
Tuesday 20 December 2011

c*redret.ru sites to block (updated)

These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.

46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru

79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru

79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru

91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]


206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru

Not hosted at present

Monday 12 December 2011

Evil network: UkrStar ISP / UKRSTAR-NET AS43473 (91.195.10.0/23)

I've seen a lot of 91.195.10.0/23 in recent days, a range of addresses belonging to UkrStar ISP in the Ukraine. It's a sparsely occupied block, but there appear to be no legitimate sites here and blocking the whole lot could save you some grief.

A list of domains and IP addresses can be found at the end of the post. The WHOIS details for the block are as follows:

inetnum:        91.195.10.0 - 91.195.11.255
netname:        UKRSTAR-NET
descr:          UkrStar ISP
descr:          www.ukrstar.com
country:        UA
org:            ORG-UA98-RIPE
admin-c:        SER50-RIPE
tech-c:         WIRE88-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         UKRNIC-MNT
mnt-routes:     UKRNIC-MNT
mnt-domains:    UKRNIC-MNT
source:         RIPE #Filtered

organisation:   ORG-UA98-RIPE
org-name:       UkrStar
org-type:       OTHER
descr:          www.ukrstar.com
address:        Dal'nitskaya 46, room 404
address:        Odessa 65005
address:        Ukraine
phone:          +380482390190
fax-no:         +380482324245
e-mail:         noc@ukrstar.com
admin-c:        SER50-RIPE
tech-c:         WIRE88-RIPE
mnt-ref:        GLOBALNETWORKS-MNT
mnt-by:         GLOBALNETWORKS-MNT
source:         RIPE #Filtered

person:         Sanin Sergey Victorovich
address:        Deribasovskaya str., 12
address:        Odessa 65027
address:        Ukraine
phone:          +380487771551
e-mail:         ser-0@clan-0.com
nic-hdl:        SER50-RIPE
mnt-by:         GLOBALNETWORKS-MNT
source:         RIPE #Filtered

person:         Grigoretskiy Sergey Aalexandrovich
org:            ORG-UA98-RIPE
address:        Dal'nitskaya str., 46, room 404
address:        Odessa 65005
address:        Ukraine
phone:          +380482390190
e-mail:         sg@ukrstar.com
nic-hdl:        WIRE88-RIPE
mnt-by:         GLOBALNETWORKS-MNT
source:         RIPE #Filtered

route:          91.195.10.0/23
descr:          UKRNIC-IP-BLOCK
origin:         AS43479
mnt-by:         UKRNIC-MNT
source:         RIPE #Filtered


c*redret.ru sites to block

Another bunch of "redret" sites to block, either by domain name or IP. These domains are being used as the payloads for spam emails and lead to a malicious web page.

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia - recommend blocking 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 (Digital Network JSC again)
ciredret.ru
coredret.ru
cpredret.ru

91.195.11.42 (UkrStar ISP, Ukraine - recommend blocking 91.195.10.0/23)
curedret.ru

Unallocated

Friday 9 December 2011

"The variant of the contract you've offered has been delcined."

The recent spam avalanche continues:

Date:      Fri, 9 Dec 2011 -01:35:13 -0800
From:      "Josie Carlson" [TateAlmgren@concentric.net]
Subject:      The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 64kb

With respect to you
Josie Carlson

SHA512 check sum: [redacted]

This leads to a malicious payload on ciredret.ru/main.php, hosted on 91.195.11.42 (as with this other spam/virus run), so blocking 91.195.10.0/23 (UkrStar ISP, Ukraine) is a very good idea at the moment.

Malware: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped! / ageoloft.info, floreli.info and certerpen.info

This malware spam leads via a legitimate hacked site to floreli.info or ageoloft.info or certerpen.info, although there are probably more. If you have the names of other payload domains please consider adding them in the Comments. These sites are hosted on 91.195.11.42.

From: Issac Britt [mailto:delphiniumsfte62@retela.co.jp]
Sent: 09 December 2011 14:05
Subject: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!

Hello,

Shipping Confirmation
Order # 649-2723315-2651369

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Omron FXB-414M Fat Loss Monitor, Black $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.

Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) is a good proactive move, as several malware attacks have been hosted there in the past few days.

Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info


Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!
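As an added example (not from the original posts), this is how a defender might turn the advice in these posts into a check over proxy logs: flag requests whose destination falls in the recommended block ranges (91.195.10.0/23 and 79.137.224.0/20), whose hostname fits the c?redret.ru shape, or whose host is one of the named payload domains, with the /main.php landing path as a secondary signal. The log lines and the log format are constructed for the example.

```python
import ipaddress
import re

# Ranges the posts recommend blocking, and the domain shape seen across
# the "redret" posts. The log format below is constructed for this example.
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("91.195.10.0/23", "79.137.224.0/20")]
REDRET_RE = re.compile(r"^c[a-z]redret\.ru$")
KNOWN_BAD_HOSTS = {"floreli.info", "ageoloft.info", "certerpen.info"}

# Constructed proxy log lines: client ip, destination host, destination ip, path.
SAMPLE_LOG = """\
10.0.0.5 www.example.com 203.0.113.10 /index.html
10.0.0.7 ciredret.ru 91.195.11.42 /main.php
10.0.0.9 floreli.info 91.195.11.42 /main.php?page=525447c096f8efbf
10.0.0.3 intranet.example.net 10.1.2.3 /
10.0.0.4 mirror.example.org 79.137.230.10 /pkg.tar.gz
"""


def classify(host, ip, path):
    """Return the list of reasons a request should be flagged (empty if clean)."""
    reasons = []
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_RANGES):
        reasons.append("blocked-range")
    if REDRET_RE.match(host):
        reasons.append("redret-pattern")
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-domain")
    # The landing page alone is too generic to flag; only note it on already-suspect hits.
    if reasons and path.split("?")[0].endswith("/main.php"):
        reasons.append("main.php-landing")
    return reasons


def scan(log_text):
    """Scan whitespace-separated log lines; return (client, host, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        client, host, ip, path = line.split()
        reasons = classify(host, ip, path)
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(client, host, ", ".join(reasons))
```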

Thursday 8 December 2011

Malware: "Your new contract" / coredret.ru

Spam season continues with this fake "contract" email with a link that leads to a malicious payload on coredret.ru/main.php.

Date:      Thu, 8 Dec 2011 01:58:25 +0700
From:      "Daisy Newby" [CadenHolmgren@hanmail.net]
Subject:      Your new contract

As we arranged the day before yesterday in the in your place we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 36kb


Best Wishes
Daisy Newby


Fingerprint: bfe69dcc-ccc03723

coredret.ru is hosted on 91.195.11.41 (UkrStar ISP, Ukraine). 91.195.10.0/23 is very sparsely populated, so blocking access to it should cause no problems.