"Your Apple ID has been disabled" phish

I've never seen one quite like this before, although it's not the first time I've seen Apple-themed scam email (this one, for example).

From:     Apple no_reply@macapple.com
Reply-To:     no_reply@macapple.com
Date:     31 October 2012 06:08
Subject:     Your Apple ID has been disabled
    
Apple ID Support

Dear [redacted] ,

This Apple ID has been disabled!


For your protection, your Apple ID ([redacted]) is automatically disabled. We detect unauthorized Login Attempts to your Apple ID from other IP Location. Please verify your identity today or your account will be disabled due to concerns we have for the safety and integrity of the Apple Community.


To verify your Apple ID, we recommend that you go to:
       
Verify Now >

The phish is hosted at [donotclick]app.apple.com.proiectmaxim.ro/id2/sign_in/login_ID&=/?&=?reactivate=[redacted] and it looks pretty convincing if you haven't spotted the Romanian domain name..

It just goes to show that the bad guys will try to phish anything these days..

Scam: "CareerQuick Staffing" / careermanagement.com.ua

This is another take on RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.

Date:      Mon, 26 Sep 2011 05:48:19 +0530
From:      "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject:      Reminder: Employment Opportunity Followup

Hello

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://careermanagement.com.ua/

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire
application process.


Best Regards,

Rock Smith Management

careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.

Spammers are stupid

What's wrong with this spam?

Date:      Thu, 1 Dec 2011 17:55:30 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
To:      Victim
Subject:      So now you're on LinkedIn: What's next?

The ACH transaction (ID: 730771521612), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transfer
Transaction ID:     730771521612
Reason of rejection     See details in the report below
Transaction Report     report_730771521612.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

Yup.. the headers are for a LinkedIn themed spam, the body is a NACHA themed one with a link to a malicious file. The bad guys are sending out so many of these that they must be getting confused.

The link goes through a number of legitimate hacked sites and eventually ends up at biggestamigo.com on 92.55.144.82 in Romania (I would recommend blocking the whole 92.55.144.0/24 block at least, or even 92.55.144.0/21 if you want to be on the safe side). The payload looks like a typical exploit kit.

NACHA / Wire Transfer malicious emails

I'm not sure if these three incidents are all related or are just using the same approach, but here goes.

Date:      Mon, 14 Nov 2011 17:53:54 +0100
Subject:      Disallowed Direct Deposit payment

Dear Sirs,

Herewith we are notifying you, that your latest Direct Deposit transaction (No. 60795715105) was disallowed, because of your business software package being out of date. The detailed information about this matter is available in the secure section of our web site:

hxxp://astola.com.au/93oj63/index.html

Please apply to your financial institution to obtain the new version of the software.

Kind regards,
Sidney Gross
ACH Network Rules Department
NACHA - The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996

and then

Date:      Mon, 14 Nov 2011 02:42:02 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: Wire Transfer Confirmation (FED 5697WN59)

Dear Bank Account Operator,

I regret to inform you that Wire transfer initiated by you or on your behalf was hold by us.

Transaction ID: 85802292158295165

Current status of transaction: under review

Please review transaction details as soon as possible.

Bernadette Dickinson
Payments Administration

and finally

Date:      Mon, 14 Nov 2011 10:56:29 +0530
From:      "HARMONY URBAN" support@federalreserve.gov
Subject:      Your Wire Transfer

Good day,

Account: Business Account XXX

Amount: $ 93,056.63

Wire Transfer Report: View

The wire transfer will be processed within 2 hours.

Please make sure that everything is as you requested.

HARMONY URBAN,
Federal Reserve Wire Network 

The first spam leads to a hacked site in Australia (there are probably many others). In turn, this tries to load four scripts to install malware though an HCP attack (Wepawet report here). The scripts are:

lallygag.com/js.js
www.miracleshappenrr.com/images/js.js
kyare.net/js.js
allmemoryram.com/js.js

In all cases, those scripts appear to be on legitimate (but hacked) websites. The final step for that attack is to try to install a malicious Java application from colobird.com/content/import.jar - a domain that is hosted on 216.250.120.100 but one that was only registered very recently.


