This is one of those ephemeral traces of malware you sometimes see, like a will-o'-the-wisp. Something seems to be there, but on closer examination it has vanished. But this isn't an illusion, it seems to be a cleverly constructed way of distributing malware which pops up and then vanishes before anyone can analyse it.
The source of the infection seems to be a malvertisement on one of those sites with an immensely complicated set of scripts running on all sort of different sites, including those low-grade ad networks that have a reputation for not giving a damn about what their advertisers are doing.
In this case, the visitor gets directed to a page at 12ljeot1.wdelab.com/ijvdg2k/2 which got picked up with a generic malware detection.. but by the time anyone gets to investigate the domain it is mysteriously not resolving.
What appears to be happening is that the bad guys are publishing the malicious subdomains only for a very short time, then they stop it resolving and they publish another one. And one thing all these domains have in common is that they are using afraid.org for nameserver services.
A bit of investigation shows that this malware is hosted on a pair of servers at 64.202.123.43 and 64.202.123.44 (HostForWeb, US), and despite that bad guys efforts they do leave a trace on services such as VirusTotal [1] [2] and URLquery [3]. This particular URLquery report shows indications of the Fiesta EK.
The attackers are covering their traces by using legitimate hijacked domains, the owners of which may not even be aware of the problem. Despite there being a large number of subdomains, I can only spot sixdomains being abused:
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch
A full list of the subdomains that I have found so far can be found here [pastebin].
A look at the 64.202.123.0/24 block shows a mix of legitimate sites, plus some spammy ones and quite a lot that look malicious. If you are running a high-security environment then you might want to block this who range. Else, I would recommend the following minimum blocklist:
64.202.123.43
64.202.123.44
theholdens.org
denytech.com
jonmills.org
wdelab.com
dimatur.pt
hebel.ch
Showing posts with label HostForWeb. Show all posts
Showing posts with label HostForWeb. Show all posts
Friday, 13 June 2014
Something evil on 64.202.123.43 and 64.202.123.44
Labels:
HostForWeb,
Malvertising,
Malware,
Viruses
Tuesday, 17 January 2012
Scan from a Xerox W. Pro spam / coolwebzuzuzu.ru
Another malicious spam, this time leading to an exploit page on coolwebzuzuzu.ru/main.php.
coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.
Date: Tue, 16 Jan 2012 02:50:00 +0000
From: officejet@victimdomain.com
Subject: Fwd: Fwd: Scan from a Xerox W. Pro #9522304
A Document was sent to you using a XEROX OFFICE N220337423.
SENT BY: LAURA
IMAGES : 6
FORMAT (.JPG) DOWNLOAD
DEVICE: PD55695SK7AO559107L
coolwebzuzuzu.ru is hosted on 66.225.237.222, HostForWeb in Chicago. There is another malware site on an adjacent IP. You might want to block both IPs or even the whole /24 to be on the safe side.
Labels:
HostForWeb,
Malware,
Printer Spam,
Spam,
Viruses
UPS Spam / doofyonmycolg.ru
This UPS (or is it USPS?) spam is attempting to direct visitors to a malicious web page at doofyonmycolg.ru/main.php. This looks like a variant of the Redret campaign we have seen recently.
doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.
Date: Tue, 16 Jan 2012 02:16:45 -0300
From: "UPS TEAM 121" [support.350@ups.com]
Subject: UPS Tracking Number H4825887305
Your USPS .US for big savings! Can't see images? CLICK HERE.
UPS UPS TEAM 477
UPS - UPS MANAGER 559 >>
Not Ready to Open an Account?
The UPS Store® can help with full service packing and shipping.
Learn More >>
UPS - Your UPS Customer Services
DEAR, victim@victimdomain.com.
DEAR CLIENT , Delivery Confirmation: Failed
Track your Shipment now!
With best regards , Your UPS Services.
Shipping Tracking Calculate Time & Cost Open an Account
@ 2011 United Parcel Service of America, Inc. USPS CUSTOMER SERVICES, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.
This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
Your USPS .US marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.
Your USPS .US, 1 Glenlake Parkway, NE - Atlanta, GA 30331
Attn: Customer Communications Department
doofyonmycolg.ru is hosted on 66.225.237.223. There is another malicious site on 66.225.237.222, there may be others. This IP is allocated to HostForWeb Inc, Chicago. Blocking the IP rather than the domain may help protect against other malicious sites on the same server.
Labels:
HostForWeb,
Malware,
Spam,
USPS,
Viruses
Subscribe to:
Posts (Atom)