Sponsored by..

Showing posts with label Redret. Show all posts
Showing posts with label Redret. Show all posts

Friday, 9 December 2011

"The variant of the contract you've offered has been delcined."

The recent spam avalanche continues:

Date:      Fri, 9 Dec 2011 -01:35:13 -0800
From:      "Josie Carlson" [TateAlmgren@concentric.net]
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 64kb

With respect to you
Josie Carlson

SHA512 check sum: [redacted]

This leads to a malicious payload on ciredret.ru/main.php, hosted on (as with this other spam/virus run), so blocking (UkrStar ISP, Ukraine) is a very good idea at the moment.

Thursday, 8 December 2011

Malware: "Your new contract" / coredret.ru

Spam season continues with this fake "contract" email with a link that leads to a malicious payload on coredret.ru/main.php.

Date:      Thu, 8 Dec 2011 01:58:25 +0700
From:      "Daisy Newby" [CadenHolmgren@hanmail.net]
Subject:      Your new contract

As we arranged the day before yesterday in the in your place we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 36kb

Best Wishes
Daisy Newby

Fingerprint: bfe69dcc-ccc03723

coredret.ru is hosted on (UkrStar ISP, Ukraine). is very sparsely populated, so blocking access to it should cause no problems.

Wednesday, 7 December 2011

Pizza spam / ciredret.ru

Another installment in the tsunami of malware-laden spam doing the rounds.. this time it is for pizza!

From: Pizza by ATTILIO [mailto:Russo@victimdomain.com]
Sent: 06 December 2011 18:25
Subject: Re: Fwd: Order confirmation

You’ve just ordered pizza from our site
Pizza Italian Trio with extras:
- Ham
- Jalapenos
- Green Peppers
- Jalapenos
- No Cheese
- No Sauce
Pizza Veggie Lover's with extras:
- Italian Sausage
- Jalapenos
- Pineapple
- Black Olives
- Easy On Cheese
- No Sauce
Pizza Supreme with extras:
- Chicken
- Jalapenos
- Extra Cheese
- Extra Sauce
- Bacardi x 2
- Dr. Pepper x 5
- Cherry Coke x 2
- Coca-Cola x 2
- Mirinda x 4
- Limonade x 5
- Carling x 5
________________________________________Total Due:    187.31$

If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.

If you don’t do that shortly, the order will be confirmed and delivered to you.

Best wishes
Pizza by ATTILIO

Fingerprint: a50c3e6f-8a5c87de 

The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on Unsuprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING) who are involved in much of the recent malware spam runs. Blocking is highly recommended.

Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on , no surprise to find that it is Digital Network JSC again..

Date:      Fri, 23 Dec 2011 -06:10:36 -0800
From:      "ANTONINO`s Pizzeria"
Subject:      Re: Fwd: Order confirmation

You’ve just ordered pizza from our site

Pizza Hawaiian Luau with extras:
- Bacon Pieces
- Pepperoni
- Pepperoni
- Diced Tomatoes
- No Cheese
- Extra Sauce
Pizza Meat Lover's with extras:
- Pepperoni
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Pizza Hawaiian Luau with extras:
- Pork
- Black Olives
- Onions
- No Cheese
- Easy On Sauce
- Sprite x 2
- Hancock x 6
- White wine x 6
- Carling x 3
Total Charge:    207.31$

If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.

If you don’t do that shortly, the order will be confirmed and delivered to you.

Best Regards
ANTONINO`s Pizzeria

Tuesday, 6 December 2011

"Epidemic in Guinea" spam / curedret.ru

An interesting twist on malware spam:

Date:      Tue, 6 Dec 2011 10:19:25 +0530
From:      "MARIE Grover" [victimname@hotmail.com]
Subject:      Re: Epidemic in Guinea

The government is hiding this fact, but there is a new epidemic in Guinea

I got to know it from friends of mine, they are there right now. Here you can find the instruction what to do not get infected

Read it! 

Perhaps the spammers have a sense of irony, because if you click the link you get directed to a legitimate but hacked site and then bounced to curedret.ru on which attempts to load the Blackhole Exploit kit. This belongs to Digital Networks CJSC (aka DINETHOSTING) in Russia.. blocking the entire range is probably a very good idea as this block is full of malicious sites. The Wepawet report for this page is here.

