Sponsored by..

Showing posts with label Injection Attacks. Show all posts
Showing posts with label Injection Attacks. Show all posts

Thursday 3 November 2011

Something evil on 95.163.66.209

There are a bunch of domains being used in injection attacks on 95.163.66.209 (Digital Network JSC, Russia). recently Armorize covered attacks using this particular site. The problem seems to be ongoing, and 95.163.66.209 is a good IP to block. In fact, blocking 95.163.64.0/19 is probably a good idea too as there are a whole load of nasties there too. Google is pretty damning:

Safe Browsing
Diagnostic page for 95.163.66.0

What is the current listing status for 95.163.66.0?

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

    Of the 21 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-10-05, and the last time suspicious content was found on this site was on 2011-10-05.

    Malicious software includes 330 trojan(s), 276 scripting exploit(s).

    This site was hosted on 1 network(s) including AS12695 (DINET).

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 95.163.66.0 appeared to function as an intermediary for the infection of 19 site(s) including manualeofficina.altervista.org/, ua90.com/, phelpsweb.com/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 107 domain(s), including manualeofficina.altervista.org/, settatonchat.com/, zktoot.com/.

The sites on 95.163.66.209 are listed at the end of the post. However, most of them seem to be pretty odd subdomains (probably free) and blocking access to domains ending as follows could be a good general idea.

cz.cc
nl.ai
xe.cx
c0m.li
coom.in
l2x.eu
myddns.com
mx.am
ce.ms
mywww.biz
4dq.com
88n.eu
jesais.fr
qpoe.com
25u.com
dnset.com

Full list:
badcake.cz.cc
bdf.nl.ai
bent-pastry.xe.cx
bfsghsf.c0m.li
bgdh.coom.in
bgfdsbd.nl.ai
bghfxdh.nl.ai
bhdgzh.nl.ai
bluecloakroom.l2x.eu
boiling-fish.myddns.com
boilingpasta.xe.cx
boleklelek.nl.ai
care.appliancesraleighnc.com
chem.bluesky2010.com
chief-bagel.xe.cx
dark-veal.xe.cx
dead.carboneconstruction.info
dfhdf.nl.ai
diplomadog.mx.am
dsadas.coom.in
dwrewr.c0m.li
eeerr.ce.ms
elastic-venison.xe.cx
electrical.xe.cx
electric-meal.xe.cx
equal-pomegranate.aelita.fr
false-fig.xe.cx
fasdf.coom.in
fczxfczx.coom.in
fdasfsa.nl.ai
fdsfds.coom.in
feeble-cereal.lacheun.com
fertileroast.nl.ai
first-peanuts.l2x.eu
fixedbread.xe.cx
flat-fork.mx.am
flat-vegetables.xe.cx
frequentglass.xe.cx
gdgfdd.nl.ai
gdsg.nl.ai
gdsggdag.nl.ai
gershlagen.nl.ai
gfdgdf.nl.ai
gfsdgfds.coom.in
gfsdgsd.coom.in
gfsgfds.coom.in
ghdfhd.nl.ai
gjgfj.coom.in
gocheating.nl.ai
good-meal.l2x.eu
goodorange.xe.cx
goodrice.xe.cx
gsdgd.nl.ai
gsdgs.coom.in
gsfgs.nl.ai
gsgssd.coom.in
habdf.coom.in
hbgdh.nl.ai
hdggd.nl.ai
hdgh.nl.ai
hdgjd.coom.in
hdgsh.nl.ai
hgdhfg.nl.ai
hgf.nl.ai
high-hotdog.mywww.biz
hist.benjamin-moore.info
hjdgjhdg.coom.in
hkjjl.nl.ai
holybutter.lflinkup.org
homeimprovement.nl.ai
honor-for-you.mx.am
jaguaro.4dq.com
jdgjdg.coom.in
jgfjg.coom.in
jgjg.nl.ai
jobcracker.nl.ai
jvhkgh.coom.in
kghg.coom.in
kripple.88n.eu
leaveme.nl.ai
light.designerfloors.info
lihlhk.nl.ai
listen.c0m.li
loose-f.lacheun.com
loveme.88n.eu
lovewill.sellclassics.com
loveyoulike.c0m.li
lucky-force.mx.am
make.budgetblindsraleigh.info
mangle.blueskyresort.us
maniacmansion.88n.eu
med.designerfloors.info
medicalgrill.jesais.fr
mfhjmfh.coom.in
myrabbit.sixth.biz
negativecreep.mywww.biz
newbread.xe.cx
nhdgjhnd.nl.ai
normal-bagel.xe.cx
nownownow.l2x.eu
obsess.crawlspacecleaning.org
old-grapefruit.xe.cx
poorgrapes.c0m.li
pref.bluesky2011.com
promise.demartinocompanies.info
quiet-orange.qpoe.com
quietsoup.xe.cx
right-pomegranate.xe.cx
roberre.ftpserver.biz
roughslices.xe.cx
round-chicken.moneyhome.biz
sad-pineapple.lacheun.com
samerice.nl.ai
same-waitress.xe.cx
separate-buffet.25u.com
short-spoon.itemdb.com
shutham.ns01.biz
slewincom.com
smoothturkey.xe.cx
specialcookies.88n.eu
sport.designerfloorfashions.com
sticky-bacon.88n.eu
strangecooking.mynetav.net
strangesalad.xe.cx
strongkumquat.c0m.li
suckmydiscoball.oueb.eu
told.aeheatingandair.info
uytdujg.nl.ai
vcnvbhjmfgvj.coom.in
vfjhfj.nl.ai
vjh.coom.in
vzsfd.coom.in
wallex.l2x.eu
wannabe.c0m.li
webelieve.nl.ai
wehaveadeal.nl.ai
wet-toast.dnset.com
wise-crackers.xe.cx
workfree.nl.ai
youngmutton.mynetav.org

Tuesday 11 October 2011

Cyanogenmod.com compromised with warlikedisobey.org injection

Cyanogenmod.com is a site offering legitmate custom firmware for Android devices. It's a popular site, pulling in about 100,000 unique US users per day according to compete.com and it has an Alexa rank of 6728.

Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.

Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.

Update 20/10:  it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.

I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.

The domain is registered through Bizcn.com in China to the following registrant:

Registrant ID:orgff14354361081
Registrant Name:Henry Nguyen Gong
Registrant Organization:Privacy-Protect.cn
Registrant Street1:Rue la produit 34
Registrant Street2:
Registrant Street3:
Registrant City:Nimes
Registrant State/Province:Languedoc-Roussillon
Registrant Postal Code:30189
Registrant Country:FR
Registrant Phone:+33.466583875
Registrant Phone Ext.:
Registrant FAX:+33.466583875
Registrant FAX Ext.:
Registrant Email:contact@privacy-protect.cn


privacy-protect.cn is very commonly used by criminals to cover their tracks.A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).

A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:


Does anyone know what this is? I got a warning from Norton with High severity saying I was attacked by sloughsputter.org and warlikedisobey.org from 66.197.158.102:80 when I entered into the touchpad forum for this website. The IPS alert name is: web attack malicious exploit kit website at High risk 

Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.

The following domains are hosted on 66.197.158.102:


acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org

Friday 23 September 2011

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com


These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Tuesday 13 September 2011

Injection attack: cbchhuacyus.com, ibccmsuiyus.com and wbccmquwyus.com

There is currently a Sinowal injection attack doing the rounds, redirecting traffic to the following domains on 46.165.192.97:

cbchhuacyus.com
ibccmsuiyus.com
wbccmquwyus.com

There may well be other domains on the same server, blocking traffic to 46.165.192.97 would probably be prudent. The payload is being analysed (I will post an update later), but detection rates are not good.

Thursday 11 August 2011

Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.

A lot of other IP addresses associated with this company are implicated with forum spamming.

Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

As for 95.168.177.144, watch for traffic going to subdomains of reddingtaxcm.com, for example:

command0.reddingtaxcm.com
danger0.reddingtaxcm.com
costs0.reddingtaxcm.com
fifteen1.reddingtaxcm.com
countries1.reddingtaxcm.com
evil3.reddingtaxcm.com
placed4.reddingtaxcm.com
itself4.reddingtaxcm.com
democratic5.reddingtaxcm.com
dark5.reddingtaxcm.com
original5.reddingtaxcm.com
tuesday5.reddingtaxcm.com
source6.reddingtaxcm.com
cover6.reddingtaxcm.com
highest6.reddingtaxcm.com
college7.reddingtaxcm.com
during9.reddingtaxcm.com
condition9.reddingtaxcm.com
complex9.reddingtaxcm.com
headed0.reddingtaxcm.com

Thursday 4 August 2011

Something evil on 79.133.196.124

I don't quite have the full picture on this, but it looks like some Scandinavian sites have been compromised in some way and are redirecting to a malware server on 79.133.196.124 in Poland which is serving up fake AV applications.

Blocking access to 79.133.196.124 is probably a very good idea. The following sites appear to be hosted on that server and should be blocked if you can't do so by IP address, alternatively just block access to all .co.cc and .rr.nu domains if you can.


www1.aideray.in
www1.bestrusprotect.rr.nu
www1.bestshprotect.rr.nu
www1.besturprotect.rr.nu
www1.bestzoprotect.rr.nu
www1.bestzyprotect.rr.nu
www1.fastcowsecure.rr.nu
www1.fastengsecure.rr.nu
www1.fastjeasecure.in
www1.firstytholder.in
www1.mystedguard.rr.nu
www1.novirotall.rr.nu
www1.novirtyall.rr.nu
www1.personal-wantivir.com
www1.savefslf-holder.co.cc
www1.simpleermaster.com
www1.test.thebest-poscaner.in
www1.thebestarmydhec.co.cc
www2.bestshchecker.rr.nu
www2.firstlrnetwork.rr.nu
www2.hardobcleaner.rr.nu
www2.hard-sentineluuu.rr.nu
www2.harduvscaner.rr.nu
www2.powerab-army.rr.nu
www2.powerarmycv.rr.nu
www2.safeholderbp.rr.nu
www2.safeholdergv.rr.nu
www2.safeichecker.rr.nu
www2.safe-softgr.rr.nu
www2.savednscaner.rr.nu
www2.saveojnetwork.rr.nu
www2.simplejnsoft.rr.nu
www2.smartsentinelmc.rr.nu
www2.strongckguard.rr.nu
www2.strongnetworkcj.rr.nu
www2.strongyhcleaner.rr.nu
www2.topdefensehg.rr.nu
www2.topiy-security.rr.nu
www2.top-suitele.rr.nu

Tuesday 2 August 2011

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14

Thursday 14 July 2011

yahlink.php / DreamHost hack

Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:

bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net

Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.

The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:

fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net


Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

67.205.0.0/18
69.163.128.0/17
75.119.192.0/19

208.97.128.0/18

..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.

Sunday 26 June 2011

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

Wednesday 8 June 2011

94.244.80.7 / bookpolo.com / booksolo.com / bookgusa.com injection attacks

The crew responsible for the LizaMoon and Worid-Of-Books.com are back with a new set of injection attacks, this time hosted on 94.244.80.7 in Lithuania.

The following domains are currently in use:
bookaros.com
bookarra.com
bookavio.com
bookdolo.com
bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
bookmylo.com
booknunu.com
bookpolo.com
booksgou.com
booksoco.com
booksolo.com
booktuba.com
bookvila.com
bookvivi.com
bookvoxy.com
bookzoul.com
bookzula.com


Registrant details are familiar and fake:

JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 1180
us

Injection attacks seem to be either trying to insert an anchor with the word "book" pointing to one of the bad sites, presumably as a "Worid of Books"-type SEO campaign, or alternatively they are using the ur.php approach the LizaMoon used.

The whole 94.244.64.0/18 block looks toxic and is worth blocking. I'll post more details on that when I get the time.

Saturday 2 April 2011

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com


Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com

Thursday 29 July 2010

freead.name / mybar.us / toolbarcom.org / adsnet.biz

A slightly novel attack, found injected into a Javascript library and using freshly-registered domains. The attack uses obfuscated Javascript to send visitors to one of the following domains: myads.name, adsnet.biz, toolbarcom.org, mybar.us, freead.name, and to the front of this is appended a subdomain of vagi., vain., vale., vars., vary., vasa., vaut., vavs., viny., viol., vrow., vugs., vuln.

Despite all the combinations (a list is at the bottom of the post if you want to paste it in somewhere), there are only a small number of IP addresses involved:

66.221.212.92
66.221.212.94
66.221.212.96
66.221.212.98
66.221.212.99
69.13.73.203
69.13.73.205
69.13.73.248
69.13.73.250
69.13.154.250
69.13.154.251

All of those IPs belong to C I Host, some seem to have legitimate sites hosted on them.

One one domain (mybar.us) is not anonymised:

Registrar URL (registration services):       www.publicdomainregistry.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_11638984
Registrant Name:                             Andrew Black
Registrant Organization:                     N/A
Registrant Address1:                         555 Taylor Rd.
Registrant City:                             Enfield
Registrant State/Province:                   Connecticut
Registrant Postal Code:                      06082
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +860.7492291
Registrant Email:                            dday.rabbit@gmail.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Although the address and phone number are no doubt fake, the email address of dday.rabbit@gmail.com is known.

The next hop uses a subdomain of a legitimate domain registered at GoDaddy that appears to have been phished: out.outdoorkitchendistributors.com - this site is hosted on 94.75.243.31.. it's just worth pausing to note that the legitimate domain specchart.com also appears to have been hijacked via a GoDaddy phish and moved to this server.

The endpoint is a Java exploit on a server at 79.135.152.194 belonging to microlines.lv (AS2588 / 79.135.128.0/19) which appears to be a pretty evil network. How the hell they got a /19 is a mystery when I can't see any verifiably legitimate sites.

If you want to block the intermediate domains, they are:
vagi.adsnet.biz
vain.adsnet.biz
vale.adsnet.biz
vars.adsnet.biz
vary.adsnet.biz
vasa.adsnet.biz
vaut.adsnet.biz
vavs.adsnet.biz
viny.adsnet.biz
viol.adsnet.biz
vrow.adsnet.biz
vugs.adsnet.biz
vuln.adsnet.biz
vagi.toolbarcom.org
vain.toolbarcom.org
vale.toolbarcom.org
vars.toolbarcom.org
vary.toolbarcom.org
vasa.toolbarcom.org
vaut.toolbarcom.org
vavs.toolbarcom.org
viny.toolbarcom.org
viol.toolbarcom.org
vrow.toolbarcom.org
vugs.toolbarcom.org
vuln.toolbarcom.org
vagi.mybar.us
vain.mybar.us
vale.mybar.us
vars.mybar.us
vary.mybar.us
vasa.mybar.us
vaut.mybar.us
vavs.mybar.us
viny.mybar.us
viol.mybar.us
vrow.mybar.us
vugs.mybar.us
vuln.mybar.us
vagi.freead.name
vain.freead.name
vale.freead.name
vars.freead.name
vary.freead.name
vasa.freead.name
vaut.freead.name
vavs.freead.name
viny.freead.name
viol.freead.name
vrow.freead.name
vugs.freead.name
vuln.freead.name

Tuesday 22 June 2010

Virus / Malware on Nokia.com / miisolutions.net

Nokia.com appears to have been compromised through a third-party script:


europe.nokia.com (e.g. hxxp:||europe.nokia.com/support/download-software/nokia-pc-suite) ->
nokia.tt.omtrdc.net ->
omniture-nokia.secure.miisolutions.net ->
oploya.fancountblogger.com:8080

Details on the general attack can be found here. It appears that miisolutions.net has had malicious code injected into the script, rather than it being Nokia.com itself that has been hacked.At the time of writing the malicious code is still present.

Update: the infected page at miisolutions.net has been taken down.

Thursday 4 February 2010

Sergey Ryabov / director@climbing-games.com strikes again

There's a somewhat unusual spate of injection attacks doing the rounds, code is being injected into the middle of victim pages through an unknown flaw, starting document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D and then going on for a bit.. deobfuscating the code actually leads to a second layer of obfuscation, but once that is decoded it becomes clearer.

The injected code points to itsallbreaksoft.net


This then bounces through paymoneysystem.info/in.cgi?michaeleknowlton before hitting a seemingly random PPC search engine site hosted on 95.211.27.154, for example sdeh.net/iframe.html. Sophos have an excellent write-up of the anatomyof the injection attack here, and it's pretty clear that somebody is ripping somebody else off for PPC traffic.. its hard to say who the victims actually are.

The domains itsallbreaksoft.net and paymoneysystem.info belong to the same person, these are interesting because of the registration details:

Nexton Limited
Ryabov Sergey (director@climbing-games.com)
+79219270961
Fax: +79219270961
Scherbakova st., 6-38
Saint-Petersburg, 197375
RU
These contact details are very well known for very bad things. Incidentally, the registrar is ruler-domains.com, also an enterprise registered to "Sergey Ryabov" (if that's a real person).

It's all kind of strange as there doesn't appear to be a malware payload, which is good. But because of the way click arbitrage works, finding the real victims and villains is tricky, although interested researchers may want to have a poke around.

Tuesday 10 November 2009

media-servers.net hit bu superkahn.ru injection attack

media-servers.net is some sort of advertising agency that doesn't advertise who it belongs to and hides its WHOIS details behind privacy protection. A look at the historical WHOIS records show the following contact details:

Registrant:
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel

Domain Name: MEDIA-SERVERS.NET
Created on: 19-Sep-04
Expires on: 19-Sep-13
Last Updated on: 17-Feb-09

Administrative Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --

Technical Contact:
Administrator, Domain domadmin@netposition.com
Netposition Ltd.
POB 16041
Tel Aviv 61160
Israel
+972.9723928600 Fax --
Their site is infected with injected code pointing to superkahn.ru:8080/index.php - probably the people who own media-servers.net know nothing about it, but they don't make it easy to be contacted.

superkahn.ru is registered to:

domain: SUPERKAHN.RU
type: CORPORATE
nserver: ns1.freeonlinednshost.com.
nserver: ns2.freeonlinednshost.com.
nserver: ns3.freeonlinednshost.com.
nserver: ns4.freeonlinednshost.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 4912 219900
e-mail: dibs@freemailbox.ru
registrar: NAUNET-REG-RIPN
created: 2009.10.28
paid-till: 2010.10.28
source: TC-RIPN

This is multihomed on:
91.121.88.218 (OVH, Paris)
91.121.108.53 (OVH, Paris)
94.23.211.214 (OVH, Paris)
94.75.198.241 (Leaseweb, Amsterdam)
82.192.88.35 (Leaseweb, Amsterdam)

Websense report that this runs a variety of exploit attempts against unpatched Microsoft and Abode products. Quantcast figures say that almost a million US visitors access this site per month, so a lot more worldwide.

Wednesday 3 June 2009

mediahousenamemartmovie.cn / nonfathighestlocate.cn injection attack

Another set of injection attacks seem to be doing the rounds, possibly related to the recent Gumblar attack.

In this case, the injected code is an IFRAME pointing to hxxp:||mediahousenamemartmovie.cn:8080/ts/in.cgi?pepsi27 and redirecting to hxxp:||nonfathighestlocate.cn:8080/index.php which attempts to load a Flash exploit (VirusTotal results) and PDF exploit (VirusTotal results). The payload includes a DLL (perhaps C:\WindowsSystem32\1028T.DLL although it may vary) that offers some sort of backdoor functionality (VirusTotal results).

The malware domains are on 89.149.240.64 in Germany, all domains on that server seem to be malware related and should be blocked. The server identifies itself via RDNS as "fuckingl33t.eu" although that proves nothing.
  • Autobestwestern.cn
  • Bestlitediscover.cn
  • Bestwebfind.cn
  • Bigbestfind.cn
  • Bigtopartists.cn
  • Giantnonfat.cn
  • Greatbethere.cn
  • Homenameworld.cn
  • Hugebest.cn
  • Hugebestbuys.cn
  • Hugepremium.cn
  • Hugetopdiscover.cn
  • Litepremium.cn
  • Litetopfinddirect.cn
  • Litetopseeksite.cn
  • Lotbetsite.cn
  • Mediahomenameshoppicture.cn
  • Mediahousenamemartmovie.cn
  • Nameforshop.cn
  • Nanotopdiscover.cn
  • Nonfathighestlocate.cn
  • Thebestyoucanfind.cn
  • Topfindworld.cn
  • Toplitesite.cn
  • Tvnameshop.cn
  • Yourlitetopfind.cn
Nonfathighestlocate.cn was on 89.149.240.64, but then pointed at to 82.208.58.199 in the Czech Republic.

If this is related to Gumblar, then the problem could be down to compromised FTP passwords. If your site has been infected with this attack, then you need to carefully check each machine that has FTP access to your website, clean them up and then change your FTP password to something secure.

Sunday 11 May 2008

Mass phpBB attack free.hostpinoy.info and xprmn4u.info

Another injection attack reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. Injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search of these two terms currently comes up with 858,000 matches between them indicating that this is a very large scale attack.

phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter or urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

It looks like some version of the Zlob trojan is being served up, see here and here for more details. (Thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargetting as the destination sites are not consistent.

free.hostpinoy.info is 209.51.196.254 (XLHost.com)
xprmn4u.info is 217.199.217.9 (Mastak.ru)

Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.