Thursday, 1 March 2012
DINETHOSTING / curvecheese.com
DINETHOSTING aka Digital Network JSC are a large Russian host that regularly hosts malware sites. Yesterday I came across the domain curvecheese.com (85.192.45.83) being used in a malicious spam run. This is in the block 85.192.32.0/20 allocated to this host.
I tend to block DINETHOSTING ranges as soon as I see malware on them. If you are blocking this host, I would recommend you add 85.192.32.0/20 to your blocklist.
Labels: DINETHOSTING, Russia
Tuesday, 10 January 2012
Redret domains to block 10/1/12
After a quiet couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.
46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru
46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru
67.215.3.153 (GloboTech Communications, California)
ckredret.ru
79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru
79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru
91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru
94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru
109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru
No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
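As an added illustration (not part of the original post), the Python below checks web-proxy records against the CIDR ranges recommended in the list above and against the naming pattern of the Redret domains. The log lines are constructed for the example and the simplified "client dst_ip host path" record format is an assumption.

```python
import ipaddress
import re

# Ranges the post above recommends blocking, with the host each belongs to.
BLOCKED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "79.137.224.0/20",   # Digital Network JSC aka DINETHOSTING
    "89.208.32.0/19",    # Digital Network JSC aka DINETHOSTING
    "95.163.64.0/19",    # Digital Network JSC aka DINETHOSTING
    "91.220.35.0/24",    # Zamanhost
    "91.222.136.0/22",   # Delta-X Ltd
)]

# Naming pattern of the Redret family seen in the list: two letters followed by
# "redret.ru" (e.g. cgredret.ru) or one letter followed by "redirect.ru"
# (e.g. aredirect.ru).
REDRET_RE = re.compile(r"^(?:[a-z]{2}redret|[a-z]redirect)\.ru$")


def ip_in_blocked_range(ip: str):
    """Return the blocked CIDR containing ip as a string, or None.

    Invalid addresses (a hostname where an IP was expected, a truncated
    field) are treated as 'not matched' rather than crashing the scan.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in BLOCKED_RANGES:
        if addr in net:
            return str(net)
    return None


def is_redret_domain(host: str) -> bool:
    """True if host follows the Redret naming pattern (trailing dot ignored)."""
    return REDRET_RE.match(host.lower().rstrip(".")) is not None


# Constructed proxy records (not real logs): client, destination IP, host, path.
SAMPLE_LOG = """\
10.0.0.5 79.137.237.68 cgredret.ru /main.php
10.0.0.7 93.184.216.34 example.com /index.html
10.0.0.9 89.208.34.116 aredirect.ru /main.php
10.0.0.9 203.0.113.7 redret.ru /
"""


def scan_log(text: str):
    """Return (client, dst_ip, host, reason) for every record that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed record; skip rather than guess
        client, dst_ip, host, _path = fields
        reasons = []
        net = ip_in_blocked_range(dst_ip)
        if net:
            reasons.append(f"dst in {net}")
        if is_redret_domain(host):
            reasons.append("redret-pattern host")
        if reasons:
            hits.append((client, dst_ip, host, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Matching on both the destination range and the domain pattern catches a Redret site even after it moves to an IP that is not yet on the list.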
Thursday, 22 December 2011
NACHA Spam / cgredret.ru
More NACHA spam, this time pointing to cgredret.ru (which we've seen before), which delivers a malicious payload.
cgredret.ru has moved since yesterday and is now on 79.137.237.68. Unsurprisingly, it is now on Digital Network JSC in Russia (aka DINETHOSTING). Block access to 79.137.224.0/20 if you can.
Date: Thu, 22 Dec 2011 03:37:35 +0530
From: "NACHA"
Subject: ACH Transfer rejected
ACH transaction, initiated from your checking account, was canceled.
Canceled transaction:
Transfer ID: B2793447923US
Transfer Report: View
GALINA Gunter
NACHA - The Electronic Payment Association
Wednesday, 21 December 2011
*redirect.ru sites to block
These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.
109.70.26.36 (Parked)
iredirect.ru
89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru
91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
Labels: BBB, DINETHOSTING, Redret, Russia, Ukraine
a*redret.ru domains to block
More malware domains to block, being promoted through malicious spam emails:
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
91.220.35.38 (Zamanhost, Ukraine. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
No IP allocated
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
Labels: DINETHOSTING, Malware, Russia, Ukraine, Viruses
b*redret.ru domains to block (updated)
Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.
89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru
91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru
94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru
95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru
No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
Labels: Bulgaria, DINETHOSTING, Redret, Russia
Tuesday, 20 December 2011
c*redret.ru sites to block (updated)
These "Redret" domains serve up malware and are promoted by spam; some of them have moved around since last week, so consider this an updated list.
46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru
79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru
79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru
91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]
206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru
Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
Labels: DINETHOSTING, Redret, Russia, Serverius, Ukraine, UkrStar ISP
Thursday, 15 December 2011
Fake Facebook spam / caredret.ru
More toxic spam.
In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can; there is nothing legitimate hosted here.
Date: Thu, 15 Dec 2011 11:52:56 +0700
From: Facebook [notification+VGNDUO7NQM4R@facebookmail.com]
Subject: LUCY Snow wants to be friends on Facebook.
LUCY Snow wants to be friends with you on Facebook.
LUCY Snow
Confirm Friend Request
See All Requests
This message was sent to victim@victimdomain.com. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Labels: DINETHOSTING, Facebook, Malware, Spam, Viruses
Wednesday, 14 December 2011
Spam: "Cuban car sale rise after law change" / csredret.ru
A weird spam, leading to a malicious payload on csredret.ru.
csredret.ru is hosted on 79.137.237.67 at Digital Network JSC in Russia (aka DINETHOSTING). Blocking access to 79.137.224.0/20 is essential if you can do it.
Date: Wed, 14 Dec 2011 03:50:19 +0900
Subject: Fwd: VIDEO: Cuban car sale rise after law change
Hi, look in.
VIDEO: Cuban car sale rise after law change
Labels: DINETHOSTING, Malware, Russia, Spam, Viruses
Tuesday, 13 December 2011
Spam: "I found your pictures on my camera yesterday, remember me?" / csredret.ru
Another spam run leading to a malicious payload on csredret.ru (as here).
The "pictures" link loads the malicious script, hosted at black hat hosts Digital Network JSC aka DINETHOSTING in Russia. Avoid.
Date: Tue, 13 Dec 2011 10:19:58 +0200
From: "Tomi Mcrae"
Subject: Hi! This is Tomi
Finally I found your e-mail, I'm not sure whether you remember me, we've got terribly drunk, I found your pictures on my camera yesterday, remember me? Party14.jpg 487kb
You can download your Windows Vista License here / csredret.ru
A Windows Vista licence? No.. it's malware from csredret.ru.
The malicious payload is on csredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). For about the billionth time in the past few days.. block access to 79.137.224.0/20 on your network if you possibly can.
From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 December 2011 05:14
Subject: Fwd: Order K93883696
Good morning,
You can download your Windows Vista License here -
Microsoft Corporation
Malware spam: "Have you seen how much money has Cameron spent on his new movie?"
Here's a terse spam, leading to a malicious payload on cpredret.ru/main.php.
Apparently, it refers to James Cameron and not David Cameron. Payload site is hosted on 79.137.237.67 which is the now infamous Digital Network JSC in Russia (aka DINETHOSTING). Blocking 79.137.224.0/20 would be good for your health.
From: AlfredoMejiaGXInOZ@aol.com
Date: 13 December 2011 04:20
Subject: I’m shocked!
Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!
Monday, 12 December 2011
c*redret.ru sites to block
Another bunch of "redret" sites to block, either by domain name or IP. These domains are being used as the payloads for spam emails and lead to a malicious web page.
79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia - recommend blocking 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru
79.137.237.67 (Digital Network JSC again)
ciredret.ru
coredret.ru
cpredret.ru
91.195.11.42 (UkrStar ISP, Ukraine - recommend blocking 91.195.10.0/23)
curedret.ru
Unallocated
caredret.ru
cbredret.ru
ccredret.ru
cdredret.ru
ceredret.ru
cfredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
csredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
Labels: DINETHOSTING, Redret, Russia, Ukraine, UkrStar ISP
Wednesday, 7 December 2011
Pizza spam / ciredret.ru
Another installment in the tsunami of malware-laden spam doing the rounds.. this time it is for pizza!
The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on 79.137.237.63. Unsurprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING), who are involved in much of the recent malware spam runs. Blocking 79.137.224.0/20 is highly recommended.
Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on 79.137.237.68; no surprise to find that it is Digital Network JSC again..
From: Pizza by ATTILIO [mailto:Russo@victimdomain.com]
Sent: 06 December 2011 18:25
Subject: Re: Fwd: Order confirmation
You’ve just ordered pizza from our site
Pizza Italian Trio with extras:
- Ham
- Jalapenos
- Green Peppers
- Jalapenos
- No Cheese
- No Sauce
________________________________________
Pizza Veggie Lover's with extras:
- Italian Sausage
- Jalapenos
- Pineapple
- Black Olives
- Easy On Cheese
- No Sauce
________________________________________
Pizza Supreme with extras:
- Chicken
- Jalapenos
- Extra Cheese
- Extra Sauce
________________________________________
Drinks
- Bacardi x 2
- Dr. Pepper x 5
- Cherry Coke x 2
- Coca-Cola x 2
- Mirinda x 4
- Limonade x 5
- Carling x 5
________________________________________
Total Due: 187.31$
If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don’t do that shortly, the order will be confirmed and delivered to you.
Best wishes
Pizza by ATTILIO
Fingerprint: a50c3e6f-8a5c87de
Date: Fri, 23 Dec 2011 -06:10:36 -0800
From: "ANTONINO`s Pizzeria"
Subject: Re: Fwd: Order confirmation
You've just ordered pizza from our site
Pizza Hawaiian Luau with extras:
- Bacon Pieces
- Pepperoni
- Pepperoni
- Diced Tomatoes
- No Cheese
- Extra Sauce
Pizza Meat Lover's with extras:
- Pepperoni
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Pizza Hawaiian Luau with extras:
- Pork
- Black Olives
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Sprite x 2
- Hancock x 6
- White wine x 6
- Carling x 3
Total Charge: 207.31$
If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!
If you don't do that shortly, the order will be confirmed and delivered to you.
Best Regards
ANTONINO`s Pizzeria
Malware: BBB "Complaint from your customers" and billycharge.com
Another day, another spam campaign leading to the Blackhole Exploit Kit.
A link in the email goes to a legitimate but hacked site, from which users are forwarded to billycharge.com on 79.137.237.63. This IP is on Digital Networks CJSC in Russia (aka DINETHOSTING), a wholly black hat operation; you should block access to 79.137.224.0/20 if you haven't already done so. The Wepawet report is here; VirusTotal shows 0/43 detections for the exploit page, although the downloaded malware should tickle at least some scanners.
Date: Wed, 7 Dec 2011 08:33:03 +0000
From: "::Better Business Bureau::" [risk.manager@bbb.org]
Subject: Complaint from your customers
Attachments: bbb_logo.jpg
Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your customers on the subject of their dealings with you.
The detailed information about the consumer's concern is explained in enclosed document.
Please review this matter and notify us of your position.
Please click here to reply this complaint.
We look forward to your prompt reply.
Yours faithfully,
Shawna Dennis
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
Some other subjects and senders being used in this spam:
- BBB assistance Re: Case # [random number]
- BBB Complaint activity report
- BBB processing
- BBB service Re: Case # [random number]
- Better Business Bureau Case # [random number]
- Complaint from your customers
- Please review your customer's complaint
- Re: BBB Case # [random number]
- Re: Case # [random number]
- Your customer's complaint
- Your customer's concern
- admin@bbb.org
- alert@bbb.org
- alerts@bbb.org
- info@bbb.org
- manager@bbb.org
- risk.manager@bbb.org
- risk@bbb.org
- service@bbb.org
- support@bbb.org
Tuesday, 6 December 2011
"Epidemic in Guinea" spam / curedret.ru
An interesting twist on malware spam:
Date: Tue, 6 Dec 2011 10:19:25 +0530
From: "MARIE Grover" [victimname@hotmail.com]
Subject: Re: Epidemic in Guinea
The government is hiding this fact, but there is a new epidemic in Guinea
I got to know it from friends of mine, they are there right now. Here you can find the instruction what to do not get infected
Read it!
Perhaps the spammers have a sense of irony, because if you click the link you are directed to a legitimate but hacked site and then bounced to curedret.ru on 79.137.237.63, which attempts to load the Blackhole Exploit Kit. This belongs to Digital Networks CJSC (aka DINETHOSTING) in Russia; blocking the entire 79.137.224.0/20 range is probably a very good idea, as this block is full of malicious sites. The Wepawet report for this page is here.
There are a whole bunch of these c*redret.ru sites; at the moment the following are active on this IP address:
crredret.ru
ctredret.ru
curedret.ru
czredret.ru
Update: these are coming in with subject lines naming several different countries and US states; the payload appears to be the same:
Epidemic in Alabama
Epidemic in Austria
Epidemic in Bangladesh
Epidemic in Belgium
Epidemic in Bermuda
Epidemic in Burkina Faso
Epidemic in Canada
Epidemic in Cape Verde
Epidemic in Chad
Epidemic in Chile
Epidemic in Costa Rica
Epidemic in Croatia
Epidemic in Gambia
Epidemic in Germany
Epidemic in Guam
Epidemic in Guinea
Epidemic in Hong Kong (China)
Epidemic in Indonesia
Epidemic in Iran
Epidemic in Ireland
Epidemic in Israel
Epidemic in Kazakhstan
Epidemic in Kentucky
Epidemic in Kuwait
Epidemic in Maine
Epidemic in Mali
Epidemic in Mayotte
Epidemic in Mexico
Epidemic in Monaco
Epidemic in Montana
Epidemic in Montserrat
Epidemic in New Mexico
Epidemic in Ohio
Epidemic in Oman
Epidemic in Pakistan
Epidemic in Pennsylvania
Epidemic in Russia
Epidemic in Saint Vincent and the Grenadines
Epidemic in Tokelau
Epidemic in Tunisia
Epidemic in Turkey
Epidemic in United Kingdom
Epidemic in United States
Epidemic in United States Virgin Islands
Epidemic in Utah
Epidemic in Wallis and Futuna
Epidemic in Wisconsin
Epidemic in Zimbabwe
Wednesday, 23 November 2011
b*redret.ru domains to block
Some of the recent surge of spam emails going around uses a set of .ru domains with a discernible pattern of b*redret.ru.
Blocking access to these domains and/or IPs might be a useful proactive step.
173.212.222.54 (Hostnoc, Scranton)
buredret.ru
195.254.135.72 (FastWeb SRL, Romania. Recommend blocking 195.254.134.0/23)
bqredret.ru
btredret.ru
bwredret.ru
bzredret.ru
89.208.34.116 (Digital Networks SRL, Russia. Recommend blocking 89.208.34.0/24)
baredret.ru
biredret.ru
bvredret.ru
94.199.51.108 (23vnet Kft, Hungary)
bkredret.ru
blredret.ru
bpredret.ru
bsredret.ru
95.163.89.193 (Digital Networks JSC, Russia. Recommend blocking 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru
Unallocated / invalid IPs
boredret.ru
brredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bxredret.ru
byredret.ru
Labels: DINETHOSTING, Redret, Russia, Viruses