Sponsored by..

Friday, 29 November 2013

Registered Express Corporation (RGTX) pump and dump spam

It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!
Subject: Our analysis right on the MONEY!
Subject: Seven Reasons To Love This Company
Subject: Breakout coming!
Subject: Get Ready for Another Money Making New Trade Idea Tomorrow
Subject: What a HUGE day we had!

Over The Counter Morning Highlight! Land Your Orders In Early
To Gain Big!!!

Registered Express Corporation (RG TX)
Per share price: 0.0148

Safe, Reliable, Secure. Confirmable Shipment of Electronic
Docs.


---
Это сообщение свободно от вирусов и вредоносного ПО благодаря защите от вирусов avast!
http://www.avast.com

=========

Pink Sheet AM Alarm! Obtain Your Orders In Early To Score
Large!!!

Registered Express, Corp. (R_G-T X)
Buy at: $0.0148

Secure, Safe, Reliable. Verifiable Transfer of E-Documents.

=========

Pink Sheet Daily Signal! Pull Your Buy Order In Soon To Rack Up
Huge.

REGISTERED EXPRESS, CORP. (R-G T X)
Latest Pricing: .0148

Safe, Reliable, Secure!!! Verifiable Delivery of Electronic
Documents.

=========

Exchange Morning Signal! Pull Your Buy Order In Beforehand To Rack Up
Massive.

Registered Express Corporation (R_G T X)
Priced at: .0148

Secure, Safe, Reliable! Correct Delivery of E-Documents.

=========

Happy Turkey Day

Exchange Morning Alert! Score Your Buy Order In Quick To Gain
Massive!!!

Registered Express Corp (RG_TX)
Last Trade: $0.0148

Safe, Secure, Reliable!!! Confirmable Transmission of E-Docs.

=========

Pink Sheet AM Alarm!!! Grab Your Buy Order In Quick To Gain Big!!!

Registered Express Corporation (R-G-T X)
Now: .0148

Secure, Safe, Reliable. Confirmable Consignment of E-Docs.
The spam volumes are not as high as some previous pump-and-dump runs, and the first incident that I can see is on Saturday 23rd November, a typical approach to try to pump the market when it opens on Monday morning.

RGTX has been through a few incarnations, most recently as a firm specialising the the secure transmission of electronics documents. According to its own reports [1] [2] this firm has never had an income, holds no notable cash reserves and basically borrows cash against its own intellectual property and business value. Registered Express says that it is a business in development, it is not clear if and when it will ever start to make an income.

A look at the stock charts show that shares are traded in moderate volumes. On the 21st and 22nd November (before the spam run) a total of 849,477 shares were traded, about ten times the volume of the previous two days.


We know from past experience that either the spammers or another involved part will move in and buy stock before the spam run. I estimate that about 750,000 shares were bought in this way at between $0.012 and $0.020.  Since then about three million shares have been traded, presumably people being motivated by the spam run or who are simply following the increase in volume with a speculative buy.

The folks at RGTX are probably not involved in the spam run. My previous analysis on these stocks indicates that these stocks are usually in terminal decline. Buying stocks on the basis of a spammed email would be exceptionally foolish and should be avoided.

Wednesday, 27 November 2013

"ADP - Reference #274135902580" spam / Transaction.exe

Is it Salesforce or ADP? Of course.. it is neither.

Date:      Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      ADP - Reference #274135902580

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #274135902580

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48.
Malwr reports an attempted connection to seribeau.com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several hundred legitimate web sites on it, and it is not possible to determine if these are clean or infected.

Tuesday, 26 November 2013

Something evil on 46.19.139.236

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

ihavefound.boostprep.com
greedka.byjohnwhitaker.com
green.byjohnwhitaker.com
calc.clermontjumps.com
createmore.clermontjumps.com
freesam.clermontjumps.com
team.clermontjumps.com
breast.ddghost.com
edit.ddghost.com
podkast.ddghost.com
fingerpro.golfrangefinderpro.com
goingup.golfrangefinderpro.com
hksnet.golfrangefinderpro.com
wolfram.golfrangefinderpro.com
bracers.harrismetals.net
cupholder.harrismetals.biz
marriage.harrismetals.biz
materials.harrismetals.biz
stockings.harrismetals.biz
resume.hemorrhoidhometreatmentremedy.com
automatic.herdprogram.com
changed.herdprogram.com
selection.herdprogram.com
variator.herdprogram.com
customers.houston-heights-realtor.com
employee.houston-heights-realtor.com
management.houston-heights-realtor.com
salesmanager.houston-heights-realtor.com
trunam.migweldersforsale.org
demonstration.modelagent.com
promotion.modelagent.com
resume.modelagent.com
servers.modelagent.com
grand.q-host.com
coaches.redbrickplayers.org
concrete.redbrickplayers.org
fiit.redbrickplayers.org
newone.redbrickplayers.org
teams.redbrickplayers.org
button.roadally.org
cars.roadally.org
forums.roadally.org
honest.shattertag.com
server.shattertag.com
service.shattertag.com
tagger.shattertag.com
enter.skillstuff.com
horners.skillstuff.com
sim4you.skillstuff.com
skill.skillstuff.com
urllink.skillstuff.com
servers.sleepets.com
somethingnew.sleepets.com
buddies.southlakehosting.com
goodie.southlakehosting.com
goodluck.southlakehosting.com
honest.southlakehosting.com
namefiest.sugarlandtxhouses.com
soft4you.sugarlandtxhouses.com
blogs.treatmentforeczemaguide.com
disconnected.treatmentforeczemaguide.com
italia.treatmentforeczemaguide.com
template.treatmentforeczemaguide.com
ball.wildbounce.com
savannah.wildbounce.com

These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked. Ones listed in italics have been flagged as malicious by Google:
boostprep.com
byjohnwhitaker.com
clermontjumps.com
ddghost.com

golfrangefinderpro.com
harrismetals.net
harrismetals.biz
hemorrhoidhometreatmentremedy.com

herdprogram.com
houston-heights-realtor.com
migweldersforsale.org

modelagent.com
q-host.com

redbrickplayers.org
roadally.org
shattertag.com
skillstuff.com
sleepets.com
southlakehosting.com

sugarlandtxhouses.com
treatmentforeczemaguide.com
wildbounce.com

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe


This fake Facebook message comes with a malicious attachment:

Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password!

facebook
Hello,

You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Didn't request this change?
If you didn't request a new password, let us know immediately.

This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42. Automated analysis tools [1] [2] [3] shows attempted connections to developmentinn.com on 38.102.226.252 (Cogent, US) and spotopia.com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or note.

Monday, 18 November 2013

0844 number scam (08445715179)

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:

ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that the calls to an 0844 number can cost up to 40p per minute (see more details here), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill.

Sadly, I don't know who is behind this scam, and in this case it was illegally sent to a TPS-registered number.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO who may be able to take more serious action against these spammers.

Friday, 15 November 2013

RingCentral "Bank of America" fax message spam / 442074293440-1116-084755-242.zip

This fake fax message email has a malicious attachment:

Date:      Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From:      RingCentral [notify-us@ringcentral.com]
Subject:      New Fax Message on 11/15/2013 at 09:51:51 CST

You Have a New Fax Message

From
Bank of America

Received:
11/15/2013 at 09:51:51 CST

Pages:
5
   
To view this message, please open the attachment.

Thank you for using Ring Central .


There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious exectuable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1] [2] show an attempted connection to aspenhonda.com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been hacked, it is not possible to tell if the entire server is compromised but there are other legitimate sites on that box.

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

5.175.173.219 (GHOSTnet, Germany)
5.231.66.192 (GHOSTnet, Germany)
23.90.28.12 (ServerHub Dallas, US)
46.4.47.20 (Hetzner, Germany)
46.4.47.21 (Hetzner, Germany)
46.4.47.22 (Hetzner, Germany)
88.198.57.178 (Hetzner, Germany)
88.200.98.137 (Studentski domovi v Ljubljani, Slovenia)
91.186.19.48 (Simply Transit, UK)
92.48.122.132 (Simply Transit, UK)
108.170.54.251 (eWebGuru, India / Secured Servers, US)
109.200.4.114 (Redstation, UK)
109.123.127.228 (UK2, UK)
141.8.225.5 (Rook Media, Switzerland)
151.236.49.136 (Simply Transit, UK)
153.153.19.23 (Open Computer Network, Japan)
181.41.193.168 (Host1plus Brazil, Chile)
184.22.246.31 (Network Operations Center, US)
184.82.62.95 (Network Operations Center, US)
188.227.161.26 (Redstation, UK)
198.52.243.229 (Centarra Networks, US)
199.68.199.178 (Lightwave Networking, US)
213.229.90.199 (Simply Transit, UK)

