Showing posts with label .SU. Show all posts

Tuesday, 8 September 2015

ipserver.su, 5.133.179.0/24 and 212.38.166.0/24

A follow-up to this post, I took a look at the netblocks 5.133.179.0/24 and 212.38.166.0/24 suballocated to:

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE


I'm going to say straight away that my methodology is flawed, but I will share what I have. Very many IPs in this range have hosted badness in the past year-and-a-bit (e.g. 5.133.179.165), mostly using subdomains, to the extent that there are too many sites to analyse easily if I take the data from a passive DNS service.

Instead, I elected to use the DomainTools reverse DNS which limits the results to domains only (not subdomains) and these are mostly active sites. Running the list through my analyser checks that the IPs are valid, and would normally tell me things such as the Google Safebrowsing Diagnostics and SURBL rating.

Here's what is odd. None of the sites that I found [pastebin] have a negative reputation. I would expect to see about 1% in a normal sample, but out of 399 sites it comes back with zero. In fact, none of these sites seem to have any web presence at all, and all the ones that I have tried come back with almost no references on Google.

I am going to suggest that there is nothing of value in these IP ranges, and given that .SU domains have historically had a bad reputation, my suggestion is that you block traffic to:

5.133.179.0/24
212.38.166.0/24

In the meantime I will continue digging..

Evil network: 89.144.2.0/24 / spoofing Echo Romeo LLP (AS199762)

This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner of 89.144.2.0/24, which seems to be almost completely full of spam, scam and malware sites.

UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for more.

Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

89.144.2.85
topinvestmentnews.com
news-finance-today.com

89.144.2.86
profit-method.biz
thesknews.com
huffnewstoday.com
businessnewsclub.com
businessdailygroup.com
investmentnewstoday.com

89.144.2.157
24-finances-news.com
finance-news-cbm.com

89.144.2.158
finances24-news.com
businessinfodaily.com
finance-today-news.com
dailybusinessdirect.com

Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

I checked all the active sites in the 89.144.2.0/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

Safe Browsing

Diagnostic page for AS199762 (ECHOROMEO-AS)

What happened when Google visited sites hosted on this network?
Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 89.144.2.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 89.144.2.0/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Drilling down to the Google diagnostic for t9e.net is surprising:

Safe Browsing

Diagnostic page for t9e.net

What is the current listing status for t9e.net?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24. Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

Also in this range:
  • The domains travsolut.com and travsolut.org on 89.144.2.143 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015, with the .org being registered to an address in Spain.
  • On 89.144.2.148, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with the POSeidon malware. On the same IP, srachechno.com is associated with a later version of the same malware.
  • Meanwhile on 89.144.2.149, dornegromant.com is also associated with POSeidon [pdf].
  • On 89.144.2.150 another POSeidon domain lurks, repherfeted.com.
  • And on 89.144.2.151 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 89.144.2.152.
  • On 89.144.2.153 is the domain ranferolto.com, tagged as Infostealer.Posfind by Symantec.
  • On 89.144.2.154 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader.
  • On 89.144.2.180 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

UPDATE:
I asked Echo Romeo about this and their response was very quick..

Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details..

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE


But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

Domain name:
        echoromeonet.co.uk

    Registrant:
        ECHO ROMEO LLP

    Registrant type:
        Unknown

    Registrant's address:
        47 GLENMOOR ROAD
        WEST PARLEY
        FERNDOWN
        BH22 8QE
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 25-Jan-2014

    Registrar:
        101Domain, Inc. [Tag = 101INC-US]
        URL: https://101domain.com

    Relevant dates:
        Registered on: 25-Jan-2014
        Expiry date:  25-Jan-2016
        Last updated:  03-Nov-2014

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.echoromeonet.co.uk    212.38.166.68
        ns2.echoromeonet.co.uk    5.133.179.64

These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 212.38.166.68 (one of the nameservers). It looks very different from the real website.

But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP addresses.

Let's go back to these IPs..

The 89.144.2.0/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

Although the nameservers at 212.38.166.68 and 5.133.179.64 appear to be on very different blocks, they are actually allocated to the same person:

inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
changed:        abuse@rapidswitch.com 20120918
created:        2012-09-18T09:09:38Z
last-modified:  2015-08-12T07:25:02Z
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

route:          5.133.176.0/21
descr:          RapidSwitch
origin:         AS20860
mnt-by:         RAPIDSWITCH-MNT
mnt-routes:     GB10488-RIPE-MNT
changed:        richard@iomart.com 20120712
created:        2012-07-12T15:08:31Z
last-modified:  2012-07-12T15:08:31Z
source:         RIPE


Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.
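The records quoted above, together with the ECHO ROMEO organisation object earlier in this post, can be correlated mechanically rather than by eye. The following is an added Python example, not code from the original post: it parses RPSL-style whois text, finds the inetnum covering each nameserver IP, checks whether both resolve to the same admin-c handle, and flags an organisation object whose contact e-mail domain is a lookalike of the company's real domain (echoromeo.co.uk, as stated in the post). The 212.38.166.0/24 inetnum in the sample is constructed to reflect what the post states, since that record is not quoted on the page; the lookalike test (real label contained in a different domain) is this example's own heuristic.

```python
import ipaddress
from collections import defaultdict

# RPSL text as published in the post (5.133.179.0/24 inetnum, person and the
# ECHO ROMEO org object). The 212.38.166.0/24 inetnum is CONSTRUCTED to mirror
# the post's statement that both blocks are assigned to ON929-RIPE.
RPSL_TEXT = """\
inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE

inetnum:        212.38.166.0 - 212.38.166.255
netname:        IPSERVER-CONSTRUCTED
descr:          constructed record, contacts as the post describes
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
source:         RIPE

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
admin-c:        JL7999-RIPE
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-by:         echoromeo-mnt
source:         RIPE
"""


def parse_rpsl(text):
    """Split RPSL text into objects: a blank line ends an object, each line is
    'attribute: value'. Repeated attributes keep every value, in order."""
    objects, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(dict(current))
                current = defaultdict(list)
            continue
        key, _, value = line.partition(":")   # first colon only (values may contain ':')
        current[key.strip()].append(value.strip())
    if current:
        objects.append(dict(current))
    return objects


def inetnum_for(objects, ip):
    """Return the inetnum object whose 'start - end' range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if "inetnum" not in obj:
            continue
        start, end = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
        if start <= addr <= end:
            return obj
    return None


def shared_contacts(objects, ips):
    """Map each IP to the admin-c of its inetnum and say whether all share one."""
    handles = {ip: inetnum_for(objects, ip)["admin-c"][0] for ip in ips}
    return handles, len(set(handles.values())) == 1


def contact_domain_mismatch(org, real_domain):
    """Flag contact e-mail domains that contain the real company's first label
    but are not the real domain itself (e.g. echoromeonet.co.uk vs echoromeo.co.uk)."""
    real_label = real_domain.split(".")[0]
    findings = []
    for attr in ("e-mail", "abuse-mailbox"):
        for value in org.get(attr, []):
            domain = value.rsplit("@", 1)[-1].lower()
            if domain != real_domain and real_label in domain:
                findings.append((attr, domain))
    return findings


if __name__ == "__main__":
    objs = parse_rpsl(RPSL_TEXT)
    print(shared_contacts(objs, ["5.133.179.64", "212.38.166.68"]))
    org = next(o for o in objs if "organisation" in o)
    print(contact_domain_mismatch(org, "echoromeo.co.uk"))
```

The same parser works on any RIPE-style text dump, so a defender can feed it the output of a bulk whois query and look for netblocks that share a handle, maintainer or abuse mailbox with a block already known to be bad.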

A quick look at the 5.133.179.0/24 and 212.38.166.0/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

Recommended blocklist:
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24

Monday, 24 August 2015

Malware spam: "Message from scanner" / "scanner.coventrycitycentre@brianholt.co.uk"

I don't have the body text for this particular message, but I can tell you this is not from Brian Holt (a property agent in Coventry, UK) but is instead a simple forgery with a malicious attachment.

Subject     Message from scanner
From     scanner.coventrycitycentre@brianholt.co.uk
X-Mailer     KONICA MINOLTA bizhub C360
Date     Wed, 12 Aug 2015 08:19:28 +0000
Message-Id     [55CB0190.015.00206B68D2CD.scanner.coventrycitycentre@brianholt.co.uk]
MIME-Version     1.0
Content-Type     multipart/mixed; boundary="KONICA_MINOLTA_Internet_Fax_Boundary"
Content-Transfer-Encoding     7bit

To show the level of detail the bad guys go to, they have even included extra mail headers (usually hidden) to attempt to identify the sender as a Konica MFD. It's a strange thing to do, considering that anyone skilled enough to examine the mail headers should also notice the malicious executable Sscanner15081208190.exe embedded in the attachment Sscanner15081208190.zip. This executable has a detection rate of just 5/54.
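A mail gateway can apply exactly that reasoning automatically. The following is an added Python example, not code from the original post: it builds a constructed message that reuses the visible headers above (the zip member is a placeholder byte string, not the real binary), then inspects the parsed message for executables delivered bare or inside a zip and reports when an X-Mailer that claims a scanner/MFD contradicts that content. The list of scanner strings and executable extensions is this example's own.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a gateway should treat as executable content (illustrative list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
# X-Mailer fragments that claim the message came from a scanner/MFD (illustrative).
MFD_MAILER_HINTS = ("konica minolta", "bizhub", "ricoh", "workcentre", "canon ir")


def build_sample(malicious=True):
    """Constructed message reusing the headers from the post. The zip member
    is a placeholder, not a real program or document."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as zf:
        if malicious:
            zf.writestr("Sscanner15081208190.exe", b"MZ placeholder, not a real program")
        else:
            zf.writestr("Sscanner15081208190.pdf", b"%PDF-1.4 placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Message from scanner"
    msg["From"] = "scanner.coventrycitycentre@brianholt.co.uk"
    msg["X-Mailer"] = "KONICA MINOLTA bizhub C360"
    msg.set_content("Scanned document attached.")
    msg.add_attachment(payload.getvalue(), maintype="application", subtype="zip",
                       filename="Sscanner15081208190.zip")
    return msg.as_bytes()


def _is_executable(name):
    return name.lower().endswith(EXECUTABLE_EXTS)


def inspect_message(raw):
    """Return findings for a raw RFC 5322 message: executables delivered
    directly or inside a zip, plus a scanner X-Mailer claim contradicted by
    that content. An empty list means nothing suspicious was found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if _is_executable(name):
            findings.append(f"bare executable attachment {name}")
        elif data.startswith(b"PK"):            # zip magic, whatever the extension says
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if _is_executable(member):
                            findings.append(f"archive {name} contains executable {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} looks like a zip but does not parse")
    mailer = msg.get("X-Mailer", "")
    if findings and any(h in mailer.lower() for h in MFD_MAILER_HINTS):
        findings.append(f"X-Mailer '{mailer}' claims a scanner but the message carries executable content")
    return findings


if __name__ == "__main__":
    for line in inspect_message(build_sample()):
        print(line)
```

Sniffing the zip by its leading bytes rather than trusting the filename matters here: the same check catches an archive renamed to look like a document.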

The Hybrid Analysis report shows the malware POSTing to:

smboy.su/mu/tasks.php

.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to block the whole range to be on the safe side.

The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware.

Wednesday, 19 August 2015

Malware spam: "SHIPMENT NOTICE" / "serviceuk@safilo.com"

This fake financial spam does not come from Safilo UK Ltd but is instead a simple forgery with a malicious attachment:

From     serviceuk@safilo.com
Date     Wed, 19 Aug 2015 17:47:46 +0700
Subject     SHIPMENT NOTICE

Dear Customer,

 please be informed that on Aug 19, 2015 we sent you the following items:

1    pieces from order 1I5005729
1    pieces from order 1I5005841


IMPORTANT

To find out all details concerning your orders and shipments open the file here attached
or go to the Order status page of the site.

Safilo UK Ltd.
serviceuk@safilo.com
-------
Attached is a file ship20150817.zip which in turn contains a malicious executable ship20150817.exe which has a detection rate of 4/56. According to these automated analysis tools [1] [2] the malware attempts to phone home to:

megapolisss006.su/go/gate.php

.SU (Soviet Union) domains are bad news in general; if you can, I would recommend blocking traffic to all of them. This domain is hosted on the following IPs:

195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)

You might want to consider blocking:

195.2.88.0/24
94.229.16.0/21


This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42


I am not entirely certain of the payload as the download locations seem to be unreliable.


Thursday, 16 October 2014

A bunch of .su and .ru domains leading to malware

These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know. I haven't had much time to poke at these properly, but I'd recommend watching out for these:

alinbot.ru
angryflo.ru
arnebbc.su
brokenpiano.ru
bubkagops.su
everydaypp.ru
f11europe.ru
fixiland.su
fumondaydns.in
funnygronni.com
goliathuz.com
icaldns.in
kimberlydns.in
kineshevasto.ru
levdnjord.su
madagask.ru
monkeysea.su
mysweetmon.ru
nitmurmansk.su
nomoreblack.su
odekon.su
opolla.ru
proffygroup.ru
salgarian.su
slimsize1.su
slowdownn.ru
solofrikred.su
superbup.su
temeluchus.ru
tomasz.su
whoisjohnthefirst.ru
winstent.su
wzorcd.ru
xchy3yzbdcavqij3dcr3.ru
ywaiukgcmmmcwqmk.org

108.21.223.101
109.104.174.109
109.104.184.20
109.120.7.117
109.162.32.234
109.162.6.112
109.184.141.196
109.196.77.198
109.201.232.221
109.227.103.153
109.227.105.88
109.227.114.50
109.227.91.150
109.254.116.68
109.60.243.38
109.86.76.58
109.86.83.167
119.18.77.27
121.176.22.15
125.135.166.159
130.204.235.160
134.19.225.199
134.249.15.60
134.249.65.178
14.33.25.64
141.101.27.2
141.101.3.150
158.181.134.227
158.181.14.38
158.181.169.88
158.181.175.126
159.224.101.52
173.171.103.248
173.49.70.65
174.61.141.129
176.100.28.115
176.102.209.127
176.104.253.21
176.104.97.17
176.105.201.21
176.106.31.227
176.114.32.97
176.114.38.72
176.118.144.240
176.118.45.228
176.120.39.87
176.193.22.49
176.193.37.112
176.215.117.210
176.239.12.104
176.36.48.185
176.36.68.13
176.8.203.177
176.8.95.116
176.98.22.147
176.99.226.87
178.132.2.153
178.137.175.36
178.137.215.186
178.137.232.234
178.141.98.158
178.150.104.8
178.151.0.25
178.158.135.20
178.158.16.193
178.158.16.248
178.159.122.213
178.212.101.94
178.213.175.151
178.213.189.58
178.216.227.71
178.219.91.40
178.74.212.207
178.74.226.67
178.89.203.41
178.90.99.120
178.91.41.119
178.94.92.212
185.10.2.11
185.32.120.210
188.0.120.49
188.163.31.16
188.163.50.18
188.214.33.160
188.230.1.99
188.230.15.191
188.230.87.17
188.239.5.123
193.111.241.125
193.34.94.85
194.187.111.74
194.44.252.229
194.44.37.3
195.114.145.188
195.114.147.96
195.138.75.163
195.174.42.216
195.242.81.56
195.72.156.236
2.132.61.249
2.135.129.248
2.135.87.207
206.174.99.120
208.107.176.24
212.22.192.224
212.79.119.49
212.90.32.62
212.92.237.199
212.92.253.167
213.111.151.156
213.111.183.205
213.129.111.70
213.164.123.63
213.174.10.241
213.231.11.136
213.231.49.184
217.112.220.202
217.12.122.58
217.175.85.76
217.197.252.11
218.52.52.157
24.163.109.78
24.214.93.170
27.147.182.44
31.130.4.1
31.131.137.63
31.133.79.131
31.133.79.205
31.134.19.130
31.134.211.43
31.135.140.114
31.170.156.146
31.192.156.153
31.28.249.94
31.41.116.88
31.41.72.159
37.110.12.9
37.115.110.8
37.115.229.27
37.115.33.96
37.115.65.28
37.140.106.117
37.229.189.190
37.229.54.152
37.25.103.214
37.25.106.88
37.53.73.152
37.55.61.26
37.57.159.200
37.57.244.98
37.57.97.229
46.118.162.62
46.118.220.117
46.118.228.6
46.118.46.202
46.119.157.204
46.119.85.215
46.119.90.143
46.146.40.134
46.149.177.86
46.149.48.133
46.160.79.233
46.164.179.75
46.172.211.150
46.172.230.166
46.173.171.118
46.185.51.76
46.185.98.100
46.191.172.157
46.211.40.28
46.211.74.12
46.219.77.143
46.33.243.82
46.61.62.152
46.63.135.3
46.63.66.102
46.98.171.128
46.98.174.49
5.1.27.92
5.1.28.199
5.105.120.46
5.137.71.123
5.153.189.97
5.246.178.134
5.248.243.117
5.34.18.37
5.56.111.111
50.134.47.136
50.154.149.189
62.16.38.131
62.220.53.85
62.80.181.42
62.84.254.75
67.183.123.151
70.114.48.81
70.53.172.129
72.185.199.204
72.80.145.90
74.103.3.126
75.131.252.100
75.76.166.8
76.17.60.31
77.120.183.13
77.121.105.26
77.121.129.150
77.121.140.120
77.122.153.68
77.71.188.240
77.95.92.254
78.131.93.231
78.27.159.75
78.27.183.113
79.113.160.194
79.114.113.151
79.132.17.125
79.134.2.105
79.171.124.211
80.245.117.198
80.64.81.51
81.162.70.55
81.162.75.68
81.163.142.181
81.163.153.185
81.200.148.6
81.90.233.231
82.117.243.39
83.218.228.46
85.198.171.90
85.237.35.122
85.29.154.152
87.110.167.54
87.76.61.30
88.135.93.105
89.105.249.250
89.116.191.51
89.161.84.65
89.209.91.107
89.252.29.97
89.254.147.242
91.196.97.220
91.197.187.189
91.198.143.44
91.200.232.86
91.201.243.191
91.203.89.26
91.207.86.210
91.210.87.242
91.222.63.1
91.223.86.185
91.243.203.238
91.250.34.68
92.112.156.8
92.113.161.218
92.113.4.121
92.114.123.227
92.245.40.208
92.55.30.207
93.170.68.140
93.171.77.198
93.183.247.117
93.76.240.22
93.76.57.57
93.77.75.2
93.78.145.22
93.79.177.59
93.79.199.81
94.100.95.109
94.153.125.201
94.153.53.132
94.153.69.169
94.178.216.34
94.179.99.149
94.231.32.32
94.231.72.194
94.244.173.95
94.45.92.6
95.135.58.25
95.215.117.207
95.47.128.209
95.66.202.226
95.76.64.224
95.87.94.65
96.26.196.66
98.111.140.190
98.244.185.173
98.245.227.235




Monday, 15 September 2014

"Overdue invoice #6767390" spam has a malicious .arj attachment

This fake invoice email has a malicious attachment:
From:     Mauro Reddin
Date:     15 September 2014 10:32
Subject:     Overdue invoice #6767390

Morning,

I was hoping to hear from you by now. May I have payment on invoice #84819995669 today please, or would you like a further extension?

Best regards,
Mauro Reddin
+07843 329907
The attachment is an archive file invc_2014-09-15_15-07-11_6767390.arj, so in order to get infected you would need an application capable of handling ARJ archives. Once unpacked, there is a malicious executable called invc_2014-09-15_15-07-11_88499270.exe which has a VirusTotal detection rate of just 1/55.
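The ARJ choice is a reminder that gateway filters keyed on the filename extension alone miss formats they were never told about. The following is an added Python example, not code from the original post: it identifies attachments by their leading bytes (ARJ archives begin with 0x60 0xEA), flags archive formats the gateway cannot unpack for inspection, and flags extension/content mismatches such as an executable named as a document. The sample bytes are constructed headers padded with zeros, the set of inspectable formats is an assumption of this example, and the signature table is a short illustrative list.

```python
# Signature table: (leading bytes, format). ARJ archives start with 0x60 0xEA;
# the rest are common archive formats a mail gateway meets.
ARCHIVE_MAGICS = (
    (b"\x60\xea", "arj"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),               # empty zip
    (b"Rar!\x1a\x07\x00", "rar"),
    (b"Rar!\x1a\x07\x01\x00", "rar"),     # RAR 5 signature
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"MSCF", "cab"),
)
# Extensions that legitimately carry each detected format.
EXPECTED_EXTS = {
    "arj": {"arj"}, "zip": {"zip"}, "rar": {"rar"}, "7z": {"7z"},
    "gzip": {"gz", "tgz"}, "cab": {"cab"}, "pe": {"exe", "dll", "scr", "com"},
}
# Formats this (hypothetical) gateway can unpack and scan; any other archive
# is held rather than waved through unexamined. Assumption of this example.
INSPECTABLE = {"zip", "gzip"}


def sniff(data):
    """Identify an attachment by its leading bytes rather than its name."""
    for magic, kind in ARCHIVE_MAGICS:
        if data.startswith(magic):
            return kind
    if data.startswith(b"MZ"):            # DOS/PE executable header
        return "pe"
    return None


def assess_attachment(filename, data):
    """Return the detected kind and the policy flags raised for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    flags = []
    if kind == "pe":
        flags.append("executable content")
    elif kind and kind not in INSPECTABLE:
        flags.append(f"uninspectable archive format ({kind})")
    if kind and ext not in EXPECTED_EXTS[kind]:
        flags.append(f"extension .{ext} does not match detected {kind}")
    return {"kind": kind, "flags": flags}


# Constructed samples: header bytes only, padded with zeros. None of these is
# a real archive or program.
SAMPLES = {
    "invc_2014-09-15_15-07-11_6767390.arj": b"\x60\xea" + b"\x00" * 30,
    "report.zip": b"PK\x03\x04" + b"\x00" * 26,
    "invoice.pdf": b"MZ" + b"\x00" * 62,
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, assess_attachment(name, data))
```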

The Comodo CAMAS report shows the malware attempting to phone home to golklopro.com/bitrix/modules.php which is multihomed on a number of IPs that look like a botnet to me.

UPDATE:  The ThreatExpert report also shows an attempted phone-home to cosjesgame.su (also on a botnet) plus an attempted download from the following locations:

teles4.com/333.exe
gavilan.cl/333.exe
emstudio.fr/333.exe
calduler.com/333.exe
iamsaved.org/333.exe

This malware looks like Zbot and is poorly detected by VirusTotal. The ThreatTrack report [pdf] shows that the malware attempts to connect to a bunch of domains that do not currently resolve (listed here [pastebin]).

I recommend that you apply the following blocklist:

golklopro.com
cosjesgame.su
teles4.com
gavilan.cl
emstudio.fr
calduler.com
iamsaved.org
71.204.29.102
80.87.146.106
87.244.34.238
94.154.220.16
109.200.151.96
141.101.28.223
176.36.186.138
178.151.131.75
198.200.87.184
213.110.131.122
213.177.115.141
46.46.104.39
62.122.92.41
91.237.109.103
92.112.228.242
94.244.177.42
95.76.204.117
98.14.34.141
109.161.32.192
109.229.198.37
134.249.73.242
134.249.202.165
194.187.111.74
217.12.122.58
217.175.148.201
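The blocklists in these posts mix domains, bare IPs and CIDR ranges (the Echo Romeo post recommends whole /24s, this one lists domains and single IPs, and both recommend blocking the .SU TLD outright where the web filter allows it). The following is an added Python example, not code from the original posts, that turns such a mixed list into two enforceable artefacts: an nftables interval set for the IP side and an RPZ zone fragment for the DNS side (with `CNAME .` to return NXDOMAIN, and a wildcard for the whole .su TLD), plus a lookup that answers whether an observed IP or hostname falls under the list. The sample list is constructed from indicators published in the posts; the set and zone names are this example's own.

```python
import ipaddress

# Constructed sample drawn from the posts: CIDR ranges from the Echo Romeo
# post, domains and single IPs from the "Overdue invoice" post.
SAMPLE_BLOCKLIST = """\
# Echo Romeo / ipserver.su ranges
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24
# Overdue invoice #6767390 indicators
golklopro.com
cosjesgame.su
teles4.com
71.204.29.102
109.200.151.96
"""

# Whole TLDs the posts recommend blocking regardless of individual domains.
BLOCKED_TLDS = {"su"}


def parse_blocklist(text):
    """Return (networks, domains): anything ipaddress accepts is a network
    (bare IPs become /32), everything else is treated as a domain name."""
    networks, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def is_blocked(indicator, networks, domains, tlds=BLOCKED_TLDS):
    """True if an IP sits inside a listed network, or a hostname is a listed
    domain, a subdomain of one, or under a blocked TLD."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:
        labels = indicator.lower().rstrip(".").split(".")
        if labels[-1] in tlds:
            return True
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))
    return any(addr in net for net in networks)


def nft_set(networks, name="badnets"):
    """nftables named set (IPv4 only here) suitable for `ip saddr @badnets drop`."""
    v4 = sorted((n for n in networks if n.version == 4), key=lambda n: int(n.network_address))
    elems = ", ".join(str(n) if n.num_addresses > 1 else str(n.network_address) for n in v4)
    return f"set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}"


def rpz_zone(domains, tlds=BLOCKED_TLDS, origin="rpz.local"):
    """Response Policy Zone fragment: each name and its subdomains map to
    CNAME '.', which RPZ-aware resolvers answer with NXDOMAIN."""
    lines = [f"$ORIGIN {origin}.",
             "@ 3600 IN SOA localhost. root.localhost. 1 3600 900 604800 300",
             "@ 3600 IN NS localhost."]
    for name in sorted(domains | tlds):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    nets, doms = parse_blocklist(SAMPLE_BLOCKLIST)
    print(nft_set(nets))
    print(rpz_zone(doms))
    print(is_blocked("89.144.2.85", nets, doms), is_blocked("smboy.su", nets, doms))
```

The parent-domain walk in `is_blocked` is what makes a listed `golklopro.com` also cover hosts such as `www.golklopro.com`; the TLD check makes any `.su` name match without it having to appear on the list.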

Added:
For information, the WHOIS details for cosjesgame.su are as follows:
domain:        COSJESGAME.SU
nserver:       ns1.floujorjnska.su.
nserver:       ns2.floujorjnska.su.
nserver:       ns3.floujorjnska.su.
nserver:       ns4.floujorjnska.su.
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        agartudd@85mail.com
registrar:     R01-REG-FID
created:       2014.09.10
paid-till:     2015.09.10
free-date:     2015.10.13
source:        TCI


UPDATE 2014-09-16: a second binary is doing the rounds, the detection rate for this at the moment is 27/55. Initial analysis suggests that it calls home to the same domains and IPs as listed above.

Friday, 15 November 2013

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

5.175.173.219 (GHOSTnet, Germany)
5.231.66.192 (GHOSTnet, Germany)
23.90.28.12 (ServerHub Dallas, US)
46.4.47.20 (Hetzner, Germany)
46.4.47.21 (Hetzner, Germany)
46.4.47.22 (Hetzner, Germany)
88.198.57.178 (Hetzner, Germany)
88.200.98.137 (Studentski domovi v Ljubljani, Slovenia)
91.186.19.48 (Simply Transit, UK)
92.48.122.132 (Simply Transit, UK)
108.170.54.251 (eWebGuru, India / Secured Servers, US)
109.200.4.114 (Redstation, UK)
109.123.127.228 (UK2, UK)
141.8.225.5 (Rook Media, Switzerland)
151.236.49.136 (Simply Transit, UK)
153.153.19.23 (Open Computer Network, Japan)
181.41.193.168 (Host1plus Brazil, Chile)
184.22.246.31 (Network Operations Center, US)
184.82.62.95 (Network Operations Center, US)
188.227.161.26 (Redstation, UK)
198.52.243.229 (Centarra Networks, US)
199.68.199.178 (Lightwave Networking, US)
213.229.90.199 (Simply Transit, UK)

The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):

1.165.101.158 (Chunghwa Telecom, Taiwan)
6.79.15.154 (USAISC, US)
31.83.89.143 (Orange PCS, UK)
62.75.232.182 (Eurostream, Lithuania / Intergenia AG, Germany)
78.188.5.201 (Turk Telekom, Turkey)
85.25.152.130 (Intergenia AG, Germany)
87.98.136.239 (OVH, France)
91.121.199.45 (OVH, France)
95.143.32.212 (Inline Internet, Germany)
188.138.10.29 (EvroHoster.ru, Ukraine / Intergenia AG, Germany)
188.138.10.30 (EvroHoster.ru, Ukraine / Intergenia AG, Germany)
188.138.78.229 (Eurostream, Lithuania / Intergenia AG, Germany)
188.138.78.232 (Eurostream, Lithuania / Intergenia AG, Germany)
188.138.78.248 (Stepan Alexander Mereuta, Moldova / Intergenia AG, Germany)
196.44.161.31 (Dar Es Salaam University, Tanzania)
198.52.240.8 (Avante Hosting Services, Canada)
217.172.187.9 (Intergenia AG, Germany)

These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su


Recommended IP blocklist (the second group are the nameservers):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199

1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9

Friday, 25 October 2013

Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)

5.175.171.89
5.231.40.197
5.231.47.92
31.210.112.28
42.121.84.12
60.199.253.165
63.251.135.19
78.100.140.171
81.91.159.212
103.28.255.207
112.124.27.158
146.185.147.26
161.24.16.127
181.41.200.191
186.3.101.235
186.151.240.197
186.251.180.205
189.1.169.28
196.40.9.113
211.71.99.66
223.30.27.251
acondorwoonkary120.com
avasdayspa.net
blackbox-e.net
bonds.su
carefordying.net
carrykeyboard.net
ceravdilicheskinevoz76.net
consumersshow.net
cormushkaneplohatak300.com
cronshtainymorenah55.net
derivatiexchange.com
dotier.net
dropdistri-butions.net
dulethcentury.net
ermeentroper110.com
ermirovaniedoom153.com
ermirovanievood152.com
ermxxrtroper210.com
eventlogselfn.net
excelledblast.net
foi.su
gormonnsnter105.net
gromydoonye250.com
groove.su
gumatexx.net
hdmltextvoice.net
idersnonvirus.com
introlinkage.com
introlinkage.su
jurassic-spa.net
kotzebuepolice.net
leedsprobate.net
lyvegetarians.net
mesmultimedia.com
milkdriver.com
mymulejams.net
nacase.net
ny-headsets.org
ordersdeluxe.com
pro-senioren.net
rojecttalkway.com
sandlord.com
stabilitymess.net
thetokion.com
uprisingquicks.net
zigbeejournal.net



Monday, 19 August 2013

Malware sites to block 19/8/13

These sites and IPs belong to this gang, and this list follows on from this one:

5.39.14.148 (OVH, France)
24.173.170.230 (Time Warner Cable, US)
31.52.14.209 (BT Broadband, UK)
37.200.69.43 (Selectel Ltd, Russia)
42.121.84.12 (Aliyun Computing Co, China)
59.124.33.215 (Chunghwa Telecom Co, Taiwan)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime Inc, US)
70.184.34.191 (Cox Communications, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
86.183.191.35 (BT, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
114.112.172.34 (Beijing STTD Communication Technology Co, China)
140.113.160.149 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.242.123.152 (Volumedrive, US)
177.53.80.39 (Telecom Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
193.147.49.154 (Universidad Rey Juan Carlos, Spain)
196.1.95.44 (Ensut-computer Department, Senegal)
198.52.243.229 (Centarra Networks Inc, US)
198.211.115.228 (Digital Ocean, US)
212.68.34.88 (Mars Global Datacenter Services LLC, Turkey)
216.158.67.42 (TMZHosting LLC, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)
221.133.1.21 (Saigon Postel Corporation, Vietnam)
222.35.102.133 (China Tietong Telecommunications Corporation, China)

5.39.14.148
24.173.170.230
31.52.14.209
37.200.69.43
42.121.84.12
59.124.33.215
61.36.178.236
66.230.163.86
66.230.190.249
70.184.34.191
74.207.251.67
75.147.133.49
78.47.248.101
86.183.191.35
95.87.1.19
95.111.32.249
95.188.76.14
114.112.172.34
140.113.160.149
140.116.72.75
173.242.123.152
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
193.147.49.154
196.1.95.44
198.52.243.229
198.211.115.228
212.68.34.88
216.158.67.42
217.64.107.108
221.133.1.21
222.35.102.133
actiry.com
amnsreiuojy.ru
arriowzzetobe.net
askfox.net
avini.ru
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
bluavoughogma.com
bnamecorni.com
boardsxmeta.com
breakfast.su
businessdocu.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
checklistsseesmics.su
condalekskajaunini77.net
condrskajaumaksa66.net
controlsalthoug.com
cosamortranas.com
countyforsetttttt21.net
credit-find.net
culturalasia.net
cyberflorists.su
devicesta.ru
dolekotoukart.com
dulethcentury.net
ehnihjrkenpj.ru
evishop.net
exhilaratingwiki.net
facebook.com.n.find-friends.lindoliveryct.net
fitstimekeepe.net
fivelinenarro.net
frutpass.ru
gaphotoid.net
garmonievieraboti50.net
gatumi.com
gonulpalace.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
isightbiowares.su
jdbcandschema.su
jessesautobody.net.rcom-dns.eu
kneeslapperz.net
komsetup.com
labscaner.com
legalizacionez.com
liliputttt9999.info
lindoliveryct.net
logovend.net
lsstats.ru
lucams.net
magiklovsterd.net
mcneillseptictall.net
medusascream.net
melexcia.com
micnetwork100.com
mirris.ru
mobile-unlocked.net
musicstudioseattle.net
myaxioms.com
namastelearning.net
netbeirut.net
nightclubdisab.su
nvufvwieg.com
oneuppositions.net
ordersdeluxe.com
partyspecialty.su
pure-botanical.net
qualysguardviewin.su
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
restlesz.su
ringosfulmobile.com
secureprotection5.com
shawnlautzlaw.net
srddesigns.net
suburban.su
tagcentriccent.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
uprisingquicks.net
vip-proxy-to-tor.com
wildgames-orb.net
x-pertwindscreens.net
zestrecommend.com
zinvolarstikel.com



Thursday, 8 August 2013

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Computers | Computer Parts | Electronics | TV & Video | Cameras & Surveillance | Cell Phones
Order Shipped:
   
08/07/2013
Order No.
   
I9179488
Shipment Total:
   
$732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items:
   
Quantity
Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 )
   
   
1
   
   
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
            Refer-A-Friend            
Deal Alerts via
    Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES| PRIVACY POLICY
The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although the start of the hostname makes it look like a tigerdirect.com link, the registrable domain is palmer-ford.net: everything to the left of it is just a chain of subdomain labels chosen to mimic the real site. palmer-ford.net is recently registered and has the characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402
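
The hostname trick above (brand labels on the left, the attacker's own domain on the right) can be checked mechanically. The following is an added example, not code from the original post: it reduces a hostname to its registrable domain and flags any hostname whose subdomain prefix contains a known brand domain. The suffix table and the brand list are assumptions made for the example; a production check would use the full Public Suffix List (e.g. via tldextract).

```python
import re

# Assumption: a tiny stand-in for the Public Suffix List, covering only the
# TLDs that appear in these blocklists. Use tldextract/publicsuffix2 for real work.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "su", "ru", "pl", "pw",
                   "eu", "co.uk", "org.uk", "com.au"}

# Assumption: brands that the hostnames on this page mimic.
BRANDS = ["tigerdirect.com", "facebook.com", "paypal.com", "linkedin.com",
          "pinterest.com", "quill.com", "aa.com"]

# Hostnames taken from the post's blocklists, plus two controls (constructed).
SAMPLE_HOSTS = [
    "www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net",
    "facebook.com.n.find-friends.lindoliveryct.net",
    "paypal.com.us.planetherl.net",
    "linkedin.com-update-report.taltondark.net",
    "www.tigerdirect.com",   # control: really the brand's own domain
    "breakfast.su",          # control: no brand in the prefix
]


def registrable_domain(host):
    """Return the apex/registrable domain: the label left of the public suffix."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):                      # longest suffix match first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])          # unknown suffix: best effort


def impersonated_brand(host, brands=BRANDS):
    """Return the brand a hostname mimics, or None if it is not a lookalike."""
    host = host.lower().strip(".")
    apex = registrable_domain(host)
    if apex in brands:
        return None                       # it really is the brand's domain
    prefix = host[:-len(apex)].rstrip(".")
    for brand in brands:
        # The brand must appear as whole labels/segments ("paypal.com."),
        # not inside a longer word ("paypal.company").
        if re.search(r"(?<![a-z0-9])" + re.escape(brand) + r"(?![a-z0-9])", prefix):
            return brand
    return None


def scan(hosts):
    """Return (host, registrable domain, mimicked brand) for each lookalike."""
    flagged = []
    for h in hosts:
        brand = impersonated_brand(h)
        if brand:
            flagged.append((h, registrable_domain(h), brand))
    return flagged


if __name__ == "__main__":
    for host, apex, brand in scan(SAMPLE_HOSTS):
        print(f"{host}: really {apex}, pretending to be {brand}")
```

The registrable domain is the only part of the name the attacker had to register, so it is the right thing to block and the right thing to compare against the brand; the leftmost labels are free for them to choose.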


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)

Recommended blocklist:
95.111.32.249
199.231.188.226
216.158.67.42
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
askfox.net
briltox.com
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
evishop.net
exnihujatreetrichmand77.net
facebook.com.n.find-friends.oncologistoncology.net
firefoxupd.pw
firerice.com
fulty.net
gnanosnugivnehu.ru
gotoraininthecharefare88.net
klwines.com.order.complete.prysmm.net
liliputttt8888.info
links.emails.bmwusa.com.open.pagebuoy.net
lucams.net
merchantcenter.intuit.com.click-for-click.com
micnetwork100.com
mifiesta.ru
onemessage.verizonwireless.com.verizonwirelessreports.com
onsayoga.net
partyspecialty.su
paypal.com.us.planetherl.net
pinterest.com.onsayoga.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
sai-uka-sai.com
sartorilaw.net
seoworkblog.net
tintencenter.net
verizonwirelessreports.com
vitans.net
www.aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
www.klwines.com.order.complete.prysmm.net
www.linkedin.com.e.v2.kennebunkauto.net
www.paypal.com.us.planetherl.net
www.pinterest.com.onsayoga.net
www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
www.verizonwirelessreports.com

Tuesday, 6 August 2013

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

Tuesday, 30 July 2013

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
50.97.253.162 (Softlayer Networks, US / ucvhost.com, India)
54.225.124.116 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
68.174.239.70 (Time Warner Cable, US)
69.60.115.92 (Colopronto, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork, Czech Republic)
88.150.191.194 (Redstation, UK)
89.145.185.121 (Yeni Telekom Internet Hizmetleri, Turkey)
89.163.170.134 (Unitedcolo, Germany)
91.200.13.16 (SKS-Lugan, Ukraine)
91.210.189.157 (Eqvia LLC, Ukraine)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan EAD, Bulgaria)
108.170.32.179 (Secured Servers, US / tudohost, Spain)
109.123.125.68 (UK2.NET, UK)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
120.124.132.123 (TANET, Taiwan)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
162.209.80.221 (Rackspace, US)
166.78.124.4 (Rackspace, US)
182.72.216.173 (Cusdelight Consultancy SE, India)
185.4.252.124 (Eaglenet, Lebanon)
185.10.200.89 (GBServers Ltd, UK)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.162.100.225 (MediaServicePlus Ltd, Russia)
192.162.102.225 (MediaServicePlus Ltd, Russia)
193.105.210.211 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.239.242.83 (TRN Telecom, Russia)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu Inc, US)
202.197.127.42 (CERNET, China)
208.115.114.68 (Wowrack, US)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
209.222.67.251 (Razor Inc, US)
211.224.204.141 (Korea Telecom, Korea)

Recommended blocklist:
5.175.191.106
5.175.191.124
24.173.170.230
24.188.19.227
41.196.17.252
46.246.41.68
50.97.253.160/27
54.225.124.116
59.124.33.215
59.160.69.74
68.174.239.70
69.60.115.92
75.147.133.49
78.47.248.101
88.86.100.2
88.150.191.194
89.145.185.121
89.163.170.134
91.200.13.0/24
91.210.189.157
95.87.1.19
95.111.32.249
108.170.32.176/29
109.123.125.68
114.112.172.34
120.124.132.123
122.128.109.46
162.209.80.221
166.78.124.4
182.72.216.173
185.4.252.124
185.10.200.89
188.132.213.115
190.85.249.159
192.162.100.225
192.162.102.225
193.105.210.0/24
193.239.242.83
196.1.95.44
198.61.213.12
198.98.102.165
202.197.127.42
208.115.114.68
208.115.237.88
209.222.67.251
211.224.204.141
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
acehheadline.net
aldenizturizm.com
allgstat.ru
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
beachfiretald.com
bebomsn.net
blindsay-law.net
bnamecorni.com
boats-sale.net
buffalonyroofers.net
businessdocu.net
businessua.com
buycushion.net
casinocnn.net
cbstechcorp.net
centow.ru
chromeupd.pw
cirriantisationsansidd79.net
condaleunvjdlp55.net
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalnua745746.ru
condrskajaumaksa66.net
crossplatformcons.com
doorandstoned.com
dulethcentury.net
duzybiust.net
ehnihjrkenpj.ru
eliroots.ru
erminwanbuernantion20.net
ermitirationifyouwau30.net
evenyouseemeinmin49.net
explicitlyred.com
facebook.com.n.find-friends.oncologistoncology.net
firerice.com
foremostorgand.su
fulty.net
generationpasswaua40.net
goingtothestreetofive59.net
gormoshkeniation68.net
gotoraininthecharefare88.net
greenleaf-investment.net
gromovieotvodidiejj40.net
hdmltextvoice.net
heidipinks.com
hotkoyou.net
housesales.pl
independinsy.net
info-for-health.net
jessesautobody.net
jonkrut.ru
kennebunkauto.net
klermont.net
klwines.com.order.complete.prysmm.net
kneeslapperz.net
linkedin.com.e.v2.kennebunkauto.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
lsstats.ru
made-bali.net
medusascream.net
metanoiaonline.com
microsoftnotification.net
mifiesta.ru
mobile-unlocked.net
modshows.net
moonopenomy.com
motobrio.net
neplohsec.com
ns3.ozyurtdesign.com
ns4.ozyurtdesign.com
nvufvwieg.com
oncologistoncology.net
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
oydahrenlitu346357.ru
pagebuoy.net
paypal.com.us.planetherl.net
playtimepixelating.su
prgpowertoolse.su
privat-tor-service.com
prothericsplk.com
prysmm.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
relectsdispla.net
renouveaugatinois.com
saberig.net
sai-uka-sai.com
scourswarriors.su
secureprotection5.com
sendkick.com
sensetegej100.com
sludgekeychai.net
templateswell.net
thegalaxyatwork.com
thosetemperat.net
thybrothers.net
tintencenter.net
tor-connect-secure.com
tvblips.net
u-janusa.net
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
whitegocteenviet.com
wow-included.com
zestrecommend.com
zinvolarstikel.com
zukkoholsresv.pl
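
Applying a list like this one needs two matching rules the plain text does not spell out: an address has to be tested against the CIDR netblocks (50.97.253.162 from the annotated list above is covered by 50.97.253.160/27 in the blocklist, not listed as itself), and a hostname should be blocked when any parent domain is listed, so new subdomains of a blocked domain are caught. The following is an added example, not the post's own tooling; the sample entries are copied from the list above plus constructed test hosts, and the RPZ output format is a standard one, not something the post describes.

```python
import ipaddress

# Constructed sample mixing the entry kinds found in the post's lists:
# bare IPv4, CIDR netblocks, hostnames, and an annotated line whose first
# token is the address.
SAMPLE_BLOCKLIST = """\
5.175.191.106
24.173.170.230 (Time Warner Cable, US)
50.97.253.160/27
91.200.13.0/24
108.170.32.176/29
paypal.com.us.planetherl.net
www.paypal.com.us.planetherl.net
planetherl.net
foremostorgand.su
""".splitlines()


class Blocklist:
    """Parse a mixed IP/CIDR/domain blocklist and answer containment queries."""

    def __init__(self, lines):
        nets = []
        self.domains = set()
        for raw in lines:
            raw = raw.strip()
            if not raw or raw.startswith("#"):
                continue
            token = raw.split()[0].lower()      # drop "(hoster, country)" notes
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
                continue                        # bare IP becomes a /32
            except ValueError:
                pass
            self.domains.add(token.rstrip("."))
        # Merge adjacent/overlapping netblocks, per address family.
        by_version = {}
        for net in nets:
            by_version.setdefault(net.version, []).append(net)
        self.networks = [n for v in sorted(by_version)
                         for n in ipaddress.collapse_addresses(by_version[v])]

    def blocks_ip(self, ip):
        """True if the address falls inside any listed netblock."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks
                   if net.version == addr.version)

    def blocks_host(self, host):
        """True if the host or any parent domain is listed."""
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains
                   for i in range(len(labels)))

    def rpz_records(self):
        """DNS RPZ records returning NXDOMAIN for each domain and its subdomains."""
        out = []
        for d in sorted(self.domains):
            out.append(f"{d} CNAME .")
            out.append(f"*.{d} CNAME .")
        return out


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST)
    print(bl.blocks_ip("50.97.253.162"), bl.blocks_host("mail.planetherl.net"))
    print("\n".join(bl.rpz_records()))
```

Feeding the annotated list and the plain list through the same parser is deliberate: the annotated entries are the evidence, the plain entries are what actually gets deployed, and the two should agree.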

Tuesday, 16 July 2013

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
59.126.142.186 (Chunghwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chunghwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technologies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chunghwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Limited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Thursday, 11 July 2013

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that it has a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.

37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)

Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su

Tuesday, 9 July 2013

Malware sites to block 9/7/13

These are the current IPs and domains that appear to be in use by this gang. IPs are listed with hosting companies and countries first, and then a plain list of IPs and domains for copy-and-pasting:
5.135.198.41 (OVH, France)
14.63.198.119 (Korea Telecom, Korea)
24.173.170.230 (Time Warner Cable, US)
46.14.182.109 (Swisscom, Switzerland)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
54.232.86.91 (Amazon AWS, Brazil)
59.124.33.215 (Chunghwa Telecom, Taiwan)
62.165.254.220 (Tvnetwork, Hungary)
62.169.58.22 (Phoenix Informatica, Italy)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.63.195.131 (Limestone Networks, US)
74.93.56.83 (Comcast Communications, US)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
80.52.135.172 (Telekomunikacja Polska, Poland)
80.218.115.92 (Cablecom, Switzerland)
82.79.4.33 (RCS & RDS Business, Romania)
82.165.41.13 (1&1 Internet, Philippines)
89.45.83.92 (Nlink SRL, Romania)
89.93.219.156 (Bouygues Telecom, France)
89.96.141.43 (IPS SRL, Italy)
89.248.161.137 (Ecatel, Netherlands)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel, Bulgaria)
95.173.187.8 (Netinternet Bilgisayar Telekomunikasyon, Turkey)
97.79.214.75 (Time Warner Cable, US)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
109.169.86.196 (iomart / ThrustVPS, UK)
109.234.84.213 (Servicleop, Spain)
113.161.207.101 (VNPT, Vietnam)
115.28.45.30 (HiChina Web Solutions / Alibaba, China)
115.146.93.25 (Nectar Research Cloud, Australia)
116.251.213.12 (OneAsiaHost, Singapore)
117.102.102.170 (Servo Buana Resources, Indonesia)
117.239.224.145 (ZAD Institute, India)
123.30.50.245 (VNPT, Vietnam)
129.64.95.45 (Brandeis University, US)
134.159.143.12 (Telstra-Telewhite, Hong Kong)
138.80.14.27 (Charles Darwin University, Australia)
143.239.87.38 (University College Cork, Ireland)
151.155.25.111 (Novell Inc, US)
172.246.122.111 (Enzu Inc, US)
173.167.54.139 (Iceweb Storage Corp, US)
173.245.7.158 (Leland Private Systems, US)
177.87.104.21 (Alberto Torres Barreto, Brazil)
181.54.174.204 (Telmex Colombia, Colombia)
184.22.36.4 (HostNOC, US)
184.105.135.29 (Hurricane Electric, US)
186.227.53.43 (Via Cabo Provedor de Internet e Informática Ltda, Brazil)
189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (TDP ERX, Peru)
192.210.205.208 (New Wave Netconnect / Colocrossing, US)
193.242.126.78 (Lemminkainen Oyj, Finland)
195.241.208.160 (Telfort / Tiscali / KPN, Netherlands)
198.46.131.100 (New Wave Netconnect / Colocrossing, US)
198.50.136.166 (OVH, Brazil)
198.175.124.17 (DNSSLAVE.COM, US)
198.199.70.149 (Digital Ocean, US)
199.233.234.83 (Nodedeploy, US)
202.28.69.195 (UniNet, Thailand)
202.56.170.28 (Ningnet, Indonesia)
203.235.181.181 (GNGAS Enterprise Networks, Korea)
207.254.1.17 (Virtacore Systems, US)
210.200.0.95 (Asia Pacific On-line Services Inc, Taiwan)
213.56.125.97 (OBS, France)
222.20.90.25 (HuaZhong University of Science and Technology, China)

5.135.198.41
14.63.198.119
24.173.170.230
46.14.182.109
46.45.182.27
54.232.86.91
59.124.33.215
62.165.254.220
62.169.58.22
64.49.246.226
69.162.76.10
74.63.195.131
74.93.56.83
77.240.118.69
78.108.86.169
80.52.135.172
80.218.115.92
82.79.4.33
82.165.41.13
89.45.83.92
89.93.219.156
89.96.141.43
89.248.161.137
89.248.161.146
95.111.32.249
95.173.187.8
97.79.214.75
103.9.23.34
109.169.86.196
109.234.84.213
113.161.207.101
115.28.45.30
115.146.93.25
116.251.213.12
117.102.102.170
117.239.224.145
123.30.50.245
129.64.95.45
134.159.143.12
138.80.14.27
143.239.87.38
151.155.25.111
172.246.122.111
173.167.54.139
173.245.7.158
177.87.104.21
181.54.174.204
184.22.36.4
184.105.135.29
186.227.53.43
189.84.25.188
190.85.249.159
190.238.107.240
192.210.205.208
193.242.126.78
195.241.208.160
198.46.131.100
198.50.136.166
198.175.124.17
198.199.70.149
199.233.234.83
202.28.69.195
202.56.170.28
203.235.181.181
207.254.1.17
210.200.0.95
213.56.125.97
222.20.90.25
101ndstreetymha.com
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
andertiua200.com
androv.pl
aniolyfarmacij.com
astarts.ru
auditbodies.net
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
blacklistsvignet.pl
bnamecorni.com
boats-sale.net
brandeddepend.com
buycushion.net
cardpalooza.su
centow.ru
centsvisualcaf.net
chairsantique.net
chrismortonlaw.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cirormdnivneinted40.ru
cocainism.net
collegialwar.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
dirvers.net
doorandstoned.com
driversupdate.pw
editionscode.com
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
enchantingfluid.com
enuhhdijsnenbude40.ru
ergopets.com
feminineperceiv.pl
filmstripstyl.com
fincal.pl
firefoxupd.pw
first4supplies.net
freakable.net
fulty.net
gamnnbienwndd70.net
gatorovnskeinbueed60.ru
genie-enterprises.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanisienviwjunlp.ru
gnanosnugivnehu.ru
grivnichesvkisejj50.ru
hdmltextvoice.net
heidipinks.com
hexactos.com
hingpressplay.net
hospitalinstitutee.com
hotkoyou.net
independinsy.net
infostarter.net
initiationtune.su
insectiore.net
joinproportio.com
jonkrut.ru
letsgofit.net
lexus-lfa.net
libulionstreet.su
lifeline-tv.net
lifestylelbinfo.com
linefisher.com
liocolostrum.net
magiklovsterd.net
mail1.infostarter.net
modshows.net
mychildrenss.com
ns1.infostarter.net
nvufvwieg.com
organizerrescui.pl
oydahrenlitu346357.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.com
quipbox.com
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
secrettapess.com
securednshooki.com
sendkick.com
smartsecurity-app.com
soberimages.com
spros.pl
streetgreenlj.com
susubaby.net
syncbinderanalog.net
tagcentriccent.net
tagcentriccent.pl
telecomerra.com
tor-connect-secure.com
transplantee.net
tstatbox.ru
ukbash.ru
usenet4ever.net
utraining.us
vahvahchicas.ru
ventstandart.net
vip-proxy-to-tor.com
voippromotion.su
webhelphighestp.net
wic-office.com
widnows.net
winodwsupd.pw
wow-included.com
zestrecommend.com

Wednesday, 13 March 2013

Zbot sites to block 13/3/13

These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.

76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su

URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php

And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)

Monday, 28 January 2013

Zbot sites to block 28/1/13

These domains and IPs are currently acting as C&C and distribution servers for Zbot. I would advise blocking these IPs and domains if you can.

There are three parts to the list: IPs annotated with hosting company names, plain IPs for copy-and-pasting, and domains identified on these servers.

5.45.181.164 (Bradler & Krantz, Germany)
5.175.148.207 (GHOSTnet, Germany)
24.126.203.109 (Comcast, US)
31.170.106.13 (Bradler & Krantz, Germany)
37.26.244.86 (Digicube, France)
37.59.76.3 (OVH, Netherlands)
42.96.136.158 (Alibaba, China)
43.101.119.123 (Kokusai-kougyou-kanda Bldg., Japan)
46.249.46.182 (Serverius, Netherlands)
50.19.77.237 (Amazon, US)
50.31.99.126 (Steadfast Networks, US)
59.90.147.31 (BSNL Internet, India)
59.167.120.210 (Internode, Australia)
64.221.210.108 (XO Communications, US)
69.65.47.245 (Bodhost, US)
69.85.92.155 (Hostigation, US)
72.66.16.146 (Verizon, US)
73.123.5.128 (Comcast, US)
80.152.149.121 (Deutsche Telekom, Germany)
84.253.2.244 (Cybernet, Switzerland)
85.93.219.253 (Visual Online, Luxembourg)
88.88.101.162 (Telenor Norge, Norway)
91.121.248.127 (OVH, Spain)
92.21.156.70 (TalkTalk, UK)
92.146.246.96 (France Telecom, France)
93.92.207.86 (Saint-Petersburg Computer Networks Ltd, Russia)
94.76.234.163 (Simply Transit, UK)
95.225.161.106 (Telecom Italia, Italy)
99.169.151.134 (SBC Internet Services, US)
101.89.80.132 (China Telecom, China)
115.153.226.65 (China Telecom, China)
118.41.184.73 (Kornet, Korea)
119.252.162.18 (Comnets Plus, Indonesia)
123.224.196.84 (Open Computer Network, Japan)
125.63.91.52 (Spectra ISP, India)
128.32.149.121 (University Of California, US)
141.0.176.155 (Avantel, Russia)
141.0.176.231 (Avantel, Russia)
159.253.20.217 (FastVPS, Estonia)
166.111.143.248 (Tsinghua University, China)
173.213.112.245 (Eonix Corporation, US)
176.56.229.201 (RouteLabel, Netherlands)
184.82.187.181 (HostNOC, US)
189.75.96.19 (Brasil Telecom, Brazil)
193.254.233.242 (Teleradiocompany Soniko-Svyaz Ltd, Ukraine)
202.57.189.141 (Internet Service Provider Co. Ltd., Thailand)
209.207.112.195 (Treasuremart, Canada)
210.56.15.19 (COMSATS, Pakistan)
211.20.45.138 (Chunghwa Telecom, Taiwan)
216.224.176.47 (Earthlink, US)

5.45.181.164
5.175.148.207
24.126.203.109
31.170.106.13
37.26.244.86
37.59.76.3
42.96.136.158
43.101.119.123
46.249.46.182
50.19.77.237
50.31.99.126
59.90.147.31
59.167.120.210
64.221.210.108
69.65.47.245
69.85.92.155
72.66.16.146
73.123.5.128
80.152.149.121
84.253.2.244
85.93.219.253
88.88.101.162
91.121.248.127
92.21.156.70
92.146.246.96
93.92.207.86
94.76.234.163
95.225.161.106
99.169.151.134
101.89.80.132
115.153.226.65
118.41.184.73
119.252.162.18
123.224.196.84
125.63.91.52
128.32.149.121
141.0.176.155
141.0.176.231
159.253.20.217
166.111.143.248
173.213.112.245
176.56.229.201
184.82.187.181
189.75.96.19
193.254.233.242
202.57.189.141
209.207.112.195
210.56.15.19
211.20.45.138
216.224.176.47

advstar.com
aldio.ru
askwhite.net
atkit.ru
autocanonicals.com
billablelisten.pl
bioshift.net
boxtralsurvisv.pl
cflyon.ru
cipriotdilingel.ru
confloken.ru
dinitrolkalor.com
dobar.pl
dqnouce.ru
encounterkaspe.pl
evamaro.ru
fearedembracin.su
fitoteafclope.pl
gellax.com
haicut.com
htimemanagemen.su
indianayellow.net
infocyber.pl
jintropictonic.pl
kcrio-oum.com
litfors.com
mypicshare.net
namelesscorn.net
netfest.pl
ntrolingwhitel.pl
orlandotenerife.net
phicshappening.com
photoshopya.net
porkystory.net
quliner.ru
rolino.pl
sadertokenupd.ru
secmicroupdate.ru
secondhandfurnitur.com
seldomname.com
sminiviolatede.pl
stadionservisecheck.ru
steppinglegalzoom.com
stockanddraw.net
suggestedlean.com
svictrorymedia.ru
trainyardscree.pl
uawxaeneh.com
usergateproxy.net
weatherrecord.net
widexsecconnect.ru
youhavegomail.com