
Tuesday, 24 May 2016

Evil network: OVH / kaminskiy@radiologist.net

Here's an Angler EK cluster hosted on multiple ranges rented from OVH France. Working first from this list of Angler IPs in OVH address space, we can see a common factor.

One handy thing that OVH does with suballocated ranges is give clear details about the customer. This certainly helps track down abusers. In this case, the ranges these IPs are in are allocated to:

organisation:   ORG-KM91-RIPE
org-name:       Kaminskiy Mark
org-type:       OTHER
address:        Bema 73
address:        01-244 Warszawa
address:        PL
e-mail:         kaminskiy@radiologist.net
abuse-mailbox:  kaminskiy@radiologist.net
phone:          +48.224269043
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
created:        2016-05-18T14:46:09Z
last-modified:  2016-05-18T14:46:09Z
source:         RIPE


That ORG-KM91-RIPE handle can be looked up in the RIPE database, which gives more of these little /30 blocks:

OVH have been pretty good at cleaning up this sort of thing lately (unlike PlusServer) so hopefully they will get this under control.
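The lookup chain described above (Angler IP, then the RIPE organisation handle behind it, then every inetnum that handle owns) can be automated against whois text. This is an added example, not code from the original post: the organisation object is the one quoted above, but the two inetnum objects (with placeholder netnames), the list of observed IPs and the whois text itself are constructed, and the script parses that text offline rather than querying RIPE.

```python
import ipaddress
from collections import defaultdict

# Constructed whois text: the organisation object is the one quoted in the
# post; the two inetnum objects are constructed for two of the /30s the
# post lists (netnames are placeholders). Real "whois -h whois.ripe.net"
# output uses the same "attribute: value" layout, one object per
# blank-line-separated block.
WHOIS_TEXT = """\
organisation:   ORG-KM91-RIPE
org-name:       Kaminskiy Mark
org-type:       OTHER
address:        Bema 73
address:        01-244 Warszawa
address:        PL
e-mail:         kaminskiy@radiologist.net
abuse-mailbox:  kaminskiy@radiologist.net
mnt-by:         OVH-MNT
created:        2016-05-18T14:46:09Z
source:         RIPE

inetnum:        51.255.59.120 - 51.255.59.123
netname:        PLACEHOLDER-NET-1
org:            ORG-KM91-RIPE
mnt-by:         OVH-MNT
source:         RIPE

inetnum:        91.134.204.216 - 91.134.204.219
netname:        PLACEHOLDER-NET-2
org:            ORG-KM91-RIPE
mnt-by:         OVH-MNT
source:         RIPE
"""

# Angler IPs from the post that we want to attribute to an organisation.
OBSERVED_IPS = ["51.255.59.120", "51.255.59.121",
                "91.134.204.217", "91.134.206.129"]


def parse_objects(text):
    """Split whois output into objects and each object into
    {attribute: [values]}; a list because attributes such as
    'address:' legitimately repeat within one object."""
    objects = []
    for chunk in text.strip().split("\n\n"):
        obj = defaultdict(list)
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("%"):
                continue  # RIPE server comments start with '%'
            key, _, value = line.partition(":")
            obj[key.strip()].append(value.strip())
        objects.append(dict(obj))
    return objects


def inetnum_networks(objects):
    """Map org handle -> CIDR networks covering each of its inetnum ranges."""
    by_org = defaultdict(list)
    for obj in objects:
        if "inetnum" not in obj or "org" not in obj:
            continue
        first, _, last = obj["inetnum"][0].partition("-")
        by_org[obj["org"][0]].extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    return dict(by_org)


def attribute_ips(ips, by_org):
    """Return ({org: [ips in that org's ranges]}, [ips matching no range])."""
    hits, unmatched = defaultdict(list), []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        owner = next((org for org, nets in by_org.items()
                      if any(addr in net for net in nets)), None)
        (hits[owner] if owner else unmatched).append(ip)
    return dict(hits), unmatched


if __name__ == "__main__":
    nets = inetnum_networks(parse_objects(WHOIS_TEXT))
    hits, unmatched = attribute_ips(OBSERVED_IPS, nets)
    for org, ips in hits.items():
        print(org, "->", ips, "blocks:", [str(n) for n in nets[org]])
    print("no inetnum in this dataset:", unmatched)
```

An IP that lands in the unmatched list simply has no inetnum in the local dataset; in practice that is the cue to fetch the remaining objects for the handle.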

If you want to find other Angler EK ranges then I have a bunch of 'em in my Pastebin.

Monday, 25 April 2016

Evil networks to block 2016-04-25

Following on from this post and previous ones in that series, here is a new set of IP ranges where the Angler EK seems to be clustering. In addition, I updated the list of PlusServer ranges where Angler is becoming a critical problem too.

Tuesday, 12 April 2016

PlusServer has a PlusSized problem with Angler

PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again.

So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too.

UPDATE 2016-04-25

Here are some more PlusServer ranges where Angler has been rampant:

85.25.218.0/24
85.25.237.0/24
188.138.25.0/24
188.138.68.0/24

UPDATE 2016-05-10

Heavy Angler activity has also been spotted in the following ranges:

In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

PlusServer (or more likely one or more of their resellers) appears to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges.

With black hat hosts such as Qhoster or Host Sailor, and to some extent Agava, you can block the entire network ranges and not block anything of value at all. By using PlusServer, the bad guys can hide their evil sites among legitimate sites, where administrators might fear blocking something accidentally. My personal opinion is that admins need to be bold and block anyway; it should usually be possible to block individual sites where needed.

Monday, 11 April 2016

Evil networks to block 2016-04-11

I realise it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges; in the meantime, here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details.)

Friday, 26 February 2016

Evil networks to block 2016-02-26

These networks are clusters of the Angler EK and other badness. I tend to tweet about Angler IPs rather than blog about them; following the #AnglerEK hashtag on Twitter can yield more information, often in real time.

All the links go to Pastebin with more information about the IPs and the blocks. Note that a few of these blocks do contain some legitimate Russian-language sites, but if your users don't visit that sort of site then you should be OK to block them.

Wednesday, 13 January 2016

Evil network: 46.30.40.0/21 / Eurobyte LLC and GoDaddy

Recently I kept coming across the name "Eurobyte LLC" when it came to hosting malware [1] [2], to such an extent that I became rather suspicious about this Russian hosting company and what it is they actually do.

From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands. One of Webzilla's other customers is McHost.ru who also have a shitty reputation.

A look at Webzilla's AS35415 range shows that Eurobyte LLC is allocated the following blocks:

46.30.40.0/24
46.30.41.0/24
46.30.42.0/24
46.30.43.0/24
46.30.44.0/24
46.30.45.0/24
46.30.46.0/24
46.30.47.0/24

Together these form the single larger block 46.30.40.0/21, which contains all the Eurobyte /24s.

Using DNSDB I found over 70,000 sites associated with this block. By associated I mean sites currently hosted in the /21, or hosted there in the past few years. Crucially, that includes a lot of subdomains, nameservers and that sort of thing. In order to keep things manageable, I consolidated almost all the subdomains down into their main domains, leaving 18,260 domains and sites.

The next step was to take that data and look up the current IPs and Google's safe-browsing diagnostic for each (results here), giving 4048 sites with their main domains currently hosted at Eurobyte. Of these, only the following 16 appear to be malicious, 0.4% of the total.

0.4% is a tiny amount; I would typically expect to see about 1-2% on any network. So, Eurobyte LLC looks squeaky clean, yes?

In fact, this low number of malicious sites is misleading. If we go back to the original 18,260 domains and look at the number of malicious domains there, the total is 3,129. That's 17.1% of the original dataset.. a very high figure indeed.

The discrepancy appears to exist because there are thousands of subdomains hosted in the 46.30.40.0/21 range whose main domain (e.g. the www. site) is hosted in a completely different location. The subdomains are then used to host malware such as the Angler Exploit Kit, while the main domain is left completely untouched. This technique is sometimes known as domain shadowing.

Out of the malicious sites, 2793 are currently hosted at GoDaddy. That's 89.2% of the sites listed as malicious. But it turns out that of the other 336 sites tagged as malicious, about 300 are either registered with GoDaddy but hosted elsewhere, or use GoDaddy name servers. In other words, approximately 99% of the malicious sites belong to someone with a GoDaddy account.

But in fact, it is even worse than that. Looking at the domains that aren't tagged as malicious by Google reveals hundreds more similar hijacked GoDaddy domains. This list contains 5201 domains that are both parked on GoDaddy servers and have had malicious subdomains running in the Eurobyte LLC IP range. There are probably hundreds more that are hosted elsewhere.

What appears to be going on here is a domain shadowing attack on a massive scale, primarily leading victims to exploit kits.
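The two measurements above (the misleading per-apex ratio and the much higher per-record ratio) and the shadowing signature that explains the gap can be reproduced on passive-DNS style data. This is an added example, not the post's own tooling: the records, names and verdicts below are constructed placeholders, only the 46.30.40.0/21 range comes from the post, and `apex_of` assumes a two-label registrable domain rather than consulting the public suffix list.

```python
import ipaddress
from collections import defaultdict

# The hosting range discussed in the post.
EUROBYTE = ipaddress.ip_network("46.30.40.0/21")

# Constructed passive-DNS style records (name, A record). Domain names and
# IPs are placeholders, not observed indicators. The qwe./asd./zxc. labels
# mirror the throwaway subdomain style seen in Angler shadowing campaigns.
RECORDS = [
    ("example-florist.com", "203.0.113.10"),        # apex hosted elsewhere
    ("qwe.example-florist.com", "46.30.41.17"),     # shadow subdomains in /21
    ("asd.example-florist.com", "46.30.41.18"),
    ("zxc.example-florist.com", "46.30.42.5"),
    ("example-plumber.net", "198.51.100.7"),
    ("x7k2.example-plumber.net", "46.30.45.90"),
    ("example-shop.ru", "46.30.40.33"),             # genuinely hosted in /21
    ("www.example-shop.ru", "46.30.40.33"),
    ("example-news.ru", "192.0.2.44"),              # only www. in /21: not
    ("www.example-news.ru", "46.30.43.12"),         # treated as shadowing
]

# Constructed verdicts standing in for the per-site Google lookups in the
# post: only the shadow subdomains are tagged, never the apex domains.
MALICIOUS = {
    "qwe.example-florist.com", "asd.example-florist.com",
    "zxc.example-florist.com", "x7k2.example-plumber.net",
}


def apex_of(fqdn):
    """Collapse a hostname to its registrable domain. Assumption: a
    two-label apex (no public-suffix list), which holds for the .com/.net/.ru
    names in this data but not for e.g. .com.ar or .co.uk."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def in_range(ip, net=EUROBYTE):
    return ipaddress.ip_address(ip) in net


def malicious_ratio_by_apex(records, malicious):
    """The post's first, misleading figure: of apex domains currently hosted
    in the range, how many are malicious themselves."""
    apex_ips = {name: ip for name, ip in records if name == apex_of(name)}
    hosted = [a for a, ip in apex_ips.items() if in_range(ip)]
    return sum(a in malicious for a in hosted), len(hosted)


def malicious_ratio_by_record(records, malicious):
    """The post's second figure: over every name seen in the range,
    subdomains included."""
    seen = [name for name, ip in records if in_range(ip)]
    return sum(n in malicious for n in seen), len(seen)


def shadowed_apexes(records):
    """Apexes whose own A record is outside the range while one or more
    non-www subdomains resolve inside it: the domain-shadowing signature."""
    apex_ip, subs_in_range = {}, defaultdict(list)
    for name, ip in records:
        apex = apex_of(name)
        if name == apex:
            apex_ip[apex] = ip
        elif in_range(ip) and not name.startswith("www."):
            subs_in_range[apex].append(name)
    return {apex: sorted(subs) for apex, subs in subs_in_range.items()
            if apex in apex_ip and not in_range(apex_ip[apex])}


if __name__ == "__main__":
    print("malicious/hosted by apex:  ", malicious_ratio_by_apex(RECORDS, MALICIOUS))
    print("malicious/hosted by record:", malicious_ratio_by_record(RECORDS, MALICIOUS))
    for apex, subs in shadowed_apexes(RECORDS).items():
        print(f"{apex}: apex hosted outside the range, shadow subdomains {subs}")
```

On this data the per-apex view reports 0 of 1 hosted apexes as malicious while the per-record view reports 4 of 7 names, the same shape of discrepancy the post found at scale.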

There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend blocking 46.30.40.0/21 from your network.

If you are a GoDaddy customer then enabling two-factor authentication might give you some additional protection against this type of attack.

While researching this topic, I discovered that Talos had done some similar work which also pointed a finger at Eurobyte and their very lax control over their network.

Monday, 22 December 2014

Angler EK on 193.109.69.59

193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit.

The infection chain that I have seen is as follows (don't click those links, obviously):

[donotclick]www.opushangszer.hu/hora-at-200-b-csiptetos-gitarhangolo/1-864-359
-->
[donotclick]bettersaid.net/7b614b6f9fb62682c46d303fea879a38.swf
-->
[donotclick]www.smallbusinesssnapshot.com/a6107b69be5422d82da0c2109cc7f20f.php?q=7a7581fad469383e7313d27d1cedf2d3
-->
[donotclick]qwe.holidayspeedfive.biz/em3t8gxum0
-->
[donotclick]qwe.holidayspeedfive.biz/KuCRwb_Bwr38O4rT6dqEUCT9x5K26Bw_PNEHE3DJ_U9vgmcD31TZILN2BlAmHabL

The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:

qwe.holidayspeedsix.biz
qwe.holidayspeedfive.biz
qwe.holidayspeedseven.biz


A quick look at the contents of 193.109.68.0/23 shows some other questionable sites; most of them appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.

Recommended minimum blocklist:
193.109.69.59
holidayspeedsix.biz
holidayspeedfive.biz
holidayspeedseven.biz

Tuesday, 9 December 2014

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses, 5.196.33.8/29, which appears to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful-looking domains on 5.196.33.15 which may well have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com


Wednesday, 3 December 2014

More malware on Crissic Solutions LLC

Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report):

167.160.164.102 [VirusTotal report]
167.160.164.103 [VirusTotal report]
167.160.164.141 [VirusTotal report]
167.160.164.142 [VirusTotal report]

The following domains are being exploited (although there will probably be more soon).

Subdomains in use start with one of qwe. or asd. or zxc. (see examples here [pastebin]).

Crissic Solutions LLC operates 167.160.160.0/19, which does have some legitimate sites in it. But since I have previously recommended blocking 167.160.165.0/24 and 167.160.166.0/24, and now multiple servers on 167.160.164.0/24 are also compromised, I suspect that temporarily blocking the entire /19 is the way to go.

Saturday, 18 October 2014

Evil network: 5.135.230.176/28 (OVH / "Eldar Mahmudov" / mahmudik@hotmail.com)

These domains are currently hosted, or have recently been hosted, on 5.135.230.176/28 and all appear to be malicious in some way; in particular, some of them have been hosting the Angler EK (hat tip).

Domains that are currently hosted in the range are listed below; domains flagged as malicious by Google are highlighted. I think it is safe to assume that all these domains are in fact malicious.

The following domains have recently been hosted in this space. Ones marked malicious by Google are highlighted, although I would again assume they are all malicious.

5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:

organisation:   ORG-EM25-RIPE
org-name:       eldar mahmudov
org-type:       OTHER
address:        ishveran 9
address:        75003 paris
address:        FR
e-mail:         mahmudik@hotmail.com
abuse-mailbox:  mahmudik@hotmail.com
phone:          +33.919388845
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
changed:        noc@ovh.net 20140621
source:         RIPE


There appears to be nothing legitimate at all in this IP address range; I strongly recommend that you block traffic going to it.

Tuesday, 16 September 2014

"Unpaid invoice notification" spam leads to Angler Exploit Kit

This convincing-looking but fake spam leads to an exploit kit.

From:     Christie Foley [christie.foley@badinsky.sk]
Reply-to:     Christie Foley [christie.foley@badinsky.sk]
Date:     16 September 2014 13:55
Subject:     Unpaid invoice notification

We are writing to you about fact, despite previous reminders, there remains an outstanding amount of GBP 278.59 in respect of the invoice(s) contained in current letter . This was due for payment on 26 August, 2014.
Our credit terms stipulate full payment within 3 days and this amount is now more than 14 days overdue. The total amount due from you is therefore GBP 308.43

If the full amount of the sum outstanding, as set above, is not paid within 7 days of the date of this email, we shall have to begin legal action, without warning, for a court order requiring payment. We may also commence insolvency proceedings. Legal proceedings can take effect on any credit rating. The costs of legal proceedings and any other amounts which the court orders must also be paid in addition to the debt.

This email is being sent to you according to the Practice Direction on Pre-Action Conduct (the PDPAC) contained in the Civil Procedure Rules, The court has the power to sanction your continuing decline to respond.

To view the the original invoice please follow link

We immediate answer to this email.

Sincerely, Christie Foley.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, All rights reserved

The link in the email goes to:
[donotclick]tiragreene.com/aspnet_client/system_web/4_0_30319/invoice_unn.html

Which in turn goes to an Angler EK landing page at:
[donotclick]108.174.58.239:8080/wn8omxftff

You can see the URLquery report for the EK here. I would strongly recommend blocking web traffic to 108.174.58.239 (ColoCrossing, US).

UPDATE 2014-09-17:

A second round of these is doing the rounds, leading to an exploit kit on [donotclick]109.232.105.106:8080/xolbnl9ehz (report), so I also recommend blocking 109.232.105.106 (Thyphone Communications, Russia).

The content of the email is essentially the same, but the subject and sender vary. Here are some examples:

Subjects:
[IMPORTANT] Invoice overdue notification
[IMPORTANT] Unpaid invoice notification
Last letter before commencing legal action
[IMPORTANT] Invoice overdue
[IMPORTANT] Recent invoice unpaid

Senders:
Carmelo Erickson
Rosie Robertson
Tabitha Patterson
Phil Bates
Luisa Maso

Thursday, 12 June 2014

pcwelt.de hacked, serving EK on 91.121.51.237

The forum of popular German IT news site pcwelt.de has been hacked and is sending visitors to the Angler exploit kit.

Visitors to the forum load a compromised script, hxxp://www[.]pcwelt[.]de/forum/map/vbulletin_sitemap_forum_13.xml.js, which contains Base64-obfuscated malicious code (see Pastebin here) that uses a date-based DGA (domain generation algorithm) to direct visitors to a URL of the following form:

[7-or-8-digit-hex-string].pw/nbe.html?0.[random-number]

The .pw domain contains Base64-encoded data which points to the payload kit, in this case [donotclick]exburge-deinothe.type2consulting.net:2980/meuu5z7b3w.php (Pastebin), which is hosted on 91.121.51.237 (OVH, France). This appears to be the Angler EK.
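Because the DGA itself is not known, the practical detection is on the URL shape given above: a short hex label directly under .pw, the fixed path /nbe.html and a bare 0.<number> query. As an added example (not the post's own code), the check below runs that rule over constructed proxy log lines in an assumed "time client method url referer" layout; the hex labels are placeholders, not observed .pw domains.

```python
import re
from urllib.parse import urlsplit

# Host: a 7- or 8-digit hex label directly under .pw. Path: /nbe.html with a
# single bare query string of the form 0.<digits>, as described in the post.
PW_HOST = re.compile(r"^[0-9a-f]{7,8}\.pw$")
PW_QUERY = re.compile(r"^0\.\d+$")

# Constructed proxy log lines: "<time> <client> <method> <url> <referer>".
# The .pw hex labels are placeholders, not observed domains.
LOG_LINES = [
    "2014-06-12T10:01:02Z 10.0.0.5 GET http://www.pcwelt.de/forum/map/vbulletin_sitemap_forum_13.xml.js http://www.pcwelt.de/forum/",
    "2014-06-12T10:01:03Z 10.0.0.5 GET http://0badf00d.pw/nbe.html?0.4827364 http://www.pcwelt.de/forum/",
    "2014-06-12T10:01:05Z 10.0.0.5 GET http://1a2b3c4.pw/nbe.html?0.99112 -",
    "2014-06-12T10:02:00Z 10.0.0.9 GET http://example.com/nbe.html?0.1 -",
    "2014-06-12T10:02:10Z 10.0.0.9 GET http://0badf00dd.pw/nbe.html?0.1 -",   # 9 hex digits: no match
    "2014-06-12T10:03:00Z 10.0.0.7 GET http://abcdef12.pw/index.html -",      # host only
]


def classify(url):
    """'landing' when host, path and query all match the pattern,
    'pw-host' when only the hex-label .pw host matches, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not PW_HOST.match(host):
        return None
    if parts.path == "/nbe.html" and PW_QUERY.match(parts.query or ""):
        return "landing"
    return "pw-host"


def scan(lines):
    """Return (client, host, verdict) for every line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan(LOG_LINES):
        print(f"{client}\t{host}\t{verdict}")
```

The host-only tier is deliberately separate: a hex-label .pw domain outside the /nbe.html shape is worth a look but is a weaker signal than the full landing URL.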

It looks like the EK domains rotate regularly, but the following sites can be observed on this address:

It is worth noting that these domains appear to have been hijacked from a GoDaddy customer:
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com

The following .pw sites are live right now, hiding behind Cloudflare:
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw

Recommended blocklist:
91.121.51.237
type2consulting.net
valueoptimizationfrontier.com
typetwoconsulting.com
afiduciaryfirst.com
7411447a.pw
31674ec.pw
e4ae59eb.pw
95bded0e.pw
(and if you can block all .pw domains then it is probably worth doing that too)

Thanks to the #MalwareMustDie crew and Steven Burn for help with this analysis.

Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

[NOTE: the IPs listed here appear to have been cleaned up]

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:
