Sponsored by..

Showing posts with label Nuclear Fallout Enterprises. Show all posts
Showing posts with label Nuclear Fallout Enterprises. Show all posts

Friday, 4 October 2013

Fake Dropbox spam leads to malware on adelect.com

This fake Dropbox spam leads to malware:

Date:      Fri, 4 Oct 2013 16:24:30 +0330 [08:54:30 EDT]
From:      Dropbox [no-reply@dropboxmail.com]
Subject:      Please update your Expired Dropbox Password

Hi [redacted].

We noticed that you recently tried to login in to Dropbox with a password that you haven't changed more than 90 days. Your old password has expired and you'll need to create a new one to log in.

Please visit the page to update your password

Reset Password

Thanks!
- The Dropbox Team

The link in the email goes through a legitimate hacked site and then on to a set of three scripts:

[donotclick]12.158.190.75/molls/smudgier.js
[donotclick]freetraffic2yourweb.com/palermo/uneconomic.js
[donotclick]www.bathroomchoice.com/huntsmen/bestsellers.js

From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server listed below in italics.

Recommended blocklist:
66.150.155.210
wrightleasing.com
renewalbyandersendayton.com
adelect.com

12.158.190.75
freetraffic2yourweb.com
www.bathroomchoice.com

Thursday, 22 August 2013

"Remittance Docs 2982780" spam / Docs_08222013_218.exe

This fake Chase spam has a malicious attachment:

Date:      Thu, 22 Aug 2013 10:00:33 -0600 [12:00:33 EDT]
From:      Jed_Gregory [Jed_Gregory@chase.com]
Subject:      Remittance Docs 2982780

Please find attached the remittance 2982780.                                             
                                                            If you are unable to open the
attached file, please reply to this email        with a contact telephone number. The
Finance Dept will be in touch in          due course. Jed_Gregory
Chase Private Banking      Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034
The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
successchamp.com
thenatemiller.biz
thenatemiller.co
thenatemiller.info
thenatemiller.net
thenatemiller.org
watch-fp.biz
watch-fp.ca
watch-fp.com
watch-fp.info
watch-fp.mobi
waterwayrealtyteam.us

jatw.pacificsocial.com
richardsonlookoutcottages.nb.ca
idyno.com.au



Wednesday, 21 August 2013

Facebook spam / thenatemiller.co

This fake Facebook spam leads to malware on thenatemiller.co:

Date:      Wed, 21 Aug 2013 22:05:38 +0530 [12:35:38 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Recommended blocklist:
72.5.102.146
successchamp.com
dennissellsgateway.com
thenatemiller.co
thenatemiller.info
justinreid.us
waterwayrealtyteam.us
thenatemiller.biz

gemclinicstore.com
mathenyadvisorygroup.com
www.it-planet.gr

Facebook spam / dennissellsgateway.com

This fake Facebook spam leads to malware on dennissellsgateway.com:

Date:      Tue, 20 Aug 2013 15:28:11 -0500 [16:28:11 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Gene Maynard wants to be friends with you on Facebook.

facebook
   
Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

Recommended blocklist:
72.5.102.146
dennissellsgateway.com
justinreid.us
waterwayrealtyteam.us

www.it-planet.gr
italiangardensomaha.com
ftp.crimestoppersofpinellas.org

Update:
Another spam is circulating with a different pitch, but the same malicious payload:

Dear Customer,

The following is your Credit Card settlement report for Monday, August 19, 2013.
Transaction Volume Statistics for Settlement Batch dated 19-Aug-2013
Batch ID: 108837538
Business Day: 19-Aug-2013
Net Batch Total: 3704.75 (USD)
Number of Charge Transactions: 1
Amount of Charge Transactions: 3704.75
Number of Refund Transactions: 5
Amount of Refund Transactions: 315.74
You can download your full report at https://account.authorize.net/login/protected/download/settlementreport/

To view details for a specific transaction, please log into the Merchant Interface.

1.Click "Reports" from the main menu
2.Select "Transaction Details by Settlement Date"
3.Select "Settled Transactions" from the Item Type drop-down box.
4.Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5.Click "Run Report"
6.In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net
*** You received this email because you chose to be a Credit Card Report
recipient. You may change your email options by logging into the Merchant
Interface. Click on Settings and Profile in the Main Menu, and select
Manage Contacts from the General section. To edit a contact, click the
Edit link next to the contact that you would like to edit. Under Email
Types, select or deselect the Email types you would like to receive. Click
Submit to save any changes. Please do not reply to this email.



