Sponsored by..

Showing posts with label Romania. Show all posts
Showing posts with label Romania. Show all posts

Friday 9 October 2015

Malware spam: "Your latest DHL invoice : MSE7396821" / "e-billing.uk1@dhl.com"

This fake invoice spam is not from DHL, but is instead a simple forgery with a malicious attachment:

From:    e-billing.uk1@dhl.com
Date:    9 October 2015 at 09:54
Subject:    Your latest DHL invoice : MSE7396821



THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY

Dear Customer,

Please find attached your invoice in DOC format, dated 09/09/2015 for shipments and services supplied by DHL Express.

If you would like to download your invoice in a different format, click here to go to the DHL e-Billing website. You can also view your account details and on line invoice history here.

In the event of a problem with opening the attachment, please contact the e-Billing support team on 020 8831 5363 for assistance.

If you would like to verify the digital signature on this invoice, click here to go to the DHL e-Billing website and go to the FAQ section for instructions.

For all invoice content related queries, please contact 08442 480 777.

We look forward to receiving your payment in due course, and within the agreed credit terms as stated on your invoice.

We would like to thank you for using the services of DHL Express.

With kind regards,

The DHL e-Billing team


PROTECT YOUR PASSWORD

In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55. This contains a malicious macro [pastebin] which downloads a file from the following location:



flexicall.co.uk/fsf4fd32/8ik6sc.exe

There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54. That VirusTotal report, this Malwr report and this Hybrid Analysis report show network traffic to:

86.105.33.102 (Data Net SRL, Romania)

I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan.

MD5s:
79b6080e3c2de566ee7c284a64f62a40
31f6d50a5757d5b5ba24a6f5dab01567

Friday 8 August 2014

"Security concern on your AmericanExpress Account" spam

This fake AmEx spam appears to lead to a phishing site on multiple URLs:

From:     American Express [AmericanExpress@welcome.aexp.com]
Date:     24 July 2014 10:35
Subject:     Security concern on your AmericanExpress Account   

Dear Customer:

We are writing to you because we need to speak with you regarding a security concern on your account. Our records indicate that you recently used your American Express card on August 8, 2014.

For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.

To secure your account , please click log on to : http://americanexpress.com

Your prompt response regarding this matter is appreciated.

Sincerely,

American Express Identity Protection Team   
   
Please do not reply to this e-mail. This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.

Contact Customer Service | View our Privacy Statement | Opt Out

This email was sent to [redacted].

American Express Customer Service Department
P.O. Box 297817 | Ft. Lauderdale, FL 33329-7817

2014 American Express Company. All rights reserved.

In this case the link goes to a phishing site at anerican-fortress.com/americanexpress/ but there seem to be a bunch of them at the moment:

anerikan-regress.com/americanexpress/
american-progrecs.com/americanexpress/
anerican-fortress.com/americanexpress/
amerikan-sunfacess.com/americanexpress/

IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)

I recommend blocking these IPs (
91.219.29.35
188.240.32.75

Thursday 13 March 2014

Sky.com "Statement of account" spam

This fake Sky.com email comes with a malicious attachment:

Date:      Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the December invoice as this is now due for
payment.

Regards,
Carmela

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.
Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50. Automated analysis tools [1] [2] [3] show attempted connections to the following domains and IPs:

188.247.130.190 (Prime Telecom SRL, Romania)
gobemall.com
gobehost.info

184.154.11.228 (Singlehop, US)
terenceteo.com

184.154.11.233 (Singlehop, US)
quarkspark.org

The two Singlehop IPs appear to belong to Host The Name (hostthename.com) which perhaps indicates a problem at that reseller.

Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall.com
gobehost.info
terenceteo.com
quarkspark.org

Friday 21 February 2014

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131

Thanks to @Techhelplistcom for the heads up on this little mystery..



It all starts with a spam evil (described here)..

The link goes to a URLquery report that seems pretty inconclusive,  mentioning a URL of [donotclick]overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs.com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set.

As Techhelplist says, set the UA to an Android one and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno.name)
[donotclick]mobile.downloadadobecentral.ru/FLVupdate.php  then to
[donotclick]mobile.downloadadobecentral.ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk

3NT Solutions / inferno.name is a known bad actor and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket.

FlashUpdate.apk has a VirusTotal detection rate of 22/47, but most Android users are probably not running anti-virus software. The Andrubis analysis of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster.com.

It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.

Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
overcomingthefearofbeingfabulous.com

UPDATE 2014-05-25: Note that overcomingthefearofbeingfabulous.com has been cleaned up and appears to be no longer compromised.

Tuesday 21 January 2014

Something evil on 5.254.96.240 and 185.5.55.75

This malware attack appears to be aimed at German speakers, and is presumably spreading through spam although I don't have a sample of the email message. What I do have is a nasty EXE-in-ZIP payload that masquerades as a bill or other communication from Deutsche Telekom, Vodafone, Fiducia or Volksbank.


URLquery shows one such download in this example, the victim has been directed to [donotclick]gf-58.ru/telekom_deutschland which in turn downloads a ZIP file Rechnungsruckstande_9698169830015295.zip which in turn contains a malicious executable Mitteilung, Rechnungsruckstande 9901169820005294 Telekom Deutschland GmbH vom Januar 2014.exe which has a VirusTotal detection rate of 7/48.


The malware is downloaded from a server at 5.254.96.240 (Voxility, Romania). Sample URLs on this server (according to URLquery and VirusTotal) are:

[donotclick]gdevseesti.ru/telekom_deutschland/
[donotclick]gdevseesti.ru/vodafone_online/
[donotclick]gf-58.ru/telekom_deutschland/
[donotclick]gf-58.ru/volksbank_eg/
[donotclick]goodwebtut.ru/fiducia/
[donotclick]goodwebtut.ru/telekom_deutschland/
[donotclick]goodwebtut.ru/vodafone_online/
[donotclick]mnogovsegotut.ru/fiducia/
[donotclick]uiuim.ru/fiducia/

The Anubis report and ThreatExpert report [pdf] show that the malware calls home to dshfyyst.ru on 185.5.55.75 (UAB "Interneto vizija", Lithunia). There are some other suspect sites on the same server which may be worth blocking (see below).

All these sites are .ru domains registered to the infamous "Private Person" so there are no clues as to their ownership.

Recommended blocklist:
5.254.96.240
gf-58.ru
uiuim.ru
okkurp.ru
gdevseesti.ru
goodwebtut.ru
mnogovsegotut.ru
185.5.55.75
gossldirect.ru
dshfyyst.ru

Update: this appears to be Cridex aka Feodo, read more.

Monday 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.

24.111.103.183 (Midcontinent Media, US)
42.121.84.12 (Aliyun Computing Co, China)
59.99.226.17 (BB-Multiplay, India)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
62.141.46.8 (fast IT, Germany)
65.189.35.129 (Time Warner Cable, US)
67.207.155.24 (Rackspace, US)
69.163.40.39 (DirectSpace LLC, US)
71.91.8.200 (Charter Communications , US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
108.206.235.75 (AT&T, US)
109.71.136.140 (OpWan, France)
112.124.27.158 (Alibaba Advertising Co, China)
125.20.14.222 (Price Water House Cooperation, India)
146.185.147.26 (Digital Ocean, Netherlands)
165.132.27.59 (Yonsei, Korea)
176.56.228.134 (Routelabel / WeservIT, Netherlands)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
195.225.58.43 (C&A Connect SRL, Romania)
198.71.82.48 (Enzu Inc, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
222.127.21.35 (Network IP, Philippines)
223.30.27.251 (Sify Limited, India)

