Sponsored by..

Wednesday 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:      Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:      Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement. 
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.

Something evil on 144.76.207.224/28

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum:        144.76.207.224 - 144.76.207.239
netname:        SPHERE-LTD
descr:          Sphere LTD.
country:        DE
admin-c:        AR10715-RIPE
tech-c:         AR10715-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Alexander Redko
address:        Russia, 107031, Moscow, Proezd Dmitrosvkiy 8
phone:          +79104407852
nic-hdl:        AR10715-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered


Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious:
1valubin.info
2valubin.info
3valubin.info
4valubin.info
5valubin.info
6valubin.info
7valubin.info
8valubin.info
9valubin.info
10valubin.info
11valubin.info
12valubin.info
13valubin.info
14valubin.info
1togenhaym.info
2togenhaym.info
3togenhaym.info
4togenhaym.info
5togenhaym.info
6togenhaym.info
7togenhaym.info
8togenhaym.info
9togenhaym.info
10togenhaym.info
11togenhaym.info
12togenhaym.info
13togenhaym.info
14togenhaym.info
15togenhaym.info
16togenhaym.info
17togenhaym.info
poovergosa.info
galikvento.info

I would recommend blocking all those domains plus the 144.76.207.224/28 range.

Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges that I can find.
5.9.217.0/26
5.9.249.112/28
5.9.255.192/27
46.22.212.16/28
78.46.169.160/27
78.47.67.128/29
78.47.217.112/28
80.79.117.168/29
80.79.118.132/30
80.79.118.252/30
88.198.103.96/28
144.76.192.96/27
144.76.207.224/28
195.2.252.0/23
195.88.208.0/23

Tuesday 29 October 2013

Suspect network: 69.26.171.176/28

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network


There are three very recent Malwr reports involving sites in this range:

69.26.171.179 - bookmarkingbeast.com
69.26.171.181 - allisontravels.com
69.26.171.182 - robotvacuumhut.com

As a precaution, I would recommend temporarily blocking the whole range. These other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection:
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Division of Unemployment Assistance" spam / attached_forms.exe

This spam comes with a malicious attachment:

Date:      Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From:      "info@victimdomain" [info@victimdomain]
Subject:      [No Subject]

A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:

Provide Wage and Separation information (Form 1062/1074)

And/or

Provide Separation Pay Information

If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, <b>please print attached claim (file) and
complete any outstanding forms.

This message may contain privileged and/or confidential information. Unless you are the
addressee (or authorized to receive for the addressee), you may not use, copy,
disseminate, distribute or disclose to anyone the message or any information contained in
the message.
Attached is a file with the rather long name of  case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46 and automated analysis [1] [2] shows an attempted connection to bookmarkingbeast.com on 69.26.171.179 (Xeex Communications, US). That's just two IP addresses away from this other Xeex server mentioned here. I strongly suspect that there is a problem with servers in the 69.26.171.176/28 range so you might want to block those temporarily. This range is suballocated from Xeex to:

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network



Something evil on 82.211.31.147

Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2].

The following domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself.

(Note, this is an updated and shorter version that in the original post)

civuxedajijo.biz
civuxedajijo.com
civuxedajijo.info
civuxedajijo.net
civuxedajijo.org
cytisyzahafo.info
cytisyzahafo.org
dedukoxejyki.info
dedukoxejyki.org
dihepopylira.info
dihepopylira.org
fagowemocule.net
ferehehusaro.info
ferehehusaro.org
geqybucubep.biz
geqybucubep.com
geqybucubep.info
geqybucubep.net
geqybucubep.org
herufexejinu.org
hozibojadygu.biz
hozibojadygu.com
hozibojadygu.info
hozibojadygu.net
hozibojadygu.org
kywyjolahoq.info
kywyjolahoq.net
kywyjolahoq.org
lugifosuwap.info
lugifosuwap.org
lunyhoqagotu.biz
lunyhoqagotu.com
lunyhoqagotu.info
lunyhoqagotu.net
lunyhoqagotu.org
nisahybonub.biz
nisahybonub.com
nisahybonub.info
nisahybonub.net
rycarimijoje.biz
rycarimijoje.com
rycarimijoje.info
rycarimijoje.net
rycarimijoje.org
sinigumawup.info
sinigumawup.org
vumytataciza.biz
vumytataciza.com
vumytataciza.info
vumytataciza.net
vumytataciza.org
zepykedaluto.biz
zepykedaluto.com
zepykedaluto.info
zepykedaluto.net
zepykedaluto.org
cassetewrt.biz
cassetewrt.com
cassetewrt.info
cassetewrt.net
cassetewrt.org
childho.com
childho.info
childho.net
childho.org
childhoodhnj.biz
childhoodhnj.com
childhoodhnj.info
childhoodhnj.net
childhoodhnj.org
cytisyzahafo.com
cytisyzahafo.net
delitenaryx.net
delitenaryx.us
dihepopylira.biz
dihepopylira.com
dihepopylira.net
dusixibanej.info
dusixibanej.net
dusixibanej.org
dusixibanej.us
fagowemocule.com
fagowemocule.info
ferehehusaro.biz
ferehehusaro.com
ferehehusaro.net
foqanapybiq.biz
foqanapybiq.com
foqanapybiq.info
foqanapybiq.net
foqanapybiq.org
geqybucube.biz
geqybucube.com
geqybucube.net
gonohulovene.net
guxulekabac.biz
guxulekabac.com
guxulekabac.info
guxulekabac.net
guxulekabac.org
hiluposukux.net
hiluposukux.org
hogyverysopi.biz
hogyverysopi.com
hogyverysopi.info
hogyverysopi.net
hogyverysopi.org
identitysdf.biz
identitysdf.com
identitysdf.info
identitysdf.net
identitysdf.org
kyqozozijugy.com
kyqozozijugy.info
kyqozozijugy.net
kyqozozijugy.org
letecaqawuxa.com
letecaqawuxa.info
letecaqawuxa.net
letecaqawuxa.org
lugifosuwap.biz
lugifosuwap.com
lugifosuwap.net
qegihugob.com
qegihugob.info
qegihugob.net
qegihugob.org
qegihugobag.com
qegihugobag.info
qegihugobag.net
qegihugobag.org
qynekugajyj.com
qynekugajyj.info
qynekugajyj.net
qynekugajyj.org
rekarunezyvi.net
signingnm.biz
signingnm.com
signingnm.info
signingnm.net
signingnm.org
sinigumawup.com
sinigumawup.net
tabletbvn.biz
tabletbvn.com
tabletbvn.net
tabletbvn.org
zobecokiloca.biz
zobecokiloca.com
zobecokiloca.info
efuvwguvoum.mine.nu
brbhogbfxxgu.mine.nu
ydmxkkyiqhiu.mine.nu
cppeklsmuexss.mine.nu
fhqfohlvdihxk.mine.nu
feqbesisuqi.blogdns.net
qhghiflvncq.blogdns.net
tilhuvmdefwu.gotdns.org
xjjfgjljivir.gotdns.org
dohotbiyotfx.blogdns.net
rqbiyiidrcrj.blogdns.net
ulchtvrwuvtnl.gotdns.org
pcowstdlxmd.for-our.info
dbgjkrymwqhgwcrxs.mine.nu
iykhbgluscjlbt.gotdns.org
tpvdjxyneijvwhlpxw.mine.nu
nomojmvmkmloxc.blogdns.net
kvworynoybhmxhv.gotdns.org
kwxlmthghilglps.gotdns.org
yibjilgetfssusp.gotdns.org
wnhsslxbrwtwc.for-our.info
cnlfdlfttgnmgks.blogdns.net
eyrdiygbcwkssld.blogdns.net
syieiqlwijppljs.blogdns.net
qjkmgebqexfgwyhe.gotdns.org
cwxqkwglydvwvnigepnf.mine.nu
kudtgttrrlyxibqhttgv.mine.nu
kxtrkjpihconmvhwfsps.mine.nu
wgsdqrgmpcbxhenujrub.mine.nu
hdledvwqiiyektoq.blogdns.net
huxvcjbdkycohlkg.blogdns.net
jlhyrfjbnwfcuyhd.blogdns.net
rkbyifuckfvgjqqk.blogdns.net
vfnxdwquisqdyxjk.blogdns.net
xhipdqfcvlukkgbj.blogdns.net
eimvggsifelgrmh.for-our.info
swlhtfbvqyjspng.for-our.info
mggkitlimroemebpnxobd.mine.nu
ershitlccewsljyou.blogdns.net
yqvvsfvsiswkjjipq.blogdns.net
gmldxogembxcuftnpo.gotdns.org
sljrowpdwiydhesmtx.gotdns.org
xkykencovusmcgxefn.gotdns.org
fxnbonjidwnsrpwp.for-our.info
puywylsnmkjuculhuo.blogdns.net
ubkdjenlfqiwdrvrmy.blogdns.net
gxtvostqmdlnvdvshmp.gotdns.org
imhsupwkkqcshqtowwd.gotdns.org
ptgssluejuimsnqljtf.gotdns.org
rprylexfclxbfdwffru.gotdns.org
xrffskqnesvosqydnwo.gotdns.org
enbiumecswjwbudrh.for-our.info
jrlqfbdtjppvbdhocjo.blogdns.net
nykqxjyihvcibbdwedp.blogdns.net
sbvhhiqnhxfutfktvet.blogdns.net
tgiglyojdggtsfevfvx.blogdns.net
jcgosegivocugffhhx.for-our.info
ucexdvultugwnnigkt.for-our.info
rhdsenonxuohknxhkrlg.blogdns.net
kxjhuuvdnguhwhxhqkmuk.gotdns.org
msxtfwbcupycminnlfihr.gotdns.org
pwhwjmbdrtummlxwhulxt.gotdns.org
rvfyeqfpgxleppjibyues.gotdns.org
xocxtcgbdujvvlphskrtq.gotdns.org
ffemcdevbudrefxswcx.for-our.info
hqoubobqtbowsceoyyqib.blogdns.net
wsbexuveyriuqurvjpxgg.blogdns.net
kecnbcjdtnirgfsekqrrk.for-our.info
trdhhkkkyjkwmyiqnlwyy.for-our.info
tkjesdouypdw.is-a-personaltrainer.com
cchllttcnxvur.is-a-personaltrainer.com
xxoyqcpvhhjycp.is-a-personaltrainer.com
sbhmdtlxodrnnbsd.is-a-personaltrainer.com
gbhenbnngbsnqggqm.is-a-personaltrainer.com
hurvqrlsoihvmsdge.is-a-personaltrainer.com
thdrugkitlcwbhwhll.is-a-personaltrainer.com
xljgonmwrxntjygnghp.is-a-personaltrainer.com
niflgslwubsdiddjrfdd.is-a-personaltrainer.com

