Sponsored by..

Showing posts with label Sweden. Show all posts
Showing posts with label Sweden. Show all posts

Thursday 27 April 2017

Malware spam: Scotiabank / "Secure email communication" / Secure.Mail@scotiabankmail.com

This fake financial spam leads to malware:

From:    ScotiaBank [Secure.Mail@scotiabankmail.com]
Date:    27 April 2017 at 14:13
Subject:    Secure email communication
Signed by:    scotiabankmail.com


Scotia Secure Email Logo
Secure mail waiting: (Secure)
Scotiabank has sent you a secure, encrypted e-mail message. To view this e-mail, please visit "Scotiabank Secure Email Service" or check attach file. For further information on how to use this service please reffer to "the Secure Email User Guide".
The email you receive from Scotiabank, including any attachments, may contain confidential and/or privileged information for the intended recipient(s) only and the sender does not waive any related legal rights or privilege. Any use or disclosure of the information by an unintended recipient is unauthorized and prohibited. If you have received an email message in error, please delete the entire message, including attachments if any, and inform us by return email. 

Opening the attached document SecureMail.doc leads to a simple page that tries to get you to enable Active Content (not recommended!).

Hybrid Analysis shows a download from elevationstairs.ca/fonts/dde60c5776c175c54d23d2b0c.png [70.33.246.140 - Host Papa, US] leading to a dropped file Pscou.exe which has a detection rate of 11/61 and appears to be Upatre.

Malwr Analysis of the downloaded file shows attempted communications to:

82.146.94.86 (Ringnett, Norway)
8.254.243.46 (Level 3, US)
217.31.111.153 (Ringnett, Norway)


scotiabankmail.com has been registered specifically for this attack, or you can block the sending IP of 89.40.216.186 (City Network Hosting AB, Sweden)

Recommended blocklist:
scotiabankmail.com [email]
89.40.216.186 [email]
70.33.246.140
82.146.94.86
8.254.243.46
217.31.111.153

Tuesday 12 July 2016

Malware spam: "Here's that excel file (latest invoices) that you wanted." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Benita Clayton
Date:    12 July 2016 at 15:04
Subject:    Fw:

hi [redacted],

Here's that excel file (latest invoices) that you wanted.


Best regards,
Benita Clayton
Vice President US Risk Management
Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-.

Trusted external analysis (thank you again) shows the scripts download an obfuscated binary from one of the following locations:

acepipesdeli.com.br/tffx7
aerosfera.ru/h5vkp87
agbiz.co.za/x2evw01
choogo.net/qi7j7f
control3.com.br/57nhtzkv
dealsbro.com/4qtc20
diablitos.no/ogmrgs
doisirmaosturismo-rj.com.br/jxdlzcf
eskuvotervezo.hu/3kbgy9a
eusekkei.co.jp/tdts0
ferozsons-labs.com/52sf0l
games4games.com.br/ubabtp
globaldveri.ru/i4a3l0
hanaweb.xsrv.jp/be6o4g6
heonybaby.synology.me/41sx3e
ialri.net/tughk
jsbaden.jemk.ch/xyn8moxt
jstudio.com.my/5mkejwj4
kveldeil.no/opca2v2
maihama.2jikai-p.net/5mkejwj4
mcpf.co.za/ffq1mq
mphooseitutu.com/tfq5e5d2
mywebhost.nichost.ru/g53y7
nicesound.biz/42did
omnitask.ba/ac5f6
ostrovokkrasoty.ru/x7lcd
ppf.com.pk/5z2sk
quaint.com.br/divme5d
repair-service.london/uywgi7v
revengeofsultans.com/9cu7bsw
richard-scissors.com/wife8eaf
rigoberto.com.br/nqum54t
samaju.se/fsqrtgrm
sindsul.com/h02sujs
sirimba.com.br/qiovtl
stylespiritdubai.com/be1id
tvernedra.ru/lob9x
valsystem.cl/v4db1wd
wacker-etm.ru/jfbmxlhy
wineroutes.ru/hrzl8dw5
www.cristaleriadominguez.com/fxcx6ep
www.inextenso.hu/xc3739l
www.ital.com.mx/xswj9
zachphoto.7u.cz/0jyhh
zakagimebel.ru/krcsvf
zoomwalls.com/zghpzv2f


Locky then phones home to one of the following locations:

5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)


Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220


Tuesday 8 March 2016

Malware spam: "Compensation - Reference Number #368380" leads to Locky

This fake financial spam comes with a malicious attachment:

From:    Orval Burgess
Date:    8 March 2016 at 11:10
Subject:    Compensation - Reference Number #368380

Dear Customer,

The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.


Sincerely,
Orval Burgess
Account Manager

Attached is a file named in a similar format to SCAN_00_368380.zip which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]) and automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:

ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf


Those same reports indicate the malware attempts to phone home to the following IPs:

89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)


Those automated reports all indicate that this is the Locky ransomware.

