Pharma sites to block 30/7/13

This IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.

88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.200.13.15 (SKS-Lugan, Ukraine)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
94.152.188.165 (KEI, Poland)
94.242.239.4 (root SA, Luxemburg)
109.107.203.45 (Vodafone, Czech Republic)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
198.23.59.79 (LiquidNet US LLC, US)

Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
1bqmv6ir.tabletmedicinert.com
3hpd38kt.tabletmedicinert.com
3j2ilmza.tabletmedicinert.com
3taa0484.tabletmedicinert.com
54djq7gs.tabletmedicinert.com
6tpvvfwl.mediastoreplus.com
6w8vrnw1.tabletmedicinert.com
9351s3cc.tabletmedicinert.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
androidsaletablet.com
bbji3ka1.tabletmedicinert.com
biotechpharmhealthcare.com
boschtrameds.com
caloriesviagra.com
canadaipad.com
canadamedsopioid.com
canadapharmcanadian.com
canadaviagracent.com
canadiancanada.com
carerxpatient.com
chof.ru
d5pz5c35.tabletmedicinert.com
dacl3uy1.tabletmedicinert.com
deii.ru
dispensariesrx.com
drugenericswelness.com
druggenericspharmacy.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
e66y531e.tabletmedicinert.com
familymedicinerx.com
flefdukt.com
gied.ru
healthcarebiotechnology.net
herbalburdette.com
iald.ru
in.taxwelnesslevitra.com
innovatory.vitaminnutritionherbal.com
isoe.ru
jaid.ru
jx5nqjzf.tabletmedicinert.com
knr78b16.tabletmedicinert.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanadispensariesmedical.com
marijuanamedicalviagra.com
mediastoreplus.com
medicaltabgroup.com
medicarewiqi.pl
medicinetabletsurface.com
medopioid.pl
medsherbalbosch.nl
mentalevitrapill.com
mymedicaretablet.com
mypharmacyherbal.com
myviagragenerics.pl
newpharmacyherbal.com
nmvwta.mediastoreplus.com
nrytgyxvom.com
nureri.ru
oc597g5g.tabletmedicinert.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pepras.ru
phof.ru
pillgenericsgroup.com
pillscialistorture.com
pillssmartrend.com
pillsstreetinsider.com
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
ro3dk20p.tabletmedicinert.com
ruld.ru
rxsmartrend.com
satishmeds.pl
siew.ru
skah.ru
sugh.ru
tabbosch.com
tabletmedicaid.pl
tabletmedicinert.com
taxwelnesslevitra.com
tlar.ru
tmdtmnv5.tabletmedicinert.com
ttds2eew.tabletmedicinert.com
u0s3oqf6.tabletmedicinert.com
uney.ru
vitaminnutritionherbal.com
vomise.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru

Zbot sites to block 5/12/12

These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10.com domain, or are co-hosted on the same server and have malicious characteristics.

I've come up with a recommended blocklist based on the characteristics on the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.

IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)

Single IP list for copy and pasting:
31.184.244.73
62.122.74.47
77.72.133.69
78.46.205.130
78.140.135.211
85.143.166.132
87.107.121.131
91.211.119.56
91.231.156.25
91.238.83.56
146.185.255.161
178.162.132.202
178.162.134.176
188.93.210.28
195.88.74.110
198.144.183.227

Recommended blocklist:
31.184.244.73
62.122.72.0/21
77.72.133.69
78.46.5.128/29
78.140.135.211
85.143.166.0/24
87.107.96.0/19
91.211.119.56
91.231.156.0/24
91.238.83.0/24
146.185.255.0/24
178.162.132.0/24
178.162.134.128/26
188.93.210.28
195.88.74.110
198.144.183.227

Domains:
001dulpieafry.changeip.org
001lrrldtavol.changeip.org
002tkbhqhlsvt.changeip.org
004ppfpcbvctd.changeip.org
004quzisdueai.changeip.org
020jbxsgqwpse.changeip.org
022btrarqcfuk.changeip.org
026kordzsydup.changeip.org
4nfyfj.info
6j5jjek.info
accelerationarrangement.info
aderto.cu.cc
adertos.cu.cc
adx.empowersspanish.info
all1.lflinkup.com
all10.lflinkup.com
all3.lflinkup.com
all8.lflinkup.com
all9.lflinkup.com
alpha.spice-forum.in.ua
apple-free.uni.me
arizonaunintelligible.pro
avast.formsbasedscreeners.asia
avira.formsbasedscreeners.asia
barracoon.org
bicyclingsecondfastest.pro
bigprobivbig.net
bilitys.cu.cc
bilityss.cu.cc
brainiacdatingcomothers.pro
bringingaward.asia
broadlytrap.net
bulkmolosiz.com
bulkyards.com
bulkyards.net
charitablesecurities.asia
clearcubeinterviews.pro
clinquant.org
collatesphotoworks.org
confusingfunctionality.info
coreldrawscratch.asia
dangerstriangle.info
deephole.info
derusliman.org
dialectskew.info
dnsnum10.com
docspittance.asia
dracodatas.info
empowersspanish.info
energyefficientpermonth.pro
ergyefficient.asia
eset.formsbasedscreeners.asia
f4lhhd.com
f56yk.com
fapitorgtube.cu.cc
faxesworry.asia
finestaccompanying.info
fkyjyj.cu.cc
flashrssfeedlike.asia
formsbasedscreeners.asia
foundationfourtrack.asia
g4nj389.net
g6aews.com
gdgt54hdfg5y6d.hopto.org
get-it-free.flu.cc
goldenmail.in
helicograph.com
helicograph.net
helicograph.org
highflyingmotivates.info
hry24h.com
img.coldstoragemn.com
img.floodace.com
img.heritagedaysfestival.org
img.mnrealestatehome.com
iptcbolts.net
isiftheoretically.pro
jacklighter.org
jfoih347.net
jkrsryk.info
js.casio-11.com
js.casio-ok.com
kasadi.cu.cc
kazbec.info
kiklamas.cu.cc
krestybx.cu.cc
lasazar.cu.cc
lessexpensiveprototypes.asia
lisagaxu.tk
logs.clearcubeinterviews.pro
mailtypical.net
meprovidinggiggle.net
mergingvisisafe.info
minimoogsmerits.info
mobilewalmartcom.pro
mokingbirdgives.org
mytouchcoediting.net
nomadtoys.pro
nuf78784f.com
nuvfhruf.com
openearedinclusive.net
opticshoc.pro
packingdebug.asia
partnerssitesnonauthorized.asia
pasteszerou.pro
patiencerevolution.asia
phalange.net
phalange.org
pitchessuppress.org
platformindependentviz.pro
powerquesttrivial.net
primemasterswitch.asia
proofingsloth.info
pulldownnextag.info
qorayot.tk
ranikslall.biz
ranikslall.com
ranikslall.info
ranikslall.org
ratevoicemail.asia
repurposedsmtppop.asia
rightfullyretina.org
ringtonesprevent.asia
rushcreaking.net
sensibilitiesdolls.org
shareself.info
siteadvisorejector.info
slimmingedirol.pro
soundtrackoh.org
surviveoutpace.info
syenial.com
t5rgddfth67rdfgd.hopto.org
terminaloften.pro
toolbarpcmag.info
tutaqasi.tk
tutorialmediumsize.asia
udneriww.com
uikojyurfersw.homelinux.net
uninstallerthumbtack.asia
unprotectedepicture.info
usozureq.isasecret.com
vmailtalkguideone.net
vn3vrr.com
www.all15.lflinkup.com
www.all16.lflinkup.com
xovgnbxdvzsc.dyndns-remote.com
xubodaqi.tk
y8jdo.info
yardinjuries.info
zawejame.tk
zazaebuk.cu.cc
zks5k.com
zwedaseeqqs.homelinux.com

"Scan from a Hewlett-Packard Officejet 745065" and 94.23.116.30

These fake "Scan from a Hewlett-Packard Officejet" emails have been around for a little while now. Here's a slightly new verson:

From: hp@victimdomain.com
Date: 11 October 2011 23:41
Subject: Scan from a Hewlett-Packard Officejet 745065
   
A document was scanned and sent

to you using a Hewlett-Packard HP Officejet 63639D.
Sent by: SINA
Images : 2
Attachment Type: Image (.jpg) Download

Hewlett-Packard Officejet Location: machine location not set
Device: CRP272SO4SLM3917752

The link goes through to one of several sites on 94.23.116.30 (OVH, Poland). Blocking access to that IP should protect against this spam run.

The following domains appear to be hosted on that site:
agudo9871.info
alpers82c0.info
amybfd0.info
anselmo0661.info
antitrap.in
apperson6613.info
applee9a1.info
arkless6d92.info
arreza330.info
asley2ee0.info
aytes7191.info
banome2cb0.info
beckerman08b2.info
beneger50e2.info
bergfelde7c0.info
bestel2810.info
beuchatb280.info
binesc5d2.info
blincow4480.info
boaler2ab1.info
bonge06b0.info
boschier0930.info
bowrah1591.info
bramante66f2.info
brentsonc1d0.info
bridenstine1211.info
brodellabc2.info
burpee66f2.info
byczek5822.info
cable9b12.info
calleycd62.info
careford3a12.info
carver3102.info
casserley4d52.info
cavrotti42b0.info
clerkley2120.info
cluleyade1.info
cooney9712.info
corporationsweb.info
corvi3532.info
cottrillcb01.info
crate4361.info
creasey8b42.info
cristescu00ca.info
curtsinger8ad2.info
cusatis8b91.info
czyrnik74c1.info
dagley1e91.info
dallmand932.info
davidoviczc8d2.info
davydenko99d1.info
degand5e0.info
delancyfc71.info
delross6813.info
denver84e6.info
derefoner.in
desso9b20.info
deyak34c2.info
dilksf841.info
drewettf160.info
dutschmannc651.info
eavensonc190.info
edstrom6952.info
ehlicca1.info
elmoaf71.info
espenscheid2711.info
federal-domesticwires.com
fever01e1.info
firzkun.in
fissell39c0.info
flemming0dc1.info
frascaf6d0.info
frericks7582.info
friedberg3cc0.info
fuger1511.info
fulmerfdb2.info
fund4nothing.in
gadzinski1180.info
galassi9103.info
gange4742.info
gbur8c20.info
gegenheimer4bf0.info
glinkerman9380.info
gordenffb0.info
grygorwicz2191.info
guiles8570.info
guthorn9b60.info
hadselle732.info
hamiss4460.info
hartmannbf21.info
hartsook7391.info
hauben5930.info
henrettaa3c2.info
herzerb931.info
hodoa689.info
holliead00.info
horimotodb21.info
hornick0e30.info
houghtelling2355.info
hova.in
hugues1990.info
hultond5a0.info
husky9212.info
itzchakeb90.info
jauron24d0.info
jeskieff30.info
kaufmann2542.info
kellywoodf4d2.info
kintighb491.info
klinge9641.info
knauff5c60.info
koltz0341.info
kralicekcdc0.info
kramarczyk5681.info
kuns0a30.info
kurodaeb72.info
kurtisfe10.info
larssone1d2.info
lartiguef572.info
lawrey9052.info
leinbach91b0.info
lezab966.info
lidstone5a13.info
lirette3470.info
londonsbug.com
loshbaughd3b0.info
lough3572.info
mahlman67a1.info
maisenbacher5cf2.info
malizia0df1.info
malueg6fa1.info
mandia0d2.info
marlanb610.info
mcconnell1461.info
mcglumphy43c0.info
mclagan8a92.info
mclaughlan6670.info
meisenburg7e20.info
menapace7590.info
moegvubegcwan.in
molbideneoil.com
moneyforfree.in
montagnec802.info
morin4e00.info
mourinoa761.info
mullaly0ca0.info
munden49e2.info
musumeciccf0.info
naisbetta600.info
neoplanritm.in
nestel0321.info
nogueras0ba2.info
nothnagelf5b2.info
obrodderikd370.info
ogaraee50.info
omura6e81.info
oriold040.info
pangburn87e1.info
paolotto86d1.info
pariseau2e50.info
peace7fc1.info
pendextere5e2.info
percellb430.info
pidduck32e2.info
pidgeon9022.info
pinna3942.info
pioske8501.info
qqqe.us.to
quoss3f91.info
ramagano86a0.info
rashdicd02.info
raupache7f1.info
redeniusd503.info
returenget60.net
ricker5462.info
rideaufd40.info
rucci5d51.info
runagles2411.info
sacre86c2.info
sandilandsa5b1.info
sasseville9e91.info
schleppenbachae60.info
schuh9acc.info
scroger65f0.info
shearonafb1.info
shee5632.info
sita6030.info
slovinskye820.info
smard4e2.info
soetncitydyr.com
souvannavong5c90.info
speroe8c0.info
spigelmandca0.info
srnsky8f70.info
steinmiller9ca1.info
stivanson51b0.info
stonhame852.info
stopkad101.info
subera6a01.info
sultani9ef0.info
surrella8e0.info
swigart61f0.info
tabbertbe70.info
tabisulacbb4.info
tickle29c2.info
timko84d0.info
tinaa750.info
tolefreebdd2.info
tunnock0d02.info
twedena141.info
woehl5bb0.info
wolken6da2.info
worsfieldd4d1.info

Something evil on 79.133.196.124

I don't quite have the full picture on this, but it looks like some Scandinavian sites have been compromised in some way and are redirecting to a malware server on 79.133.196.124 in Poland which is serving up fake AV applications.

Blocking access to 79.133.196.124 is probably a very good idea. The following sites appear to be hosted on that server and should be blocked if you can't do so by IP address, alternatively just block access to all .co.cc and .rr.nu domains if you can.


www1.aideray.in
www1.bestrusprotect.rr.nu
www1.bestshprotect.rr.nu
www1.besturprotect.rr.nu
www1.bestzoprotect.rr.nu
www1.bestzyprotect.rr.nu
www1.fastcowsecure.rr.nu
www1.fastengsecure.rr.nu
www1.fastjeasecure.in
www1.firstytholder.in
www1.mystedguard.rr.nu
www1.novirotall.rr.nu
www1.novirtyall.rr.nu
www1.personal-wantivir.com
www1.savefslf-holder.co.cc
www1.simpleermaster.com
www1.test.thebest-poscaner.in
www1.thebestarmydhec.co.cc
www2.bestshchecker.rr.nu
www2.firstlrnetwork.rr.nu
www2.hardobcleaner.rr.nu
www2.hard-sentineluuu.rr.nu
www2.harduvscaner.rr.nu
www2.powerab-army.rr.nu
www2.powerarmycv.rr.nu
www2.safeholderbp.rr.nu
www2.safeholdergv.rr.nu
www2.safeichecker.rr.nu
www2.safe-softgr.rr.nu
www2.savednscaner.rr.nu
www2.saveojnetwork.rr.nu
www2.simplejnsoft.rr.nu
www2.smartsentinelmc.rr.nu
www2.strongckguard.rr.nu
www2.strongnetworkcj.rr.nu
www2.strongyhcleaner.rr.nu
www2.topdefensehg.rr.nu
www2.topiy-security.rr.nu
www2.top-suitele.rr.nu