Wells Fargo "Check copy" spam / Copy_10292013.zip

These fake Wells Fargo spam messages have a malicious attachment:

Date:      Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:      Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

--------------------

Date:      Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From:      Wells Fargo [Leroy.Dale@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you. 
Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary.

The VirusTotal detection rate is just 3/47. Automated analysis [1] [2] shows an attempted connection to allisontravels.com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these.

gg

Monday 28 October 2013

Google Ads and #FFF7ED.. what's wrong with this picture?

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most expensive search terms to advertise for).

The first three results are advertisements, they are displayed on a very pale pink background with a hex colour of #FFF7ED (compared to #FFFFFF for pure white). Can you see them?

The answer seems to be.. some people can, and some people can't. Now, I am colour blind.. but sometimes I can see the background, but other times it appears to be completely invisible. It really seems to depend on the monitor that I'm using.. it does seem that quite a lot of displays are very poor at displaying that particular colour.

Frankly this sort of thing is poor design, with very similar contrast levels between the two areas that are meant to be distinguishable. The coloured area is about 97% of the brightness of the white area, which isn't enough to make it clear in my opinion.

Just in case you can't see the ads, here's the same screenshot with a histogram equalise function applied.

Here are the two colours side-by-side. You might find that moving your head from side-to-side will make the colour more apparent, but on some monitors it makes no difference.

The pink background is on the left. Can you see it? On some monitors I can, but on others I can't. So, let's take a photo of one of the monitors that seems to be struggling.

Can you see the difference now? Almost definitely not, because the slight red cast has vanished. And it isn't just one monitor either, this seems to be common among many different monitors that I have looked at. By and large, all these monitors are set to their default settings, but some fiddling around can usually make the background more apparent.. usually at the cost of some weird colours elsewhere.

There is of course a security issue here.. many of these ads lead are rather misleading. Do a search for download skype (or any other free download) and check the ads that appear (some of which are on the top rather than the side). Do you really want to click those?



No, you probably don't.. but there's a danger with more obscure software that you could end up downloading something that you don't want because the ads are not always easily distinguishable from the real search results. And I have certainly noticed an uptick in crapware installations for people who thought they were downloading an official version of something, only to discover that they are not.

And yes, I do know that the ads shows "Ads related to.." above them, but how many ads are there? One? Two? Three? If you can't see the colour then it is hard to tell.

Has something changed? Has Google deliberately chosen a colour that is hard to make out on some monitors? Or do some monitors (and these are mostly mainstream Dell units) have very poor colour fidelity? What do people thing?

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

       
From:     American Express [fraud@aexp.com]
Date:     28 October 2013 14:14
Subject:     Fraud Alert : Irregular Card Activity


Irregular Card Activity
                   
               
Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.


© 2013 American Express Company. All rights reserved.        

AMEX Fraud Department


The link in the email goes through a legitimate but hacked site and then runs of of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, listed below in italics.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com

kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com

           
                   
       

Sunday 27 October 2013

"You are a Mercedes-Benz winner !!!" spam

This is a slightly novel twist on an advanced fee fraud scam:

From:     Mercedes-Benz [desk_notification@yahoo.com]
Reply-To:     bmlot20137@live.com
Date:     27 October 2013 13:44
Subject:     You are a Mercedes-Benz winner !!!

Dear Recipient,

You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner:

QUESTION:

(1). What year was Mercedes-Benz found?
(a). 1946
(b). 1926
(c). 1936

(2). Who was the founder of Benz?
(a). Terry Benz
(b). Tom Benz
(c). Karl Benz

(3). In which country is the Benz Headquarter Located?
(a). Germany
(b). United Kingdom
(c). United State of America

Note that you are to send your answers along with your Full Name, Sex, Age, Phone Number, Country and Occupation.to our Fiduciary agent:

Mr.Richard Ashton
Email: bmlot20137@live.com
TEL: +44 703 590 2283
Fax: +44 871-247-6031

Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.

Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator
The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq).

You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise.

Saturday 26 October 2013

Never mind the NSA, here is LinkedIn Intro

LinkedIn recently announced LinkedIn Intro which is an add-in to the iOS mail app, allowing you do display a contact's LinkedIn data in the message you are reading by injected code into the datastream. This is of marginal use to most people, and many reader will recognise this as being something that annoying browser plugins have done for some time.

Despite LinkedIn's Pledge of Privacy, many people are concerned that LinkedIn is intercepting and reading your email. I don't believe that LinkedIn is at all interested in the content of your email, but I do believe that it is interested in finding out who you contact instead in order to sell its so-called "product" on to more and more people.

Here's a thing - I use LinkedIn under an assumed name, but somehow LinkedIn thinks that I may know various people. Now, some of those are obviously connected to my fake profile.. but then it suggested that I know my own wife. We obviously I do, but the fake profile has no connection to her.. so the only source of this information must have been our shared IP address at home.

Then LinkedIn goes on a data-mining spree and suggests that I know all my coworkers who I also share an IP address with - which is true, but the fake profile I created does not. So, it seems pretty clear that LinkedIn uses your IP address to match you up with others.

LinkedIn has often been accused of rummaging through people's mailboxes without permission, but in this case it was not possible as my LinkedIn account is not linked to any mailboxes and uses a different username and password, so IP address is the only logical source of this.

But one day my wife (an occasional LinkedIn user) reported something very creepy indeed.. it reported that she may know a relative of mine that she does not really ever contact. And then some time later, I had another relative pop up in my fake profile. Where the hell does this information come from?

I have several theories about what is going on, including a deep suspicion that LinkedIn creates shadow profiles of non-members, and that it also includes hidden data about the relationships of members as well.. but those are just my opinions and I have nothing concrete to back them up. But what I do know from playing around with fake profiles is that LinkedIn is extremely clever and building up a network of suggested contacts whether you want them to or not.

LinkedIn's primary resource is the personal connections of its users. And just possibly that extends to shadow profiles of non-users as well. And that brings us back to LinkedIn Intro.. the quickest way of building up a truly massive collection of data about personal relationships is to do a traffic analysis on their email. You don't need to know the content, but if you know who they send and receive emails from then you will easily enumerate their professional and personal relationships. And then you can monetise that.

In the end, it doesn't matter if you sign up for LinkedIn Intro or not, because if just one person in your email chain does us it, then there's the possibility that LinkedIn will slurp up all that data for its own use.

LinkedIn has been accused by some of being the creepiest social network, and some commentators have gone even deeper into the risks of using Intro. There's even a lawsuit claiming that LinkedIn hacked email contacts but actually I suspect that LinkedIn wouldn't even need to bother doing that as it is clearly very efficient in working out contacts without it.

I suspect that at some point the issue of LinkedIn's data gathering will become a big issue, and the company will either need to explain exactly how it collects its data or perhaps someone on the inside will leak it out. Are they doing something illegal? Probably not. Are they doing something very creepy? Almost definitely yes.

Friday 25 October 2013

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:

Date:      Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:      LloydsTSB [noreply@lloydstsb.co.uk]
Subject:      You have received a new debit
Priority:      High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

============================================================================
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.
Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't.

The VirusTotal detection rate is a so-so 13/47. Automated analysis [1] [2] shows an attempted connection to www.baufie.com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box.


Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)

5.175.171.89
5.231.40.197
5.231.47.92
31.210.112.28
42.121.84.12
60.199.253.165
63.251.135.19
78.100.140.171
81.91.159.212
103.28.255.207
112.124.27.158
146.185.147.26
161.24.16.127
181.41.200.191
186.3.101.235
186.151.240.197
186.251.180.205
189.1.169.28
196.40.9.113
211.71.99.66
223.30.27.251
acondorwoonkary120.com
avasdayspa.net
blackbox-e.net
bonds.su
carefordying.net
carrykeyboard.net
ceravdilicheskinevoz76.net
consumersshow.net
cormushkaneplohatak300.com
cronshtainymorenah55.net
derivatiexchange.com
dotier.net
dropdistri-butions.net
dulethcentury.net
ermeentroper110.com
ermirovaniedoom153.com
ermirovanievood152.com
ermxxrtroper210.com
eventlogselfn.net
excelledblast.net
foi.su
gormonnsnter105.net
gromydoonye250.com
groove.su
gumatexx.net
hdmltextvoice.net
idersnonvirus.com
introlinkage.com
introlinkage.su
jurassic-spa.net
kotzebuepolice.net
leedsprobate.net
lyvegetarians.net
mesmultimedia.com
milkdriver.com
mymulejams.net
nacase.net
ny-headsets.org
ordersdeluxe.com
pro-senioren.net
rojecttalkway.com
sandlord.com
stabilitymess.net
thetokion.com
uprisingquicks.net
zigbeejournal.net



Thursday 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:

Date:      Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From:      Elijah Parr [Elijah.Parr@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Elijah Parr

------------------------

Date:      Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From:      Greg Barnes [Greg.Barnes@linkedin.com]
Subject:      My resume

Attached is my resume, let me know if its ok.

Thanks,
Greg Barnes 
The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable.

VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1] [2].