UPDATE

A trusted source also informs me of these additional download locations;

51457642.de.strato-hosting.eu/980k7j6h5
besttec-cg.com/89ok8jhg
cyberbuh.pp.ua/97kh65gh5
fkaouane.free.fr/67uh54gb4
het-havenhuis.nl/099oj6hg
kokoko.himegimi.jp/54g4
lahmar.choukri.perso.neuf.fr/78hg4wg
surfcash.7u.cz/0o9k7jh55
www.vtipnetriko.cz/9oi86j5hg4


In addition, there is another IP address the malware phones home to:

212.47.223.19 (Web Hosting Solutions Oy, Estonia)



Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196

212.47.223.19

Tuesday 7 April 2015

Malware spam: "EBOLA INFORMATION" / "noreply@ggc-ooh.net"

This fake medical email contains a malicious attachment. It's a novel approach by the bad guys, but I doubt that many people will find it believable enough to click.

From:    noreply@ggc-ooh.net
Reply-To:    noreply@ggc-ooh.net
Date:    7 April 2015 at 08:58
Subject:    EBOLA INFORMATION

This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ggc-ooh.net

PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.

THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro [pastebin] which is contains a lot of girls names as variables (which makes a nice change from the randomly-generated stuff I suppose).

When decoded the macro downloads a component from:

http://deosiibude.de/deosiibude.de/220/68.exe

VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools [1] [2] [3] show it phoning home to the following IPs (ones in bold are most likely static, the others look to be dynamic):

37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)

85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)

According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.

Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18


MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E



Thursday 2 April 2015

Malware spam: "Copy invoices Snap on Tools Ltd" / "Allen, Claire [Claire.Allen@snapon.com]"

This fake invoice does not come from Snap On Tools, but is instead a simple forgery.

From:    Allen, Claire [Claire.Allen@snapon.com]
Date:    24 February 2015 at 14:41
Subject:    Copy invoices Snap on Tools Ltd

Good Afternoon

Attached are the copy invoices that you requested.

Regards

Claire

Your message is ready to be sent with the following file or link attachments:

SKETTDCCSMF14122514571


Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.
I have only seen one copy of this with an attachment SKETTDCCSMF14122514571.doc which contains this malicious macro [pastebin], which downloads a further component from:

http://ws6btg41m.homepage.t-online.de/025/42.exe

This executable has a detection rate of 5/57. Various automated analyses [1] [2] [3] [4] show attempted communications to the following IPs:

91.242.163.70 (OOO Sysmedia, Russia)
72.167.62.27 (GoDaddy, US)
62.113.219.35 (23Media GmbH, Germany)
46.101.49.125 (Digital Ocean, UK)
130.241.92.141 (Goteborgs Universitet, Sweden)
198.245.70.182 (Deniz Toprak / B2 Net Solutions Inc., US)
94.23.173.233 (OVH, Czech Republic)
14.98.243.243 (Tata Indicom, India)
5.100.249.215 (O.M.C. Computers & Communications, Israel)
62.113.223.227 (23Media GmbH, Germany)

According to this Malwr report  it drops another version of the downloader called edg1.exe [VT 4/57] and a malicious Dridex DLL [VT 2/57].

Recommended blocklist:
91.242.163.70
72.167.62.27
62.113.219.35
46.101.49.125
130.241.92.141
198.245.70.182
94.23.173.233
14.98.243.243
5.100.249.215
62.113.223.227

MD5s:
dc92858693f62add2eb4696abce11d62
6fb2f86986e074cf44bd4c9f68e9822e
9565b17a4f1221fee473d0d8660dc26d
62e780a6237c6f9fd0a8e16a2823562d





Wednesday 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Friday 21 February 2014

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131

Thanks to @Techhelplistcom for the heads up on this little mystery..



It all starts with a spam evil (described here)..

The link goes to a URLquery report that seems pretty inconclusive,  mentioning a URL of [donotclick]overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs.com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set.

As Techhelplist says, set the UA to an Android one and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno.name)
[donotclick]mobile.downloadadobecentral.ru/FLVupdate.php  then to
[donotclick]mobile.downloadadobecentral.ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk

3NT Solutions / inferno.name is a known bad actor and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket.

FlashUpdate.apk has a VirusTotal detection rate of 22/47, but most Android users are probably not running anti-virus software. The Andrubis analysis of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster.com.

It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.

Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
overcomingthefearofbeingfabulous.com

UPDATE 2014-05-25: Note that overcomingthefearofbeingfabulous.com has been cleaned up and appears to be no longer compromised.

Tuesday 24 September 2013

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang, and it replaces the list last week.

5.135.42.104 (OVH, Netherlands)
24.111.103.183 (Midcontinent Media, US)
24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
37.221.163.174 (Voxility SRL, Romania)
42.121.84.12 (Aliyun Computing Co, China)
46.32.47.24 (Syd Energi, Denmark)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
69.94.163.22 (Region 18 Education Service Center, US)
69.163.40.39 (DirectSpace LLC, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
79.190.173.125 (TPNET, Poland)
81.28.199.18 (KNET, France)
84.52.66.244 (West Call Ltd, Russia)
85.246.142.214 (PT Comunicacoes, Portugal)
91.220.77.83 (NTH Media, Switzerland)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
109.71.136.140 (OpWan, France)
123.183.210.42 (China Telecom, China)
125.20.14.222 (Price Water House Cooperation, India)
153.127.243.80 (Kagoya Japan Corporation, Japan)
163.32.78.2 (TANET, Taiwan)
174.142.186.89 (iWeb, Canada)
184.82.233.29 (Network Operations Center, US)
186.3.101.235 (Clientes Quito, Ecuador)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
194.44.93.219 (UARNet, Ukraine)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
199.175.49.118 (VPS Cheap, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
216.218.208.55 (Hurricane Electric, US)
223.30.27.251 (Sify Limited, India)
220.68.231.30 (Hansei University, Korea)

5.135.42.104
24.111.103.183
24.173.170.230
32.64.143.79
37.153.192.72
37.221.163.174
42.121.84.12
46.32.47.24
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
69.94.163.22
69.163.40.39
77.123.54.28
79.190.173.125
81.28.199.18
84.52.66.244
85.246.142.214
91.220.77.83
95.111.32.249
103.20.166.67
109.71.136.140
123.183.210.42
125.20.14.222
153.127.243.80
163.32.78.2
174.142.186.89
184.82.233.29
186.3.101.235
186.251.180.205
187.60.172.18
194.44.93.219
194.158.4.42
198.71.90.239
199.175.49.118
208.52.185.178
208.115.114.69
211.71.99.66
216.218.208.55
223.30.27.251
220.68.231.30
24kstudio.net
achrezervations.com
acomboramboarmiab722.net
aconsturcioneoftherive677.net
acormushkivsenamizv992.net
airfare-ticketscheap.com
aristonmontecarlo.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
consistingsec.net
cremenatthemomenter56.net
crovvirnskieertater55.net
crovviyyyyyyuutater90.net
curse.su
deepsealinks.com
demuronline.net
diggingentert.com
dropdistri-butions.net
dulethcentury.net
ehtiebanishkeobprienrt25.net
ejanormalteene250.com
ejanormatoone240.com
elvisalive4ever.com
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
exeteenofthemid74.com
explorerlikem.com
fdic.gov.horse-mails.net
gigiandrose-sf.net
gjoonalitikeer310.com
gjoonanalitik300.com
glums.net
goodnoontoon11.net
gormonigraetnapovalahule26.net
grannyhair.ru
gromovierashodyna73.net
hdmltextvoice.net
higherpricedan.com
horse-mails.net
hotsuperfilms.com
infomashe.com
instotsvin.ru
isightbiowares.su
joyrideengend.net
kolopeto.net
lights-awake.net
loreddiverting.su
macache.net
maxichip.com
micnetwork100.com
mobile-unlocked.net
mssoft.in.net
multiachprocessor.com
myaxioms.com
nacha.org.smscente.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
ollerblogging.net
ordersdeluxe.com
outcastii.com
oversearadios.net
pardus-wiki.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
smartsecureconnect.com
smscente.net
softwareup.pw
spottingculde.com
stjamesang.net
techno-arena.net
thefastor.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.ejanormalteene250.com
www.fdic.gov.horse-mails.net
www.gjoonalitikeer310.com
www.nacha.org.demuronline.net
www.nacha.org.smscente.net



Tuesday 17 September 2013

Malware sites to block 17/9/13

This set of malicious IPs and domains is associate with this gang, and the list replaces the last one published here.

24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
83.148.208.151 (Salon Seudun Puhelin Oy, Finland)
84.52.66.244 (West Call Ltd, Russia)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
112.124.55.133 (Hangzhou Alibaba Advertising Co.,Ltd., China)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
119.78.243.74 (CSTNET, China)
125.20.14.222 (Price Water House Cooperation, India)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
153.127.243.80 (Kagoya Japan Corporation, Japan)
159.226.51.161 (CSTNET, China)
172.245.62.181 (Colocrossing, US)
173.230.130.69 (Linode, US)
174.142.186.89 (iWeb Technologies, Canada)
178.33.132.103 (OVH, France)
178.239.180.211 (Enter S.r.l., Italy)
184.82.233.29 (Network Operations Center, US)
185.19.95.170 (TTNETDC, Turkey)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
192.210.198.198 (Valley Host, US)
192.237.186.71 (Rackspace, US)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.180.134.20 (Suddenlink Communications, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
212.169.49.234 (Claranet, UK)
216.218.208.55 (Hurricane Electric, US)
220.68.231.30 (Hansei University, Korea)
223.30.27.251 (Sify Limited, India)

