
Showing posts with label Linode.

Wednesday 26 September 2012

IRS spam / 1.howtobecomeabostonian.com and mortal-records.net

Three different versions of fake IRS spam today, two leading to malware on 1.howtobecomeabostonian.com and the other with a malicious payload on mortal-records.net.


Date:      Wed, 26 Sep 2012 20:44:47 +0530
From:      "Internal Revenue Service (IRS)" [58D1F47@guyzzer.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Hello,

Due to the system error the EIN of your company has been accidently erased from the online database, please validate your EIN to reaffirm your current status of taxpayer. Certain indulgences will be applied to the next audit report for your company. IRS is sorry to cause inconvenience.





For detail information, please refer to:

https://www.irs.gov/Login.aspx?u=E8710D9E9

    Email address: [redacted]

Sincerely yours,

Barry Griffin

IRS Customer Service representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535

==========


Date:      Wed, 26 Sep 2012 11:09:45 -0400
From:      "Internal Revenue Service (IRS)" [90A75BC@etherplay.com]
To:      [redacted]
Subject:      Internal Revenue Service: For the attention of enterpreneurs

Internal Revenue Service (IRS)

Dear business owners,

Due to the corrections in the taxation policies that have been recently applied, IRS informs that LLC, C-Corporations and S-Corporations have to validate their EIN in order to reaffirm their actual status. You have 14-day period in order to examine all the changes and make necessary amendments. We are sorry for the inconvenience caused.



For the details please refer to:

https://www.irs.gov/ClientArea.aspx?u=1CBD0FC829256C

    Email address: [redacted]

Sincerely yours,

Damon Abbott

Internal Revenue Service Representative

Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.

You will need to use your email address to log in.

This service is provided to you at no charge by the Internal Revenue Service (IRS).
This email was sent to [redacted] by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington DC 20535


==========

Date:      Wed, 26 Sep 2012 19:53:28 +0400
From:      Internal Revenue Service [weirdpr6@polysto.com]
To:      [[redacted]]
Subject:      IRS report of not approved tax bank transfer

Your Federal Tax pending transaction (ID: 52007291963155), recently ordered for processing from your checking account was rejected by your Bank.

Rejected Tax transaction
Tax Transaction ID:     52007291963155
Reason ID     See details in the report below
State Tax Transaction Report     tax_report_52007291963155.doc (Microsoft Word Document)

Internal Revenue Service 9611 Tellus. Av. Augusta 38209 MV  

Payload one is at [donotclick]1.howtobecomeabostonian.com/links/marked-alter.php hosted on 74.207.232.13 (Linode, US) which looks like a hacked GoDaddy domain. Payload two is at [donotclick]mortal-records.net/detects/processing-successfully.php hosted on 203.91.113.6 (G-Mobile, Mongolia) which is an IP address that has been used a LOT for this type of attack. Blocking those IPs would be ideal.

These other bad domains are associated with the Mongolian IP address:
allmn-leicncester.net
amsnxn.com
bowerystore.net
cahgmt.com
cahmncm.com
casxmn.com
catmngn.com
chgmnm.com
myinfn.com
nitor-solutions.net
ntanwolb.com
penel-opessong.com
sncahmn.com
stafffire.net
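Two things in the first two samples above give the game away before any link is clicked: the display name claims to be the IRS while the sending address is at guyzzer.com or etherplay.com, and the visible link text reads www.irs.gov while the actual target (per the analysis above) is 1.howtobecomeabostonian.com. The following Python is an added example, not code from the original post, that checks both of these on a constructed From header and a constructed HTML body modelled on the sample; the brand-to-domain allow-list is an assumption for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brands commonly impersonated in the spam runs on this page
# and the domains that legitimately send for them (assumption, not an authoritative list).
BRAND_DOMAINS = {
    "internal revenue service": {"irs.gov"},
    "linkedin": {"linkedin.com"},
    "usps": {"usps.com"},
    "us airways": {"usairways.com"},
}

# Visible link text that actually looks like a URL or hostname (spaces disqualify it).
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]|$)", re.I)


def sender_domain(from_header):
    """Domain part of the real address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def display_name_mismatch(from_header):
    """Return the brand named in the display name if the sending domain is not one of its own."""
    name, _ = parseaddr(from_header)
    name_l, dom = name.lower(), sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_l and not any(dom == d or dom.endswith("." + d) for d in domains):
            return brand
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """(shown host, real host) for links whose visible text names a different host than the href."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not LOOKS_LIKE_URL.match(text):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((shown.lower(), real.lower()))
    return found


# Constructed samples modelled on the first IRS message above (angle brackets instead of
# the [ ] the blog uses; the href is the payload location named in the analysis).
SAMPLE_FROM = '"Internal Revenue Service (IRS)" <58D1F47@guyzzer.com>'
SAMPLE_HTML = (
    "<p>For detail information, please refer to:</p>"
    '<a href="http://1.howtobecomeabostonian.com/links/marked-alter.php">'
    "https://www.irs.gov/Login.aspx?u=E8710D9E9</a>"
    '<p><a href="http://www.irs.gov/">Subscriber Preferences Page</a></p>'
)

if __name__ == "__main__":
    print("display name mismatch:", display_name_mismatch(SAMPLE_FROM))
    print("deceptive links:", deceptive_links(SAMPLE_HTML))
```

The display-name check is deliberately narrow: the LinkedIn samples further down use reminder@linkedin.com as the envelope address, which this test passes, so it belongs alongside SPF/DKIM verification rather than instead of it.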

Friday 27 April 2012

LinkedIn spam / 50.116.23.176 and 64.244.61.40

Another LinkedIn spam leading to malware, this time on 50.116.23.176 and 64.244.61.40:

Date:      Fri, 27 Apr 2012 16:19:17 +0800
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 50 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is on 50.116.23.176/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Linode in the US. There is a subsequent download attempted from 64.244.61.40/rUPYeVt0.exe which appears to be a legitimate hacked server belonging to cheekyshare.com.

Tuesday 10 April 2012

US Airways Spam / 50.116.5.41 and 174.140.165.197

This fake US Airways spam leads to malware on 50.116.5.41:

Date:      Tue, 10 Apr 2012 19:18:16 +0530
From:      "US Airways - Reservations" [usair@myusairways.com]
Subject:      Confirm your US airways online reservation.

You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). Then, all you have to do is print your boarding pass and proceed to the gate.

Confirmation code: 956153

Check-in online: Online reservation details



Flight

1396    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    



We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The payload is on 50.116.5.41/showthread.php?t=73a07bcb51f4be71 (report here) which is hosted by Linode in the US.

Update: a similar spam is also doing the rounds with a payload on 174.140.165.197 (Directspace, US).

Friday 30 March 2012

USPS Spam / 50.116.19.155

Yet another USPS spam is doing the rounds, this time leading to a malicious payload on 50.116.19.155.

Date:      Fri, 30 Mar 2012 13:47:28 +0200
From:      "Danielle Connor" [USPS_Shipping_Services@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 7112220

Dear client:

This is an email confirmation for your order of 2 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #2056017
Print Date/Time: 03/14/2012 02:30 AM CST
Postage Amount: $25.69
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 4065 2488 7608 7525 8269 (Sequence Number 1 of 1)


If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

The malicious payload is on 50.116.19.155/data/ap2.php?f=4203d and 50.116.19.155/showthread.php?t=73a07bcb51f4be71 (report here) hosted by Linode.

Thursday 29 March 2012

USPS Spam / clearschooner.com

Another USPS spam leading to malware on clearschooner.com:

Date:      Thu, 29 Mar 2012 09:02:35 -0300
From:      "Leonardo Randolph" [USPS_Shipping_Services@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 8481973

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #2392415
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $41.63
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0354 0258 5729 7186 4971 (Sequence Number 1 of 1)


For further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond

The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malicious sites on the same IP from being a problem.

Thursday 22 March 2012

LinkedIn Spam / bluecellular.com

The second LinkedIn spam of the day is underway, which is almost exactly identical to this one. In this case, the malicious payload is on bluecellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 96.126.122.240 (Linode, US)

"LinkedIn Invitation from your co-worker" spam / slickcurve.com and bluecellular.com

Another malicious fake email from LinkedIn leading to malware hosted on slickcurve.com.

Date:      Thu, 22 Mar 2012 13:35:48 +0200
From:      "Dominique Benitez" [peripherals698@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation reminders:
• From Timothy Vega (Your classmate)


PENDING MESSAGES

• There are a total of 1 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.

Tuesday 6 March 2012

BBB Spam / 72.14.187.169

This is the second malicious spam run of the day, leading to a malware payload on 72.14.187.169:

Date:      Tue, 6 Mar 2012 14:00:18 +0200
From:      "Tom Santana"
Subject:      Better Business Bureau needs your urgent attention.
 
Business Owner/Manager,
One of your recent customers has submitted a complaint with The Better Business Bureau regarding the negative experience he had with your company. The consumer report is attached below. Please submit your feedback to this matter as within 14 days. The fastest way to provide your response is via the Online Complaint system. Please follow the following Internet address to evaluate the above-mentioned customer complaint and provide your response to it:
BBB complaint center

Use the following data to login:

Case ID: #1422518
Password: 41964

The Better Business Bureau provides an efficient third-party role, and helps you resolve your customer disputes impartially and on mutually beneficial terms. We develop and maintain online Reliability reports on American companies, available to the Public and used by millions of business customers. A good customer report can have a distinctly positive impact on your business.

We hope for your immediate attention to this matter.

Sincerely,
Honorato Cobb
Dispute Counselor

Better Business Bureau Serving Metropolitan New York, Inc.
30 East 33rd St., 12th Floor
New York, NY 10016
Office Hours: 9-5 Monday through Friday
212.533.6200
Fax: 212.477.4912
Inquiry@newyork.bbb.org

The malicious payload is on 72.14.187.169/q.php?f=e4a98&e=4 and 72.14.187.169/q.php?f=e4a98&e=1, which is a Linode IP (no surprises there!). Blocking access to the IP would be prudent.

Friday 2 March 2012

Linode blamed for Bitcoin theft

Linode features so often on this blog that they have their own tag. OK, they're not the worst hosting company in terms of malicious sites on their network, but at the moment they come up regularly.

Now, sometimes a web host is purely black hat - they know exactly what their customers are up to and they don't care. Sometimes a legitimate web host gets duped into renting servers out to the bad guys, but usually they react eventually. Then there's a third possibility - the servers have been hacked and are running malicious sites without the host's knowledge.

The thing is that over recent weeks, it seems that many servers hosting malware for those BBB / NACHA / IRS / etc emails that many people have been bombarded with look like legitimate servers that have been taken over. Of course, no web host wants to admit that they have insecure management systems, but then sometimes everything comes out in the open.

It turns out that deficiencies in Linode's security have led to the apparent theft of hundreds of thousands of bitcoins (an online currency). As detailed there, the attacker appears to have mounted the attack with very little trouble, leaving very little evidence behind except that the bitcoins were missing.

Linode itself acknowledges the problem:

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

The thing is, this server compromise was immediately obvious because of the loss of bitcoins. But where servers are being used for the Blackhole Exploit Kit or other malware, it's a lot more subtle. I suspect that this isn't the first time recently that Linode has been compromised like this.. and it's probably not the only host with the problem. In recent months, the bad guys have moved their exploit servers from Eastern European cesspits to well-known hosts, many of which are based in the US. Is this all part of the same thing?

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also, 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.

Domains:
almeconstruction.com
ampndesignclients.com
buddysbarbq.com
chovattuvt.com
curchamp.com
curcharge.com
curchart.com
ftp.intervene.com.br
impressiveclimate.com
indianwildlifetourism.com
mixestudio.com
pollypaw.com
pollypeaceful.com
ragsnipe.com
sadropped.com
splatstep.com
top59serv.ro
trucktumble.com
truckturtle.com
wonderfulwriggle.com

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:
50.2.7.120
64.150.166.137
66.96.160.133
66.232.108.46
74.207.245.244
78.47.211.154
85.9.26.253
112.78.2.141
173.213.90.237
173.213.90.238
174.123.39.34
174.136.0.68
184.173.192.173
200.58.124.129
200.98.197.68
209.140.16.128
216.251.43.98
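Turning a list like the one above into firewall rules is mostly a matter of not getting it wrong: duplicates, typos, the parked 66.96.160.133 that would take several thousand unrelated sites with it, and ranges such as the 199.30.89.0/24 that a later post on this page suggests blocking wholesale. The Python below is an added example, not code from the blog, that parses lines in the "IP (host, country) [parked]" style used above plus a bare domain list, skips parked addresses (block those by domain instead), drops single IPs already covered by a range, and renders iptables and hosts-file output. The sample input is constructed from addresses on this page, with one duplicate, one bogus line and two Zerigo addresses from the /24 added to show each case.

```python
import ipaddress
import re

# Constructed sample in the format of the "IPs and hosts" list above.
SAMPLE_IPS = """\
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
74.207.245.244 (Linode, US)
74.207.245.244
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
199.30.89.135 (Zerigo, US)
199.30.89.180 (Central Host Inc / Zerigo, US)
not-an-address (Bogus, XX)
"""

# Constructed sample domain list (first three are from the post above).
SAMPLE_DOMAINS = """\
curchamp.com
curcharge.com
ftp.intervene.com.br
curchamp.com
"""

# "1.2.3.4", "1.2.3.4 (Host, CC)", or "1.2.3.4 (Host, CC) [parked]"
ENTRY = re.compile(r"^(\S+)(?:\s*\(([^)]*)\))?(?:\s*\[(\w+)\])?\s*$")


def parse_ips(text):
    """Return ({ip: annotation}, {parked ips}, [rejected lines]); duplicates collapse."""
    entries, parked, rejected = {}, set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        try:
            ip = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None:
            rejected.append(line)      # never let a typo silently become a rule
            continue
        entries[ip] = (m.group(2) or "").strip()
        if (m.group(3) or "").lower() == "parked":
            parked.add(ip)
    return entries, parked, rejected


def build_networks(text, ranges=()):
    """CIDR list: whole ranges plus single hosts not parked and not already inside a range."""
    entries, parked, _ = parse_ips(text)
    nets = [ipaddress.ip_network(r) for r in ranges]
    singles = [ipaddress.ip_network(ip) for ip in entries
               if ip not in parked and not any(ip in n for n in nets)]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(singles + nets))]


def parse_domains(text):
    """Lower-cased, de-duplicated hostnames in input order; anything else is ignored."""
    seen = []
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if d and re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", d) and d not in seen:
            seen.append(d)
    return seen


def render(nets, domains):
    """Outbound REJECT rules for the networks and hosts-file sinkhole lines for the domains."""
    lines = ["iptables -A OUTPUT -d %s -j REJECT" % n for n in nets]
    lines += ["0.0.0.0 %s" % d for d in domains]
    return lines


if __name__ == "__main__":
    nets = build_networks(SAMPLE_IPS, ["199.30.89.0/24"])
    print("\n".join(render(nets, parse_domains(SAMPLE_DOMAINS))))
    print("rejected:", parse_ips(SAMPLE_IPS)[2])
```

The parked address is left out of the network list on purpose: the domain entries reach the one bad site on it without cutting off the other tenants.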

Thursday 1 March 2012

"Your intuit.com order confirmation" spam / curchamp.com (74.207.245.244)

This fake "Intuit order" spam leads to malware. Apparently it was sent from Careerbuilder (which is kind of odd). Also note the "spoofing" warning near the bottom!

From: INTUIT INC. [mailto:noreply@careerbuilder.com]
Sent: 01 March 2012 14:30
Subject: Your intuit.com order confirmation.

  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered multiple items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.

ORDER INFORMATION

Please download your complete order
id #443475245229 information at Intuit small business website.

NEED HELP?

•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
Thanks again for your order,

Intuit Market Customer Service


Privacy , Legal , Contact Us , About Us


You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The link goes through two legitimate hacked sites and ends up on curchamp.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 74.207.245.244 (Linode, US). This attempts to use a variety of exploits to take over the user's PC.

Blocking the IP rather than the domain will also stop any other malicious domains on the same server.

Thursday 16 February 2012

"Scan from a Hewlett-Packard Officejet" malicious spam / cserimankra.ru and samaragotodokns.ru

Another spam run with a malicious attachment:

Date:      Fri, 16 Feb 2012 11:24:56 +0700
From:      "VICTOR TALLEY"
Subject:      Scan from a Hewlett-Packard Officejet 3906171
Attachments:     HP_Scan-02.16_N05556.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 97687P.

Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]

Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064

The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php which is multihomed (report here) and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8

These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)

If you need a bare set of IP addresses for pasting into a blocklist:

46.137.251.11
50.31.1.105
50.57.77.119
50.76.184.100
69.60.117.183
87.120.41.155
88.191.97.108
111.93.161.226
173.203.51.174
173.255.229.33
184.106.151.78
184.106.237.210
190.81.107.70
190.106.129.43
200.169.13.84
204.12.252.82
210.56.23.100
211.44.250.173

Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From:  The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974 on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range; it might be worth considering blocking the whole lot.

Tuesday 14 February 2012

"Arch Coal Corp" spam leads to malware / coajsfooioas.ru and tuberkulesneporok.ru

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:      Tue, 13 Feb 2012 04:59:42 +0900
From:      "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:      Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp. 

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihomed on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

Monday 13 February 2012

"Scan from a Xerox W. Pro #6999878 " spam / ckolmadiiasf.ru

This spam comes with a malicious attachment that attempts to download malware from ckolmadiiasf.ru:8080/images/aublbzdni.php

Date:      Mon, 12 Feb 2012 07:57:23 +0700
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Xerox W. Pro #6999878
Attachments:     Xerox_Doc-l1616.htm

Please open the attached document. It was scanned and sent



to you using a Xerox WorkCentre Pro.



Sent by: SUSANNAH
Number of Images: 6
Attachment File Type: .HTML [Internet Explorer Format]

Xerox WorkCentre Location: machine location not set
Device Name: XEROX5427OD9ID86

This is one of those cases where the malicious domain is massively multihomed (there's a plain list at the end of the post if you want to copy and paste):

46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)

Looks familiar? Well, it is almost identical to this list with a few servers taken out of action.

46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82

Sunday 12 February 2012

"Scan from a Xerox WorkCentre Pro" spam with malicious attachment / cojsdhfhhlsl.ru

Here's a slightly new twist on a very familiar theme, with an email attachment that contains an HTML page with obfuscated javascript.. leading to malware.

Date:      Sun, 11 Feb 2012 12:26:18 +0100
From:      "JANICE Heller" [KailaStuck@engineeringdesign.com]
Subject:      Re: Scan from a Xerox WorkCentre Pro #383806
Attachments:     Xerox_Doc_X30366.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML [Internet Explorer Format]

WorkCentre Pro Location: machine location not set
Device Name: KDX157PS0MSUDX382782

The file Xerox_Doc_X30366.htm attempts to open a malicious web page at cojsdhfhhlsl.ru:8080/images/aublbzdni.php which contains the Blackhole exploit kit (the Wepawet report is here).

This domain is multihomed on some very familiar looking IP addresses.. in fact, they are almost identical to this spam attack. If you have blocked those IPs then you will be protected against this one.

For the record, the IPs and hosts are:
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

If you need a plain listing for pasting into a blocklist, use:
46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158

Friday 10 February 2012

"End of Aug. Statement" spam / kamarovoskorlovo.ru and serebrokakzoloto.ru

Here's yet more spam with a malicious payload:

Date:      Fri, 9 Feb 2012 09:46:12 +0300
From:      BlandTAINA@gmail.com
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_8W20576.htm

Hi,

as reqeusted I give you inovices issued to you per february (Internet Explorer format).

Regards

TAINA Bland

"Invoice_8W20576.htm" is an HTML attachment containing some obfuscated Javascript that connects to kamarovoskorlovo.ru:8080/images/aublbzdni.php which then attempts to download some malicious components from that domain and also serebrokakzoloto.ru:8080/images/jw.php?i=8 . A Wepawet report can be found here and here.

kamarovoskorlovo.ru and serebrokakzoloto.ru are multihomed on several servers (a raw list can be found at the end of the post). You'll notice that Slicehost figures prominently.

46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.201.187.225 (GoDaddy, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

Blocking access to those IPs will prevent any other malicious sites on the same servers from causing problems. Underneath is a raw list that you can copy and paste.

46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.201.187.225
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158
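The Monday 13 February post above says its list is "almost identical to this list with a few servers taken out of action", and the Sunday 12 February one notes that anyone who blocked the earlier set is already protected. Both claims are easy to check mechanically. The Python below is an added example, not the blog's own code: it parses the "IP (provider, country)" lists from the Friday 10 February post (this one) and the Monday 13 February post, reports which servers dropped out or appeared, counts addresses per hosting provider (the "Slicehost figures prominently" observation), and lists any address in the newer run that an existing blocklist of IPs or CIDR ranges would miss.

```python
import ipaddress
import re
from collections import Counter

# Copied from the Friday 10 February post on this page.
FEB10 = """\
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.201.187.225 (GoDaddy, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)
"""

# Copied from the Monday 13 February post on this page.
FEB13 = """\
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
"""

# "IP (Provider, Country)"; the provider runs up to the first comma.
ENTRY = re.compile(r"^(\S+)\s*\(([^,)]*)(?:,\s*([^)]*))?\)\s*$")


def parse_hosts(text):
    """Map each IP address to (provider, country)."""
    out = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            ip, provider, country = m.groups()
            out[ipaddress.ip_address(ip)] = (provider.strip(), (country or "").strip())
    return out


def compare(old, new):
    """Servers that fell out of rotation, servers that appeared, and how many persisted."""
    o, n = set(old), set(new)
    return {"dropped": [str(ip) for ip in sorted(o - n)],
            "added": [str(ip) for ip in sorted(n - o)],
            "retained": len(o & n)}


def provider_counts(entries):
    """Hosting providers by number of addresses, most used first."""
    return Counter(provider for provider, _ in entries.values()).most_common()


def unprotected(entries, blocked):
    """Addresses from a run that an existing blocklist of IPs or CIDR ranges does not cover."""
    nets = [ipaddress.ip_network(b) for b in blocked]
    return [str(ip) for ip in sorted(entries) if not any(ip in n for n in nets)]


if __name__ == "__main__":
    old, new = parse_hosts(FEB10), parse_hosts(FEB13)
    print(compare(old, new))
    print(provider_counts(old)[:3])
    print("not yet blocked:", unprotected(new, [str(ip) for ip in old]))
```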

Wednesday 8 February 2012

NACHA Spam / bluemator.com, synergyledlighting.net and hakkage.com

There has been a ton of NACHA-themed spam today, here are some examples:

Date:      Wed, 7 Feb 2012 18:17:43 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 8321348803546), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transaction
Transaction ID:     8321348803546
Reason of rejection     See details in the report below
Transaction Report     report_8321348803546.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 17:13:42 +0100
From:      payment@nacha.org
Subject:      Rejected ACH transaction

The ACH transaction (ID: 5999727582818), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     5999727582818
Reason for rejection     See details in the report below
Transaction Report     report_5999727582818.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:      Wed, 7 Feb 2012 15:14:00 +0100
From:      transfers@nacha.org
Subject:      Rejected ACH transaction

The ACH transfer (ID: 5896958322102), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transaction
Transaction ID:     5896958322102
Reason for rejection     See details in the report below
Transaction Report     report_5896958322102.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 15:58:54 +0200
From:      payments@nacha.org
Subject:      Your ACH transfer

The ACH transfer (ID: 118757985791), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Canceled transfer
Transaction ID:     118757985791
Reason for rejection     See details in the report below
Transaction Report     report_118757985791.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Wed, 7 Feb 2012 13:15:17 +0200
From:      alert@nacha.org
Subject:      ACH payment canceled

The ACH transaction (ID: 926663997526), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transfer
Transaction ID:     926663997526
Reason for rejection     See details in the report below
Transaction Report     report_926663997526.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The bad guys are using very heavily obfuscated JavaScript to try to hide what they are doing, but there is a malicious payload at the following URLs:

bluemator.com/search.php?page=73a07bcb51f4be71  [199.30.89.135 - Zerigo, US]
bluemator.com/content/adp2.php?f=126
hakkage.com/forum/index.php?showtopic=656974 [173.255.210.86 - Linode, US]
synergyledlighting.net/main.php?page=30e3ec8cd29abd6b [173.236.78.113 - Singlehop, US and 173.212.222.36 - HostNOC, US]
synergyledlighting.net/content/adp2.php?f=50

You can see a sample Wepawet report here and here.

Blocking access to the IPs  199.30.89.135, 173.255.210.86, 173.236.78.113 and 173.212.222.36 is probably a good idea..

Monday 6 February 2012

"Your tax information needs verification" / hakkacraft.com and hakkayard.com

Another version of this spam leading to a malicious web page..

Date:      Mon, 5 Feb 2012 13:43:16 +0000
From:      "INTUIT INC." [tools@intuit.com]
Subject:      Your tax information needs verification.

Hello,

With intent to assure that correct data is being maintained on our systems, and to be able to grant you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is specified on your account is not in compliance with the information on file with the IRS.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

The link in the email bounces through a couple of hacked legitimate sites and then lands on http://hakkacraft.com/search.php?page=73a07bcb51f4be71 (Wepawet report is here). There is a subsequent download attempted from hakkayard.com/forum/index.php?showtopic=656974

hakkacraft.com is hosted on 173.248.190.192 (Zerigo Inc / wehostwebsites.com, US). hakkayard.com is on 66.228.54.47 (Linode, US). Blocking the IP addresses will block any other malicious sites on the same server.

Thursday 2 February 2012

NACHA Spam / hakkabout.com and kansamentos.com

More NACHA spam with a malicious payload..

Date:      Thu, 1 Feb 2012 13:05:58 +0100
From:      risk@nacha.org
Subject:      Rejected ACH payment

The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     424339813641
Reason for rejection     See details in the report below
Transaction Report     report_424339813641.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179  (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.
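All three posts on this page (8 February, 6 February and 2 February) describe the same two-step chain: a landing page at search.php or main.php with a 16-hex-character page= token, followed by a download from forum/index.php?showtopic=NNN or content/adp2.php?f=NN, on hosts that move between Linode, Zerigo and others. The script below is an added example, not code from the original posts, showing how to hunt for that chain in a proxy log and to turn the published IPs into block rules. It takes the IPs and hostnames from the three posts as published, assumes a Squid native access.log layout, and runs over a constructed sample log (the 10.x client addresses, the .example hostnames and the 203.0.113.x peers are made up). A payload-shaped URL on its own is treated as weak evidence, because /forum/index.php?showtopic= is also an ordinary forum URL shape; it is only promoted when the same client fetched a landing-page-shaped URL shortly beforehand.

```python
import re
from urllib.parse import parse_qs, urlsplit

# IP addresses and hostnames exactly as published in the three posts above.
BAD_IPS = {
    "199.30.89.135", "173.255.210.86", "173.236.78.113", "173.212.222.36",
    "173.248.190.192", "66.228.54.47", "96.126.117.251", "66.151.138.179",
}
BAD_HOSTS = {
    "bluemator.com", "hakkage.com", "synergyledlighting.net",
    "hakkacraft.com", "hakkayard.com", "hakkabout.com", "kansamentos.com",
}

# Landing-page shape common to all three posts: /search.php or /main.php?page=<16 hex chars>
LANDING_PATH = re.compile(r"^/(?:search|main)\.php$")
PAGE_TOKEN = re.compile(r"^[0-9a-f]{16}$")
# Follow-on download shapes: /forum/index.php?showtopic=<digits> and /content/adp2.php?f=<digits>
PAYLOAD_PARAM = {"/forum/index.php": "showtopic", "/content/adp2.php": "f"}
# A payload-shaped URL is only tied to the chain if the same client hit a landing page this recently.
CHAIN_WINDOW_SECONDS = 60

# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<peer>\S+)"
)


def classify_url(url, peer_ip=""):
    """Return the reasons one request looks like part of this chain ([] means nothing matched)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    reasons = []
    if LANDING_PATH.match(parts.path) and any(PAGE_TOKEN.match(v) for v in qs.get("page", [])):
        reasons.append("landing-page-pattern")
    param = PAYLOAD_PARAM.get(parts.path)
    if param and any(v.isdigit() for v in qs.get(param, [])):
        reasons.append("payload-url-pattern")
    if host in BAD_HOSTS:
        reasons.append("known-bad-host")
    if peer_ip in BAD_IPS:
        reasons.append("known-bad-ip")
    return reasons


def scan_log(lines):
    """Return one dict per suspicious line. 'strong' is False when the only evidence is a
    payload-shaped URL that no landing-page hit from the same client preceded."""
    last_landing = {}  # client -> timestamp of its most recent landing-page hit
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # not in the assumed Squid layout; skip rather than guess
        ts, client = float(m["ts"]), m["client"]
        reasons = classify_url(m["url"], m["peer"])
        if "landing-page-pattern" in reasons:
            last_landing[client] = ts
        elif "payload-url-pattern" in reasons and ts - last_landing.get(client, -1e18) <= CHAIN_WINDOW_SECONDS:
            reasons.append("follows-landing-page")
        if reasons:
            hits.append({"client": client, "url": m["url"], "reasons": reasons,
                         "strong": reasons != ["payload-url-pattern"]})
    return hits


def block_rules(ips=BAD_IPS):
    """Outbound iptables drops for the published IPs, one rule per address, in numeric order."""
    ordered = sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ordered]


# Constructed sample log, not taken from the posts. Lines 2 and 3 reproduce the
# bluemator.com -> hakkage.com chain from the 8 February post; the rest is made up.
SAMPLE_LOG = [
    "1328630400.101 312 10.1.2.3 TCP_MISS/200 4412 GET http://www.example.org/news/ - DIRECT/203.0.113.1 text/html",
    "1328630401.455 228 10.1.2.3 TCP_MISS/200 1903 GET http://bluemator.com/search.php?page=73a07bcb51f4be71 - DIRECT/199.30.89.135 text/html",
    "1328630403.020 512 10.1.2.3 TCP_MISS/200 98304 GET http://hakkage.com/forum/index.php?showtopic=656974 - DIRECT/173.255.210.86 application/octet-stream",
    "1328630420.777 190 10.1.2.9 TCP_MISS/200 2211 GET http://unknown-host.example/main.php?page=30e3ec8cd29abd6b - DIRECT/203.0.113.5 text/html",
    "1328630421.010 200 10.1.2.9 TCP_MISS/200 3120 GET http://unknown-host.example/content/adp2.php?f=50 - DIRECT/203.0.113.5 application/octet-stream",
    "1328630500.333 150 10.1.2.20 TCP_MISS/200 5120 GET http://board.example/forum/index.php?showtopic=12 - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        label = "STRONG" if hit["strong"] else "weak  "
        print(label, hit["client"], hit["url"], ",".join(hit["reasons"]))
    print("\n".join(block_rules()))
```

The fourth sample line shows why the URL shape is worth matching on its own: a landing page on a host nobody has published yet still gets flagged, which matters given how quickly these domains rotate. The last line shows the other side of that trade-off: a plain forum URL matches the payload shape and is reported only as a weak hit, so review it before adding its host to any block list.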