Sponsored by..

Showing posts with label Serbia. Show all posts
Showing posts with label Serbia. Show all posts

Tuesday 26 February 2013

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

Posted by at No comments:
Labels: , , , , ,

Thursday 16 February 2012

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges.. I ideidentified the following list last August, I haven't had the change to go back and check it again.

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

These are the some of malicious sites hosted on that server, it appears to be some sort of injection attack although it is still being analysed.

*.1905188000.1959caddylimousine.com
*.1959caddylimousine.com
*.2358552833.59caddylimousine.com
*.2851874892.elegantdesign-dfw.org
*.3278164984.elegantdesign-dfw.info
*.59caddylimousine.com
*.alvolo.co.uk.process.1905188000.1959caddylimousine.com
*.ca.redirect.3278164984.elegantdesign-dfw.info
*.co.uk.process.1905188000.1959caddylimousine.com
*.com.process.2851874892.elegantdesign-dfw.org
*.elegantdesign-dfw.info
*.elegantdesign-dfw.org
*.google.ca.redirect.3278164984.elegantdesign-dfw.info
*.google.com.process.2851874892.elegantdesign-dfw.org
*.google.it.process.2358552833.59caddylimousine.com
*.it.process.2358552833.59caddylimousine.com
*.process.1905188000.1959caddylimousine.com
*.process.2358552833.59caddylimousine.com
*.process.2851874892.elegantdesign-dfw.org
*.redirect.3278164984.elegantdesign-dfw.info
*.uk.process.1905188000.1959caddylimousine.com
1905188000.1959caddylimousine.com
212-95-54-22.local
2358552833.59caddylimousine.com
2851874892.elegantdesign-dfw.org
3278164984.elegantdesign-dfw.info
alvolo.co.uk.process.1905188000.1959caddylimousine.com
ca.redirect.3278164984.elegantdesign-dfw.info
co.uk.process.1905188000.1959caddylimousine.com
com.process.2851874892.elegantdesign-dfw.org
europschool.net.url.2523133614.elegantdesign-dfw.net
flyksa.com.redirect.465141941.59caddylimo.com
google.ca.redirect.3278164984.elegantdesign-dfw.info
google.com.process.2851874892.elegantdesign-dfw.org
google.it.process.2358552833.59caddylimousine.com
it.process.2358552833.59caddylimousine.com
oekb36.at.process.340120129.1959caddylimo.com
oekb36.at.redirect.411115172.59cadillaclimousine.com
process.1905188000.1959caddylimousine.com
process.2358552833.59caddylimousine.com
process.2851874892.elegantdesign-dfw.org
redirect.3278164984.elegantdesign-dfw.info
suche.aol.de.search.410468745.elegantdesign-dfw.org
uk.process.1905188000.1959caddylimousine.com
www.alvolo.co.uk.process.1905188000.1959caddylimousine.com
www.berrywestra.nl.search.43565349.1959caddylimousine.com
www.dianaamft.de.search.413644068.59caddylimo.com
www.feuerwehr-schweiz.ch.redirect.461037769.1959caddylimousine.com
www.frnd.de.query.333082952.1959caddylimo.com
www.frnd.de.url.318686353.elegantdesign-dfw.org
www.gaestehaus-schuett-niendorf.de.redirect.411264880.jennyspecialoffer.info
www.google.at.url.4079944488.59caddylimousine.com
www.google.ca.redirect.3278164984.elegantdesign-dfw.info
www.google.com.process.2851874892.elegantdesign-dfw.org
www.google.com.query.3384746824.elegantdesign-dfw.info
www.google.de.process.314184094.1959cadillaclimo.com
www.google.de.process.3384063282.59caddylimo.com
www.google.de.process.3464400104.elegantdesign-dfw.org
www.google.de.process.36453841.59cadillaclimo.com
www.google.de.process.412658054.59cadillaclimousine.com
www.google.de.query.15292270.elegantdesign-dfw.net
www.google.de.query.332541317.59cadillaclimousine.com
www.google.de.query.335211808.elegantdesign-dfw.org
www.google.de.query.3384406282.jennyspecialoffer.info
www.google.de.query.3464386393.59caddylimousine.com
www.google.de.query.464367892.1959caddylimo.com
www.google.de.redirect.3384265678.elegantdesign-dfw.info
www.google.de.redirect.3384350356.1959cadillaclimousine.com
www.google.de.redirect.3464464836.1959cadillaclimo.com
www.google.de.redirect.464534470.1959cadillaclimo.com
www.google.de.search.3384394923.1959cadillaclimo.com
www.google.de.search.3384492708.elegantdesign-dfw.com
www.google.de.search.382410083.1959cadillaclimousine.com
www.google.de.search.393679898.59caddylimousine.com
www.google.de.search.4082654881.1959caddylimousine.com
www.google.de.search.412756816.59caddylimousine.com
www.google.de.search.462774118.elegantdesign-dfw.info
www.google.de.search.463016893.59cadillaclimousine.com
www.google.de.url.15149077.59caddylimo.com
www.google.de.url.2523853156.elegantdesign-dfw.net
www.google.de.url.2531191013.1959cadillaclimousine.com
www.google.de.url.314298327.1959cadillaclimo.com
www.google.de.url.337083412.1959cadillaclimousine.com
www.google.de.url.3375711067.elegantdesign-dfw.net
www.google.es.process.3254798273.1959cadillaclimo.com
www.google.gr.process.11965077.1959cadillaclimousine.com
www.google.it.process.2358552833.59caddylimousine.com
www.google.nl.redirect.455319947.59caddylimo.com
www.google.nl.search.4251017144.1959cadillaclimousine.com
www.kefalonia-animal-trust.de.url.397020850.59cadillaclimousine.com
www.kgse.de.process.465129127.elegantdesign-dfw.info
www.klassik-in-berlin.de.search.464418679.59cadillaclimo.com
www.landwarenshop.de.search.463324361.59cadillaclimo.com
www.losan.de.redirect.318546405.1959cadillaclimousine.com
www.mein-unterrichtsmaterial.de.query.3254956884.1959cadillaclimousine.com
www.rafoeg.de.process.463558035.59caddylimo.com
www.sportfoto-vogler.de.process.337602454.elegantdesign-dfw.com
www.sportfoto-vogler.de.url.337492263.jennyspecialoffer.info
www.torleute.de.redirect.341391517.59caddylimo.com
www.welte.de.search.397762316.1959cadillaclimo.com

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.
Posted by at 1 comment:
Labels: , , , ,

Thursday 11 August 2011

Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.

A lot of other IP addresses associated with this company are implicated with forum spamming.

Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

As for 95.168.177.144, watch for traffic going to subdomains of reddingtaxcm.com, for example:

command0.reddingtaxcm.com
danger0.reddingtaxcm.com
costs0.reddingtaxcm.com
fifteen1.reddingtaxcm.com
countries1.reddingtaxcm.com
evil3.reddingtaxcm.com
placed4.reddingtaxcm.com
itself4.reddingtaxcm.com
democratic5.reddingtaxcm.com
dark5.reddingtaxcm.com
original5.reddingtaxcm.com
tuesday5.reddingtaxcm.com
source6.reddingtaxcm.com
cover6.reddingtaxcm.com
highest6.reddingtaxcm.com
college7.reddingtaxcm.com
during9.reddingtaxcm.com
condition9.reddingtaxcm.com
complex9.reddingtaxcm.com
headed0.reddingtaxcm.com
Posted by at No comments:
Labels: , , , ,

Tuesday 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14
Posted by at 1 comment:
Labels: , , , , ,
Subscribe to: Posts (Atom)