Sponsored by..

Showing posts with label logol.ru. Show all posts
Showing posts with label logol.ru. Show all posts

Thursday, 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.


Detected IP Recommended block Owner
5.9.191.179 5.9.191.160/26 (CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91 5.45.183.91 (Bradler & Krantz, Germany)
5.135.67.215 5.135.67.208/28 (MMuskatov-IE / OVH, France)
5.135.67.217

23.19.87.38 23.19.87.32/29 (Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83 37.230.112.0/23 (TheFirst-RU, Russia)
46.4.179.127 46.4.179.64/26 (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129

46.4.179.130

46.4.179.135

46.37.165.71 46.37.165.71 (BurstNET, UK)
46.37.165.104 46.37.165.104 (BurstNET, UK)
46.105.162.112 46.105.162.112/26 (Shah Sidharth, US / OVH, France)
62.109.24.144 62.109.24.0/22 (TheFirst-RU, Russia)
62.109.26.62

62.109.27.27

80.67.3.124 80.67.3.124 (Portlane Networks, Sweden)
80.78.245.100 80.78.245.0/24 (Agava JSC, Russia)
91.220.131.175 91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.220.131.178

91.220.163.24 91.220.163.0/24 (Olevan plus, Ukraine)
94.250.248.225 94.250.248.0/23 (TheFirst-RU, Russia)
108.170.4.46 108.170.4.46 (Secured Servers, US)
109.235.50.213 109.235.50.213 (xenEurope, Netherlands)
146.185.255.97 146.185.255.0/24 (Petersburg Internet Network, Russia)
146.185.255.207

149.154.64.161 149.154.64.0/23 (TheFirst-RU, Russia)
149.154.65.56

149.154.68.145 149.154.68.0/23 (TheFirst-RU, Russia)
173.208.164.38 173.208.164.38 (Wholesale Internet, US)
173.234.239.168 173.234.239.160/27 (End of Reality LLC, US / Nobis, US)
176.31.191.138 176.31.191.138 (OVH, France)
176.31.216.137 176.31.216.137 (OVH, France)
184.82.27.12 184.82.27.12 (Prime Directive LLC, US)
188.93.211.57 188.93.210.0/23 (Logol.ru, Russia)
188.120.238.230 188.120.224.0/20 (TheFirst-RU, Russia)
188.120.239.132

188.165.95.112 188.165.95.112/28 (Shah Sidharth, US / OVH France)
188.225.33.62 188.225.33.0/24 (Transit Telecom, Russia)
188.225.33.117

192.210.223.101 192.210.223.101 (VPS Ace, US / ColoCrossing, US)
193.106.28.242 193.106.28.242 (Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144 193.169.52.0/23 (Promobit, Russia)
195.3.145.99 195.3.145.99 (RN Data, Latvia)
195.3.147.150 195.3.147.150 (RN Data, Latvia)
198.23.250.142 198.23.250.142 (LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174 198.46.157.174 (Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151 205.234.204.151 (HostForWeb, US)
205.234.204.190 205.234.204.190 (HostForWeb, US)
205.234.253.218 205.234.253.218 (HostForWeb, US)
213.229.69.40 213.229.69.40 (Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

Monday, 4 March 2013

Delta Airlines spam / inanimateweaknesses.net and complainpaywall.net

This fake Delta Airlines spam leads to malware on inanimateweaknesses.net and complainpaywall.net:

From: DELTA CONFIRMATION [mailto:cggQozvOc@sutaffu.co.jp]
Sent: 04 March 2013 14:27
Subject: Your Receipt and Itinerary

Thank you for choosing Delta. We encourage you to review this information before your trip.
If you need to contact Delta or check on your flight information, go to delta.com/itineraries

Now, managing your travel plans just got easier. You can exchange, reissue and refund electronic tickets at delta.com/itineraries.

Take control and make changes to your itineraries at delta.com/itineraries.

Speed through the airport. Check-in online for your flight.

Check-in

Flight Information
DELTA CONFIRMATION #: D0514B3
TICKET #: 00920195845933
Bkng Meals/ Seat/
Day Date Flight Status Class City Time Other Cabin
--- ----- --------------- ------ ----- ---------------- ------ ------ -------
Mon 11MAR DELTA 372 OK H LV NYC-KENNEDY 820P F 19C
AR SAN FRANCISCO 8211P COACH

Fri 15MAR DELTA 1721 OK H LV LOS ANGELES 1145P V 29A
AR NYC-KENNEDY 812A# COACH

Check your flight information online at delta.com/itineraries
The email contains several links to different hacked sites, which then forward to [donotclick]inanimateweaknesses.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report  here) or [donotclick]complainpaywall.net/closest/c93jfi2jf92ifj39ugh2jfo3g.php (report here) both of which are hosted on 188.93.211.156 (Logol.ru, Russia). In my opinion 188.93.210.0/23 is a bit of a sewer and should be blocked if you can, as there are probably many other malicious sites nearby.


Of note is that the links in the email only seem to work with a correct referrer and user agent. If those are not set, then you will not end up at the malware page.


Thursday, 28 February 2013

"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

Friday, 21 December 2012

Malware sites to block 21/12/12

There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection machanism appears to be coming from an unidentifiedad running on the centerblog.net blogging system (I think specifically [donotclick]zezete2.centerblog.net/i-247-136-1356095651.html)

The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)

[donotclick]svwlekwtaign.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/

[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.

avigorstats.pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan, but this is just the tip of a huge iceberg of malicious IPs and domains that are all interconnected.

Let's start with my personal recommended blockist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for for copy and pasting)..

Recommended blockist (annotated):

5.39.121.18 (OVH, Ireland)
5.135.20.2 (OVH, France)
5.135.67.144/28 (MMuskatov / OVH, Belgium)
5.135.67.192/28 (MMuskatov / OVH, Czech Republic)
5.135.97.6 (OVH, Ireland)
5.135.204.16/28 (Shah Sidharth / OVH, Ireland)
5.135.218.32/27 (Shah Sidharth / OVH, France)
5.135.223.96/27 (Shah Sidharth / OVH, France)
5.199.172.0/22 (BALTICSERVERS, Lithunia)
37.9.53.0/24 (Sheludyak-NET, Russia)
37.221.170.88 (Voxility, Romania)
46.28.71.68 (UA Servers, Ukraine)
46.105.102.18 (OVH, France)
46.235.8.175 (Teknik Data Internet Teknolojileri San.Tic.Ltd. Sti., Turkey)
46.249.42.0/24 (Serverius Holding, Netherlands)
62.76.40.0/21 (Rosniiros, Russia)
62.76.176.0/22 (Rosniiros, Russia)
62.76.180.0/24 (Rosniiros, Russia)
62.76.184.0/21 (Rosniiros, Russia)
62.109.0.0/21 (The First, Russia)
62.122.74.0/23 (Leksim, Poland)
63.247.91.188 (Global Net Access, US)
64.120.193.0/24 (HostNOC, US)
78.140.135.128/25 (Webazilla, Gibraltar)
84.200.77.204 (Misterhost, Germany)
85.17.92.146 (Leaseweb, Netherlands)
85.143.166.0/24 (Pirix, Russia)
88.198.30.19 (Hetzner, Germany)
91.201.214.0/23 (PS Internet, Kazakhstan)
91.211.116.0/22 (Zharkov Mukola Mukolayovuch, Ukraine)
91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.231.156.0/24 (Sevzapkanat-Unimars, Russia)
91.232.29.70 (Realon Service LLC, Ukraine)
91.235.128.0/23 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
91.238.83.0/24 (Standart LLC, Moldova)
91.243.115.0/24 (Aztec, Russia)
92.46.62.128/25 (Shevchenko Sergey, Kazakhstan)
93.170.13.4 (Alfa Telecom, Czech Republic)
93.170.128.253 (Alfra Telecom, Russia)
95.211.199.34 (Leaseweb, Netherlands)
108.163.188.250 (iWeb, Canada)
142.0.37.60 (VolumeDrive, US)
142.54.183.96/27 (Datashack, US)
146.185.255.0/24 (Petersburg Internet Network Ltd, Russia)
151.248.116.54 (Reg.ru, Russia)
178.162.134.128/26 (Silin-Vitaly-Petrovich, Belarus)
178.162.147.111 (Leaseweb, Germany)
184.82.222.126 (HostNOC, US)
184.82.222.127 (HostNOC, US)
185.4.227.42 (Sayfa.NET, Turkey)
188.93.211.114 (Logol, Russia)
188.190.127.118 (Infium LTD, Ukraine)
188.208.32.0/23 (Ch-net Srl, Romania)
193.107.16.0/22 (Ideal Solution Ltd, Seychelles)
194.62.233.0/24 (Stils Grupp, Russia)
195.3.145.45 (RN Data, Latvia)
195.3.145.51 (RN Data, Latvia)
195.20.141.0/24 (Sigma Ltd, Russia)
195.138.240.0/21 (Creative Telematics & Trade s.r.o., Czech Republic)
198.49.66.159 (Hostdime, US)
198.147.22.69 (Front Range Hosting, US)
199.231.210.231 (Enzu Inc, US)
206.212.240.202 (Colostore, US)
206.212.240.206 (Colostore, US)
206.222.17.136/29 (XLHost, US)
208.88.226.230 (WZ Communitions, US)
208.88.226.231 (WZ Communitions, US)
217.23.11.103 (Worldstream, Netherlands)
217.23.15.110 (Worldstream, Netherlands)

Recommended blockist (Plain list):

5.39.121.18
5.135.20.2
5.135.67.144/28
5.135.67.192/28
5.135.97.6
5.135.204.16/28
5.135.218.32/27
5.135.223.96/27
5.199.172.0/22
37.9.53.0/24
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.10/24
62.76.40.0/21
62.76.176.0/22
62.76.180.0/24
62.76.184.0/21
62.109.0.0/21
62.122.74.0/23
63.247.91.188
64.120.193.0/24
78.140.135.128/25
84.200.77.204
85.17.92.146
85.143.166.0/24
88.198.30.19
91.201.214.0/23
91.211.116.0/22
91.220.131.0/24
91.231.156.0/24
91.232.29.70
91.235.128.0/23
91.238.83.0/24
91.243.115.0/24
92.46.62.128/25
93.170.13.4
93.170.128.253
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.96/27
146.185.255.0/24
151.248.116.54
178.162.134.128/26
178.162.147.111
185.4.227.42
188.93.211.114
188.190.127.118
188.208.32.0/23
193.107.16.0/22
194.62.233.0/24
195.3.145.45
195.3.145.51
195.20.141.0/24
195.138.240.0/21
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.136/29
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Raw list of malicious IPs:
5.39.121.18
5.135.20.2
5.135.67.145
5.135.67.198
5.135.97.6
5.135.204.19
5.135.204.20
5.135.218.33
5.135.223.127
5.199.174.99
5.199.175.36
5.199.175.59
5.199.175.60
37.9.53.71
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.161
46.249.42.168
62.76.41.75
62.76.41.208
62.76.178.9
62.76.180.191
62.76.184.246
62.76.185.206
62.76.185.211
62.76.186.109
62.109.2.239
62.109.12.166
62.109.16.94
62.122.74.45
63.247.91.188
64.120.193.144
64.120.193.177
64.120.193.218
64.120.193.219
78.140.135.194
78.140.135.195
84.200.77.204
85.17.92.146
85.143.166.87
85.143.166.202
85.143.166.219
88.198.30.19
91.201.215.173
91.211.119.56
91.211.119.63
91.211.119.66
91.211.119.67
91.220.131.67
91.231.156.50
91.231.156.98
91.231.156.188
91.232.29.70
91.235.129.35
91.238.83.46
91.238.83.56
91.243.115.28
92.46.62.252
93.170.13.4
93.189.40.223
93.170.128.253
94.242.219.3
94.242.219.6
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.110
146.185.255.66
151.248.116.54
178.162.134.138
178.162.134.139
178.162.132.202
178.162.134.198
178.162.134.200
178.162.134.201
178.162.134.202
178.162.134.212
178.162.147.111
178.162.134.141
184.82.222.126
184.82.222.127
185.4.227.42
188.93.211.114
188.190.127.118
188.208.33.10
193.107.17.105
193.107.19.76
194.62.233.26
194.62.233.31
194.62.233.63
194.62.233.79
194.62.233.137
194.62.233.146
194.62.233.171
194.62.233.173
194.62.233.183
194.62.233.242
195.3.145.45
195.3.145.51
195.20.141.22
195.20.141.23
195.20.141.85
195.20.141.86
195.138.241.79
195.138.241.88
195.138.241.92
195.138.241.93
195.138.241.95
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.138
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Known malicious domains:
001dtbflutxcy.changeip.org
001vlcjibtwrh.changeip.org
002yfzwqyhhqi.changeip.org
003wceqzsouib.changeip.org
004wifxfqqelw.changeip.org
004wsragrwziy.changeip.org
005litvisulyl.changeip.org
005pqlvqwowvh.changeip.org
005szgfxyhyuf.changeip.org
006epphovwevl.changeip.org
006jowpvflxwu.changeip.org
006okqwhyklyg.changeip.org
007gydbgxftcl.changeip.org
007hppoqubtvs.changeip.org
007lvsqhpjtrd.changeip.org
008ftuuqluzoq.changeip.org
008rdzfkykqdv.changeip.org
009g.domaiinn.be
009kkuhgyrazq.changeip.org
009xxqqflqvec.changeip.org
010ipjzyqeuor.changeip.org
017bqelicwssl.changeip.org
020bedzycxryv.changeip.org
020qagbfqxtzq.changeip.org
021lkukzxbuuu.changeip.org
022xwsejqchre.changeip.org
023qrgoreztit.changeip.org
023zqpiblrfso.changeip.org
024vkaoabwhsf.changeip.org
025cldzpffyvl.changeip.org
026cocyjbhahg.changeip.org
027yzlofltfyp.changeip.org
16nnb7b.gm9.com
17vfdvr.gm9.com
2012-2013.org
3d27bc5173b799ec363ebb6a.mine.nu
42f0e25d8baf2c5df64842f5.merseine.nu
555flashpoker.com
555flashpoker.info
555flashpoker.me
555flashpoker.net
7domaindns.com
888flashpoker.com
888flashpoker.info
8domaindns.com
8xvideos-tube.com
8xvideos-tube.info
8xvideos-tube.mobi
a0246d72.mayhemavz.pro
a1000000.mayhemavz.pro
a2b3490dc28df6ec1db21d10.merseine.nu
aboutmailmerging.net
accelerationarrangement.info
acclaimny.pro
acquiringhawaiian.asia
addservice.flu.cc
adobestyledives.org
adriano-bull.com
adriano-bull.net
adsquatropower.com
adsquatropower.info
adsquatropower.net
adsquatropower.org
adventureslh.net
ae1830b97080c83176b59c94.mine.nu
af9b7985802bc09fb9e19663.merseine.nu
affairlikely.net
agegateguru.net
agelumosityroad.net
ahjlfmm.freewww.biz
ahzhfvfjn.freewww.biz
aimedmetaballs.org
airprintlacks.net
ajsuqhsq.freewww.biz
ajwvnwcm.freewww.biz
aktsf.freewww.biz
alhmzpxsdtj.net
altsjhin.mynumber.org
amountinterrupting.pro
analytics-djmusic-online.de
ananasert.cu.cc
anbab.freewww.biz
anti-carding.info
antivirusscleanuponly.info
approximatelyshopkeepers.net
appsfordefaultappear.pro
aqxetx.freewww.biz
archaicpatron.asia
areoperations.net
arltdbsg.freewww.biz