There are a whole bunch of these c*redret.ru sites, at the moment the following are active on this IP address:


Update: these are coming in for several different countries, payload appears to be the same:

Epidemic in Alabama
Epidemic in Austria
Epidemic in Bangladesh
Epidemic in Belgium
Epidemic in Bermuda
Epidemic in Burkina Faso
Epidemic in Canada
Epidemic in Cape Verde
Epidemic in Chad
Epidemic in Chile
Epidemic in Costa Rica
Epidemic in Croatia
Epidemic in Gambia
Epidemic in Germany
Epidemic in Guam
Epidemic in Guinea
Epidemic in Hong Kong (China)
Epidemic in Indonesia
Epidemic in Iran
Epidemic in Ireland
Epidemic in Israel
Epidemic in Kazakhstan
Epidemic in Kentucky
Epidemic in Kuwait
Epidemic in Maine
Epidemic in Mali
Epidemic in Mayotte
Epidemic in Mexico
Epidemic in Monaco
Epidemic in Montana
Epidemic in Montserrat
Epidemic in New Mexico
Epidemic in Ohio
Epidemic in Oman
Epidemic in Pakistan
Epidemic in Pennsylvania
Epidemic in Russia
Epidemic in Saint Vincent and the Grenadines
Epidemic in Tokelau
Epidemic in Tunisia
Epidemic in Turkey
Epidemic in United Kingdom
Epidemic in United States
Epidemic in United States Virgin Islands
Epidemic in Utah
Epidemic in Wallis and Futuna
Epidemic in Wisconsin
Epidemic in Zimbabwe

Monday, 5 December 2011

czredret.ru is getting on my nerves

I don't know what has been going on with spam for the past couple of weeks, but there has been a tidal wave of the same old spam hammering away at filters over and over again. Today, about half are directing traffic to a Blackhole exploit kit on czredret.ru (see an analysis here).

The spam today is about airline tickets, but it could be on anything.. including the infamous NACHA spam that we keep seeing.

czredret.ru is hosted on in the Ukraine, a block allocated to:

inetnum: -
netname:        INFIUM
descr:          Infium LTD
country:        UA
org:            ORG-INFI1-RIPE
admin-c:        INF20-RIPE
tech-c:         INF20-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         NETASSIST-MNT
mnt-routes:     NETASSIST-MNT
mnt-domains:    NETASSIST-MNT
source:         RIPE #Filtered

organisation:   ORG-INFI1-RIPE
org-name:       Infium Ltd.
org-type:       OTHER
address:        61129, Ukraine, Kharkov, Traktorostroiteley 156/41 ave, office 200
mnt-ref:        INFIUM-MNT
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

person:         Infium Ltd
address:        61129, Kharkov, Ukraine, Traktorostroiteley 156/41, office 200
abuse-mailbox:  abusemail@infiumhost.com
phone:          +380577632339
phone:          +1425606-33-07
nic-hdl:        INF20-RIPE
mnt-by:         INFIUM-MNT
source:         RIPE #Filtered

Google's prognosis of this block (AS197145) isn't brilliant:

Safe Browsing
Diagnostic page for AS197145 (ASINFIUM)

What happened when Google visited sites hosted on this network?

    Of the 536 site(s) we tested on this network over the past 90 days, 14 site(s), including, for example, myegy.com/, ql3a-soft.com/, irkasoft.ru/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-12-05, and the last time suspicious content was found was on 2011-12-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 9 site(s) on this network, including, for example, playingfieldforallstore.com/, immerconsult.com/, seafarers333.co.cc/, that appeared to function as intermediaries for the infection of 15 other site(s) including, for example, alexsandra.ucoz.net/, seafarers.ucoz.ru/, fpbqax.in/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 11 site(s), including, for example, myshop-ideal.com/, retailer-ideal.com/, abrorl.dlinkddns.com/, that infected 74 other site(s), including, for example, carrollmanorathletic.com/, nihadragab.com/, fathyradwan.com/.
SiteVet's report shows that while it isn't a brilliant block, it certain has problems.

If you don't do business in the Ukraine then it could well be worth blocking just to be on the safe side.

Wednesday, 23 November 2011

b*redret.ru domains to block

Some of the recent surge of spam emails going around uses a set of .ru domains with a discernible pattern of b*redret.ru.

Blocking these access to these domains and/or IPs might be a useful proactive step. (Hostnoc, Scranton)
buredret.ru (FastWeb SRL, Romania. Recommend blocking
bzredret.ru (Digital Networks SRL, Russia. Recommend blocking
bvredret.ru (23vnet Kft, Hungary)
bsredret.ru (Digital Networks JSC, Russia. Recommend blocking

Unallocated / invalid IPs

Virus: "Help! I'm in trouble!"

Another virus-laden email, technically very similar to this one yesterday:

Date: Wed, 23 Nov 2011 08:28:46 +0700
From: Saffi@victimdomain.com
To: victim@victimdomain.com
Subject: Help! I'm in trouble!

I was at a party, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light many times, I've just got the pictures, maybe you know him?
Here is the photo

I need to find him urgently!

Thank you
The name of the sender varies, but the approach is to use the same domain as the victim to make it look more believable. In the sample I have, the "Here is the photo" link 404s, but you can guarantee that it is malware.. so don't click that link!

Update: the malicious payload is on blredret.ru  ( at 23vnet Kft in Budapest (again). The Wepawet report is here. Blocking that IP proactively is probably wise.

Update: this spam run is happening again, but with a different set of malicious IPs (read more)