Sponsored by..

Saturday, 29 December 2012

"How Fatima Started Islam" spam

This nasty anti-Islam email has been doing the rounds recently, I've received it several times over the past few months and decided that it was worth a closer look..

From:     Laurel Pettit [kqmdy@agenta.de]
Date:     27 December 2012 22:39
Subject:     Re: more infomation about islam

How Fatima Started Islam

A book like no other on this earth.  Not a few cartoons or an infantile movie trailer but 234 page novel which insults Islam like no other.  A parody of the always drunk proprietor of "Mohammad's Saloon & Brothel" with his completely ridiculous life exposed.  This moronic child molestating coward and fool who bumps his way through life oblivious to his manipulation as the figurehead of another new religion.  Learn about his adopted son and heir Ali, the biggest swish ever to sashay across Arabia while sadistically running Mecca's largest boy's brothel.  Only $9.99 to laugh at, mock, and ridicule those fanatics who do not enjoy being ridiculed.  A well written and extremely funny parody at Amazon.com.

http://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref=sr_1_1?ie=UTF8&qid=1339884134&sr=8-1&keywords=how+fatima+started+islam
 link to Amazon.com
https://www.amazon.com/How-Fatima-Started-Islam-Mohammads/dp/0578032902/ref
Observe the never sober Mohammad having sex with camels, pre-adolescent girls and boys, the mutilations, murders, terrorism, sneak attacks, back stabbings and mental illnesses.  Absolutely no other novel is similar.  Stick up for America by sticking it to Radical Islam.

Also: There is a subtle effort to dissuade Americans from buying or reading this parody.  The Mullahs of Radical Islam HATE the fact that we in the West can still purchase this book.  They are pressuring and threatening Amazon to stop offering the novel for sale.  They demand a world wide ban with criminal penalties under Sharia Law.  Out of 6,000,000 Amazon books "How Fatima Started Islam" has the second lowest review rating, why, because Amazon has been flooded with well over 100 negative reviews with the lowest possible rating, reviewers who openly state that they would never ever buy or read a book insulting The Prophet, yet they take the time to tell you not to read it.  The second lowest rating is a badge of honor, it shows how much the Ayatollahs of BAGHDAD and DAMASCUS and the murderous terrorist who killed our ambassador and burned our embassy in BENGHAZI  do not want you to buy HFSI. Do not let these radical tin pot madmen, who think they rule the world and everyone in it, dictate to you what you may or may not read; purchase this important, well written, and extremely funny book.

Well, they're right about one thing.. the reviews are terrible. And they're terrible because this has been spammed out on a regular basis.

But where does this spam come from? Here is the key part of the mail header:

Received: from [183.131.24.233] (port=1249 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <kqmdy@agenta.de>)
    id 1ToM6k-0001GW-12
    for [redacted]; Thu, 27 Dec 2012 22:39:22 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Laurel Pettit" <kqmdy@agenta.de>


183.131.24.233 is an IP address in China (Zhejiang Telecom). The domain simalbok9v.com doesn't actually exist though, the mail relay was spoofing it. But it's the email address before it that gives a least a little clue as to the sender. 184.56.141.86 is a Road Runner subscriber in Cleveland, in the US.

Alas, it doesn't tell us who it is, but it DOES tell us that it originates from within the US, and this spam is illegal under the CAN-SPAM act.

Now, I'm quite curious as to who else has looked at the headers to see what pattern there is. And I'm open to the possibility that this could be a Joe Job. But I certainly ain't gonna buy that book..

Update: the spam is still doing the rounds and is still originating from a Road Runner subscriber at 184.56.141.86, but now there is a new Chinese mail relay at 122.240.59.40.

Received: from [122.240.59.40] (port=2892 helo=mailbook.simalbok9v.com)
    by [redacted] with smtp (Exim 4.80)
    (envelope-from <crvll@fresnosheriff.org>)
    id 1Tp6dX-00071A-Qk
    for [redacted]; Sun, 30 Dec 2012 00:20:20 +0000
Received: from cpe-184-56-141-86.neo.res.rr.com (HELO cpe-184-56-141-86.neo.res.rr.com) ([184.56.141.86])
From: "Brianna Collins" <crvll@fresnosheriff.org>

FedACH Announcement spam / incinteractive.net

This fake whatever-the-heck-it-is spam leads to malware on incinteractive.net:
Date:      Fri, 28 Dec 2012 22:45:28 +0900
From:      "Federal Reserve Banking Services@sys.frb.org" [ACHR_58976105@FedMail.frb.org]
Subject:      FedMail (R): FedACH Announcement - End of Day - 12/27/12

Please overview the ACH Advice Statement from the Federal Reserve System by clicking here.
The malicious payload is at [donotclick]incinteractive.net/detects/wishs_continually.php hosted on the well-known IP of 59.57.247.185 in China which also hosts these following malicious domains:

sessionid0147239047829578349578239077.pl
tv-usib.com
atsushitani.com
proxfied.net
incinteractive.net
timesofnorth.net
latticesoft.net
incinteractive.net


Friday, 28 December 2012

IRS Spam / tv-usib.com

This fake IRS spam leads to malware on tv-usib.com:
Date:      Thu, 27 Dec 2012 22:14:44 +0400
From:      Internal Revenue Service [information@irs.gov]
Subject:      Your transaction is not approved

Your Income Tax outstanding transaction (ID: 3870703170305), recently ordered for processing from your checking account was rejected by Internal Revenue Service payment processing unit.

Canceled Tax transfer
Tax Transaction ID:     3870703170305
Rejection ID     See details in the report below
Federal Tax Transaction Report     tax_report_3870703170305.pdf (Adobe Acrobat Document)

Internal Revenue Service 3192 Aliquam Rd. Edmond 65332 Oregon
The malicious payload is at [donotclick]tv-usib.com/detects/property-mass-dollar_figure.php hosted on the well-known IP of 59.57.247.185 in China. The following malicious domains appear to be on that IP:


sessionid0147239047829578349578239077.pl
tv-usib.com
proxfied.net
timesofnorth.net
latticesoft.net

Wednesday, 26 December 2012

NACHA spam / bunakaranka.ru:

This fake ACH / NACHA spam leads to malware on bunakaranka.ru:

Date:      Wed, 26 Dec 2012 06:48:11 +0100
From:      Tagged [Tagged@taggedmail.com]
Subject:      Re: Fwd: Banking security update.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is on [donotclick]bunakaranka.ru:8080/forum/links/column.php hosted on the following well-known IPs:

91.224.135.20 (Proservis UAB, Lithuania)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)


Plain list:
91.224.135.20
187.85.160.106
210.71.250.131

Associated domains:
bunakaranka.ru
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru
bilainkos.ru

E-billing spam / proxfied.net

There are various e-billing spam emails circulating today, pointing to malware on proxfied.net:


Date:      Wed, 26 Dec 2012 18:49:37 +0300
From:      alets-no-reply@customercenter.citibank.com
Subject:      Your Further eBill from Citibank Credit Card


       
Member: [redacted]

Add alerts@serviceemail2.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
New eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 175.36
Minimum Amount Due: 175.36

How do I view this bill?
1. Sign on to Citibank Online using this link.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to review your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you examine that the e-mail was actually sent by Citibank. If you have questions, please visit our help center. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on by clicking this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 6200
Sioux Hills, SD 57870

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at by clicking this link and clicking on "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3843054050826645

1/LO/439463/221/1I/6H/EH/7126/SYSTEF1 /E5225514741628064/2187

====================


Date:      Wed, 26 Dec 2012 10:50:38 -0500
From:      alerts@serviceemail6.citibank.com
To:      [redacted]
Subject:      Your got Renewed eBill Available from AT&T Bill


       
Member: [redacted]

Add citibankonline@customercenter.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Available

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 74.93
Minimum Amount Due: 74.93

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to see your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its objective is to help you check that the e-mail was real sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you going to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 57897

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

7835212473101882

8/6J/472774/910/JM/TK/XD/9078/SYSTE2T /GI793670607303856/5644

====================


Date:      Wed, 26 Dec 2012 17:37:12 +0200
From:      alerts@customercenter.citibank.com
To:      <[redacted]>
Subject:      Your just received Fresh eBill Ready for review from Citibank Credit Card


       
Member: [redacted]

Add customerservice@serviceemail9.citibank.com to your address book to ensure delivery.

Your Account: Important Warning
   
Fresh eBill Should Be Complete

   
Account Number: **************0
Due Date: 28/22/2012
Amount Due: 529.80
Minimum Amount Due: 529.80

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill mentioned in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please don't reply to this message.

If you have any questions about your bill, please contact Citibank Credit Card directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its aim is to help you check that the e-mail was actually sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on clicking here and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to communicate with us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 9000
Sioux Falls, SD 30415

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click here and clicking on "Contact Us" from the "Help / Contact Us" menu.

© 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

3612654275931761

2/IC/009813/854/GU/7J/5F/0102/SYSTE0T /J4044525669689549/3261

====================


Date:      Wed, 26 Dec 2012 09:04:44 -0600
From:      alets-no-reply@serviceemail6.citibank.com
To:      <[redacted]>
Subject:      New eBill is Now Available. From: AT&T Bill


       
Member: [redacted]

Add customerservice@citibank.com to your address book to ensure delivery.

Your Account: Important Notification
   
Fresh eBill Ready for review

   
Account Number: **************4
Due Date: 12/28/2012
Amount Due: 232.34
Minimum Amount Due: 232.34

How do I view this bill?
1. Sign on to Citibank Online by clicking here.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to see your bill details. Select the icon to get your bill summary.

Please not try to reply to this message.