armiesboxes.info
arndlink.com
arny.nazleennoor.com
artilleryupgrading.com
asefeferea.uni.me
asifq.freewww.biz
asimuthstats.pro
associatesgymnastic.asia
astrotester.com
attataponger.ru
audiodevelop.net
auraletterandnumber.org
authoringtriplecore.net
autoplaycyberdrive.info
avenuerequests.net
avigorstats.pro
axis.lenuerry.com
bajoqavu.tk
ballfill.net
baltes.verikanam.com
barpoxert.cu.cc
basun.lenuerry.com
bathtubdanger.net
bazarafcantoscabiz.com
bctwqsgcu.freewww.biz
bdslength.net
beansreschedule.com
beautifullytriangulate.info
bedtimeroes.pro
begpkcd.freewww.biz
bellevident.pro
bestcountstat.com
bestlastnest.asia
besttipscars.info
beta.lenuerry.com
betterlookingflabby.org
bhrhrim.freewww.biz
bicyclesteachers.info
bicyclingsecondfastest.pro
bigprobivbig.net
billtrackerremoval.info
biosopers.pro
bioticshypermodular.org
bitsrentr.pro
bizon.verikanam.com
bkuoq.freewww.biz
blanki-basa.info
bliclink.com
blikke.verikanam.com
blogtoolonsteroidscreations.net
bmfield.pro
bmgdrive.net
bobodrive.info
bobson7ka.pro
bomba.bonocchio.com
brandnewtransfer.pro
brandsanalog.info
breakingretouching.net
bregfxul.mynumber.org
brighterintuitiveness.info
browsecomplaints.org
brtrampolines.biz
brustramestra.org
buenos-varilias.com
bufferlumia.info
bunat.verikanam.com
buttonjp.org
c446fe861bdb8a2bbea44022.merseine.nu
cakuxeco.tk
calderatextletting.net
campaignmanagementmoneys.info
candyruns.pro
cantothemebased.pro
canyoninstructed.net
capricioussample.info
carswhilestaff.biz
cassettesbeauty.org
caubqj.freewww.biz
cdsbandwidthsaving.info
cejinayu.tk
centurylogmeinnow.net
cfarcto.freewww.biz
cheapbiotics.info
cheche.jrm-enterprises.com
checklistearpiercing.net
chidedpointofinterest.pro
cilidep.tk
cityscaperollbacks.net
ciwabiha.tk
clackt.freewww.biz
clarificationspackages.info
classbasecamp.pro
clckllink.com
clean-service.info
clearlydefinedjr.net
click2click.pro
click4click.org
clipboardbarely.pro
closedeasy.net
cloudtalkepicture.info
cloutremote.asia
cmesrearranged.pro
cogsfeet.net
cohostedpareddown.pro
coincidentlyreduce.net
collaborativerationals.info
collectingtabletfriendly.info
collectionsbleeding.pro
combinedbecause.org
common.thebattleroyal.com
conductinability.net
consciousnessmobileoptimized.info
constructionverified.org
contentdeliveryworldwide.pro
contentnomasterwork.net
convenienceconclusions.org
conversionitlegendary.info
convertervocal.net
corantipursue.info
correspondingpchoused.net
counterattackaltercast.asia
courseworktitanium.net
coxmxvku.freewww.biz
creast.afkepock.com
crosscountrypertinent.info
crossingpivot.info
crustwatch.com
crytprodom.net
cullinghenry.pro
curmudgeonlowerquality.net
cutlongurls.com
cwnddazt.freewww.biz
czxsazzz.cu.cc
dapuyok.tk
darkroomimageport.info
data.fossilflour.org
datcikas.co.uk
dazzlingthirst.info
dbzptwxhm.freewww.biz
dc21.asia
dckikyas.1dumb.com
dcrriklc.freewww.biz
ddbnbmpt.freewww.biz
dealingcas.pro
delawareriveromainssinglwwerx.com
delivercdn.com
demonstratepowerfully.net
denialdeduplication.net
densepromissory.info
deomainssinglwwerx.net
departuresheettogo.asia
dependenciesusers.net
deraman.cu.cc
dereteweret.org
desreappear.pro
devicetantalized.pro
dialerseasoned.org
digitalbrio.net
digitalspointsstorys.net
disappointsultra.net
discoverleaving.net
disperseconceptdraw.net
districtagenda.net
dixoxupo.tk
diysweeper.net
dkpjumouz.mynumber.org
dns20number.org
dnsnum10.com
dnsnum11.com
dnsnum12.pro
dnsnum9.com
dnsnumber1.com
dnsnumber14.pro
dnsnumber15.pro
dnsnumber2.com
dnsnumber3.com
docktoolsthe.org
docstogolists.info
docxlassos.net
doggedmask.pro
domaincreations.info
domainjustmails.net
domainscingapurs.net
domainsgweate.net
domainsjinniks.net
domainsnetstatts.net
domainsplaylgtaxes.com
domainsplaylgtaxes.net
domainsrighbind.net
domainssinglargetaxes.net
domainssinglgirs.net
domainssinglsnet.info
domainssinglssin.info
domainssmiles43.net
domainsstressadd.com
domssingomangos.net
downloaderchippers.org
dqytgefar.freewww.biz
dragonocerusfluidity.info
dramaticmacromedia.info
drumspeedthrottled.pro
dunfe.lenuerry.com
durhamdirectory.net
dworddb.com
earnhardtphoto.info
earthnearness.pro
ecwlqx.freewww.biz
edrenbaton.mouseclickcentralization.info
edvbph.freewww.biz
ekvwynlse.freewww.biz
endgameaboveaverage.pro
engagegoto.com
englandcompared.info
enlargement4.pro
enthusiastmystery.net
epsconsisted.pro
esscer47emonyno.rr.nu
essentiallyrepresents.net
estheticsindianapolis.info
etritotube.me
etritotube.mobi
etritotube.net
everpresentoctave.net
evngiaca.freewww.biz
examiningstores.org
excludedsure.pro
execpragues.net
expansionletter.net
experimentalsatellitecommunicationsprojectlaunchedinindia.info
eyebrowsprefilled.pro
f8u5.asia
fabulouszen.net
fallokidor.org
fastgreendns.com
fastum.gm9.com
favorablestarted.pro
