Sponsored by..

Showing posts with label Redret. Show all posts
Showing posts with label Redret. Show all posts

Monday, 23 January 2012

Virus: "I'm in trouble!" spam (again)

This is an email with a link leading to malware. We've seen this pitch before:

Subject: Re: I'm in trouble!

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Belita
The link goes to a legitimate hacked site, then to a multihomed .ru site on the following IPs:
  125.214.74.8
  129.67.100.11
  173.201.187.225
  173.230.137.129
  173.255.229.33
  174.122.121.154
  209.59.222.145
  211.44.250.173
  213.193.231.210
  24.37.34.163
  46.105.28.61
  50.57.77.119
  50.57.118.247
  74.208.205.185
  78.47.135.105
  78.129.233.8
  80.90.199.196
  81.31.43.43
  82.165.197.58
  83.170.91.152
  84.246.210.87
  85.214.204.32
  87.106.201.119
  93.189.88.198
  97.74.87.3

This is pretty much the same IP list as seen last week (new IPs highlighted). It's unclear at the moment which domains are on the  IPs (though there are some Redret domains here), so blocking the addresses is the safest bet.

Wednesday, 18 January 2012

Something evil on 95.211.115.228 and 46.249.37.22.

A set of malicious sites, linked to the Redret gang, hosted on 95.211.115.228 (Leaseweb, Netherlands). Blocking the IP rather than the individual domains will also protect against other malicious sites on the same server.

child-re-ninth-ebusiness.com
childregardingninthebusiness.com
childreninthebusiness.com
childsubjectninthcompany.com
childsubjectninthebiz.com
childsubjectninthebusiness.com
custom-t-shirtsfromhansen.com
extentthahansen.com
freeholidaynew.com
hirtsfromhansen.com
holidaygreat.com
holidaynewsite.com
myholidaynew.com
range-the-hansen.com


Another server in this same network is 46.249.37.22 (Serverius Holding, Netherlands)

1o345.info
1op45.info
2012-my-happy.com
2012myownhappy.com
543oh.info
54mo1.info
54po1.info
akvitea.com
alurbrilance.com
arowipes.com
avangeit.com
bitcast.in
bitcube.in
bitechnica.in
bitfire.in
bitware.in
bitwire.in
businessnfamily.com
companynfamily.com
companynpeople.com
customtshirtsfromhansen.com
domtrixsov.com
drinki.in
familycommercial.com
freeautomag.info
funnytshirtsfromhansen.com
glad-year.com
globaltracking02234.info
great-happy.com
happy-period.com
happy-term.com
happychock.biz
happytwelvemonths.com
ho345.info
iflos.com
ivairiu.com
joyful-year.com
jsijdewhg.com
kalalog-testov.com
latest-happy.com
makdacs00.com
makiajdleavseh.com
merry-year.com
modern-happy.com
muravied222.com
odnonoshnicy.com
plsk3mme.com
q234.info
s00n.in
safe-t-shirtsfromhansen.com
safetshirtsfromhansen.com
serdjuchka.biz
stop-prysham.com
timetracking02234.info
uskoriteliinterneta.biz
xxxtubedirty.com


The third server in the group is 203.170.193.102, which has already been identified here.

doofyonmycolg.ru / coolwebzuzuzu.ru now on 203.170.193.102

The malicious domains doofyonmycolg.ru and coolwebzuzuzu.ru have now shifted IPs since yesterday. The new address is 203.170.193.102 (IDC Cyberworld, Thailand). This server also hosts two "Redret" domains, also as identified yesterday, so these malicious emails are presumably from the same crew.