The second and third emails take a different approach, loading a page at www.btredret.ru/main.php hosted on 93.187.142.38 (S.C. Profisol Telecom S.R.L., Romania). This attemps a Java exploit (Wepawet report here). This IP is part of a small netblock of 93.187.142.32 - 93.187.142.63 (93.187.142.32/27) and can probably safely be blocked, or you could just block the whole /24 if you wanted,

This is an old approach that has been doing the rounds for two years. It must still work though..

Some TDL/TDSS rootkit sites to block

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.

94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52

94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no ill-effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia, the whole /16 is sparsely populated and blocking that would probably do no harm. 195.3.144.0/22 is Latvia host RN Data SIA, given that Latvia hosts are such a sewer then blocking the /22 is probably also a good idea.

As for 212.36.9.52 (OTEL, Bulgaria), there appear to be a few malware servers in 212.36.8.0/23 mixed with several legitimate sites. 212.36.9.60, 212.36.9.52 and 212.36.9.52 also appear to be malicious. Blocking 212.36.0.48/28 should filter out the bad sites without blocking good ones.

The following domains are associated with these IPs, if you can't block by IP then blocking these might be a good idea,

bejb883-njm.com
bxwqxlkp4ajt.com
feeew0r-geek.com
gic-kbmtu0zkvwylf.com
gv47numkmkmfub8790.com
hhnnbtcnotcf3ohtxt.com
j5dlz7rxoto8g1fubb.com
jblextyhsfqttkz.com
jhv684ybknjkm.com
keter-jankinsome.com
q9-e52wjh7cz.com
retgen-rasch12.com
retno-uhb3.com
rzncgorop-yvpx.com
serch-iteration.com
tylt9avnpfl-zdk.com
uh-i99ur3qa9t3ssw.com
upsbkschmajhlxs6.com
vbhw53jnjjn00o.com
x24l0jpdhtccng-ojw.com
xcxmjb2joopypo.com
zhfg0l5eijw4tjxc.com
zw5kfhmujx024saj2.com

dfrgcc.com injection attack in progress

Thousands of sites are currently being hit by an injection attack pointing to dfrgcc.com/ur.php a domain registered to someone using the infamous hotmailbox.com domain for email.

   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The site is hosted on 188.229.88.103 which is the equally infamous Netserv Consult SRL in Romania. 188.229.88.103 hosts the following sites:

bookfula.com
bookgusa.com
bookmonn.com
bookmono.com
booknunu.com
bookvila.com
bookzula.com
dfrgcc.com
file-dl.com
xxxtubes8.com

These domains are pretty familiar, having previously been hosted in Lithuania. This marks them out as the same people behind the infamous LizaMoon attack.

Netserv Consult SRL host a wide variety of bad sites. Blocking 188.229.0.0/17 (188.229.0.0 - 188.229.127.255) will probably do you no harm.

Evil network: RONET / ro-net.eu (91.229.90.0/23)

RONET (aka. ro-net.eu) seems to be a new netblock occupying the 91.229.90.0/23 (91.229.90.0 - 91.229.91.255) range. This block has several sites recently moved from Netserv Consult SRL (who have a very bad reputation), all of which appear to be involved in criminal activity.

Although the number of sites is very low at present (just 30), the use of a /23 block indicates the perhaps this will be used for more sites very soon. Blocking 91.229.90.0/23 preemptively would probably be an excellent idea.

Here are some examples of evilness:

bywordelectronics.com [91.229.90.11]
Money mule scam / fake jobs [1] [2] [3] [4]

admagnet1.com [91.229.90.35]
Malware distribution [5] [6] [7]

eyebluster-sv1.com [91.229.90.37]
Malware distribution [8]  [9]

Other domains are registered with fake WHOIS details which is never a good sign.

The 91.229.90.0/23 range is registered to:

inetnum:         91.229.90.0 - 91.229.91.255
netname:         RONET
descr:           FOP Varovaev Leonid Gennadevich
country:         EU
org:             ORG-VARO1-RIPE
admin-c:         AV6418-RIPE
tech-c:          AV6418-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          VAROVAEV-MNT
mnt-routes:      VAROVAEV-MNT
mnt-domains:     VAROVAEV-MNT
source:          RIPE # Filtered

organisation:    ORG-VARO1-RIPE
org-name:        FOP Varovaev Leonid Gennadevich
org-type:        OTHER
address:         H-1120 Budapest,  Street Gabor Denes, 4, Hungary
mnt-ref:         VAROVAEV-MNT
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

person:          Anton Varnai
address:         H-1120 Budapest
address:         Street Gabor Denes, 4
address:         Hungary
abuse-mailbox:   abuse@ro-net.eu
phone:           +3614585544
nic-hdl:         AV6418-RIPE
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

% Information related to '91.229.90.0/23AS6753'

route:           91.229.90.0/23
descr:           RONET
origin:          AS6753
mnt-by:          VAROVAEV-MNT
source:          RIPE # Filtered

Of note is the fact that ro-net.eu was only registered two weeks ago with anonymous registration details. Also, note that although the address is in Hungary, the RONET name would indicate that it still has a ROmanian connection.

Another oddity is that the network announces itself as part of AS17088 which is allocated to Currenex, Inc. There seems to be no connection at all between Currenex, Inc and RONET, so perhaps this is an error or some kind of forgery.

You can find a full list of domains and MyWOT ratings in this CSV file. Alternatively, the currently hosted domains are listed below.

admagnet1.com
adopsassistant.com
amaltheiatech.com
arctosinbrasilia.com
bestpccleaners.org
bywordelectronics.com
combo-parts.com
easycleaners.org
eyebluster-stat.com
eyebluster-sv1.com
fixpcexperts.com
hidedns.org
jjoor.com
mediamindcal.com
mediamind-tech.com
mediatechadvice.com
mr-srv.com
newco-op.com
newsecsolutions.com
pc-syscleaner.com
pc-syscleaner.net
pc-syscleaner.org
proton-micro.com
quickwebsupport.net
ro-net.eu
searchelcome.org
softsecsolutions.net
supportnetmail.com
trackingpxl.com
vi-hosts.com

Injection attack: malavasso.com, migraviro.com and montenegrorio.com

Three more domains being used in injection attacks today:

malavasso.com
migraviro.com
montenegrorio.com

The payload is the Sinowal trojan. Malicious software is hosted on 95.64.45.43 which is well-known very dark grey hat host Netserv Consult SRL of Romania. Blocking 95.64.0.0/17 (95.64.0.0 - 95.64.127.255) will probably do no harm.

The (possibly fake) registrant for these domains is:

Registrant Contact:
   Xicheng Co.
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Administrative Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Technical Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

Billing Contact:
   Zhong Si Zhongguancun@yahoo.com
   01066569215 fax: 01066549216
   Huixindongjie 15  2
   Beijing Chaoyang 101402
   cn

virtualmapping.org redirect

The domain name virtualmapping.org sounds legitimate, but isn't.. it's a redirector used on hacked websites. The first time you visit one of these hacked sites via a Google search, you get redirected to a URL at virtualmapping.org/cgi-bin/r.cgi. Subsequent visits don't seem to trigger this, nor does visiting the site directly. It could be an altered .htaccess file.

virtualmapping.org is hosted on 94.63.149.246 which is unsurprisingly enough in Romania, in a Cobalt IT SRL block suballocated to SC Coral IT Office SRL / xnetworkings.com also in Romania. Sites in these Cobalt ranges are either all evil or are of interest to Romanian visitors only, so one quick and easy way to secure your network is to block the entire 94.60.0.0/14 range.. at the very least, block 94.63.149.0/24, 94.63.244.0/24 and 94.60.123.0/24 which are especially toxic.

After hitting virtualmapping.org, visitors are then redirected to one of the following sites on 95.168.178.206, hosted at Netdirekt in Frankfurt but actually allocated to a host called inferno.name (Sogreev Anton, Serbia). 95.168.178.0/24 is full of Russian porn sites, so probably a good thing to block in any case.

