Some malware sites to block

These domains are associated with the Win32/FakeRean "Fake anti-virus" trojan, and are worth blocking.

Domain	IP
laxesepaweno.com	50.23.83.40
fugegewulevu.com	50.23.83.41
tepucazij.com	50.23.83.42
cuhucupivu.com	50.23.84.216
sirakapofeti.com	50.23.84.217
zenevakyfa.com	50.23.84.218
tuwynaropotit.com	50.23.193.236
cikipihigilani.com	50.23.193.237
pifajeniwyt.com	50.23.193.238
wumytaxuboly.com	50.23.200.56
tevisuwapucumu.com	76.73.85.251
jicylegavade.com	76.73.85.252
dolagomosu.com	85.17.239.191
bumucewafypevy.com	85.17.239.192
xaqygacatewuk.com	85.17.239.198
mysupigaqyme.com	173.193.196.178
zypomamuzosa.com	173.249.145.53
nylujusofo.com	173.249.145.54
qajivehucewupo.com	173.249.145.55
wyduzylys.com	174.36.220.136
vyqivaneh.com	174.36.220.136
litubibam.com	174.36.220.138
pykolujij.com	188.240.32.162
gyravatimak.com	188.240.32.163
dubacobimude.com	188.240.32.164
waliwetixybuk.com	204.45.41.82
tixirukemosa.com	204.45.41.83
sumuryvynuh.com	204.45.41.84
dazixydecamur.com
cadyfahirecyci.com
myfofeviqilo.com

The Comodo report for this bit of nastiness is here.

"Thank you for scheduling your online payment" email leads to malware

The spammers seem to be busy today, using an old trick of embedded a spam in a template lifted from a legitimate business. This particular one is from Chase bank in the US, they key "hook" they use to get people to click is:

Thank you for scheduling your recent credit card payment online. Your ($USD) $117.00 payment will post to your credit card account (CREDIT CARD) on 08/06/2010. 

This seems to be exactly the same attack as used here and here, although in this case the intermediate site had already been cleaned up and the malicious payload could not be delivered.

Best Buy "Thank You, Your Anti-Virus Protection Plan has been renewed" email leads to malware

To prove that the Bad Guys have a sense of humour at least, this fake email claims to be a renewal subscription for Webroot:

From: Best Buy Subscription Software [mailto:noresponse@softwaresubscription.bestbuy.com]
Sent: 06 August 2010 11:23
Subject: Thank You, Your Anti-Virus Protection Plan has been renewed

Dear [victim]

Your Webroot Spysweeper with AntiVirus Product Protection Plan has been successfully renewed and charged to the credit card you have on file with us. With this automatic renewal, you will continue to have uninterrupted anti-virus software protection on your PC for another year plus these great benefits:

òÀâ Best in Class Security Software
òÀâ No hassle automatic renewals makes sure that you will never go unprotected
òÀâ Receive all version updates free of charge
òÀâ Cancel at any time and received a refund for any unused months of protection
òÀâ Simple Customer Support, Call 1-888-BESTBUY with any questions

-------------------------------------------------------------
Here are the details of your renewed Protection Plan:
-------------------------------------------------------------
Product: Webroot Spysweeper with AntiVirus Product
Protection Plan: Annual
Best Buy Serial Number: WBR00AV000044180817
Transaction Date: 7/19/2010
Renewal Price: $43.54


If you have any questions about your protection plan or your recent renewal, please contact our Customer Support Team at 1-888-BESTBUY (1-888-237-8289), and ask for the Subscription Software Team.

Thank you again for your business, and being a Best Buy Customer.

Sincerely,

Best Buy Stores, L.P.

ddd

Payload and approach seem to be exactly the same as this one, with a Bredolab dropper. Again, it routes through yummyeyes.ru and you should look for the same log entries of .ru:8080 and /x.html to make sure you are clean.

In this case the intermediate step is a hacked site at peninsula.co.nz/x.html but it probably varies.

If you are not in the US, then blocking bestbuy.com at your mail perimeter will do no harm.

"Thanks for planning your event with Evite" mail leads to malware

This summary is not available. Please click here to view the post.

Welcome to "Joomla!" email links to malware

A variant on this malware-laden email, this particular approach pretends to be from Joomla and even goes as far as to fake some of the headers to avoid detection.

From: no_reply_forum@joomla.org [mailto:no_reply_forum@joomla.org]
Sent: 26 July 2010 15:57
Subject: Welcome to "Joomla!"

