

For example, in April 2012 they shut down for up to 46 days, in July 2012 it was 21 days, August 2012 was 31 days, December 2012 for 13 days and February 2013 for 10 days.

Of note the April 2012 shutdown coincided roughly with start of Orthodox Easter, the December 2012 shutdown was from the period between the Western and Orthodox Christmas. The summer shutdowns could simply be because the RU:8080 gang were on holiday (they don't work weekends, after all).

Show a brief shutdown doesn't mean a permanent shutdown. But if it lasts for longer than a month then it's a different matter..

Updated 22/5/13: and now it has been over a month without a peep..

The "Signature Strengths" (behaviourlibrary.com) fiasco

A post over at the Sqwawkbox Blog highlights the absurdity of an online behavioural survey site called "Signature Strengths" that jobseekers are "encouraged" to use. It makes the claim that no matter what you enter, it always comes up with some positive reason why you should be working. OK.. perhaps that isn't a bad thing, but it is clearly pretty absurd.

Try it for yourself by taking the test. I answered all the questions with the mindset of an feckless, depressive sociopath and this is what I was told:

Your results!
Think about how you can use these strengths in your job search and in your life in general
Try to find a new way to use them then everyday

Strength 1. Curiosity
You are curious about everything. You are always asking questions, and you find all subjects and topics fascinating. You like exploration and discovery.

Strength 2. Love of learning
You love learning new things, whether in a class or on your own. You have always loved school, reading, and museums-anywhere and everywhere there is an opportunity to learn.

Strength 3. Critical Thinking
Thinking things through and examining them from all sides are important aspects of who you are. You do not jump to conclusions, and you rely only on solid evidence to make your decisions. You are able to change your mind.

Strength 4. Originality
Thinking of new ways to do things is a crucial part of who you are. You are never content with doing something the conventional way if a better way is possible.

Strength 5. Social Intelligence
You are aware of the motives and feelings of other people. You know what to do to fit in to different social situations, and you know what to do to put others at ease.

Fill in your email address address below to have your strengths emailed to you. You may want to discuss these with your advisor at your next meeting.



Sounds positive? But the answers that I gave to the questions completely contradict this:

1. I am always curious about the world
Very much unlike me [contradicts Strength 1]

2. I am easily bored
Very much like me

3. I am thrilled when I learn something new
Very much unlike me [contradicts Strength 2]

4. I never go out of my way to visit museums
Very much like me [contradicts Strength 2]

5. When the topic called for it, I can be a highly rational thinker
Very much unlike me [contradicts Strength 3]

6. I tend to make snap judgements
Very much like me [contradicts Strength 3]

7. I like to think of new ways to do things
Very much unlike me [contradicts Strength 4]

8. Most of my friends are more imaginative than I am
Very much like me

9. No matter what the social situation, I am able to fit in
Very much unlike me [contradicts Strength 5]

10. I am not very good at sensing what other people are feeling
Very much like me [contradicts Strength 5]

11. I am always able to look at things and see the big picture
Very much unlike me [contradicts Strength 3]

12. Others rarely come to me for advice
Very much like me

13. I have taken frequent stands in the face of strong opposition
Very much unlike me

14. Pain and disappointment often get the better of me
Very much like me

15. I always finish what I start
Very much unlike me

16. I get sidetracked when I work
Very much like me

17. I always keep my promises
Very much unlike me [partly contradicts Strength 5]

18. My friends never tell me I’m down to earth
Very much like me

19. I voluntarily helped a neighbour last month
Very much unlike me

20. I am rarely as excited about the good fortune of others as I am about my own
Very much like me [contradicts Strength 5]

21. There are people in my life who care as much about my feelings and well-being as they do about their own
Very much unlike me

22. I have trouble accepting love from others
Very much like me

23. I work best when I am part of a group
Very much unlike me [partly contradicts Strength 5]

24. I hesitate to sacrifice my self-interest for the benefit of groups I am in
Very much like me [partly contradicts Strength 5]

25. I treat all people equally, regardless of who they might be
Very much unlike me [partly contradicts Strength 5]

26. If I do not like someone, it is difficult for me to treat him or her fairly
Very much like me [partly contradicts Strength 5]

27. I can always get people to do things together without nagging them
Very much unlike me [partly contradicts Strength 5]

28. I am not very good at planning group activities
Very much like me

29. I can control my emotions
Very much unlike me

30. I can rarely stay on a diet
Very much like me

31. I avoid activities that are physically dangerous
Very much unlike me

32. I sometimes make poor choices in friendships and relationships
Very much like me [partly contradicts Strength 5]

33. I change the subject when people pay me compliments
Very much unlike me

34. I often brag about my accomplishments
Very much like me [partly contradicts Strength 5]

35. In the last month, I have been thrilled by excellence in music, art, drama, film, sport, science or mathematics
Very much unlike me [partly contradicts Strength 2]

36. I have not created anything of beauty in the last year
Very much like me [partly contradicts Strength 2]

37. I always say thank you, even for little things
Very much unlike me [partly contradicts Strength 5]

38. I rarely stop and count my blessings
Very much like me

39. I always look on bright side
Very much unlike me

40. I rarely have a well thought out plan for what I want to do
Very much like me [contradicts Strength 3]

41. My life has a strong purpose
Very much unlike me

42. I do not have a calling in life
Very much like me

43. I always let bygones be bygones
Very much unlike me [partly contradicts Strength 5]

44. I always try to get even
Very much like me [partly contradicts Strength 5]

45. I always mix work and play as much as possible
Very much unlike me

46. I rarely say funny things
Very much like me

47. I throw myself into everything I do
Very much unlike me

48. I mope a lot
Very much like me
So who owns this site? A look at the WHOIS records come up blank:

   Administrative Contact:
      Private, Registration  behaviourlibrary.com@domainsbyproxy.com
      Domains By Proxy, LLC
      DomainsByProxy.com
      14747 N Northsight Blvd Suite 111, PMB 309
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2598

Not to worry, because a historical WHOIS gives us the real records:

   Administrative Contact:
      Nguyen, Samuel  samuel.nguyen@cabinet-office.gsi.gov.uk
      1123 Aquarius House
      19 St George Wharf
      London, England SW82FG
      United Kingdom
      0-782-183-6785

That's this chappie.

As The Register points out, this is a completely bogus test that appears to be designed to make people feel more positive about work (and to perhaps collect email addresses) rather than offering any constructive advice. Positive thinking is not a bad thing, but this is a wasted opportunity to achieve something constructive in terms of critical analysis. Surely it wouldn't be too difficult to create (or buy in) a test to do this properly?

"Organ donation" spam

This isn't the first time that I've seen this spam...

From: timur146@mail.ru
Date: 25 April 2013 02:26
Subject: Organ donation.

Hello.
My name is Alex and I'm from Ukraine. I found your address on medical website.
I want to be a living donor. I am ready to give one of my kidneys or part of my liver, but I want to receive a big compensation for that.
If you need kidney or liver transplant contact me. If you don't need it, but you know somebody who need it, please send my message or keep it.
I am 33 years old man. I don't smoke cigarettes and don't drink alcohol. My blood is O+ and I have a good health.
This is not a joke, I am ready to do it. I will listen the offer and conditions of recipient.

Don't reply to this letter, but write to me on one of these e-mail addresses:

organ.donation@yandex.ua
organ.donation_ua@yahoo.com

P.S. I am sorry if I was mistaken or you received my e-mail twice. I won't disturb you any more.

..presumably Alex hasn't manage to punt his internal organs yet as I saw the same Alex spamming two years ago. Given that he was 31 then and is 33 now, then I have the horrible feeling that this is a genuine offer for used body parts.

The originating IP appears to be 74.54.201.178 (ThePlanet, US) which looks like a rented server.

Wednesday 24 April 2013

"New Secure Message" spam / pricesgettos.info

This spam leads to malware on pricesgettos.info:

Date:      Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From:      Cooper.Anderson@csiweb.com
Subject:      New Secure Message Received from Cooper.Anderson@csiweb.com

New Secure Message
Respective [redacted],

You have received a new secure message from Cooper.Anderson@csiweb.com.

If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.

If you are NOT using the Secure Message Plugin, you are able to view it by clicking https://www.csiweb.com/5890424-13QZUR797870/?inbox_idf3795430A7NO9 to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.


Sincerely Yours,

CSIe
The link displayed in the email is fake and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos.info/news/done-heavy_hall_meant.php (report here) hosted on the following IPs:

1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)

Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
airtrantran.com
antidoterskief.net
app-smartsystem.com
app-smart-system.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
docudat.ru
dyntic.com
egetraktovony.ru
excuticoble.ru
exrexycheck.ru
fenvid.com
freedblacks.net
gangrenablin.ru
gatareykahera.ru
independinsy.net
janefgort.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net



American Express spam / SecureMail.zip

Something bad happened to this spam on the way out from wherever spam emerges from. Still, it contains a malicious attachment which should be avoided.

Date:      Wed, 24 Apr 2013 12:59:38 -0500 [13:59:38 EDT]
From:      American Express [Christian_Frey@aexp.com]
Subject:      Confidential - Secure Message from AMEX

                            Secure Message                                                                                                   
                                                                                                                                                                 
                                                                                                                                                                                   
                                                                                                                                             
                                                                                                                                                                    
                                            The security of your personal information is of the utmost
importance to American Express, so we have sent the attached as a secure electronic file.
                       Note: The attached file contains encrypted data.                  
                 If you have any questions, please call us at 800-964-7890, option 3.
Representatives are available to assist you Monday through Thursday between 8:00 a.m. and
8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.                        The
information contained in this message may be privileged, confidential and protected from
disclosure. If the reader of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this communication is
strictly prohibited.                                                                 Thank you,           
American Express                                                                                                                   
                2012 American Express Company. All rights reserved.                                        
                                                              ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,    ,

The attachment SecureMail.zip contains a file called SecureMail.exe with a detection rate of 21/46 at VirusTotal. Comodo CAMAS doesn't tell us much except that it seems to phone home to angels-mail.com and has the following checksums:

MD56870fd8fd2b2bedd83e218d9e7e4de8b
SHA14b7a2c0cee63634907c5ccc249c8cd4c0231f03a
SHA256ac0368159001950e4f62e073a289113c2cab135af9ea0f48f5ca660fb2cb45e3

What about angels-mail.com then? Well, it looks like a legitimate domain hosted on 5.77.45.108 (eUKhost, UK). ThreatExpert gives a bit more information about the traffic, indicating a malicious web site operating on port 8080 on that server. However, the ThreatTrack sandbox comes up with the best analysis a copy of which can be found here [pdf].

Recommended blocklist:
5.77.45.108
64.90.61.19
212.58.4.13
angels-mail.com
clients.duncanwisniewski.com
mail.yaklasim.com

Need a new PDP-11 or VAX?

As a former VAX 11/750 admin it give me a little warm glow to discover that there's still a company out there making PDP-11 and VAX compatible systems, only with more modern components in a unit that you can fit in a rack rather than a whole room.

These systems are really aimed at military and government customers who can't migrate mission critical systems (often literally mission critical) to other platforms. You can assume that these boxes are probably not cheap.

Of course, you'll probably want a terminal to go with it.. and the old DEC VT520 (now made by Boundless Technologies) is still available for a fairly hefty $550 a pop.

You can do it in software too with an emulator called CHARON which has a free version for noncommercial use. You can't stick your ancient Qbus cards on that though.

Now, if this Multics emulator ever gets made then that would be super awesome.

Something evil on 151.248.123.170

151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1, example 2). These domains appear to be almost all dynamic DNS domains which I would recommend blocking, I also recommend blocking the IP address. Trying to block individual domains would probably be ineffective.

Recommended blocklist:
151.248.123.170
ns3.name
zapto.org
hopto.org
no-ip.org
changeip.org
myftp.org
servemp3.com
dns04.com
itemdb.com
ikwb.com
myvnc.com
mefound.com
servehalflife.com
servequake.com
servecounterstrike.com
servegame.com
youdontcare.com
4mydomain.com
otzo.com
organiccrap.com
serveftp.com
dsmtp.com
servehttp.com
servebeer.com
servepics.com
3utilities.com
freeddns.com
mysecondarydns.com
jetos.com
serveusers.com
4pu.com
ocry.com
xxuz.com
ns01.info
mypicture.info
no-ip.info
ddns.ms
ns02.us
ddns.us
myfw.us
redirectme.net
serveblog.net
lflinkup.net
sytes.net
dynamic-dns.net
no-ip.biz

Detected domains (almost all of these are marked as unsafe by Google)
1aj1l2.redirectme.net
2l9cy2.myftp.org
3lejjwtbog.no-ip.info
4g8v7cg.no-ip.org
598l7qdz.3utilities.com
71dalp61hx.servequake.com
78mudv.redirectme.net
7fht7r.redirectme.net
81jtjlit.3utilities.com
8bqve7sn.servebeer.com
8mau1o8kl7.servepics.com
93rpglw.servequake.com
agapcpaa.ns01.info
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
akkly1t.servemp3.com
aqbpswfpj.myfw.us
arhecexdij.mypicture.info
aturlejd.dns04.com
aupmbeutcbr.myfw.us
azxbxx.organiccrap.com
bdkvtjss.mysecondarydns.com
bdtrehpi.dsmtp.com
bfmkeke.servebeer.com
bgmya4t.no-ip.biz
bietzhsh.mefound.com
biirnrxhz.mypicture.info
bksthi5.servegame.com
briirddzbn.myfw.us
bzyphcsjcrhs.myfw.us
ckbqvlouqe.serveusers.com
ckowva.mypicture.info
clwjaqmz.ocry.com
ctgqrapvt.4pu.com
cxubqrtqv.dynamic-dns.net
cybaqwzoai.jetos.com
cyt4n83.zapto.org
djrarpcpp.organiccrap.com
dousvpd.mysecondarydns.com
dwsfdgem.mysecondarydns.com
ecrbtc.mefound.com
efterbiwkc.freeddns.com
ehvrwxyev.ns3.name
elxvpf6prq.myvnc.com
eojriwvpt.serveusers.com
esmiqsq.mysecondarydns.com
exrjzleph.myfw.us
fgcnxamjp.ddns.us
fm7vxw.serveblog.net
fmdetqh.dsmtp.com
fqguhzwcasmj.myfw.us
fxbjpg.itemdb.com
fyuccxbvon.jetos.com
fz1a9crr7i.no-ip.info
gbeonh.servehttp.com
gclpzkt.mefound.com
gcojpbiwb.mefound.com
getbwoedccls.myfw.us
gipjuqnyp.mysecondarydns.com
gpbqicpq.ns01.info
gpqhomgo.ocry.com
gtpjrnkte.itemdb.com
gwhwyvf.ocry.com
gykobwnn.ddns.ms
gyxjclzy.dsmtp.com
hbjadoipd.mefound.com
hdbbzvxejqn.myfw.us
hdygywog.youdontcare.com
hidzgz.otzo.com
hiweya.lflinkup.net
hmkdmjn.ikwb.com
hsqyvzz.ddns.ms
iolwnr.freeddns.com
iuvrmzszjx.ns02.us
j7h9c34fip.servehalflife.com
jayrkypqxx.ns02.us
jkjehvt4k6.servegame.com
jnsvbykd.ns02.us
joukprhng.ocry.com
jpwhgfrc.dynamic-dns.net
jwufzame.youdontcare.com
jxrxuuqs.ddns.ms
jxxaoeufjs.serveusers.com
k05c1jx3lm.sytes.net
k23901iiv.no-ip.org
k40q5bx.servemp3.com
k6fgu8.hopto.org
klmgaqrtem.jetos.com
kmxxvdey.dsmtp.com
krnwhhhtwvh.myfw.us
kuebyfoh.ddns.us
kukxizdui.4mydomain.com
kunwxont.ikwb.com
kzbeyyvkl.jetos.com
kzfxvrz.ns02.us
ladmbbwxmm.no-ip.info
lrymhkrah.dsmtp.com
m938c18.no-ip.info
meaymayetx.organiccrap.com
meuquma.ddns.us
mfbovxps.serveftp.com
mgz0bf6g46.servehttp.com
mpqeydocoiq.myfw.us
mpwtwer.ns01.info
mrnmqdsxfyze.myfw.us
mvdqmecbf.myfw.us
mztlzbd.dynamic-dns.net
ncopbisrmn.xxuz.com
ndmvpgslci.itemdb.com
ngyuwfpaa.dsmtp.com
nmwikbwrxia.myfw.us
nngbpjevv.mefound.com
nuzmis.itemdb.com
nxcgynyedfs.myfw.us
odybreg.ikwb.com
ojew5yj.servecounterstrike.com
okbriapkfb.mefound.com
opxphpg.dns04.com
oqpslwchym.ns3.name
ortqptto.organiccrap.com
ou5hiad9.redirectme.net
owljtjpwb.myfw.us
ozyiivww.youdontcare.com
pbsezsidc.ns01.info
peifdnc.4pu.com
pmjqkxgxz.ddns.us
pmkihqq.mypicture.info
ppmdbwqxcrv.myfw.us
pwemctzvq.ns02.us
pwkwxztpaj.myfw.us
pzcbqmnxv.ddns.ms
qfnisv1h.servehttp.com
qgfs3q0.redirectme.net
qntfwt.changeip.org
qnwycifjfl.myfw.us
qsbmgof.ns3.name
qtbxjkot.ocry.com
quludwdcaq.mypicture.info
qzlkluald.myfw.us
r6x4yz.no-ip.org
rbnumsmbygqb.myfw.us
rcezlgb.ns3.name
rcumgx.jetos.com
rkaseooypl.myfw.us
rkhcyhk4o3.servecounterstrike.com
rnrbdynkblyb.myfw.us
rpbdqzdemsu.myfw.us
seronwzic.myfw.us
sgcdujudgzm.myfw.us
sglrpbgnvl.freeddns.com
sjsw9ne.servecounterstrike.com
slcvzheogxph.myfw.us
sozsybvook.myfw.us
sppbfcemw.jetos.com
synvmclp.dynamic-dns.net
tfqvhdg.otzo.com
tgckjiq.mysecondarydns.com
tin57d1.sytes.net
tlq8aw7lxc.servequake.com
tlvayh.4mydomain.com
tmipoitnfj.myfw.us
tnfzfdd.mypicture.info
trgcrumzlo.xxuz.com
tuewfxrwos.xxuz.com
uegnytqslcm.myfw.us
uftmrikaydi.myfw.us
umhlefsfo.dynamic-dns.net
uniomlciyi.otzo.com
uttptbyvgr.organiccrap.com
uucnwdbptssb.myfw.us
uureflcf.lflinkup.net
vbhxqbwpt.myfw.us
vesooyzw.serveusers.com
vewvfb.ikwb.com
vgyxuawyxb.myfw.us
voskghrg.ns3.name
vpogbb.ns01.info
vpxnbn.organiccrap.com
wdpyffpv.dsmtp.com
whaumhrm.organiccrap.com
whpiiimwpodx.myfw.us
wmnrrskry.myfw.us
wobxsdlv5r.no-ip.info
wrnkzkxjea.servemp3.com
wtriylabiccu.myfw.us
wucsutja.servecounterstrike.com
wwrhxrrvx2.serveftp.com
wywiapwvh.dns04.com
xkfrazfa.changeip.org
xlumergew.ns02.us
xugjnwfw.dsmtp.com
xxyneb.4pu.com
xygvilyksie.myfw.us
xzbqujbaj.ocry.com
ybdrgilms.4pu.com
ybywobw.mysecondarydns.com
yywgvpqrpeym.myfw.us
zakiie.ocry.com
zhudyeczk.myfw.us
zihoqd.ns3.name
zkgctmm4h.myftp.org
znhkad.xxuz.com
zqieuqgwt.ns3.name
zylzvbn.ns02.us
zyzniusdlq.ns01.info

