
Monday 30 November 2015

Malware spam: "INTUIT QB" / "QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]" leads to ransomware

This fake Intuit QuickBooks spam leads to malware:

From:    QUICKBOOKS ONLINE [qbservices@customersupport.intuit.com]
Date:    30 November 2015 at 10:42
Subject:    INTUIT QB


As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!

InTuIT. | simplify the business of life

© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice. 
The spam is almost identical to this one which led to Nymaim ransomware.

In this particular spam, the email went to a landing page at updates.intuitdataserver-1.com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a fake Firefox update.

This executable has a VirusTotal detection rate of 3/55, the MD5 is 592899e0eb3c06fb9fda59d03e4b5b53. The Hybrid Analysis report shows the malware attempting to POST to mlewipzrm.in which is multihomed on:

89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)


The nameservers for mlewipzrm.in are NS1.REBELLECLUB.NET and NS2.REBELLECLUB.NET which are hosted on the following IPs:

210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US)


These nameservers support the following malicious domains:


The download location uses a pair of nameservers, NS1.MOMEDEFER.PW and NS1.PRIZEBROCK.PW. If we factor in the NS2 servers as well, we get a set of malicious IPs:

5.135.237.209 (OVH, France)
196.52.21.11 (LogicWeb, US / South Africa)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)


These nameservers support the following malicious domains:


As far as I can tell, these domains are hosted on the following IPs:

52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
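The pivot used above (domain to its nameservers, nameservers to their IPs, and from those IPs to other nameservers and the domains they serve) is easy to script once you have the records. This is an added example, not code from this post; the domain, nameserver and IP values are constructed placeholders, not the ones listed above, and the `max_fanout` cut-off is my own addition to avoid linking everything behind a busy shared-hosting IP.

```python
from collections import defaultdict, deque

# Constructed sample records (placeholders, not real DNS data):
# domain -> nameservers it delegates to, and nameserver -> IPs it resolves to.
NS_RECORDS = {
    "example-spam.test": {"ns1.badns.test", "ns2.badns.test"},
    "sibling-one.test": {"ns1.badns.test", "ns2.badns.test"},
    "sibling-two.test": {"ns1.otherns.test", "ns2.otherns.test"},
    "unrelated.test": {"ns1.cleanns.test"},
}
NS_HOSTS = {
    "ns1.badns.test": {"192.0.2.10"},
    "ns2.badns.test": {"198.51.100.21"},
    "ns1.otherns.test": {"192.0.2.10"},   # shares an IP with ns1.badns.test
    "ns2.otherns.test": {"203.0.113.5"},
    "ns1.cleanns.test": {"203.0.113.99"},
}


def build_graph(ns_records, ns_hosts):
    """Undirected graph over ("domain", name), ("ns", name) and ("ip", addr) nodes."""
    graph = defaultdict(set)
    for domain, nameservers in ns_records.items():
        for ns in nameservers:
            graph[("domain", domain)].add(("ns", ns))
            graph[("ns", ns)].add(("domain", domain))
    for ns, ips in ns_hosts.items():
        for ip in ips:
            graph[("ns", ns)].add(("ip", ip))
            graph[("ip", ip)].add(("ns", ns))
    return graph


def pivot(seed, ns_records, ns_hosts, max_edges=4, max_fanout=20):
    """Breadth-first search from a seed domain through shared nameservers and
    shared nameserver IPs.

    max_edges=2 stops at domains that share a nameserver with the seed;
    max_edges=4 also crosses one nameserver IP (domain -> ns -> ip -> ns -> domain).
    IPs hosting more than max_fanout nameservers are treated as shared hosting
    and not crossed, because pivoting through them links unrelated domains.

    Returns {domain: evidence_path} for every domain reached other than the seed,
    where evidence_path lists the nodes that connect it back to the seed.
    """
    graph = build_graph(ns_records, ns_hosts)
    start = ("domain", seed)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_edges:
            continue
        if node[0] == "ip" and len(graph[node]) > max_fanout:
            continue  # crowded IP: do not pivot through it
        for nxt in sorted(graph[node]):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {
        name: [f"{kind}:{value}" for kind, value in path]
        for (kind, name), path in paths.items()
        if kind == "domain" and name != seed
    }


if __name__ == "__main__":
    for domain, chain in pivot("example-spam.test", NS_RECORDS, NS_HOSTS).items():
        print(domain, "<-", " -> ".join(chain))
```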


I recommend that you block the following IPs and/or domains:



Wednesday 8 April 2015

Malware spam: "Invoice from COMPANY NAME" / 31.24.30.12 / 46.30.43.102

This Dridex spam takes a slightly different approach from other recent ones. Instead of attaching a malicious Office document, it downloads one from a compromised server.

The example I saw read:
From:    Mitchel Levy
Date:    8 April 2015 at 13:45
Subject:    Invoice from MOTHERCARE

Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.

Download your invoice here.

Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.

Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei.com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example:

http://victimbfe.afinanceei.com/victim@victim.domain/

This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:

I guess perhaps the bad guys didn't notice "Califonia Institute of Technology" written behind "Information Management Systems & Services". The link in the email downloads a file from:

http://31.24.30.12/api/Invoice.xls

At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http://31.24.30.12/api/ shows a fake page pretending to be from Australian retailer Kogan.



As you might guess, Invoice.xls contains a malicious macro [pastebin] but the real action is some data hidden in the spreadsheet itself:


That's pretty easy to decode, and it instructs the computer to download a malicious binary from:

http://46.30.43.102/cves/kase.jpg

This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC.

This binary has a VirusTotal detection rate of 6/57. Automated analysis tools [1] [2] [3] [4] show it communicating with the following IPs:


In addition there are some Akamai IPs which look benign:

184.25.56.212
184.25.56.205
2.22.234.90

According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack.

Recommended blocklist:

MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478

UPDATE 1:

There is at least one other server at 95.163.121.22 (Digital Networks CJSC aka DINETHOSTING, Russia) being used as a location to click through to (I recommend you block the entire 95.163.121.0/24 range). Between those two servers I can see the domains listed below in use. I suspect that there are others, given the limited alphabetic range.


Thursday 2 April 2015

Malware spam: "Scanned document from HP/Brother/Epson Scanner [87654321]"

These fake scanner emails follow a well-established pattern. Instead of containing a scanned document they have a malicious attachment.

Now, if you are reading this then you are probably not the sort of person who would open an unsolicited message of this sort. Would you?

From:    Cindy Pate [Caroline.dfd@flexmail.eu]
Date:    2 April 2015 at 11:09
Subject:    Scanned document from HP Scanner [66684798]

Reply to: HP-Scanner@flexmail.eu
Model:KX-240NGZDC
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Sterling Hoffman [Lara.dc4@astroexports.com]
Date:    2 April 2015 at 11:00
Subject:    Scanned document from Brother Scanner [07623989]

Reply to: Brother-Scanner@astroexports.com
Model:CG-240NWDUL
Location: 1st Floor Office

File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

----------

From:    Manuel Velez [Yesenia.10@acv.nl]
Date:    2 April 2015 at 12:04
Subject:    Scanned document from Epson Scanner [81829722]

Reply to: Epson-Scanner@acv.nl
Model:JS-240NRZYV
Location: 1st Floor Office

File Format: DOC (Medium)
Resolution: 300dpi x 300dpi

Attached file is scanned document in DOC format.
Use Microsoft Office Word  of Microsoft Corporation to view the document.

I have seen three different malicious attachments with low detection rates [1] [2] [3] which appear to contain one of two macros [1] [2] which download a further component from one of the following locations:

http://93.158.117.163:8080/bz1gs9/kansp.jpg
http://78.47.87.131:8080/bz1gs9/kansp.jpg


Those servers are almost definitely malicious in other ways. The IPs are allocated to:

93.158.117.163 (Aitos Svenska / Port80 , Sweden)
78.47.87.131 (Hetzner, Germany)

This is then saved as %TEMP%\sdfsdffff.exe which has a VirusTotal detection rate of just 1/56. Automated analysis [1] [2] [3] indicates that it calls home to:


Although the automated tools indicate that no files were dropped, the payload for this is almost definitely Dridex.

Recommended blocklist:

MD5s:
96f3aa2402daf9093ef0b47943361231
cff4b8b7f9adf1f5964b495a8116d196
68fb9aadda63d18f1b085d5bd8815223
64fa6501bd4d32b2958922598008ca96


Thursday 19 March 2015

Malware spam: "sales@marflow.co.uk" / "Your Sales Order"

This spam run pretends to come from Marflow Engineering, but it doesn't; it is a simple forgery. Marflow are not sending out this email, nor have their systems been compromised in any way.

From:    sales@marflow.co.uk
Date:    19 March 2015 at 09:13
Subject:    Your Sales Order

Your order acknowledgment is attached.

Please check carefully and advise us of any issues.

Best regards

Marflow
Attached is a file 611866.xls which appears to come in at least three different versions. But due to an error in the way the spam has been created, the attachment is actually corrupt and (depending on your version of Excel) attempting to open it gives this error:


The file you are trying to open, '611866.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?
Clicking OK loads up what looks like gobbledegook.


If you see this, then you have had a lucky escape because the attachment is in the wrong format and is Base 64 encoded. If you manually run a Base 64 decoder against it then you end up with a malicious XLS file, in one of three different flavours with low detection rates [1] [2] [3] which in turn each contain a slightly different malicious macro [1] [2] [3] which then attempt to download from the following locations:

http://www.lenhausen.de/js/bin.exe
http://meostore.net/js/bin.exe
http://mvw1919.de/js/bin.exe
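The mismatch Excel complains about is easy to check for automatically at the mail gateway: an attachment named .xls should start with the OLE2 or ZIP magic bytes, and if instead the whole body is Base64 text that decodes to one of those containers, it is an Office file in disguise. This is an added example, not code from this post; the sample attachment bytes are constructed, not the real 611866.xls.

```python
import base64
import binascii
import re

# Magic bytes of the containers a ".xls" attachment can legitimately carry:
# OLE2 compound document (legacy .xls) and ZIP (OOXML .xlsx / .xlsm).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Whole body made of Base64 alphabet characters, optional line breaks, optional padding.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+=*\s*$")


def looks_like_base64(data: bytes) -> bool:
    """True if the whole attachment body is printable Base64 text."""
    return len(data) >= 16 and _B64_RE.match(data) is not None


def classify_office_bytes(data: bytes) -> str:
    """Identify the container from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Check that an Office-named attachment really is an Office container.

    verdict is one of:
      "ok"                    - raw bytes are an OLE2/ZIP container
      "base64-wrapped-office" - raw bytes are Base64 text that decodes to one
      "mismatch"              - neither; the extension does not match the content
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    raw_kind = classify_office_bytes(data)
    result = {"declared": ext, "container": raw_kind, "base64": False, "decoded": None}
    if raw_kind != "unknown":
        result["verdict"] = "ok"
        return result
    if looks_like_base64(data):
        result["base64"] = True
        try:
            decoded = base64.b64decode(data)  # line breaks are discarded by default
        except binascii.Error:
            decoded = b""
        result["decoded"] = classify_office_bytes(decoded)
        if result["decoded"] != "unknown":
            result["verdict"] = "base64-wrapped-office"
            return result
    result["verdict"] = "mismatch"
    return result


# Constructed samples: a minimal OLE2-headed blob and the same blob Base64-encoded
# with line wrapping, as a mail client would encode an attachment body.
SAMPLE_XLS = OLE2_MAGIC + bytes(range(64))
SAMPLE_B64 = base64.encodebytes(SAMPLE_XLS)

if __name__ == "__main__":
    print(inspect_attachment("611866.xls", SAMPLE_XLS)["verdict"])
    print(inspect_attachment("611866.xls", SAMPLE_B64)["verdict"])
```

A gateway rule would quarantine on "base64-wrapped-office" as well as "mismatch", since a legitimate sender never ships a spreadsheet as raw Base64 inside a .xls.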

This is saved in the %TEMP% folder under the filenames pirit86.exe, tikapom64.exe and Trekaldo51.exe (although the binary is the same in each case). This malicious binary has a detection rate of just 2/57 and according to the Malwr report, it phones home to the following IPs:


It also drops another version of the downloader, edg1.exe, which has a detection rate of 1/56, and a DLL with a detection rate of 1/57. The payload is the Dridex banking trojan.

Recommended blocklist:


Sunday 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang; some of them appear to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.


Tuesday 24 September 2013

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang, and it replaces last week's list.




Tuesday 17 September 2013

Malware sites to block 17/9/13

This set of malicious IPs and domains is associated with this gang, and the list replaces the last one published here.

Blocklist:



Monday 9 September 2013

Malware sites to block 9/9/13

These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.


Tuesday 13 August 2013

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Tuesday 23 July 2013

Malware sites to block 23/7/13

These malicious domains and IPs are associated with this prolific gang. As usual, I've listed IPs with hosts first and then a plain list of IPs and domains for copy-and-pasting at the end.

5.175.191.106 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson-NET, Turkey)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
50.97.253.162 (Softlayer, US)
54.225.124.116 (Amazon AWS, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
59.126.142.186 (Chunghwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
61.28.143.133 (ETPI, Philippines)
62.76.44.105 (IT House / Clodo-Cloud, Russia)
69.60.115.92 (Colopronto, US)
74.62.189.22 (Time Warner Cable, US)
74.93.56.83 (Comcast, US)
74.208.246.145 (1&1, US)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UniWeb, Belgium)
88.86.100.2 (Supernetwork / Castlegem, Czech Republic)
88.150.191.194 (Redstation, UK)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
108.170.32.179 (Secured Servers, US)
108.179.8.103 (Tyco / Cablevision, US)
109.123.125.68 (UK2.net, UK)
114.112.172.34 (Worldcom Teda Networks Technology, China)
119.92.209.120 (Makati IPG, Philippines)
120.124.132.123 (TANET, Taiwan)
121.83.197.179 (K-Opticom Corporation, Japan)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.120.113.18 (TANET, Taiwan)
162.209.80.221 (Rackspace, US)
165.225.149.235 (Joyent, US)
166.78.183.28 (Rackspace, US)
172.245.16.47 (New Wave NetConnect / ColoCrossing, US)
172.255.106.126 (Nobis Technology Group, US)
182.72.216.173 (CusDelight Consultancy Services, India)
188.40.92.12 (Hetzner, Germany)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
189.15.96.61 (Companhia De Telecomunicacoes Do Brasil Central, Brazil)
190.85.249.159 (Telmex Colombia, Colombia)
190.238.107.240 (Telefonica del Peru, Peru)
192.95.54.119 (OVH, Canada)
192.241.205.26 (Digital Ocean, US)
195.225.58.122 (C&A Connect SRL, Romania)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu, US)
198.175.124.17 (DNSSLAVE.COM, US)
202.197.127.42 (Hunan Normal University, China)
203.236.232.42 (KINX, Korea)
208.69.42.50 (Bay Area Video Coalition, US)
208.115.114.68 (WOWRACK, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services, Taiwan)
211.224.204.141 (KINX, Korea)
212.143.233.159 (013 Netvision Network, Israel)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.106
24.173.170.230
31.145.19.17
41.196.17.252
46.246.41.68
46.45.182.27
50.97.253.162
54.225.124.116
59.77.36.225
59.124.33.215
59.126.142.186
59.160.69.74
61.28.143.133
62.76.44.105
69.60.115.92
74.62.189.22
74.93.56.83
74.208.246.145
85.17.224.131
85.119.187.145
88.86.100.2
88.150.191.194
95.87.1.19
95.111.32.249
108.170.32.179
108.179.8.103
109.123.125.68
114.112.172.34
119.92.209.120
120.124.132.123
121.83.197.179
128.252.158.57
138.80.14.27
140.120.113.18
162.209.80.221
165.225.149.235
166.78.183.28
172.245.16.47
172.255.106.126
182.72.216.173
188.40.92.12
188.132.213.115
188.134.26.172
189.15.96.61
190.85.249.159
190.238.107.240
192.95.54.119
192.241.205.26
195.225.58.122
198.61.213.12
198.98.102.165
198.175.124.17
202.197.127.42
203.236.232.42
208.69.42.50
208.115.114.68
209.222.67.251
210.200.0.95
211.224.204.141
212.143.233.159
217.64.107.108
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
abundanceguys.net
allgstat.ru
amimeseason.net
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
autocompletiondel.net
autorize.net.models-and-kits.net
badstylecorps.com
basedbreakpark.su
beachfiretald.com
bebomsn.net
biati.net
blacklistsvignet.pl
blackragnarok.net
blindsay-law.net
bnamecorni.com
boats-sale.net
brasilmatics.net
buffalonyroofers.net
businessdocu.net
buty24-cool.com
buycushion.net
cbstechcorp.net
centow.ru
chairsantique.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
clik-kids.com
condaleunvjdlp55.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalinneuwu5.ru
condalnua745746.ru
cooldeaflympics.com
cpa.state.tx.us.tax-returns.mattwaltererie.net
crossplatformcons.com
cryoroyal.net
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
e-eleves.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
epackage.ups.com.shanghaiherald.net
ergopets.com
erminwanbuernantion20.net
ermitirationifyouwau30.net
estateandpropertty.com
etiquetteinsp.net
fastfragcheck.com
feminineperceiv.pl
fenvid.com
filmstripstyl.com
firefoxupd.pw
firerice.com
flashedglobetrot.pl
foremostorgand.su
foremostorgand.suc
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
generationpasswaua40.net
genie-enterprises.com
germany.no-ip.biz
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
greenleaf-investment.net
gromovieotvodidiejj40.net
handwrittenma.com
hdmltextvoice.net
heavygear.net
heidipinks.com
hemorelief.net
hiddenhacks.com
highsecure155.com
hingpressplay.net
homesforsaleftwaltonbea.com
hotkoyou.net
hotpubblici.com
housesales.pl
iberiti.com
icensol.net
independinsy.net
info-for-health.net
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kistrotilewest.su
klermont.net
klwines.com.order.complete.prysmm.net
kubiwaya.net
ledfordlawoffice.net
letsgofit.net
linguaape.net
linkedin.com-update-report.taltondark.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
mackay-revealed.net
made-bali.net
magiklovsterd.net
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
metalcrew.net
microsoftnotification.net
mifiesta.ru
modshows.net
momotlawfirm.net
morphed.ru
mosher.pl
motobrio.net
mycanoweb.com
myfreecamgirls.net
mywebsitetips.net
neplohsec.com
nipslippage.net
nvufvwieg.com
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
outbounduk.net
oydahrenlitu346357.ru
package.ups.com.shanghaiherald.net
pagebuoy.net
pass-hc.com
peertag.com
playtimepixelating.su
pool-inter.com
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
prothericsplk.com
prysmm.net
quipbox.com
ratenames.net
relectsdispla.net
rentipod.ru
restless.su
saberig.net
safebrowse.pw
sai-uka-sai.com
sartorilaw.net
scourswarriors.su
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
seodirect-proxy.com
shanghaiherald.net
sludgekeychai.net
soberimages.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
techno5room.ru
thegalaxyatwork.com
thosetemperat.net
tor-connect-secure.com
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
u-janusa.net
ukbash.ru
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
wic-office.com
wordstudio.pl
wow-included.com
zestrecommend.com

Thursday 18 July 2013

K&L Wine Merchants (KLWines.com) spam / prysmm.net

This fake K&L Wine Merchants spam email leads to malware on www.klwines.com.order.complete.prysmm.net:


Date:      Thu, 18 Jul 2013 05:57:28 -0800
From:      drowsedl04@inbound.ups.net
CC:     
Subject:      Your K&L order #56920789 is complete

Hello from K&L Wine Merchants -- www.KLWines.com

Just wanted to let you know that your order (#56920789) is complete.

Additional comments for this order: Ship Fri. 7/19

The following items are included in this order:

------------------------------------------------------------------
 Item                               Price Shipped    Subtotal
------------------------------------------------------------------

 2009 Whitehall Lane Napa          $32.99     1        $32.99
     Valley Cabernet Sauvignon

 2007 Friggiali Brunello di        $28.99     2        $57.98
     Montalcino

 2010 Columbia Crest "H3"          $10.99     2        $21.98
     Horse Heaven Hills Washington
     Cabernet Sauvignon

 2010 Seven Hills Columbia         $19.99     1        $19.99
     Valley Cabernet Sauvignon

 2010 Bonaccorsi "Fiddlestix       $44.99     1        $44.99
     Vineyard" Sta. Rita Hills
     Pinot Noir

 2010 Melville "Estate" Santa      $25.99     1        $25.99
     Rita Hills Pinot Noir

 2007 La Fortuna Brunello di       $38.99     1        $38.99
     Montalcino

------------------------------------------------------------------
                Item Subtotal:    $247.91
                          Tax:      $0.00
          Shipping & Handling:     $67.18
                        Total:    $315.09

The shipping method for this order is UPS 2-Day, being sent to:

        Matthew Wright
        4025 sunset city plaza
        garden city, DC 13375 USA
      

The tracking number for this shipment is 1Z474482A140261050.
Please visit the freight carrier's site for exact shipping pickup and dropoff dates, by clicking on the link below. You may have to copy the link and paste it into your browser.
http://wwwapps.ups.com/etracking/tracking.cgi?TypeOfInquiryNumber=T&InquiryNumber1=1Z474482A140261050

To see the latest information about your order, visit "My Account" at http://www.klwines.com/account.asp. "My Account" lets you manage your orders online by giving you the ability to do the following:

* See your order status
* Change your e-mail address or password
* Update your billing and shipping information for future orders

You can also reach "My Account" by clicking on the link on the top of any page on our Web site.

If you need to get in touch with us about your orders, contact us via Contacts page.

Thank you for shopping at klwines.com -- we appreciate your business.

---------------------------------------------------------------------
K&L Wine Merchants
"Internet's Best Wine Site"  -- Money Magazine
questions@klwines.com             http://www.klwines.com/
---------------------------------------------------------------------

The link in the email goes through a legitimate hacked site and ends up on a malware page at [donotclick]www.klwines.com.order.complete.prysmm.net/news/order-information.php (report here) hosted on:


50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The fake WHOIS details mark this out as belonging to the Amerika gang.

   Matamoros, Grace  freehotjob@yahoo.com
   6805 Laredo
   Houston, TX 77020
   US
   8322897755

Recommended blocklist:
50.97.253.162
59.126.142.186
203.236.232.42
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
epackage.ups.com.shanghaiherald.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
klwines.com.order.complete.prysmm.net
linkedin.com-update-report.taltondark.net
m.krasalco.com
marriott.com.reservation.lookup.motobrio.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
motobrio.net
mycanoweb.com
pass-hc.com
prysmm.net
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net
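Each of these posts ends with a plain list of IPs and domains for copy-and-pasting, and the gang's landing hosts stack a legitimate brand in front of a domain it owns (klwines.com.order.complete.prysmm.net, paypal.com.us.cmd.stjamesang.net). An exact-match lookup on such a list misses the next subdomain they mint. As an added example, not part of this blog's own material, the Python below parses a blocklist excerpt in the posts' format (a constructed sample built from a few entries above) and checks constructed DNS/proxy/connection log lines against it with parent-domain matching, so any host under a listed domain is still caught while a genuine klwines.com lookup is not flagged.

```python
"""Parse a blocklist in the format used in these posts and match log lines
against it. Added example, not the blog's own tooling; the blocklist excerpt
and the log lines below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt: a few entries copied from the lists above, in the same
# shape the posts use (annotated IPs, a heading, then plain IPs and domains).
BLOCKLIST_TEXT = """\
50.97.253.162 (Softlayer, US)
203.236.232.42 (KINX, Korea)

Recommended blocklist:
50.97.253.162
203.236.232.42
klwines.com.order.complete.prysmm.net
prysmm.net
taltondark.net
"""

# Constructed log lines (RFC 5737 documentation addresses for the clients).
LOG_LINES = [
    "2013-07-18T10:03:11Z dns 192.0.2.15 query A www.klwines.com.order.complete.prysmm.net",
    "2013-07-18T10:03:12Z proxy 192.0.2.15 GET http://www.klwines.com/account.asp",
    "2013-07-18T10:03:13Z dns 192.0.2.22 query A ns2.newhost.taltondark.net",
    "2013-07-18T10:04:00Z conn 192.0.2.22 -> 203.236.232.42:80",
    "2013-07-18T10:04:01Z conn 192.0.2.9 -> 198.51.100.7:443",
]

ANNOTATED = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\(.*\)$")
IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z][a-z0-9-]*$", re.I)


def parse_blocklist(text):
    """Return (ips, domains). Annotated and plain IP lines both yield the IP;
    headings such as 'Recommended blocklist:' and blank lines are skipped."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ANNOTATED.match(line)
        if m:
            line = m.group(1)
        try:
            ips.add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass
        if HOSTNAME.match(line):
            domains.add(line.lower())
    return ips, domains


def domain_blocked(name, domains):
    """Return the most specific listed domain that covers name, or None.
    Parent-label matching is the point: a fresh subdomain under a listed
    domain must still match, but a bare TLD never does."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def indicators_in(token):
    """Yield ('ip', addr) or ('host', name) for a log token that carries one."""
    if "://" in token:                        # URL: keep only the host part
        token = urlsplit(token).hostname or ""
    m = IP_PORT.match(token)
    if m:
        yield "ip", m.group(1)
    elif HOSTNAME.match(token):
        yield "host", token


def scan_logs(lines, ips, domains):
    """Return (line, indicator, matched_entry) for every hit in lines."""
    hits = []
    for line in lines:
        for token in line.split():
            for kind, value in indicators_in(token):
                if kind == "ip" and value in ips:
                    hits.append((line, value, value))
                elif kind == "host":
                    parent = domain_blocked(value, domains)
                    if parent:
                        hits.append((line, value, parent))
    return hits


if __name__ == "__main__":
    ips, domains = parse_blocklist(BLOCKLIST_TEXT)
    for line, indicator, entry in scan_logs(LOG_LINES, ips, domains):
        print(f"BLOCKED {indicator} via {entry}\n    {line}")
```

On the constructed lines this flags the lookalike klwines host, a never-before-seen subdomain of taltondark.net and a connection to one of the listed hosting IPs, and leaves the genuine www.klwines.com request alone. Feeding it the full copy-and-paste lists from the posts works the same way, since headings and annotations are skipped by the parser.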

Friday 12 July 2013

"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.

Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommend you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com

Monday 24 June 2013

DanielMcClintic@hotmail.com fake job offer

Another staggeringly crude money mule recruitment spam, like this one. Unless you like prison food I would advise you to leave this fake offer alone.

Date:      Mon, 24 Jun 2013 22:56:39 +0900 [09:56:39 EDT]
From:      Delmar Roark
Subject:      Work in the finance department

We invite you to work in the home assistant offer.

This job takes 2-3 hours a week and requires absolutely no investment.
The essence of this work for incoming client requests in your city.
The starting income is about ~2000 Euro per month + bonuses.

You get paid your money every 2 weeks and your bonuses after finish each task!

We promis work for every person. But we accept applications this week only!
Therefore, you should send email a request right now.
And you will start earning money, starting from next week.

Please write in the request:
Your name:
Your Contact number:
Your email address:
City of residence:

Please send the request to my email DanielMcClintic@hotmail.com, and
I will contact you personally as quickly as possible.

Sincerely,
Delmar Roark

Originating IP is 211.226.147.218 in Korea.

Wednesday 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivité Locale, France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IP list for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Thursday 6 June 2013

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:
Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:      National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:      Transmission Confirmation ~26306682~N25BHHL1~

Transmission Verification    
Contact Us
To:    
NPC Account # 26306682
Xavier Reed
   
Re:    
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number       408
Batch Description       VENDOR PAY
Number of Dollar Entries       2
Number of Prenotes       0
Total Deposit Amount       $3,848.19
Total Withdraw Amount      $3,848.19
Batch Confirmation Number      50983
   
Date Transmitted      Thursday, June 06, 2013
Date Processed       Thursday, June 06, 2013
Call Start Time       4:06 PM
Call End Time       4:07 PM
Funding Method       2 Day Funding
Cycle       AM
Effective
Entry Date

Transaction Type
   
Entry
Identification

Routing/Transit

Bank Account
Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $3,848.19
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$3,848.19
Totals     $0.00
Report reference ID # N25BHHL1     Created on Thursday, June 06, 2013
Have a question about this report?  Please click here to send us an email with your question.

Version 2:

Date:      Thu, 6 Jun 2013 09:59:06 -0500
From:      National Payment Automated Reports System [lemuel@emalsrv.natpaymail.com]
Subject:      Transmission Confirmation ~10968697~607MPYRC~

Transmission Verification    
Contact Us
To:    
NPC Account # 10968697
Benjamin Turner
   
Re:    
NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number     219
Batch Description     VENDOR PAY
Number of Dollar Entries     2
Number of Prenotes     0
Total Deposit Amount     $2,549.12
Total Withdraw Amount     $2,549.12
Batch Confirmation Number     24035
   
Date Transmitted     Thursday, June 06, 2013
Date Processed     Thursday, June 06, 2013
Call Start Time     4:06 PM
Call End Time     4:07 PM
Funding Method     2 Day Funding
   
Cycle     AM
Effective

Entry Date

Transaction Type
   
Entry

Identification

Routing/Transit

Bank Account

Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $2,549.12
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$2,549.12
Totals     $0.00
Report reference ID # 607MPYRC     Created on Thursday, June 06, 2013
Have a question about this report? Please click here to send us an email with your question.

The malicious payload is on [donotclick]usforclosedhomes.net/news/walls_autumns-serial.php (report here) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)

The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.

Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
abacs.pl
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net