faxesworry.asia
fbjvbkjp.freewww.biz
featuresconverter.asia
fedrekpolik.org
feedbacvolcanoes.pro
fenoqere.tk
ffffoundbirthdate.org
fgjcctg.cu.cc
fhpbuqac.freewww.biz
fiendishtask.info
figuringdictating.net
fillinjabber.net
filmeducators.net
finddomainsdicr.net
finlandfires.info
flierstrusting.biz
floodedhomeplus.net
flrkcyoln.almostmy.com
flvagye.freewww.biz
flyport.nut.cc
foldersmodify.org
force.verikanam.com
formsbasedscreeners.asia
forum-pro-siski.info
frameratepekingese.pro
freeexpenditure.pro
frustratedrosetta.pro
fssdnk.freewww.biz
ftycik.freewww.biz
fulllengthunderdahl.info
gabon.lenuerry.com
gaepovzsdr.cu.cc
gainskeeper.asia
gamesduoswin9.info
gaplessaddremove.info
gduobyc.freewww.biz
gefilteheadway.pro
geographiccomplicating.net
germen.almostmy.com
gfydjpo.freewww.biz
ghanaembassyusa.com
ghostauthority.info
gitro.lenuerry.com
gkluyc.freewww.biz
global.usa.cc
gobangwriterson.com
godutegodozybat.org
goldclick.pro
good.timepiece-locator.com
googlenilesrt.net
governingjerk.org
gpuep.freewww.biz
grainscatching.net
grauezonen.com
grauezonen.net
greatctrlaltdel.pro
gretta.pcanywhere.net
gsshphwbn.freewww.biz
gttrle.freewww.biz
guaranteesroman.net
gwqpx.freewww.biz
gybphqhwf.mynumber.org
gyukrmmw.itsaol.com
halfdozendesktop.asia
hanskohlerltd.com
hanskohlerltd.net
harddrivedeepens.pro
hatsvisuals.org
haventons.org
hazardstweet.pro
hcsqhop.freewww.biz
hearingcertificate.info
heartshapedradiosity.info
heatcycle.asia
hecticearning.pro
heellowtech.pro
hellousers.mobimexa.ro
hesdr.org
highflyingmotivates.info
highresfunnel.pro
hihuvay.tk
hjtqfai.freewww.biz
hjxynh.freewww.biz
hkect.freewww.biz
hmirsdwqo.freewww.biz
hmqth.freewww.biz
hobbjnlji.freewww.biz
hocblockable.pro
homegrownphonetic.pro
hoopsvibrate.pro
hornyfile.net
hotelspecificvocalization.info
hreflnk.com
hugo.lenuerry.com
hutren.lenuerry.com
ibbyqkp.freewww.biz
iccyrgfh.mynumber.org
icebergsorts.info
ictrnr.freewww.biz
ifuzlt.freewww.biz
ihazalittleknob.us
ihrtytw.freewww.biz
iirrack.org
ijkguxk.freewww.biz
ikles.lenuerry.com
imanagepooka.pro
imapscans.info
imationbones.net
img.buchananjenkinshyundai.com
img.centralfloridahyundaidealers.com
img.centralfloridaunder10grandautos.com
img.zeitersseptics.com
img.zsuinc.com
impactrelease.pro
importslatenot.info
imrkcm.freewww.biz
incompatiblechoice.info
indocumentgunning.info
infostartbizcher.net
innetrecordf.net
installerhappens.com
intelextraction.org
interesting.moneta.cl
internalcake.asia
internetsdd4.net
internetsdd4.org
internetsturk.net
intervalsselfservice.pro
ioalcsy.freewww.biz
ioragement.net
iphonedata.info
irresponsibletablets.asia
irritatingtrailers.info
isaacdocs.com
iwwcwxjoy.freewww.biz
jafcomuzzle.com
jamdownsizes.info
jaquxedo.tk
jefvqloqs.freewww.biz
jekpot.net
jekpot.org
jexiyohi.tk
jopoplop.cu.cc
joxopzzz.cu.cc
jqkxhv.freewww.biz
jrhhqbgf.freewww.biz
jsccrzo.freewww.biz
jscripttoughgeek.biz
jtalwiwu.freewww.biz
junest.lenuerry.com
justpingmoow.net
juwkulgw.freewww.biz
jxzyi.freewww.biz
kcttqwmg.freewww.biz
kcxqach.freewww.biz
keyboardhigherpriority.pro
keywordrecordrookie.info
kgugoasr.freewww.biz
kimqtpbj.freewww.biz
kiost.lenuerry.com
kjrkbvrws.freewww.biz
kochenmitspass.com
kochenmitspass.net
komat.lenuerry.com
kopan.lenuerry.com
kopcasdf.cu.cc
ksopyt.freewww.biz
kupimiy.tk
kuuiukcd.freewww.biz
kvidzs.freewww.biz
lapuneran.com
lastfmwidescreen.info
lastwestbizz.info
laternotairplanes.org
laxonot.tk
lbd.lenuerry.com
leadingpartymoderateshewasejectedfromaftershesaid.info
leaguedigs.pro
legendpairing.info
lenskuog.freewww.biz
lesgpda.freewww.biz
letterpresssketching.info
levanto-poker.com
levanto-poker.info
levanto-poker.net
levanto-poker.org
lglsuo.freewww.biz
libertybigestnoob.org
linestrate.biz
linusrival.info
lipor.afkepock.com
lipsbylines.pro
listingsnonexecutable.org
litebizzchersearch.org
liteklick.com
litenames.com
littleknobnsack.us
ljbsll.freewww.biz
llsoftness.info
llxtyzh.freewww.biz
loadsgamescraft.org
locatorrotten.net
lollipoporno.org
longnikdb.com
lops.verikanam.com
lopxaert.cu.cc
lowkeytonights.pro
lpbjscrsa.freewww.biz
lpnkbwx.freewww.biz
lqbiyic.freewww.biz
lwwpmfw.freewww.biz
lynwau.freewww.biz
m6j2.info
macbookxed.net
macdonaldsfast.net
mangosautomated.info
manibackbestbizz.net
marxloha.com
marxloha.net
mastercarddialog.pro
masterxz.cu.cc
mayhemavz.pro
mazdak.cu.cc
mdrphfri.freewww.biz
mechanicalagenda.asia
membersnetsgunss.info
membersnetsgunss.org
memoryhddmonitor.org
memossingleuser.info
mentscommence.net
merstengrown.com
mesburtterpe.ddns.name
metaizosulfatmetanol.com
metasearchexcessively.net
mexicomongo.com
mexodini.tk
mhpuya.freewww.biz
mikesnutssner.net
mikesnutssner.org
minisiteshassle.info
minker.lenuerry.com
mitest.lenuerry.com
mitre.verikanam.com
mixed.verikanam.com
mjhcymist.freewww.biz
mmwap.freewww.biz
mnroemawa.freewww.biz
mnszyhxgp.freewww.biz
mobilefriendlysingledisk.info
modemgamers.info
modesicompared.org
modesiscenes.info
mofiozesbzcom.net
mokas.lenuerry.com
mondayswizardnet.info
moneysdialogs.net
monikaheinold.net
monitorsystemsdep.net
monitorsystemsdep.org
mopiserb.cu.cc
morrisgussmir.biz
mouseclickcentralization.info
mqtqjkyo.all-emoticons.com
multidimensionalpersisted.org
multilevelclass.net
museumsnimble.net
mwmfue.freewww.biz
mxssweeten.pro
mydreamnewone.com
mydreamnewone.me
mydreamnewone.org
mydreamnewone.us
naejadxge.freewww.biz
namesstressadd.net
ndengine.com
nedra.ddns.infoc
neos.lenuerry.com
nerest.ddns.info
nerfaserty.fondinfocenters.info
netdocumentsinaccessible.info
new-generation-affiliate.net
new-generation-affiliate.org
new-generation-affiliateonline.co
newyorkcarrent.com
ngfyt.freewww.biz
nicert.afkepock.com
njgblmlg.freewww.biz
nlbdiv.freewww.biz
nnczl.freewww.biz
noacmvbg.gr8name.biz
nospaceforced.pro
ns1.collectionsbleeding.pro
ns1.haventons.org
nsc.hornyfile.net
nuert.lenuerry.com
nvelqxkt.freewww.biz
nzhewnvi.freewww.biz
nzuqojkf.freewww.biz
oboobx.freewww.biz
oevcrn.freewww.biz
oferts.net
ohnjckgo.freewww.biz
okles.lenuerry.com
oltpspeakers.pro
oneiricinfocenters.info
ones.myservicecomments.com
onlineadvertclick.eu
onlineadvertclick.info
onlineadvertclick.org
oovmmb.freewww.biz
operationseverlearn.pro
opticshoc.pro
originalchristopher.net
originatingpixelize.pro
ortide.afkepock.com
otscfr.com
overseassouth.net
ow42.org
ownorreverting.org
ownprice.net
paggpuvv.freewww.biz
palacio-casino.com
palacio-casino.in
palacio-casino.info
palacio-casino.me
palacio-casino.mobi
palermopoker.asia
palermopoker.biz
palermopoker.co
palermopoker.info
palermopoker.me
palermopoker.net
palermopoker.org
pamaetyd.cu.cc
panasoniccatnap.net
panasoniclibs4.biz
panasoniclibs4.net
paneheftier.info
parlorlimitsforemost.org
participaterevisions.info
pasrewder.cu.cc
passedtwitpic.pro
paszerqef.cu.cc
pawertyse.cu.cc
pbhukx.freewww.biz
pejot.freewww.biz
pfannengericht.com
pfvfsi.freewww.biz
photoemailingbrethren.pro
physicallyoffer.asia
picniksdistrict.info
pigrona5.com
piicentrally.org
pikkolorgy.org
pistolop.cu.cc
pityr.verikanam.com
plannerspressed.net
pmquggb.freewww.biz
pmxlzumf.freewww.biz
pnppz.freewww.biz
pocasredr.cu.cc
polaroidstylesaved.info
pomertax.cu.cc
pornooncar.pro
pornoseccasgirls.info
pornoseccasgirlss.net
pornostroycenters5v.net
portallnk.com
postprepminimize.pro
potar.lenuerry.com
potentlatency.net
povertzag.cu.cc
powertnoii.cu.cc
prettydik.net
privacyxslegacy.info
producercheesy.net
progresseddrilled.net
promoitaliane.tv
prosperplug.info
psgva.freewww.biz
pvsblues.info
pzdupny.freewww.biz
qadosiwixe4.pro
qadosiwixe45.pro
qadosiwixe5.pro
qgwbhqthc.freewww.biz
qiksmotorcycles.pro
qojnwkp.freewww.biz
qoyuhiwe.tk
qpxibesp.freewww.biz
quellesimple.com
quellesimple.info
quickcamsassembled.net
quickofficemosaic.info
quincypuublicschools.com
quittsfasaf14.net
quqzpzfwr.freewww.biz
qxwhucsruaifu.pro
radarholga.pro
ratzeputze.com
rayoperu.tk
rbeqj.freewww.biz
rcjdnesni.freewww.biz
receivesagillions.info
recklessblacklisting.net
recoffsets.net
redirestoodersfin.info
redownloadingraucously.info
redspeed.asia
redundantblockskew.pro
redut.is-leet.com
reinventsciti.pro
relatedfarsi.info
releasedoutofbox.info
reliabilitytedium.info
reliantscrambled.org
remissimpediments.net
rentalhummers.pro
rentedtransactions.info
repinvoiceover.info
reportingautomatingoutliners.info
repurposedsmtppop.asia
re-served.com
respectsprosuite.info
restoronsafe.info
reusemorepersonalized.org
revolutioncodehinting.pro
rewardbounces.info
rhacsy.freewww.biz
riatiapafor.dnset.com
rizapizda.com
rojoxal.tk
roomyqualysguard.info
rootkitsprintready.pro
roudroadersnetliker.com
roxjd.freewww.biz
rozohudu.tk
rubilonk.biz
rubilonk.com
rubilonk.info
rutes.lenuerry.com
rxkpd.freewww.biz
safaristereos.biz
safetywebclassifies.net
samcrop.info
santnhzg.freewww.biz
saucesensorlys.info
savedordernumbers.net
sbyaiqvpm.freewww.biz
scarcecookiecutter.pro
schirkaal.com
schneemen.info
schoolsreading.asia
scrot-um.biz
securemanagerspecialcollectlinesite.info
security-checking.info
sedukimozzaik4net.info
seewild.net
seinfeldwlpg.pro
selamoitoipour.com
selamoitoipour.net
selamoitoipour.org
selmoipourtoi.com
selmoipourtoi.net
separatedsurprises.com
sequentialbiotics.info
sexclub4h.net
sexgirlsmembers4g.net
sexmurenagirlssex.info
sexsexporno.info
sexxxstaz.org
sfhnvvs.freewww.biz
shareself.info
sharingdelays.pro
sharpeyedresizable.net
shepardforests.info
shizzledizle.com
shortlonglinks.com
siamanfocont.ddns.name
sidhpuwtvkwrtv.flu.cc
signingsample.pro
signupdestinations.org
similaritiesinverting.net
singlecolumnhalloween.asia
sitesstressadd.com
sitesstressadd.net
sjryycwpl.freewww.biz
ska9.info
skitchrestaurants.net
skjaqowjtr.all-emoticons.com
slackmultiline.info
slnhtkqu.freewww.biz
smoothlyexit.net
snailmailupdater.net
snamedb.com
snoopscooperate.pro
sometimescroogle.asia
sorryintellicookie.net
soulplacing.pro
speedanymore.net
speedyfraction.pro
stampedetarget.info
stat.sportspirate.net
stathemliberiy.com
stationscannons.net
statistic.kodiakwireline.ca
stereoobjects.info
stetomoney.org
stinglnk.com
stlpartnership.asia
stoppedcam.info
storagemediumfoolish.pro
streetpiloteffortlessly.biz
strnglink.com
stumbleuponbutlowerpriced.info
subjectslicing.net
sublistsvirus.info
suckro.lenuerry.com
sufopati.tk
sugad.afkepock.com
sunbeltinverting.pro
suncurrentlytransitstheconstellationoflibrafromoctober.info
superbrustramestraonline.org
supportflashoutlookstyle.pro
susssurrounds.info
suxoyad.tk
swallowsreenable.pro
sydzslq.freewww.biz
syenial.com
system0001.pro
taipeirazor.pro
talliedclassit.info
tares.verikanam.com
tauscansenders.info
tavawf.freewww.biz
tcpipbyfiletype.info
teddyderhund.com
teddyderhund.net
tekqswas.freewww.biz
tellementads.net
tenscrub.net
testr.pcanywhere.net
textingnode.info
thewirelesscaalog.com
theydlauncher.net
thrillededward.pro
thundercatsimplications.net
tibukns.freewww.biz
timingwaste.net
tisla.lenuerry.com
togglesengines.info
toolbarpcmag.info
totalethreetabbed.net
toypourtoy.info
toypourtoy.net
toyticket.info
tracklessactivedisk.info
trading-consult.info
trafficstock.net
transformspace.pro
trnio.lenuerry.com
troopersresided.info
truesamuraidns.com
tufbu.freewww.biz
turnkeynew.pro
twesst.afkepock.com
twitteresqueingenious.info
txdfldh.freewww.biz
txtbznqia.freewww.biz
tzhone.freewww.biz
uadwfj.freewww.biz
uatogspme.freewww.biz
ubiuzkfw.freewww.biz
uidlikmcr.freewww.biz
ujergbcfcskuxvd.dyndns-remote.com
unhuzrtje.freewww.biz
uninstallerthumbtack.asia
unprotectedepicture.info
unuere.freewww.biz
update-cdn.com
uptel.afkepock.com
ureqedaz.mrbasic.com
usdaqpl.freewww.biz
user2.lenuerry.com
usnet.lenuerry.com
usomainssinglwwerx.com
uszefhy.freewww.biz
uukdktlc.onmypc.us
uvvtscte.biz
uwndet.freewww.biz
uybeor.freewww.biz
uyfea.freewww.biz
uzvxb.freewww.biz
vabnoynua.freewww.biz
vabosaho.tk
validatorbasses.net
validfacts.info
vchysb.freewww.biz
veraconference.info
verghavinias.com
verisimilitudeguidelines.pro
viewsbootup.net
viiju.freewww.biz
viqrzfvi.freewww.biz
virginiacompanyron.com
visasunspot.net
vitres.verikanam.com
vjhgd.freewww.biz
vmteuayfi.freewww.biz
voltsdragandselect.net
voniucka.co.uk
vsddbm.freewww.biz
vvsgoqe.freewww.biz
vzfascinating.info
wallmountedsubprojects.info
watisawarosydok.org
waybunch.org
webcheckfinalizing.net
webdavinfluential.pro
webmasteraolcom.asia
websearchsite.net
weekdaysaccountif.org
wefirefoxs.info
wellreceivedrug.pro
wentovergomountain.net
wereworkstationlike.org
westlnk.com
wfslwzbmj.freewww.biz
whpdn.freewww.biz
wildcarddigest.org
wimipol.tk
winproducersdisks.asia
wirmsnetsreg.org
wizikohu.tk
wjtuvxr.freewww.biz
wlklayju.freewww.biz
wlvgkym.freewww.biz
womukul.tk
wordreg.com
worksheetrating.info
woteucv.freewww.biz
wouldstats.com
wpvrq.freewww.biz
wqolljp.freewww.biz
writexrealtek.pro
www.hornyfile.net
www.jscripttoughgeek.biz
www.livecamsxxxnow.com
www.schneemen.info
www.sexsexporno.info
wwwlogmeincomafflicts.net
xasnc.freewww.biz
xberfdpfo.freewww.biz
xcwalwbwg.freewww.biz
xerta.lenuerry.com
xfulu.freewww.biz
xgrvj.freewww.biz
xicajevi.tk
xkaceln.freewww.biz
xmlstructurednewegg-affiliate.asia
xmmtry.freewww.biz
xokildrgfht.dyndns-remote.com
xokildrggjy.dyndns-remote.com
xokildrghkuy.dyndns-remote.com
xptyhuob.serveusers.com
xrtecjq.freewww.biz
xvideotubehq.net
xvideotubehq.org
xvidious.co
xvidious.info
xvidious.net
xvidious.org
xvidstubes.asia
xvidstubes.biz
xvidstubes.co
xvidstubes.com
xvidstubes.info
xvidstubes.me
xvidstubes.mobi
xvuxl.freewww.biz
yabalvate.freewww.biz
yale.verikanam.com
ycwmpwmh.freewww.biz
ycwvoad.freewww.biz
ycxbecdci.freewww.biz
yfajapit.americanunfinished.com
yhejzgsc.freewww.biz
yhgqw.freewww.biz
yjihtguzr.freewww.biz
ykasszk.freewww.biz
ynerfklpgjazsc.servebbs.com
ynybaduv.itemdb.com
yourxvideos.asia
yuokmyxhk.freewww.biz
yuppiebatchmode.info
yvngzms.freewww.biz
ywtytciqr.freewww.biz
yyvpdr.almostmy.com
yzhhn.freewww.biz
yzmek.mynumber.org
yzociz.freewww.biz
z8s0.info
zawejame.tk
zegejic.tk
zenuxozo.tk
zenworksencourages.pro
zeroknowledgealwil.asia
zhnmnjtm.freewww.biz
zikertlijgyhku.dyndns-remote.com
zikertlzcsyvdx.dyndns-remote.com
zikertydhwegawd.dyndns-remote.com
zikertydhwegsd.dyndns-remote.com
zikrftgbaefas.dyndns-remote.com
zikrfvdeccsxw.dyndns-remote.com
ziniospdfs.org
zkpys.freewww.biz
zoom.verikanam.com
zoomedpentiumequipped.info
zvxct.freewww.biz
zywyr.freewww.biz

Thursday, 6 December 2012

iTunes "Christmas gift card" / api.myobfuscate.com / nikolamireasa.com

Here's a malware-laden spam with a twist:

From:     iTunes [shipping@new.itunes.com]
To:     purchasing [purchasing@[redacted]]
Date:     6 December 2012 20:59
Subject:     Christmas gift card

Order Number: M1V7577311
Receipt Date: 06/12/2012
Shipping To: purchasing@[redacted]

Order Total: $500.00
Billed To: Hilary Shandonay, Credit card



Item Number     Description     Unit Price
1     Christmas gift card (View\Download )     $500.00
Subtotal:     $500.00
Tax:     $0.00
Order Total:     $500.00


Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.

Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies

FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.

Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/



Apple ID Summary •  Detailed invoice

Apple respects your privacy.

Copyright © 2011 Apple Inc. All rights reserved

In this case the link goes through a free web hosting site at [donotclick]longa-neara.ucoz.org which contains some heavily obfuscated javascript that eventually leads to malicious landing page on [donotclick]nikolamireasa.com/less/demands-probably.php hosted on 188.93.210.133 (logol.ru, Russia). That IP hosts the following toxic domains that you should block:

nikolamireasa.com
portgazza.cu.cc
hopercac.cu.cc
hopercas.cu.cc
ukumuxur.qhigh.com
ymuvyjih.25u.com

Heck, you might just want to cut your losses and block 188.93.210.0/23 too. Anyway, the curious thing is that the malicious javascript uses an intermediary obfuscation site called api.myobfuscate.com which you can see has been used to infect a few sites before.

Now, perhaps myobfuscate.com was created with the best of intentions, but if the bad guys have a use for it then you can bet they are probably about to abuse it in a big way.

Both api.myobfuscate.com and www.myobfuscate.com are hosted on the same IP at 188.64.170.17 (also in Russia) which is part of a tiny netblock of 188.64.170.16/31 which you may as well block too. The 188.64.170.17 IP also contains the following domains which might also be abused in the same way:

htmlobfuscator.com
api.htmlobfuscator.com
htmlobfuscator.info
javascript-obfuscator.info
javascriptcompressor.info
javascriptcrambler.com
javascriptobfuscate.com
javascriptobfuscator.info
myobfuscate.com
api.myobfuscate.com
obfuscatorjavascript.com
api.obfuscatorjavascript.com
js.robotext.com
js.robotext.info
js.robottext.ru

In my opinion, obfuscating javascript is a really bad thing and there is no legitimate reason to use it. Blocking access to free-to-use obfuscation tools like this may run the risk of breaking some legitimate sites. But only if they have been coded by idiots.