Tuesday 23 April 2013

"CareerBuilder Notification" spam / CB_Offer_04232013_8817391.zip

This fake CareerBuilder email has a malicious attachment containing malware.

Date:      Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
From:      CareerBuilder [Herman_Gallagher@careerbuilder.com]
Subject:      CareerBuilder Notification

Hello,

I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.

You can review the position on the CareerBuilder by downloading the attached PDF file.

Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com

Best wishes in your job search !
Hal_Shields
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the file and future variants will have a different filename.

VirusTotal detections are patchy at 18/46. I'm still waiting for some sort of analysis..

MD5924310716fee707db1ea019c3b4eca56
SHA12d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5

Something evil on 173.246.104.104

173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% which one so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon.com/news/pint_excluded.php (report here).

Both VirusTotal and  URLquery detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but it looks like they have been hijacked by the bad guys somehow. Domains that are flagged by Google as being malicious are marked in  red  (which is most of them!). I recommend that you apply the following blocklist for the time being:

173.246.104.104
kneetite.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodyshape.com
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laser-sculpt.com
laser-sculpting.com


Update:
I really do recommend blocking all the domains on this IP, including kneetite.com (see report) and these following ones which have also been discovered on the same server.
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com




DHL Spam / DHL-LABEL-ID-2456-8344-5362-5466.zip

This fake DHL spam has a malicious attachment.

