Showing posts with label Brazil.

Friday, 10 June 2016

Malware spam: ". CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46"

This Portuguese-language spam leads to malware:

From:    formacion@salesianos-madrid.com
Date:    10 June 2016 at 21:42
Subject:    . CARTÓRIO POSTAL. Apontamento de Protesto. 10/06/2016 17:42:46

We hereby inform you that the title attached below has been duly registered at this Notary Office in order to be protested.

Law No. 9.492 of 10 September 1997.
Art. 12. The protest shall be registered within three business days counted from the filing of the title or debt document.
§ 1 In counting the period referred to in the caput, the day of filing is excluded and the day of maturity is included.

Please attend bearing this summons, between 8:00 and 17:00


Regards, Liliane peixoto.

The link in the email message in this case goes to:

www.sugarsync.com/pf/D3259546_878_449109824?directDownload=true

This downloads an executable PROTESTO.exe with a VirusTotal detection rate of 15/56. Automated analysis [1] [2] [3] shows it dropping a further executable OViLQKDS.exe which has a detection rate of 16/56. Analysis of that [4] [5] [6] is inconclusive, but it looks like some kind of information stealer.

Friday, 22 April 2016

Malware spam: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

This fake Amazon email leads to malware. On some mail clients there may be no body text:

From: auto-shipping@amazon.co.uk Amazon.co.uk
To
Date: Fri, 22 Apr 2016 10:50:56 +0100
Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)

Dear Customer,

Greetings from Amazon.co.uk,

We are writing to let you know that the following item has been sent using  Royal Mail.

For more information about delivery estimates and any open orders, please visit: http://www.amazon.co.uk/your-account

Your order #525-2814418-9619799 (received April 22, 2016)


Your right to cancel:
At Amazon.co.uk we want you to be delighted every time you shop with us.  Occasionally though, we know you may want to return items. Read more about our Returns Policy at:  http://www.amazon.co.uk/returns-policy/

Further, under the United Kingdom's Distance Selling Regulations, you have the right to cancel the contract for the purchase of any of these items within a period of 7 working days, beginning with the day after the day on which the item is delivered. This applies to all of our products. However, we regret that we cannot accept cancellations of contracts for the purchase of video, DVD, audio, video games and software products where the item has been unsealed. Please note that we are unable to accept cancellation of, or returns for, digital items once downloading has commenced. Otherwise, we can accept returns of complete product, which is unused and in an "as new" condition.

Our Returns Support Centre will guide you through our Returns Policy and, where relevant, provide you with a printable personalised return label.  Please go to http://www.amazon.co.uk/returns-support to use our Returns Support Centre.

To cancel this contract, please pack the relevant item securely, attach your personalised return label and send it to us with the delivery slip so that we receive it within 7 working days after the day of the date that the item was delivered to you or, in the case of large items delivered by our specialist couriers, contact Amazon.co.uk customer services using the link below within 7 working days after the date that the item was delivered to you to discuss the return.

https://www.amazon.co.uk/gp/css/returns/homepage.html

For your protection, where you are returning an item to us, we recommend that you use a recorded-delivery service. Please note that you will be responsible for the costs of returning the goods to us unless we delivered the item to you in error or the item is faulty. If we do not receive the item back from you, we may arrange for collection of the item from your residence at your cost. You should be aware that, once we begin the delivery process, you will not be able to cancel any contract you have with us for services carried out by us (e.g. gift wrapping).

Please also note that you will be responsible for the costs of collection in the event that our specialist courier service collect a large item from you to return to us.

As soon as we receive notice of your cancellation of this order, we will refund the relevant part of the purchase price for that item.

Should you have any questions, feel free to visit our online Help Desk at:
http://www.amazon.co.uk/help

If you've explored the above links but still need to get in touch with us, you will find more contact details at the online Help Desk.

Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.

Thank you for shopping at Amazon.co.uk

-------------------------------------------------
Amazon EU S.à.r.L.
c/o Marston Gate
Ridgmont, BEDFORD MK43 0XP
United Kingdom
-------------------------------------------------

Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:



This dropped executable has a detection rate of 6/56. The Hybrid Analysis and DeepViz Analysis plus some data sourced from other parties (thank you) indicate that the malware calls back to the following IPs:

186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload here appears to be the Dridex banking trojan.

Recommended blocklist:
186.250.48.10
193.90.12.221
194.116.73.71
200.159.128.144


UPDATE 2016-04-26

Another identical round of this spam is being sent out, complete with the formatting error that prevents the body text being displayed on some email clients. VirusTotal detection rates for the two samples I have seen are 5/57 [1] [2]. Hybrid Analysis of the attachments [3] [4] shows download locations at:

shagunproperty.com/987gby8nn8
aysanatorganizasyon.com/987gby8nn8


A trusted source tells me there are other download locations at:



From here a binary is dropped on the system with a detection rate of 3/56. Those Hybrid analyses plus this DeepViz report show network traffic to:

176.9.113.216 (Hetzner, Germany)

Apparently there are C2 servers here:

186.250.48.10 (Redfox Telecomunicações Ltda, Brazil)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload still appears to be Dridex.

Recommended blocklist:
176.9.113.216
186.250.48.10
200.159.128.144


Thursday, 21 April 2016

Malware spam: "Dispatched Purchase Order" / FSPRD@covance.com

This fake financial spam does not come from Covance but is instead a simple forgery with a malicious attachment:

From:    FSPRD@covance.com
Reply-To:    donotreply@covance.com
Date:    21 April 2016 at 12:03
Subject:    Dispatched Purchase Order

Purchase Order, 11300 / 0006432242,  has been Dispatched.  Please detach and print the attached Purchase Order.

***Please do not respond to this e-mail as the mailbox is not monitored.
________________________________
Confidentiality Notice: In accordance with Covance's Data Classification Policy, this email, including attachment(s), is classified as Confidential or Highly Confidential. This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or dissemination of the content of this e-mail is strictly prohibited.

If you have received this e-mail transmission in error or this email is not intended for you, please delete or destroy all copies of this message in your possession and inform the sender. Thank you.

Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz, which is a compressed archive file containing in turn another archive file with a name like 5611205-19.04.2016.tar, and in that archive is a malicious script named in an almost identical format to the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56.

So far I have seen two versions of this script, downloading from:

mountainworldtreks.com/9uhg5vd3
secondary36.obec.go.th/9uhg5vd3


The downloaded binary is the same in both cases. This Hybrid Analysis and DeepViz Analysis indicate network traffic to:

193.90.12.221 (MultiNet AS, Norway)
194.116.73.71 (Topix, Italy)
64.76.19.251 (Impsat, Argentina)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload appears to be the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
194.116.73.71
64.76.19.251
200.159.128.144

Malware spam: "BalanceUK_INVOICE_X002380_1127878" / adminservices@grouphomesafe.com

This fake financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:

From:    adminservices@grouphomesafe.com
Date:    21 April 2016 at 10:33
Subject:    "BalanceUK_INVOICE_X002380_1127878"

Thank you for placing your order with BalanceUK Ltd

Please find attached your document.

BalanceUK Limited,
30-32 Martock Business Park,
Great Western Road,
Martock,
Somerset,
TA12 6HB

Email: Balanceuk.orders@erahomesecurity.com
Tel: 01935 826 960
Fax: 01935 829 215


***  Please do not reply to this email address  ***

Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56.

This malicious script [pastebin] downloads an executable from:

dd.ub.ac.id/9uhg5vd3

There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56. The Hybrid Analysis of the dropped binary shows network traffic to:

193.90.12.221 (MultiNet AS, Norway)
200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)


The payload is not clear, but is probably the Dridex banking trojan.

Recommended blocklist:
193.90.12.221
200.159.128.144


Wednesday, 17 February 2016

Malware spam: Fwd:Accumsan Neque LLC Updated Invoice / Please turn on the Edit mode and Macroses!

This malware spam may come from several different companies, but I have only a single sample. It is notable for the mis-spelling of "Macros" as "Macroses" in the document.

From:    Fletcher Oliver [angel@jiahuan.com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice

Good morning

Please check the bill in attachment. In order to avoid fine  you have to pay in 12 hours.

Best regards

Fletcher Oliver
Accumsan Neque LLC

Attached is a document Q7FX9ZH.doc with the distinctive text Attention! To view this document, please turn on the Edit mode and Macroses!

Needless to say, enabling Edit mode and Macroses is a Very Bad Idea. The VirusTotal detection rate for this file is just 2/54. Hybrid Analysis [1] [2] shows that the macro first downloads from:

www.design-i-do.com/mgs.jpg?OOUxs4smZLQtUBK=54

This looks to be an unremarkable JPEG file.

(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created [pastebin] and a malicious EXE file is dropped with a VirusTotal result of 7/54.

Automated analysis of the dropped binary [1] [2] shows that it phones home to:

216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)

I strongly recommend that you block traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan.

Tuesday, 19 January 2016

Malware spam: "Thank you for purchasing from Cheaper Travel Insurance - 14068156"





This fake financial spam comes with a malicious attachment:


From     info17@Resellers.insureandgo.com
Date     Tue, 19 Jan 2016 14:27:06 +0530
Subject     Thank you for purchasing from Cheaper Travel Insurance - 14068156


Your policy number: MF/CP/205121/14068156


Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156



Insurance is arranged by Insure & Go Insurance Services Ltd who are authorised and regulated by the Financial Conduct Authority. Insure & Go Insurance Services Ltd Registered Address: 10th Floor Maitland House, Warrior Square, Southend-on-Sea, Essex SS1 2JY. Registered in England and Wales (Company Number: 04056769). Calls may be recorded and monitored.

The sender appears to be from info[some-random-number]@Resellers.insureandgo.com, but it is just a simple forgery. Attached is a malicious Word document that I have seen five different versions of (VirusTotal results [1] [2] [3] [4] [5]).

The Malwr reports on the samples [1] [2] [3] [4] [5] show download locations as:

www.cnbhgy.com/786585d/08g7g6r56r.exe
seaclocks.co.uk/786585d/08g7g6r56r.exe
mosaicambrosia.com/786585d/08g7g6r56r.exe

This has a VirusTotal result of 3/54. The Malwr and VirusTotal reports combined with this Hybrid Analysis show traffic to:



The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign.

Dropped file MD5:
bbb091c44cb44dd348b8745590b2d9dd
4f272b8af966ccd73880888015d87e40



UPDATE

The payload has now changed to one with an MD5 of 4f272b8af966ccd73880888015d87e40 and a detection rate of 2/54. The Malwr report indicates that the network behaviour is pretty much the same.

Tuesday, 15 December 2015

Malware spam: "Invoice Attached" / "Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp."

This fake financial spam has a malicious attachment:

From:    Ernestine Harvey
Date:    15 December 2015 at 11:34
Subject:    Invoice Attached

Good morning,

Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.

Thank you!

Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.

The sender name varies randomly, but every email is signed "Mr." even when the name is female, for example:

Mr. Colleen Sheppard
Mr. Joel Small
Mr. Esther Gates
Mr. Devin Joyce
Mr. Todd Robertson

The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54, and the macro looks something like this.

An analysis of five of the attachments [1] [2] [3] [4] [5] shows attempted downloads from:

modern7technologiesx0.tk/x1656/dfiubgh5.exe
forbiddentextmate58.tk/x1656/ctruiovy.exe
temporary777winner777.tk/x1656/fdgbh44b.exe
former12futuristik888.tk/x1656/fdgjbhis75.exe


Note that these are all .TK domains, and they are all hosted on exactly the same server, 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP gives another malicious domain of:

servicexmonitoring899.tk

I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.

Anyway, the downloaded binary has a VirusTotal detection rate of 4/55 and the comments indicate that rather surprisingly this is the Nymaim ransomware. The Hybrid Analysis indicates network traffic to xnkhfbc.in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:



There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.






UPDATE

A source tells me (thank you) that servicexmonitoring899.tk is now resolving to 78.129.252.19 (iomart, UK), which has also recently hosted the following domains:


Some of these domains are associated with Rovnix.

Thursday, 18 June 2015

Malware spam: "NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693" / "sac.contact4e74974737@bol.com.br"

This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

From:    sac.contact4e74974737@bol.com.br
To:    mariomarinho@uol.com.br
Date:    18 June 2015 at 08:46
Subject:    NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by:    bol.com.br

Hello.
We are forwarding the LINK to download the electronic invoice.
https://cfb53a79c1679ed75e40a391fa21b9b359784781.googledrive.com/host/[redacted]

If any of the details are wrong, please reply to us at nfe@jmcomercio.com.br.

 Regards, DANI AIRES FINANCE DEPT.

18/06/15 :
04:46:18.161 :
''8636055042''WTg9R9cng3hYUD''RYkSkcFpJs''
Please do not "reply" to this message.

The reference numbers and sender change slightly in each version.

I've seen three samples before, each one with a different download location [a list is here] which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57. Comments in that report indicate that this may be the Spy.Banker trojan.

The Malwr report indicates that it downloads components from the following locations:

http://donwup2015.com.br/arq/point.php
http://tynly2015.com.br/upt/ext.zlib

The Hybrid Analysis report also has some other details.

These sites are hosted on:

108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)

The VirusTotal report for both these IPs [1] [2] shows a high level of badness, so they should be blocked.

Furthermore, Malwr shows that it drops a file with a detection rate of 2/57. As yet, I have only tested this on Malwr and it fails to run.

Recommended blocklist:
108.167.188.249
187.17.111.104

MD5s:
71070bc5e6b5c03c2e1d1ef4563c7b94
b969376c85d4e7f1a94ca3a2e416792e

Monday, 11 August 2014

"Ministerio Publico federal 11 08 2014 07:35" spam / informativoministeriopublico.info

This Portuguese-language spam originates from a Brazilian IP address and has a somewhat convincing domain of informativoministeriopublico.info - but in fact it simply leads to a malicious attachment.

From:     [victim]
To:     [victim]
Date:     11 August 2014 14:33
Subject:     Ministerio Publico federal 11 08 2014 07:35



VIEW-MPF-CASE
Avast, NOD Security Scan, 100% Safe.
The link in the email goes to a bit.ly address that forwards to [donotclick]informativoministeriopublico.info/2014-20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAAqid=20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAA.html which has garnered a fair number of clicks according to the bit.ly statistics:

From there the victim goes to a download page (it tries to start automatically) which downloads MPF-747-53.2014.5.01.0466.pdf.zip which contains a malicious executable MPF-747-53.2014.5.01.0466.pdf.cpl which has a VirusTotal detection rate of 16/54.
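The double-extension trick here (.pdf.zip holding a .pdf.cpl) and the archive-in-archive layouts from the Covance post (.tgz containing a .tar containing a .js) and the BalanceUK post (.zip in .zip with a .js inside) can all be caught by unpacking attachments in memory before they reach a user. The scanner below is an added example, my own code rather than anything from the blog or the analysis services it cites; the sample archives are harmless placeholders constructed to mirror those naming patterns, and the extension sets and nesting limit are my own assumptions.

```python
import io
import tarfile
import zipfile
from typing import Iterator

# Inner file types the posts describe: a JScript dropper (.js) buried two archives
# deep, and a Control Panel applet (.cpl) wearing a fake ".pdf" extension.
# The extension sets below are my own assumption, not taken from the posts.
EXEC_EXTS = {".js", ".jse", ".vbs", ".wsf", ".cpl", ".exe", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg"}
MAX_DEPTH = 4  # stop unpacking archive-in-archive chains deeper than this

def classify_name(name: str) -> list[str]:
    """Return the reasons a member name looks suspicious (empty list if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    reasons = []
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append(f"executable content {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXEC_EXTS:
        reasons.append(f"double extension {exts[-2]}{exts[-1]}")
    return reasons

def _members(data: bytes) -> Iterator[tuple[str, bytes]]:
    """Yield (name, bytes) for each regular file in a zip or (compressed) tar blob."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
        return
    buf.seek(0)
    try:
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()
    except tarfile.TarError:
        return  # neither zip nor tar: a leaf such as the .js or .cpl itself

def walk_archive(name: str, data: bytes, depth: int = 0) -> Iterator[tuple[str, list[str]]]:
    """Unpack nested archives in memory, yielding (path, reasons) for each flagged member."""
    if depth > MAX_DEPTH:
        yield name, [f"archive nested deeper than {MAX_DEPTH} levels"]
        return
    for member_name, member_data in _members(data):
        path = f"{name} -> {member_name}"
        reasons = classify_name(member_name)
        if reasons:
            yield path, reasons
        yield from walk_archive(path, member_data, depth + 1)

def scan(name: str, data: bytes) -> list[tuple[str, list[str]]]:
    """Scan one attachment (outer filename plus bytes) and return every flagged path."""
    outer = classify_name(name)
    hits = [(name, outer)] if outer else []
    hits.extend(walk_archive(name, data))
    return hits

# Constructed, harmless stand-ins for the attachment layouts the posts describe.
def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, payload in entries.items():
            zf.writestr(member, payload)
    return buf.getvalue()

def _tar_bytes(entries: dict[str, bytes], mode: str = "w:gz") -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tf:
        for member, payload in entries.items():
            info = tarfile.TarInfo(name=member)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def constructed_samples() -> dict[str, bytes]:
    """Placeholder contents that only mimic the naming patterns; nothing here is malicious."""
    js = b"// placeholder text, not the real downloader script\n"
    cpl = b"placeholder text, not a real Control Panel applet\n"
    return {
        # Covance post: .tgz -> .tar -> .js
        "0006432242.tgz": _tar_bytes(
            {"5611205-19.04.2016.tar": _tar_bytes({"5611205-19.04.2016.js": js}, mode="w")}),
        # BalanceUK post: .zip -> .zip -> .js
        "BalanceUK_X271897_1127878.zip": _zip_bytes(
            {"4812610-20.04.2016.zip": _zip_bytes({"4812610-20.04.2016.js": js})}),
        # Ministerio Publico post: .pdf.zip -> .pdf.cpl
        "MPF-747-53.2014.5.01.0466.pdf.zip": _zip_bytes(
            {"MPF-747-53.2014.5.01.0466.pdf.cpl": cpl}),
        # benign control: a single zip holding a document
        "invoice.zip": _zip_bytes({"invoice.pdf": b"%PDF-1.4 placeholder\n"}),
    }

if __name__ == "__main__":
    for attachment, blob in constructed_samples().items():
        print(attachment, scan(attachment, blob) or "clean")
```

The depth limit matters in practice: a gateway that unpacks recursively without one can be tied up by a deliberately deep archive chain.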

This trojan downloads other components, although at the moment I am not sure what (you can guarantee it will be nothing good).

The malware site informativoministeriopublico.info has been created specifically for this purpose with anonymous registration details, and is hosted on 192.3.129.10 (ClearVPS / ColoCrossing, US). This IP address has been used for a number of other similar sites:

informativoministeriopublico.info
spc-cobrancas.net
ministeriopublico.net
serasaexperian.biz

The 192.3.129.0/25 range has some questionable sites in it, and you might want to block the whole lot as a precaution. You should definitely block 192.3.129.10 though. 

The originating IP is 200.219.245.194 (Alog-02 Solucoes De Tecnologia Em Informatica S.a., Brazil). The presence of a Brazilian IP address as the sender is interesting, because it does make the email look more legitimate if the headers are examined.


Sunday, 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang; some of them appear to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.


Friday, 25 October 2013

Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.




Monday, 14 October 2013

Malware sites to block 14/10/2013

It's been a while since I trawled around the activities of the "Amerika" gang, but here is a new set of malicious domains and IPs to block, replacing this list.


Tuesday, 24 September 2013

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang; this list replaces last week's.

5.135.42.104 (OVH, Netherlands)
24.111.103.183 (Midcontinent Media, US)
24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
37.221.163.174 (Voxility SRL, Romania)
42.121.84.12 (Aliyun Computing Co, China)
46.32.47.24 (Syd Energi, Denmark)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
69.94.163.22 (Region 18 Education Service Center, US)
69.163.40.39 (DirectSpace LLC, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
79.190.173.125 (TPNET, Poland)
81.28.199.18 (KNET, France)
84.52.66.244 (West Call Ltd, Russia)
85.246.142.214 (PT Comunicacoes, Portugal)
91.220.77.83 (NTH Media, Switzerland)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
109.71.136.140 (OpWan, France)
123.183.210.42 (China Telecom, China)
125.20.14.222 (Price Water House Cooperation, India)
153.127.243.80 (Kagoya Japan Corporation, Japan)
163.32.78.2 (TANET, Taiwan)
174.142.186.89 (iWeb, Canada)
184.82.233.29 (Network Operations Center, US)
186.3.101.235 (Clientes Quito, Ecuador)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
194.44.93.219 (UARNet, Ukraine)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
199.175.49.118 (VPS Cheap, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
216.218.208.55 (Hurricane Electric, US)
223.30.27.251 (Sify Limited, India)
220.68.231.30 (Hansei University, Korea)

5.135.42.104
24.111.103.183
24.173.170.230
32.64.143.79
37.153.192.72
37.221.163.174
42.121.84.12
46.32.47.24
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
69.94.163.22
69.163.40.39
77.123.54.28
79.190.173.125
81.28.199.18
84.52.66.244
85.246.142.214
91.220.77.83
95.111.32.249
103.20.166.67
109.71.136.140
123.183.210.42
125.20.14.222
153.127.243.80
163.32.78.2
174.142.186.89
184.82.233.29
186.3.101.235
186.251.180.205
187.60.172.18
194.44.93.219
194.158.4.42
198.71.90.239
199.175.49.118
208.52.185.178
208.115.114.69
211.71.99.66
216.218.208.55
223.30.27.251
220.68.231.30
24kstudio.net
achrezervations.com
acomboramboarmiab722.net
aconsturcioneoftherive677.net
acormushkivsenamizv992.net
airfare-ticketscheap.com
aristonmontecarlo.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
consistingsec.net
cremenatthemomenter56.net
crovvirnskieertater55.net
crovviyyyyyyuutater90.net
curse.su
deepsealinks.com
demuronline.net
diggingentert.com
dropdistri-butions.net
dulethcentury.net
ehtiebanishkeobprienrt25.net
ejanormalteene250.com
ejanormatoone240.com
elvisalive4ever.com
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
exeteenofthemid74.com
explorerlikem.com
fdic.gov.horse-mails.net
gigiandrose-sf.net
gjoonalitikeer310.com
gjoonanalitik300.com
glums.net
goodnoontoon11.net
gormonigraetnapovalahule26.net
grannyhair.ru
gromovierashodyna73.net
hdmltextvoice.net
higherpricedan.com
horse-mails.net
hotsuperfilms.com
infomashe.com
instotsvin.ru
isightbiowares.su
joyrideengend.net
kolopeto.net
lights-awake.net
loreddiverting.su
macache.net
maxichip.com
micnetwork100.com
mobile-unlocked.net
mssoft.in.net
multiachprocessor.com
myaxioms.com
nacha.org.smscente.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
ollerblogging.net
ordersdeluxe.com
outcastii.com
oversearadios.net
pardus-wiki.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
smartsecureconnect.com
smscente.net
softwareup.pw
spottingculde.com
stjamesang.net
techno-arena.net
thefastor.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.ejanormalteene250.com
www.fdic.gov.horse-mails.net
www.gjoonalitikeer310.com
www.nacha.org.demuronline.net
www.nacha.org.smscente.net
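Each of these posts carries three kinds of entry: IPs annotated with owner and country, the same IPs repeated bare for copy-and-paste, and hostnames, several of which stack a real brand's domain (nacha.org, fdic.gov, irs.gov, paypal.com) as leading labels in front of the gang's own domain, so the thing to block is the apex the gang controls, not the fake brand prefix. Since each list "replaces" the previous week's, the useful diff is what was added and what was dropped. The Python below is an added example, not code from this blog: it parses a post in this layout, reduces every hostname to its apex, diffs the IPs against the previous post, and flags the brand-stacked hostnames. The sample input is a constructed handful of lines from the 24/9/2013 and 17/9/13 posts; the brand list and the two-label suffix table are assumptions for illustration.

```python
"""Added example: parse a "Malware sites to block" post (annotated IPs, the bare
IP/CIDR repeat and hostnames), diff it against the post it replaces, reduce each
hostname to the apex domain worth blocking, and flag hostnames that stack a
brand's domain (nacha.org, fdic.gov, ...) in front of the gang's own domain."""
import ipaddress
import re
from collections import namedtuple

ANNOTATED = re.compile(r"^(\S+)\s*\((.+)\)\s*$")  # "1.2.3.4 (Org, Country)"
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)
# Brands seen stacked as leading labels in these posts (assumption: extend as needed).
BRANDS = sorted({"nacha.org", "fdic.gov", "irs.gov", "paypal.com", "facebook.com", "linkedin.com",
                 "pinterest.com", "walmart.com", "redsox.com", "quill.com", "tigerdirect.com"})
TWO_LABEL_SUFFIXES = {"in.net", "co.uk"}  # assumption; real use needs the Public Suffix List
IpEntry = namedtuple("IpEntry", "network org country")  # network is "a.b.c.d" or "a.b.c.0/24"


def parse_post(text):
    """Return ({ip_or_cidr: IpEntry}, {hostname}) from the mixed lines of one post."""
    ips, hosts = {}, set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = ANNOTATED.match(line)
        if m:  # "Org, Country": the org itself may contain commas, so split on the last one
            target, (org, _, country) = m.group(1), m.group(2).rpartition(",")
        else:
            target, org, country = line, "", ""
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:  # not an address: keep it only if it is a bare hostname
            if not m and HOSTNAME.match(line):
                hosts.add(line.lower())
            continue
        key = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if key not in ips or org:  # an annotated record wins over the bare repeat
            ips[key] = IpEntry(key, org.strip(), country.strip())
    return ips, hosts


def apex(host):
    """Registrable domain to block: drops www and any stacked brand labels."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def impersonated_brand(host):
    """Brand whose domain appears as labels inside HOST without being its apex
    (nacha.org.smscente.net -> "nacha.org"); None when nothing is stacked."""
    padded = f".{host.lower()}."
    return next((b for b in BRANDS if b != apex(host) and f".{b}." in padded), None)


def _net_key(entry):
    return ipaddress.ip_network(entry, strict=False)


def build_blocklist(current_text, previous_text=""):
    """Blocklist for the current post plus what changed since the one it replaces."""
    ips, hosts = parse_post(current_text)
    prev_ips, _ = parse_post(previous_text)
    return {
        "ips": sorted(ips, key=_net_key),
        "domains": sorted({apex(h) for h in hosts}),
        "new_ips": sorted(set(ips) - set(prev_ips), key=_net_key),
        "dropped_ips": sorted(set(prev_ips) - set(ips), key=_net_key),
        "impersonations": {h: b for h in sorted(hosts) if (b := impersonated_brand(h))},
    }


def render(blocklist):
    """One entry per line, IPs/CIDRs first then apex domains, as the posts do."""
    return "\n".join(blocklist["ips"] + blocklist["domains"]) + "\n"


# Constructed samples: a few lines from the 24/9/2013 post and from the 17/9/13 post it replaces.
CURRENT_POST = """
5.135.42.104 (OVH, Netherlands)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
220.68.231.30 (Hansei University, Korea)
5.135.42.104
58.68.228.148
fdic.gov.horse-mails.net
mssoft.in.net
nacha.org.smscente.net
www.nacha.org.smscente.net
www.ejanormalteene250.com
"""
PREVIOUS_POST = """
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
66.230.163.86 (Goykhman and Sons LLC, US)
220.68.231.30 (Hansei University, Korea)
irs.gov.successsaturday.net
"""

if __name__ == "__main__":
    result = build_blocklist(CURRENT_POST, PREVIOUS_POST)
    print(render(result), end="")
    print("# new:", result["new_ips"], "dropped:", result["dropped_ips"], result["impersonations"])
```

Two caveats when using this against a live list. Apex blocking is right for domains the gang registered itself, but on a shared suffix such as in.net (see mssoft.in.net) it would also take out every other tenant, which is why the stand-in suffix table should be replaced by the Public Suffix List before the output goes into a resolver. And the impersonation check only catches stacked-label hosts; lookalike apexes such as nacha-ach-processor.com are not flagged, but they still appear in the apex list and get blocked.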

Tuesday, 17 September 2013

Malware sites to block 17/9/13

This set of malicious IPs and domains is associated with this gang, and the list replaces the last one published here.

24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
83.148.208.151 (Salon Seudun Puhelin Oy, Finland)
84.52.66.244 (West Call Ltd, Russia)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
112.124.55.133 (Hangzhou Alibaba Advertising Co.,Ltd., China)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
119.78.243.74 (CSTNET, China)
125.20.14.222 (Price Water House Cooperation, India)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
153.127.243.80 (Kagoya Japan Corporation, Japan)
159.226.51.161 (CSTNET, China)
172.245.62.181 (Colocrossing, US)
173.230.130.69 (Linode, US)
174.142.186.89 (iWeb Technologies, Canada)
178.33.132.103 (OVH, France)
178.239.180.211 (Enter S.r.l., Italy)
184.82.233.29 (Network Operations Center, US)
185.19.95.170 (TTNETDC, Turkey)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
192.210.198.198 (Valley Host, US)
192.237.186.71 (Rackspace, US)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.180.134.20 (Suddenlink Communications, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
212.169.49.234 (Claranet, UK)
216.218.208.55 (Hurricane Electric, US)
220.68.231.30 (Hansei University, Korea)
223.30.27.251 (Sify Limited, India)

Blocklist:
24.173.170.230
32.64.143.79
37.153.192.72
42.121.84.12
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
66.230.163.86
66.230.190.249
77.123.54.28
83.148.208.151
84.52.66.244
95.87.1.19
95.111.32.249
103.20.166.67
112.124.55.133
115.78.233.220
115.160.146.142
119.78.243.74
125.20.14.222
141.20.102.73
153.127.243.80
159.226.51.161
172.245.62.181
173.230.130.69
174.142.186.89
178.33.132.103
178.239.180.211
184.82.233.29
185.19.95.170
186.251.180.205
187.60.172.18
192.210.198.198
192.237.186.71
194.158.4.42
198.71.90.239
208.52.185.178
208.180.134.20
211.71.99.66
212.169.49.234
216.218.208.55
220.68.231.30
223.30.27.251
achrezervations.com
aconsturcioneoftherive677.net
airfare-ticketscheap.com
aristonmontecarlo.net
berylhowell.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
clothestaxact.com
consistingsec.net
crovliivseoslniepodmore83.net
crovniedelamjdusaboye73.net
crovvirnskieertater55.net
deepsealinks.com
demuronline.net
diggingentert.com
dotier.net
dulethcentury.net
ehnihjrkenpj.ru
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
ermiarmirovanieyye46.net
ermitajnierisunkiane45.net
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
fiscdp.com.airfare-ticketscheap.com
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germoshanyofthesity72.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
grannyhair.ru
gromovierashodyna73.net
gstarstats.ru
hdmltextvoice.net
higherpricedan.com
imagoindia.net
infomashe.com
irs.gov.successsaturday.net
isightbiowares.su
joyrideengend.net
kneeslapperz.net
lacave-enlignes.com
lights-awake.net
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mirrorsupply.com
mobile-unlocked.net
multiachprocessor.com
myaxioms.com
nacha.org.samsung-galaxy-games.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
onsayoga.net
ordersdeluxe.com
oversearadios.net
perkindomname.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
samsung-galaxy-games.net
smartolen.com
smartsecureconnect.com
softwareup.pw
spottingculde.com
stjamesang.net
successsaturday.net
taltondark.net
theamberroomct.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vineostat.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net

Monday, 9 September 2013

Malware sites to block 9/9/13

These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Tuesday, 13 August 2013

Malware sites to block 13/8/13

These IPs and domains belong to this gang, and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Tuesday, 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs related to this bunch.

61.150.109.186 (China Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
178.88.64.149 (Kazakh Telecom, Kazakhstan)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
190.55.85.133 (Telecentro S.A., Argentina)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
200.185.230.32 (Ajato Telecomunicacao Ltda, Brazil)
202.197.127.42 (CERNET, China)
218.92.160.138 (Funing Tianlong Netbar, China)

61.150.109.186
91.199.149.0/24
91.204.162.81
91.204.162.96
91.216.163.92
178.88.64.149
185.5.99.145
185.8.106.161
190.55.85.133
192.162.19.0/24
200.185.230.32
202.197.127.42
218.92.160.138
1bqmv6ir.tabletmedicinert.com
1n77x6up.mediastoreplus.com
54djq7gs.tabletmedicinert.com
5n2f.mediastoreplus.com
6tpvvfwl.mediastoreplus.com
6un8dtnf.mediastoreplus.com
7geh.mediastoreplus.com
8u4lrx6.mediastoreplus.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
avagdezc.net
biotechealthcarepills.pl
boschwelness.com
caloriesviagra.com
canadaipad.com
canadaviagracanadas.com
canadaviagracent.com
canadiancanada.com
canadian-pharmacy-ltd.org
carerxpatient.com
coopaq.ru
d5pz5c35.tabletmedicinert.com
d8chph3.mediastoreplus.com
dacl3uy1.tabletmedicinert.com
deii.ru
dieein.com
dietarymeds.com
dietwelweight.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
eari.ru
familymedicinerx.com
finding.dietpillgenerics.com
genericswelloch.com
ghwfloaf.com
gied.ru
gtyktdli.com
healthcarebiotechnology.net
hece.ru
herbalburdette.com
herbalprescriptiondrugs.com
htta.ru
iald.ru
in.taxwelnesslevitra.com
inningmedicare.pl
isoe.ru
jmwxxvyj.com
joam.ru
judact.ru
jx5nqjzf.tabletmedicinert.com
kindredhealthcaretab.pl
knei.ru
knr78b16.tabletmedicinert.com
korsinskytrarx.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanamedicalviagra.com
marl.myherbalpharmacy.com
mbid.ru
mediastoreplus.com
medicaltabgroup.com
medicaresupplementrx.net
medicinetabletsurface.com
medicinevitamin.com
mediterraneanpharmacydiet.com
medopioid.pl
medsherbalbosch.nl
myherbalpharmacy.com
myviagragenerics.pl
newpillcialis.eu
nmvwta.mediastoreplus.com
nrytgyxvom.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pharmedtransplant.com
phof.ru
pillcanadian.com
pillgenericsgroup.com
pillsmedicinepatients.com
pillssmartrend.com
pillsstreetinsider.com
pillstabletspharmacy.ru
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
rggrjipn.com
ruld.ru
satishmeds.pl
siew.ru
skah.ru
smartrendsale.com
sutasu.ru
tabletcareandroid.nl
tabletmedicaid.pl
tlar.ru
tmedf7c4j.mediastoreplus.com
torontotab.pl
tuo.mediastoreplus.com
tys.mediastoreplus.com
u0s3oqf6.tabletmedicinert.com
uney.ru
virv.ru
vitaminnutritionherbal.com
vomise.ru
welnessnsmt.com
wroo.ru
xior.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru

Wednesday, 31 July 2013

"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar

This terse Portuguese-language spam has a malicious attachment:

From:     Adriane Camargo. [adriane@yahoo.com.br]
Date:     29 July 2013 20:59
Subject:     Documento importante : 5039403 !!

File : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)

The link in the email goes through a legitimate hacked site and then downloads a RAR file from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/Planilha-Documento.docx_.rar, which has a VirusTotal detection rate of 17/46 and is identified as a trojan downloader.

According to Anubis, the malware then attempts to download additional components from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/ie.exe, but that request appears to return a 403 error.

Other analyses are pending. Update: here is an analysis from Comodo CAMAS.

Friday, 5 July 2013

EBC "Password Reset Confirmation" spam / paynotice07.net

This fake password reset spam leads to malware on paynotice07.net:

From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available Monday - Friday, 8 AM to 8 PM CST.

This is an automated message, please do not reply. Your message will not be received.
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************ 
The link goes through a legitimate hacked site and ends up on a payload at [donotclick]paynotice07.net/news/must-producing.php (report here) hosted on the following IPs:

189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)

Blocklist:
189.84.25.188
202.28.69.195
afabind.com
aniolyfarmacij.com
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com