Some of the domains that are loading the malware are:
could0.nc-9.com
gets1.nc-9.com
realized2.nc-9.com
summer3.nc-9.com
principle4.nc-9.com
watching4.nc-9.com
and5.nc-9.com
electric6.nc-9.com
plane6.nc-9.com
show7.nc-9.com
fig8.nc-9.com
ever8.nc-9.com
feet8.nc-9.com
league9.nc-9.com
event9.nc-9.com
became0.nc-9.com
sense4.nc-9.com

Basically, anything in the nc-9.com domain apart from nc-9.com and www.nc-9.com has been hijacked and is pointing to the IP address in Frankfurt. It's not a surprise to see that nc-9.com is actually a legitimate domain registered at GoDaddy that appears to have been hijacked.

The payload is a nasty trojan according to various analysis tools (ThreatExpert, Comodo, Anubis). Detection rates are very low. The analysis tools might help you to clean up your PC if you have somehow become infected.

Of some interest, the trojan alters the HOSTS file to block access to popular torrent sites such as the Pirate Bay. It also calls home to two domains, assistancebeside.com (78.159.100.32) and imagehut4.cn which was actually deleted last year, but was registered to the scumbags at Real Host Ltd.

There's quite a lot to block here, the highest priorities are:
94.63.149.246
95.168.178.206
78.159.100.32
*.nc-9.com
assistancebeside.com
virtualmapping.org

I see no harm in blocking the following /24s:
94.63.149.0/24
95.168.178.0/24

And if you're not afraid to block really quite large address ranges:
94.60.0.0/14

yahlink.php / DreamHost hack

Almost identical in every way to this injection attack, several Dreamhost sites have been compromised with a page called yahlink.php (it was yahoolink.php before), which is being spammed out through compromised AOL accounts.

It isn't just Dreamhost hosted sites that are being spammed out in this way, but it does appear that well over half the sites are on Dreamhost. It looks like some GoDaddy customers might have been hit too.

In this case, the spammed link directs to krokodilius8.com/gosem11.php which is hosted on 78.129.132.26 which appears to be iomart Hosting Ltd in the UK. All the sites on that server appear to have have fake registrant details, so you can assume that they are bogus:

bepfinance.com
brentnallfg.com
estatediary.com
forfreeblog.net
freeblogpro.org
freetrialmail.com
krokodilius8.com
lucky-bet.in
pubertavad.com
russwoman.ru
superblogonline.org
thebloggin.net
vedrozhuk7.com
yourtraveldiary.net

Users are then directed to another host in Romania, 188.229.89.230 which belongs to Netserv Consult SRL. It is my opinion that there is nothing of value in the entire 188.229.0.0/17 range and you can safely block access to the entire lot.

The final step is to a host called drugstorehealthrisks.net hosted on 90.182.175.232 which looks like a broadband connection in the Czech Republic. The site isn't loading for me, but I guess it's just pharma spam. These other sites are hosted on the same server:

fatdrugstoremeds.net
healthrxinsurance.net
healthrxpharmacyinsurance.com
healthtabletsnook.net

Dreamhost have been informed of the issue but don't appear to have done anything to secure their users. Blocking Dreamhost IPs might be something worth considering depending on what kind of shop you run. I have spotted malicious activity in the following IP ranges:

67.205.0.0/18
69.163.128.0/17
75.119.192.0/19
208.97.128.0/18

..although blocking access to the Romanian 188.229.0.0/17 block would also pretty much acheive the same thing without blocking access to any legitimate sites that might be on Dreamhost.

Evil network: hotmailbox.com

The domain hotmailbox.com often comes up when looking at malicious domains, it's a domain used to provide a bulletproof email address for domain registration. The registrar for hotmailbox.com is the scammer's favourite, BIZCN which probably explains why it has lingered for so long.

There are several hundred domains registered through email accounts at hotmailbox.com, all of them are bogus and follow a similar pattern with bogus US addresses. Most of the domains with active websites are hosted in Romania, in netblocks that have a known bad reputation.

You can download a list of domains, IPs and MyWOT ratings for at least some of these domains here [CSV], or if you just want a plain list then keep scrolling down.

Because the hotmailbox.com domains are all in bad blocks or dedicated servers, then it is possible to block access to these IP ranges or individual boxes to prevent infection. I would recommend blocking the following:

84.247.61.0/24 (Sistem Soft Network, Romania)
91.217.162.0/24 (Voejkova Nadezhda, Russia)
94.63.149.0/24 (SC CORAL IT OFFICE SRL, Romania)
94.244.80.7 (Uab Kauno Interneto Sistemos, Lithunia)
95.64.55.0/24 (Netserv Consult SRL, Romania)
96.9.139.208/28 (UAB "Dominant Plius", c/o HOSTNOC, US)
141.136.16.14 (MORE SECURE SRL, Romania)
173.236.34.238 (Inferno Solutions, UK)
184.105.178.85 (Hurricane Electric, US [parked])
188.138.90.110 (Intergenia AG, Germany)
188.138.116.223 (Intergenia AG, Germany)
188.229.0.0/17 (Netserv Consult SRL, Romania)
202.75.41.42 (TM VADS DC Hosting, Malaysia)
209.212.157.208/29 (BONHOST, Ukraine)
212.117.164.39 (root SA, Luxembourg)
217.23.9.247 (Worldstream, Netherlands)
220.112.0.0/18 (Guangzhou For Great Wall Broadband Network, China)

Not every site in those ranges is part of this group, and indeed there may be a few legitimate sites, but you are much more likely to come into contact with a malware site on these IP addresses than a real one, so treat them as "high risk".

If you have any examples of domains using hotmailbox.com that are not listed, then please consider adding them to the Comments.

8nm2.com

aaaholic.com

aaoutfit.com

aarocket.com

abcartel.com

abminute.com

abutable.com

acgoblin.com

aemodern.com

afchalet.com

agfiesta.com

alexblane.com

alisa-carter.com

analitycscredit.com

asweds.com

automaticsecurityscan.com

awesomepornofree.com

awfulice.com

bcrocket.com

bdcartel.com

bestipdns.com

bookaros.com

bookarra.com

bookavio.com

bookdolo.com

bookfula.com

bookgusa.com

bookmonn.com

bookmono.com

bookmylo.com

booknunu.com

bookpolo.com

booksgou.com

booksoco.com

booksolo.com

booktuba.com

bookvila.com

bookvivi.com

bookvoxy.com

bookzoul.com

bookzula.com

caldnsserver.com

calmsearch.org

cbhammer.com

cblender.com

cebistro.com

cfaholic.com

clickabundant.org

clickaccept.org

clickadvice.org

clickahead.org

clickalmost.org

clickan.org

clickancient.org

clickany.org

clickanybody.org

clickanybody.org

clickarrogant.org

clickarvada.org

clickattempt.org

clickautomatic.org

clickbad.org

clickbatonrouge.org

clickber.org

clickboa.org

clickbored.org

clickbrake.org

clickbury.org

clickcharleston.org

clickclear.org

clickclever.org

clickdesmoines.org

clickdowe.org

clickdrea.org

clickdreadful.org

clickfer.org

clickflat.org

clickfortlauderdale.org

clickfremont.org

clickhartford.org

clickicy.org

clickill.org

clickjacksonville.org

clickmesquite.org

clicknorman.org

clickodd.org

clickolathe.org

clicksalem.org

clickshy.org

clicksyracuse.org

clickwet.org

comasians.com

comchemicalsns.com

daily-basis.com

daletter.com

darksecurityscan.com

dateoncount.com

dbchalet.com

dnseasy.ru

dnsforwebuse.com

dns-good-you.com

dnshot.ru

dnssuperb.com

dnsundservice.com

dnsvip.ru

domainforuse.com

dowpolenas.org

dynamicip-dns.com

e48i.com

easysecurityscan.com

edsawake.org

edsawake.org

edsback.org

edsbang.org

edsbang.org

edsbeautiful.com

edsbent.com

edsbent.com

edsbid.com

edsblew.com

edscold.com

edsfull.com

edsfull.com

edswoken.org

emptywin.com

engduates.com

excellentdnshost.com

fastsapere.com

fastsofgeld.com

findacid.org

findaddition.org

findadvertisem.org

findalert.org

findangry.org

findattack.org

findawful.org

findbitter.org

findblow.org

findbrake.org

findbrave.org

findcaret.org

findchalk.org

findchance.org

findcheeks.org

findclumsy.org

findcolorful.org

findconsonant.org

findcopper.org

findcurly.org

finddamaged.org

finddistribution.org

finddrawer.org

finddriving.org

finddrop.org

findear.org

findearly.org

findears.org

findearth.org

findeast.org

findexperie.org

findeyes.org

findfertile.org

findfierce.org

findforeign.org

findforget.org

findfort.org

findforth.org

findharsh.org

findinexpensive.org

findinnocent.org

findjolly.org

findjoyous.org

findjuicy.org

findlate.org

findsister.org

findsize.org

findsky.org

findsour.org

findstage.org

findstart.org

findstation.org

findstem.org

findstep.org

findstitch.org

findstone.org

findstraight.org

findstrange.org

finduneven.org

findunsightly.org

findvoiceless.org

findwandering.org

findwet.org

findwicked.org

fixtracker.com

forumaccept.org

forumadd.org

forumadmire.org

forumadmit.org

forumadvise.org

forumafford.org

forumallow.org

forumamuse.org

forumanalyze.org

forumbusy.org

forumcalm.org

forumcold.org

forumcute.org

forumdamp.org

frailwin.com

frequentwin.com

gcocgle.com

goodworkdns.com

goodworkdns.com

googletrackgeo.com

hotmailbox.com

ibtable.com

ibtable.com

imageacid.org

imagebad.org

imagebent.org

imagefipe.org

imagelue.org

install-internet.com

ipbestdns.com

IpCodesNet.com

IpInternetExplorer.com

ipmagicnet.com

ipnetworklegal.com

ipsecurityuse.com

ip-tracing.com

IpWebDirectory.com

koxtable.com

lizamoon.com

m0o0.com

malineip.com

milapop.com

netlinksgo.com

networkdnstrust.com

nondeip.com

op0o.com

ottomip.com

ottomip.com

phlorip.com

pornootrada.com

portalkey.org

s0po.com

searchabout.org

searchact.org

searchadorable.org

searchadvice.org

searchaffect.org

searchafternoon.org

searchago.org

searchairplane.org

searchalaska.org

searchalice.org

searchalike.org

searchallow.org

searchaloud.org

searchalphabet.org

searchalready.org

searchalready.org

searchalso.org

searchalso.org

searchalthough.org

searcham.org

searchamount.org

searchamusement.org

searchand.org

searchangle.org

searchanimal.org

searchanswer.org

searchant.org

searchapparatus.org

searcharound.org

searcharrange.org

searcharrow.org

searchas.org

searchaside.org

searchask.org

searchasleep.org

searchaswe.org

searchat.org

searchate.org

searchatlantic.org

searchatmosphere.org

searchatom.org

searchatomic.org

searchattached.org

searchattention.org

searchbad.org

searchbase.org

searchbat.org

searchbattery.org

searchbattle.org

searchbegan.org

searchbeginning.org

searchbegun.org

searchbehavior.org

searchbehind.org

searchbet.org

searchbetsy.org

searchbeyond.org

searchbigger.org

searchbiggest.org

searchbilly.org

searchbirth.org

searchborn.org

searchbottle.org

searchbound.org

searchbow.org

searchbowl.org

searchbread.org

searchbreak.org

searchbreathe.org

searchbreathing.org

searchbreeze.org

searchbreeze.org

searchbrick.org

searchbrick.org

searchbrief.org

searchclumsy.com

searchcruel.org

searchdead.com

searchdear.org

searchdepressed.org

searchdrab.com