The following domains appear to be hosted on 203.170.193.102, all of which appear to be malicious in some way:

1god.in
aerostrips.com
arrayhansen.com
available78.de.ms
backozifice.net
betbits.com
boeingmiles.com
ccredret.ru
chronvofu.dlinkddns.com
ckredret.ru
collection-hansen.com
companyandfamily.com
ease.breastedchestedboobiestits.com
familyownedcompany.com
family-ownedcompany.com
filkso.in
freemmsservice.com
freetracking02234.info
greatglad.com
krasivayfigura.com
latestglad.com
libraryhansen.com
lkskjje43d.com
mc-3.in
metropannolike.in
mobiletracking02234.info
myskyinfo.in
oeit.in
olanuc.dlinkddns.com
onlinetelephonika.info
orfasde.dlinkddns.com
p38-adsrv.nl.ai
p66-adservices.nl.ai
pedastera.cu.cc
portfoliohansen.com
rifalogs.com
saldo7.us
schenledi.dlinkddns.com
seifancold.dlinkddns.com
sgsk43tgsdlflfbcbg.uni.me
skyinfo.in
tanildirtystories.com
tshirtsfromhansen.com
usaloaosns.com
zadpol.cu.cc
zareqah.cu.cc
zverovod.in

Tuesday, 17 January 2012

Redret domains to block 17/1/12

The Redret domains have shifted around a little since last week, indicating perhaps more malicious activity to come.

Of note, cvredret.ru and cxredret.ru are both multihomed on several IP addresses (both domains are on the same set of addresses). Those domains can be found on 91.208.181.205, 93.189.88.198, 213.193.231.210, 78.47.135.105, 78.129.233.8, 85.214.204.32, and 87.106.201.119.

Changes since last time are highlighted.

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru
clredret.ru

78.47.135.105 (Hetzner Online, Germany)
cvredret.ru
cxredret.ru

78.129.233.8 (Rapidswitch, UK)
cvredret.ru
cxredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

85.214.204.32 (Strato AG, Germany)
cvredret.ru
cxredret.ru

87.106.201.119 (1&1, Spain)
cvredret.ru
cxredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
aredirect.ru
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.208.181.205 (Oxalide, France)
cvredret.ru
cxredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru
aaredret.ru
abredret.ru
acredret.ru
adredret.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

93.189.88.198 (Silicontower, Spain)
cvredret.ru
cxredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

203.170.193.102 (IDC Cyberworld, Thailand)
cbredret.ru
ccredret.ru

213.193.213.210 (Trueserver, Netherlands)
cvredret.ru
cxredret.ru

No IP at present
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cwredret.ru
cyredret.ru

Friday, 13 January 2012

"Your order for helicopter for the weekend" / ccredret.ru

Another Redret spam leading to a malicious payload..


Date:      Fri, 12 Jan 2012 04:53:25 +0100
From:      "Keila Farley" [HannaMarcelino@ameritrade.com]
Subject:      Your order for helicopter for the weekend

Your order for our air carriage services has been received and processed. The chopper will be at your disposal from 3.30 a.m. sunday to 16.00 wednesday. Once again, the rates are as follows:
1 hour in the air: 794$
Takeoff / Landing: 163$
1 hour idle time on the ground: 166$
Longest flight is 3 hours.
When flying for longer distances, a co-pilot is needed, and the cost accordingly grows by 114$ per hour.


Invoice.doc 581kb
With Best Regards
Keila Farley
The malicious payload is delivered via a legitimate hacked site which redirects to ccredret.ru/main.php, hosted on 67.215.3.153 (GloboTech, California). That same IP was seen recently with another Redret domain, and you should block access to it if you can.

fff

Tuesday, 10 January 2012

"Our chances to win an action are higher than ever" spam / clredret.ru

A weird spam, leading to a malicious download at clredret.ru/main.php via a random hacked site.
Date:      Tue, 9 Jan 2012 08:39:05 +0300
From:      victimname@gmail.com
Subject:      Re: Our chances to win an action are higher than ever.

We discussed it with the administration representatives, and if we confess our non-essential faults to improve their statistics, the key cause will be closed due to the lack of the government interest to the action We have prepared your declaratory text for the court. Please read it carefully and if anything in it dissatisfies you, inform us.

Speech.doc 489kb


With Respect To You
Jeramiah Cohen

As mentioned earlier, clredret.ru is on 46.249.37.22 (Serverius Holdings, Netherlands) and that IP is well worth blocking.

Redret domains to block 10/1/12

After a quite couple of weeks, the Redret spam has started again using the domains and IPs listed below. Some are familiar, some are new. In some cases blocking whole IP ranges is the best idea.