If you have any questions about your bill, please contact AT&T Bill directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its purpose is to help you be sure that the e-mail was in reality sent by Citibank. If you have questions, please visit our Contact Us page. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign in using this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

If you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care Service
P. O. Box 5800
Sioux Hills, NC 52846

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at click to open and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

5252192738554872

8/B8/851199/374/4J/PL/0Y/1754/SYSTEYZ /S7493944434265957/9990

====================


Date:      Wed, 26 Dec 2012 09:54:12 -0500
From:      customerservice@citibank.com
To:      <[redacted]>
Subject:      Your Further eBill from American Express


       
Member: [redacted]

Add customerservice@serviceemail8.citibank.com to your address book to ensure delivery.

Your Account: Important Note
   
Fresh eBill Available

   
Account Number: **************8
Due Date: 12/28/2012
Amount Due: 56.92
Minimum Amount Due: 56.92

How do I view this bill?
1. Sign on to Citibank Online clicking this link.
2. Use the Payments Menu to find the bill pointed in this message.
3. Select View Bill to overview your bill details. Select the icon to show your bill summary.

Please do not reply to this message.

If you have any questions about your bill, please contact American Express directly. For online payment questions, please choose Bill Payment from the menu.

E-mail Security Zone
At the top of this message, you'll see an E-mail Security Zone. Its target is to help you check that the e-mail was really sent by Citibank. If you have questions, please click "Contact Us" link at the nottom of this message. To learn more about fraud, click "Security" at the bottom of the screen.

To set up alerts sign on with this link and go to Account Profile.

I prefer not to have this email contain specific information from my statement. Please send me just the announcement that my statement is ready to view online.

   
   
View Your Account         Pay Your Bill         Contact Us
   

Privacy | Security
Email Preferences

Should you want to contact us in writing concerning this email, please direct your correspondence to:

Citibank Customer Care
P. O. Box 6000
Sioux Wheels, NC 56012

Help / Contact Us
If you have questions about your account, please use our secure message center by signing on at this link and browsing section "Contact Us" from the "Help / Contact Us" menu.

� 2012 Citibank, N.A.
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citigroup Inc.

4530267461705664

6/2P/193057/917/70/O0/HE/0121/SYSTER5 /9I438409026123046/3702
The malicious payload is at [donotclick]proxfied.net/detects/inform_rates.php hosted on 59.57.247.185 in China (a well-known malware IP address) along with these following malicious domains:

sessionid0147239047829578349578239077.pl
latticesoft.net
proxfied.net

Tuesday, 25 December 2012

Godless Eastern bloc commie athiests

Honestly, who sends this sort of crap out on Christmas day? Umm.. equally, who checks their spam filter on Christmas day. Anyway, this is what the godless eastern bloc pinko commies athiests spammers are sending out today.

Date:      Tue, 25 Dec 2012 22:56:51 -0700
From:      "Ticket Support"
Subject:      Password Assistance

Thank you for your letter of Dec 25, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Regards, Yuonne Ferro, Support Team manager.
Some variants of the body text:
"Thank you for contacting us, your information arrived today."
"Thank you for your letter regarding our products and services, your information arrived today."
"Thank you for considering our products and services, your information arrived today."

Some alternative sender names:
"Jonie Gunther", "Noreen Macklin", "Bonny Oconnell"

The spamvertised site is hosted on 84.22.104.123, which is Cyberbunker. Given their awful reputation, I am surprised that they haven't been de-peered. Yet.

There's certainly nothing of value at all in the 84.22.96.0/19 range, blocking the whole lot will cause you no harm. These are the other spammy domains on the same IP:

bloodgenerics.com
canadapharmcanadian.net
canadawelnesscent.com
comprisingmeds.pl
dietwelness.com
drugherbalpills.com
drugstorebp.com
drugtoretabletsfitness.ru
eijmnssh.net
ewggesaj.net
garciniaherbal.com
healthcaremedprescription.com
herbalwelgarcinia.net
isvlhnvo.com
jozejhyqn.com
kbcbhgdw.com
kidneyprescriptiondiet.com
labwydehyj.com
levitrakbw.com
medsbp.com
medsmedicinedisease.com
medsprotein.com
mydrugstorerx.com
outlooklnessasale.com
patientswelnesshealthcare.com
pharmacycialismeningitis.net
pharmacydrugstablets.ru
pharmacyhealthpharmacy.ru
pillmedshealth.ru
pillscarehealthcare.com
pillsdrugstoredrugs.ru
pillsdrugstorepills.ru
pillspharmacyrx.ru
pillstabletshealthdrugstore.ru
pilltabletsfitness.ru
reliablerxpillstablets.ru
remedycutrxpills.ru
retailersmeds.com
romneyrx.net
rxcatholic.com
rxdiscounttabletspharmacy.ru
rxdrugstoremedicines.ru
rxdrugstoretreatments.ru
rxpharmacycaremeds.ru
rxpharmacytabletspharmacy.ru
rxpharmacytechmeds.ru
rxpharmacytreatments.ru
rxwellbeing.ru
sabonatabmed.com
swissrxpharmacy.ru
tabdisease.nl
tabletdropsrx.ru
tabletdrugsfitness.ru
tabletdrugstorehealth.ru
tabletgenerics.com
tablethealthphysicians.net
tabletlevitripad.com
tabletpillsdrugs.ru
tabletpillspills.ru
tabletrxdrugs.ru
tabletrxtreatments.ru
tsunamipill.com
viagraherbaltea.com

Sunday, 23 December 2012

"SecureMessage" spam / infiesdirekt.asia, pacesetting.asia and siteswillsrockf.net

Another fake "SecureMessage" spam leading to malware, the same in principle to this spam run and again hosted on the same Serverius-owned IPs of 46.249.42.161 and 46.249.42.168.

There are several variants of the spam, but they are all very similar and look something like this:

Date:      Sun, 23 Dec 2012 14:26:32 +0530
From:      "Secure.Message"
Subject:      Alert: New message

Click here to view the online version.

Hello [redacted],

You have 4 new messages.

Read now
� Copyright 2012 SecureMessage. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.
I suspect that there is more malicious activity in the 46.249.42.0/24 range and blocking access to it would be a very good thing to do.

These are the malicious domains that I can currently identify on those IPs:

46.249.42.161
new-dating-2010.asia
bestdating-2010.asia
datingcool-2010.asia
great-dating2010.asia
freshdating2010.asia
moderndating2010.asia
newmeeting2010.asia
newdatingafter2010.asia
datingbest2010.asia
datingcool2011.asia
datingbest2011.asia
site-dating-2012.asia
great-dating-2012.asia
best-dating-2012.asia
greatdating-2012.asia
newdatingworld2012.asia
site-dating2012.asia
great-dating2012.asia
best-dating2012.asia
freshdating2012.asia
cooldating2012.asia
moderndating2012.asia
greatdating2012.asia
bestdating2012.asia
latestdating2012.asia
newmeeting2012.asia
datingcool2012.asia
newdatingafter2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
x-dating2013.asia
my-dating2013.asia
mydating2013.asia
matic.asia
puzdoc.asia
cattified.asia
feebled.asia
jugated.asia
collected.asia
urrected.asia
bested.asia
mail.bested.asia
www.bested.asia
huckleland.asia
softlywood.asia
offiable.asia
quisible.asia
juggle.asia
tactiate.asia
evasive.asia
braging.asia
coppinging.asia
dishing.asia
skylarking.asia
fooling.asia
banning.asia
honing.asia
appearing.asia
undering.asia
muleteering.asia
mail.muleteering.asia
www.muleteering.asia
genering.asia
abjecting.asia
concreting.asia
comfiting.asia
retorting.asia
overcasting.asia
pacesetting.asia
purveying.asia
kenlying.asia
opennessman.asia
legmen.asia
worsen.asia
disten.asia
lusion.asia
firmation.asia
audration.asia
putation.asia
sequestion.asia
outgo.asia
irrito.asia
gentleship.asia
fastender.asia
linger.asia
rapier.asia
emulsier.asia
safekeeper.asia
sourer.asia
bosser.asia
dencies.asia
in-fies.asia
infies.asia
topinfies.asia
superinfies.asia
terlies.asia
mities.asia
mail.mities.asia
www.mities.asia
mangles.asia
wangles.asia
samenesses.asia
pyxes.asia
lickings.asia
versionless.asia
deodorless.asia
pulsiveness.asia
centiveness.asia
infiesdirekt.asia
infiessofort.asia
initialist.asia
malcy.asia
belably.asia
whimsibly.asia
spacingly.asia
eningly.asia
toningly.asia
campingly.asia
wimpingly.asia
gueringly.asia
playingly.asia
monly.asia
distantly.asia
grottory.asia
eagerry.asia
mail.eagerry.asia
www.eagerry.asia
tipsy.asia
fresh-dating-2010.info
new-dating-2010.info
greatdating-2010.info
bestdating-2010.info
datingcool-2010.info
datingbest-2010.info
site-dating2010.info
great-dating2010.info
best-dating2010.info
sitedating2010.info
fresh-dating-2013.ru
new-dating-2013.ru
greatdating-2013.ru
bestdating-2013.ru
datingcool-2013.ru
datingbest-2013.ru
site-dating2013.ru
great-dating2013.ru
best-dating2013.ru
sitedating2013.ru

46.249.42.168
stelspendingswow.name
siteswillsrockf.com
moniretsstates.info
stelspendingswow.info
monicats5b.net
siteswillsrockf.net
audiodevelop.net
organizationmeens.net
libstringnets.net
finderpolicy.net



Saturday, 22 December 2012

"New message received" spam / siteswillsrockf.com and undering.asia

This malicious spam run is part of this large cluster of malicious sites that I wrote about yesterday.


Date:      Sat, 22 Dec 2012 16:55:38 +0300
From:      "Secure.Message" [FAA55EEEE@valencianadeparketts.es]
Subject:      New message received

Click here to view the online version.

Hello [redacted],



You have 5 new messages.