Monday, 19 August 2013

Facebook spam / hubbywifewines.com

This fake Facebook spam leads to malware on hubbywifewines.com:

Date:      Mon, 19 Aug 2013 16:20:06 +0200 [10:20:06 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password


facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted].net at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

Recommended blocklist:
72.5.102.192
hubbywifewines.com
hubbywifefoods.com
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it



Friday, 16 August 2013

"CEO Portal Statements & Notices Event" spam / report_{DIGIT[12]}.exe

This fake Wells Fargo email has a malicious attachment:

Date:      Fri, 16 Aug 2013 09:51:17 -0500 [10:51:17 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceosmuigw@wellsfargo.com]
Subject:      CEO Portal Statements & Notices Event


Wells Fargo

Commercial Electronic Office (CEO) Portal Statements & Notices Event: Multiple Download Request Available

Your Deposit Adjustment Notices is now available. To access your information please download attached report and open Statements & Notices file.
Date/Time Stamp:    Fri, 16 Aug 2013 09:51:17 -0500
Request Name:    MM3P85NRLOXLOFJ
Event Message ID:    S045-77988311

Please do not reply to this email.

The email has an attachment called report_625859705821.zip which in turn contains an exectuable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, inclding an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.

Recommended blocklist:
66.151.138.80
hubbywifeco.com
hubbywifecakes.com
208.106.130.52
demoscreactivo.com
roundaboutcellars.com
bbsmfg.biz


Friday, 2 August 2013

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email
Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.


Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013
Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html  and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extenstion, presumably to fool AV scanners.

The next step is a kind of weird Javascript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).


The domain in question is a hijacked GoDaddy domain.The payload is hardened against analysis. There will almost definitely be other hijacked domains hosted on this server, blocking access to it might be a good idea.

Tuesday, 9 July 2013

Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file). VirusTotal detections are 26/47 and identify it as a generic downloader, Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report reveals more details [pdf] including the subsequent download locations as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.

64.136.115.72
66.63.204.26
68.7.103.29
76.226.114.217
77.30.83.91
78.131.54.252
84.59.131.0
85.107.90.53
87.18.47.40
90.189.37.85
94.240.240.106
95.246.170.150
107.217.117.139
108.234.133.110
180.247.156.110
181.67.52.88
190.202.83.105
200.91.49.183
201.209.58.176
212.71.16.46
217.132.249.173
221.215.31.50

Recommended blocklist:
gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com
bobkahnvideo.com
lacasadelmovilusado.com
common.karsak.com.tr
ftp.vickibettger.com
qualitydoorblog.com
64.94.100.116
198.173.93.218
212.58.2.22

Wednesday, 23 January 2013

Corporate eFax spam / 13.carnovirious.net

This spam is leading to malware on 13.carnovirious.net, a domain spotted earlier today.. but one that has switched server to 74.91.117.49 since then.

From:     Corporate eFax [message@inbound.efax.com] via luther.k12.wi.us
Date:     23 January 2013 15:52
Subject:     Corporate eFax message - 4 pages
Mailed-by:     luther.k12.wi.us


Fax Message [Caller-ID: 607-652-2962]
You have received a 4 pages fax at 2013-01-23 12:00:13 GMT.

* The reference number for this fax is min1_did27-5667781893-3154150936-31.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2
2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.

The spam leads to an exploit kit on [donotclick]13.carnovirious.net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well.


The following domains are on these two IPs:
13.jonemnominik.net
13.lomerdaster.net
13.zabakarvester.net
13.carnovirious.net
13.blumotorada.net

Something evil on 74.91.117.50

OK, I can see just two malicious domains on 74.91.117.50 but they are currently spreading an exploit kit through this spam run.

The domain is allocated to Nuclear Fallout Enterprises who often seem to host malware sites like this, so there's a good chance that more evil will turn up on this IP.

These are the domains that I can see right now:
13.blumotorada.net
13.carnovirious.net

The domains are registered wit these apparently fake details:
Glen Drobney office@glenarrinera.com
1118 hagler dr
neptune bch
FL
32266
US
Phone: +1.9044019773


Since there will almost definitely be more malicious domains coming up on this IP, it is well worth blocking.

Friday, 23 November 2012

Malware sites to block 23/11/12

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one).  The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)

Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118

Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)

1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Friday, 19 October 2012

LinkedIn spam / cowonhorse.co

This fake LinkedIn spam leads to malware on cowonhorse.co:

From: LinkedIn.Invitations [mailto:4843D050@pes.sau48.org]
Sent: Fri 19/10/2012 10:29
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Estelle Garrison 
Interpublic Group (Executive Director Marketing PPS)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:43DD0F0@cankopy.com]
Sent: Fri 19/10/2012 11:39
Subject: New invitation

Hi [redacted], 

User sent you an invitation to connect 14 days ago. How would you like to respond? 

Accept  Ignore Privately
  
Carol Parks 
Automatic Data Processing (Divisional Finance Director)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

==========

From: LinkedIn.Invitations [mailto:3A1665D92@leosanches.com]
Sent: Fri 19/10/2012 12:28
Subject: Invitation

Hi [redacted], 

User sent you an invitation to connect 6 days ago. How would you like to respond? 

Accept  Ignore Privately

Rupert Nielsen 
O'Reilly Automotive (Head of Non-Processing Infrastructure)

You are receiving Invitation emails. Unsubscribe. 
This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA 

The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.

Tuesday, 16 October 2012

LinkedIn spam / 74.91.112.86

This fake LinkedIn spam leads to malware on 74.91.112.86:

From: LinkedIn.Invitations [mailto:1F31A2F6B@delraybeachhomesales.com]
Sent: 16 October 2012 13:50
To: [redacted]
Subject: New invitation is waiting for your response

Hi [redacted],


David sent you an invitation to connect 13 days ago. How would you like to respond?

       
Accept    Ignore Privately


Hilton Suarez

Precision Castparts (Distributor Sales Manager EMEA)

You are receiving Invitation emails. Unsubscribe.

This email was intended for [redacted].
Learn why we included this.
2012, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
The malicious payload is on [donotclick]74.91.112.86/links/assure_numb_engineers.php hosted by Nuclearfallout Enterprises in the US (no surprises there).


Wednesday, 13 June 2012

LinkedIn spam / 74.91.112.248

This fake LinkedIn spam appears to lead to a malicious payload on 74.91.112.248:

Date:      Wed, 13 Jun 2012 14:58:15 +0200
From:      "LinkedIn©" [mvclient@mediavisions.net]
Subject:      Express LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From kristen redshaw (Country General Manager at Toshiba)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.

The malicious payload is on [donotclick]74.91.112.248/page.php?p=88fe38de which is hosted on Nuclear Fallout Enterprises in the US.

Monday, 30 April 2012

LinkedIn spam / 74.91.120.210

This fake LinkedIn spam leads to malware on 74.91.120.210:

Date:      Mon, 30 Apr 2012 17:51:37 +0530
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 36 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.


The malicious payload is at 74.91.120.210/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Nuclearfallout Enterprises in the US.

Thursday, 15 March 2012

goo.gl/FP84h link leads to malware

Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.

From:     OP 25939760 Y tuelkv60@yahoo.com
To:     ptofomen@elpuertosm.net
Date:     15 March 2012 08:35
Subject:     LinkedIn Corporation account on Hold Ref78087257
Signed by:     yahoo.com

CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V

http://goo.gl/FP84h



XR 28309138 C

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

The intermediate site is multihomed on what looks like a botnet:

1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)

Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87

Monday, 12 March 2012

goo.gl/C9bsq link leads to malware

A bit of a shift in spammer tactics here:

From:     Mohit Girsh girshmohit1988@yahoo.com
Date:     12 March 2012 11:54
Dubject:     Electronic payments are suspended #08763672
Signed by:     yahoo.com
   
Id 57-8033394-13999809-0-895
< !--ZZ 81490908 C

 hxxp://goo.gl/C9bsq


hxxp://goo.gl/C9bsq redirects to hxxp://2ecdn.barelybowler.ru/ which is multihomed:

31.176.195.196 (BH Telecom, Bosnia)
31.181.92.124 (Rostelecom , Russia)
37.99.67.48 (2DAY Telecom, Kazakhstan)
41.108.45.166 (Algerie Telecom, Algeria)
41.201.113.112 (Unknown network, Algeria)
46.70.226.182 (Armentel, Armenia)
49.145.121.75 (Philippine Long Distance Telephone Company, Philippines)
58.152.217.249 (PCCW, Hong Kong)
77.34.109.74 (Rostelecom , Russia)
77.125.246.251 (012 Smile, Israel)
83.28.56.41 (Neostrada Plus, Poland)
83.31.168.111 (Neostrada Plus, Poland)
85.29.167.135 (2DAY Telecom, Kazakhstan)
89.208.229.196 (Digital Network JSC, Russia)
91.234.24.217 (Evgeniy Kondratyk, Ukraine)
94.41.158.248 (Ufanet, Russia)
94.41.254.115 (Ufanet, Russia)
95.56.208.29 (Kazakhtelecom, Kazakhstan)
114.37.87.205 (Hinet, Taiwan)
119.42.75.15 (CAT Telecom, Thailand)

This redirects to: hxxp://74.91.121.248/showthread.php?t=72d268be707a5fb7

..which is an exploit kit (see this report) hosted by Nuclear Fallout Enterprises in the US (again).

A plain list of IPs in case you want to copy and paste into a blocklist:

31.176.195.196
31.181.92.124
37.99.67.48
41.108.45.166
41.201.113.112
46.70.226.182
49.145.121.75
58.152.217.249
77.34.109.74
77.125.246.251
83.28.56.41
83.31.168.111
85.29.167.135
89.208.229.196
91.234.24.217
94.41.158.248
94.41.254.115
95.56.208.29
114.37.87.205
119.42.75.15
74.91.121.248

Thursday, 1 March 2012

"Your tax appeal status" / "Your Intuit.com software order" spam and trucktumble.com

Two different spams with the same payload, the first featuring a massive failure of competency:

Date:      Thu, 1 Mar 2012 18:34:39 +0300
From:      "INTUIT INC."
Subject:      Your Intuit.com software order.

dear {l1}:

thank you for {l2} intuit market. we {l3} and will {l4} when your {l5}. if you ordered {l6} items, we may {l7} them in more than one {l8} (at no extra cost to you) to {l9}.

if you have questions about your order, please call 1-800-955-8890.


order information

please download your {la}
id #{digit} information at intuit small business website.

need help?

    email us at mktplace_customerservice@intuit.com.
    call us at 1-800-955-8890.
    reorder intuit checks quickly and easily starting with
    the information from your previous order.

to help us better serve your needs, please take
a few minutes to let us know how we are doing.
submit your feedback here.

thanks again for your order,

intuit market customer service

privacy , legal , contact us , about us

you have received this business communication as part of our efforts to fulfill your request or service
your account. you may receive this and other business communications from us even if you have opted
out of marketing messages.

please note: this e-mail was sent from an auto-notification system that cannot accept incoming email
please do not reply to this message.

if you receive an email message that appears to come from intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. please visit http://security.intuit.com/ for
additional security information.


�2011 intuit, inc. all rights reserved. intuit, the intuit logo, quickbooks, quicken and turbotax,
among others, are registered trademarks of intuit inc.
the second one:

Date:      Thu, 1 Mar 2012 12:33:28 -0300
From:      "Jesus Kendall"
Subject:      Your tax appeal status.

Dear Business owner,
Hereby you are informed that your Tax Return Appeal id#8179621 has been DECLINED. If you consider that the IRS did not properly assess your case due to a misunderstanding of the facts, be prepared to submit additional information. You can download the rejection details and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday � Friday, 7:00 a.m. � 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

In both cases the payload is trucktumble.com/search.php?page=73a07bcb51f4be71 on 64.94.238.71 (Nuclear Fallout Enterprises, US). Blocking the IP will stop other malware on the server causing you a problem, you may even want to block 64.94.238.0/24 because this host is getting a pretty poor reputation.


fff

Monday, 13 February 2012

NACHA Spam / cooldcloud.com and twistcosm.com

Yet more NACHA spam leading to a malicious payload, this time on cooldcloud.com.

Date:      Mon, 12 Feb 2012 08:16:16 -1100
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 1366285882700), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID:     1366285882700
Rejection Reason     See details in the report below
Transaction Report     report_1366285882700.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:      Mon, 12 Feb 2012 19:06:12 +0000
From:      "The Electronic Payments Association"
Subject:      ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 9485030409966), recently sent from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     9485030409966
Rejection Reason     See details in the report below
Transaction Report     report_9485030409966.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The malware tries to download additional content from twistcosm.com/forum/index.php?showtopic=656974 on 199.30.89.139 (Central Host / Zerigo Inc), another problem hosting company.

You can find a Wepawet report here.

Thursday, 2 February 2012

NACHA Spam / hakkabout.com and kansamentos.com

More NACHA spam with a malicious payload..

Date:      Thu, 1 Feb 2012 13:05:58 +0100
From:      risk@nacha.org
Subject:      Rejected ACH payment

The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     424339813641
Reason for rejection     See details in the report below
Transaction Report     report_424339813641.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179  (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.