Sponsored by..

Showing posts with label Lithunia. Show all posts
Showing posts with label Lithunia. Show all posts

Tuesday 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.


URLquery shows one such download in this example, the victim has been directed to [donotclick]gf-58.ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48.


The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:

[donotclick]gdevseesti.ru/telekom_deutschland/
[donotclick]gdevseesti.ru/vodafone_online/
[donotclick]gf-58.ru/telekom_deutschland/
[donotclick]gf-58.ru/volksbank_eg/
[donotclick]goodwebtut.ru/fiducia/
[donotclick]goodwebtut.ru/telekom_deutschland/
[donotclick]goodwebtut.ru/vodafone_online/
[donotclick]mnogovsegotut.ru/fiducia/
[donotclick]uiuim.ru/fiducia/

The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:
5.254.96.240
gf-58.ru
uiuim.ru
okkurp.ru
gdevseesti.ru
goodwebtut.ru
mnogovsegotut.ru
185.5.55.75
gossldirect.ru
dshfyyst.ru

Update: this appears to be Cridex aka Feodo, read more.

Tuesday 13 August 2013

Pharma sites to block

These fake pharma sites and IPs seem related to these malware domains, and follows on from this list last week.

31.184.241.32 (Petersburg Internet Network, Russia)
46.29.18.176 (Sprint SA, Poland)
61.57.103.241 (Taoyuan TBC, Taiwan)
61.133.234.105 (Haidong Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.95 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithunia)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithunia)
197.231.210.165 (Inspiring Networks LTD, Seychelles)
199.180.100.82 (PEG TECH INC, US)
199.180.100.85 (PEG TECH INC, US)

Recommended blocklist:
31.184.241.0/24
46.29.18.176
61.57.103.241
61.133.234.105
91.199.149.0/24
91.204.162.0/24
91.216.163.92
185.5.99.145
185.8.106.161
197.231.210.165
199.180.100.82
199.180.100.85
0xm0v3t1.mediastoreplus.com
17z2h9ue.mediastoreplus.com
1dsnx7pjs.mediastoreplus.com
2hdija03.mediastoreplus.com
2pillsonline.com
353.mediastoreplus.com
3qtpidpzlw.mediastoreplus.com
4ow5mu5.mediastoreplus.com
53zx71we.mediastoreplus.com
6gi.mediastoreplus.com
7boma.mediastoreplus.com
7umio9jjc.mediastoreplus.com
8hk0oib.mediastoreplus.com
8vi8.mediastoreplus.com
androidrugstoretablet.com
b6m0z.mediastoreplus.com
benedictaselie.com
bidh.ru
biotechealthcarepills.pl
boschmedicaremeds.com
briannecarlotta.com
b-wfkif3p.mediastoreplus.com
canadaipad.com
canadiancanada.com
coopaq.ru
danyetteeaster.com
dehxqc.elut.ru
dieein.com
dietrxhcg.com
dl6xmehg.mediastoreplus.com
drugslnessmedicine.com
drugstorepillsdrugs.com
drugstorepillwalgreens.com
dysm.ru
eyg.mediastoreplus.com
fvecare.com
gtyktdli.com
hece.ru
herbalburdette.com
herbalpillecstasy.com
htta.ru
inningmedicare.com
inningmedicare.pl
jdok.mediastoreplus.com
joam.ru
jsp0.mediastoreplus.com
jvtbkpmtkv.mediastoreplus.com
kaleic.ru
knei.ru
kxh.mediastoreplus.com
l3l1h.mediastoreplus.com
laug.ru
li2.mediastoreplus.com
mbid.ru
medicaidarmedicare.com
medicaretabletandroid.com
medicinetabletsurface.com
medopioid.pl
menono.ru
menutabmed.com
mwpzi.mediastoreplus.com
myviagragenerics.pl
n3zb4o5u9.mediastoreplus.com
nexuslevitra.com
nispw96.mediastoreplus.com
oshu.ru
patientsviagramedicare.com
pharmedtransplant.com
pharmreit.com
pharmysmartrend.com
pilldrugprescription.net
pillsstreetinsider.com
prescriptioncarecenter.com
prescriptionmedicinepatients.com
prescriptionmedwalgreen.com
qgb7zxj.mediastoreplus.com
quzkobeox.com
ruld.ru
rxdrugspills.ru
rxnicu.com
rzu1b.mediastoreplus.com
s5bw.mediastoreplus.com
shelbieleni.com
sieh.ru
skah.ru
tabcialbenghazi.com
tabherbalsummary.com
thegenericsprescription.com
torontocanadapharm.com
torontotab.pl
us0cyezkn.mediastoreplus.com
viagramedicaid.com
viagramedicineveterinary.com
viagramedicineveterinary.pl
vsn268zo3.mediastoreplus.com
w5lpytop.mediastoreplus.com
weightdietpharm.com
welnesslevinikita.com
welnessnsmt.com
wpakq.mediastoreplus.com
wroo.ru
ya3zwmrmgk.mediastoreplus.com
zva4p7457.mediastoreplus.com
zwig.ru

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communcations, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithunia)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Wednesday 8 June 2011

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com


Registrant details are familiar and fake:

JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180
us

Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.