Date:      Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From:      Ramon Brewer - DHL regional manager [reports@dhl.com]
Subject:      DHL DELIVERY REPORT NY73377
   
Web Version  |  Update preferences  |  Unsubscribe
       
DHL notification

Our company’s courier couldn’t make the delivery of parcel.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
DHL Global
                   

Edit your subscription | Unsubscribe

Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45.

Checksums are as follows:
MD585f908a5bd0ada2d72d138e038aecc7d
SHA1017e82b1074dd210c0c41c8129d81e577d3c121b
SHA256bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b

Whatever this is, it seems to be hard to analyse with automated tools. Comodo CAMAS does report the following registry key being created, which may help to clean up any infections.

NameTypeSizeValue
LM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSchedREG_SZ96"C:\Documents and Settings\All Users\svchost.exe"

Monday 22 April 2013

"Loss Avoidance Alerts" spam / tempandhost.com

I haven't seen this particular spam before. It leads to malware on tempandhost.com:

Date:      Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From:      personableop641@swacha.org
Subject:      4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet

Loss Avoidance Alert System

April 22, 2013
  
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available   on a secure website at:

www.lossavoidancealert.org

http://www.lossavoidancealert.org

Alerts:

CL0017279 – Sham Checks (ALL)

Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.


Thank you for your participation!
Loss Avoidance Alert System Administrator

This email is confidential and intended for the use of the individual to whom it is addressed.  Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource.   SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent.  Before taking action on any information contained
in this email, please consult legal counsel.   If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.



The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page of [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample report here and here) which is.. err.. some sort of exploit kit or other. It doesn't seem to be responding well to analysis tools, which could either indicate overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:

1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)

The WHOIS details indicate that this is the Amerika crew:

   Administrative Contact:
   clark, emily                twinetourt@aol.com
   38b butman st
   beverly, MA 01915
   US
   9784734033

Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
airtrantran.com
antidoterskief.net
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
excuticoble.ru
fenvid.com
fenvid.com
gatareykahera.ru
hurienothing.ru
independinsy.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
peertag.com
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net


Malware sites to block 22/4/13

These domains form part of a large Kelihos botnet described over at Malware Must Die and which is related to the recent Boston Marathon and Texas Fertilizer Plant spam runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active (there are a large number of subdomains). Monitoring for these may reveal Kelihos activity on your network.

Update: a list of associated IPs can be found here. There are too many to analyze, but the majority seem to be hacked PCs in Ukraine, Russia, Bulgaria and Poland.

agrybnyd.ru
akafneyd.ru
aqloqsis.ru
bajidmed.ru
butlesuh.ru
ciwefbod.ru
conrozof.ru
dapxonuq.ru
derdepan.ru
dijxohqa.ru
dydebmek.ru
dypuhtiw.ru
emysgual.ru
ewhynwox.ru
fadanres.ru
fubkimab.ru
funkabyv.ru
fuqiwriv.ru
gojzawde.ru
howoggoc.ru
ickyrjum.ru
ivsykifa.ru
jabfetiq.ru
jakyskyf.ru
jehbuqri.ru
jigzilys.ru
jujeblob.ru
juqhasri.ru
jykoamny.ru
kezamzoq.ru
kolasoeg.ru
kuiffaam.ru
lohdyrpa.ru
melijfes.ru
meuhwycu.ru
migyxluk.ru
mujosdim.ru
needhed.com
nudegnuc.ru
nurwiwur.ru
nyhhakfi.ru
okxusout.ru
ovxurxom.ru
poretget.ru
qeqgomha.ru
qevihnit.ru
qyxpucaf.ru
rezselix.ru
rigyhdyq.ru
rithakip.ru
sagucqyp.ru
sahiwten.ru
siajxenu.ru
sigkeqvi.ru
soljasek.ru
taurbael.ru
tuhoxkyt.ru
tuklicit.ru
tuswusah.ru
ubhyfnyz.ru
ufqinweb.ru
ulvojfol.ru
vezylgys.ru
wirxopiz.ru
wylovpuc.ru
xikgygga.ru
xujxiwli.ru
yddivvev.ru
yhwursyn.ru
yhzewguv.ru
ymvuchyq.ru
yskicfuw.ru
ytliywax.ru
zahebfox.ru
zaszigic.ru
zurgeqyr.ru