24.111.103.183
42.121.84.12
59.99.226.17
60.199.253.165
62.141.46.8
65.189.35.129
67.207.155.24
69.163.40.39
71.91.8.200
78.100.140.171
81.91.159.212
103.28.255.207
108.206.235.75
109.71.136.140
112.124.27.158
125.20.14.222
146.185.147.26
165.132.27.59
176.56.228.134
186.3.101.235
186.151.240.197
186.251.180.205
195.225.58.43
198.71.82.48
208.115.114.69
211.71.99.66
222.127.21.35
223.30.27.251
acomboramboarmiab722.net
acormushkivsenamizv992.net
altertraveldream.com
ampala.net
attitude.su
autodlakobiety.net
avasdayspa.net
beo.su
bnamecorni.com
catdigest.net
cormoviedobavkikemm200.com
cormoviedobavkitenn100.com
cremoviedobavkimoj53.net
cronshtainymorenah55.net
crovlianemoyaahule52.net
diggingentert.com
dotier.net
dropdistri-butions.net
dulethcentury.net
eeemoskoymany560.com
ejanormalteene250.com
enanisgotttornee564.com
ermirovaniedoom153.com
ermirovanienony151.com
ermirovanievood152.com
excelledblast.net
fertsonline.net
gjoonalitikeer310.com
glums.net
gormonigraetnapovalahule26.net
grndstyle.ru
groove.su
hdmltextvoice.net
idersnonvirus.com
instotsvin.ru
introlinkage.com
lodanart.net
micnetwork100.com
mobile-unlocked.net
mymulejams.net
nokiasharethelove.net
nvufvwieg.com
ollerblogging.net
ordersdeluxe.com
primthaispa.net
pro-senioren.net
rentimpress.com
robberypolice.net
rojecttalkway.com
rolotto.net
scoutmoor.net
securesmartconnect.net
servidorestable.net
simplesso.com
skather.net
smartsecureconnect.net
smdserver.net
spottingculde.com
streetgreenlj.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
tumble.su
u-janusa.net
uprisingquicks.net
vip-proxy-to-tor.com
whosedigitize.net
wingsawards.net
workathomeuk.net

Tuesday 23 July 2013

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang.  As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobitel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati  IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central , Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications , Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

Tuesday 16 July 2013

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Thursday 20 June 2013

ADP spam / planete-meuble-pikin.com

This fake ADP spam leads to malware on planete-meuble-pikin.com:

Date:      Thu, 20 Jun 2013 07:12:28 -0600
From:      EasyNetDoNotReply@clients.adpmail.org
Subject:      ADP EasyNet: Bank Account Change Alert

Dear Valued ADP Client,

As part of ADP's commitment to provide you with exceptional service, ADP is taking additional steps to ensure that your payroll data is secure. Therefore, we are sending you this e-mail as a security precaution to confirm that you have added or changed a bank account for the following employee(s) on your account:

** Dominic Johnson **
** Ayden Campbell **

Use this links to: Review or Decline this changes.

If you have not made and authorized this bank account change, please contact your ADP Service Team immediately.

This security precaution is another reason why so many businesses like yours choose ADP, the world's leading payroll provider for over 60 years, to handle their payroll.
Sincerely,

Your ADP Service Team

This e-mail comes from an unattended mailbox. Please do not reply.
The link in the email goes through a legitimate but hacked site and end up on a malware landing page at [donotclick]planete-meuble-pikin.com/news/network-watching.php (report here) hosted on:
173.254.254.110 (Quadranet, US)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.147.61.250 (Universidad Rey Juan Carlos, Spain)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET, Pakistan)

Recommended blocklist:
173.254.254.110
190.93.23.10
193.147.61.250
193.254.231.51
202.147.169.211
appasnappingf.com
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
ghroumingoviede.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
jetaqua.com
joinproportio.com
multipliedfor.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
pc-liquidations.net
planete-meuble-pikin.com
pnpnews.net
profurnituree.com
reportingglan.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winne2000.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
www.condalinarad72234652.ru


Tuesday 18 June 2013

UPS Spam / rmacstolp.net

This fake UPS spam leads to malware on rmacstolp.net:

Date:      Tue, 18 Jun 2013 01:21:34 -0800 [05:21:34 EDT]
From:      UPSBillingCenter@upsmail.net
Subject:      Your UPS Invoice is Ready

UPS Billing Center
   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view your paid invoice.



Questions about your charges? To get a better understanding of surcharges on your invoice, click here.


Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

© 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS


The link in the email goes through a legitimate hacked site but then ends up on a malicious payload at [donotclick]rmacstolp.net/news/fishs_grands.php (report here and here). The payload appears to be the Blackhole Exploit kit, but the site seems to be either not working or (more likely) is being resistant to analysis.

If not called properly, the malware appears to serve up random payload pages.. I think they may be fake ones to evade detection. Here are some of them:
[donotclick]shop.babeta.ru/ftyxsem.php
[donotclick]kontra-antiabzocker.net/cpdedlp.php
[donotclick]www.cyprusivf.net/iabsvkc.php
[donotclick]clubempire.ru/ayrwoxt.php
[donotclick]artstroydom.com/rwlqqtq.php
[donotclick]www.masthotels.gr/ysmaols.php

rmacstolp.net is hosted on the following IPs:
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
202.147.169.211 (LINKdotNET Telecom Limited, Pakistan)

Recommended blocklist:
186.215.126.52
190.93.23.10
193.254.231.51
202.147.169.211
balckanweb.com
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
diamondbearingz.net
drivesr.com
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
ergopets.com
ermitajohrmited.ru
federal-credit-union.com
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gromimolniushed.ru
gurieojgndieoj.ru
haicut.com
jetaqua.com
nipiel.com
oxfordxtg.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
profurnituree.com
rmacstolp.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
televisionhunter.com
teszner.net
theislandremembered.com
trleaart.net
usforclosedhomes.net
winudpater.com
ww2.condalinneuwu5.ru
ww2.gnunirotniviepj.ru
zurcherarchitectz.com


Wednesday 12 June 2013

BBB Spam / trleaart.net

This fake BBB spam with a "PLAINT REPORT" (sic) leads to malware on trleaart.net:

From: Better Business Bureau [mailto:rivuletsjb72@bbbemail.org]
Sent: 11 June 2013 18:04

Subject: Better Business Beareau Complaint ¹ S3452568
Importance: High

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser

Better Business Bureau ©
Start With Trust
Tue , 11 Jun 2013
Issue N. S3452568
The Better Business Bureau has been booked the above said claim letter from one of your customers in respect of their dealings with you. The detailed description of the consumer's trouble are available visiting a link below. Please pay attention to this matter and inform us about your mind as soon as possible.
We amiably ask you to open the PLAINT REPORT to answer on this claim.
We awaits to your prompt response.
Faithfully yours
Daniel Cox
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3083   Wilson Blvd, Suite 600   Arlington, VA 25301
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
  
This information was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link goes through a legitimate hacked site and end up with a malware landing page on [donotclick]trleaart.net/news/members_guarantee.php (report here) hosted on the following IPs:


160.75.169.49 (Istanbul Technical University, Turkey)
186.215.126.52 (Global Village Telecom, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)

This network of evil sites is rather large and I haven't had the time to look at it closely, but in the meantime here is a partial blocklist:
160.75.169.49
186.215.126.52
190.93.23.10
193.254.231.51
abacs.pl
balckanweb.com
biati.net
buyparrots.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
federal-credit-union.com
freemart.pl
genown.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
icensol.net
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
ludena.ru
mantuma.pl
mortolkr4.com
myhispress.com
nipiel.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
relectsdispla.net
safe-browser.biz
safe-time.net
smartsecurityapp2013.com
sngroup.pl
televisionhunter.com
trleaart.net
twintrade.net
usforclosedhomes.net

Monday 13 May 2013

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach, else I would recommend blocking all the domains that are being abused:

01libertynet.fr.fo
0-film.com
100girlsfree.com
365conseils.net
4unblock.info
5becquet.fr.fo
6x0.fr
7eebr.com
8-cents.com
8cents.fr.fo
a2smadagascar.mg
abc-maroc.com
abcm-jeanpetit.eu
aberkane.org
abjworld.com
abkari.fr
abkaribrahem.com
abousajid.net
abshore.com
acabimport.fr
acajb.org
acgl-congo.com
acgl-congo.fr
achacunsoncartable.com
acl-africa.com
actionalternance.fr
activbold.com
acts42.fr
actu-assurance.com
actubuntu.fr.fo
actu-minecraft.com
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru

The full list of malicious domains that I can find are below, although I would not expect these to be comprehensive:
040071c6fea7a5bb.365conseils.net
040071c6fea7a5bb01510713050515418167059c09c0824647b0d28469f9a86.365conseils.net
0433a1152ec475d801921313051101474089711298c7e6a1fd7545bc5552d41.achacunsoncartable.com
0433a1152ec475d811601613051104237096368adea8ce55a82f4544fbc01c0.achacunsoncartable.com
0488a1ee2eff75e301425213050201233048184bab90de52abca095e43c0e9e.0-film.com
04bb718dfefca5e0.5becquet.fr.fo
04bb718dfefca5e001607913050610062053256cc4d0ecce785bc8e30493292.5becquet.fr.fo
04cc71bafe5ba5470150421305111855518829847e724828b3c53aec8153583.acts42.fr
157790811f40445c.acajb.org
157790811f40445c01601013051008229123947a4ec000bad7503601a8b8345.acajb.org
157790811f40445c016138130510070780741784317a42a2bccfff6c9b9b979.acajb.org
157790811f40445c019162130510065681946385f315786814d0cea69ce8664.acajb.org
15bba06d2f1c7400.6x0.fr
15bba06d2f1c740001620213050615286119192adfefaf19e4e8a5586a6dd7e.6x0.fr
15ff3069bf78e464.01libertynet.fr.fo
15ff3069bf78e4640110311305011655920288060206a1a1261478459ff3e75.01libertynet.fr.fo
15ff3069bf78e4640142371305011633812870254adfea351ba45ccd84b6ed9.01libertynet.fr.fo
15ffa0792ff874e4.8-cents.com
15ffa0e92f18740401401013051215157128702d9606903880327e698feccbe.actu-minecraft.com
15ffa0e92f1874040141021305121800510682957d930ed7606e94e5678e741.actu-minecraft.com
15ffa0e92f187404014185130512171461299704fdc6792b87c632c2dc8ea0b.actu-minecraft.com
260093561ce747fb.abousajid.net
260093561ce747fb0140101305091529613535950ae91792a9d74ca508e99ad.abousajid.net
260093561ce747fb01603113050915274112535b852cc96df15044d0c5bab97.abousajid.net
26bb633dec4cb75001620213050607357124264d8f6315b9f394ea624df9b66.4unblock.info
26bb633dec4cb75011613913050607052045014adf4c310b3e0bdc47f2861d7.4unblock.info
26bb633dec4cb750116139130506075451302874ade020351e0c39fd5a78c27.4unblock.info
26cc33cabc2be737.actionalternance.fr
26cc33cabc2be73701612213051111086088443c09a6c2cac05c63f7129fe6a.actionalternance.fr
26cc33cabc2be73711601013051110582102074d8f6315c81c1d1cdcd96f60e.actionalternance.fr
26ff93b91cb847a4.100girlsfree.com
26ffa3892c787764019185130512123091695955dc240716cf6878a05b14ee3.actu-minecraft.com
378852cedd4f8653015013130507031910377234406e79b09f6cd6bc3f531b4.8-cents.com
3788a28e2d1f760301404913050802257090662bc33361ff65bce2fa3130839.8cents.fr.fo
40bb751dfa9ca180.8-cents.com
517794411bd040cc.100girlsfree.com
620007168887d39b0141851305072124915913454b8c0a26fb88da3bde7a868.8-cents.com
620007168887d39b01918513050722262103342525b024b1b95bf7573a67195.8-cents.com
623307c58864d378.abc-maroc.com
62333795a894f38801400913051305512080201a47fe7464fbbe561520e01bc.actu-minecraft.com
62333795a894f38801603113051303131041527adf4c310ff3253949005312c.actu-minecraft.com
62446762e8c3b3df.a2smadagascar.mg
62ff57f9c8f893e4.actu-minecraft.com
7344966219c342df.aberkane.org
73cca65a29eb72f7.abshore.com
73cca65a29eb72f701512413050919272107463ccba6e6189fc6986eb8f2d7c.abshore.com
73cca65a29eb72f701601013050919063097002c09c2522cddbf7f407171835.abshore.com
73ff2629a9d8f2c4.actu-minecraft.com
73ff2629a9d8f2c4014010130512092430878098d3a2e5e755dff1f2afa2bf8.actu-minecraft.com
73ffc65949981284.100girlsfree.com
8c443932b693ed8f11601013050822381104927d18d35b903767ba446417aca.aberkane.org
8cffe9c966783d64.abkaribrahem.com
8cffe9c966783d6401401013050909354101757b20d50dc4a53c3f60028ce42.abkaribrahem.com
8cffe9c966783d64015129130509101070859078f510042f6ec44d7e433dae2.abkaribrahem.com
9d3358f5d7848c98.7eebr.com
9d3358f5d7848c9801120213050617401078933d8645f3e106c2cfc1598a843.7eebr.com
9d7718418740dc5c.actu-minecraft.com
9d77b8b137606c7c.acgl-congo.fr
9d77b8b137606c7c01512913051017572124898c056644eb855f5a4b166d2b9.acgl-congo.fr
9d88a81e27af7cb3.abkaribrahem.com
9dbb984d17cc4cd01160101305062232917783743db39d1cf46f37b436dd266.8-cents.com
9dbbb80d37ac6cb0015186130508121671023918f51f80188036111f6dc1f72.a2smadagascar.mg
aeff6b49e4a8bfb4015258130512004781489908ea4b42446e65516bff5ab95.actu-assurance.com
aeff6b49e4a8bfb411601613051200491038674c7b4814aa786570ce3c5098f.actu-assurance.com
bf008a6605f75eeb014010130507173520947835ffc0f0fb081b68065c7e066.8-cents.com
bf008a6605f75eeb01412613050720045090345594f60a636367054ee54e604.8-cents.com
bf33fa7575d42ec8.abc-maroc.com
bf33fa7575d42ec801401013050814009075129bad428136689be7a7da2e9cb.abc-maroc.com
bf33fa7575d42ec8014086130508152020843224d40b5b7505fae9f56aea685.abc-maroc.com
bf33fa7575d42ec801510713050813215101440d61264b31e2cab4662a78b84.abc-maroc.com
bf33fa7575d42ec8016010130508150860906628cb9bce1fcee0c3f22846b31.abc-maroc.com
bf77da9155000e1c.100girlsfree.com
bfbbfaed65ec3ef0.100girlsfree.com
bfccba4a359b6e87.acgl-congo.com
bfccba4a359b6e87014075130510163331172904d4082d81aa81553b5898a2f.acgl-congo.com
bfccba9a259b7e87014010130512212151534285c4d64918e520db9a4a99c7a.actu-minecraft.com
c833cdf542641978.8-cents.com
c833cdf54264197801423713050716106092564c3e2cfb86aac81596dd164e8.8-cents.com
c833cdf542641978019037130507161140855905a1d39c59b9e2e19868866db.8-cents.com
c833fd7572942988014075130511135972133414d40dcf123ee454bb96f2478.activbold.com
c8777de1f220a93c.acajb.org
c8777de1f220a93c014237130510094241134864ffcf0d244b3e0d591c517c2.acajb.org
c8777de1f220a93c114181130510110690897115be0c137c3bfca9956675ebe.acajb.org
c8778d3102a059bc.100girlsfree.com
c8bbfd5d72ec29f0.100girlsfree.com
c8cc1d7a928bc997.actu-minecraft.com
c8cc1d7a928bc9970160931305121954723299543db39d15a4534253bd539f9.actu-minecraft.com
c8cc2deaa26bf977.8-cents.com
c8cc2deaa26bf97701112913050712338147722412926bcc5c4907c1308b240.8-cents.com
c8cc2deaa26bf9770140251305071408106561954a1b95da26542af79a4589c.8-cents.com
c8cc2deaa26bf977016185130507134131011234162579342dbc1f47b4f7fd2.8-cents.com
c8ff1d1992d8c9c4.acgl-congo.com
c8ff1d1992d8c9c401410113051011536170546863d58f33f68331b59ea7c90.acgl-congo.com
c8ff1d1992d8c9c401502213051013158117290d619001d01efd2a3e1b3f29b.acgl-congo.com
d900ac1623d778cb.acabimport.fr
d9442c22a383f89f01408613050902089060547bb26d67892ae078d34f997c1.abjworld.com
d9772c61a390f88c.100girlsfree.com
d9777cd1f360a87c.abkari.fr
d9bb3cfdb36ce870.8cents.fr.fo
d9cc9c8a137b4867.actubuntu.fr.fo
ea003fc6b017eb0b.acl-africa.com
ea003fc6b017eb0b0140551305110632611348655c9f49488e5a4ecb8292208.acl-africa.com
ea33af4520847b9811601013051002514098270cc4d0ed8f39b52f8e725fadc.acabimport.fr
ea776f71e0c0bbdc.abkari.fr
ea776f71e0c0bbdc01401013050912097090662863d2ab4a57e7f0a96b25cf1.abkari.fr
ea776f71e0c0bbdc01920213050913332090345d02caa653dae6865511b8036.abkari.fr
ea885f2ed0bf8ba301620213050804177079250c7c38ecdab30e8e836a60be8.8cents.fr.fo
ea885f2ed0bf8ba301620213050804285084005d073cf45420d7a00dd3d73a2.8cents.fr.fo
ea885f2ed0bf8ba311601013050802399148356d812e2a73d403f9c106d463c.8cents.fr.fo
ea886f6ee0efbbf3.8-cents.com
eacc6f4ae0ebbbf7.abcm-jeanpetit.eu
eacc6f4ae0ebbbf701401013050819143098587bcc05684f8eaabdbf34aacb5.abcm-jeanpetit.eu
eacc6f4ae0ebbbf7014098130508182081375786dd748438ddc6d700470919b.abcm-jeanpetit.eu
eacc6f4ae0ebbbf711601013050818299170546cc4d0ecc24766a4257413c24.abcm-jeanpetit.eu
fbbb6e6de11cba00.5becquet.fr.fo
fbbb6e6de11cba0011601013050614153074812c6661d86385ba30356756c7e.5becquet.fr.fo
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru

Friday 21 December 2012

Malware sites to block 21/12/12

There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection machanism appears to be coming from an unidentifiedad running on the centerblog.net blogging system (I think specifically [donotclick]zezete2.centerblog.net/i-247-136-1356095651.html)

The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)

[donotclick]svwlekwtaign.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/

[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.

avigorstats.pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan, but this is just the tip of a huge iceberg of malicious IPs and domains that are all interconnected.

Let's start with my personal recommended blockist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for for copy and pasting)..

Recommended blockist (annotated):

5.39.121.18 (OVH, Ireland)
5.135.20.2 (OVH, France)
5.135.67.144/28 (MMuskatov / OVH, Belgium)
5.135.67.192/28 (MMuskatov / OVH, Czech Republic)
5.135.97.6 (OVH, Ireland)
5.135.204.16/28 (Shah Sidharth / OVH, Ireland)
5.135.218.32/27 (Shah Sidharth / OVH, France)
5.135.223.96/27 (Shah Sidharth / OVH, France)
5.199.172.0/22 (BALTICSERVERS, Lithunia)
37.9.53.0/24 (Sheludyak-NET, Russia)
37.221.170.88 (Voxility, Romania)
46.28.71.68 (UA Servers, Ukraine)
46.105.102.18 (OVH, France)
46.235.8.175 (Teknik Data Internet Teknolojileri San.Tic.Ltd. Sti., Turkey)
46.249.42.0/24 (Serverius Holding, Netherlands)
62.76.40.0/21 (Rosniiros, Russia)
62.76.176.0/22 (Rosniiros, Russia)
62.76.180.0/24 (Rosniiros, Russia)
62.76.184.0/21 (Rosniiros, Russia)
62.109.0.0/21 (The First, Russia)
62.122.74.0/23 (Leksim, Poland)
63.247.91.188 (Global Net Access, US)
64.120.193.0/24 (HostNOC, US)
78.140.135.128/25 (Webazilla, Gibraltar)
84.200.77.204 (Misterhost, Germany)
85.17.92.146 (Leaseweb, Netherlands)
85.143.166.0/24 (Pirix, Russia)
88.198.30.19 (Hetzner, Germany)
91.201.214.0/23 (PS Internet, Kazakhstan)
91.211.116.0/22 (Zharkov Mukola Mukolayovuch, Ukraine)
91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.231.156.0/24 (Sevzapkanat-Unimars, Russia)
91.232.29.70 (Realon Service LLC, Ukraine)
91.235.128.0/23 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
91.238.83.0/24 (Standart LLC, Moldova)
91.243.115.0/24 (Aztec, Russia)
92.46.62.128/25 (Shevchenko Sergey, Kazakhstan)
93.170.13.4 (Alfa Telecom, Czech Republic)
93.170.128.253 (Alfra Telecom, Russia)
95.211.199.34 (Leaseweb, Netherlands)
108.163.188.250 (iWeb, Canada)
142.0.37.60 (VolumeDrive, US)
142.54.183.96/27 (Datashack, US)
146.185.255.0/24 (Petersburg Internet Network Ltd, Russia)
151.248.116.54 (Reg.ru, Russia)
178.162.134.128/26 (Silin-Vitaly-Petrovich, Belarus)
178.162.147.111 (Leaseweb, Germany)
184.82.222.126 (HostNOC, US)
184.82.222.127 (HostNOC, US)
185.4.227.42 (Sayfa.NET, Turkey)
188.93.211.114 (Logol, Russia)
188.190.127.118 (Infium LTD, Ukraine)
188.208.32.0/23 (Ch-net Srl, Romania)
193.107.16.0/22 (Ideal Solution Ltd, Seychelles)
194.62.233.0/24 (Stils Grupp, Russia)
195.3.145.45 (RN Data, Latvia)
195.3.145.51 (RN Data, Latvia)
195.20.141.0/24 (Sigma Ltd, Russia)
195.138.240.0/21 (Creative Telematics & Trade s.r.o., Czech Republic)
198.49.66.159 (Hostdime, US)
198.147.22.69 (Front Range Hosting, US)
199.231.210.231 (Enzu Inc, US)
206.212.240.202 (Colostore, US)
206.212.240.206 (Colostore, US)
206.222.17.136/29 (XLHost, US)
208.88.226.230 (WZ Communitions, US)
208.88.226.231 (WZ Communitions, US)
217.23.11.103 (Worldstream, Netherlands)
217.23.15.110 (Worldstream, Netherlands)

Recommended blockist (Plain list):