Blocklist:
24.173.170.230
32.64.143.79
37.153.192.72
42.121.84.12
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
66.230.163.86
66.230.190.249
77.123.54.28
83.148.208.151
84.52.66.244
95.87.1.19
95.111.32.249
103.20.166.67
112.124.55.133
115.78.233.220
115.160.146.142
119.78.243.74
125.20.14.222
141.20.102.73
153.127.243.80
159.226.51.161
172.245.62.181
173.230.130.69
174.142.186.89
178.33.132.103
178.239.180.211
184.82.233.29
185.19.95.170
186.251.180.205
187.60.172.18
192.210.198.198
192.237.186.71
194.158.4.42
198.71.90.239
208.52.185.178
208.180.134.20
211.71.99.66
212.169.49.234
216.218.208.55
220.68.231.30
223.30.27.251
achrezervations.com
aconsturcioneoftherive677.net
airfare-ticketscheap.com
aristonmontecarlo.net
berylhowell.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
clothestaxact.com
consistingsec.net
crovliivseoslniepodmore83.net
crovniedelamjdusaboye73.net
crovvirnskieertater55.net
deepsealinks.com
demuronline.net
diggingentert.com
dotier.net
dulethcentury.net
ehnihjrkenpj.ru
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
ermiarmirovanieyye46.net
ermitajnierisunkiane45.net
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
fiscdp.com.airfare-ticketscheap.com
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germoshanyofthesity72.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
grannyhair.ru
gromovierashodyna73.net
gstarstats.ru
hdmltextvoice.net
higherpricedan.com
imagoindia.net
infomashe.com
irs.gov.successsaturday.net
isightbiowares.su
joyrideengend.net
kneeslapperz.net
lacave-enlignes.com
lights-awake.net
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mirrorsupply.com
mobile-unlocked.net
multiachprocessor.com
myaxioms.com
nacha.org.samsung-galaxy-games.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
onsayoga.net
ordersdeluxe.com
oversearadios.net
perkindomname.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
samsung-galaxy-games.net
smartolen.com
smartsecureconnect.com
softwareup.pw
spottingculde.com
stjamesang.net
successsaturday.net
taltondark.net
theamberroomct.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vineostat.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net



Tuesday 30 July 2013

Malware sites to block 30/7/13

These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.

5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
50.97.253.162 (Softlayer Networks, US / ucvhost.com, India)
54.225.124.116 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
68.174.239.70 (Time Warner Cable, US)
69.60.115.92 (Colopronto, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork, Czech Republic)
88.150.191.194 (Redstation, UK)
89.145.185.121 (Yeni Telekom Internet Hizmetleri, Turkey)
89.163.170.134 (Unitedcolo, Germany)
91.200.13.16 (SKS-Lugan, Ukraine)
91.210.189.157 (Eqvia LLC, Ukraine)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan EAD, Bulgaria)
108.170.32.179 (Secured Servers, US / tudohost, Spain)
109.123.125.68 (UK2.NET, UK)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
120.124.132.123 (TANET, Taiwan)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
162.209.80.221 (Rackspace, US)
166.78.124.4 (Rackspace, US)
182.72.216.173 (Cusdelight Consultancy SE, India)
185.4.252.124 (Eaglenet, Lebanon)
185.10.200.89 (GBServers Ltd, UK)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.162.100.225 (MediaServicePlus Ltd, Russia)
192.162.102.225 (MediaServicePlus Ltd, Russia)
193.105.210.211 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.239.242.83 (TRN Telecom, Russia)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu Inc, US)
202.197.127.42 (CERNET, China)
208.115.114.68 (Wowrack, US)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
209.222.67.251 (Razor Inc, US)
211.224.204.141 (Korea Telecom, Korea)

Recommended blocklist:
5.175.191.106
5.175.191.124
24.173.170.230
24.188.19.227
41.196.17.252
46.246.41.68
50.97.253.160/27
54.225.124.116
59.124.33.215
59.160.69.74
68.174.239.70
69.60.115.92
75.147.133.49
78.47.248.101
88.86.100.2
88.150.191.194
89.145.185.121
89.163.170.134
91.200.13.0/24
91.210.189.157
95.87.1.19
95.111.32.249
108.170.32.176/29
109.123.125.68
114.112.172.34
120.124.132.123
122.128.109.46
162.209.80.221
166.78.124.4
182.72.216.173
185.4.252.124
185.10.200.89
188.132.213.115
190.85.249.159
192.162.100.225
192.162.102.225
193.105.210.0/24
193.239.242.83
196.1.95.44
198.61.213.12
198.98.102.165
202.197.127.42
208.115.114.68
208.115.237.88
209.222.67.251
211.224.204.141
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
acehheadline.net
aldenizturizm.com
allgstat.ru
annot.pl
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
aurakeep.net
beachfiretald.com
bebomsn.net
blindsay-law.net
bnamecorni.com
boats-sale.net
buffalonyroofers.net
businessdocu.net
businessua.com
buycushion.net
casinocnn.net
cbstechcorp.net
centow.ru
chromeupd.pw
cirriantisationsansidd79.net
condaleunvjdlp55.net
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu37.net
condalnua745746.ru
condrskajaumaksa66.net
crossplatformcons.com
doorandstoned.com
dulethcentury.net
duzybiust.net
ehnihjrkenpj.ru
eliroots.ru
erminwanbuernantion20.net
ermitirationifyouwau30.net
evenyouseemeinmin49.net
explicitlyred.com
facebook.com.n.find-friends.oncologistoncology.net
firerice.com
foremostorgand.su
fulty.net
generationpasswaua40.net
goingtothestreetofive59.net
gormoshkeniation68.net
gotoraininthecharefare88.net
greenleaf-investment.net
gromovieotvodidiejj40.net
hdmltextvoice.net
heidipinks.com
hotkoyou.net
housesales.pl
independinsy.net
info-for-health.net
jessesautobody.net
jonkrut.ru
kennebunkauto.net
klermont.net
klwines.com.order.complete.prysmm.net
kneeslapperz.net
linkedin.com.e.v2.kennebunkauto.net
links.emails.bmwusa.com.open.pagebuoy.net
locavoresfood.net
lsstats.ru
made-bali.net
medusascream.net
metanoiaonline.com
microsoftnotification.net
mifiesta.ru
mobile-unlocked.net
modshows.net
moonopenomy.com
motobrio.net
neplohsec.com
ns3.ozyurtdesign.com
ns4.ozyurtdesign.com
nvufvwieg.com
oncologistoncology.net
onemessage.verizonwireless.com.verizonwirelessreports.com
ontria.ru
organizerrescui.pl
oydahrenlitu346357.ru
pagebuoy.net
paypal.com.us.planetherl.net
playtimepixelating.su
prgpowertoolse.su
privat-tor-service.com
prothericsplk.com
prysmm.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
relectsdispla.net
renouveaugatinois.com
saberig.net
sai-uka-sai.com
scourswarriors.su
secureprotection5.com
sendkick.com
sensetegej100.com
sludgekeychai.net
templateswell.net
thegalaxyatwork.com
thosetemperat.net
thybrothers.net
tintencenter.net
tor-connect-secure.com
tvblips.net
u-janusa.net
usergateproxy.net
verizonwirelessreports.com
viperlair.net
vip-proxy-to-tor.com
vitans.net
vivendacalangute.net
whitegocteenviet.com
wow-included.com
zestrecommend.com
zinvolarstikel.com
zukkoholsresv.pl

Wednesday 12 June 2013

Malware sites to block 12/6/13

This is a refresh of this list of domains and IPs controlled by what I call the "Amerika" gang, and it follows on from this BBB spam run earlier. Note that IPs included in this list show recent malicious activity, but it could be that they have now been fixed. I also noticed that a couple of the domains may have been sinkholed, but it will do you no harm to block them anyway.

Hosts involved:
5.175.157.110 (GHOSTnet, Germany)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal Communication Tech. Co., China)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
46.165.248.117 (Leaseweb, Germany)
49.212.221.29 (Sakura Internet Inc., Japan)
50.56.216.124 (Rackspace, US)
50.57.166.222 (Slicehost, US)
59.42.10.172 (Guangdong Tuosi Software Science Garden, China)
67.159.12.94 (FDCservers, US)
67.202.109.141 (Steadfast Networks, US)
67.215.2.251 (Colo-Serv Communications, Canada)
77.237.190.22 (Parsun Network Solutions, Iran)
81.252.120.250 (Collectivit Locale , France)
83.136.249.108 (Sigmatic Oy, Finland)
85.17.178.56 (Leaseweb, Netherlands)
85.26.31.60 (Brutele SC, Belgium)
85.201.12.244 (Brutele SC, Belgium)
86.84.0.11 (Planet Technologies, Netherlands)
88.80.222.73 (Alfahosting, Germany)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
95.143.41.16 (Inline Internet / VPS4less, Germany)
95.170.95.142 (TransIP, Netherlands)
109.95.23.4 (Kvartal Plus Ltd, Russia)
109.129.225.68 (Belgacom / Skynet, Belgium)
110.78.147.173 (CAT Telecom, Thailand)
111.93.156.171 (Tata Teleservices, India)
112.170.169.56 (Korea Telecom, Korea)
114.4.27.219 (IDIA Kantor Arsip MKS, Indonesia)
116.3.3.200 (China Unicom, China)
119.147.137.31 (China Telecom, China)
141.28.126.201 (Hochschule Furtwangen, Germany)
143.107.220.160 (Universidade De Sao Paulo, Brazil)
151.1.224.118 (ITnet, Italy)
159.90.91.179 (Universidad Simon Bolivar, Venezuela)
159.253.18.253 (FastVPS, Estonia)
160.75.169.49 (Istanbul Technical University, Turkey)
164.77.149.237 (Isapre Banmedica, Chile)
172.8.24.9 (Angela Curtolo DBA / AT&T, US)
172.246.16.27 (Enzu Inc, US)
177.84.128.54 (Informática Ltda, Brazil)
177.86.131.18 (Prime Telecomunicacoes Ltda, Brazil)
177.124.195.202 (Mundivox Do Brasil Ltda, Brazil)
178.16.216.66 (Gabrielson Invest AB, Sweden)
181.52.237.17 (Telmex, Colombia)
183.82.221.13 (Hitech / Beam Telecom, India)
184.82.115.37 (HostNOC, US)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
187.33.48.12 (GTi Telecomunicacoes Ltda, Brazil)
190.93.23.10 (Greendot, Trinidad and Tobago)
192.64.80.143 (Interserver, US)
192.210.216.90 (ColoCrossing, US)
193.254.231.51 (Universitatea Transilvania Brasov, Romania)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.199.93.55 (Digital Ocean, US)
200.3.153.91 (Pontificia Universidad Javeriana, Colombia)
200.87.177.124 (EntelNet, Bolivia)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
202.29.242.249 (UniNet, Thailand)
202.31.139.173 (Kum Oh National University Of Technology, Korea)
203.64.69.52 (Taiwan Academic Network, Taiwan)
203.157.216.77 (Information Technology Office, Thailand)
208.68.36.11 (Digital Ocean, US)
210.42.103.141 (Wuhan Urban Construction Institute, China)
213.74.79.236 (Superonline, Turkey)
216.172.102.230 (EBL Global Networks, US)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Plain IPlist for copy-and-pasting:
5.175.157.110
41.89.6.179
42.62.29.4
46.18.160.86
46.165.248.117
49.212.221.29
50.56.216.124
50.57.166.222
59.42.10.172
67.159.12.94
67.202.109.141
67.215.2.251
77.237.190.22
81.252.120.250
83.136.249.108
85.17.178.56
85.26.31.60
85.201.12.244
86.84.0.11
88.80.222.73
93.89.235.13
95.143.41.16
95.170.95.142
109.95.23.4
109.129.225.68
110.78.147.173
111.93.156.171
112.170.169.56
114.4.27.219
116.3.3.200
119.147.137.31
141.28.126.201
143.107.220.160
151.1.224.118
159.90.91.179
159.253.18.253
160.75.169.49
164.77.149.237
172.8.24.9
172.246.16.27
177.84.128.54
177.86.131.18
177.124.195.202
178.16.216.66
181.52.237.17
183.82.221.13
184.82.115.37
186.215.126.52
188.32.153.31
187.33.48.12
190.93.23.10
192.64.80.143
192.210.216.90
193.254.231.51
196.1.95.44
198.199.93.55
200.3.153.91
200.87.177.124
201.65.23.153
202.29.242.249
202.31.139.173
203.64.69.52
203.157.216.77
208.68.36.11
210.42.103.141
213.74.79.236
216.172.102.230
217.174.211.1
222.200.187.83

Identified malicious domains:
abacs.pl
autotradeguide.net
avastsurveyor.com
balckanweb.com
biati.net
bnamecorni.com
businessdocu.net
buyparrots.net
citysubway.net
cocainism.net
condalinarad72234652.ru
condalinneuwu5.ru
condalinra2735.ru
condalnuas34637.ru
condalnuashyochetto.ru
cunitarsiksepj.ru
diodmobilered.com
docudat.ru
ehchernomorskihu.ru
eheranskietpj.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
enway.pl
ergopets.com
fastkrug.ru
federal-credit-union.com
freemart.pl
freenico.net
genown.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
gnunirotniviepj.ru
gondatskenbiehu.ru
gstoryofmygame.ru
haicut.com
hiddenhacks.com
historuronded.com
icensol.net
ingrestrained.com
inutesnetworks.su
janefgort.net
jetaqua.com
kirki.pl
klosotro9.net
lorganizedcue.com
ludena.ru
mantuma.pl
marvelfilms.net
mortolkr4.com
mslatearrival.com
multipliedfor.com
myhispress.com
nipiel.com
nvufvwieg.com
onlinedatingblueprint.net
otoperhone.com
oydahrenlitutskazata.ru
ozonatorz.com
pleak.pl
pnpnews.net
privat-tor-service.com
proxy-tor-service.com
relectsdispla.com
relectsdispla.net
reportingglan.com
safe-browser.biz
safe-time.net
salesplaytime.net
secondfiddleu.com
securepro7.ru
shopkeepersne.net
sludgekeychai.net
smartsecurityapp2013.com
smurfberrieswd.su
sngroup.pl
solarmiracles.net
techno5room.ru
televisionhunter.com
testerpro5.ru
thinkindi.net
tor-connect-secure.com
trleaart.net
twinkniche.net
twintrade.net
ukbarbers.net
unixawards.net
usergateproxy.net
usforclosedhomes.net
vip-proxy-to-tor.com
well-tailored.net
wmlawoffice.net
yelpwapphoned.com

Friday 7 June 2013

BBB spam / pnpnews.net

This fake BBB spam leads to malware on pnpnews.net:

From: Better Business Bureau [mailto:standoffzwk68@clients.bbb.com]
Sent: 07 June 2013 15:08
Subject: BBB information regarding your customer's pretension No. 00167486

Better Business Bureau ©
Start With Trust ©
Fri, 7 Jun 2013
RE: Complaint No. 00167486
[redacted]
The Better Business Bureau has been entered the above said grievance from one of your users in regard to their business relations with you. The information about the consumer's trouble are available visiting a link below. Please pay attention to this matter and notify us about your sight as soon as possible.
We kindly ask you to overview the CLAIM LETTER REPORT to meet on this claim.
We awaits to your prompt answer.
Faithfully yours
Jonathan Edwards
Dispute Advisor
Better Business Bureau
________________________________________
________________________________________
Better Business Bureau
3093  Wilson Blvd, Suite 600   Arlington, VA 29701
Phone: 1 (703) 276.0100  Fax: 1 (703) 525.8277
 
This letter was delivered to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The link in the email goes through a legitimate hacked site and then to a payload at [donotclick]pnpnews.net/news/readers-sections.php (report here) hosted on:

46.18.160.86 - Saudi Electronic Info Exchange Company (Tabadul) JSC
93.89.235.13 - FBS Bilisim Cozumleri, Cyprus
178.16.216.66 - Gabrielson Invest AB, Sweden
186.215.126.52 - Global Village Telecom, Brazil
190.93.23.10 - Greendot, Trinidad and Tobago

Blocklist:
46.18.160.86
93.89.235.13
178.16.216.66
186.215.126.52
190.93.23.10
abacs.pl
balckanweb.com
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
giwmmasnieuhe.ru
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
janefgort.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
pnpnews.net
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net


Monday 29 April 2013

"Requested Reset of Yoyr PayPal Password" spam / frustrationpostcards.biz

This fake PayPal spam leads to malware on frustrationpostcards.biz:

 Date:      Mon, 29 Apr 2013 13:22:03 -0500
From:      "service@paypalmail.com" [chichisaq0@emlreq.paypalmail.com]
Subject:      Requested Reset of Yoyr PayPal Password
  
Your account will stay on hold untill password reset.
How to reset your PayPal password

Hello [redacted],

To get back into your PayPal account, you'll have to create a new password.

It's easy:

    Click the link below to open a secure browser window.
    Confirm that you're the owner of the account, and then follow the instructions.

  Reset your password now

If you didn't requested help with your password, let us know immediately. Reporting it is important because it helps us prevent fraudsters from stealing your information.

  
Help Center | Security Center

Please don't reply to this email. It'll just confuse the computer that sent it and you won't get a response.

Copyright © 2013 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95132.

PayPal Email ID 2A7X1
The link goes through a legitimate but hacked site to land on a malicious payload at [donotclick]frustrationpostcards.biz/news/institutions-trusted.php (report here) hosted on the following IPs:

82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)


TheWHOIS details identify this domain as belonging to the Amerika gang:

Registrant ID:                          INTEGOY3JBV8IIHG
Registrant Name:                        Shouli Cowper
Registrant Address1:                    40 W 17th St
Registrant City:                        New York
Registrant Postal Code:                 10011
Registrant Country:                     United States
Registrant Country Code:                US
Registrant Phone Number:                +1.4682697453
Registrant Email:                       shouli_cowper563@bikeracer.com

 
Blocklist:
82.236.38.147
83.212.110.172
130.239.163.24
app-smart-system.com
contonskovkiys.ru
curilkofskie.ru
egetraktovony.ru
exrexycheck.ru
fenvid.com
frustrationpostcards.biz
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
miniscule.pl
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
priorityclub.pl
smartsecurity-app.com
zonebar.net

Wednesday 24 April 2013

"New Secure Message" spam / pricesgettos.info

This spam leads to malware on pricesgettos.info:

Date:      Wed, 24 Apr 2013 16:41:50 +0100 [11:41:50 EDT]
From:      Cooper.Anderson@csiweb.com
Subject:      New Secure Message Received from Cooper.Anderson@csiweb.com

New Secure Message
Respective [redacted],

You have received a new secure message from Cooper.Anderson@csiweb.com.

If you are using the Secure Message Plugin in Lotus Notes this message will be in your SecureMessages Inbox.

If you are NOT using the Secure Message Plugin, you are able to view it by clicking https://www.csiweb.com/5890424-13QZUR797870/?inbox_idf3795430A7NO9 to retrieve your secure message or to begin using the convenient Lotus Notes Plugin.


Sincerely Yours,

CSIe
The link displayed in the email is fake and actually goes to a legitimate (but hacked) site and is then forwarded to the Blackhole payload site at [donotclick]pricesgettos.info/news/done-heavy_hall_meant.php (report here) hosted on the following IPs:

1.235.183.241 (SK Broadband, Korea)
130.239.163.24 (Umea University, Sweden)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
203.64.101.145 (Taiwan Academic Network, Taiwan)

Blocklist:
1.235.183.241
130.239.163.24
155.239.247.247
202.31.139.173
203.64.101.145
airtrantran.com
antidoterskief.net
app-smartsystem.com
app-smart-system.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
docudat.ru
dyntic.com
egetraktovony.ru
excuticoble.ru
exrexycheck.ru
fenvid.com
freedblacks.net
gangrenablin.ru
gatareykahera.ru
independinsy.net
janefgort.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
mortolkr4.com
peertag.com
pricesgettos.info
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net



Friday 26 October 2012

ADP Spam / steamedboasting.info

This fake ADP spam leads to malware on steamedboasting.info:

From: ClientService@adp.com [mailto:ClientService@adp.com]
Sent: 26 October 2012 12:03
Subject: ADP Instant Notification


ADP Urgent Warning
Reference #: 31344
Dear ADP Client October, 25 2012
Your Transfer Summary(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please take a look at the following information:
• Please note that your bank account will be charged within 1 banking day for the amount(s) specified on the Statement(s).
•Please DO NOT reply to this message. automative notification system cannot accept incoming messages. Please Contact your ADP Benefits Specialist.
This note was sent to existing users in your company that approach ADP Netsecure.
As always, thank you for choosing ADP as your business companion!
Ref: 31344
The malicious payload is at [donotclick]steamedboasting.info/detects/burying_releases-degree.php, the initial redirection page has some Cloudflare elements on it which is a bit disturbing. steamedboasting.info is hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden).

This is an alternative variant with the same malicious payload:


Date:      Fri, 26 Oct 2012 16:32:10 +0530
From:      "noreply@adp.com" [noreply@adp.com]
Subject:      ADP Prompt Communication


ADP Speedy Notification

Reference #: 27585

Dear ADP Client October, 25 2012

Your Transaction Statement(s) have been put onto the web site:

Web site link

Please see the following notes:

• Please note that your bank account will be charged-off within 1 banking business day for the amount(s) specified on the Protocol(s).

?Please do not reply to this message. automative notification system can't accept incoming mail. Please Contact your ADP Benefits Specialist.

This message was sent to operating users in your company that approach ADP Netsecure.

As always, thank you for choosing ADP as your business partner!

Ref: 27585 [redacted]



Monday 1 October 2012

Intuit Shipment spam / art-london.net

This terminally confused Intuit / USPS / Amazon-style spam leads to malware at art-london.net:


Date:      Mon, 1 Oct 2012 21:31:57 +0430
From:      "Intuit Customer Service" [battingiy760@clickz.com]
To:      [redacted]
Subject:      Intuit Shipment Confirmation

   

Dear [redacted],

Great News! Your order, ID859560, was shipped today (see info below) and will complete shortly. We hope that you will find that it exceeds your expectations. If you ordered not one products, we may send them in separate boxes (at no additional cost to you) to ensure the fastest possible delivery. We will also provide you with the ability to track your shipments via the information below.

Thank you for your interest.
   
    ORDER DETAILS    
    Order #: ID859560
Order Date: Sep 25, 2012

Item(s) In Your Order

Shipping Date: October, 1 2012
Shipping Method: USPS Express Mail
Estimated Delivery Date: October, 3 2012 - October 05, 2012
Tracking No.: 5182072894288348304217

Quantity     Item
1     Intuit Card Reader Device - Gray

Please be informed that shipping status details may be not available yet online. Check the Website Status link above for details update.

Shipment Information:

We sent your item(s) to the next address:

065 S Paolo Ave, App. 5A
S Maria, FL

Email: [redacted]   
       
       
       
    Questions about your order? Please visit Customer Service.

Return Policy and Instructions
   
       
       


Privacy | Legal Disclaimer | Contact Us | About

You have received this business note as part of our efforts to fulfill your request and service your account. You may receive more email notifications from us even if you have previously selected out of marketing notifications.



Please note: This email was sent from an automative notification system that not configured to accept incoming mail. Please don't reply to this message.



�2008-2012 Intuit Llc. or its affiliates. All rights reserved.
The malicious payload is at [donotclick]art-london.net/detects/stones-instruction_think.php  hosted on 195.198.124.60 (Skand Meteorologi och Miljoinstr AB, Sweden), a site which also hosts the presumably malicious domains buzziskin.net and  indice-acores.net. Presumably this IP is a hacked server belonging to some legitimate Swedish organisation, but you should block it nonetheless.

Tuesday 12 June 2012

partyysoon.info injection attack in progress

I haven't had much time to analyse this yet, but there seems to be some sort of injection attack using the domain partyysoon.info. It may be targeting sites in Sweden.

Malicious URLs (don't click these, obviously):
hxxp:||partyysoon.info/index.php
hxxp:||partyysoon.info/js_pa/F.class
hxxp:||partyysoon.info/Set.jar
hxxp:||gotchasworkspaces.in/duquduqu1/font.php
hxxp:||beards.christianmomsgetaways.com/index.php?p=b2e04035f7b91e43

These IPs and domains are all related to the attack:

5.10.65.142 (Spinor J Ltd / Ulrik Sjafalander, Sweden)
partyysoon.info
(Part of a small block of 5.10.65.136 - 5.10.65.143)

141.101.239.97 (Leadertelecom, Russia)
beards.christianmomsgetaways.com
volumea.offerscrate.com
wagea.hcop.com
sexof2a0b5.serveusers.com
sexo41e92f.serveusers.com
beds.fivedollarprogram.info
visitora.legitimatepaidsurveystips.info

69.65.42.35 (Gigenet, US)
gotchasworkspaces.in
kopachrats.info

Blocking access to these IPs might be prudent.