The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):

1.165.101.158 (Chunghwa Telecom, Taiwan)
6.79.15.154 (USAISC, US)
31.83.89.143 (Orange PCS, UK)
62.75.232.182 (Eurostream, Lithunia / Intergenia AG, Germany)
78.188.5.201 (Turk Telekom, Turkey)
85.25.152.130 (Intergenia AG, Germany)
87.98.136.239 (OVH, France)
91.121.199.45 (OVH, France)
95.143.32.212 (Inline Internet, Germany)
188.138.10.29 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.10.30 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.78.229 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.232 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.248 (Stepan Alexander Mereuta, Moldova / Intergenia AG, Germany)
196.44.161.31 (Dar Es Salaam University, Tanzania)
198.52.240.8 (Avante Hosting Services, Canada)
217.172.187.9 (Intergenia AG, Germany)

These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su


Recommend IP blocklist (nameservers are in italics):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199

1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9

Thursday, 14 November 2013

Malware sites to block 14/11/2013 (Caphaw)

These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178
astats.su
blinking-imgs.su
careservice.su
collectserv.su
digital-in-one.cc
dig-services.at
eguards.cc
estatus.cc
fooyuo.cc
giuchito.cc
higuards.su
iestat.cc
inetprotections.cc
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
limited-hsbc.com
llc-services.su
nomorefees.cc
online-verification.su
peguards.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
up-stores.cc
veeceefi.cc
webstats.su
wgate.su

Wednesday, 13 November 2013

The EXE-in-ZIP spam storm continues

Two more EXE-in-ZIP spams.. the first is a terse one with a subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" not much else with a malicious EXE-in-ZIP (VoiceMessage.zip) attachment with VirusTotal score of 7/46 which calls home [1] [2] [3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel)

The second one is a fake Wells Fargo spam similar to this:

We have received this documents from your bank, please review attached documents.

Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.  
In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47 and calls home [4] [5] [6]  to kidgrandy.com on 184.154.15.190 (Singlehop, US).

Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter.

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:

Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP89759 

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47, automated analysis tools [1] [2] [3] shows an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP.

"Rodrigo Sawyer and Associates" fake job offer

This laughable primitive fake job offer is recruiting for money mules, package reshipping or some other scam.

From:     RSA-CAREER! [anthonykather1@gmail.com]
Reply-To:     anthonykather1@gmail.com
Date:     12 November 2013 20:43
Subject:     please read


Hi...
  We Have a PT/job. we pay $250 per job and we want you to participate.
Your job is only to act as a regular customer and conduct normal business, Customer service is valuable.

If interested,send the information below after which we would send you an application form

   1. FuII N4ME :
   2. FullAdress :
   3. Stte | Cty :
   4. CodZ!p :
   5. Phones :
   6.Alternate E-mail:
   7. O.c.c.u.p.a.t.i.o.n :

Your response would be greatly appreciated.

Sincerely,
Rodrigo sawyer and associates.
Originating IP is pro1042.server4you.de [62.75.181.174]. Avoid.

Tuesday, 12 November 2013

"2012 and 2013 Tax Documents; Accountant's Letter" spam / tax 2012-2013.exe

This fake tax spam comes with a malicious attachment:

Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      FW: 2012 and 2013 Tax Documents; Accountant's Letter

I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission. 
Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.

VirusTotal detection rates are 17/47. Automated analysis tools [1] [2] show an attempted connection to nishantmultistate.com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea.




"Important - New Outlook Settings" spam / Outlook.zip

This spam email has a malicious attachment:

Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that).

Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.

The detection rate at VirusTotal is 5/45. Automated analysis tools [1] [2] show an attempted connection to dchamt.com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean.

"You have received new messages from HMRC" spam, HMRC_Message.zip and qualitysolicitors.com

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:

Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.

Automated analysis tools [1] [2] show that it attempts to communicate with alibra.co.uk  on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:

[donotclick]synchawards.com/a1.exe
[donotclick]itcbadnera.org/images/dot.exe

a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23/forum/viewtopic.php
[donotclick]new.data.valinformatique.net/5GmVjT.exe
[donotclick]hargobindtravels.com/38emc.exe
[donotclick]bonway-onza.com/d9c9.exe
[donotclick]friseur-freisinger.at/t5krH.exe

dot.exe has a much lower detection rate of 6/47, ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.

a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.

Recommended blocklist:
59.106.185.23
new.data.valinformatique.net
hargobindtravels.com
bonway-onza.com
friseur-freisinger.at
synchawards.com
itcbadnera.org
alibra.co.uk


Dynamic DNS sites you might want to block, 12/11/13

These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abuse by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will block some legitimate sites, primarily webcams and access to home PCs.. so bear this in mind if you choose to do so.

Sites below listed in yellow  have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL. The links go to the Google diagnostic page.

at-band-camp.net
barrel-of-knowledge.info
barrell-of-knowledge.info
besteverydns.com
better-than.tv
bitferret.com
bitferret.net
bitferret.org
blogdns.com
blogdns.net
blogdns.org
blogsite.org
boldlygoingnowhere.org
broke-it.net

buyshouses.net
cechire.com
certaindns.com
certaindns.net
certaindns.org
damnserver.org
ddns-example-1.com
ddns-example-2.com
ddns-example-3.com
depower2go.com
dinedns.com
dinedns.net
dinedns.org
dns-gateway.net
dnsalias.com
dnsalias.net
dnsalias.org

dnscog.org
dnsdojo.com
dnsdojo.net
dnsdojo.org
dnsforall.net
dnsforall.org
dnsinc.org
dnssettings.com
dnssettings.info
dnssettings.net
dnssettings.org
dnssetup.info
does-it.net
doesntexist.com
doesntexist.org
dontexist.com
dontexist.net
dontexist.org
doomdns.com
doomdns.org
dvrdns.org
dyn-o-saur.com
dynalias.com
dynalias.net
dynalias.org

dynamic-dns-server.org
dynathome.net
dyndn.org
dyndns.biz

dyndns.cn
dyndns.info
dyndns.tv
dyndns.ws

dynds.org
dyndsn.net
dyndsn.org
editdns.net
edudns.org
est-a-la-maison.com
est-a-la-masion.com
est-le-patron.com
est-mon-blogueur.com
everydns.com
everydns.net
for-better.biz
for-more.biz
for-our.info
for-some.biz
for-the.biz
from-ak.com
from-al.com
from-ar.com

from-az.net
from-ca.com
from-co.net
from-ct.com
from-dc.com
from-de.com
from-fl.com
from-ga.com
from-hi.com

from-ia.com
from-id.com
from-il.com
from-in.com
from-ks.com

from-ky.com
from-la.net
from-ma.com
from-md.com
from-me.org
from-mi.com
from-mn.com
from-mo.com

from-ms.com
from-mt.com
from-nc.com
from-nd.com
from-ne.com
from-nh.com
from-nj.com
from-nm.com
from-nv.com

from-ny.net
from-oh.com
from-ok.com
from-or.com
from-pa.com
from-pr.com
from-ri.com
from-sc.com
from-sd.com
from-tn.com
from-tx.com
from-ut.com
from-va.com
from-vt.com
from-wa.com
from-wi.com
from-wv.com
from-wy.com
ftpaccess.cc
fuettertdasnetz.de
game-host.org
game-server.cc
getmyip.com
gets-it.net
gotdns.co.uk
gotdns.com
gotdns.org
groks-the.info
groks-this.info
guilded.org
ham-radio-op.net
here-for-more.info
hobby-site.com

hobby-site.org
homedns.org
homeftp.net
homeftp.org
homeip.net
homelinux.com
homelinux.net
homelinux.org
homeunix.com
homeunix.net
homeunix.org

in-the-band.net
invaliddns.com
ipupdate.org
is-a-anarchist.com
is-a-blogger.com
is-a-bookkeeper.com

is-a-bruinsfan.org
is-a-candidate.org
is-a-caterer.com
is-a-celticsfan.org
is-a-chef.com
is-a-chef.net

is-a-chef.org
is-a-conservative.com
is-a-cpa.com
is-a-cubicle-slave.com
is-a-democrat.com
is-a-designer.com
is-a-doctor.com

is-a-financialadvisor.com
is-a-geek.com
is-a-geek.net
is-a-geek.org

is-a-green.com
is-a-guru.com
is-a-hard-worker.com
is-a-hunter.com
is-a-knight.org

is-a-landscaper.com
is-a-lawyer.com
is-a-liberal.com
is-a-libertarian.com
is-a-linux-user.org
is-a-llama.com
is-a-musician.com
is-a-nascarfan.com
is-a-nurse.com
is-a-painter.com
is-a-patsfan.org
is-a-personaltrainer.com
is-a-photographer.com
is-a-player.com
is-a-republican.com
is-a-rockstar.com
is-a-socialist.com
is-a-soxfan.org
is-a-student.com

is-a-teacher.com
is-a-techie.com
is-a-therapist.com
is-an-accountant.com
is-an-actor.com

is-an-actress.com
is-an-anarchist.com
is-an-artist.com
is-an-engineer.com
is-an-entertainer.com
is-by.us
is-certified.com
is-found.org
is-gone.com
is-into-anime.com
is-into-cars.com
is-into-cartoons.com
is-into-games.com
is-leet.com
is-lost.org
is-not-certified.com
is-saved.org
is-slick.com
is-uberleet.com
is-very-bad.org
is-very-evil.org
is-very-good.org
is-very-nice.org
is-very-sweet.org
is-with-theband.com
isa-geek.com
isa-geek.net
isa-geek.org
isa-hockeynut.com
issmarterthanyou.com
isteingeek.de
istmein.de
it-geek.net
kicks-ass.net
kicks-ass.org
knowsitall.info
land-4-sale.us
lebtimnetz.de
leitungsen.de
likes-pie.com
likescandy.com
listhop.com
listhop.net
listhop.org
merseine.nu
mine.nu
misconfused.org
mydyndns.biz
mydyndns.com
mydyndns.info
mydyndns.net
mydyndns.org
mypets.ws
myphotos.cc
neat-url.com
no-ip.tv
office-on-the.net
on-the-web.tv
podzone.net
podzone.org
readmyblog.org
revyxorp.com
saves-the-whales.com
scrapper-site.net
scrapping.cc
scriptkiddie.net
sec-dns.net
secondary.net
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
sells-for-less.com
sells-for-u.com
sells-it.net
sellsyourhome.org
servebbs.com
servebbs.net
servebbs.org
serveftp.net
serveftp.org
servegame.org
shacknet.nu
simple-url.com
smallbizdns.com
smallbizdns.net
smallbizdns.org
space-to-rent.com
stuff-4-sale.org
stuff-4-sale.us
teaches-yoga.com
thruhere.net
tomdaly.org
traeumtgerade.de
webhop.biz
webhop.info
webhop.net
webhop.org
worse-than.tv
writesthisblog.com


Monday, 11 November 2013

"Identity Issue #PP-716-097-521-587" spam / Identity_Form_04182013.zip

For some reason EXE-in-ZIP attacks are all the rage at the moment, here is a fake spam pretending to be from PayPal with a malicious attachment:

Date:      Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-716-097-521-587

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-D503YC19DXP3

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP51954 
Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which as you might guess is malicious. VirusTotal detections are 16/47, and automated analysis [1] [2] shows an attempted connection to trc-sd.com which is the same domain seen in this attack.