46.249.37.22 (Serverius Holdings, Netherlands)
clredret.ru

46.249.37.109 (Serverius Holdings, Netherlands)
cpredret.ru

67.215.3.153 (GloboTech Communications, California)
ckredret.ru

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
ciredret.ru
coredret.ru

79.137.237.68 (Digital Network JSC aka DINETHOSTING, Russia. Block 79.137.224.0/20)
caredret.ru
cdredret.ru
cfredret.ru
cgredret.ru
csredret.ru

89.208.34.116  (Digital Network JSC aka DINETHOSTING, Russia. Block 89.208.32.0/19)
ajredret.ru
akredret.ru
alredret.ru
amredret.ru
apredret.ru
aredirect.ru
arredret.ru
asredret.ru
baredret.ru
biredret.ru
bvredret.ru

91.220.35.38 (Zamanhost, Ukraine/Russia. Block 91.220.35.0/24)
aaredret.ru
abredret.ru
acredret.ru
adredret.ru
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

91.222.137.170 (Delta-X Ltd, Ukraine. Consider blocking 91.222.136.0/22)
chredret.ru
cjredret.ru

94.199.51.108 (23VNet, Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC aka DINETHOSTING, Russia. Block 95.163.64.0/19)
aeredret.ru
afredret.ru
agredret.ru
ahredret.ru
airedret.ru
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC aka DINETHOSTING, Russia)
bwredret.ru
bzredret.ru

109.70.26.36 (Parked at RU-SERVICE Ltd ISP)
iredirect.ru

No IP at present
anredret.ru
aoredret.ru
aqredret.ru
atredret.ru
auredret.ru
avredret.ru
awredret.ru
axredret.ru
ayredret.ru
azredret.ru
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru
cbredret.ru
ccredret.ru
ceredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

Airline ticket spam / ckredret.ru

Despite a whole pile of Redret malware spam at the end of the year, the past couple of weeks have been very quiet. However, a new campaign has started up directing visitors via a hacked legitimate site to ckredret.ru/main.php which is hosted on 203.170.193.102 (IDC Cyberworld, Thailand).

Date:      Tue, 9 Jan 2012 08:33:24 +0700
From:      sales1@victimdomain.com
Subject:      Re: Your Flight N US966-282315527

Dear Customer,



FLIGHT NUMBER 5821-5704164

DATE/TIME : JANUARY 23, 2011, 16:12 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 552.06 USD



Download your ticket here:

VIEW



KAYCEE Ramirez,

American Airlines

Right at the moment the site is failing to resolve, but that could simply be a loading issue. Blocking the 203.170.193.102 IP address would be a good idea as it will stop any other malicious sites on the same server.

Thursday, 29 December 2011

"Your Changelog UPDATED" / cjredret.ru

Another spam, another "redret" domain. This time the spam is a "changelog" one, the malicious payload is on cjredret.ru/main.php.

Date:      Thu, 29 Dec 2011 07:59:51 +0200
From:      accounting@victimdomain.com
Subject:      Re: Fwd: Your Changelog UPDATED

Hello,

as promised chnglog updated -: View Changelog

Carey CATHERINE

The site is hosted on 91.222.137.170 (Delta-X, Ukraine), the same IP address as yesterday. If you don't have any reason to send traffic to the Ukraine, blocking access to 91.222.136.0/22 might be prudent.

Wednesday, 28 December 2011

"HP Officejet" spam / chredret.ru

More spam pointing to a malicious web page at chredret.ru/main.php (after redirecting through a legitimate but hacked site), but this time using the old "HP Officejet" approach.


Date:      Wed, 28 Dec 2011 05:32:16 +0700
From:      VG2EBrady@gmail.com
Subject:      Re: Fwd: Re: Scan from a HP Officejet #8056528

A document was scanned and sent to you using a Hewlett-Packard JET SK868691M



Sent to you by: SHEA
Pages : 3
Filetype: Image (.jpeg) View

Location: GDOSO.1.3TH
Device: OP685S9OD6236672

The domain chredret.ru  was used in this spam run yesterday, but now the server has moved from 46.249.37.22 to 91.222.137.170 (Delta-X, Ukraine). I don't know Delta-X at all, but the SiteVet and Google reports are not good, so you might want to consider blocking the entire range 91.222.136.0/22.