Wednesday 23 October 2013

"Voice Message from Unknown" spam / VoiceMessage.exe

These bogus voice message spams have a malicious attachment:

Date:      Wed, 23 Oct 2013 19:17:42 +0530 [09:47:42 EDT]
From:      Administrator [voice8@victimdomain]
Subject:      Voice Message from Unknown (553-843-8846)

- - -Original Message- - -

From: 553-843-8846
Sent: Wed, 23 Oct 2013 19:17:42 +0530
To: [recipient list at victimdomain]
Subject: Important: to all Employee



Date:      Wed, 23 Oct 2013 08:36:24 -0500 [09:36:24 EDT]
From:      Administrator [voice3@victimdomain]
Subject:      Voice Message from Unknown (586-898-9333)

- - -Original Message- - -

From: 586-898-9333
Sent: Wed, 23 Oct 2013 08:36:24 -0500
To: [recipient list at victimdomain]
Subject:  Employees Only 



Date:      Wed, 23 Oct 2013 16:40:22 +0300 [09:40:22 EDT]
From:      Administrator [voice2@victimdomain]
Subject:      Voice Message from Unknown (998-948-7548)

- - -Original Message- - -

From: 998-948-7548
Sent: Wed, 23 Oct 2013 16:40:22 +0300
To: [recipient list at victimdomain]
Subject:  Employees Only

In each case there is an attachment VoiceMessage.zip which in turn contains an executable VoiceMessage.exe with an icon to make it look like an audio file.

Obviously this is malicious, and the detection rate at VirusTotal is a pretty poor 5/46. Automated analysis [1] [2] shows an attempted connection to glyphs-design.com on 212.199.115.173 (012 Smile Communications Ltd, Israel). Blocking that domain is probably prudent, however there are several hundred legitimate domains on the same server, so bear that in mind if you choose to block it.

Added:
The mail goes as far to include fake mail headers to suggest that the spam comes from inside the victim's network (when it does not). For example..
from unknown (192.168.1.88) by filter8.******** with QMQP; 23 Oct 2013 13:47:40 -0000
from unknown (HELO aexp.com) (203.193.165.78) by mxin1.******** with SMTP; 23 Oct 2013 13:48:41 -0000
from voice903.******** (10.0.0.168) by ******** (10.0.0.109) with Microsoft SMTP Server (TLS) id FUOMD6AZ; Wed, 23 Oct 2013 19:17:42 +0530
from voice5005.******** (10.179.13.59) by smtp.******** (10.0.0.34) with Microsoft SMTP Server id YEP40NNY; Wed, 23 Oct 2013 19:17:42 +0530

Tuesday 22 October 2013

ADP spam / abrakandabr.ru

This fake ADP spam leads to malware on abrakandabr.ru:

From:     ClientService@adp.com [ClientService@adp.com]
Date:     22 October 2013 18:04
Subject:     ADP RUN: Account Charge Alert

ADP Urgent Communication

Note ID: 33400

October, 22 2013
Valued ADP Partner

Account operator with ID 58941 Refused Yesterday Payroll Operation from your ADP account recently. Report(s) have been uploaded to the website:

Sign In here

Please see the following notes:

• Please note that your bank account will be debited within 1 banking day for the total shown on the Summary(s).

•  Please don't try to reply to this message. auto informer system can't accept incoming email. Please Contact your ADP Benefits Specialist.

This notification was sent to current clients in your system that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Note ID: 33400 



The link goes through a legitimate hacked site and then onto a malware landing page at [donotclick]abrakandabr.ru:8080/adp.report.php (if running Windows, else they get sent to adp.com). This is hosted on quite a lot of IP addresses:

69.46.253.241 (RapidDSL & Wireless, US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
163.18.62.51 (TANET, Taiwan)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156(PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.214.74.5 (BBC Cable, Bulgaria)

As mentioned before, this is either the return of the infamous RU:8080 gang, or it is somebody pretending to be the gang. But one rather peculiar factor is that in this case the bad guys only seem to have a small pool of servers that have been compromised for some time, and don't seem to have added any news ones.

Recommended blocklist:
69.46.253.241
91.205.17.80
111.68.229.205
114.32.54.164
118.163.216.107
163.18.62.51
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.214.74.5
abrakandabr.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru
hankoksuper.ru


Monday 21 October 2013

"Last Month Remit" spam / Remit_10212013.exe

This bogus remittance spam comes a malicious attachment:

Date:      Mon, 21 Oct 2013 15:08:15 +0100 [10:08:15 EDT]
From:      Administrator [docs9@victimdomain]
Subject:      FW: Last Month Remit

File Validity: 21/10/2013
Company : http://[victimdomain]
File Format: Office - Excel
Internal Name: Remit File
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Last month remit file.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to originate from the victim's own domain, and mentions that domain in the body of the text. The attachment also contains the victims domain in the format Remit_domain.tld.zip  which in turn contains a malicious executable with an icon designed to look like a Microsoft Excel file, in this case it is called Remit_10212013.exe but note that the date is encoded into the filename.

The malicious payload has a very low detection rate at VirusTotal of just 2/47. Automated analysis tools [1] [2] [3] show an attempted connection to p3-sports.com on 192.232.198.101 (Websitewelcome, US). There may be other infected domains on the same IP if previous patterns are repeated. Also, the malware appears to try to connect to the following IPs demonstrating a peer-to-peer capability.



Friday 18 October 2013

Malware sites to block 18/10/2013

These IPs and domains are associated with this spam run. Some of these servers have been compromised for some time by the looks of things. There's a plain list for copy-and-pasting at the end.

12.46.52.147 (Compact Information Systems / AT&T, US)
41.203.18.120 (Hetzner, South Africa)
62.75.246.191 (Intergenia, Germany)
62.76.42.58 (Clodo-Cloud / IT House, Russia)
69.46.253.241 (RapidDSL & Wireless, US)
70.159.17.146 (F G Wilson / AT&T , US)
91.205.17.80 (TOV Adamant-Bild, Ukraine)
94.102.14.239 (Netinternet , Turkey)
111.68.229.205 (NTT Communications, Japan)
114.32.54.164 (Chunghwa Telecom, Taiwan)
118.163.216.107 (Chunghwa Telecom, Taiwan)
140.174.98.150 (NTT America, US)
163.18.62.51 (TANET, Taiwan)
182.237.17.180 (Uclix, India)
201.151.0.164 (Alestra, Mexico)
202.6.120.103 (TSKL, Kiribati)
203.80.16.81 (MYREN, Malaysia)
203.114.112.156 (PhetchaboonHospital, Thailand)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.166.209.15 (Prox Communicator, Japan)
212.154.192.122 (Hoster.KZ, Kazakhstan)
213.5.182.144 (RackSRV Communications, UK)
213.143.121.133 (Wien Energie, Austria)
213.214.74.5 (BBC Cable, Bulgaria)

12.46.52.147
41.203.18.120
62.75.246.191
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
201.151.0.164
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5
alenikaofsa.ru
alionadorip.ru
dynamooblog.ru
inkrediblehalk.ru
intro2seo.ru

Added:
hankoksuper.ru is now active on those same IPs.

Dropbox spam leads to malware on.. errr.. dynamooblog.ru

Two days ago I wrote about the apparent return of the RU:8080.. well it appears that in order to celebrate their return, they've acknowledged my acknowledgement in the form of a malware landing page of dynamooblog.ru.

Well... hi guys. Things have been a bit quieter without you. Anyway, this is the latest spam email purportedly from Dropbox, and using the same template as used in this ThreeScripts spam run.


Date:      Fri, 18 Oct 2013 16:00:54 -0500 [17:00:54 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password
Priority:      High Priority 1

Hello [redacted].

We have a warning in our system that you recently tried to login in to Dropbox with a password that you haven't changed long time already. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Set New Password

Enjoy!
- The Dropbox Team    
    © 2013 Dropbox


The attack and payload is exactly the same as this one, and the executable is unchanged but now has a better VirusTotal detection rate of 29/48. The domain dynamooblog.ru was registered yesterday to the infamous Russian "Private Person" and is hosted on a lot of IPs that have been serving up Zbot for some time.

I'll have a closer poke at this network in a moment, but in the meantime this is my recommended blocklist:
dynamooblog.ru
12.46.52.147
41.203.18.120
62.76.42.58
69.46.253.241
70.159.17.146
91.205.17.80
94.102.14.239
111.68.229.205
114.32.54.164
118.163.216.107
140.174.98.150
163.18.62.51
182.237.17.180
202.6.120.103
203.80.16.81
203.114.112.156
210.56.23.100
210.166.209.15
212.154.192.122
213.5.182.144
213.143.121.133
213.214.74.5


Avaya "Voice Mail Message" spam with a malicious payload

This fake voice mail message appears to originate from within the victim's own domain (although that is just a forgery):

Date:      Fri, 18 Oct 2013 09:19:42 -0600 [11:19:42 EDT]
From:      Voice Mail Message [1c095eb9-fa18-74e5-b@victimdomain.com]
Subject:      Voice Mail Message ( 45 seconds )

This voice message was created by Avaya Modular Messaging. To listen to this voice
message,just open it.

Attached is a file VoiceATT0685424.zip which in turn contains a malicious executable VoiceMessageTT.exe with an icon to make it look like an audio file. This trick can work if users have decided to hide the extensions of files in Windows, a stupid default setting that has no doubt infected millions of Windows users over the years.

Of course, the .exe file is malware with a pretty low detection rate of just 3/48 at VirusTotal. Automated analysis [1] [2] [3] shows a connection to a domain called adamdevarney.com on 209.236.71.58 (Westhost, US) which has been seen twice before. This means that there are potentially hundreds of compromised domains on the same server, blocking traffic to the IP address will be the most effective way of giving yourself some protection.

"Microsoft Windows Update" phish

A random and untargeted attempt at phishing with a Windows Update twist.

From:     Microsoft Office [accounts-updates@microsoft.com]
Date:     17 October 2013 02:54
Subject:     Microsoft Windows Update

Dear Customer,

Evaluation period has expired. For information on how to upgrade your windows software please Upgrade Here.

Thank you,

Copyright © 2013 Microsoft Inc. All rights reserved.
The email originates from 66.160.250.236 [mail.andrustrucking.com] which is a trucking company called Doug Andrus Distributing.. so perhaps Microsoft are farming out the updates to a random Idaho company. Or perhaps they have had their email system compromised (maybe by someone using the same phishing technique).

Anyway, the link in the email goes to a legitimate but hacked site and then lands on a phishing page hosted on [donotclick]www.cycook.com/zboard//microsoft-update/index.php.htm. Despite the email saying "Windows Update", the landing page has had Office branding crudely pasted into it.


Entering your credentials simply takes you to a genuine Microsoft page:

Phishing isn't restricted to stuff like bank accounts, the spammers also like a fresh supply of email accounts to abuse, so as ever.. exercise caution.

Thursday 17 October 2013

"Scan from a Xerox WorkCentre" spam / A136_Incoming_Money_Transfer_Form.exe

The malware spammers are suffering from a chronic lack of imagination with this familiar fake printer spam:

Date:      Thu, 17 Oct 2013 13:01:52 -0600 [15:01:52 EDT]
From:      Incoming Fax [Incoming.Fax3@victimdomain.com]
Subject:      Scan from a Xerox WorkCentre

Please download the document.  It was scanned and sent to you using a Xerox multifunction device.

File Type: pdf
Download: Scanned from a Xerox multi~9.pdf

multifunction device Location: machine location not set
Device Name: Xerox1552


For more information on Xerox products and solutions, please visit http://www.xerox.com
Attached is an executable file Scanned from a Xerox multi~6.zip which in turn contains a file A136_Incoming_Money_Transfer_Form.exe which has a VirusTotal detection rate of 6/48.

Automated analysis [1] [2] [3] shows a connection to cushinc.com on 209.236.71.58 (Westhost, US). This is the same server as seen yesterday, so  my best guess is that the server is compromised and potentially all the 600+ domains on it are too. Blocking that IP address may be prudent.

Wednesday 16 October 2013

"Atlantics Post LLC" fake job offer

A bit of Money Mule recruiting that isn't really trying very hard..
Date:      Wed, 16 Oct 2013 14:54:34 -0300 [13:54:34 EDT]
From:      Atlantics Post [misstates7@compufort.com]
Subject:      Career with Atlantics Post LLC

Atlantics Post LLC is now hiring for a Shipping Clerk. If You are young, enthusiastic person. Looking for a great job opportunity with a stable in come this job is for you.

Duties:
Receive packages at workplace (out of home possition);
Transfer the packages to our business partners nationwide;
Keeping accurate records of operations and report them

Requirements:
- Thorough knowledge of quality improvement techniques and experience with process and service delivery improvement.
- Strong ability to analyze, organize and simplify complex processes and data.
- Exceptional attention to detail.
- Considerable experience with data reporting systems.
- Leisure business experience an asset.
- Flexible, adaptable to change, and resourceful in the face of shifting priorities and demands.

WHAT'S NEXT?
If you have any questions, you can call our toll-free number 866-652-8106.
If you are interested in this opportunity, please submit your resume by e-mail JoyDugganagg@yahoo.com or fax (904-212-0897).

Originating IP is 181.165.70.97 in Argentina. Avoid.

LinkedIn spam / Contract_Agreement_whatever.zip

This fake LinkedIn spam has a malicious attachment:

Date:      Wed, 16 Oct 2013 11:57:55 -0600 [13:57:55 EDT]
From:      Shelby Gordon [Shelby@linkedin.com]

Attached is your new contract agreements.

Please read the notes attached, then complete, sign and return this form.

Shelby Gordon
Contract Manager
Online Division - LinkedIn
Shelby.Gordon@linkedin.com
Office: 302-449-8859 Ext. 33
Direct: 302-184-9426

This email was intended for dynamoo@spamcop.net.
© 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The attachment has the format Contract_Agreement_recipientname.zip and in turn contains a malicious executable Contract_Agreement_10162013.exe (note the date encoded into the filename). VirusTotal detections are 10/48.

Automated analysis tools [1] [2] [3] show an attempted connection to miamelectric.com on 209.236.71.58 (Westhost, US). I recommend that you block outbound traffic to that particular domain.

Pinterest spam, alenikaofsa.ru and the return of the RU:8080 gang?

This fake Pinterest spam leads to a malicious download on alenikaofsa.ru:

Date:      Wed, 16 Oct 2013 12:03:11 -0300 [11:03:11 EDT]
From:      Pinterest [pinbot@pinterest.biz]
Subject:      Your Facebook friend Andrew Hernandez joined Pinterest

A Few Updates...
[redacted]
   
Andrew Hernandez    

Your Facebook friend Andrew Hernandez just joined Pinterest. Help welcome Carol to the community!
   
Visit Profile
       
Happy pinning!

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
Andrew is a pretty feminine looking bloke. The link in the email goes through a legitimate hacked site and then ends up on a fake browser download page (report here) that attempts to download [donotclick]alenikaofsa.ru:8080/ieupdate.exe  which has a VirusTotal detection rate of just 1/48 (only Kaspersky detects it.. again).

The ThreatTrack report [pdf] looks like peer-to-peer Zeus to be, the Malwr report and Comodo CAMAS report also give some insight.

alenikaofsa.ru is registered to the infamous Russian "private person" and is hosted on the following IPs:
62.75.246.191 (Intergenia AG, Germany)
69.46.253.241 (RapidDSL & Wireless, US)
The domain alionadorip.ru is also hosted on these IPs.

What's interesting is that 69.46.253.241 was seen here months ago, which makes this look like the unwelcome return of the RU:8080 gang after a long absence.

Recommended blocklist:
62.75.246.191
69.46.253.241
alenikaofsa.ru
alionadorip.ru

Footnote:
The malware page uses a similar script to that used here although with the rather cheeky comment

// It's "cool" to let user wait 2 more seconds :/



Tuesday 15 October 2013

"Payroll Received by Intuit" spam / payroll_report_147310431_10112013.zip

This fake Intuit spam comes with a malicious attachment:

Date:      Tue, 15 Oct 2013 16:20:40 +0000 [12:20:40 EDT]
From:      Intuit Payroll Services IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on October 11, 2013 at 4:41 PM .

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services

IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2013 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706 
The attachment is payroll_report_147310431_10112013.zip which in turn contains payroll_report_10112013.exe (note the date is encoded into those files).

That executable currently has a detection rate of 9/46 at VirusTotal. Automated analysis [1] [2] [3] shows that it attempt to make a connection to mtfsl.com on 184.22.215.50 (Network Operations Center, US). Blocking those temporarily may give some protection against any additional threats using that server.

USPS spam / Label_ZFRLOADD5PGGZ0Z_USPS.zip

This fake USPS spam has a malicious attachment:

Date:      Tue, 15 Oct 2013 09:36:02 -0500 [10:36:02 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPSZFRLOADD5PGGZ0Z
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You 
There is an attachment Label_ZFRLOADD5PGGZ0Z_USPS.zip which contains a malicious executable Label_101513_USPS.exe (note the date encoded into the filename).

VirusTotal shows just 4/46 vendors detect it at present. Automated analysis [1] [2] [3] shows an attempted communication with traderstruthrevealed.com on 103.8.27.82 (SKSA Technology, Malaysia).

There is also another email using this format with the same payload.

Recommended blocklist:
103.8.27.82
traderstruthrevealed.com

Monday 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)
67.207.155.24 (Rackspace, US)
69.163.40.39 (DirectSpace LLC, US)
71.91.8.200 (Charter Communications , US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
108.206.235.75 (AT&T, US)
109.71.136.140 (OpWan, France)
112.124.27.158 (Alibaba Advertising Co, China)
125.20.14.222 (Price Water House Cooperation, India)
146.185.147.26 (Digital Ocean, Netherlands)
165.132.27.59 (Yonsei, Korea)
176.56.228.134 (Routelabel / WeservIT, Netherlands)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
195.225.58.43 (C&A Connect SRL, Romania)
198.71.82.48 (Enzu Inc, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
222.127.21.35 (Network IP, Philippines)
223.30.27.251 (Sify Limited, India)

24.111.103.183
42.121.84.12
59.99.226.17
60.199.253.165
62.141.46.8
65.189.35.129
67.207.155.24
69.163.40.39
71.91.8.200
78.100.140.171
81.91.159.212
103.28.255.207
108.206.235.75
109.71.136.140
112.124.27.158
125.20.14.222
146.185.147.26
165.132.27.59
176.56.228.134
186.3.101.235
186.151.240.197
186.251.180.205
195.225.58.43
198.71.82.48
208.115.114.69
211.71.99.66
222.127.21.35
223.30.27.251
acomboramboarmiab722.net
acormushkivsenamizv992.net
altertraveldream.com
ampala.net
attitude.su
autodlakobiety.net
avasdayspa.net
beo.su
bnamecorni.com
catdigest.net
cormoviedobavkikemm200.com
cormoviedobavkitenn100.com
cremoviedobavkimoj53.net
cronshtainymorenah55.net
crovlianemoyaahule52.net
diggingentert.com
dotier.net
dropdistri-butions.net
dulethcentury.net
eeemoskoymany560.com
ejanormalteene250.com
enanisgotttornee564.com
ermirovaniedoom153.com
ermirovanienony151.com
ermirovanievood152.com
excelledblast.net
fertsonline.net
gjoonalitikeer310.com
glums.net
gormonigraetnapovalahule26.net
grndstyle.ru
groove.su
hdmltextvoice.net
idersnonvirus.com
instotsvin.ru
introlinkage.com
lodanart.net
micnetwork100.com
mobile-unlocked.net
mymulejams.net
nokiasharethelove.net
nvufvwieg.com
ollerblogging.net
ordersdeluxe.com
primthaispa.net
pro-senioren.net
rentimpress.com
robberypolice.net
rojecttalkway.com
rolotto.net
scoutmoor.net
securesmartconnect.net
servidorestable.net
simplesso.com
skather.net
smartsecureconnect.net
smdserver.net
spottingculde.com
streetgreenlj.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
tumble.su
u-janusa.net
uprisingquicks.net
vip-proxy-to-tor.com
whosedigitize.net
wingsawards.net
workathomeuk.net