"To all Employees - Confidential Message" spam / To All Employees 2013.zip.exe

This fake "all employees" email comes with a malicious attachment:

Date:      Mon, 11 Nov 2013 11:28:29 +0000 [06:28:29 EST]
From:      DocuSign Service [dse@docusign.net]
Subject:      To all Employees - Confidential Message

                                                                                         
                                                Your document has been completed         
                                                                                         
                                                                                         
                   Sent on behalf of administrator@victimdomain.                          
                                                                                         
                                                                                         
                          All parties have completed the envelope 'Please DocuSign this
document: To All Employees 2013.doc'.                        To view or print the
document download the attachment .                                                       
                                                                                         
                                                                                         
                                                                      (self-extracting
archive, Adobe PDF)                                                               This
document contains information confidential and proprietary to spamcop.net                
                                                                                         
     LEARN MORE:   New Features  |  Tips & Tricks  |  Video Tutorials                    
                                                                                         
                                                                                         
                                                                                         
             DocuSign. The fastest way to get a signature.                        If you
have questions regarding this notification or any     enclosed documents requiring your
signature, please contact the sender     directly. For technical assistance with the
signing process, you can email support.                        This message was sent to
you by administrator@victimdomain who is using the DocuSign Electronic Signature Service.
If you would rather not receive email from this sender you may contact the sender with
your request.
The attachment to the email is called To All Employees 2013.zip which contains To All Employees 2013.zip.exe which has an icon that makes it look like a PDF file. This malicious file has a VirusTotal detection rate of 7/47.

Automated analysis [1] [2] shows a callback to trc-sd.com on 121.127.248.74 (Sun Network, Hong Kong). This IP address hosts several legitimate sites, so bear that in mind if you block the IP.

"Consumer Benefit Ltd" adware sites to block

A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NET
descr:          Consumer Benefit LTD
descr:          Suite F 1st floor, New City Chambers
descr:          36 Wood Street
descr:          WF1 2HB Wakefield
country:        GB
admin-c:        KH2166-RIPE
tech-c:         PLN
status:         ASSIGNED PA
mnt-by:         PLUSLINE-MNT
source:         RIPE # Filtered


The problem is that there is no active company in the UK called Consumer Benefit Ltd.. there was a short-lived Manchester company number 06505446 which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.

Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address:

Registry Registrant ID:
Registrant Name: whois Protect Service
Registrant Organization:
Registrant Street: Suite F 1st floor, New City,
Registrant Street: Chambers, 36 Wood Street
Registrant City: Wakefield
Registrant State/Province: GB
Registrant Postal Code: WF1 2HB
Registrant Country: GB
Registrant Phone: +44.7077087721
Registrant Phone Ext:
Registrant Fax: +44.7077087502
Registrant Fax Ext:
Registrant Email: whois@sl.to


One .com using services in this range with apparently genuine details is ns-lookups.com:

Registry Registrant ID:
Registrant Name: Andrea Bégerová
Registrant Organization: BA Market Slovakia s. r. o.
Registrant Street: Klincová 37/B
Registrant City: Bratislava
Registrant State/Province: Slovenská Republika
Registrant Postal Code: 821 08
Registrant Country: SK
Registrant Phone: +421.259348122
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@bam-sk.com


Also hosted are some .to domains with anonymous registration, plus some German domains the only one of which with reliable WHOIS details seems to be gutscheinfilter.de registered to:

Type: PERSON
Name: Frank Dümpelmann
Organisation: Domport GmbH & Co KG
Address: Markt 32
PostalCode: 18273
City: Güstrow
CountryCode: DE
Phone: +49-9001-118840
Fax: +49-9001-118860
Email: adminc@domport.de


Domport seem to be invovled in domain parking and they have their own range of 212.19.39.192/28 that they use for this.

The adware in question attempted to call home to the following URLs:
f05e0362515f5125.srv.gutscheinfilter.de
dce645501bc1af9f.srv.ns-lookups.com
a.ns-lookups.com/updatecheck

Anyway, the following domains and IPs are all part of these "Consumer Benefit Ltd ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28
awsmazon.com
beelboon.com
htmladserver.com
tradesdoubler.com
ad-googlelinks.com
zanox-afiliate.com
linktrackingnet.com
googlesyntication.com
ns-lookups.com
download-web-shield.com
linkvista.de
adcall.de
gutscheinfilter.de
ebayrt.com
score.to
uses.to
vill.to
howto.to
setup.to
thats.to
trans.to
public.to
public-load.com
goal.to
vree.to
64-up.to
feeds.to
stopp.to
64-bit.to
hunter.to
trends.to
win-64.to
maps-24.to