5.39.121.18
5.135.20.2
5.135.67.144/28
5.135.67.192/28
5.135.97.6
5.135.204.16/28
5.135.218.32/27
5.135.223.96/27
5.199.172.0/22
37.9.53.0/24
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.10/24
62.76.40.0/21
62.76.176.0/22
62.76.180.0/24
62.76.184.0/21
62.109.0.0/21
62.122.74.0/23
63.247.91.188
64.120.193.0/24
78.140.135.128/25
84.200.77.204
85.17.92.146
85.143.166.0/24
88.198.30.19
91.201.214.0/23
91.211.116.0/22
91.220.131.0/24
91.231.156.0/24
91.232.29.70
91.235.128.0/23
91.238.83.0/24
91.243.115.0/24
92.46.62.128/25
93.170.13.4
93.170.128.253
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.96/27
146.185.255.0/24
151.248.116.54
178.162.134.128/26
178.162.147.111
185.4.227.42
188.93.211.114
188.190.127.118
188.208.32.0/23
193.107.16.0/22
194.62.233.0/24
195.3.145.45
195.3.145.51
195.20.141.0/24
195.138.240.0/21
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.136/29
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Raw list of malicious IPs:
5.39.121.18
5.135.20.2
5.135.67.145
5.135.67.198
5.135.97.6
5.135.204.19
5.135.204.20
5.135.218.33
5.135.223.127
5.199.174.99
5.199.175.36
5.199.175.59
5.199.175.60
37.9.53.71
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.161
46.249.42.168
62.76.41.75
62.76.41.208
62.76.178.9
62.76.180.191
62.76.184.246
62.76.185.206
62.76.185.211
62.76.186.109
62.109.2.239
62.109.12.166
62.109.16.94
62.122.74.45
63.247.91.188
64.120.193.144
64.120.193.177
64.120.193.218
64.120.193.219
78.140.135.194
78.140.135.195
84.200.77.204
85.17.92.146
85.143.166.87
85.143.166.202
85.143.166.219
88.198.30.19
91.201.215.173
91.211.119.56
91.211.119.63
91.211.119.66
91.211.119.67
91.220.131.67
91.231.156.50
91.231.156.98
91.231.156.188
91.232.29.70
91.235.129.35
91.238.83.46
91.238.83.56
91.243.115.28
92.46.62.252
93.170.13.4
93.189.40.223
93.170.128.253
94.242.219.3
94.242.219.6
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.110
146.185.255.66
151.248.116.54
178.162.134.138
178.162.134.139
178.162.132.202
178.162.134.198
178.162.134.200
178.162.134.201
178.162.134.202
178.162.134.212
178.162.147.111
178.162.134.141
184.82.222.126
184.82.222.127
185.4.227.42
188.93.211.114
188.190.127.118
188.208.33.10
193.107.17.105
193.107.19.76
194.62.233.26
194.62.233.31
194.62.233.63
194.62.233.79
194.62.233.137
194.62.233.146
194.62.233.171
194.62.233.173
194.62.233.183
194.62.233.242
195.3.145.45
195.3.145.51
195.20.141.22
195.20.141.23
195.20.141.85
195.20.141.86
195.138.241.79
195.138.241.88
195.138.241.92
195.138.241.93
195.138.241.95
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.138
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Known malicious domains:
001dtbflutxcy.changeip.org
001vlcjibtwrh.changeip.org
002yfzwqyhhqi.changeip.org
003wceqzsouib.changeip.org
004wifxfqqelw.changeip.org
004wsragrwziy.changeip.org
005litvisulyl.changeip.org
005pqlvqwowvh.changeip.org
005szgfxyhyuf.changeip.org
006epphovwevl.changeip.org
006jowpvflxwu.changeip.org
006okqwhyklyg.changeip.org
007gydbgxftcl.changeip.org
007hppoqubtvs.changeip.org
007lvsqhpjtrd.changeip.org
008ftuuqluzoq.changeip.org
008rdzfkykqdv.changeip.org
009g.domaiinn.be
009kkuhgyrazq.changeip.org
009xxqqflqvec.changeip.org
010ipjzyqeuor.changeip.org
017bqelicwssl.changeip.org
020bedzycxryv.changeip.org
020qagbfqxtzq.changeip.org
021lkukzxbuuu.changeip.org
022xwsejqchre.changeip.org
023qrgoreztit.changeip.org
023zqpiblrfso.changeip.org
024vkaoabwhsf.changeip.org
025cldzpffyvl.changeip.org
026cocyjbhahg.changeip.org
027yzlofltfyp.changeip.org
16nnb7b.gm9.com
17vfdvr.gm9.com
2012-2013.org
3d27bc5173b799ec363ebb6a.mine.nu
42f0e25d8baf2c5df64842f5.merseine.nu
555flashpoker.com
555flashpoker.info
555flashpoker.me
555flashpoker.net
7domaindns.com
888flashpoker.com
888flashpoker.info
8domaindns.com
8xvideos-tube.com
8xvideos-tube.info
8xvideos-tube.mobi
a0246d72.mayhemavz.pro
a1000000.mayhemavz.pro
a2b3490dc28df6ec1db21d10.merseine.nu
aboutmailmerging.net
accelerationarrangement.info
acclaimny.pro
acquiringhawaiian.asia
addservice.flu.cc
adobestyledives.org
adriano-bull.com
adriano-bull.net
adsquatropower.com
adsquatropower.info
adsquatropower.net
adsquatropower.org
adventureslh.net
ae1830b97080c83176b59c94.mine.nu
af9b7985802bc09fb9e19663.merseine.nu
affairlikely.net
agegateguru.net
agelumosityroad.net
ahjlfmm.freewww.biz
ahzhfvfjn.freewww.biz
aimedmetaballs.org
airprintlacks.net
ajsuqhsq.freewww.biz
ajwvnwcm.freewww.biz
aktsf.freewww.biz
alhmzpxsdtj.net
altsjhin.mynumber.org
amountinterrupting.pro
analytics-djmusic-online.de
ananasert.cu.cc
anbab.freewww.biz
anti-carding.info
antivirusscleanuponly.info
approximatelyshopkeepers.net
appsfordefaultappear.pro
aqxetx.freewww.biz
archaicpatron.asia
areoperations.net
arltdbsg.freewww.biz
armiesboxes.info
arndlink.com
arny.nazleennoor.com
artilleryupgrading.com
asefeferea.uni.me
asifq.freewww.biz
asimuthstats.pro
associatesgymnastic.asia
astrotester.com
attataponger.ru
audiodevelop.net
auraletterandnumber.org
authoringtriplecore.net
autoplaycyberdrive.info
avenuerequests.net
avigorstats.pro
axis.lenuerry.com
bajoqavu.tk
ballfill.net
baltes.verikanam.com
barpoxert.cu.cc
basun.lenuerry.com
bathtubdanger.net
bazarafcantoscabiz.com
bctwqsgcu.freewww.biz
bdslength.net
beansreschedule.com
beautifullytriangulate.info
bedtimeroes.pro
begpkcd.freewww.biz
bellevident.pro
bestcountstat.com
bestlastnest.asia
besttipscars.info
beta.lenuerry.com
betterlookingflabby.org
bhrhrim.freewww.biz
bicyclesteachers.info
bicyclingsecondfastest.pro
bigprobivbig.net
billtrackerremoval.info
biosopers.pro
bioticshypermodular.org
bitsrentr.pro
bizon.verikanam.com
bkuoq.freewww.biz
blanki-basa.info
bliclink.com
blikke.verikanam.com
blogtoolonsteroidscreations.net
bmfield.pro
bmgdrive.net
bobodrive.info
bobson7ka.pro
bomba.bonocchio.com
brandnewtransfer.pro
brandsanalog.info
breakingretouching.net
bregfxul.mynumber.org
brighterintuitiveness.info
browsecomplaints.org