Welcome to Joomla! forums

Please keep this e-mail for your records. Your account information is as
follows:

----------------------------
Username: haymixer

Board URL: http://cambridge-narrows.ca/
----------------------------

Please visit the following link in order to activate your account:

http://cambridge-narrows.ca/

Your password has been securely stored in our database and cannot be
retrieved. In the event that it is forgotten, you will be able to reset it
using the email address associated with your account.

Thank you for registering.

--
Thanks,
Joomla! Community Forum

cambridge-narrows.ca has been compromised and attempts to load malware from cambridge-narrows.ca/adobe_flash_install.exe

The infected page then also tries to load from thewatches-discount.com:8080/index.php?pid=10 and thecoca-colacompany.com/images/noflash_singlevideo.gif (yes, it really is The Coca-Cola Company).

thewatches-discount.com is multihomed on:
Addresses:  84.16.230.27 [Netdirekt, Germany], 87.106.179.206 [1&1, Germany], 91.121.162.65 [OVH, France], 94.23.224.221 [OVH, France] and 62.212.132.226 [Xenosite, Netherlands]. This gives us a whole batch of dodgy looking sites worth blocking:

84.16.230.27
Applecorn.com
Areadrum.com
Bittag.ru
Blackpr.biz
Bookdisk.ru
Boozelight.ru
Busyspade.com
Chertenok.name
Galneed.ru
Galslime.com
Gigasofa.com
Hillchart.com
Horsedoctor.ru
Jarpub.ru
Lockerz-invite.ru
Marketholiday.ru
Oilrule.ru
Pressurespa.ru
Problemdollars.ru
Raceobject.ru
Roundstorm.com
Sadute.com
Sheepbody.com
Spacememory.ru
Tanspice.com
Tanyear.com
Technaxx.pl
Technaxx.ru
Thecheapviagra.com
Themysite.net
Theviagrapills.com
Tightsales.com
Validplan.com
Waxyblock.com
Yaktrack.ru

87.106.179.206
Ballanteam.com
Splatspa.com
Valbou.com

91.121.162.65
Aionitalian.net
Aionitalian.org
Ashsoftware.ru
Bakedship.ru
Hugejar.com
Inktime.ru
Momhand.ru
Politicalpoets.ru
Taxshelf.ru
Yoursoap.ru
Ashdog.ru
Cornerrat.ru
Mondayring.ru
Relaxedgrape.ru
Warydrunk.ru

62.212.132.226
Bail.nl
Bigeventsbooker.nl
Bouwinkopen.nl
Buyviagraworld.com
Cafemack.com
Cvens.nl
Dateforbusiness.nl
Dealyak.ru
Dekroonvanemmeloord.nl
Diamonddoctor.ru
Directorschaircompany.com
Drunkjeans.com
Earlymale.com
Eventdirectory.nl
Famerule.ru
Familywater.ru
Flevoland-weddingevent.nl
Forum4events.com
Forum4events.nl
Hollandgaatuit.com
Kroonvanemmeloord.nl
Lasteye.com
Liplead.ru
Manamina.nl
Nibourgproductions.nl
Outerrush.com
Prominent-vastgoed.nl
Realgg.nl
Sexysushi.nl
Silencepill.ru
Silencewindow.ru
Sisterqueen.ru
Slaveday.ru
Superjoke.nl
Tintie.ru
Tipbear.ru
Treecorn.ru
Urkinwintersferen.nl
Urkopdeplanken.nl
Vandijk-ict.eu
Zooneed.ru

The other sites on 94.23.224.221 seem to be legitimate.

Sunbelt has a write-up of the last attack with some analysis here.

"Thank you for registering with ImageShack." mail leads to virus

A fairly crude attempt to get clickthroughs to a virus infected site:

From: ImageShack Registration <noreply@yfrog.com>
Date: 23 July 2010 15:46
Subject: Thank you for registering with ImageShack.
   
---------------------------------------------------
Thank you for registering with ImageShack.
---------------------------------------------------

Your username: confidingjc
Your password: 09088066
Your registration link: http://financial-independence.co.za/

Please read this email carefully, it contains important information about your ImageShack account.

Please do not reply to this email, this mailbox is not checked. To report problems use support section of the web site.

---------------------------------------------------
HOW DO I LOGIN?
---------------------------------------------------

Click the 'Login' button located at the top of ImageShack pages in order to login.
Type here your username and password located in this email.

Once you are logged in, you will be presented with your Image Panel.


---------------------------------------------------
HOW CAN I CHANGE MY PASSWORD?
---------------------------------------------------

If you want to change your password, use the following link:
http://financial-independence.co.za/
If you have forgot your password, use the following link:
http://financial-independence.co.za/

---------------------------------------------------
HOMEPAGE
---------------------------------------------------

Your friends can access your public images and slideshows at http://financial-independence.co.za/

---------------------------------------------------
COMMON QUESTIONS
---------------------------------------------------
Answers to common questions: http://financial-independence.co.za/

Sincerely,
The ImageShack Team

financial-independence.co.za might well be a hijacked site, it's hard to tell who owns it as the .CO.ZA WHOIS server isn't working. The site is hosted at 207.45.186.34 [Acenet Inc, Michigan]

This leads to a fake Adobe Flash installed (adobe_flash_install.exe) and an exploit site on diamonddoctor.ru:8080 which does some other nasties. diamonddoctor.ru has minimal WHOIS details:

domain:     DIAMONDDOCTOR.RU
nserver:    ns1.dnsofthost.com.
nserver:    ns2.dnsofthost.com.
nserver:    ns3.dnsofthost.com.
nserver:    ns4.dnsofthost.com.
state:      REGISTERED, DELEGATED, VERIFIED
person:     Private Person
phone:      +7 495 7284001
e-mail:     hop@fastermail.ru
registrar:  NAUNET-REG-RIPN
created:    2010.07.13
paid-till:  2011.07.13
source:     TCI

It's no real suprise to see that it is hosted by Netdirekt on  84.16.230.27, along with these other sites which are good candidates to block:

Blackpr.biz
Chertenok.name
Lockerz-invite.ru
Nemerova.name
Technaxx.pl
Technaxx.ru
Tequieroputa.net
Themysite.net

Of note is that again we're seeing support services going through the dnsofthost.com domain that seems to be only used by the bad guys.

Administrator:
  Dmitriy Ilin depot@infotorrent.ru +7.8127047272
  Dmitriy Ilin
  Yuriya Gagarina pr-kt d.24-1 lit.A
  Sankt-Peterburg,Sankt-Peterburg,RUSSIAN FEDERATION 196211

infotorrent.ru seems to be pretty common to this kind of malware attack.

Anyway, a quick fix for corporate administrators is to block messages with "Thank you for registering with ImageShack." for the time being.

Added: forsight.com.au is also a domain being used in the attack, looks to be another hijacked legitimate domain.

Evil network: AS29106 (91.213.174.0/24) / VOLGAHOST

This summary is not available. Please click here to view the post.

Evil network: AS49544 (195.78.108.0/23) / GlobalRouting.eu

AS49544 is a network with IP addresses ranging from 195.78.108.1 - 195.78.109.255 which claims to be in the Netherlands, but may actually be in the Ukraine. The WHOIS details for the range are suspect as they refer to a domain globalrouting.eu which actually appears to be a legitimate weather forecasting service. Everything about the domain registration details smells of a hijack.. I would strongly suggest that contacting ipadmin@globalrouting.eu would be counter-productive in this instance, it may even be dangerous.

Out of the /23 there seem to be exactly zero legitimate sites, many of them are involved in malware distribution. It is probably worth blocking the entire IP address range. Google's safe browsing diagnostic for the AS is damning:

What happened when Google visited sites hosted on this network?

Of the 4157 site(s) we tested on this network over the past 90 days, 96 site(s), including, for example, stimulus.nu/, turisticki-aranzmani.com/, webconsulenti.net/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2010-07-05, and the last time suspicious content was found was on 2010-07-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 73 site(s) on this network, including, for example, skottles.com/, baidustatz.com/, pinalbal.com/, that appeared to function as intermediaries for the infection of 9529 other site(s) including, for example, managerz.nl/, 189ppc.com/, czonline.net/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 182 site(s), including, for example, convart.com/, skottles.com/, augami.net/, that infected 11610 other site(s), including, for example, managerz.nl/, forosdz.com/, 189ppc.com/.

The suspect WHOIS details for the range are:

inetnum:        195.78.108.0 - 195.78.109.255
netname:        GlobalRouting-NL-NET
mnt-routes:     SERVERBOOST-MNT
remarks:        Global Routing
remarks:        i3d rotterdam route
remarks:        for abuse please contact ipadmin@globalrouting.eu
org:            ORG-POIS1-RIPE
country:        EU
admin-c:        greu
tech-c:         greu
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         globalrouting
mnt-lower:      RIPE-NCC-END-MNT
mnt-routes:     globalrouting
mnt-domains:    globalrouting
source:         RIPE # Filtered
descr:          PI Obodovsky Ivan Sergeevich

organisation:   ORG-POIS1-RIPE
org-name:       Global Routing
org-type:       OTHER
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
e-mail:         ipadmin@globalrouting.eu
mnt-ref:        globalrouting
mnt-by:         globalrouting
source:         RIPE # Filtered

role:           GlobalRouting contact role
address:        Piet Paaltjensplein 70, 3030 TZ Rotterdam, The Netherlands
mnt-by:         globalrouting
e-mail:         ipadmin@globalrouting.eu
admin-c:        rkgr
tech-c:         rkgr
nic-hdl:        greu
source:         RIPE # Filtered

route:          195.78.108.0/23
descr:          GLOBALROUTING
origin:         AS49544
mnt-by:         SERVERBOOST-MNT
source:         RIPE # Filtered

Sites hosted on the range include:

8porn-tube-free.info
All-tube-porn.biz
All-tube-porn.com
All-tube-porn.info
All-tube-porn.net
All-tube-porn.org
Free-checker-spyware.com
Free-checker-spyware.net
Free-checker-spyware.org
Free-download-host.info
Free-porn-tube8.biz
Free-spyware-checker.biz
Free-tube-adult.com
Free-tube-porn.net
Hot-porn-online.com
Hot-porn-tube.biz
Hot-porn-tube.info
Hot-porn-tube.net
Hot-porn-tube.org
Hot-tube-porn.com
Jeasoftware.info
My-adult-tube.com
My-free-tube.com
Now-download-host.com
Now-download-host.info
Now-download-host.net
Now-download-host.org
Now-download-hosting.biz
Now-download-hosting.com
Now-download-hosting.info
Now-download-hosting.net
Now-download-hosting.org
Online-porn-tube.com
Online-tube-porn.com
Pohsoft.info
Porn-tube-adult.com
Porn-tube-free.com
Porn-tube-free.info
Porn-tube-free.net
Porn-tube-free.org
Porn-tube8-free.biz
Porn-tube8-free.com
Porn-tube8-free.info
Porn-tube8-free.net
Porn-tube8-free.org
Retdownload.info
Riupdate.info
Spyware-checker.org
Spyware-free-checker.biz
Spyware-free-checker.com
Spyware-free-checker.info
Spyware-free-checker.net
Spyware-free-checker.org
Tmclean.info
Turboshare.biz
Goodelizrl.info
Kenyeiiaiqmyrick.info
Ligiaglrrandi.info
Milionarybook.info
Mynewgf.biz
Newgetpayday.com
Nyrmurrayriaci.info
Peierqqvangelena.info
Shopiping.com
Thissdomainwassoldd.com
Enrierrarell.info
Ath8net.com
Messorg.com
Adskape.biz
Adskape.com
Adskape.info
Adskape.net
Adskape.ru
Iner.kz
Misa.kz
Zragore.info
Afran.org
Augami.net
Otilard.com
Btgwert.net
Download-host-free.biz
Download-host-free.com
Download-host-free.org
Download-host-now.biz
Free-checker-malware.com
Free-checker-malware.net
Free-checker-malware.org
Free-checker-spyware.biz
Free-checker-spyware.info
Free-malware-checker.info
Free-malware-checker.net
Free-porn-tube8.info
Free-porn-tube8.net
Free-tube8-porn.com
Free-tube8-porn.info
Jkeowq.in
Kterot.in
Ktoewp.in
Kyjoer.in
Kypync.in
Kyuorr.in
Kyuwew.in
Leotpu.in
Lkctjo.in
Malware-checker-free.org
Malware-free-checker.com
Malware-free-checker.net
Malware-free-checker.org
Uwfjti.in
Myitunesclub.com
Mytunesclubs.com
Camption.com
Icpa-network.com
Matsion.com
Newitunesclub.com
Bogleanalytics.net
Pop-under.ru
Popunder.ru
4vodka.ru
Bastion.in
Bestgoldshow.com
Favarote.com
Freeodnoklassniki.info
Fullgsmcontrol.com
Goldsdirect.com
Homeinteriorview.com
Lastingviewestates.com
Mobiread.info
Myodnoklassniki.info
Odspy.com
Odspy.net
Odspy.org
Oknolens.info
Phonereader.ru
Proguard.in
Secretodnoklassniki.com
Sexsekret.com
Shpionodnoklassniki.com
Shpionvkontakte.com
Spy-odnoklassniki.com
Spy-vkontakte.com
Spyod.com
Spyvkontakte.info
Syserror.ru
Theodnoklassniki.info
V2kontakte.info
Viewbarworld.com
Vkontaktespy.info
Vkontaktus.ru
1000-ga.ru
1000-gektar.ru
1000g.ru
1001-ga.ru
1designs.ru
5vn.ru
B2b-site.ru
Chudomira.ru
Diplom-vam.ru
G1000.ru
Gek1000.ru
Gotovki77.ru
Hombrus.ru
Images-web.ru
Imagesweb.ru
Karkas-2900.ru
Karkas4dom.ru
Kredit-russia.info
Logvian.ru
M505.net
Mnogo-vakansii.ru
Mnogvak.ru
Netpost.su
Nsvp.ru
Prdomen.mobi
Prestiged.ru
Rabota-dlya-vas.ru
Royalmall.ru
Seminartut.ru
Uznaiseo.ru
Vam-pismo.su
Vip-osobnyak.ru
Yandex-top10.ru
Yandextop10.com
Z303.net
Liveinjamaika.info
Looking4reserve.com
Antivirus-on-line.net
Updates-online.net
Widnow-scanning-online.net
Golivnik.com
Ndnsgw.net
2u-panama.com
Big-push2010.com
Digitalway10.net
Drain-brain2.com
Foxcox555.com
Grainstudy.com
Kexpex123.com
Realdream4me.com
Admikasdom.com
Formgrabb.com
Kislota2010.com
Msmsmm.com
Noloader.com
Nowm32.com
Se-code.net
Secbanking.com
The-goodlike.com
Wstat.cn

Your best bet is to block the entire IP range and/or monitor for client traffic going to it.

Virus / Malware on Nokia.com / miisolutions.net

Nokia.com appears to have been compromised through a third-party script:


europe.nokia.com (e.g. hxxp:||europe.nokia.com/support/download-software/nokia-pc-suite) ->
nokia.tt.omtrdc.net ->
omniture-nokia.secure.miisolutions.net ->
oploya.fancountblogger.com:8080

Details on the general attack can be found here. It appears that miisolutions.net has had malicious code injected into the script, rather than it being Nokia.com itself that has been hacked.At the time of writing the malicious code is still present.

Update: the infected page at miisolutions.net has been taken down.

"IMPORTANT: Royal Mail Delivery Invoice #1092817" Virus / Trojan

The wording may vary, but this is a PDF exploit currently doing the rounds pretending to be from Royal Mail. Sophos, F-Secure and Avast detect it along with some other products (VT results here) but otherwise detection is patchy.

Subject: IMPORTANT: Royal Mail Delivery Invoice #1092817
From: "Royal Mail" <delivery@royalmail.com>
Date: Wed, April 14, 2010 11:28 am

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.

Attachments:
Royal_Mail_Delivery_Invoice_1092817.pdf

The bad PDF file looks like some sort of calendar, I have not yet been able to analyse exactly what sort of evil things it does.

If you still use Adobe Acrobat then you should make sure that you update to the latest version which is 9.3.2, or use an alternative like Sumatra.

zoombanner.com / YieldManager malvertisement on ebuddy.com

ebuddy.com is running a malicious ad on the zoombanner.com domain, apparently managed by Yieldmanager.

First, the "legitimate" end of the malware chain loads at ad.zoombanner.com/content?campaign=1171557&sz=6
This forwards to deliver.commismanderakis.com/rotate?m=2;b=6;c=1;z=585778
Which goes to content.fishpotboutademalled.com/track/3388182/S_IT?[snip]
Then img.commismanderakis.com/img?XAhIPWtICDkJX0FVHXUDKFoRYhYlRxFCNlsBGEhLBEtVdRdiCRYKBA8kKV9RHBEaXFJfXFMHAQ
Followed by the payload domain at jduvazuc.info/cgi-bin/dep
then jduvazuc.info/cgi-bin/dep/j006102Hd793447cR55e239b8T9cc338b5V0100f060203L69740000000000000000
then jduvazuc.info/cgi-bin/dep/o006102203317l0010Hd793447cR55e239b8T9cc338b6V0100f060
Finally jduvazuc.info/cgi-bin/dep/e006102203318l0010Hd793447cJ0d000601R55e239b8T9cc338a4U0ec2fc77V0100f0600

This last hop tries to load an executable (and probably some other crap I haven't spotted), not very well detected according to VirusTotal. Oh yes, there's a PDF exploit too.

The malicious ad is an Italian language vacation banner in this case.


Most of the domains have anonymous registration details, except zoombanner.com which has the same details that were used in the malicous ads featured here and here.

zoombanner.com

Registrant:
Domain Owner
15156 SW 5th
Scottsdale, Arizona 85260
United States

Domain Name: ZOOMBANNER.COM
Created on: 24-Jul-09
Expires on: 24-Jul-10
Last Updated on: 24-Jul-09

Administrative Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Technical Contact:
Owner, Domain trafficbuyer@gmail.com
15156 SW 5th
Scottsdale, Arizona 85260
United States
+1.8005551212 Fax --

Domain servers in listed order:
NS45.DOMAINCONTROL.COM
NS46.DOMAINCONTROL.COM

A search for the IP addresses show Linode is providing most of the infrastructure (again) with ezzi.net providing the payload server.

ad.zoombanner.com
69.164.215.205, 69.164.215.204 [Linode]

deliver.commismanderakis.com
74.207.232.205, 74.207.232.206, 74.207.232.248, 74.207.232.249, 74.207.232.250, 74.207.232.25, 74.207.232.30, 74.207.232.31, 74.207.232.35, 74.207.232.39, 74.207.232.202, 74.207.232.203 [Linode]

content.fishpotboutademalled.com
69.164.196.55 [Linode]

jduvazuc.info
216.150.79.74 [AccessIT / ezzi.net]

Incidentally, 69.164.196.55 also hosts a bunch of domains which are probably malicious:

• Aspoutceringlapham.com
• Baalcootymalachi.com
• Bangywhoaswaikiki.com
• Bertbleepedupsurge.com
• Bluegumgodfulfrowzly.com
• Bookletjigsawsenam.com
• Boursesdeployporomas.com
• Cabullacoexertstephen.com
• Camastuthbroomer.com
• Camocaexcidealaric.com
• Cursarophitkamass.com
• Dunnishbribesteen.com
• Dusaexsurgeenzed.com
• Eelfishminibusdaniel.com
• Enyopensilflux.com
• Fishpotboutademalled.com
• Galasynjingkoendoss.com
• Gombayuranidetripper.com
• Haileschoralephydra.com
• Haredjuvenalalkyds.com
• Hoofishsmutsdela.com
• Jigmenbrasschaves.com
• Jumnamontanodillon.com
• Limanadernaggly.com
• Malabarvoiotiahsln.com
• Mashlampeasewahima.com
• Miauwbustianraynold.com
• Mowewindsortejo.com
• Nahshufrosterpappus.com
• Negreetflurtagma.com
• Nitrotowelvidovic.com
• Oaterhabeasroyalet.com
• Ospswraxledfummel.com
• Oundycelticrecomb.com
• Pcdosbahnerdalea.com
• Pealedlupulicdunker.com
• Polarlyfoetiskart.com
• Potwareabipondeana.com
• Psatchargeehewart.com
• Puddyolderrippon.com
• Sallierdiaushawed.com
• Sarddieterchuted.com
• Scullogmooerslarking.com
• Siwardupttorntrib.com
• Skouthlazordurning.com
• Suttenbnetifla.com
• Tacomanheathsdisodic.com
• Temperabiceswayaka.com
• Teughlyhesperegerek.com
• Toterterrenobrasero.com
• Vaccarykakkakcaddoan.com
• Viperanmeatsoths.com
• Viznomyboohoorigs.com
• Voluntyseventechny.com
• Wartedbiterhunter.com
• Woodardvirgetoruli.com
• Yawybottlersuccahs.com
• Zirklehalavahhaunchy.com

I suspect that you probably wouldn't miss much by null-routing Linode completely at the moment.

More malvertisment domains

The malicious ads were running through (and I understand now terminated by) bootcampmedia.com, related to this post, according to commenter cerdo:

Blogger cerdo said...

bootcampmedia.com was also likely hosting a malicious campaign yesterday afternoon, and perhaps still ongoing. I'd contact you Jamie, but I don't have contact info for you. This all is clearly closely related to Dynamoo's post...

traffic.worldseescolor.com is an obvious bad actor. The other related domains:
deliver.bailagequinismregrow.com
img.bailagequinismregrow.com
content.cabullacoexertstephen.com

as well as:
aanserver88.com
bonnapet.com
afkenai.com
bfskul.com

14 January 2010 18:40

Blogger cerdo said...

Yep - saw traffic.worldseescolor.com via bootcamp again less than 30 minutes ago.

Related sites, accessed immediately after traffic.worldseescolor.com:

deliver.boaterdunnagechicot.com
img.boaterdunnagechicot.com

14 January 2010 18:45

Worth checking your logs for and blocking in case they turn up on another network. Checking IPs comes up with:

traffic.worldseescolor.com
69.164.215.208, 69.164.215.210, 69.164.215.205, 69.164.215.207, 69.164.215.204 [Linode]

deliver.bailagequinismregrow.com
74.207.232.205, 74.207.232.250, 74.207.232.249, 74.207.232.248, 74.207.232.203, 74.207.232.30, 74.207.232.206, 74.207.232.31, 74.207.232.39, 74.207.232.25, 74.207.232.202, 74.207.232.35 [Linode]

img.bailagequinismregrow.com
174.143.243.220, 98.129.238.102, 98.129.238.106, 98.129.236.239, 174.143.245.236, 98.129.237.14, 174.143.242.109, 174.143.243.90, 98.129.236.154, 98.129.238.101, 98.129.238.112, 98.129.236.254, 174.143.241.174, 98.129.238.105, 98.129.238.103, 174.143.243.162, 174.143.242.58, 98.129.238.99
[Slicehost / Rackspace]

content.cabullacoexertstephen.com
69.164.196.55 [Linode]

aanserver88.com
67.225.149.152 [Liquid Web]

bonnapet.com
Was 217.20.114.40 [Netdirekt / internetserviceteam.com] now appears to be down.

afkenai.com
195.2.253.93 [Madet Ltd, Moscow]

bfskul.com
195.2.253.93 [Madet Ltd, Moscow]

I don't have the full trace of these, so it's not exactly clear what these domains are doing in the reported chain.

More malicious OWA domains

In addition to these and these.

• yht30.net.pl
• yht36.com.pl
• yht37.com.pl
• yht38.com.pl
• yht39.net.pl
• yht3e.net.pl
• yht3q.net.pl
• yht3r.pl
• yht3t.pl
• yht3w.net.pl

Convincing look OWA fake leads to PDF exploit

There are getting spammed out at the moment:

From: automailer@blahblah.blah [mailto:automailer@blahblah.blah]
Sent: 13 January 2010 11:08
To: Victim Username
Subject: The settings for the username@blahblah.blah mailbox were changed

Dear user of the blahblah.blah mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (username@blahblah.blah) settings were changed. In order to apply the new set of settings click on the following link:

http://blahblah.blah/owa/service_directory/settings.php?email=username@blahblah.blah&from=blahblah.blah&fromname=username

Best regards, blahblah.blah Technical Support.

Letter ID#NGTS7OTY8XPZX8FEUYTTTZ1PF

The displayed link isn't the actual link, underneath it points to something like:
http://blahblah.blah.vcrtp21.eu/owa/service_directory/settings.php?email=username@blahblah.bah&from=blahblah.blah&fromname=username

Clicking through the link takes you to a convincing looking OWA (Outlook Web Access) forgery page, populated with the victim's domain name and email address.

There are two exploits on the page, the first one is a drive-by download of an infected PDF file called pdf.pdf for which VirusTotal detection is only 10/41, detected by McAfee as Exploit-PDF.ac and various others. The executable file you are directed to download is also a bit patchy on detections.

Sender names include:

• operator@
• support@
• notifications@
• no-reply@
• system@
• alert@
• info@

..all on your local domain, obviously.

Subjects include:

• The settings for the blah@blah.blah mailbox were changed
• The settings for the blah@blah.blah were changed
• A new settings file for the blah@blah.blah mailbox
• A new settings file for the blah@blah.blah has just been released
• For the owner of the blah@blah.blah e-mail account
• For the owner of the blah@blah.blah mailbox

Some domains in use on this are:

• vcrtp1.eu
• vcrtp21.eu
• vcrtprsa21.eu
• vcrtpsa21.eu
• vcrtrsa21.eu
• vcrtrsr21.eu
• vcrtrsrp2.eu
• vcrtrsrp21.eu

..there are probably many more of a similar pattern.

WHOIS details are fake:

Name:
Quezada, Ramon
Address:
1800 N. Bayshore Drive
33132 Roma
Roma
Italy
Email:
wawddhaepny@yahoo.com

Domains are on a fast flux botnet, so there's no point listing IPs. However, nameservers are as follows:
ns1.raddoor.com
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.raddoor.com
71.123.51.158 [Verizon Internet Services Inc, Aston]
ns1.elkins-realty.net
84.243.201.159 [Netrouting Data Facilities, Amsterdam]
ns2.elkins-realty.net
71.123.17.61 [Verizon Internet Services Inc, Whitesboro]

Registrant details for raddoor.com are probably bogus:

edmund pang figarro77@gmail.com
751 kinau st. #30
honolulu
HI
96813
US
Phone: +1.8085362450

Registration details for elkins-realty.net are DEFINITELY bogus:

Name : B O
Organization : B O
Address : 123 elm str.
City : Los Angeles
Province/State : beijing
Country :
Postal Code : 23456
Phone Number : 86--8586104812
Fax : 86--8586104819
Email : BO.la@yahoo.com

Once your machine is infected, it probably gets infected with a Zbot variant as in these two previous examples.

"Congratulations!! You have won todays Macbook Air.".

Another day, another badly detected trojan:

Subject: Congratulations
From: "Media Service"

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

Attachments:
winner.zip 21 k [ application/zip ]

winner.zip contains winner.exe detected by some products as the Sasfis Trojan.

ThreatExpert report is here, malware phones home to 193.104.27.4 and 193.104.27.91 in the Ukraine.

"Facebook Password Reset Confirmation" trojan

This trojan claims to be something to do with a Facebook password reset, but it's a plain old EXE-in-ZIP trojan attack.

Subject: Facebook Password Reset Confirmation.
From: "The Facebook Team" <service@facebook.com>

Hey fortunes ,

Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks, The Facebook Team

Attachments: Facebook_Password_6c6eb.zip

The Trojan is widely detected as a version of Bredolab. ThreatExpert report is here.

Remember, if you can block EXE-in-ZIP files at your mail gateway, it is well worth doing.

Injection attacks: adbnr.ru

adbnr.ru seems to be the latest domain to be used by the bad guys in this current round of injection attacks. The injected code to look for is adbnr.ru/ads.js (obviously don't visit that page unless you know what you are doing). That leads to a heavily obfuscated piece of Javascript which I haven't dissected yet.. but really there is no doubt that it is going to try to do something very bad to your computer!

Domain is registered to:
domain: ADBNR.RU
type: CORPORATE
nserver: ns1.adbnr.ru. 75.155.243.39
nserver: ns2.adbnr.ru. 173.93.171.160
nserver: ns3.adbnr.ru. 71.108.37.140
nserver: ns4.adbnr.ru. 67.84.154.208
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 812 5706062
e-mail: omit@blogbuddy.ru
registrar: REGRU-REG-RIPN
created: 2009.09.29
paid-till: 2010.09.29
source: TC-RIPN

Both the telephone number and email address have been connected with malware attacks before.

Looks like it is using a fast flux botnet for hosting, but blocking adbnr.ru should be effective.

FAIL: "Microsoft has released an update for Microsoft Outlook"

This email looks like it's from Microsoft, but it is really intended to load a trojan onto your PC:

From: Microsoft Customer Support [mailto:no-reply@microsoft.com]
Sent: 18 June 2009 22:47
Subject: Microsoft has released an update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)
Brief Description
Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.
Instructions
• To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
Quick Details
• File Name: officexp-KB910721-FullFile-ENU.exe
• Version: 1.4
• Date Published: Thu, 18 Jun 2009 16:46:55 -0500
• Language: English
• File Size: 81 KB
System Requirements
• Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
• This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement

Although the link appears to be for the Microsoft web site, underneath is a hidden URL which is quite different. From samples I have plus some scraped from teh interwebs, I came up with the following samples:

hxxp:||update.microsoft.com.ijlijji.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijj1hjf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijjh.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijj1.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.ijlijji.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]
hxxp:||update.microsoft.com.il1if1.com.mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=[redacted]

The reason why this is a FAIL? None of the domains are registered apart from the .com.mx one, so clicking the links will do precisely nothing. il1if1.com.mx is hosted on a botnet with presumably fake registration details, but it seems to be quite unreliable.

Even though this attack doesn't work, it might be a good idea to keep an eye out for it and advise any end users you have. Also checking your proxy logs for update.microsoft.com.i may well be useful.

"Western Union Transfer MTCN: 2474153681" trojan

Another EXE-in-ZIP trojan, this time disguised as an Excel spreadsheet. The pitch is:

Subject: Western Union Transfer MTCN: 2474153681
From: "Western Union Support Team" support@westernunion.com
Date: Tue, May 12, 2009 11:00 pm

Dear Customer!

The money transfer you have sent on the 22nd of April was not collected by the
recipient.
According to the Western Union contract the transfers which are not received in 15
days are to be returned to sender.
To collect cash you need to print the invoice attached to this email and visit the
nearest Western Union agency.

Thank you!

In this case there was an attachment called Invoice_8773.zip containing a file named Invoice_8773.exe. Because of the really stupid way that Windows (by default) hides the file extensions and the fact that the bad guys have given this executable a convincing icon, it will look something like this when unzipped:

VirusTotal identifies is as a variant of Zbot, the ThreatExpert prognosis has more details in case you are trying to clean it up.

If you can block EXE-in-ZIP files at your mail perimeter, then that is always the best defence against this kind of attack.

songmeanings.net compromised?

songmeanings.net is a popular and relatively crud-free lyrics site that attracts millions of visitors a year. Alexa ranks it as about the 5000th most popular site in the world (dynamoo.com ranks in at about 290,000).

Unfortunately, the email database at songmeanings.net appears to have been compromised and the email addresses are now receiving "Canadian Pharmacy" spam routed via spaces.live.com. It is unknown if any other details have been taken, in all likelihood this is probably a trojan that has taken email addresses only.

(They are not the only one. Tradedoubler is an advertising network that has been similarly compromised).