Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:

Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:      National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:      Transmission Confirmation ~26306682~N25BHHL1~

Transmission Verification    
Contact Us
To:    
NPC Account # 26306682
Xavier Reed
   
Re:    
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number       408
Batch Description       VENDOR PAY
Number of Dollar Entries       2
Number of Prenotes       0
Total Deposit Amount       $3,848.19
Total Withdraw Amount      $3,848.19
Batch Confirmation Number      50983
   
Date Transmitted      Thursday, June 06, 2013
Date Processed       Thursday, June 06, 2013
Call Start Time       4:06 PM
Call End Time       4:07 PM
Funding Method       2 Day Funding
Cycle       AM
Effective
Entry Date

Transaction Type
   
Entry
Identification

Routing/Transit

Bank Account
Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $3,848.19
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$3,848.19
Totals     $0.00
Report reference ID # N25BHHL1     Created on Thursday, June 06, 2013
Have a question about this report?  Please click here to send us an email with your question.

Version 2:

Date:      Thu, 6 Jun 2013 09:59:06 -0500
From:      National Payment Automated Reports System [lemuel@emalsrv.natpaymail.com]
Subject:      Transmission Confirmation ~10968697~607MPYRC~

Transmission Verification    
Contact Us
To:    
NPC Account # 10968697
Benjamin Turner
   
Re:    
NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number     219
Batch Description     VENDOR PAY
Number of Dollar Entries     2
Number of Prenotes     0
Total Deposit Amount     $2,549.12
Total Withdraw Amount     $2,549.12
Batch Confirmation Number     24035
   
Date Transmitted     Thursday, June 06, 2013
Date Processed     Thursday, June 06, 2013
Call Start Time     4:06 PM
Call End Time     4:07 PM
Funding Method     2 Day Funding
   
Cycle     AM
Effective

Entry Date

Transaction Type
   
Entry

Identification

Routing/Transit

Bank Account

Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $2,549.12
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$2,549.12
Totals     $0.00
Report reference ID # 607MPYRC     Created on Thursday, June 06, 2013
Have a question about this report? Please click here to send us an email with your question.

The malicious payload is on [donotclick]usforclosedhomes.net/news/walls_autumns-serial.php (report here) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)

The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.

Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
abacs.pl
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:

From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Kindle Store | Your Account | Amazon.com Order Confirmation Order #175-7801666-2934626 [redacted] Thank you for shopping with us. Wed like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com. Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air Your order was sent to: Benjamin Phillips 2724 3rdCotton Avenue Cohoes, CA 62229-6646 United States Order Details Order #175-7801666-2934626 Placed on Wensday, May 29, 2013 Akai NPK55KR9070 55-Inch 1080p 120Hz LED 3D HDTV (Silber) Electronics In Stock Sold by MODIA $979.98 Item Subtotal: $979.98 Shipping & Handling: $0.00 Total Before Tax: $979.98 Estimated Tax: $0.00 Order Total: $979.98 To learn more about ordering, go to Ordering from Amazon.com. If you want more information or need more assistance, go to Help. Thank you for shopping with us. Amazon.com Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate of these IPs only we get the following blocklist:
41.89.6.179
141.28.126.201
177.5.244.236
208.68.36.11
aviachecki.ru
avtotracki.ru
balckanweb.com
biati.net
buyparrots.net
federal-credit-union.com
giwmmasnieuhe.ru
icensol.net
mydkarsy.com
nvufvwieg.com
ozonatorz.com
rusistema.ru
smartsecurityapp2013.com
techno5room.ru
testerpro5.ru
trackerpro5.ru
twintrade.net
zeouk-gt.com

Kenyan Judiciary (judiciary.go.ke) hacked to serve malware

The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurispudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.

The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary.go.ke/wlc.htm attempting to redirect visitors to [donotclick]dfudont.ru:8080/forum/links/column.php where there's a nasty exploit kit.

Of course, most visitors to the judiciary.go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm.

US Airways spam / attachedsignup.pro

This fake US Airways spam leads to malware on attachedsignup.pro:

From:     US Airways - Booking [reservations@myusairways.com][
Date:     4 December 2012 14:30
Subject:     US Airways online check-in.
  
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.

Purchase code: 183303

Check-in online:  Online booking details

Payment method:  Credit card
Money will be withdrawn in next 3 days
   
Voyage

5990    
Departure city and time

Massachusets MA (DCA) 10:10 AM

Depart date: 12/05/2012    


We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved. 

The payload and IP addresses are identical to this spam doing the rounds today.

"Most recent events on Facebook" spam / attachedsignup.pro

This fake Facebook spam leads to malware on Most recent events on attachedsignup.pro:

Date:      Tue, 4 Dec 2012 15:19:16 +0100
From:      " Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject:      Most recent events on Facebook

facebook
   
Hi [redacted],

You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.

This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906

The malicious payload is at [donotclick]attachedsignup.pro/detects/links-neck.php (report here) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) which also hosts the probably malicious domain sessionid0147239047829578349578239077.pl

ADP spam / fsblimitedrun.pro

This fake ADP spam leads to malware on fsblimitedrun.pro:

From:     ADP Transaction Status
Date:     3 December 2012 17:55
Subject:     ADP Major Accounts Processed Case

Valued customer:

 

James lately covered Transaction at your account. Event # 433933082.

     Case Caption: 6CO7

      Incident Substantiation: Download



We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by
visiting the link below.


Click here - ADP Major Accounts Operation Progress mentioned above

Best Wishes,

     James Brooks

     Vice President of Customer Care Department ADP

     ADP Major Accounts

 

 ***Reminder***

Please remember to complete your Semi-Annual Service Quality Survey!

Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.

**********

This e-mail was delivered from an robot account.

Please don't reply to this message. auomatic informational system unable to accept incoming email.

**********

The malicious payload is at [donotclick]fsblimitedrun.pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install.info

Blocking access to this IP address would probably be prudent.