brtrampolines.biz
brustramestra.org
buenos-varilias.com
bufferlumia.info
bunat.verikanam.com
buttonjp.org
c446fe861bdb8a2bbea44022.merseine.nu
cakuxeco.tk
calderatextletting.net
campaignmanagementmoneys.info
candyruns.pro
cantothemebased.pro
canyoninstructed.net
capricioussample.info
carswhilestaff.biz
cassettesbeauty.org
caubqj.freewww.biz
cdsbandwidthsaving.info
cejinayu.tk
centurylogmeinnow.net
cfarcto.freewww.biz
cheapbiotics.info
cheche.jrm-enterprises.com
checklistearpiercing.net
chidedpointofinterest.pro
cilidep.tk
cityscaperollbacks.net
ciwabiha.tk
clackt.freewww.biz
clarificationspackages.info
classbasecamp.pro
clckllink.com
clean-service.info
clearlydefinedjr.net
click2click.pro
click4click.org
clipboardbarely.pro
closedeasy.net
cloudtalkepicture.info
cloutremote.asia
cmesrearranged.pro
cogsfeet.net
cohostedpareddown.pro
coincidentlyreduce.net
collaborativerationals.info
collectingtabletfriendly.info
collectionsbleeding.pro
combinedbecause.org
common.thebattleroyal.com
conductinability.net
consciousnessmobileoptimized.info
constructionverified.org
contentdeliveryworldwide.pro
contentnomasterwork.net
convenienceconclusions.org
conversionitlegendary.info
convertervocal.net
corantipursue.info
correspondingpchoused.net
counterattackaltercast.asia
courseworktitanium.net
coxmxvku.freewww.biz
creast.afkepock.com
crosscountrypertinent.info
crossingpivot.info
crustwatch.com
crytprodom.net
cullinghenry.pro
curmudgeonlowerquality.net
cutlongurls.com
cwnddazt.freewww.biz
czxsazzz.cu.cc
dapuyok.tk
darkroomimageport.info
data.fossilflour.org
datcikas.co.uk
dazzlingthirst.info
dbzptwxhm.freewww.biz
dc21.asia
dckikyas.1dumb.com
dcrriklc.freewww.biz
ddbnbmpt.freewww.biz
dealingcas.pro
delawareriveromainssinglwwerx.com
delivercdn.com
demonstratepowerfully.net
denialdeduplication.net
densepromissory.info
deomainssinglwwerx.net
departuresheettogo.asia
dependenciesusers.net
deraman.cu.cc
dereteweret.org
desreappear.pro
devicetantalized.pro
dialerseasoned.org
digitalbrio.net
digitalspointsstorys.net
disappointsultra.net
discoverleaving.net
disperseconceptdraw.net
districtagenda.net
dixoxupo.tk
diysweeper.net
dkpjumouz.mynumber.org
dns20number.org
dnsnum10.com
dnsnum11.com
dnsnum12.pro
dnsnum9.com
dnsnumber1.com
dnsnumber14.pro
dnsnumber15.pro
dnsnumber2.com
dnsnumber3.com
docktoolsthe.org
docstogolists.info
docxlassos.net
doggedmask.pro
domaincreations.info
domainjustmails.net
domainscingapurs.net
domainsgweate.net
domainsjinniks.net
domainsnetstatts.net
domainsplaylgtaxes.com
domainsplaylgtaxes.net
domainsrighbind.net
domainssinglargetaxes.net
domainssinglgirs.net
domainssinglsnet.info
domainssinglssin.info
domainssmiles43.net
domainsstressadd.com
domssingomangos.net
downloaderchippers.org
dqytgefar.freewww.biz
dragonocerusfluidity.info
dramaticmacromedia.info
drumspeedthrottled.pro
dunfe.lenuerry.com
durhamdirectory.net
dworddb.com
earnhardtphoto.info
earthnearness.pro
ecwlqx.freewww.biz
edrenbaton.mouseclickcentralization.info
edvbph.freewww.biz
ekvwynlse.freewww.biz
endgameaboveaverage.pro
engagegoto.com
englandcompared.info
enlargement4.pro
enthusiastmystery.net
epsconsisted.pro
esscer47emonyno.rr.nu
essentiallyrepresents.net
estheticsindianapolis.info
etritotube.me
etritotube.mobi
etritotube.net
everpresentoctave.net
evngiaca.freewww.biz
examiningstores.org
excludedsure.pro
execpragues.net
expansionletter.net
experimentalsatellitecommunicationsprojectlaunchedinindia.info
eyebrowsprefilled.pro
f8u5.asia
fabulouszen.net
fallokidor.org
fastgreendns.com
fastum.gm9.com
favorablestarted.pro
faxesworry.asia
fbjvbkjp.freewww.biz
featuresconverter.asia
fedrekpolik.org
feedbacvolcanoes.pro
fenoqere.tk
ffffoundbirthdate.org
fgjcctg.cu.cc
fhpbuqac.freewww.biz
fiendishtask.info
figuringdictating.net
fillinjabber.net
filmeducators.net
finddomainsdicr.net
finlandfires.info
flierstrusting.biz
floodedhomeplus.net
flrkcyoln.almostmy.com
flvagye.freewww.biz
flyport.nut.cc
foldersmodify.org
force.verikanam.com
formsbasedscreeners.asia
forum-pro-siski.info
frameratepekingese.pro
freeexpenditure.pro
frustratedrosetta.pro
fssdnk.freewww.biz
ftycik.freewww.biz
fulllengthunderdahl.info
gabon.lenuerry.com
gaepovzsdr.cu.cc
gainskeeper.asia
gamesduoswin9.info
gaplessaddremove.info
gduobyc.freewww.biz
gefilteheadway.pro
geographiccomplicating.net
germen.almostmy.com
gfydjpo.freewww.biz
ghanaembassyusa.com
ghostauthority.info
gitro.lenuerry.com
gkluyc.freewww.biz
global.usa.cc
gobangwriterson.com
godutegodozybat.org
goldclick.pro
good.timepiece-locator.com
googlenilesrt.net
governingjerk.org
gpuep.freewww.biz
grainscatching.net
grauezonen.com
grauezonen.net
greatctrlaltdel.pro
gretta.pcanywhere.net
gsshphwbn.freewww.biz
gttrle.freewww.biz
guaranteesroman.net
gwqpx.freewww.biz
gybphqhwf.mynumber.org
gyukrmmw.itsaol.com
halfdozendesktop.asia
hanskohlerltd.com
hanskohlerltd.net
harddrivedeepens.pro
hatsvisuals.org
haventons.org
hazardstweet.pro
hcsqhop.freewww.biz
hearingcertificate.info
heartshapedradiosity.info
heatcycle.asia
hecticearning.pro
heellowtech.pro
hellousers.mobimexa.ro
hesdr.org
highflyingmotivates.info
highresfunnel.pro
hihuvay.tk
hjtqfai.freewww.biz
hjxynh.freewww.biz
hkect.freewww.biz
hmirsdwqo.freewww.biz
hmqth.freewww.biz
hobbjnlji.freewww.biz
hocblockable.pro
homegrownphonetic.pro
hoopsvibrate.pro
hornyfile.net
hotelspecificvocalization.info
hreflnk.com
hugo.lenuerry.com
hutren.lenuerry.com
ibbyqkp.freewww.biz
iccyrgfh.mynumber.org
icebergsorts.info
ictrnr.freewww.biz
ifuzlt.freewww.biz
ihazalittleknob.us
ihrtytw.freewww.biz
iirrack.org
ijkguxk.freewww.biz
ikles.lenuerry.com
imanagepooka.pro
imapscans.info
imationbones.net
img.buchananjenkinshyundai.com
img.centralfloridahyundaidealers.com
img.centralfloridaunder10grandautos.com
img.zeitersseptics.com
img.zsuinc.com
impactrelease.pro
importslatenot.info
imrkcm.freewww.biz
incompatiblechoice.info
indocumentgunning.info
infostartbizcher.net
innetrecordf.net
installerhappens.com
intelextraction.org
interesting.moneta.cl
internalcake.asia
internetsdd4.net
internetsdd4.org
internetsturk.net
intervalsselfservice.pro
ioalcsy.freewww.biz
ioragement.net
iphonedata.info
irresponsibletablets.asia
irritatingtrailers.info
isaacdocs.com
iwwcwxjoy.freewww.biz
jafcomuzzle.com
jamdownsizes.info
jaquxedo.tk
jefvqloqs.freewww.biz
jekpot.net
jekpot.org
jexiyohi.tk
jopoplop.cu.cc
joxopzzz.cu.cc
jqkxhv.freewww.biz
jrhhqbgf.freewww.biz
jsccrzo.freewww.biz
jscripttoughgeek.biz
jtalwiwu.freewww.biz
junest.lenuerry.com
justpingmoow.net
juwkulgw.freewww.biz
jxzyi.freewww.biz
kcttqwmg.freewww.biz
kcxqach.freewww.biz
keyboardhigherpriority.pro
keywordrecordrookie.info
kgugoasr.freewww.biz
kimqtpbj.freewww.biz
kiost.lenuerry.com
kjrkbvrws.freewww.biz
kochenmitspass.com
kochenmitspass.net
komat.lenuerry.com
kopan.lenuerry.com
kopcasdf.cu.cc
ksopyt.freewww.biz
kupimiy.tk
kuuiukcd.freewww.biz
kvidzs.freewww.biz
lapuneran.com
lastfmwidescreen.info
lastwestbizz.info
laternotairplanes.org
laxonot.tk
lbd.lenuerry.com
leadingpartymoderateshewasejectedfromaftershesaid.info
leaguedigs.pro
legendpairing.info
lenskuog.freewww.biz
lesgpda.freewww.biz
letterpresssketching.info
levanto-poker.com
levanto-poker.info
levanto-poker.net
levanto-poker.org
lglsuo.freewww.biz
libertybigestnoob.org
linestrate.biz
linusrival.info
lipor.afkepock.com
lipsbylines.pro
listingsnonexecutable.org
litebizzchersearch.org
liteklick.com
litenames.com
littleknobnsack.us
ljbsll.freewww.biz
llsoftness.info
llxtyzh.freewww.biz
loadsgamescraft.org
locatorrotten.net
lollipoporno.org
longnikdb.com
lops.verikanam.com
lopxaert.cu.cc
lowkeytonights.pro
lpbjscrsa.freewww.biz
lpnkbwx.freewww.biz
lqbiyic.freewww.biz
lwwpmfw.freewww.biz
lynwau.freewww.biz
m6j2.info
macbookxed.net
macdonaldsfast.net
mangosautomated.info
manibackbestbizz.net
marxloha.com
marxloha.net
mastercarddialog.pro
masterxz.cu.cc
mayhemavz.pro
mazdak.cu.cc
mdrphfri.freewww.biz
mechanicalagenda.asia
membersnetsgunss.info
membersnetsgunss.org
memoryhddmonitor.org
memossingleuser.info
mentscommence.net
merstengrown.com
mesburtterpe.ddns.name
metaizosulfatmetanol.com
metasearchexcessively.net
mexicomongo.com
mexodini.tk
mhpuya.freewww.biz
mikesnutssner.net
mikesnutssner.org
minisiteshassle.info
minker.lenuerry.com
mitest.lenuerry.com
mitre.verikanam.com
mixed.verikanam.com
mjhcymist.freewww.biz
mmwap.freewww.biz
mnroemawa.freewww.biz
mnszyhxgp.freewww.biz
mobilefriendlysingledisk.info
modemgamers.info
modesicompared.org
modesiscenes.info
mofiozesbzcom.net
mokas.lenuerry.com
mondayswizardnet.info
moneysdialogs.net
monikaheinold.net
monitorsystemsdep.net
monitorsystemsdep.org
mopiserb.cu.cc
morrisgussmir.biz
mouseclickcentralization.info
mqtqjkyo.all-emoticons.com
multidimensionalpersisted.org
multilevelclass.net
museumsnimble.net
mwmfue.freewww.biz
mxssweeten.pro
mydreamnewone.com
mydreamnewone.me
mydreamnewone.org
mydreamnewone.us
naejadxge.freewww.biz
namesstressadd.net
ndengine.com
nedra.ddns.infoc
neos.lenuerry.com
nerest.ddns.info
nerfaserty.fondinfocenters.info
netdocumentsinaccessible.info
new-generation-affiliate.net
new-generation-affiliate.org
new-generation-affiliateonline.co
newyorkcarrent.com
ngfyt.freewww.biz
nicert.afkepock.com
njgblmlg.freewww.biz
nlbdiv.freewww.biz
nnczl.freewww.biz
noacmvbg.gr8name.biz
nospaceforced.pro
ns1.collectionsbleeding.pro
ns1.haventons.org
nsc.hornyfile.net
nuert.lenuerry.com
nvelqxkt.freewww.biz
nzhewnvi.freewww.biz
nzuqojkf.freewww.biz
oboobx.freewww.biz
oevcrn.freewww.biz
oferts.net
ohnjckgo.freewww.biz
okles.lenuerry.com
oltpspeakers.pro
oneiricinfocenters.info
ones.myservicecomments.com
onlineadvertclick.eu
onlineadvertclick.info
onlineadvertclick.org
oovmmb.freewww.biz
operationseverlearn.pro
opticshoc.pro
originalchristopher.net
originatingpixelize.pro
ortide.afkepock.com
otscfr.com
overseassouth.net
ow42.org
ownorreverting.org
ownprice.net
paggpuvv.freewww.biz
palacio-casino.com
palacio-casino.in
palacio-casino.info
palacio-casino.me
palacio-casino.mobi
palermopoker.asia
palermopoker.biz
palermopoker.co
palermopoker.info
palermopoker.me
palermopoker.net
palermopoker.org
pamaetyd.cu.cc
panasoniccatnap.net
panasoniclibs4.biz
panasoniclibs4.net
paneheftier.info
parlorlimitsforemost.org
participaterevisions.info
pasrewder.cu.cc
passedtwitpic.pro
paszerqef.cu.cc
pawertyse.cu.cc
pbhukx.freewww.biz
pejot.freewww.biz
pfannengericht.com
pfvfsi.freewww.biz
photoemailingbrethren.pro
physicallyoffer.asia
picniksdistrict.info
pigrona5.com
piicentrally.org
pikkolorgy.org
pistolop.cu.cc
pityr.verikanam.com
plannerspressed.net
pmquggb.freewww.biz
pmxlzumf.freewww.biz
pnppz.freewww.biz
pocasredr.cu.cc
polaroidstylesaved.info
pomertax.cu.cc
pornooncar.pro
pornoseccasgirls.info
pornoseccasgirlss.net
pornostroycenters5v.net
portallnk.com
postprepminimize.pro
potar.lenuerry.com
potentlatency.net
povertzag.cu.cc
powertnoii.cu.cc
prettydik.net
privacyxslegacy.info
producercheesy.net
progresseddrilled.net
promoitaliane.tv
prosperplug.info
psgva.freewww.biz
pvsblues.info
pzdupny.freewww.biz
qadosiwixe4.pro
qadosiwixe45.pro
qadosiwixe5.pro
qgwbhqthc.freewww.biz
qiksmotorcycles.pro
qojnwkp.freewww.biz
qoyuhiwe.tk
qpxibesp.freewww.biz
quellesimple.com
quellesimple.info
quickcamsassembled.net
quickofficemosaic.info
quincypuublicschools.com
quittsfasaf14.net
quqzpzfwr.freewww.biz
qxwhucsruaifu.pro
radarholga.pro
ratzeputze.com
rayoperu.tk
rbeqj.freewww.biz
rcjdnesni.freewww.biz
receivesagillions.info
recklessblacklisting.net
recoffsets.net
redirestoodersfin.info
redownloadingraucously.info
redspeed.asia
redundantblockskew.pro
redut.is-leet.com
reinventsciti.pro
relatedfarsi.info
releasedoutofbox.info
reliabilitytedium.info
reliantscrambled.org
remissimpediments.net
rentalhummers.pro
rentedtransactions.info
repinvoiceover.info
reportingautomatingoutliners.info
repurposedsmtppop.asia
re-served.com
respectsprosuite.info
restoronsafe.info
reusemorepersonalized.org
revolutioncodehinting.pro
rewardbounces.info
rhacsy.freewww.biz
riatiapafor.dnset.com
rizapizda.com
rojoxal.tk
roomyqualysguard.info
rootkitsprintready.pro
roudroadersnetliker.com
roxjd.freewww.biz
rozohudu.tk
rubilonk.biz
rubilonk.com
rubilonk.info
rutes.lenuerry.com
rxkpd.freewww.biz
safaristereos.biz
safetywebclassifies.net
samcrop.info
santnhzg.freewww.biz
saucesensorlys.info
savedordernumbers.net
sbyaiqvpm.freewww.biz
scarcecookiecutter.pro
schirkaal.com
schneemen.info
schoolsreading.asia
scrot-um.biz
securemanagerspecialcollectlinesite.info
security-checking.info
sedukimozzaik4net.info
seewild.net
seinfeldwlpg.pro
selamoitoipour.com
selamoitoipour.net
selamoitoipour.org
selmoipourtoi.com
selmoipourtoi.net
separatedsurprises.com
sequentialbiotics.info
sexclub4h.net
sexgirlsmembers4g.net
sexmurenagirlssex.info
sexsexporno.info
sexxxstaz.org
sfhnvvs.freewww.biz
shareself.info
sharingdelays.pro
sharpeyedresizable.net
shepardforests.info
shizzledizle.com
shortlonglinks.com
siamanfocont.ddns.name
sidhpuwtvkwrtv.flu.cc
signingsample.pro
signupdestinations.org
similaritiesinverting.net
singlecolumnhalloween.asia
sitesstressadd.com
sitesstressadd.net
sjryycwpl.freewww.biz
ska9.info
skitchrestaurants.net
skjaqowjtr.all-emoticons.com
slackmultiline.info
slnhtkqu.freewww.biz
smoothlyexit.net
snailmailupdater.net
snamedb.com
snoopscooperate.pro
sometimescroogle.asia
sorryintellicookie.net
soulplacing.pro
speedanymore.net
speedyfraction.pro
stampedetarget.info
stat.sportspirate.net
stathemliberiy.com
stationscannons.net
statistic.kodiakwireline.ca
stereoobjects.info
stetomoney.org
stinglnk.com
stlpartnership.asia
stoppedcam.info
storagemediumfoolish.pro
streetpiloteffortlessly.biz
strnglink.com
stumbleuponbutlowerpriced.info
subjectslicing.net
sublistsvirus.info
suckro.lenuerry.com
sufopati.tk
sugad.afkepock.com
sunbeltinverting.pro
suncurrentlytransitstheconstellationoflibrafromoctober.info
superbrustramestraonline.org
supportflashoutlookstyle.pro
susssurrounds.info
suxoyad.tk
swallowsreenable.pro
sydzslq.freewww.biz
syenial.com
system0001.pro
taipeirazor.pro
talliedclassit.info
tares.verikanam.com
tauscansenders.info
tavawf.freewww.biz
tcpipbyfiletype.info
teddyderhund.com
teddyderhund.net
tekqswas.freewww.biz
tellementads.net
tenscrub.net
testr.pcanywhere.net
textingnode.info
thewirelesscaalog.com
theydlauncher.net
thrillededward.pro
thundercatsimplications.net
tibukns.freewww.biz
timingwaste.net
tisla.lenuerry.com
togglesengines.info
toolbarpcmag.info
totalethreetabbed.net
toypourtoy.info
toypourtoy.net
toyticket.info
tracklessactivedisk.info
trading-consult.info
trafficstock.net
transformspace.pro
trnio.lenuerry.com
troopersresided.info
truesamuraidns.com
tufbu.freewww.biz
turnkeynew.pro
twesst.afkepock.com
twitteresqueingenious.info
txdfldh.freewww.biz
txtbznqia.freewww.biz
tzhone.freewww.biz
uadwfj.freewww.biz
uatogspme.freewww.biz
ubiuzkfw.freewww.biz
uidlikmcr.freewww.biz
ujergbcfcskuxvd.dyndns-remote.com
unhuzrtje.freewww.biz
uninstallerthumbtack.asia
unprotectedepicture.info
unuere.freewww.biz
update-cdn.com
uptel.afkepock.com
ureqedaz.mrbasic.com
usdaqpl.freewww.biz
user2.lenuerry.com
usnet.lenuerry.com
usomainssinglwwerx.com
uszefhy.freewww.biz
uukdktlc.onmypc.us
uvvtscte.biz
uwndet.freewww.biz
uybeor.freewww.biz
uyfea.freewww.biz
uzvxb.freewww.biz
vabnoynua.freewww.biz
vabosaho.tk
validatorbasses.net
validfacts.info
vchysb.freewww.biz
veraconference.info
verghavinias.com
verisimilitudeguidelines.pro
viewsbootup.net
viiju.freewww.biz
viqrzfvi.freewww.biz
virginiacompanyron.com
visasunspot.net
vitres.verikanam.com
vjhgd.freewww.biz
vmteuayfi.freewww.biz
voltsdragandselect.net
voniucka.co.uk
vsddbm.freewww.biz
vvsgoqe.freewww.biz
vzfascinating.info
wallmountedsubprojects.info
watisawarosydok.org
waybunch.org
webcheckfinalizing.net
webdavinfluential.pro
webmasteraolcom.asia
websearchsite.net
weekdaysaccountif.org
wefirefoxs.info
wellreceivedrug.pro
wentovergomountain.net
wereworkstationlike.org
westlnk.com
wfslwzbmj.freewww.biz
whpdn.freewww.biz
wildcarddigest.org
wimipol.tk
winproducersdisks.asia
wirmsnetsreg.org
wizikohu.tk
wjtuvxr.freewww.biz
wlklayju.freewww.biz
wlvgkym.freewww.biz
womukul.tk
wordreg.com
worksheetrating.info
woteucv.freewww.biz
wouldstats.com
wpvrq.freewww.biz
wqolljp.freewww.biz
writexrealtek.pro
www.hornyfile.net
www.jscripttoughgeek.biz
www.livecamsxxxnow.com
www.schneemen.info
www.sexsexporno.info
wwwlogmeincomafflicts.net
xasnc.freewww.biz
xberfdpfo.freewww.biz
xcwalwbwg.freewww.biz
xerta.lenuerry.com
xfulu.freewww.biz
xgrvj.freewww.biz
xicajevi.tk
xkaceln.freewww.biz
xmlstructurednewegg-affiliate.asia
xmmtry.freewww.biz
xokildrgfht.dyndns-remote.com
xokildrggjy.dyndns-remote.com
xokildrghkuy.dyndns-remote.com
xptyhuob.serveusers.com
xrtecjq.freewww.biz
xvideotubehq.net
xvideotubehq.org
xvidious.co
xvidious.info
xvidious.net
xvidious.org
xvidstubes.asia
xvidstubes.biz
xvidstubes.co
xvidstubes.com
xvidstubes.info
xvidstubes.me
xvidstubes.mobi
xvuxl.freewww.biz
yabalvate.freewww.biz
yale.verikanam.com
ycwmpwmh.freewww.biz
ycwvoad.freewww.biz
ycxbecdci.freewww.biz
yfajapit.americanunfinished.com
yhejzgsc.freewww.biz
yhgqw.freewww.biz
yjihtguzr.freewww.biz
ykasszk.freewww.biz
ynerfklpgjazsc.servebbs.com
ynybaduv.itemdb.com
yourxvideos.asia
yuokmyxhk.freewww.biz
yuppiebatchmode.info
yvngzms.freewww.biz
ywtytciqr.freewww.biz
yyvpdr.almostmy.com
yzhhn.freewww.biz
yzmek.mynumber.org
yzociz.freewww.biz
z8s0.info
zawejame.tk
zegejic.tk
zenuxozo.tk
zenworksencourages.pro
zeroknowledgealwil.asia
zhnmnjtm.freewww.biz
zikertlijgyhku.dyndns-remote.com
zikertlzcsyvdx.dyndns-remote.com
zikertydhwegawd.dyndns-remote.com
zikertydhwegsd.dyndns-remote.com
zikrftgbaefas.dyndns-remote.com
zikrfvdeccsxw.dyndns-remote.com
ziniospdfs.org
zkpys.freewww.biz
zoom.verikanam.com
zoomedpentiumequipped.info
zvxct.freewww.biz
zywyr.freewww.biz