
Tuesday 25 November 2014

What the heck is with 104.152.215.0/25?

A contact gave me the heads up to an exploit kit running on 104.152.215.90 [virustotal] which appears to be using MS16-064 among other things [urlquery].

104.152.215.90 belongs to Query Foundry LLC in Wyoming, however they suballocated it to a customer:

NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/net/NET-104-152-215-0-1

CustName:       Shanghe Yang
Address:        707 Wilshire Blvd
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2014-09-30
Updated:        2014-09-30
Ref:            http://whois.arin.net/rest/customer/C05354145

707 Wilshire Boulevard is a massive office block, but I suspect that this is just an accommodation address, so there's no real lead on who this customer is.
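As an added example (mine, not part of the original post), here is a small Python parser for the ARIN-style "Key: value" record quoted above. It extracts the CIDR (or rebuilds it from the NetRange pair when a record has no CIDR line), checks whether a given address such as the exploit-kit host falls inside the reassigned customer block, and pulls out the customer handle. The sample record is the one quoted above; the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List

# Sample input: the ARIN net record quoted above, as a plain "Key: value" block.
WHOIS_TEXT = """\
NetRange:       104.152.215.0 - 104.152.215.127
CIDR:           104.152.215.0/25
NetName:        QUERYFOUNDRY
NetHandle:      NET-104-152-215-0-1
Parent:         QUERYFOUNDRY-06 (NET-104-152-212-0-1)
NetType:        Reassigned
OriginAS:       AS62638
Customer:       Shanghe Yang (C05354145)
RegDate:        2014-09-30
Updated:        2014-09-30
"""

KEY_VALUE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")


def parse_whois(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of an ARIN record into a dict.

    Lines that do not look like a field (blank lines, comments) are skipped;
    a repeated key keeps its last value.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def networks_from_record(fields: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Return the network(s) a record covers.

    Prefer the CIDR field (ARIN may list several, comma separated); otherwise
    rebuild the prefixes from the NetRange start/end pair.
    """
    if fields.get("CIDR"):
        return [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    start, end = (ipaddress.ip_address(p.strip()) for p in fields["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def in_record(ip: str, fields: Dict[str, str]) -> bool:
    """True if the address lies inside the record's network(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_from_record(fields))


def is_customer_reassignment(fields: Dict[str, str]) -> bool:
    """ARIN marks sub-allocations to a customer as Reassigned or Reallocated."""
    return fields.get("NetType", "").lower() in {"reassigned", "reallocated"}


def customer_handle(fields: Dict[str, str]) -> str:
    """Pull the customer handle (e.g. 'C05354145') out of 'Name (HANDLE)'."""
    m = re.search(r"\(([A-Z]\d+)\)", fields.get("Customer", ""))
    return m.group(1) if m else ""


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    for ip in ("104.152.215.90", "104.152.215.200"):
        print(ip, "inside" if in_record(ip, rec) else "outside", rec["CIDR"])
    print("customer reassignment:", is_customer_reassignment(rec), customer_handle(rec))
```

The NetType check matters for attribution: a Reassigned record means the provider (here Query Foundry) handed the block to a customer, so abuse reports and reputation should be pinned to the /25 rather than to the parent allocation.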

A look at the contents of the /25 is puzzling, because I can see almost 1500 sites [csv] on a number of active IPs [txt], almost none of which have any kind of discernible web presence or reputation. 

Drilling down into the domains and registrants [csv] shows a list of either Chinese or US registrants, but in the vast majority of cases they look to be fake. The key indicator is that the email addresses listed are all of a similar format and bear no relationship whatsoever to the name of the registrant.

The random structure of most of the domains is an indicator of possible maliciousness. The few domains that don't match this pattern seem to be .fr domains which look like they have been hijacked or re-registered, and oddly they are all registered to different (often obviously fake) people at the same address in France:


address:     13, rue de rohrwiller bischwiller,67240 Bas-Rhin, France 139 a
address:     67240 Bischwiller
address:     Bas-Rhin
country:     FR


It isn't a big place according to Google. I doubt if there is an Assad Sfdsadsfw, Yfdsjshfk Ynagkjhk, Qewqewq Sfwad or Poiug Pppobflgk living in that location.

Although there is not much data about the range, there are a couple of domains that are also flagged as malicious:

sxzav.xyz [Google diagnostics]
klioz.xyz [Google diagnostics]

Quite why they are flagged as malicious is a puzzle.

My personal opinion is that there is enough evidence to treat 104.152.215.0/25 as a suspect network. It does not appear to have any legitimate sites, the sites that do exist are of an unknown purpose and often have apparently fake WHOIS details for the domains.

Blocking or monitoring traffic to and from that /25 is the easiest way of doing it; alternatively, these are the domains being used in this network block:

izhse.com.cn
nmfcd.com.cn
szeeo.com.cn
trfqg.com.cn
uzwqy.com.cn
ycrlru.cn
yifxu.cn
yivuu.cn
yoezuu.cn
yrmhmu.cn
yszrru.cn
yyknu.cn
bcczrvo.com
bzvod.com
cyhgeqm.com
dgudwco.com
dhidzbo.com
dhwgfub.com
dnzwafr.com
dqlivdc.com
enndmfy.com
eufxdtc.com
eugutxh.com
fprtrsz.com
fytwhsw.com
gwrvwed.com
heghsbq.com
hotkii.com
hsephqf.com
iondydc.com
jeyztjy.com
jjfnshu.com
jpkwin.com
jtgypou.com
jtvkrv.com
kudnzpq.com
lgyudpy.com
mhmzyqf.com
mhxipaw.com
mtqlgko.com
nekclhr.com
ngieznn.com
nwnfbmn.com
okjepel.com
pbqbgkd.com
pcerrxh.com
plqrwgl.com
qebywad.com
qtknjnb.com
ripyiht.com
scauyfs.com
svyqkuu.com
sxfkzgf.com
tfwvtxy.com
ubqyfht.com
uewswa.com
umremdh.com
uuyrvtf.com
vdblrqb.com
vjqmryt.com
wgsunfk.com
wubpcb.com
xjgvtvs.com
xqyvqtx.com
ypnmxpe.com
ysmryfm.com
yyxkaqs.com
zakagps.com
zbecfan.com
mudanguojiyulecheng.eu
feldo-luxury.fr
latable-brasserie.fr
lestudio-orthez.fr
limpid.fr
mariepapier.fr
mobile-prepaye.fr
piscines-spas-95.fr
taxi-saint-medard-de-guizieres.fr
thermoservices.fr
tout-com-magny.fr
vansboutique.fr
fxy101.org
fxy102.org
fxy103.org
fxy105.org
fxy106.org
fxy107.org
fxy108.org
fxy109.org
sz101.org
sz103.org
sz118.org
sz188.org
tz100.org
tz110.org
7381.pw
97897.pw
417700.pw
ccbjz.pw
cdjgey.pw
dfjglr.pw
dfojy.pw
dgkjgy.pw
dlgjt.pw
hljbjz.pw
hrbbz.pw
hzkhj.pw
jlbzj.pw
jsbzj.pw
kdjjt.pw
kjdkg.pw
lnbzj.pw
njkuy.pw
sdbzj.pw
sdjkls.pw
sdljog.pw
sjaux.pw
sldjog.pw
sxbzj.pw
sybzj.pw
szjbzj.pw
tjbyee.pw
whgiut.pw
cmslj.xyz
fdslj.xyz
fjdxz.xyz
hbdxz.xyz
hkdxz.xyz
hljdxz.xyz
hndxz.xyz
klioz.xyz
myslj.xyz
nhslj.xyz
njdxz.xyz
sxzav.xyz
tlslj.xyz
tnslj.xyz
whslj.xyz
wzslj.xyz
ycslj.xyz
yqslj.xyz
yyslj.xyz
zwslj.xyz

Monday 24 November 2014

MyFax message from "unknown" spam leads to poorly-detected malware

Fax spam again. How quaint. This spam appears to come from the person receiving it (which is an old trick).

From: victim@victimdomain.com
Sent: 24 November 2014 15:31
To: norep.c@mefax.com
Subject: MyFax message from "unknown" - 3 page(s)


Fax Message [Caller-ID: 1-407-067-7356]

http://159593.webhosting58.1blu.de/messages/get_message.php

You have received a 3 page fax at Mon, 24 Nov 2014 15:31:23 +0000.

* The reference number for this fax is chd_did11-14186364797-10847113200-628.

View this fax using your PDF reader.
Thank you for using the MyFax service!

The link in the message downloads a file faxmessage_7241_pdf61.zip which in turn contains a malicious executable faxmessage_7241_pdf.exe which has a VirusTotal detection rate of 4/53. The Malwr report shows that it connects to the following URLs:

http://95.211.199.37:16792/2411us3/HOME/0/51-SP3/0/
http://95.211.199.37:16792/2411us3/HOME/1/0/0/
http://lasuruguayas.com/images/refus3.pnk


A file EXE1.EXE is also dropped, with a VirusTotal detection rate of just 1/54. The Malwr report is here.



Saturday 22 November 2014

Oplamo Herbal Root scam

As far as I can tell, there is no such thing as "Oplamo Herbal Root". So, this spam is almost definitely a scam.

From:     Mr. Tom Good Hope [mrtomgood@gmail.com]
Reply-To:     mrtomgoodhope@gmail.com
Date:     22 November 2014 02:24
Subject:     SUPPLY BUSINESS OF OPLAMO

My name is Tom Goodhope i based in Liverpool,UK working with a pharmaceutical company.
I have decided to contact you directly to discuss briefly via email about the ongoing supply that came up in our company.

I think if you can understand English and India Language (Hindi,Tamil etc) you can take up this business proposal to buy out OPLAMO HERBAL ROOT from the local producer in India and make supply to our company as the direct producer to enable our company be buying direct from you on every subsequent order after this first purchase.


OPLAMO ROOT its used for production of Anti-viral drugs & Animal Vaccines.Our company have been purchasing the materials from Pakistan but it is very scarce and expensive now in Pakistan. I've found out the truth that this Pakistan people purchases this product in India at the rate of $210 USD,while they supply to our company at the rate of $430 USD.

Recently i got the contact information of a local producer in India that preserve {OPLAMO} herbal root to the quality our company needs for production and i came to know that this product can be purchase at rate of $280 US dollar per sachet in India.

Note that i can not release the contact information of the local producer easily to anybody that can not follow up with guidelines on how to make this supply on this first supply,because if any mistake occurs and my company finds out that i'm involve in given information to someone to supply this product to them they will consult a legal petition against me and i can not go to India to buy and supply this product to our company because i do not have money to handle this business and i don't want to release this information to our company management.

Our company buys 3000 sachets (each sachet contains 5 grams),but on the first order with any producer they want to give a trial order of 300 or 500 sachets and payment method for this first order is COD- cash on delivery, upon their satisfaction on this first order they would be making payment on T/T in advance.

Please read this business proposal very well before you reply me,if you can not handle this business according to my guideline its better you don't reply me,because i want you and i to be on safer side in this transaction.

Upon your reply i will clarify you more on how to start this business immediately,please drop your contact phone number for me to be able to contact you ASAP.

Thanks,

Mr Tom Goodhope

Company Secretary

mrtomgoodhope@gmail.com

"Tom Goodhope" sounds more Nigerian than British, but the originating IP address is actually 123.239.58.103 in Delhi, sent via 198.20.245.154 [eas.easylhost.com] in the US.

Given that all the search results I can find for "Oplamo Herbal Root" or "Oplamo Root" seem to be similar scams, I would suggest that this doesn't even qualify as snake oil and I would give it a very wide berth.

"Ihr Zahlungsauftrag - 41401236123" spam

This German-language spam leads to malware.

Von: Sparkasse IT AG [mailto:assistant@fourmusic.com]
Gesendet: Freitag, 21. November 2014 15:03
Betreff: Ihr Zahlungsauftrag - 41401236123

Der Auftrag wurde entgegengenommen.
 21. November 2014, 02:02:17 Uhr

 Sie haben eine Zahlung über 2735,15 EUR an Miss Elita Zirne veranlasst.
 Wir haben die Sparkasse über die Versandbereitschaft des Artikels in Kenntnis gesetzt. Weitere Details zu diesem
Vorgang:
2014_11_Sparkasse_details_4543735454333.zip

In this case the link goes to agromark-bimsa.com.ar/VR7wkx13 where it downloads a file 2014_11_transaktions_id_000000039190.zip which in turn contains a malicious executable 2014_11_transaktions_id_000000039190_de_398000283221_0033565020_029389227_92_200001.exe which has a VirusTotal detection rate of 14/55.

Automated analysis tools [1] [2] [3] are not particularly revealing, but similar recent malspam runs have been linked to Geodo.

Friday 21 November 2014

StockTips.com spam.. or Joe Job?

When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.

From:     StockTips.com
Date:     21 November 2014 07:58
Subject:     Sign up now

StockTips

Want to make money with stocks?
Sign up at http://www.stocktips.com/ for a small monthly fee only.


© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp


Here is another version of the body text:


Stock
Tips

Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE!


© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp



The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketers tend not to spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indication that it might be a Joe Job.

62.143.125.49 (Unitymedia, Germany): Project Honeypot shows that it has only been used for spam quite recently. It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised.
188.66.76.4 (Gamma Telecom, UK): Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server.
80.38.8.21 (Telefonica de Espana SAU, Spain): Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time.
88.156.185.92 (Vectra S.A., Poland): Description is "Vectra Broadband Users", which indicates a DSL or cable connection. Project Honeypot has no data.
187.94.214.35 (Feliz Acesse Comunicacao Ltda, Brazil): No data on this; could be a domestic IP address.
79.180.189.55 (Bezeq International Ltd, Israel): Appears to be a domestic broadband user.
78.187.242.217 (TurkTelekom, Turkey): ADSL subscriber.
176.94.67.198 (Arcor AG, Germany): Arcor / Vodafone DE business customer.

What about StockTips.com itself?

StockTips.com is a snazzy looking site..


But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..


A $37 signup fee? No thanks.. but the site says it is a one-time fee whereas the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught my eye.


HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.

Hmmm.

A bit of Googling around shows a lot of negative comment about StockTips.com. There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

"Duplicate Payment Received" spam from "Enid Tyson" has a malicious DOC

This fake financial spam has a malicious Word document attached.

From:     Enid Tyson
Date:     21 November 2014 15:36
Subject:     INV209473A Duplicate Payment Received

Good afternoon,

I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14.  Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.

I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer.  If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details. 

If you have any queries regarding this matter, please do not hesitate to contact me.

I look forward to hearing from you .

Many thanks

Enid Tyson
Accounts Department

In this case the attachment is De_209473A.doc, but it will probably vary with the subject name. The document itself has zero detections at VirusTotal (the Malwr report is inconclusive). It contains a malicious macro [pastebin] which connects to the following URL:

http://79.137.227.123:8080/get1/get1.php

I only have one sample at the moment, so there are probably other download locations. This then downloads a file test.exe which is saved to %TEMP%\VYEJIUNSXLI.exe.

This has a VirusTotal detection rate of just 1/55. The malware is hardened against analysis in a Sandbox so automated results are inconclusive [1] [2] [3] [4].

UPDATE:
A second version is going the rounds, with zero detections and a download location of

http://61.221.117.205:8080/get1/get1.php

A copy of the malicious macro can be found here.

Something evil on 46.8.14.154

46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort.

The following subdomains have been active on that server; they are ALL hijacked GoDaddy domains:

band.animagraphic.net
casual.animagraphics.org
emissions.usanicotinebiz.com
family.animagraphics.com
format.animagraphics.net
george.animagraphics.net
hunger.usanicotinenow.com
indictment.animagraphic.net
interest.animagraphics.org
keeps.animagraphics.net
nearest.zeezoarticles.com
overwhelmingly.ecigvv.com
revolt.animagraphics.biz
south.animagraphics.com
tests.animagraphics.net
textile.animagraphics.org
this.animagraphics.net
transplant.madvapor.com
floatingtpoint.vzeliquid.com
delivering.animagraphics.biz
week.animagraphics.biz
speaks.animagraphics.biz
automobile.animagraphics.biz
herself.vvmod.com
obtained.vzmod.com
unixtbased.ecigvv.com
metric.animagraphics.com
norway.animagraphics.com
plays.nicotinegiant.com
majority.usanicotinenow.com
underground.usanicotinenow.com
o.animagraphic.net
costs.animagraphic.net
illinois.animagraphic.net
rape.animagraphics.net
usable.animagraphics.net
presents.animagraphics.net
upper.hotzonenow.com

Domains spotted so far with malicious subdomains:

animagraphics.org
usanicotinebiz.com
animagraphics.com
animagraphics.net
usanicotinenow.com
zeezoarticles.com
ecigvv.com
animagraphics.biz
madvapor.com
vzeliquid.com
vvmod.com
vzmod.com
nicotinegiant.com
hotzonenow.com

The best thing to do is to block traffic to 46.8.14.154 because these domains seem to change every few minutes.

Tuesday 18 November 2014

"INCOMING FAX REPORT" spam, let's party like it's 1999

Hang on, I think I need to load some more papyrus into the facsimile machine, the 1990s are back!

From:     Incoming Fax [no-reply@efax.co.uk]
Date:     18 November 2014 13:16
Subject:     INCOMING FAX REPORT : Remote ID: 766-868-5553

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: Tue, 18 Nov 2014 14:16:58 +0100
Speed: 4222bps
Connection time: 01:09
Pages: 5
Resolution: Normal
Remote ID: 963-864-5728
Line number: 1
DTMF/DID:
Description: Internal report

We have uploaded fax report on dropbox, please use the following link to download your file:

http://mrconsultantpune.com/dropbox/document.php

********************************************************* 

This is (of course) utter bollocks, and the link in the email downloads a ZIP file document_8731_pdf.zip which in turn contains a malicious executable document_8731_pdf.exe which has a VirusTotal detection rate of 4/54. According to the Malwr report it makes the following HTTP requests:

http://108.61.229.224:13861/1811us1/HOME/0/51-SP3/0/
http://108.61.229.224:13861/1811us1/HOME/1/0/0/
http://159593.webhosting58.1blu.de/mandoc/narutus1.pmg

It also drops a file EXE1.EXE onto the target system which has a detection rate of 7/55. You can see the Malwr report for that here.

Recommended blocklist:
108.61.229.224
159593.webhosting58.1blu.de

Monday 17 November 2014

"Test message" spam plague continues..

This plague of spam "test messages" has been going on for two days now, probably sourced from "Botnet 125" which sends most of the spam I get. These messages are annoying but not harmful in themselves; I suspect they are probing mail servers for responses.

If you have a catch-all email address then you will probably see a lot of these. The targets are either completely random or have been harvested from one data breach or another as far as I can see.

From: Hollie <Laurie.17@123goa.com>
Date: 17 November 2014 19:04
Subject: Test 8657443T


test message.

Murphy became a free agent on October 15, after refusing a minor league assignment. Silva implies the last cycle has begun, believing herself to be the host.
Icelandic had been heard. American CIA contract air crews and pilots from the Alabama Air Guard.

----------

From: Bethany <Toney.b0c@tbmeca.pl>
Date: 17 November 2014 20:00
Subject: Test 513081H


test message.

George Washington's existing building was constructed in 1960 and has had many renovations since its opening. His parents ran a restaurant, but his father emigrated to South America and never returned.
From 1971 to 1975, he was head of the Semiconductor Electronics Research Department. AIDS, which marked one of the most painful parts of Blotzer's life.

----------

From: Lilly <Glenn.75@ottcommunications.com>
Date: 17 November 2014 19:18
Subject: Test 547004K


test message.

On its full length, it passes through 14 provinces of Turkey. During the night, Dudu develops a cough and in the morning he is rushed to a local hospital.
The regular season was won by the Sevilla FC Puerto Rico, which became the first team to win two regular season cups. Letter to the World Narcotic Defense Association.

----------

From: Eddie <Darwin.87@satfilm.net.pl>
Date: 17 November 2014 19:20
Subject: Test 769978N


test message.

District 16 in the upper chamber. These allegations were followed by a long investigation of the convent that caused much inner strife amongst the nuns.
The teams alternate turns on who will pick first depending on the night. Bellona's report on RTG lighthouses.

----------

From: Alba <Young.69@discoverwhitewater.org>
Date: 17 November 2014 20:18
Subject: Test 7900710A


test message.

DR B1 and DQ B1 polymorphisms in patients with coronary artery ectasia. The Thames at Brentford.
Chi world GNI percapita. Little known gems are unearthed.

----------

From: Neal <Nichole.23b@business.telecomitalia.it>
Date: 17 November 2014 19:03
Subject: Test 974193J


test message.

It is a very good preparation for further studies in law, literature and linguistics. IPSC and USPSA provide for two power factors, major and minor.
Lake Agassiz can also be seen today. He threatened her, saying that if she told anyone, he would kill her too.

----------

From: Sabrina <Ross.68a@213-5-41-251.bestgo.pl>
Date: 17 November 2014 19:17
Subject: Test 685552L


test message.

The episode starts with girls comments about Alyona's leaving. US 52 leaves the highway here.
Cwmgors Community Centre by Aberdare Blog. Darcy invites Spinner over after she finishes packing for summer camp so they can spend time together before she leaves.

----------

From: Debora <Raquel.6b8@mmgphotographystudio.com>
Date: 17 November 2014 20:22
Subject: Test 409258E


test message.

Combined with manual transmission, these cars were often used as drag racers due to their light weight. A break in his health led to his retirement in 1920.
The company milled lumber and ground flour. Improving the existing headroom under the bridge from 3.

Interfax "Failed Fax Transmission" spam comes with malicious .DOCM file

This fake fax spam comes with a malicious attachment

From:     Interfax [uk@interfax.net]
Date:     13 November 2014 20:29
Subject:     Failed Fax Transmission to 01616133969@fax.tc<00441616133969>

Transmission Results
Destination Fax:  00441616133969
Contact Name:  01616133969@fax.tc
Start Time:  2014/11/13 20:05:27
End Time:  2014/11/13 20:29:00
Transmission Result:  3220 - Communication error
Pages sent:  0
Subject:  140186561.XLS
CSID:
Duration (In Seconds):  103
Message ID:  485646629

Thank you for using Interfax
E-mail: uk@interfax.net
Home page: http://www.interfax.net


Attached is a malicious Word macro file called 00000293.docm which is currently undetected at VirusTotal. The Malwr report doesn't say much (Malwr isn't great at analysing this type of threat). Inside this .DOCM file is a malicious macro [pastebin] which attempts to download a malicious binary from http://agro2000.cba.pl/js/bin.exe

This file is downloaded to %TEMP%\MRSWZZFEYPX.exe and the binary also has zero detections at VirusTotal, and the Malwr report shows that it tries to connect to the following URL:

http://84.40.9.34/lneinn/mo%26af.lipgs%2Bfn%7El%3Fboel%3D%3F+%3Fa%20%3F~pigc_k/ci$slf%2B%20l%3D%7E

It then drops a malicious DLL onto the target system which has a rather better detection rate of 12/53.

If you are a corporate email administrator then you might consider blocking .DOCM files at the perimeter, as I can see no valid reason for these to be sent by email. You should definitely block 84.40.9.34 (Hostway, Belgium) as this is a known bad server that has been used in several recent attacks.

Friday 14 November 2014

Dear spammers.. alotbqobutarkwqechsdovmzfwa to you too.

Dear spammers,

Sending links out like this to drive people to your fake meds site does not work.

From: Tudu [tudu@tin.it]
Sent: 15 November 2014 03:42
To: bernie@nternet.net
Subject:

https://www.google.com/#&q=alotbqobutarkwqechsdovmzfwa&btnI=qysawyt

Even if you stuff your page with what you think are unique keywords such as:



njhzxtfnpvcqgoyuayuhvtsi
dcyfwfcuiahjrifjmpxwlshj
crulbvxcm
ejerwja
uxsiyulmkggsnwjdsujrq
srpxkpnrzupqgfwzlkqonlhhrsk
fcgfsrlomywpykhasppybuen
svsoyteg
yuezkbmsqyhpsicqslrwhvcru
scveevyvstumdryosftulvn
ocwpikfchbarwqinqdrorqiufsqp
alotbqobutarkwqechsdovmzfwa
esbmoulaj
xfshvrgaeckuzhosymxzccjplpcwg
ywifvjeikl
qfwtytmfeeqzf
aaosxoqtdcduwycjhyannf
ybyqgfztbadtwbrvwhypbdjs
xiitpggczmb
nsjgtbsklpwpldu
zvgpumys
pthnpdo
xaorfzpfgviomnbrcbasmfoormsr
gxascwhwfbjdmpcgdey
ykqlnxzt
tdcgedlfvlleuyqn
mgoozaxm
mlrbtiyhpqdwthpdiqgvwkq
uhcjljmguohkmywgylmin
coxmfzumeftmqfczjvnols
sitlhrcwzueprwfyxv
ntxaawsgvdinzyhiylfdgd
nvhwjvqwcxkovoitkxfkjbttfvr
yimclbkcepmqhiec
ebhnypr
oezgaikkapwzthzkfbrtrowmu
xyejkdaxhc
iixpkiijdgrkvqrkngpmxrfwohwvr
amgfgmedyl
cqqbjakpkepaje
hmibwgcdexsm
rjmiavdxujexjktnmtp
kvqthzutebojwnzpzvzhzbrfcb
saeelzoemfcahrlzyllnugbwze
jvnfagrti
lvdycqtozmiwphqmpa
pufhpiotdvdimlsp
cimbmhkagoxnbaxngvxyfcrtlcnxc
qbnuhspjgqawxrf
jbhbhyqkurdqgktvvs
frcmtegacgvxqshruzeakhxfzxq
dtctnrkgwwvdg
ajtnchnawtnrtnlvkxho
yjyhzpenvqmgibef
masyqrwqslofd
khcldmiexfrrruq
fvqadsbhetodzgqvywuxtowhwa
ungrhogqrabqwzrajtjpomvcirxkfp
nncneijcvcwwnyxxgowjvvm
olwdtxqggnsudjtzhyt
mhxmtdnkzseiiizpzmwjnpwtppp
sihsozhgbpybvanyfrfttlk
tkbjkzpdpyvylkon
mmgaklau
jtenvfqsybmghjcabaeetj
fmjcfqmjzstssznbgdpqwaoc
lhedbliildq
qivwguigzmcwkdpezdds
wllbbhjyrditsxzlunskabhqiedg
niazkntdfyoncfgyzq
ndwbqjjtbaoqgegxo
ahjznanwpcmcpvrnsbmtxrssavfv
gmgxhwptdawtd
abwwkrykctoaywhhwrjofirpjfss
oaxhwkodgnvmtmd
dkligclavpa
nsrquhibivbijwvgutozsh
zhwsicrhehejyxggffcsebodxtpgtf
ckrsugdugtefqlebtixupguhdcnmlx
hitsfbk
dilvysgqresg
uqeguta
xuivhwgnruxgnnyrilaxwkqnfv
xuafdrsacr
rkwxzzrmerkcyllbw
qtvzkfzcfzukksxfnrmp
xhkldsr
clavwtpoujkmtbvmrhvqn
oqszjgojzeqfijbpgvnhuqfck
cuszgksdz
czgukflpmspirlhvejmwwojwzgfhh
zafgbpytcoehgeyfhwktqcwhpk
zboupfxmctek
upmihrmqu
odtiuxpysrcozahkrvcr
rkqfakqcwjwrks
ycxkfqyydheisfwydapfrkraur
wzunqlutibfsrrgxmnlqtevs
vlsealvrrvboe
asglyylkuscbammxtkdxornguidnd
ytkcijrfpvj
qaqjzhlprprjivzyrhpvhmenkzj
ojgtgpajla
lbccjwlyrwxd
rolpcaytfijigoogljgzow
zvclpenmm
owitfuirvwlzz
mitjvykqxhkkxirgzegyiddtj
oabwjyjkrcbqxzzp
auzidohkvsthbpduiakqn
rvthoowlmrpkyvpijbidoamdaonie
rybberhm
rybuxcxehxiardpehok
xwisbggcwxopkjyhpjq
dhnebpfvpmpktdm
nuowacsgolfcqvoohuasktwnyw
ovxzcmcf
ueqakehjhnpdajljlxn
lehmezqstjowkzzykxgnvqzli
kkiwyqlemxuksrbodhnyglijwcoml
yduzveynpyktsewzrpqblaw
flnxsjbelopudwaiuxod
lbpwduzwwcoipfxqsgccnxjaoukgua
rktlnsorbpfjgjqhq
xnyezxt
nqkqmewjrjiqckuaf
vvbmbwfovoff
iogxxkdqq
ftcndjjdx
glbhxwhj
fxjocyuhsedsntabgoo
uokhkuqvwrxrpijbdxfw
 
..it isn't going to stop awkward bastards like me from hijacking your search results.

[FYI.. I did not send out the spam you clicked. Somebody sent out a spam advertising a fake meds site healthshdweb.com - I am merely hijacking their attempts to direct people to the site through superior search engine optimisation]

Thursday 13 November 2014

"Test mesage" / "hi there" spam

Here's an unusual spam run coming through right now.. it doesn't seem to have a payload at all..

From:     Bryon Jimenez [Eunice.f2a@simaya.net.id]
Date:     13 November 2014 12:09
Subject:     Test mesage 612985B

hi there

Where the valley narrows into the cleft of the mountains, a lake lies surrounded by lush grasses. Putting another image may not reflect the article's subject logo.
Genesee and Flushing Townships where split off on March 6, 1838. French missionary and philosopher.
We did a lot of shows to 20 people in a bar who were more interested in cheap drinks than they were the band. Camps and social works.
Commented out because it's imprecise and contains false information. It is given to those who do not actively seek it. After the transfer period ended, Guerreiro apologised to Bajevic and was given another chance and is now a member of the squad.

================

From:     Ruben Randall [Josef.e9@business.telecomitalia.it]
Date:     13 November 2014 11:06
Subject:     Test mesage 3144664L

hi there

Player 1 then presses any one of the top red phrase buttons and listens to the beginning half of a phrase. Peter Murray on Debrett's website.
Asopus had twenty daughters but he provides no list. It supports a 240 MW power station.
Profilo di architettura italiana del Novecento, Marsilio, Venezia, 1999, pp. Then the teacher posts the assignment.
American born electronic music producer and DJ now residing in Berlin, Germany. The role of Cio Cio San like most other characters she has portrayed is quickly becoming a signature for her. Williamson, Garner and Musgrove Company, and the Cagli and Paoli Opera Company.

================

From:     Selma Carter [Lloyd.525@raisetherock.com]
Date:     13 November 2014 12:11
Subject:     Test mesage 0254082S

hi there

It was Federer's 3rd title of the year and the 3rd of his career. EL to see if your link meets the Wikipedia style guide.
Squadron Leader Pentland in New Guinea, c. Users can stream music directly from ZumoDrive to iPhone, iPod Touch, Android and WebOS devices.
The work received little critical attention. Saura also attempts to strengthen autobiographical themes found in the original story.
Methodists, in the area. Today it is not uncommon to find early Corgi models with such additions still intact. Edmund Sebastian Joseph van der Straeten.

In all cases "Test mesage" is spelled incorrectly and the body is just "hi there". Because there is no malicious payload (such as an attachment or link) and the message lacks the sort of trigger words that might get it blocked, there is a high probability that at least some of these will get through your spam filter.

Vodafone D2 "Ihre Festnetz-Rechnung für November 2014" spam

This fake Vodafone spam seems to be widely distributed, even though it is obviously targeted at German speakers.

From:     Vodafone D2 [2942-MU31406aBM0@kundenservice.vodafone.de] [pm2053em1]
Date:     13 November 2014 09:13
Subject:     Ihre Festnetz-Rechnung für November 2014


Ihre Kundennummer: 883286157

Sehr geehrte Damen und Herren,

anbei erhalten Sie Ihre Rechnung vom 13.11.2014.

13.11.2014_09:11:07_Rechnung_Kundennr_861570000883286157.pdf

Der Rechnungsbetrag in Höhe von 357,26 EUR wird am 23.11.2014 von Ihrem Konto abgebucht.

Ihre Rechnung ist im PDF-Format erstellt worden. Um sich Ihre Rechnung anschauen zu können, klicken Sie auf den Anhang und es öffnet sich automatisch der Acrobat Reader.


Freundliche Grüße
Ihr Vodafone Team

In this case, the link in the email goes to studiarte.com/gFlEyLcSo where it downloads a file 2014_11vodafone_onlinerechnung.zip which contains a malicious binary 2014_11vodafone_onlinerechnung_0020003909_november_3903980009_11_00000000445.exe

This file has a very low detection rate at VirusTotal of 1/53. Most automated analysis tools [1] [2] [3] don't say much; however, the ThreatTrack report [pdf] is more detailed and apparently shows the malware phoning home to:

46.183.219.78 (DataClub, Latvia)
178.210.167.213 (Markum Bilisim Teknolojileri, Turkey)

Additionally, the following IPs and active domains are queried:

64.27.101.155 (Ken Thomas, US)
109.74.3.6 (GleSYS Internet Services, Sweden)
144.76.59.84 (Hetzner, Germany)
177.73.233.170 (WDI Solucoes Ltda, Brazil)
212.19.62.76 (ANW GmbH, Germany)

5.199.167.197 (Balticservers, Lithuania)
86.124.164.25 (RCS & RDS Business, Romania)
66.172.27.44 (Cyberverse, US)
141.255.165.152 (Privatelayer, Switzerland)
141.255.165.155 (Privatelayer, Switzerland)
173.193.106.11 (Softlayer, US)

qgajlouuhqbikgbd.eu
qrbroaiyynlqluld.eu
tadhvhvdhgtaxnpd.eu
bcqikqgkbiwccmpj.eu
ciomywfqliwtvjft.eu
vgekmcvfuiwrepmm.eu
xqnaiuvgctjdtnmj.eu
eaelgqsjqukhenaq.eu
tejohjlxraqmamnx.eu

Some of these DGA domains have been sinkholed; I have removed the obvious ones, but note that some of these IP addresses may not actually be malicious. However, if you are a network administrator there is no harm in blocking or monitoring sinkholes from your network, so I would recommend the following blocklist:

46.183.219.78
178.210.167.213

109.74.3.6

177.73.233.170

5.199.167.197
86.124.164.25
66.172.27.44
141.255.165.152
141.255.165.155
173.193.106.11

UPDATE 2014-11-20
I previously recommended blocking the following IPs which it turns out are legitimate, possibly added by the malware authors to create false positives. If you have blocked them then I recommend unblocking them.

64.27.101.155
144.76.59.84
212.19.62.76

Wednesday 12 November 2014

"ADP Past Due Invoice#39911564" spam

I haven't seen ADP-themed spam for a very long time, mostly because it gets filtered into a deep dark hole that even I can't see into.

From: billing.address.updates@ADP.com [mailto:billing.address.updates@ADP.com]
Sent: 12 November 2014 16:28
Subject: ADP Past Due Invoice#39911564

 Your ADP past due invoice is ready for your review at ADP Online Invoice Management .

 If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

 Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.

Review your ADP past due invoice here.

 Important: Please do not respond to this message. It comes from an unattended mailbox.

Most of the ones that I have seen are malformed and instead of a link they just say <html>, which is one reason that it is getting through the spam filter. I have seen one live one, leading to [donotclick]www.bingemann-buerosysteme.de/services/invoice1211.php

This downloads a ZIP file invoice1211_pdf28.zip which in turn contains a malicious executable invoice1211_pdf.exe which has a VirusTotal detection rate of 6/54.

It then contacts the following URLs according to the Malwr report:
http://188.165.206.208:30083/1211uk1/HOME/0/51-SP3/0/
http://188.165.206.208:30083/1211uk1/HOME/1/0/0/
http://shahlart.com/miniuk1.pmg
http://mboaqpweuhs.com/mhninqiiifrd3ku
http://mboaqpweuhs.com/nt09kq47fv6k0

Recommended blocklist:
188.165.206.208
shahlart.com
mboaqpweuhs.com
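As an added example (mine, not from the blog), here is a Python triage routine that applies the kind of blocklists recommended in the posts above to constructed DNS and proxy log lines. It checks IPs against whole ranges such as the suspect /25 and against single hosts like 46.8.14.154 using CIDR membership; it matches domains on label boundaries so that a constantly rotating subdomain of a hijacked apex still hits; and it adds a deliberately conservative "random-looking name" signal (four or more consonants in a row in the label left of the TLD) that catches the 16-letter DGA names from the Vodafone post without tripping on ordinary brand names. The log format, client addresses and function names are my own assumptions.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed blocklist drawn from the indicators in the posts above.
BLOCKLIST = [
    "104.152.215.0/25",   # the suspect /25, blocked as a whole range
    "46.8.14.154",        # host behind the rotating hijacked GoDaddy subdomains
    "188.165.206.208",    # ADP-themed malware callback host
    "shahlart.com",
    "mboaqpweuhs.com",
    "animagraphics.net",  # apex only; any subdomain should match
]

# Constructed log lines (not from the page): "timestamp client type value".
SAMPLE_LOG = """\
2014-11-21T10:00:01Z 10.0.0.5 dns band.animagraphics.net
2014-11-21T10:00:02Z 10.0.0.5 http 46.8.14.154
2014-11-21T10:00:03Z 10.0.0.7 dns qgajlouuhqbikgbd.eu
2014-11-21T10:00:04Z 10.0.0.7 http 188.165.206.208
2014-11-21T10:00:05Z 10.0.0.9 dns www.google.com
2014-11-21T10:00:06Z 10.0.0.9 http 104.152.215.90
2014-11-21T10:00:07Z 10.0.0.9 dns notanimagraphics.net
"""


def split_blocklist(entries):
    """Separate network entries (single IP or CIDR) from domain entries."""
    nets, domains = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return nets, domains


def ip_blocked(ip: str, nets) -> bool:
    """CIDR membership test; anything that is not an address is never blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def domain_blocked(name: str, domains: Set[str]) -> bool:
    """Match on label boundaries: 'band.animagraphics.net' hits 'animagraphics.net',
    but 'notanimagraphics.net' does not."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


VOWELS = set("aeiou")


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consonants (y counts as a consonant)."""
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def registrable_label(name: str) -> str:
    """Label left of the TLD ('google' in www.google.com). A public suffix list
    would be needed to handle two-level registries such as .com.cn correctly."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_random(name: str, min_run: int = 4) -> bool:
    """Triage signal, not a verdict: pronounceable names rarely contain
    four consonants in a row, machine-generated ones very often do."""
    return longest_consonant_run(registrable_label(name)) >= min_run


def triage(log_text: str, blocklist) -> List[Tuple[str, str, str]]:
    """Return (client, reason, value) for every log line worth a second look."""
    nets, domains = split_blocklist(blocklist)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, kind, value = parts
        if kind == "http" and ip_blocked(value, nets):
            hits.append((client, "blocked-ip", value))
        elif kind == "dns":
            if domain_blocked(value, domains):
                hits.append((client, "blocked-domain", value))
            elif looks_random(value):
                hits.append((client, "random-looking", value))
    return hits


if __name__ == "__main__":
    for client, reason, value in triage(SAMPLE_LOG, BLOCKLIST):
        print(f"{client:10} {reason:15} {value}")
```

The consonant-run heuristic is tuned to miss rather than over-alert: it flags all nine 16-letter .eu names in the Vodafone post but leaves vowel-rich random names such as hotkii.com alone, and a real word like "strengths" would trip it, so treat a "random-looking" hit as a prompt to check the registrant and hosting, not as grounds to block on its own.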

Exchange House Fraud (Police Headquaters) / omaniex@investigtion.com spam

I got a lot of these yesterday that I've only just noticed..

From:     omaniex@investigtion.com
Subject:     Exchange House Fraud (Police Headquaters)


please note that your attension is needed in our station, as we got information on this fraud information as transactions detailed in attachment. kindly acknowledge this letter and report to our office as all report and contact details are in attachment. failure to this you will be held responsible.

Note: come along with your report as it will be needed

regards,
Police headquarters.
Investigtion dept. 

Attached is a file EXCH DETAILS PR 7777709.zip which contains two files:

7 TRANSACTION RPPP 00000123-PDF.jar
PR0JECT INVESTIGATI 011111-PDF.jar

This is some sort of malicious application written in Java (top tip - if you have Java installed on your computer, remove it. You probably don't need it). It has a VirusTotal detection rate of 7/55 and the Malwr report has some screenshots of something odd happening, but not much more data.