Sponsored by..

Saturday 26 July 2014

"PLEASE SEND PI" spam / something evil on

"PI" in this case seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.

Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
Subject:      PLEASE SEND PI


Regarding our previous conversation about our urgent purchase, kindly
find attached PI and let us know if the quantity can fit in 40ft
kindly revise the Proforma invoice so that we can proceed with an
advance payment as agreed.

We look forward to your urgent response with revised proforma invoice.

Thks & Rgds,
Tel : 0097143205171
Fax : 0097143377150 
It sounds like a fiendish maths question from an obscure exam. How much Π can you fit in a 40ft container? Anyway, the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53. The ThreatExpert report [pdf] and ThreatTrack report [pdf] show that the malware phones home to walex2.ddob.us/sddob/gate.php on (OVH Canada reassigned to Big Kesh, LLC, US).

Looking at the domains registered on and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs:

walex.ddob.us [1]
dino.ddob.us [2] [3]
walex2.ddob.us [4]
robert.xiga.us [5]
daniel.ddob.us [6]
robert.ddob.us [7]
frannky.ddob.us [9]
sayee.ddob.us [10]
dino.ddob.us [11] [12]

I think this is enough evidence to block the entire as a precaution (although there do appear to be a small number of legitimate sites too). For the record, this is suballocated to:

NetRange: -
OriginAS:       AS16276
NetName:        OVH-CUST-445017
NetHandle:      NET-198-27-110-192-1
Parent:         NET-198-27-64-0-1
NetType:        Reassigned
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/net/NET-198-27-110-192-1

CustName:       Big Kesh, LLC
Address:        1077 Jearsey ln ne
City:           Palm Bay
StateProv:      FL
PostalCode:     32905
Country:        US
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/customer/C04889220

In the case of Big Kesh LLC I will be charitable and assume that this behaviour is happening without their consent.

The domains xiga.us and ddob.us appear to be used for purely malicious purposes, so I recommend that you block them. The registrant details are probably fake but here they are:

Registrant ID:                               06BFAFB5641FA567
Registrant Name:                             Xieng Hyua
Registrant Address1:                         Red Bulevard
Registrant City:                             North Bergen
Registrant State/Province:                   NJ
Registrant Postal Code:                      07047
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6874598745
Registrant Email:                            xiga@fbi.al
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Registrant ID:                               0121C76442E2ED55
Registrant Name:                             Jackson Togan
Registrant Address1:                         Zhongzeng District 100
Registrant City:                             Zhongzeng District
Registrant State/Province:                   Zhongzeng District
Registrant Postal Code:                      100
Registrant Country:                          TAIWAN, PROVINCE OF CHINA
Registrant Country Code:                     TW
Registrant Phone Number:                     +92.68974568
Registrant Email:                            jackson.togan@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11

Recommended blocklist:

No comments: