Showing posts with label China.

Wednesday, 27 January 2016

Malware spam: "Enterprise Invoices No.91786" / Enterprise Security Distribution (South West) Limited

This fake financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple forgery with a malicious attachment.

From:    Vicki Harvey
Date:    27 January 2016 at 15:30
Subject:    Enterprise Invoices No.91786

Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE


Vicki Harvey
Accountant
Tel: 0117 977 5373

The name of the sender and the references will vary. There seem to be several different versions of the attachment, named in the format Canon-mf30102A13A@altel.kz_2615524.xls; some example results at VirusTotal are here [1] [2] [3] [4].

The attachments are malformed. You may not be able to download them, or it may appear there are no attachments. It will vary from email client to email client.

Analysis of the attachments is pending, although these Malwr analyses [1] [2] [3] attempted downloads from:

109.234.35.37/californication/ninite.php
5.189.216.105/californication/ninite.php

This binary has a zero detection rate at VirusTotal. That VirusTotal report and this Malwr report indicate network traffic to:

8.254.218.46 (Level 3, US)

I strongly recommend that you block traffic to that IP. This will be some variant of the Dridex banking trojan.

[UPDATE]

This additional Malwr report shows another IP worth blocking:

103.224.83.130 (#2 of Group 1, Lingshan, China)

Monday, 11 January 2016

Malware spam: "E-Service (Europe) Ltd Invoice No: 10013405" / "Andrew Williams [andrew.williams@eurocoin.co.uk]"

This fake financial spam does not come from E-Service (Europe) Ltd but is instead a simple forgery with a malicious attachment:

From     Andrew Williams [andrew.williams@eurocoin.co.uk]
Date     Mon, 11 Jan 2016 17:07:38 +0700
Subject     E-Service (Europe) Ltd Invoice No: 10013405

Dear Customer,

Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.

Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment on:

Tel (44) 01707 280000
Email: accounts@e-service.co.uk
Or logon and register to access your  customer portal where you can view all historic
orders & transactions on www.e-service.co.uk

PLEASE NOTE NEW E-SERVICE (EUROPE)  BANK DETAILS:

Currency        A/C No.         Sort Code         Swift Code      IBAN No.

GBP               21698613         40-04-37         MIDLGB22            GB48MIDL40043721698613
EUR               71685997         40-05-15         MIDLGB22           GB75MIDL40051571685997

Kind regards

E-Service (Europe) Accounts Team

E-Service have been exceptionally quick about posting an update on their Twitter page. However, they have not been hacked at all: it is trivially easy to forge an email message, and the From: address proves nothing. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan.

So far, I have seen five different versions of the attachment, all named Invoice 10013405.XLS and with detection rates of about 8/55 [1] [2] [3] [4] [5]. Analysis of the attachments is pending, please check back later.

UPDATE

The Malwr reports for the attachment [1] [2] [3] [4] [5] show that the macro in the spreadsheet downloads a file from the following locations:

arellano.biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational.org/5fgbn/7tfr6kj.exe
www.c0-qadevtest.net/5fgbn/7tfr6kj.exe


This dropped file has a detection rate of 1/55. It is the same binary as found in this earlier spam run which phones home to:

114.215.108.157 (Aliyun Computing Co, China)

This is an IP that I strongly recommend blocking.

Dropped file MD5:
3d59b913f823314ca85839b60a9d563a

Attachment MD5s:
0a4cf4956f7725cc48809bf19759371c
b1bbced1425bcba77735017f6da21659
8f2803bb7564e85e4a5db6c877067a9f
295fe8083a872b9c3edf4439f3a00c67
9440167e49553f2a1d8aa1e38752e497


Malware spam: "Your latest invoice from UKFast No.1228407" / UKFast Accounts [accounts@ukfast.co.uk]

This fake financial spam does not come from UKFast but is instead a simple forgery with a malicious attachment.

From     UKFast Accounts [accounts@ukfast.co.uk]
Date     Mon, 11 Jan 2016 11:00:10 +0300
Subject     Your latest invoice from UKFast No.1228407

I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54. The Malwr report shows that the malicious macro [pastebin] downloads an executable from:

www.vmodal.mx/5fgbn/7tfr6kj.exe

This binary has a detection rate of 2/54 and an MD5 of 3d59b913f823314ca85839b60a9d563a.  This Malwr report for the dropped file indicates network traffic to:

114.215.108.157 (Aliyun Computing Co, China)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.
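Added example, not code from the original post: the indicators from this post and the E-Service one above, turned into a proxy-log check. The download hosts, the path /5fgbn/7tfr6kj.exe, the IP 114.215.108.157 and the MD5 are taken from the posts; the log layout and the sample lines are constructed for the example, using documentation-range addresses except for the real C2 IP. The point it makes is that the download hosts changed between the two spam runs while the payload path and the phone-home IP did not, so those are the indicators worth keying on.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Indicators from the two January 2016 Dridex posts above. The download hosts
# differ between runs (compromised sites), but the payload path and the
# phone-home IP were the same, so those are the indicators to key on.
DRIDEX_IOCS = {
    "hosts": {
        "arellano.biz",
        "pastorsschoolinternational.org",
        "www.c0-qadevtest.net",
        "www.vmodal.mx",
    },
    "paths": {"/5fgbn/7tfr6kj.exe"},
    "ips": {ipaddress.ip_address("114.215.108.157")},
    "md5s": {"3d59b913f823314ca85839b60a9d563a"},
}

# Assumed proxy log layout (constructed for this example, not from the posts):
#   <epoch> <client-ip> <dest-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def split_url(url):
    """Return (host, path) for an http(s) URL; bare IP hosts work too."""
    hostpath = url.split("://", 1)[-1]
    host, _, path = hostpath.partition("/")
    return host.lower(), "/" + path


def classify(line, iocs=DRIDEX_IOCS):
    """Match one log line against the IOC set; None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _, _, dst, _, url = m.groups()
    host, path = split_url(url)
    reasons = []
    if host in iocs["hosts"]:
        reasons.append("known download host")
    if path in iocs["paths"]:
        # Strongest signal here: the path survived the rotation of hosts.
        reasons.append("known payload path")
    try:
        if ipaddress.ip_address(dst) in iocs["ips"]:
            reasons.append("Dridex C2 IP")
    except ValueError:
        pass
    return Hit(line, reasons) if reasons else None


def scan(lines, iocs=DRIDEX_IOCS):
    return [h for h in (classify(l, iocs) for l in lines) if h]


def md5_known(data, iocs=DRIDEX_IOCS):
    """True when the bytes hash to one of the listed dropper MD5s."""
    return hashlib.md5(data).hexdigest() in iocs["md5s"]


# Constructed sample log: documentation-range addresses except the real C2 IP.
SAMPLE_LOG = [
    "1452510000 10.0.0.5 198.51.100.10 GET http://www.vmodal.mx/5fgbn/7tfr6kj.exe",
    "1452510005 10.0.0.5 203.0.113.7 GET http://some-other-hacked-site.example/5fgbn/7tfr6kj.exe",
    "1452510010 10.0.0.5 114.215.108.157 POST http://114.215.108.157/",
    "1452510020 10.0.0.9 203.0.113.20 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(", ".join(hit.reasons), "<-", hit.line)
```

The second sample line is the interesting one: a host that appears in neither post still gets caught because the path matches, which is what you want when the next run lands on yet another compromised site.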

Wednesday, 16 December 2015

Domain registration scam: cn-registry.net / "Huabao Ltd"

This type of Chinese domain registration scam has been around for years.

From:    Jim Gong [jim.gong@cnregistry.net]
Date:    15 December 2015 at 13:40
Subject:    "petroldirect"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huabao Ltd on December 14, 2015. They want to register " petroldirect " as their Internet Keyword and " petroldirect .cn "、" petroldirect .com.cn " 、" petroldirect .net.cn "、" petroldirect .org.cn " 、" petroldirect .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " petroldirect " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

 
Best Regards,
  Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Shanghai, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.net

In fact, there is no Huabao Ltd - it's just a made-up name that the scammers use to try to persuade you into buying some overpriced and worthless domains. Nobody is interested in buying these domains, and no domain registrar would contact you before registration in any case, as it is not the responsibility of the registrar to do so*.

I certainly don't recommend forwarding this to your CEO, as many CEOs will not understand the scam and may fall for it. If you do forward it, make sure that you point out that this is a scam.

This scam has been around for so long, that I even made a video about it..


The following domains are all variations of the same rogue Chinese registrar:

cnregistry.net
cn-registry.net
cnwebregistry.net
cn-registry.com
cnweb-registry.com
cnwebregistry.com
cnwebregistry.org
cnweb-registry.org
cnregistry.com.cn
cn-registry.org.cn
cnweb.org.cn
webregistry.org.cn


* except in specific and limited circumstances (e.g. sunrise applications) that do not apply here.
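Added example, not part of the original post: a small mail-filter scoring function for this scam. The sender domains are the twelve listed above; the template phrases are the ones that recur across the scam emails quoted on this page. The weights, the threshold and the three sample messages are assumptions constructed for the example (the first two reuse wording from the quoted emails). A known sender domain is decisive on its own, but the phrase scoring is what catches the next throwaway domain the same outfit registers.

```python
import re

# Sender domains the post lists as variations of the same rogue registrar.
ROGUE_REGISTRAR_DOMAINS = {
    "cnregistry.net", "cn-registry.net", "cnwebregistry.net", "cn-registry.com",
    "cnweb-registry.com", "cnwebregistry.com", "cnwebregistry.org",
    "cnweb-registry.org", "cnregistry.com.cn", "cn-registry.org.cn",
    "cnweb.org.cn", "webregistry.org.cn",
}

# Template phrases that recur in the scam emails quoted on this page.
# The weights and the threshold below are assumptions for this example.
SCAM_PHRASES = [
    (r"forward this to your ceo", 2),
    (r"domain name registration center", 2),
    (r"internet keyword", 2),
    (r"conflicts? with your company", 2),
    (r"distributor or business partner", 2),
    (r"we received an application from", 1),
    (r"within \d+ work ?days", 1),
]


def sender_domain(sender):
    """Extract the domain from 'Name [user@dom]', 'Name <user@dom>' or a bare address."""
    m = re.search(r"@([A-Za-z0-9.-]+)", sender)
    return m.group(1).lower().rstrip(".") if m else ""


def score_message(sender, subject, body):
    """Return (score, reasons) for one message."""
    score, reasons = 0, []
    dom = sender_domain(sender)
    if dom in ROGUE_REGISTRAR_DOMAINS:
        score += 5
        reasons.append(f"sender domain {dom} is a known rogue registrar")
    text = f"{subject}\n{body}".lower()
    for pattern, weight in SCAM_PHRASES:
        if re.search(pattern, text):
            score += weight
            reasons.append(f"template phrase: {pattern}")
    return score, reasons


def is_domain_scam(sender, subject, body, threshold=4):
    return score_message(sender, subject, body)[0] >= threshold


# Constructed samples. The first two reuse wording from the emails quoted above.
SCAM_KNOWN_SENDER = (
    "Jim Gong [jim.gong@cnregistry.net]",
    '"petroldirect"',
    "Dear CEO,\n"
    "(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)\n"
    "We are a Network Service Company which is the domain name registration center in Shanghai, China.\n"
    "We received an application from Huabao Ltd on December 14, 2015. They want to register \"petroldirect\" as their Internet Keyword. "
    "But after checking it, we find \"petroldirect\" conflicts with your company. "
    "Please confirm whether this company is your distributor or business partner in China or not?",
)
SCAM_NEW_SENDER = (
    "Jim Bing <jim.bing@cn-registry.example>",  # hypothetical domain not on the list
    'Re:"slimeware"',
    "Please forward this to your CEO. We are the domain name registration center in Shanghai. "
    "They want to register slimeware as their Internet Keyword.",
)
LEGIT_RENEWAL = (
    "Billing <billing@registrar.example>",
    "Your domain example.com renews on 1 March 2016",
    "Your domain example.com will renew automatically on 1 March 2016. No action is needed.",
)

if __name__ == "__main__":
    for msg in (SCAM_KNOWN_SENDER, SCAM_NEW_SENDER, LEGIT_RENEWAL):
        print(is_domain_scam(*msg), score_message(*msg))
```

A genuine renewal notice from your own registrar scores zero here, which is the check worth keeping in mind: the scam is recognisable by its template, not merely by its sender.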


Saturday, 10 October 2015

Scam: "Jim Bing [jim.bing@cn-registry.cn]" / "Huayin Ltd"


This email is part of a long-running Chinese domain scam:

From:    Jim Bing [jim.bing@cn-registry.cn]
Date:    10 October 2015 at 13:52
Subject:    Re:"slimeware"

Dear CEO,
(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.

We received an application from Huayin Ltd on October 9, 2015. They want to register " slimeware " as their Internet Keyword and " slimeware .cn "、" slimeware .com.cn " 、" slimeware .net.cn "、" slimeware .org.cn " 、" slimeware .asia " domain names etc.., they are in China and Asia domain names. But after checking it, we find " slimeware " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?


Best Regards,

Jim
General Manager 
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cn-registry.cn

Slimeware.com is an ancient site of mine that parodies adware companies. I doubt very much that anyone is trying to use this as a domain name for a legitimate business, and I couldn't care less if they did anyway. In fact, what is happening here is that the scammer "Jim Bing" (is he related to Terry Google?) is just trying to get you to panic and buy an overpriced and worthless domain name.

It's a pretty common scam, and I have explained the basics in the video below..


Wednesday, 29 April 2015

cnwebregistry.cn / chinaygregistry.com scam and "Huayu Ltd"

This spam email is actually part of a long-running Chinese scam.

From:    Jim Bing [jim.bing@cnwebregistry.cn]
Date:    29 April 2015 at 14:27
Subject:    Re:"[redacted]"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China.
We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3008, Jiulong Building, No. 836 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.cn

Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a rogue Chinese domain registrar to get you to buy overpriced and worthless domains.

In this case the spam mentions the domain cnwebregistry.cn, but chinaygregistry.com is also on the same server and will be similarly fraudulent.

This video I made a while ago explains the scam in more detail:



Wednesday, 15 April 2015

pdatamc.org / publicdmc.cn domain scam

This email message is actually a spam promoting a long-running scam where an unscrupulous party is attempting to sell overpriced and worthless domains to their intended victim.

From: Bruce Lo [mailto:bruce@publicdmc.cn]
Date: 14:59 Wednesday 15th April 2015
Subject: [victimdomain] Registration
Priority: High

To whom it may concern:

We are the Registrars accredited by China Internet Network Information Center. We have something to confirm with you. On April 7, 2015, we received an application in which a company by the name Presg Group applied to register " victimdomain " as their Brand Name and some Asia domain names through our firm.

Now we are handling this registration. After our initial checking, we found that the name are identical to your company's. We need to check with you whether your company has authorized that company to register these names. If you have authorized this, we will finish the registration at once. If not, please let us know within 7 workdays, in which case we will dicuss the matter more thoroughly. If not otherwise advised within that time limit we will proceed with the registration for Presg Group . We will be waiting for your reply. Have a nice day!

Best Regards

Bruce Lo
Registration Dept.
Phone: +86.55165184482
Fax:    +86.55165128724
Website:http://www.pdatamc.org/
Address: No. 789, XiYou Road, Zhengwu District, HeFei City, AnHui Province, China

I've explained this particular scam so many times that I made a video explaining it..

businessexecutives01.com / theexecutivesbrand.com scam

This is a grubby "Who's Who" scam:

From:    Sterling Hudson
Date:    15 April 2015 at 14:12
Subject:    Re: you were chosen as a potential candidate...

Dear,

You were recently chosen as a potential candidate to represent 2015 Worldwide Branding Registry of Distinguished Professionals and Executives.
We are pleased to inform you that your candidacy was formally approved May 2nd. Congratulations. The Publishing Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals.
Given your background, the Director believes your profile makes a fitting addition to our publication. There is no fee nor obligation to be listed. As we are working off of secondary sources, we must receive verification from you that your profile is accurate. After receiving verification, we will validate your registry listing within seven business days.
Once finalized, your listing will share prominent registry space with thousands of fellow accomplished individuals across the globe, each representing accomplishments within their own geographical area.
To verify your profile and accept the candidacy, please visit here.

Our registration deadline for this year's candidates is May 28th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievement and look forward to welcoming you to our association.
Sincerely,

Benjamin Morisson
Editor in Chief
Worldwide Selection Committee 2015

If you don't want to receive emails any more, please Unsubscribe

The link in the email goes to www.businessexecutives01.com:8133/wayne/, which is an anonymously registered domain hosted on a spam server at 123.249.39.89 in China. The links on the businessexecutives01.com website all lead to theexecutivesbrand.com, which is basically a mirror of the content.

There are a number of these scammy spam sites on the same servers. I recommend that you block all the following sites as spam:

businessexecutives01.com
dirtyemojis.ru
foldemholdem.com
ironchampusa.ru
truepeptide.net
theexecutivesbrand.com




Tuesday, 25 November 2014

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145

707 Wilshire Boulevard is a massive office block, but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation. 

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't fit this pattern seem to be .fr domains which look like they have been hijacked or re-registered.. and oddly they are all registered to different (often obviously fake) people at the same address in France:


address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR


It isn't a big place according to Google. I doubt if there is an Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged as malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring traffic to and from that /25 is the easiest way of dealing with it; alternatively, these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz
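Added example, not from the original post: the three signals the post uses to call this /25 suspect (random-looking labels, hosting inside 104.152.215.0/25, and WHOIS emails that bear no relation to the registrant name), written as a triage script. The domains and the two fake registrant names come from the post; the IPs, the email addresses and the third record are constructed, since the post's CSVs are not reproduced here. The vowel-ratio and consonant-run thresholds are assumptions: they miss a few names on the list (hotkii.com, uewswa.com) and would flag short legitimate acronyms, so treat the output as a triage list, not a block list.

```python
import ipaddress
import re

SUSPECT_BLOCK = ipaddress.ip_network("104.152.215.0/25")
VOWELS = set("aeiou")


def in_suspect_block(ip):
    return ipaddress.ip_address(ip) in SUSPECT_BLOCK


def registrable_label(domain):
    """Crude public-suffix handling: covers the .com.cn/.org.cn names on this
    page, otherwise takes the label left of the last dot."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "cn" and labels[-2] in {"com", "net", "org"}:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_random(domain, max_vowel_ratio=0.2, max_consonant_run=4):
    """Heuristic for generated-looking labels: few vowels or a long consonant
    run. Thresholds are assumptions; use for triage, not blocking."""
    label = re.sub(r"[^a-z]", "", registrable_label(domain))
    if not label:
        return False  # purely numeric labels such as 7381.pw: no letters to judge
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    runs = re.findall(r"[^aeiou]+", label)
    longest_run = max((len(r) for r in runs), default=0)
    return vowel_ratio < max_vowel_ratio or longest_run >= max_consonant_run


def whois_email_mismatch(registrant_name, email):
    """True when no token of the registrant name (3+ letters) appears in the
    email local part; the post notes the addresses bore no relation to the names."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.findall(r"[a-z]+", registrant_name.lower()) if len(t) >= 3]
    return not any(t in local for t in tokens)


def triage(records):
    """Map each domain to the list of indicators it trips."""
    out = {}
    for r in records:
        flags = []
        if looks_random(r["domain"]):
            flags.append("random-looking label")
        if in_suspect_block(r["ip"]):
            flags.append("hosted in suspect /25")
        if whois_email_mismatch(r["registrant"], r["email"]):
            flags.append("whois email unrelated to registrant")
        out[r["domain"]] = flags
    return out


# Constructed records: the domains and the two fake names come from the post;
# the IPs, emails and the third record are made up for the example.
SAMPLE_RECORDS = [
    {"domain": "bcczrvo.com", "ip": "104.152.215.90",
     "registrant": "Assad Sfdsadsfw", "email": "dom7731@example.net"},
    {"domain": "feldo-luxury.fr", "ip": "104.152.215.91",
     "registrant": "Yfdsjshfk Ynagkjhk", "email": "reg4410@example.net"},
    {"domain": "example.org", "ip": "198.51.100.20",
     "registrant": "Jane Doe", "email": "jane.doe@example.org"},
]

if __name__ == "__main__":
    for domain, flags in triage(SAMPLE_RECORDS).items():
        print(f"{domain:20} {', '.join(flags) or 'clean'}")
```

The .fr record is the instructive one: the label itself looks legitimate (it was a real site before being re-registered), so only the hosting and the WHOIS mismatch flag it, which is why the post's argument rests on the combination rather than on domain structure alone.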

Thursday, 9 October 2014

chinaregistry.org.cn domain scam

This is an old scam that can safely be ignored.

From:     Henry Liu [henry.liu@chinaregistry.org.cn]
Date:     9 October 2014 07:53
Subject:     [redacted] domain and keyword in CN

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 7, 2014, we received an application from Huaya Holdings Ltd requested "[redacted]" as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Kind regards

Henry Liu 
General Manager 
China Registry (Headquarters)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web:
www.chinaregistry.org.cn

Nobody is trying to register your domain name, this is simply a long-running scam aimed at getting you to spend too much money on something that you don't need. And I strongly recommend that you don't forward junk email like this to your CEO either.

I created a brief video explaining the scam that you can view below:

Monday, 14 July 2014

Scam: "CNnet Dispute Solutions Ltd" cn-network.com / cn-network.org

This email from a Chinese domain registrar styling itself as "CNnet Dispute Solutions Ltd" is a scam.

From:     james@cn-network.org
Date:     14 July 2014 11:12
Subject:     About Internet Trademark Issue: [redacted]


Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

We are a organization specializing in trademark consulting and domain name registration services in China. We just received an application sent from "HaiTon Importing Co., Ltd" on 13/07/2014, requesting for applying the "[redacted]" as the Internet Brand and some Chinese domains such as .cn/.com.cn/.hk/.asia ect... for their business running. Though our preliminary review and verification, we found that this keyword is currently being used by your company and is applied as your domain name. In order to avoid any potential risks in terms of trademark dispute and impact on your market businesses in China and Asia in future, we need to confirm with you whether "HaiTon Importing Co., Ltd" is your own subsidiary or partner.

Will your businesses in China and Asia be impacted potentially if they apply for this trademark? And will you agree this company to apply for this trademark? Please contact us immediately within 10 working days, otherwise, you will be deemed as waived by default.

Please contact us in time in order that we can handle this issue better.


Best Regards,

James Tan

Auditing Department.

Registration Department Manager
4/F,No.9 XingHui West Street,

JinNiu ChenDu, China

Office: +86 2887662861

Fax: +86 2887783286

Web: http://www.cn-network.com



Please consider the environment before you print this e-mail.

Don't worry, this is a scam. There is no such company as "HaiTon Importing Co". Nobody is trying to register these worthless domains, there is really nothing to worry about. I've explained it all in this video.

They have a website at cn-network.com and are soliciting replies to cn-network.org. Registration details are as follows:

Registry Registrant ID:
Registrant Name: Wang XiaoGang
Registrant Organization: Cheng Du Chuang Ning Wang Luo Ke Ji You Xian Gong Si
Registrant Address: No. 69  JinFangYuanDong Road  ChengDuJinNiu District
Registrant City: ChengDuShi
Registrant Province/state: SC
Registrant Country: CN
Registrant Postal Code: 610000
Registrant Phone: +86.2887783286
Registrant Phone EXT: +86.2887783286
Registrant Fax: +86.2887783286
Registrant Fax EXT: +86.2887783286
Registrant Email: 253885777@qq.com
Registrant Email EXT: 253885777@qq.com
Registry Admin ID: 42771277


I can find the following domains that use the same contact details:

cn-nic.org
cn-network.org
cn-network.com
cn-network.net
cnnetcor.com
cnnetpro.com


This scam has been going around for years, and it is just being randomly spammed out and you should simply ignore it.

Video: Chinese Domain Scams


Monday, 23 June 2014

Obama sends me an important message about surveillance

Obama sends me an important message about surveillance. No, really. But perhaps not the Obama you are thinking of.

Date:      Mon, 23 Jun 2014 23:36:02 +0800 [11:36:02 EDT]
From:      CCTV Surveillance [mail@globalsourcescctv.com]
Reply-To:      mail@globalsourcescctv.com
Subject:      [IMPORTANT] Surveillance

Hi,
Good day

We would like to take this opportunity to introduce our company.
WEISKYTECH founded in 2006.
Export 90% products to developed countries in North America and Europe,
established close business relationship with many famous security companies around the world.

Our Products Line
| CCTV camera. (IP CAMERA.HD-CVI CAMERA.ANALOG CMOS/CCD.)
| NVTKITs. DVRKITs.CVRKITs. (4CH,8CH,16CH)
| POE SWITCH (4.8.16.24CH POE SWITCH. 15W.25W POE MODULE).
| NVR.CVR.DVR

We want to give to you GOOD - CHEAP - FAST Surveillance products.
Obama here, looking for your reply needs and questions.

Reply me & quality products can be stand your inspection!

Best Regards,

Mr Obama,

There's no website, so this spam is soliciting replies via email, which means globalsourcescctv.com must be valid for receiving mail (indeed, the MXes are mxbiz1.qq.com and mxbiz2.qq.com). Let's have a look at those WHOIS details then..

Registry Registrant ID: 1821794
Registrant Name: WILSON
Registrant Organization: Obama
Registrant Street: LONGHUA
Registrant City: shenzhen
Registrant State/Province: Guangdong
Registrant Postal Code: 518000   
Registrant Country: China
Registrant Phone: +86.75536956066                        
Registrant Phone Ext:
Registrant Fax: +86.75536956066                        
Registrant Fax Ext:
Registrant Email: 595642135@qq.com                       
Registry Admin ID: 1821795


Wow.. Obama again. Must be legit. Or perhaps not..

Sunday, 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of which appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitalOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Serviços de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network, China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91
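Added example, not from the original post: a parser for the annotated list above that separates the [ns] entries from the rest. The distinction matters in practice: the [ns] addresses belong to unrelated organisations (Ford, the DoD, a couple of universities) whose nameservers were abused, and dropping them outright can break resolution of legitimate domains those servers still serve, so they go on a monitor list rather than into the block set. The sample lines are a handful copied from the list above plus one junk line; the ipset commands are rendered as strings only and nothing is executed.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    ip: str
    org: str
    country: str
    nameserver: bool  # marked [ns] in the post: a compromised third-party nameserver


# "<ip>    (<org>, <country>)    [ns]" with the trailing tag optional
LINE_RE = re.compile(r"^\s*(\S+)\s+\((.*)\)\s*(\[ns\])?\s*$")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one annotated line; None for lines that are not a valid entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, inside, ns_tag = m.groups()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    # The country is whatever follows the last ", " inside the brackets.
    org, _, country = inside.rpartition(", ")
    return Entry(ip, org.strip(), country.strip(), ns_tag is not None)


def split_lists(lines) -> Tuple[List[Entry], List[Entry]]:
    """Block the hosting/C2 addresses outright; keep the [ns] addresses on a
    monitor list so that unrelated domains served by those nameservers still resolve."""
    entries = [e for e in map(parse_entry, lines) if e]
    block = [e for e in entries if not e.nameserver]
    monitor = [e for e in entries if e.nameserver]
    return block, monitor


def ipset_commands(set_name: str, entries: List[Entry]) -> List[str]:
    """Render the block list as ipset commands (strings only; nothing is run)."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    cmds += [f"ipset add {set_name} {e.ip} -exist" for e in entries]
    return cmds


# A few lines copied from the annotated list above, plus one junk line.
SAMPLE_LINES = """\
12.42.61.221    (AT&T, US)
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
not-an-ip    (junk)
""".splitlines()

if __name__ == "__main__":
    block, monitor = split_lists(SAMPLE_LINES)
    print("\n".join(ipset_commands("dynamoo_block", block)))
    print("monitor only:", ", ".join(f"{e.ip} ({e.org})" for e in monitor))
```

Feeding the full annotated list through split_lists gives you the same plain list of addresses as the one above, with the nameserver entries set aside for watching instead of blocking.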

Monday, 16 December 2013

Video: Chinese domain scams


yiyu-ipr.org domain scam

Yet another Chinese domain scam, this time trying to punt the "Tiger Direct" trademark (which I don't own!).

From:     lisa [lisa@yiyu-ipr.org]
Date:     16 December 2013 04:04
Subject:     International Trademark " tigerdirect"

(Please forward this to your CEO or President, because this is urgent. Thank you.)

Dear President & CEO,

We are an IPR registration service law office in China. On Dec.13, 2013, we received an application from "TD Investment Co., Ltd." wants to register the following Trademark and Domains:

Trademark:
tigerdirect

Domains:
 tigerdirect.com.hk
 tigerdirect.com.tw
 tigerdirect.hk
 tigerdirect.net.cn
 tigerdirect.org.cn
 tigerdirect.tw

Based on the registration procedure, we found that the name is the same as your company's name,and we must check these for you. If your company and this "TD Investment Co., Ltd." are the same company,there is no need to reply to us,We will accept their application and will register those for them soon. If your company has no relationships with that company nor authorized,please reply to us asap at latest within 7 workdays. But if we can't get any information from your side over 7 workdays,we will unconditionally approve the application submitted by "TD Investment Co., Ltd." Thanks for your cooperation.


Kind Regards,

Lisa Zeng

***************************************************
Lisa Zeng / Attorney
YIYU Chengdu Office(Head Office)
3/F,1st Building Citang Street No.8,
Qingyang District, ChengDu, China.
Tel: +86 28 8777 5008
Fax: +86 28 6246 5008
Web: http://www.yiyu-ipr.org
This e-mail contains information (including any attachments) intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the authorized employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender. Thank you for your cooperation.
Please consider the environment before you print this e-mail.

This scam has been running for a long time. In reality registrars are in no way responsible for checking trademarks before registration, and my experience is that even after these dire warnings nobody actually registers the domains in any case.

I don't know if the WHOIS details for this domain are genuine, but here they are:
Registrant ID:f0dda025f296d026
Registrant Name:David Tang
Registrant Organization:YIYU LAW OFFICE
Registrant Street1:chengdushi
Registrant Street2:
Registrant Street3:
Registrant City:chengdushi
Registrant State/Province:sichuan
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.2887775008
Registrant Phone Ext.:
Registrant FAX:+86.2862465008
Registrant FAX Ext.:
Registrant Email:296304138@qq.com


These other domains are all associated with the same outfit and you can probably assume that any similar pitch from them is a scam.

yiyu-ipr.org
yiyuinternational.com
yiyuit.org
yiyuiprlaw.com
yiyulaw.com
yiyullc.com
yy-ipr.org
yyipr.org
chadlaw.asia
chadlaw.org
chadlawoffice.org
chadiprlaw.org
marchiorousa.asia
wanbaojisige.com

Tuesday, 10 December 2013

"EUROPOL" scareware / something evil on 193.169.87.247

193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains:

a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com

The scareware is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:


Europol   EUROPEAN CYBERCRIME CENTRE    Europol EC3

All activities of this computer have been recorded. All your files are encrypted.

ATTENTION!

All your files are encrypted to prevent their distribution and use.
Due to violations of the law, your browser has been blocked
because of at least one of the reasons below.

1. You have been subjected to violation of Copyright and Related Rights Law and illegally using or distributing copyrighted contents such as Video, Music or\and Software (files were found in your browser's temporary files and your documents), thus conflicting with Article 1, Section 8, Clause 8 of the Criminal Code of the United Kingdom.
Article 1, Section 8, Cause 8 of the Criminal Code states a fine or two hundred minimal wages or a deprivation of liberty of two to eight years.
2. You have been viewing or distributing prohibited Pornographic contents: Child Porno photos and such, were found in browser's temporary files and your documents.
Thus, you are violating article 202 of the Criminal Code of the United Kingdom. Article 202 of the Criminal Code states a deprivation of liberty of four to twelve years.
3. Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law of Neglectful Use of your Personal Computer. Article 210 of the Criminal Code declares a fine of up to £50,000 and/or deprivation of liberty of four to nine years.
Pursuant to the amendment of the Criminal Code of the United Kingdom of May 28, 2011, this law infringement (if it is a first time offence) may be considered as conditional in case you pay the fine.

To unlock your computer and avoid other legal consequences, you are obliged to pay a release fee of £200, payable through Ukash (you must purchase the Ukash card and enter the code). You can buy the card at any store or gas station, payzone or paypoint.

Find the nearest epay or payzone location.
Go to any location with a PayPoint or Payzone terminal.
Ask for Ukash: £200.00 (one voucher code).

Please note: Fine can only be paid within 12 hours. As soon as 12 hours expire, the possibility to pay the fine is lost forever. All your PC data will be detained and criminal's procedure will be initiated against you if the fine will not be paid!

The text varies depending on the country the visitor is in, for example URLquery displays the text in Norwegian.

The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207.com (for example), you get europol.europe.eu.id176630100-8047697129.f1207.com instead, which looks a little more official. You can see some more examples here.

All the domains in use are registered through scam-friendly registrar BIZCN to:

Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15  2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: 01066569215
Registrant Phone Ext:
Registrant Fax: 01066549216
Registrant Fax Ext:
Registrant Email: zhongguancun@yahoo.com


Now, I would normally suggest that the WHOIS details were fake but a Google search for the email address shows that it has been active for over two years including this injection attack I documented in September 2011. It is possible therefore that Zhong Si and Xicheng Co are actually responsible.

193.169.87.247 is registered to "PE Ivanov Vitaliy Sergeevich" (i.e. Vitaliy Ivanov or Виталий Сергеевич Иванов) as follows:

organisation:   ORG-IV2-RIPE
org-name:       PE Ivanov Vitaliy Sergeevich
org-type:       OTHER
address:        42-A Tobolskaya street, office 230, Kharkov, Ukraine
mnt-ref:        MNT-IV25
mnt-by:         MNT-IV25
source:         RIPE # Filtered


193.169.87.247 forms part of 193.169.86.0/23 (AS48031), which has a so-so reputation according to Google; there do appear to be a lot of legitimate sites in the neighbourhood as well as these malicious ones.

Recommended blocklist:
193.169.87.247
a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com
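The nested-subdomain trick described above (a hostname like europol.europe.eu.id176630100-8047697129.f1207.com) defeats naive string matching against a blocklist. The following is an added example, not code from the original post: it reduces each hostname to its registrable domain before matching the blocklist above, and separately flags a well-known name that has been nested inside the attacker-controlled prefix. The suffix table and the sample hostnames are constructed for the example; a real deployment would use the full Public Suffix List.

```python
import re

# Minimal suffix table constructed for this example; it is NOT the full Public
# Suffix List, so a real deployment should swap in a proper PSL lookup.
KNOWN_SUFFIXES = {"com", "net", "org", "su", "ru", "eu", "gov",
                  "com.hk", "com.tw", "co.uk"}

# Recommended blocklist from the post above, as registrable domains.
BLOCKLIST = {"a1751.com", "b4326.com", "d2178.com",
             "f1207.com", "h5841.com", "k6369.com"}

# Labels that, when they appear *inside* the attacker-controlled prefix,
# signal a nested look-alike such as europol.europe.eu.<junk>.f1207.com.
DECOY_TLDS = {"eu", "gov", "org", "com", "net"}

_HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def registrable_domain(hostname: str) -> str:
    """Return the part the registrar actually sold (suffix plus one label)."""
    host = hostname.strip().lower().rstrip(".")
    if not _HOSTNAME_RE.match(host):
        raise ValueError(f"not a hostname: {hostname!r}")
    labels = host.split(".")
    for n in (2, 1):  # longest suffix first, so 'com.hk' wins over 'hk'
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host


def embedded_decoy(hostname: str):
    """Return the fake 'official' domain nested in the subdomain prefix, or None."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    prefix = labels[: len(labels) - len(registrable_domain(hostname).split("."))]
    for i, label in enumerate(prefix):
        if i > 0 and label in DECOY_TLDS:
            return ".".join(prefix[: i + 1])
    return None


def check_hosts(hostnames):
    """Classify each hostname: registrable domain, blocklist hit, decoy prefix."""
    results = []
    for h in hostnames:
        reg = registrable_domain(h)
        results.append({"host": h, "domain": reg,
                        "blocked": reg in BLOCKLIST, "decoy": embedded_decoy(h)})
    return results


# Constructed sample of Host headers as a proxy log might record them.
SAMPLE_HOSTS = [
    "europol.europe.eu.id176630100-8047697129.f1207.com",  # quoted in the post
    "www.f1207.com",
    "www.nacha.org.smscente.net",  # constructed: nested 'nacha.org' decoy
    "www.example.com",
    "tigerdirect.com.hk",
]

if __name__ == "__main__":
    for r in check_hosts(SAMPLE_HOSTS):
        print(r)
```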

Update: a similar attack has also taken place on 193.169.86.250 on the same netblock.

Friday, 25 October 2013

Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)




Monday, 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)
67.207.155.24 (Rackspace, US)
69.163.40.39 (DirectSpace LLC, US)
71.91.8.200 (Charter Communications , US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
108.206.235.75 (AT&T, US)
109.71.136.140 (OpWan, France)
112.124.27.158 (Alibaba Advertising Co, China)
125.20.14.222 (Price Water House Cooperation, India)
146.185.147.26 (Digital Ocean, Netherlands)
165.132.27.59 (Yonsei, Korea)
176.56.228.134 (Routelabel / WeservIT, Netherlands)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
195.225.58.43 (C&A Connect SRL, Romania)
198.71.82.48 (Enzu Inc, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
222.127.21.35 (Network IP, Philippines)
223.30.27.251 (Sify Limited, India)


Tuesday, 24 September 2013

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang, and it replaces last week's list.

5.135.42.104 (OVH, Netherlands)
24.111.103.183 (Midcontinent Media, US)
24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
37.221.163.174 (Voxility SRL, Romania)
42.121.84.12 (Aliyun Computing Co, China)
46.32.47.24 (Syd Energi, Denmark)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
69.94.163.22 (Region 18 Education Service Center, US)
69.163.40.39 (DirectSpace LLC, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
79.190.173.125 (TPNET, Poland)
81.28.199.18 (KNET, France)
84.52.66.244 (West Call Ltd, Russia)
85.246.142.214 (PT Comunicacoes, Portugal)
91.220.77.83 (NTH Media, Switzerland)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
109.71.136.140 (OpWan, France)
123.183.210.42 (China Telecom, China)
125.20.14.222 (Price Water House Cooperation, India)
153.127.243.80 (Kagoya Japan Corporation, Japan)
163.32.78.2 (TANET, Taiwan)
174.142.186.89 (iWeb, Canada)
184.82.233.29 (Network Operations Center, US)
186.3.101.235 (Clientes Quito, Ecuador)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
194.44.93.219 (UARNet, Ukraine)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
199.175.49.118 (VPS Cheap, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
216.218.208.55 (Hurricane Electric, US)
223.30.27.251 (Sify Limited, India)
220.68.231.30 (Hansei University, Korea)




Friday, 20 September 2013

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:

From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds

Play

*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc 

I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though: click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.

So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.

I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty healthy 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).

So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse the results of Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.

Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before [1] [2] [3].

Up until April, the IP 219.235.1.127 hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address sisibin@qq.com. I do not know if they are connected with the fake AV in any way.

Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on their devices and should take the appropriate steps to keep themselves safe.