searchdrab.org

searchdull.com

searchelated.org

searchfertile.org

searchfindestablish.org

searchfindfix.org

searchfindfund.org

searchfoggy.org

searchgrieving.org

searchhuge.org

searchhumid.org

searchhushed.org

searchjewel.org

searchlarge.org

searchlazy.org

searchmany.org

searchmeat.org

searchmedical.org

searchmemory.org

searchmetal.org

searchmilk.org

searchminiature.org

searchmisty.org

searchmixed.org

searchmodern.org

searchnumber.org

searchodd.org

searchof.org

searchplant.org

searchrelieved.org

searchways.org

seardall.org

static-ipdns.com

t02j.com

tadygus.com

trafficjoyous.com

u98i.com

ultradnshost.com

yahoolink.php / DreamHost hack

It appears that a lot of DreamHost (New Dream Network LLC) sites have been hacked with malicious pages added to them. The issue impacts multiple servers at different DreamHost datacenters. Some sample IPs with infected sites include:

67.205.1.63
67.205.3.51
67.205.3.230
69.163.168.135
69.163.169.247
69.163.181.205
69.163.184.86
75.119.217.8

Given that the hacked pages all contain the string yahoolink.php then it is possible that these attacks are using a PHP vulnerability. The pages are then promoted through spam email. You can simply (carefully) search for  "yahoolink.php" in your favourite search engine to see the scope of the problem.

People who click on the link get redirected through several steps:

vedrozhuk7.com
63.226.210.102
NETPOINT, Utah

(no domain)
188.229.90.71
Securvera SRL, Romania

www.medi-corp24-7.com
94.60.121.34
Cover Sun Design SRL, Romania

The endpoint appears to be a standard fake pharmacy site, I couldn't see any malicious code but that could always change.

With Romanians hosts I recommend a one-strike policy.. i.e. block the whole lot as soon as you come across a netblock with malicious activity. Unless you have business dealings with Romania, then any traffic to a Romanian host is likely to be malware or spam related. So in this case, blocking 188.229.90.0/23 and 94.60.120.0/22 will probably do no harm.

Some German scam sites

These are allegedly German companies, but:

• They are all very recently registered (4th and 17th April 2011)
• The registrar is in China (BIZCN.COM)
• The web host is in Romania
• In each case a Yahoo email address has been used

The host is "Enter Net Team" / "Power Host" in Romania. Blocking 86.55.96.0/23 is a quick win if you can do it.

blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com

More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de

puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de

somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de

schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de

werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de

nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de

dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de

geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de

krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de

werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de

grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de

geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de

esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de

koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de

blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de

fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de

eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de

temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de

horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de

wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de

pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de

genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com

Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com

Evil network: Intermedia Top SRL / INTERMEDIA-TOP AS49873 (95.64.8.0/24)

Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.

Update 2/4/11: you should also block  95.64.9.0/24 which is allocated to the same people.

AS49873 is flagged as having Zeus C&C servers, and has a pretty bad reputation at SiteVet which shows that badness shot up at the beginning of March.

Google says:

Safe Browsing
Diagnostic page for AS49873 (TELECOMPO)

What happened when Google visited sites hosted on this network?

    Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.

Contact details for the block are:

inetnum:        95.64.8.0 - 95.64.8.255
netname:        INTERMEDIA-TOP
descr:          INTERMEDIA TOP SRL
descr:          BDUL. 1 DECEMBRIE 1918 nr. 105
descr:          Alba Iulia, Jud. Alba
country:        RO
admin-c:        AP13061-RIPE
tech-c:         AP13061-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     MNT-TELECOMPO
mnt-domains:    MNT-TELECOMPO
source:         RIPE # Filtered

person:         Adrian Popa
remarks:        INTERMEDIA TOP SRL
address:        BDUL. 1 DECEMBRIE 1918 nr. 105
address:        Alba Iulia, Jud. Alba
phone:          +40214302223
abuse-mailbox:  imintermediatop90@gmail.com
mnt-by:         NETSERV-MNT
nic-hdl:        AP13061-RIPE
source:         RIPE # Filtered

route:          95.64.8.0/24
descr:          INTERMEDIA TOP SRL
origin:         AS49873
mnt-by:         MNT-TELECOMPO
source:         RIPE # Filtered

Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.

machmit.cc
servat.cc
serwaz.com
testaz.cc
financeprogramm.com
localnews47.com
localnews69.com
mmtrx.com
newslocal64.com
newslocal74.com
newslocal89.com
nwolbcom.cc
atlaty.com
atydut.com
buroti.com
fileac.com
itapos.com
lsrato.com
memhys.com
morafu.com
mupoga.com
muposs.com
nlosaf.com
onfiro.com
podyme.com
poisor.com
posjuc.com
posunn.com
qertys.com
scoolq.com
tmwars.com
usudom.com
abrogatesdv.info
absolutiovbf2n.info
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fop22.info
fre94.info
gez20.info
gru12.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
her33.info
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
mag20.info
mia16.info
mineral-beauty.net
nuzzlefgf.info
nyb90.info
obduratexv.info
obfuscate98y.info
opa63.info
ova22.info
plauditaz.info
plethoradtb.info
reprieve8mf.info
tedium34n.info
xxxpornteensex.com

Beware of worid-of-books.com

worid-of-books.com is a fake book download site punting malicious executables. The strange name can be explained if you substitute the lowercase "i" with an uppercase one, giving worId-of-books.com which is presumably meant to fool people.

The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.

Download it a second time and you actually do get a PDF file.. well, an 8 byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.

The site is hosted on 95.64.111.12 which is Asociatia Family Network Connections / FAMILY-NETWORK in Romania, along with a whole load of other sites. It's worth blocking everything in this IP range.

The ThreatExpert report is here, it might help you clean up your machine if infected.

Evil network: Asociatia Family Network Connections / FAMILY-NETWORK AS49253 (95.64.110.0/23)

Asociatia Family Network Connections / FAMILY-NETWORK is a Romanian network, and their AS49253 netblock seems to have suddenly turned evil.

The SiteVet report for this AS shows a sudden increase in recent weeks, with over 1500 sites that may be malicious included in the 95.64.110.0/23 block. Most of these evil sites are on just one host, 95.64.110.100. There may be some legitimate sites here, but probably too few to worry about.

Most sites registered here appeared to be Russian, some are registered through Chinese registars. The owner of this block is listed as:

inetnum:        95.64.110.0 - 95.64.111.255
netname:        FAMILY-NETWORK
descr:          Asociatia Family Network Connections
country:        RO
admin-c:        CS6903-RIPE
tech-c:         CS6903-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     FAMILY-NETWORK-MNT
mnt-domains:    FAMILY-NETWORK-MNT
source:         RIPE # Filtered

person:         Claudiu Sandulescu
remarks:        Asociatia Family Network Connections
address:        Str. Vlahita nr.4, Bl. PM8, Ap. 72
address:        Sector 3, Bucuresti
phone:          +40728188052
mnt-by:         FAMILY-NETWORK-MNT
abuse-mailbox:  claudiusandulescu@gmail.com
nic-hdl:        CS6903-RIPE
source:         RIPE # Filtered

route:          95.64.110.0/23
descr:          FAMILY-NETWORK
origin:         AS49253
mnt-by:         FAMILY-NETWORK-MNT
source:         RIPE # Filtered

Added: the owner of this netblock says that it is no longer in use, so it does appear that it has been hijacked somehow.. that would be consistent with the suddenly bad rankings.

You can see a CSV of domains and MyWOT ratings here, but there are too many domains to list here. Some of the domains have come from MD-ISP-MONITORING in Moldova.

Currently active IPs are:
95.64.110.36
95.64.110.37
95.64.110.43
95.64.110.45
95.64.110.48
95.64.110.50
95.64.110.66
95.64.110.100
95.64.110.105
95.64.111.11
95.64.111.12
95.64.111.14
95.64.111.15
95.64.111.16
..although to be honest, you should just block the lot of them.