Read now
� Copyright 2012 SecurePrivateMessage. All rights reserved.



If you would like to update your profile or unsubscribe, please click here.



PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.


Unlike most recent campaigns where the first link in the email is a legitimate but hacked site, this one links directly to a malware server at [donotclick]undering.asia/link.php?login.aspx=[emailaddress]&id=[redacted]  with a link that features the email address as part of the URL (presumably to confirm that the address is live). The next step is a redirector link at [donotclick]undering.asia/?affid=00110&promo_type=5&promo_opt=1 which loads a fake anti-virus page, and then it attempts to download a Java exploit from [donotclick]siteswillsrockf.com/?a=YWZmaWQ9MDAxMTA=

undering.asia is hosted on 46.249.42.161, and siteswillsrockf.com on 46.249.42.168. Seeing two malicious sites so closely together indicates that there is a problem with the netblock, so having a closer look at those IPs shows:

inetnum:        46.249.42.0 - 46.249.42.255
netname:        CUST339-170918-147
descr:          Customer ip range
remarks:        Please send email to "cust339@serverius.eu" for complaints
remarks:        regarding portscans, DoS attacks and spam.
country:        NL
admin-c:        CUST339
tech-c:         CUST339
status:         ASSIGNED PA
mnt-by:         serverius-mnt
source:         RIPE # Filtered

person:         Customer No339
remarks:        This IP space is used by a Serverius datacenter customer.
address:        www.serverius.com
phone:          +31 (0)88 73 78 374
nic-hdl:        CUST339
mnt-by:         SERVERIUS-mnt
source:         RIPE # Filtered

route:          46.249.32.0/19
descr:          Serverius Route Object
origin:         AS50673
mnt-by:         SERVERIUS-MNT
source:         RIPE # Filtered


The block 46.249.42.0/24 seems to have been suballocated to an unidentified customer of Serverius who have a long history of badness in their IP ranges. Based on this, I would suggest that you add the 46.249.42.0/24 range to your blocklist to prevent other unidentified malicious servers in this block from being a problem.

There are lots of other suspect domains on these two IPs as well:
46.249.42.161
new-dating-2010.asia
bestdating-2010.asia
datingcool-2010.asia
great-dating2010.asia
freshdating2010.asia
moderndating2010.asia
newmeeting2010.asia
newdatingafter2010.asia
datingbest2010.asia
datingcool2011.asia
datingbest2011.asia
site-dating-2012.asia
great-dating-2012.asia
best-dating-2012.asia
greatdating-2012.asia
newdatingworld2012.asia
site-dating2012.asia
great-dating2012.asia
best-dating2012.asia
freshdating2012.asia
cooldating2012.asia
moderndating2012.asia
greatdating2012.asia
bestdating2012.asia
latestdating2012.asia
newmeeting2012.asia
datingcool2012.asia
newdatingafter2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
x-dating2013.asia
my-dating2013.asia
mydating2013.asia
matic.asia
puzdoc.asia
feebled.asia
collected.asia
huckleland.asia
quisible.asia
juggle.asia
evasive.asia
dishing.asia
skylarking.asia
fooling.asia
banning.asia
honing.asia
undering.asia
muleteering.asia
genering.asia
abjecting.asia
concreting.asia
retorting.asia
legmen.asia
disten.asia
firmation.asia
audration.asia
outgo.asia
irrito.asia
gentleship.asia
fastender.asia
rapier.asia
safekeeper.asia
sourer.asia
mangles.asia
samenesses.asia
deodorless.asia
pulsiveness.asia
initialist.asia
malcy.asia
belably.asia
spacingly.asia
campingly.asia
wimpingly.asia
playingly.asia
grottory.asia
tipsy.asia
fresh-dating-2010.info
new-dating-2010.info
greatdating-2010.info
bestdating-2010.info
datingcool-2010.info
datingbest-2010.info
site-dating2010.info
great-dating2010.info
best-dating2010.info
sitedating2010.info
fresh-dating-2013.ru
new-dating-2013.ru
greatdating-2013.ru
bestdating-2013.ru
datingcool-2013.ru
datingbest-2013.ru
site-dating2013.ru
great-dating2013.ru
best-dating2013.ru
sitedating2013.ru

46.249.42.168
siteswillsrockf.com
moniretsstates.info
monicats5b.net
audiodevelop.net
organizationmeens.net
finderpolicy.net

Friday, 21 December 2012

Malware sites to block 21/12/12

There are a series of malware domains on 91.201.215.173 apparently using a Java and PDF exploit to infect visitors. The infection machanism appears to be coming from an unidentifiedad running on the centerblog.net blogging system (I think specifically [donotclick]zezete2.centerblog.net/i-247-136-1356095651.html)

The malware URLs are quite lengthy and appear to be resistant to analysis, in the attack I have seen the following URLs were in use (don't visit these sites, obviously)

[donotclick]svwlekwtaign.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/
[donotclick]mcruxdufxwnp.avigorstats.pro/nfzU990ANRE02JVS0Qk7s0jYN40nDNx0dbn217t
[break]Yy0jp8q0NKcl0kgxI0L8Gt15rue0vRer0M2Lr0fIED/

[break]indicated where I've added a linebreak to get it to fit on the page, remove that and the linebreak for a valid URL.

avigorstats.pro and its subdomains are hosted on 91.201.215.173 (PS Internet Company Ltd, Kazakhstan, but this is just the tip of a huge iceberg of malicious IPs and domains that are all interconnected.

Let's start with my personal recommended blockist. If you are in Russia or Ukraine then you might want to be a bit more conservative with the Russian netblocks and refer to the raw IP list below (there's one list with ISPs listed, one plain for for copy and pasting)..

Recommended blockist (annotated):

5.39.121.18 (OVH, Ireland)
5.135.20.2 (OVH, France)
5.135.67.144/28 (MMuskatov / OVH, Belgium)
5.135.67.192/28 (MMuskatov / OVH, Czech Republic)
5.135.97.6 (OVH, Ireland)
5.135.204.16/28 (Shah Sidharth / OVH, Ireland)
5.135.218.32/27 (Shah Sidharth / OVH, France)
5.135.223.96/27 (Shah Sidharth / OVH, France)
5.199.172.0/22 (BALTICSERVERS, Lithunia)
37.9.53.0/24 (Sheludyak-NET, Russia)
37.221.170.88 (Voxility, Romania)
46.28.71.68 (UA Servers, Ukraine)
46.105.102.18 (OVH, France)
46.235.8.175 (Teknik Data Internet Teknolojileri San.Tic.Ltd. Sti., Turkey)
46.249.42.0/24 (Serverius Holding, Netherlands)
62.76.40.0/21 (Rosniiros, Russia)
62.76.176.0/22 (Rosniiros, Russia)
62.76.180.0/24 (Rosniiros, Russia)
62.76.184.0/21 (Rosniiros, Russia)
62.109.0.0/21 (The First, Russia)
62.122.74.0/23 (Leksim, Poland)
63.247.91.188 (Global Net Access, US)
64.120.193.0/24 (HostNOC, US)
78.140.135.128/25 (Webazilla, Gibraltar)
84.200.77.204 (Misterhost, Germany)
85.17.92.146 (Leaseweb, Netherlands)
85.143.166.0/24 (Pirix, Russia)
88.198.30.19 (Hetzner, Germany)
91.201.214.0/23 (PS Internet, Kazakhstan)
91.211.116.0/22 (Zharkov Mukola Mukolayovuch, Ukraine)
91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.231.156.0/24 (Sevzapkanat-Unimars, Russia)
91.232.29.70 (Realon Service LLC, Ukraine)
91.235.128.0/23 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
91.238.83.0/24 (Standart LLC, Moldova)
91.243.115.0/24 (Aztec, Russia)
92.46.62.128/25 (Shevchenko Sergey, Kazakhstan)
93.170.13.4 (Alfa Telecom, Czech Republic)
93.170.128.253 (Alfra Telecom, Russia)
95.211.199.34 (Leaseweb, Netherlands)
108.163.188.250 (iWeb, Canada)
142.0.37.60 (VolumeDrive, US)
142.54.183.96/27 (Datashack, US)
146.185.255.0/24 (Petersburg Internet Network Ltd, Russia)
151.248.116.54 (Reg.ru, Russia)
178.162.134.128/26 (Silin-Vitaly-Petrovich, Belarus)
178.162.147.111 (Leaseweb, Germany)
184.82.222.126 (HostNOC, US)
184.82.222.127 (HostNOC, US)
185.4.227.42 (Sayfa.NET, Turkey)
188.93.211.114 (Logol, Russia)
188.190.127.118 (Infium LTD, Ukraine)
188.208.32.0/23 (Ch-net Srl, Romania)
193.107.16.0/22 (Ideal Solution Ltd, Seychelles)
194.62.233.0/24 (Stils Grupp, Russia)
195.3.145.45 (RN Data, Latvia)
195.3.145.51 (RN Data, Latvia)
195.20.141.0/24 (Sigma Ltd, Russia)
195.138.240.0/21 (Creative Telematics & Trade s.r.o., Czech Republic)
198.49.66.159 (Hostdime, US)
198.147.22.69 (Front Range Hosting, US)
199.231.210.231 (Enzu Inc, US)
206.212.240.202 (Colostore, US)
206.212.240.206 (Colostore, US)
206.222.17.136/29 (XLHost, US)
208.88.226.230 (WZ Communitions, US)
208.88.226.231 (WZ Communitions, US)
217.23.11.103 (Worldstream, Netherlands)
217.23.15.110 (Worldstream, Netherlands)

Recommended blockist (Plain list):

5.39.121.18
5.135.20.2
5.135.67.144/28
5.135.67.192/28
5.135.97.6
5.135.204.16/28
5.135.218.32/27
5.135.223.96/27
5.199.172.0/22
37.9.53.0/24
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.10/24
62.76.40.0/21
62.76.176.0/22
62.76.180.0/24
62.76.184.0/21
62.109.0.0/21
62.122.74.0/23
63.247.91.188
64.120.193.0/24
78.140.135.128/25
84.200.77.204
85.17.92.146
85.143.166.0/24
88.198.30.19
91.201.214.0/23
91.211.116.0/22
91.220.131.0/24
91.231.156.0/24
91.232.29.70
91.235.128.0/23
91.238.83.0/24
91.243.115.0/24
92.46.62.128/25
93.170.13.4
93.170.128.253
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.96/27
146.185.255.0/24
151.248.116.54
178.162.134.128/26
178.162.147.111
185.4.227.42
188.93.211.114
188.190.127.118
188.208.32.0/23
193.107.16.0/22
194.62.233.0/24
195.3.145.45
195.3.145.51
195.20.141.0/24
195.138.240.0/21
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.136/29
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Raw list of malicious IPs:
5.39.121.18
5.135.20.2
5.135.67.145
5.135.67.198
5.135.97.6
5.135.204.19
5.135.204.20
5.135.218.33
5.135.223.127
5.199.174.99
5.199.175.36
5.199.175.59
5.199.175.60
37.9.53.71
37.221.170.88
46.28.71.68
46.105.102.18
46.235.8.175
46.249.42.161
46.249.42.168
62.76.41.75
62.76.41.208
62.76.178.9
62.76.180.191
62.76.184.246
62.76.185.206
62.76.185.211
62.76.186.109
62.109.2.239
62.109.12.166
62.109.16.94
62.122.74.45
63.247.91.188
64.120.193.144
64.120.193.177
64.120.193.218
64.120.193.219
78.140.135.194
78.140.135.195
84.200.77.204
85.17.92.146
85.143.166.87
85.143.166.202
85.143.166.219
88.198.30.19
91.201.215.173
91.211.119.56
91.211.119.63
91.211.119.66
91.211.119.67
91.220.131.67
91.231.156.50
91.231.156.98
91.231.156.188
91.232.29.70
91.235.129.35
91.238.83.46
91.238.83.56
91.243.115.28
92.46.62.252
93.170.13.4
93.189.40.223
93.170.128.253
94.242.219.3
94.242.219.6
95.211.199.34
108.163.188.250
142.0.37.60
142.54.183.110
146.185.255.66
151.248.116.54
178.162.134.138
178.162.134.139
178.162.132.202
178.162.134.198
178.162.134.200
178.162.134.201
178.162.134.202
178.162.134.212
178.162.147.111
178.162.134.141
184.82.222.126
184.82.222.127
185.4.227.42
188.93.211.114
188.190.127.118
188.208.33.10
193.107.17.105
193.107.19.76
194.62.233.26
194.62.233.31
194.62.233.63
194.62.233.79
194.62.233.137
194.62.233.146
194.62.233.171
194.62.233.173
194.62.233.183
194.62.233.242
195.3.145.45
195.3.145.51
195.20.141.22
195.20.141.23
195.20.141.85
195.20.141.86
195.138.241.79
195.138.241.88
195.138.241.92
195.138.241.93
195.138.241.95
198.49.66.159
198.147.22.69
199.231.210.231
206.212.240.202
206.212.240.206
206.222.17.138
208.88.226.230
208.88.226.231
217.23.11.103
217.23.15.110

Known malicious domains:
001dtbflutxcy.changeip.org
001vlcjibtwrh.changeip.org
002yfzwqyhhqi.changeip.org
003wceqzsouib.changeip.org
004wifxfqqelw.changeip.org
004wsragrwziy.changeip.org
005litvisulyl.changeip.org
005pqlvqwowvh.changeip.org
005szgfxyhyuf.changeip.org
006epphovwevl.changeip.org
006jowpvflxwu.changeip.org
006okqwhyklyg.changeip.org
007gydbgxftcl.changeip.org
007hppoqubtvs.changeip.org
007lvsqhpjtrd.changeip.org
008ftuuqluzoq.changeip.org
008rdzfkykqdv.changeip.org
009g.domaiinn.be
009kkuhgyrazq.changeip.org
009xxqqflqvec.changeip.org
010ipjzyqeuor.changeip.org
017bqelicwssl.changeip.org
020bedzycxryv.changeip.org
020qagbfqxtzq.changeip.org
021lkukzxbuuu.changeip.org
022xwsejqchre.changeip.org
023qrgoreztit.changeip.org
023zqpiblrfso.changeip.org
024vkaoabwhsf.changeip.org
025cldzpffyvl.changeip.org
026cocyjbhahg.changeip.org
027yzlofltfyp.changeip.org
16nnb7b.gm9.com
17vfdvr.gm9.com
2012-2013.org
3d27bc5173b799ec363ebb6a.mine.nu
42f0e25d8baf2c5df64842f5.merseine.nu
555flashpoker.com
555flashpoker.info
555flashpoker.me
555flashpoker.net
7domaindns.com
888flashpoker.com
888flashpoker.info
8domaindns.com
8xvideos-tube.com
8xvideos-tube.info
8xvideos-tube.mobi
a0246d72.mayhemavz.pro
a1000000.mayhemavz.pro
a2b3490dc28df6ec1db21d10.merseine.nu
aboutmailmerging.net
accelerationarrangement.info
acclaimny.pro
acquiringhawaiian.asia
addservice.flu.cc
adobestyledives.org
adriano-bull.com
adriano-bull.net
adsquatropower.com
adsquatropower.info
adsquatropower.net
adsquatropower.org
adventureslh.net
ae1830b97080c83176b59c94.mine.nu
af9b7985802bc09fb9e19663.merseine.nu
affairlikely.net
agegateguru.net
agelumosityroad.net
ahjlfmm.freewww.biz
ahzhfvfjn.freewww.biz
aimedmetaballs.org
airprintlacks.net
ajsuqhsq.freewww.biz
ajwvnwcm.freewww.biz
aktsf.freewww.biz
alhmzpxsdtj.net
altsjhin.mynumber.org
amountinterrupting.pro
analytics-djmusic-online.de
ananasert.cu.cc
anbab.freewww.biz
anti-carding.info
antivirusscleanuponly.info
approximatelyshopkeepers.net
appsfordefaultappear.pro
aqxetx.freewww.biz
archaicpatron.asia
areoperations.net
arltdbsg.freewww.biz
armiesboxes.info
arndlink.com
arny.nazleennoor.com
artilleryupgrading.com
asefeferea.uni.me
asifq.freewww.biz
asimuthstats.pro
associatesgymnastic.asia
astrotester.com
attataponger.ru
audiodevelop.net
auraletterandnumber.org
authoringtriplecore.net
autoplaycyberdrive.info
avenuerequests.net
avigorstats.pro
axis.lenuerry.com
bajoqavu.tk
ballfill.net
baltes.verikanam.com
barpoxert.cu.cc
basun.lenuerry.com
bathtubdanger.net
bazarafcantoscabiz.com
bctwqsgcu.freewww.biz
bdslength.net
beansreschedule.com
beautifullytriangulate.info
bedtimeroes.pro
begpkcd.freewww.biz
bellevident.pro
bestcountstat.com
bestlastnest.asia
besttipscars.info
beta.lenuerry.com
betterlookingflabby.org
bhrhrim.freewww.biz
bicyclesteachers.info
bicyclingsecondfastest.pro
bigprobivbig.net
billtrackerremoval.info
biosopers.pro
bioticshypermodular.org
bitsrentr.pro
bizon.verikanam.com
bkuoq.freewww.biz
blanki-basa.info
bliclink.com
blikke.verikanam.com
blogtoolonsteroidscreations.net
bmfield.pro
bmgdrive.net
bobodrive.info
bobson7ka.pro
bomba.bonocchio.com
brandnewtransfer.pro
brandsanalog.info
breakingretouching.net
bregfxul.mynumber.org
brighterintuitiveness.info
browsecomplaints.org
brtrampolines.biz
brustramestra.org
buenos-varilias.com
bufferlumia.info
bunat.verikanam.com
buttonjp.org
c446fe861bdb8a2bbea44022.merseine.nu
cakuxeco.tk
calderatextletting.net
campaignmanagementmoneys.info
candyruns.pro
cantothemebased.pro
canyoninstructed.net
capricioussample.info
carswhilestaff.biz
cassettesbeauty.org
caubqj.freewww.biz
cdsbandwidthsaving.info
cejinayu.tk
centurylogmeinnow.net
cfarcto.freewww.biz
cheapbiotics.info
cheche.jrm-enterprises.com
checklistearpiercing.net
chidedpointofinterest.pro
cilidep.tk
cityscaperollbacks.net
ciwabiha.tk
clackt.freewww.biz
clarificationspackages.info
classbasecamp.pro
clckllink.com
clean-service.info
clearlydefinedjr.net
click2click.pro
click4click.org
clipboardbarely.pro
closedeasy.net
cloudtalkepicture.info
cloutremote.asia
cmesrearranged.pro
cogsfeet.net
cohostedpareddown.pro
coincidentlyreduce.net
collaborativerationals.info
collectingtabletfriendly.info
collectionsbleeding.pro
combinedbecause.org
common.thebattleroyal.com
conductinability.net
consciousnessmobileoptimized.info
constructionverified.org
contentdeliveryworldwide.pro
contentnomasterwork.net
convenienceconclusions.org
conversionitlegendary.info
convertervocal.net
corantipursue.info
correspondingpchoused.net
counterattackaltercast.asia
courseworktitanium.net
coxmxvku.freewww.biz
creast.afkepock.com
crosscountrypertinent.info
crossingpivot.info
crustwatch.com
crytprodom.net
cullinghenry.pro
curmudgeonlowerquality.net
cutlongurls.com
cwnddazt.freewww.biz
czxsazzz.cu.cc
dapuyok.tk
darkroomimageport.info
data.fossilflour.org
datcikas.co.uk
dazzlingthirst.info
dbzptwxhm.freewww.biz
dc21.asia
dckikyas.1dumb.com
dcrriklc.freewww.biz
ddbnbmpt.freewww.biz
dealingcas.pro
delawareriveromainssinglwwerx.com
delivercdn.com
demonstratepowerfully.net
denialdeduplication.net
densepromissory.info
deomainssinglwwerx.net
departuresheettogo.asia
dependenciesusers.net
deraman.cu.cc
dereteweret.org
desreappear.pro
devicetantalized.pro
dialerseasoned.org
digitalbrio.net
digitalspointsstorys.net
disappointsultra.net
discoverleaving.net
disperseconceptdraw.net
districtagenda.net
dixoxupo.tk
diysweeper.net
dkpjumouz.mynumber.org
dns20number.org
dnsnum10.com
dnsnum11.com
dnsnum12.pro
dnsnum9.com
dnsnumber1.com
dnsnumber14.pro
dnsnumber15.pro
dnsnumber2.com
dnsnumber3.com
docktoolsthe.org
docstogolists.info
docxlassos.net
doggedmask.pro
domaincreations.info
domainjustmails.net
domainscingapurs.net
domainsgweate.net
domainsjinniks.net
domainsnetstatts.net
domainsplaylgtaxes.com
domainsplaylgtaxes.net
domainsrighbind.net
domainssinglargetaxes.net
domainssinglgirs.net
domainssinglsnet.info
domainssinglssin.info
domainssmiles43.net
domainsstressadd.com
domssingomangos.net
downloaderchippers.org
dqytgefar.freewww.biz
dragonocerusfluidity.info
dramaticmacromedia.info
drumspeedthrottled.pro
dunfe.lenuerry.com
durhamdirectory.net
dworddb.com
earnhardtphoto.info
earthnearness.pro
ecwlqx.freewww.biz
edrenbaton.mouseclickcentralization.info
edvbph.freewww.biz
ekvwynlse.freewww.biz
endgameaboveaverage.pro
engagegoto.com
englandcompared.info
enlargement4.pro
enthusiastmystery.net
epsconsisted.pro
esscer47emonyno.rr.nu
essentiallyrepresents.net
estheticsindianapolis.info
etritotube.me
etritotube.mobi
etritotube.net
everpresentoctave.net
evngiaca.freewww.biz
examiningstores.org
excludedsure.pro
execpragues.net
expansionletter.net
experimentalsatellitecommunicationsprojectlaunchedinindia.info
eyebrowsprefilled.pro
f8u5.asia
fabulouszen.net
fallokidor.org
fastgreendns.com
fastum.gm9.com
favorablestarted.pro
faxesworry.asia
fbjvbkjp.freewww.biz
featuresconverter.asia
fedrekpolik.org
feedbacvolcanoes.pro
fenoqere.tk
ffffoundbirthdate.org
fgjcctg.cu.cc
fhpbuqac.freewww.biz
fiendishtask.info
figuringdictating.net
fillinjabber.net
filmeducators.net
finddomainsdicr.net
finlandfires.info
flierstrusting.biz
floodedhomeplus.net
flrkcyoln.almostmy.com
flvagye.freewww.biz
flyport.nut.cc
foldersmodify.org
force.verikanam.com
formsbasedscreeners.asia
forum-pro-siski.info
frameratepekingese.pro
freeexpenditure.pro
frustratedrosetta.pro
fssdnk.freewww.biz
ftycik.freewww.biz
fulllengthunderdahl.info
gabon.lenuerry.com
gaepovzsdr.cu.cc
gainskeeper.asia
gamesduoswin9.info
gaplessaddremove.info
gduobyc.freewww.biz
gefilteheadway.pro
geographiccomplicating.net
germen.almostmy.com
gfydjpo.freewww.biz
ghanaembassyusa.com
ghostauthority.info
gitro.lenuerry.com
gkluyc.freewww.biz
global.usa.cc
gobangwriterson.com
godutegodozybat.org
goldclick.pro
good.timepiece-locator.com
googlenilesrt.net
governingjerk.org
gpuep.freewww.biz
grainscatching.net
grauezonen.com
grauezonen.net
greatctrlaltdel.pro
gretta.pcanywhere.net
gsshphwbn.freewww.biz
gttrle.freewww.biz
guaranteesroman.net
gwqpx.freewww.biz
gybphqhwf.mynumber.org
gyukrmmw.itsaol.com
halfdozendesktop.asia
hanskohlerltd.com
hanskohlerltd.net
harddrivedeepens.pro
hatsvisuals.org
haventons.org
hazardstweet.pro
hcsqhop.freewww.biz
hearingcertificate.info
heartshapedradiosity.info
heatcycle.asia
hecticearning.pro
heellowtech.pro
hellousers.mobimexa.ro
hesdr.org
highflyingmotivates.info
highresfunnel.pro
hihuvay.tk
hjtqfai.freewww.biz
hjxynh.freewww.biz
hkect.freewww.biz
hmirsdwqo.freewww.biz
hmqth.freewww.biz
hobbjnlji.freewww.biz
hocblockable.pro
homegrownphonetic.pro
hoopsvibrate.pro
hornyfile.net
hotelspecificvocalization.info
hreflnk.com
hugo.lenuerry.com
hutren.lenuerry.com
ibbyqkp.freewww.biz
iccyrgfh.mynumber.org
icebergsorts.info
ictrnr.freewww.biz
ifuzlt.freewww.biz
ihazalittleknob.us
ihrtytw.freewww.biz
iirrack.org
ijkguxk.freewww.biz
ikles.lenuerry.com
imanagepooka.pro
imapscans.info
imationbones.net
img.buchananjenkinshyundai.com
img.centralfloridahyundaidealers.com
img.centralfloridaunder10grandautos.com
img.zeitersseptics.com
img.zsuinc.com
impactrelease.pro
importslatenot.info
imrkcm.freewww.biz
incompatiblechoice.info
indocumentgunning.info
infostartbizcher.net
innetrecordf.net
installerhappens.com
intelextraction.org
interesting.moneta.cl
internalcake.asia
internetsdd4.net
internetsdd4.org
internetsturk.net
intervalsselfservice.pro
ioalcsy.freewww.biz
ioragement.net
iphonedata.info
irresponsibletablets.asia
irritatingtrailers.info
isaacdocs.com
iwwcwxjoy.freewww.biz
jafcomuzzle.com
jamdownsizes.info
jaquxedo.tk
jefvqloqs.freewww.biz
jekpot.net
jekpot.org
jexiyohi.tk
jopoplop.cu.cc
joxopzzz.cu.cc
jqkxhv.freewww.biz
jrhhqbgf.freewww.biz
jsccrzo.freewww.biz
jscripttoughgeek.biz
jtalwiwu.freewww.biz
junest.lenuerry.com
justpingmoow.net
juwkulgw.freewww.biz
jxzyi.freewww.biz
kcttqwmg.freewww.biz
kcxqach.freewww.biz
keyboardhigherpriority.pro
keywordrecordrookie.info
kgugoasr.freewww.biz
kimqtpbj.freewww.biz
kiost.lenuerry.com
kjrkbvrws.freewww.biz
kochenmitspass.com
kochenmitspass.net
komat.lenuerry.com
kopan.lenuerry.com
kopcasdf.cu.cc
ksopyt.freewww.biz
kupimiy.tk
kuuiukcd.freewww.biz
kvidzs.freewww.biz
lapuneran.com
lastfmwidescreen.info
lastwestbizz.info
laternotairplanes.org
laxonot.tk
lbd.lenuerry.com
leadingpartymoderateshewasejectedfromaftershesaid.info
leaguedigs.pro
legendpairing.info
lenskuog.freewww.biz
lesgpda.freewww.biz
letterpresssketching.info
levanto-poker.com
levanto-poker.info
levanto-poker.net
levanto-poker.org
lglsuo.freewww.biz
libertybigestnoob.org
linestrate.biz
linusrival.info
lipor.afkepock.com
lipsbylines.pro
listingsnonexecutable.org
litebizzchersearch.org
liteklick.com
litenames.com
littleknobnsack.us
ljbsll.freewww.biz
llsoftness.info
llxtyzh.freewww.biz
loadsgamescraft.org
locatorrotten.net
lollipoporno.org
longnikdb.com
lops.verikanam.com
lopxaert.cu.cc
lowkeytonights.pro
lpbjscrsa.freewww.biz
lpnkbwx.freewww.biz
lqbiyic.freewww.biz
lwwpmfw.freewww.biz
lynwau.freewww.biz
m6j2.info
macbookxed.net
macdonaldsfast.net
mangosautomated.info
manibackbestbizz.net
marxloha.com
marxloha.net
mastercarddialog.pro
masterxz.cu.cc
mayhemavz.pro
mazdak.cu.cc
mdrphfri.freewww.biz
mechanicalagenda.asia
membersnetsgunss.info
membersnetsgunss.org
memoryhddmonitor.org
memossingleuser.info
mentscommence.net
merstengrown.com
mesburtterpe.ddns.name
metaizosulfatmetanol.com
metasearchexcessively.net
mexicomongo.com
mexodini.tk
mhpuya.freewww.biz
mikesnutssner.net
mikesnutssner.org
minisiteshassle.info
minker.lenuerry.com
mitest.lenuerry.com
mitre.verikanam.com
mixed.verikanam.com
mjhcymist.freewww.biz
mmwap.freewww.biz
mnroemawa.freewww.biz
mnszyhxgp.freewww.biz
mobilefriendlysingledisk.info
modemgamers.info
modesicompared.org
modesiscenes.info
mofiozesbzcom.net
mokas.lenuerry.com
mondayswizardnet.info
moneysdialogs.net
monikaheinold.net
monitorsystemsdep.net
monitorsystemsdep.org
mopiserb.cu.cc
morrisgussmir.biz
mouseclickcentralization.info
mqtqjkyo.all-emoticons.com
multidimensionalpersisted.org
multilevelclass.net
museumsnimble.net
mwmfue.freewww.biz
mxssweeten.pro
mydreamnewone.com
mydreamnewone.me
mydreamnewone.org
mydreamnewone.us
naejadxge.freewww.biz
namesstressadd.net
ndengine.com
nedra.ddns.infoc
neos.lenuerry.com
nerest.ddns.info
nerfaserty.fondinfocenters.info
netdocumentsinaccessible.info
new-generation-affiliate.net
new-generation-affiliate.org
new-generation-affiliateonline.co
newyorkcarrent.com
ngfyt.freewww.biz
nicert.afkepock.com
njgblmlg.freewww.biz
nlbdiv.freewww.biz
nnczl.freewww.biz
noacmvbg.gr8name.biz
nospaceforced.pro
ns1.collectionsbleeding.pro
ns1.haventons.org
nsc.hornyfile.net
nuert.lenuerry.com
nvelqxkt.freewww.biz
nzhewnvi.freewww.biz
nzuqojkf.freewww.biz
oboobx.freewww.biz
oevcrn.freewww.biz
oferts.net
ohnjckgo.freewww.biz
okles.lenuerry.com
oltpspeakers.pro
oneiricinfocenters.info
ones.myservicecomments.com
onlineadvertclick.eu
onlineadvertclick.info
onlineadvertclick.org
oovmmb.freewww.biz
operationseverlearn.pro
opticshoc.pro
originalchristopher.net
originatingpixelize.pro
ortide.afkepock.com
otscfr.com
overseassouth.net
ow42.org
ownorreverting.org
ownprice.net
paggpuvv.freewww.biz
palacio-casino.com
palacio-casino.in
palacio-casino.info
palacio-casino.me
palacio-casino.mobi
palermopoker.asia
palermopoker.biz
palermopoker.co
palermopoker.info
palermopoker.me
palermopoker.net
palermopoker.org
pamaetyd.cu.cc
panasoniccatnap.net
panasoniclibs4.biz
panasoniclibs4.net
paneheftier.info
parlorlimitsforemost.org
participaterevisions.info
pasrewder.cu.cc
passedtwitpic.pro
paszerqef.cu.cc
pawertyse.cu.cc
pbhukx.freewww.biz
pejot.freewww.biz
pfannengericht.com
pfvfsi.freewww.biz
photoemailingbrethren.pro
physicallyoffer.asia
picniksdistrict.info
pigrona5.com
piicentrally.org
pikkolorgy.org
pistolop.cu.cc
pityr.verikanam.com
plannerspressed.net
pmquggb.freewww.biz
pmxlzumf.freewww.biz
pnppz.freewww.biz
pocasredr.cu.cc
polaroidstylesaved.info
pomertax.cu.cc
pornooncar.pro
pornoseccasgirls.info
pornoseccasgirlss.net
pornostroycenters5v.net
portallnk.com
postprepminimize.pro
potar.lenuerry.com
potentlatency.net
povertzag.cu.cc
powertnoii.cu.cc
prettydik.net
privacyxslegacy.info
producercheesy.net
progresseddrilled.net
promoitaliane.tv
prosperplug.info
psgva.freewww.biz
pvsblues.info
pzdupny.freewww.biz
qadosiwixe4.pro
qadosiwixe45.pro
qadosiwixe5.pro
qgwbhqthc.freewww.biz
qiksmotorcycles.pro
qojnwkp.freewww.biz
qoyuhiwe.tk
qpxibesp.freewww.biz
quellesimple.com
quellesimple.info
quickcamsassembled.net
quickofficemosaic.info
quincypuublicschools.com
quittsfasaf14.net
quqzpzfwr.freewww.biz
qxwhucsruaifu.pro
radarholga.pro
ratzeputze.com
rayoperu.tk
rbeqj.freewww.biz
rcjdnesni.freewww.biz
receivesagillions.info
recklessblacklisting.net
recoffsets.net
redirestoodersfin.info
redownloadingraucously.info
redspeed.asia
redundantblockskew.pro
redut.is-leet.com
reinventsciti.pro
relatedfarsi.info
releasedoutofbox.info
reliabilitytedium.info
reliantscrambled.org
remissimpediments.net
rentalhummers.pro
rentedtransactions.info
repinvoiceover.info
reportingautomatingoutliners.info
repurposedsmtppop.asia
re-served.com
respectsprosuite.info
restoronsafe.info
reusemorepersonalized.org
revolutioncodehinting.pro
rewardbounces.info
rhacsy.freewww.biz
riatiapafor.dnset.com
rizapizda.com
rojoxal.tk
roomyqualysguard.info
rootkitsprintready.pro
roudroadersnetliker.com
roxjd.freewww.biz
rozohudu.tk
rubilonk.biz
rubilonk.com
rubilonk.info
rutes.lenuerry.com
rxkpd.freewww.biz
safaristereos.biz
safetywebclassifies.net
samcrop.info
santnhzg.freewww.biz
saucesensorlys.info
savedordernumbers.net
sbyaiqvpm.freewww.biz
scarcecookiecutter.pro
schirkaal.com
schneemen.info
schoolsreading.asia
scrot-um.biz
securemanagerspecialcollectlinesite.info
security-checking.info
sedukimozzaik4net.info
seewild.net
seinfeldwlpg.pro
selamoitoipour.com
selamoitoipour.net
selamoitoipour.org
selmoipourtoi.com
selmoipourtoi.net
separatedsurprises.com
sequentialbiotics.info
sexclub4h.net
sexgirlsmembers4g.net
sexmurenagirlssex.info
sexsexporno.info
sexxxstaz.org
sfhnvvs.freewww.biz
shareself.info
sharingdelays.pro
sharpeyedresizable.net
shepardforests.info
shizzledizle.com
shortlonglinks.com
siamanfocont.ddns.name
sidhpuwtvkwrtv.flu.cc
signingsample.pro
signupdestinations.org
similaritiesinverting.net
singlecolumnhalloween.asia
sitesstressadd.com
sitesstressadd.net
sjryycwpl.freewww.biz
ska9.info
skitchrestaurants.net
skjaqowjtr.all-emoticons.com
slackmultiline.info
slnhtkqu.freewww.biz
smoothlyexit.net
snailmailupdater.net
snamedb.com
snoopscooperate.pro
sometimescroogle.asia
sorryintellicookie.net
soulplacing.pro
speedanymore.net
speedyfraction.pro
stampedetarget.info
stat.sportspirate.net
stathemliberiy.com
stationscannons.net
statistic.kodiakwireline.ca
stereoobjects.info
stetomoney.org
stinglnk.com
stlpartnership.asia
stoppedcam.info
storagemediumfoolish.pro
streetpiloteffortlessly.biz
strnglink.com
stumbleuponbutlowerpriced.info
subjectslicing.net
sublistsvirus.info
suckro.lenuerry.com
sufopati.tk
sugad.afkepock.com
sunbeltinverting.pro
suncurrentlytransitstheconstellationoflibrafromoctober.info
superbrustramestraonline.org
supportflashoutlookstyle.pro
susssurrounds.info
suxoyad.tk
swallowsreenable.pro
sydzslq.freewww.biz
syenial.com
system0001.pro
taipeirazor.pro
talliedclassit.info
tares.verikanam.com
tauscansenders.info
tavawf.freewww.biz
tcpipbyfiletype.info
teddyderhund.com
teddyderhund.net
tekqswas.freewww.biz
tellementads.net
tenscrub.net
testr.pcanywhere.net
textingnode.info
thewirelesscaalog.com
theydlauncher.net
thrillededward.pro
thundercatsimplications.net
tibukns.freewww.biz
timingwaste.net
tisla.lenuerry.com
togglesengines.info
toolbarpcmag.info
totalethreetabbed.net
toypourtoy.info
toypourtoy.net
toyticket.info
tracklessactivedisk.info
trading-consult.info
trafficstock.net
transformspace.pro
trnio.lenuerry.com
troopersresided.info
truesamuraidns.com
tufbu.freewww.biz
turnkeynew.pro
twesst.afkepock.com
twitteresqueingenious.info
txdfldh.freewww.biz
txtbznqia.freewww.biz
tzhone.freewww.biz
uadwfj.freewww.biz
uatogspme.freewww.biz
ubiuzkfw.freewww.biz
uidlikmcr.freewww.biz
ujergbcfcskuxvd.dyndns-remote.com
unhuzrtje.freewww.biz
uninstallerthumbtack.asia
unprotectedepicture.info
unuere.freewww.biz
update-cdn.com
uptel.afkepock.com
ureqedaz.mrbasic.com
usdaqpl.freewww.biz
user2.lenuerry.com
usnet.lenuerry.com
usomainssinglwwerx.com
uszefhy.freewww.biz
uukdktlc.onmypc.us
uvvtscte.biz
uwndet.freewww.biz
uybeor.freewww.biz
uyfea.freewww.biz
uzvxb.freewww.biz
vabnoynua.freewww.biz
vabosaho.tk
validatorbasses.net
validfacts.info
vchysb.freewww.biz
veraconference.info
verghavinias.com
verisimilitudeguidelines.pro
viewsbootup.net
viiju.freewww.biz
viqrzfvi.freewww.biz
virginiacompanyron.com
visasunspot.net
vitres.verikanam.com
vjhgd.freewww.biz
vmteuayfi.freewww.biz
voltsdragandselect.net
voniucka.co.uk
vsddbm.freewww.biz
vvsgoqe.freewww.biz
vzfascinating.info
wallmountedsubprojects.info
watisawarosydok.org
waybunch.org
webcheckfinalizing.net
webdavinfluential.pro
webmasteraolcom.asia
websearchsite.net
weekdaysaccountif.org
wefirefoxs.info
wellreceivedrug.pro
wentovergomountain.net
wereworkstationlike.org
westlnk.com
wfslwzbmj.freewww.biz
whpdn.freewww.biz
wildcarddigest.org
wimipol.tk
winproducersdisks.asia
wirmsnetsreg.org
wizikohu.tk
wjtuvxr.freewww.biz
wlklayju.freewww.biz
wlvgkym.freewww.biz
womukul.tk
wordreg.com
worksheetrating.info
woteucv.freewww.biz
wouldstats.com
wpvrq.freewww.biz
wqolljp.freewww.biz
writexrealtek.pro
www.hornyfile.net
www.jscripttoughgeek.biz
www.livecamsxxxnow.com
www.schneemen.info
www.sexsexporno.info
wwwlogmeincomafflicts.net
xasnc.freewww.biz
xberfdpfo.freewww.biz
xcwalwbwg.freewww.biz
xerta.lenuerry.com
xfulu.freewww.biz
xgrvj.freewww.biz
xicajevi.tk
xkaceln.freewww.biz
xmlstructurednewegg-affiliate.asia
xmmtry.freewww.biz
xokildrgfht.dyndns-remote.com
xokildrggjy.dyndns-remote.com
xokildrghkuy.dyndns-remote.com
xptyhuob.serveusers.com
xrtecjq.freewww.biz
xvideotubehq.net
xvideotubehq.org
xvidious.co
xvidious.info
xvidious.net
xvidious.org
xvidstubes.asia
xvidstubes.biz
xvidstubes.co
xvidstubes.com
xvidstubes.info
xvidstubes.me
xvidstubes.mobi
xvuxl.freewww.biz
yabalvate.freewww.biz
yale.verikanam.com
ycwmpwmh.freewww.biz
ycwvoad.freewww.biz
ycxbecdci.freewww.biz
yfajapit.americanunfinished.com
yhejzgsc.freewww.biz
yhgqw.freewww.biz
yjihtguzr.freewww.biz
ykasszk.freewww.biz
ynerfklpgjazsc.servebbs.com
ynybaduv.itemdb.com
yourxvideos.asia
yuokmyxhk.freewww.biz
yuppiebatchmode.info
yvngzms.freewww.biz
ywtytciqr.freewww.biz
yyvpdr.almostmy.com
yzhhn.freewww.biz
yzmek.mynumber.org
yzociz.freewww.biz
z8s0.info
zawejame.tk
zegejic.tk
zenuxozo.tk
zenworksencourages.pro
zeroknowledgealwil.asia
zhnmnjtm.freewww.biz
zikertlijgyhku.dyndns-remote.com
zikertlzcsyvdx.dyndns-remote.com
zikertydhwegawd.dyndns-remote.com
zikertydhwegsd.dyndns-remote.com
zikrftgbaefas.dyndns-remote.com
zikrfvdeccsxw.dyndns-remote.com
ziniospdfs.org
zkpys.freewww.biz
zoom.verikanam.com
zoomedpentiumequipped.info
zvxct.freewww.biz
zywyr.freewww.biz

Thursday, 20 December 2012

"New message" spam, fake dating sites and libertymonings.info

This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012.asia and libertymonings.info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:
Date:      Thu, 20 Dec 2012 20:50:17 -0200
From:      "SecureMessage System" [2F5DEE622@hungter.com]
Subject:      New message

Click here to view the online version.

New private message from Terra Fisher received.

Total unread messages: 5

[ Read now ]
� Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

-------------------------

Date:      Thu, 20 Dec 2012 20:36:14 -0200
From:      "Secure Message" [82E8ACBD@lipidpanel.com]
Subject:      New message

Click here to view the online version.

New private message from Josefina Albert received.

Total unread messages: 3

[ Read now ]
� Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

In these cases, the targets URLs are [donotclick]site-dating2012.asia/link.php and [donotclick]site-dating2012.asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and  pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211(also at Serverius Holding).

These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010.info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page.

The site also contains an apparent Java exploit that loads in from libertymonings.info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings.info/index/zzz/?a=YWZmaWQ9MDAxMTA=  which attempts to download a Java exploit from [donotclick]libertymonings.info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal.

The following IPs and domains are all related and should be blocked if you can:

46.249.42.161
46.249.58.211
84.200.77.218
adeptsponsorlin.info
bestdating2012.asia
bestdating2012.info
best-dating-2012.info
bitnovembersgate.com
bursttsnetsbest.net
carswhilestaff.net
clemationsbloglogs.com
clemationslogs.com
cooldating2012.info
dating-2012.info
dating-2013.asia
datingbest2012.asia
datingbest2012.info
datingcool-2010.asia
datingcool2011.asia
datingcool2012.asia
datingcool2012.info
domainsjinniks.org
domainsqiprnodes.info
domainsreidstable.net
domainssguibulk9r.net
domainssguibulkniner.com
domainssidorsneeds.net
domainssinglgirs.com
domainssinglsdoms.com
domainssinglsnetss.info
domainssinglssunss.net
domainsstressadd.net
domainsstringho5.info
domainsstringho5.org
domainswithhelthhi.info
domainswithhelthhi.net
domssvorastwo.info
domssvorastwo.net
fresh-dating-2010.info
freshdating2012.info
fresh-dating-2013.info
gamesduoswin9.net
great-dating2010.asia
greatdating2012.asia
greatdating-2012.asia
greatdating2012.info
greatdating-2012.info
great-dating-2012.info
greatdating-2013.info
importslatenot.info
innersdomainsinser.com
latestdating2012.asia
latestdating2012.info
latestdating2013.info
left4deadfi3.info
left4deadfi3.net
libertymonings.info
libsgiftnet.info
libsgiftnet.org
loadsgamescraft.info
lomnetingstar.com
lubertylibcenterns.info
mobimemcashnesh.com
mobimemcashnesh.net
moderndating2010.asia
moderndating2012.asia
moderndating2013.info
mombersneftlife.net
monchianolist.info
morrisgussmir.net
my-dating2012.info
mydating2013.asia
mydating2013.asia
namessguibulk.net
namesstressadd.com
netsplacesformss.info
new-dating-2012.info
new-dating2013.asia
newdatingafter2010.asia
newdatingafter2012.info
newdatingafter2013.info
newdatingworld2012.asia
newdatingworld2012.info
newmeeting2010.asia
newmeeting2012.asia
newmeeting2012.info
oldspacesnets.net
omnihiteuropapluss.info
oregonsitynet.net
searchersnextdoms.info
searchersnextdoms.net
searchersstippich.info
shareself.info
site-dating-2012.asia
sitedating2012.info
site-dating2012.info
site-dating-2012.info
stathemliberiy.net
www.datingbest2012.info
x-dating2012.info
x-dating2013.asia


Happy 20:12 20/12 2012

Happy 20:12 20/12 2012!

Yes, I know I've done this before but there's a rumour that it's the end of the world tomorrow.

Sendspace "You have been sent a file" spam / apendiksator.ru

This fake Sendspace spam leads to malware on apendiksator.ru:


Date:      Thu, 20 Dec 2012 09:25:36 -0300
From:      "SHIZUKO Ho"
Subject:      You have been sent a file (Filename: [redacted]-28.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

===============================

Date:      Thu, 20 Dec 2012 05:05:02 +0100
From:      "GENNIE Hensley"
Subject:      You have been sent a file (Filename: [redacted]-7123391.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

---------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]apendiksator.ru:8080/forum/links/column.php hosted on:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)



These IPs and domains are all related and should be blocked:
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru

Wednesday, 19 December 2012

Wire Transfer spam / angelaonfl.ru

This fake Wire Transfer spam leads to malware on angelaonfl.ru:

Date:      Wed, 19 Dec 2012 11:26:24 -0500
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Wire Transfer (3014YZ20)

Welcome,

Your Wire Transfer Amount: USD 45,429.29

Transfer Report: View



EULALIA Henry,

The Federal Reserve Wire Network
The malicious payload is at [donotclick]angelaonfl.ru:8080/forum/links/column.php hosted on the following IPs:

91.224.135.20 (Proservis UAB, Lithunia)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)

The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69
pelamutrika.ru
antariktika.ru
apensiona.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
aviaonlolsio.ru
dimarikanko.ru
adanagenro.ru
aofngppahgor.ru
apolinaklsit.ru
angelaonfl.ru

Facebook spam / 46.249.58.211 and 84.200.77.218

There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:

From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account

Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http://www.facebook.com/confirmemail.php?e=[redacted]

You may be asked to enter this confirmation code: [redacted]
The Facebook Team

Didn't sign up for Facebook? Please let us know. 
46.249.58.211 (Serverius Holding, Netherlands)
newmeeting2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
mobimemcashnesh.com
domainssguibulkniner.com
innersdomainsinser.com
domainssinglsdoms.com
site-dating-2012.info
best-dating-2012.info
new-dating-2012.info
greatdating-2012.info
newdatingworld2012.info
site-dating2012.info
sitedating2012.info
freshdating2012.info
cooldating2012.info
greatdating2012.info
latestdating2012.info
datingcool2012.info
newdatingafter2012.info
datingbest2012.info
fresh-dating-2013.info
greatdating-2013.info
moderndating2013.info
latestdating2013.info
newdatingafter2013.info
shareself.info
searchersstippich.info
adeptsponsorlin.info
domssvorastwo.info
domainsqiprnodes.info
searchersnextdoms.info
lubertylibcenterns.info
netsplacesformss.info
domainssinglssunss.info
domainssinglsnetss.info
omnihiteuropapluss.info
domainderight.info
domainsreidstable.net
mobimemcashnesh.net
namessguibulk.net
adeptsponsorlin.net
domssvorastwo.net
domainssguibulk9r.net
domainssidorsneeds.net
searchersnextdoms.net
domainssinglssunss.net
bursttsnetsbest.net

84.200.77.218 (Misterhost, Germany)
namesstressadd.com
bitnovembersgate.com
domainssinglgirs.com
left4deadfi3.info
importslatenot.info
monchianolist.info
left4deadfi3.net
gamesduoswin9.net
domainsstressadd.net
oregonsitynet.net

GFI have some more details on this one here.

Malware sites to block 19/12/12

This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).

This is a screenshot of the fake AV in action:


From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:

report.q7ws17sk1ywsk79g.com
report.7ws17sku7myws931u.com
report.u79i1qgmywskuo9o.com

There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:

inetnum:        46.105.131.120 - 46.105.131.127
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered


I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go.com registered in China which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.

The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo.com, ez.lv and zyns.com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.

79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.

Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here.

82.103.140.100
www2.x49v36a57puq66.ez.lv
www2.tpzqzg4k2scre0.mooo.com
www2.afc5l4vfohgsz0.mooo.com
www2.f4t9jm7x21.mooo.com
www2.q9iuiwcoq2uvy-2.mooo.com
www2.wwml9bvprhllq2.mooo.com
www2.cjpujub6n0e5u2.mooo.com
www2.t-hih2cnpkpjy2.mooo.com
www2.afbsv8ooj-3.mooo.com
www2.yhqgj6kntn9ru3.mooo.com
www2.q-5f75azo15f214.mooo.com
www2.pbsx2znwccc9a4.mooo.com
www2.wa9bb2z4r3ojz-5.mooo.com
www2.abjbxt7a65.mooo.com
www2.fmrmta0nhmql95.mooo.com
www2.xkpcakk8fnvp95.mooo.com
www2.l6gbfb6l5.mooo.com
www2.ewl91b7p86.mooo.com
www2.uwgsohupxy1de6.mooo.com
www2.g-gq0soprruf5h6.mooo.com
www2.m7yzf62rp6.mooo.com
www2.vov9fsmlyq9257.mooo.com
www2.r2qrxdwo979vj7.mooo.com
www2.j9qm7o00stdyx7.mooo.com
www2.laysltotae8xd8.mooo.com
www2.wp0poz3aq7a7q8.mooo.com
www2.lisbp4cv0v6w09.mooo.com
www2.a50oup6hw0u9c9.mooo.com
www2.pa68ewk9fuqoe9.mooo.com
www2.ohcaob1cffx4l9.mooo.com
www2.g-gysij61cwkkr9.mooo.com
www2.j-8pdx3cfjxgba.mooo.com
www2.h-3aq08aicxn2c.mooo.com
www2.i-7w3rj3j54msmc.mooo.com
www2.j94ysol4em1jd.mooo.com
www2.b5nxk76wnd.mooo.com
www2.r-72i3awaqe.mooo.com
www2.e1k6twcnwqkueh.mooo.com
www2.l00mfws4y9p7ci.mooo.com
www2.l-30w3ulnwvj0qi.mooo.com
www2.z9tbs222g9unk.mooo.com
www2.g-3hww04s0mv5mn.mooo.com
www2.d-9w6t7gvgqm1o.mooo.com
www2.v3sinde9go.mooo.com
www2.l926nykwyj27mo.mooo.com
www2.e8dp78999hr5u.mooo.com
www2.y-8ppqnq8kglsou.mooo.com
www2.k79jcizh268qu.mooo.com
www2.v-9ifaa40v4bu1w.mooo.com
www2.p-2l65dl6w.mooo.com
www2.w15s6udfkhp5ry.mooo.com
www2.jjiqnfn6gj5ht-0.ez.lv
www2.z1jdd6o1e1kss0.ez.lv
www2.h-ccawkohe3qpi3.ez.lv
www2.hzyr7bh8gok2p4.ez.lv
www2.djti1cxaiz9wk5.ez.lv
www2.i-lojtegi396u5.ez.lv
www2.zgurkoad-7.ez.lv
www2.z26df3ueq3j2t7.ez.lv
www2.u263xcu8.ez.lv
www2.kyumtava8e6qv-9.ez.lv
www2.vn6wbwn7abt319.ez.lv
www2.w-5e04vjusiibj9.ez.lv
www2.n9vrk7p00g.ez.lv
www2.t3fjazatb9yov.ez.lv

79.133.196.103
www1.d6kpgdkvrolql3.zyns.com
www1.v7cqv8zdy4pjn5.mooo.com
www1.gno1meqrlspf5-0.zyns.com
www1.ibtu6x7oi3278-0.zyns.com
www1.b95ixcr30.zyns.com
www1.z-xq6xi2p7yx60.zyns.com
www1.p-aijej0.zyns.com
www1.jzyycis0.zyns.com
www1.u1wfjjs0.zyns.com
www1.h7xwv84x1huu0.zyns.com
www1.o-3xvokohw0.zyns.com
www1.fetmg6oukfvvw0.zyns.com
www1.wxe3vgvuk6th-1.zyns.com
www1.nuiq1hvmga2d11.zyns.com
www1.w5ndppqbx3p21.zyns.com
www1.u8r2a5xfb0xp51.zyns.com
www1.gbrl4es5xro4b1.zyns.com
www1.z-gfckpx0nst8c1.zyns.com
www1.ma5x4qfhh1.zyns.com
www1.ps61hen1.zyns.com
www1.cvhc6cr1.zyns.com
www1.ucfjffrizboz1.zyns.com
www1.vlza5kzj32.zyns.com
www1.cutyfk82tkfc52.zyns.com
www1.p3gn08hp62.zyns.com
www1.xa9xfs70sn92.zyns.com
www1.tt4h8odbcfxtq2.zyns.com
www1.j8qi8gl3d5jpv2.zyns.com
www1.iatjl4x2.zyns.com
www1.zqclyyon8-3.zyns.com
www1.c4w46c-3.zyns.com
www1.iu3b7pys9yah23.zyns.com
www1.veduncogo0u683.zyns.com
www1.bq1la1lcr3.zyns.com
www1.sm30hwbrxb5az3.zyns.com
www1.osxzdpb-4.zyns.com
www1.e1xyho-4.zyns.com
www1.h5yqudc184.zyns.com
www1.bctzuagte4.zyns.com
www1.gr56vr5wxvg7n4.zyns.com
www1.m5sfchcmj27cq4.zyns.com
www1.l1rtz0zaj4fnq4.zyns.com
www1.y-4an259ivs7vq4.zyns.com
www1.t8lkv8y4.zyns.com
www1.ycj49f-5.zyns.com
www1.o31omt35.zyns.com
www1.w032ang27l9d55.zyns.com
www1.x-96pxhseft8vo5.zyns.com
www1.p8yzcs8ch-6.zyns.com
www1.dhapuz06.zyns.com
www1.k-1m2fwr1zkha6.zyns.com
www1.rqc6n0zob6.zyns.com
www1.uicqviiewuukp6.zyns.com
www1.y4fyk9kw4e0lu6.zyns.com
www1.nbv4tzxo9452-7.zyns.com
www1.a6f4udb912c49-7.zyns.com
www1.ao3r3psunacd-7.zyns.com
www1.b7k6w2pnmz127.zyns.com
www1.i-vmtcr70kg2up7.zyns.com
www1.j-2qw3j92dq8x7.zyns.com
www1.yhxt4s4j78ry7.zyns.com
www1.frmbxxqc875pj-8.zyns.com
www1.axttts-8.zyns.com
www1.w-5z76xligg58.zyns.com
www1.scowhjo755l6d8.zyns.com
www1.br3u9dxxar5td8.zyns.com
www1.y5nxjxm8.zyns.com
www1.b6bu6gh1zcp8.zyns.com
www1.tnluwilt6mp2-9.zyns.com
www1.nnn17u67qzt219.zyns.com
www1.agdd43g049.zyns.com
www1.bcg6p4ctazktc9.zyns.com
www1.yoioas053gtbe9.zyns.com
www1.a-rra5zgikgcf9.zyns.com
www1.sx5egikt2kmqf9.zyns.com
www1.du3ikfh9.zyns.com
www1.f-5uhlm9.zyns.com
www1.xfrqbmljcp48n9.zyns.com
www1.r-aaqewzo8mp9.zyns.com
www1.jllt99r0v9.zyns.com
www1.uyi3rupgv9pdw9.zyns.com
www1.g8z0v3j7gwd7of.zyns.com
www1.v-1ou2ri1zrg0qf.zyns.com
www1.j02zhivh.zyns.com
www1.m0xqnb0l4j.zyns.com
www1.p5yte9ud3fbxbj.zyns.com
www1.o-2kuc2s8nkirik.zyns.com
www1.c58qlq5xcj0jrl.zyns.com
www1.v6r445h3ffl3m.zyns.com
www1.y-1gh1dkd6m.zyns.com
www1.b5sfmondbm.zyns.com
www1.d0mprkrn.zyns.com
www1.m8gnbsm902rx1p.zyns.com
www1.q-1nvlobckqmv9q.zyns.com
www1.j8o4hnar.zyns.com
www1.a4d2od4p7wyxas.zyns.com
www1.w2up72la0jj4fs.zyns.com
www1.p-7mmwht.zyns.com
www1.b-8zowxdx7c9mt.zyns.com
www1.x6nal9syket14u.zyns.com
www1.q7l2p44v81oyxw.zyns.com
www1.x-1qeru80ijr0yw.zyns.com
www1.k2o7ux378x.zyns.com
www1.y-34sc9n3kutsy.zyns.com
www1.q3nxdktdixzfzy.zyns.com
www1.t7nh3q177z.zyns.com