Showing posts with label GoDaddy. Show all posts

Tuesday 9 July 2013

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
In this case the attachment SCAN_129_07082013_18911.zip contains an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the filename). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report [pdf] reveals more details, including the subsequent download locations, as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second-stage file has a much lower detection rate at VirusTotal of just 3/47 (and all of those are generic detections). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. The addresses contacted all appear to be dynamic ADSL addresses and are probably not worth trying to block.


Recommended blocklist:

Wednesday 19 June 2013

Something evil on 205.234.139.169

205.234.139.169 (Hostforweb, US) appears to be hosting a bunch of Java exploits, served up on subdomains of hacked GoDaddy domains. Victims most likely reach the malware through some sort of injection attack. Here are some example URLs of badness:

[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/applet.jnlp
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/contact.php
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/xXsdYVRQe/class.class
[donotclick]blog2.stefuraassociatesinc.com:6842/ServerAdministrator/keys/pairs/jfygZbFu

URLquery and VirusTotal are not very conclusive, but if it walks like a duck and quacks like a duck... well, you know the rest.

The following domains appear to be hosted on the server. You should assume that they are all malicious; several had already been flagged by Google at the time of writing.


(And yes, apparently you can get .pk domains through GoDaddy!)



Monday 25 March 2013

"Scan from a HP ScanJet" spam / humaniopa.ru

This fake printer spam leads to malware on humaniopa.ru:

Date:      Mon, 25 Mar 2013 03:57:54 -0500
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Scan from a HP ScanJet #928909620
Attachments:     Scanned_Document.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 98278P.

Sent by: CHANG
Images : 5
Attachment Type: .HTM [INTERNET EXPLORER]

Hewlett-Packard Officejet Location: machine location not set
The attachment Scanned_Document.htm leads to malware on [donotclick]humaniopa.ru:8080/forum/links/column.php (report here) hosted on:
66.249.23.64 (Endurance International Group, US)
72.11.155.182 (OC3 Networks, US)
72.167.254.194 (GoDaddy, US)
95.211.154.196 (Leaseweb, Netherlands)

Blocklist:


Thursday 8 November 2012

getyourbet.org injection attack

There seems to be an injection attack doing the rounds; the injected domain is getyourbet.org, hosted on 31.184.192.237. The domain registration details are:

Registrant ID:TOD-42842658
Registrant Name:ChinSec
Registrant Organization:ChinSec
Registrant Street1:Beijing
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:BJ
Registrant Postal Code:519000
Registrant Country:CN
Registrant Phone:+86.5264337745
Registrant Phone Ext.:
Registrant FAX:+86.5264337745
Registrant FAX Ext.:
Registrant Email:chinseccdomains@yahoo.com


The domain was created on 12th October. The IP address is in Russia (PIN-DEDICATEDSERVERS-NET).

This is a two-stage attack: if getyourbet.org is called with the correct referrer parameters, the victim ends up at another server at 64.202.123.3 (Hostforweb, US) that tries to serve up a malicious payload. This server hosts a bunch of subdomains from a hacked GoDaddy account.

pin.panacheswimwear.co.uk
physical.oneandonlykanuhura.com
pig.onmailorder.com
picture.onlyplussizes.com
person.nypersonaltrainers.com
pipe.payday-loanstoday.com

I've seen this sort of abuse of GoDaddy domains before: the main "www" domain resolves OK, but the subdomains get pointed elsewhere. There's either a problem with GoDaddy or this is done through a phish.

Anyway, block 64.202.123.3 and 31.184.192.237 if you can to prevent further attacks.

Wednesday 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:

Wednesday 25 April 2012

Something evil on 82.211.45.81 and 82.211.45.82

82.211.45.81 (Accelerated IT Services GmbH, Germany) is another server with a bunch of subdomains of hacked GoDaddy accounts, apparently being used to deliver payloads from other sites that have a hacked .htaccess file.

82.211.45.0/24 doesn't appear to host anything at all apart from these malicious sites and is a good candidate to block.

The hacked GoDaddy accounts have been set to point everything except www. to the server on 82.211.45.81. Hacked domains on this server appear to be:

revolution-clan.com
banknewsdirectories.com
psychicwireless.com
greenbankingemagazine.com
greenbankingemag.com

Many of these hijacked domains are registered to:

   BankNews Publications
   5115 Roe Blvd, Ste 200
   Shawnee Mission, Kansas 66205
   United States

It appears that BankNews Publications have lost control of their GoDaddy account.

82.211.45.81 will actually answer for any subdomain at all of these hacked domains, but the following are a sample of the malicious subdomains seen on this server:

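The pattern noted in this post and in the getyourbet.org post above (www still resolves to the owner's hosting, everything else is pointed at the rogue server) can be checked for automatically. This is an added example, not code from the original blog: the rogue IPs are taken from the page, while the sample zone data, the documentation-range IPs and the helper names are constructed.

```python
"""Flag domains whose 'www' record resolves normally while arbitrary
subdomains are pointed at a different host (the hijacked-DNS pattern
described in the post). The resolver is injectable so the check runs
offline against constructed sample data; pass stdlib_resolver to run it live."""
import secrets
import socket
import string
from typing import Callable, Dict, Optional, Set

Resolver = Callable[[str], Optional[str]]

# Rogue hosts taken from the post; every other IP in this file is constructed.
KNOWN_BAD_HOSTS: Set[str] = {"82.211.45.81", "82.211.45.82"}


def random_label(length: int = 12) -> str:
    """A random label that no legitimate zone is likely to define explicitly."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def check_wildcard_hijack(domain: str, resolve: Resolver,
                          bad_hosts: Set[str] = KNOWN_BAD_HOSTS,
                          label: Optional[str] = None) -> Dict[str, object]:
    """Compare www.<domain> with a probe subdomain that should not exist.

    A wildcard answering with a host that differs from www is the tell-tale
    sign from the post; a probe landing on a known rogue host is flagged too."""
    www_ip = resolve("www." + domain)
    probe_ip = resolve((label or random_label()) + "." + domain)
    wildcard = probe_ip is not None
    diverges = wildcard and probe_ip != www_ip
    on_bad_host = probe_ip in bad_hosts
    return {"domain": domain, "www_ip": www_ip, "probe_ip": probe_ip,
            "wildcard": wildcard, "suspicious": diverges or on_bad_host}


def stdlib_resolver(name: str) -> Optional[str]:
    """Live lookup through the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed zones modelled on the post. 203.0.113.x / 198.51.100.x are
# documentation ranges; the two *-example.com names are invented.
SAMPLE_ZONES: Dict[str, Dict[str, str]] = {
    "greenbankingemag.com": {"www": "203.0.113.10", "*": "82.211.45.81"},
    "healthy-example.com": {"www": "198.51.100.5"},                    # no wildcard
    "cdn-example.com": {"www": "198.51.100.7", "*": "198.51.100.7"},   # benign wildcard
}


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS: explicit record first, then the zone wildcard."""
    for zone, records in SAMPLE_ZONES.items():
        if name == zone or name.endswith("." + zone):
            label = name[: -len(zone) - 1] if name != zone else ""
            return records.get(label, records.get("*"))
    return None


if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        print(check_wildcard_hijack(zone, sample_resolver))
```

A benign wildcard that points at the same host as www (the cdn-example.com case) is deliberately not flagged, so the check only fires on divergence or on a known rogue host.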

Update: it seems that the adjacent IP, 82.211.45.82, is also hosting a similar set of malicious sites.

xmwyrwhkqlhpm.magasinez-en-vrac.com
fmyyxxhgthyr.magasinez-en-vrac.com
hfiuqgcixyoy.magasinez-en-vrac.com
wqkxgkpxxmiukyr.cashbackdevil.com
fixolsmhiahjs.cashbackdevil.com