Tuesday, 27 December 2011

Contract spam / chredret.ru

Another fake "contract" spam leading to malware, hosted on chredret.ru .

Date:      Tue, 27 Dec 2011 06:06:18 +0700
From:      "Destinee Mills"
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb


With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on 46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "redret" domain in this /24, so blocking 46.249.37.0/24 might be prudent.

Wednesday, 21 December 2011

"Hello! Look, I've received an unfamiliar bill.." / cgredret.ru

The spam tsunami continues, this one is a reworking of one seen last month, but with a new payload site.

Date:      Wed, 21 Dec 2011 06:43:07 +0700
From:      "MERLYN Spicer" [sales1@victimdomain.com]
To:     
Subject:      Need your help!

Hello! Look, I've received an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Looking forward to your answer



Fingerprint: 2ccc03a5-e19549f7

The malicious payload is on cgredret.ru which I catalogued yesterday (although it didn't have an IP address then). The IP is now 206.72.207.156 (Interserver Inc, USA) along with some other malicious sites. Block the IP rather than the domain if you can.

*redirect.ru sites to block

These are another part of the "redret" series of malware sites being promoted by spam, and are worth blocking proactively.

109.70.26.36 (Parked)
iredirect.ru

89.208.34.116 (Digital Network JSC aka DINETHOSTING Russia, block 89.208.32.0/19)
aredirect.ru

91.220.35.38 (Zamanhost Ukraine, block 91.220.35.0/24)
bredirect.ru
credirect.ru
dredirect.ru
eredirect.ru

No IP allocated
fredirect.ru
gredirect.ru
hredirect.ru
jredirect.ru
kredirect.ru
lredirect.ru
mredirect.ru
nredirect.ru
oredirect.ru
predirect.ru
qredirect.ru
rredirect.ru
sredirect.ru
tredirect.ru
uredirect.ru
vredirect.ru
wredirect.ru
xredirect.ru
yredirect.ru
zredirect.ru

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday, 20 December 2011

c*redret.ru sites to block (updated)

These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.

46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru

79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru

79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru

91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]


206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru

Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

Tuesday, 13 December 2011

Spam: "I found your pictures on my camera yesterday, remember me?" / csredret.ru

Another spam run leading to a malicious payload on csredret.ru (as here)

Date:      Tue, 13 Dec 2011 10:19:58 +0200
From:      "Tomi Mcrae"
Subject:      Hi! This is Tomi

Finally I found your e-mail, I?m not sure whether you remember me, we?ve got terribly drunk, I found your pictures on my camera yesterday, remember me? Party14.jpg 487kb 

The "pictures" link loads the malicious script, hosted at black hat hosts Digital Network JSC aka DINETHOSTING in Russia. Avoid.

You can download your Windows Vista License here / csredret.ru

A Windows Vista licence? No.. it's malware from csredret.ru.

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 December 2011 05:14
Subject: Fwd: Order K93883696


Good morning,


You can download your Windows Vista License here -

Microsoft Corporation

The malicious payload is on csredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). For about the billionth time in the past few days.. block access to 79.137.224.0/20 on your network if you possibly can.

Malware spam: "Have you seen how much money has Cameron spent on his new movie?"

Here's a terse spam, leading to a malicious payload on cpredret.ru/main.php

From: AlfredoMejiaGXInOZ@aol.com
Date: 13 December 2011 04:20
Subject: I’m shocked!
   
Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!

Apparently, it refers to James Cameron and not David Cameron. Payload site is hosted on 79.137.237.67 which is the now infamous Digital Network JSC in Russia (aka DINETHOSTING). Blocking 79.137.224.0/20 would be good for your health.

Monday, 12 December 2011

c*redret.ru sites to block

Another bunch of "redret" sites to block, either by domain name or IP. These domains are being used as the payloads for spam emails and leave to a malicious web page.

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia - recommend blocking 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 ((Digital Network JSC again)
ciredret.ru
coredret.ru
cpredret.ru

91.195.11.42 (UkrStar ISP, Ukraine - recommend blocking 91.195.10.0/23)
curedret.ru

Unallocated
caredret.ru
cbredret.ru
ccredret.ru
cdredret.ru
ceredret.ru
cfredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
csredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru