Sponsored by..

Tuesday, 26 February 2013

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

Monday, 25 February 2013

"TrustKeeper Vulnerabilities Scan Information" spam / saberdelvino.net

Well this is new.. this "TrustKeeper Vulnerabilities Scan Information" spam leads to an exploit kit on saberdelvino.net:

From: Trustwave [porosity@e.trustwave.com]
Date: 25 February 2013 17:09
Subject: TrustKeeper Vulnerabilities Scan Information

To view this email as a web page, go here.

view email in a web browser
[redacted]
 

This is an auto-generated report to notice you that the scheduled TrustKeeper vulnerability scan of YOUR NETWORK SYSTEMS has completed and is not compliant.

IMPORTANT: During the scan, TrustKeeper Identified  some Vulnerabilities. Trustwave strongly recommends you review these findings as your overall PCI DSS compliance status may be affected.

TrustKeeper generated a vulnerability scan report. You may view these results by accessing TrustKeeper at:

    https://secure.trustwave.com
    User Name:[redacted]

You will receive an e-mail confirmation when the scan completes and your results are available.   Please note that this can take up to three days.

Note: If you monitor your network for activity, note that the TrustKeeper scan may originate from IP addresses in these ranges:

206.10.209.0/24
62.36.233.0/24

TrustKeeper is a certified remote assessment and compliance solution created by Trustwave and designed to help merchants meet the PCI DSS and achieve compliance with the associated programs of Visa®, MasterCard®, American Express®, Discover®, and other credit card associations. The TrustKeeper solution is an integrated easy-to-use tool that removes the challenge of navigating the complex PCI DSS requirements and provides a "one stop shop" for merchants to certify compliance.    

PLEASE DON'T REPLY TO THIS MESSAGE VIA EMAIL.
This mail is sent by an automated message system and the reply will not be received. Thank you for using TrustKeeper.

This email was sent to: [redacted]

This email was sent by: Trustwave
80 West Madison Street, Suite 1080, Chicago, IL, 60707, USA

We respect your right to privacy - view our policy
   

MANAGE SUBSCRIPTIONS           |            UPDATE PROFILE              |          ONE-CLICK UNSUBSCRIBE


The malicious payload is at [donotclick]saberdelvino.net/detects/random-ship-members-daily.php (report here) hosted on the following IPs:

118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)

Blocklist:
118.97.77.122
176.120.38.238
greatfallsma.com
yoga-thegame.net
dekolink.net
saberdelvino.net
betheroot.net


Friday, 22 February 2013

LinkedIn spam / greatfallsma.com and yoga-thegame.net

This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:

From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending

See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
 
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
 
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
Another example:

Date:      Fri, 22 Feb 2013 18:21:25 +0200
From:      "LinkedIn" [noblest00@info.linkedin.com]
Subject:      Reminder about link requests pending

�����

[redacted]
See who requested link with you on LinkedIn

Now it's easy to connect with people you email
Continue
   
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
� 2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043


The malicious payload is at [donotclick]greatfallsma.com/detects/impossible_appearing_timing.php (report here) hosted on:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

These are the same two servers used in this attack, blocking them would probably be a good idea.

UPDATE: the malicious domain yoga-thegame.net is also on the same servers (report here)

"Data Processing" spam / dekolink.net

This fake "Data Processing" spam leads to malware on dekolink.net:


Date:      Fri, 22 Feb 2013 08:06:43 -0500
From:      "Data Processing Service" [customersupport@dataprocessingservice.com]
Subject:      ACH file ID '768.579

Files Processing Service

SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:

Item count: 79

Total debits: $28,544.53

Total credits: $28,544.53

For more info click here

The malicious payload is at [donotclick]dekolink.net/detects/when-weird-contrast.php (report here) hosted on the following servers:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

"End of Aug. Stat." spam / forummersedec.ru

This fake invoice email leads to malware on forummersedec.ru:

Date:      Fri, 22 Feb 2013 11:33:38 +0530
From:      AlissonNistler@[victimdomain]
Subject:      Re: FW: End of Aug. Stat.
Attachments:     Invoices-1207-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)

Regards


The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec.ru:8080/forum/links/column.php (report here) hosted on

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)

The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
familanar.ru
faneroomk.ru
filialkas.ru
finalions.ru
forummersedec.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Thursday, 21 February 2013

"Scan from a Xerox WorkCentre Pro" spam / familanar.ru

This familiar printer spam leads to malware on the familanar.ru domain:

Date:      Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Re:  Scan from a Xerox WorkCentre Pro #800304

A Document was sent to you using a XEROX WorkJet PRO 760820.

SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

Which are the same IPs found in this attack and several others. Block 'em if you can.

ACH transaction spam / payment receipt - 884993762994.zip

This fake ACH transaction spam comes with a malicous attachment:

Date:      Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From:      Payment notification system [homebodiesga38@gmail.com]
Subject:      Automatic transfer notification

ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.

*** This is an automatically generated email, please do not reply *** 
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46. Automated analysis tools are inconclusive.

Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..

"Efax Corporate" spam / fuigadosi.ru

This fake eFax spam leads to malware on fuigadosi.ru:

Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [eFAX-806896385].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

The following domains and IPs are malicious and should be blocked:
84.23.66.74
122.160.168.219
210.71.250.131
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
faneroomk.ru
finalions.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

ADP Spam / faneroomk.ru

This fake ADP spam tries (and fails) to lead to malware on faneroomk.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification

ADP Immediate Notification
Reference #: 001737199

Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:
•    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
•    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 890911798


HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is meant to be [donotclick]faneroomk.ru:8080/forum/links/column.php but right at the moment it is not resolving.

We can perhaps do a little digging around to see what's going on here. The WHOIS details show the notorious Russian "Private Person".

whois -h whois.ripn.net faneroomk.ru ...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        FANEROOMK.RU
nserver:       ns1.faneroomk.ru. 41.168.5.140
nserver:       ns2.faneroomk.ru. 110.164.58.250
nserver:       ns3.faneroomk.ru. 210.71.250.131
nserver:       ns4.faneroomk.ru. 203.171.234.53
nserver:       ns5.faneroomk.ru. 184.106.195.200
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2013.02.17
paid-till:     2014.02.17
free-date:     2014.03.20
source:        TCI

Last updated on 2013.02.21 17:16:40 MSK

Anyway. it's probably a good idea to block the domain and those NS IPs. The following IPs and domains are all related:


41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53
faneroomk.ru
fzukungda.ru
famagatra.ru
emmmhhh.ru
errriiiijjjj.ru
faneroomk.ru
ejjiipprr.ru
finalions.ru
fulinaohps.ru
eiiiioovvv.ru


Wednesday, 20 February 2013

Verizon Wireless spam / participamoz.com

This fake Verizon Wireless spam leads to malware on participamoz.com:


Date:      Wed, 20 Feb 2013 23:24:49 +0400
From:      "AccountNotify@verizonwireless.com" [cupcakenc0@irs.gov]
Subject:      Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> Review and Pay Your Bill

Thank you for choosing Verizon Wireless.

My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...

2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz.com/detects/holds_edge.php (report here) hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)

The following IPs and domains are connected should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile.com
aftandilosmacerati.com
pardontemabelos.com
participamoz.com

   

SendSecure Support spam / secure_message_02202013_01590106757637303.zip

This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:

Date:      Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From:      SendSecure Support [SendSecure.Support@bankofamerica.com]
Subject:      You have received a secure message from Bank Of America

You have received a secure message.

Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.bankofamerica.com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303.zip unzips into secure_message_02202013_01590106757637303.exe with a VirusTotal detection rate of 6/46. According to ThreatExpert, the malware installs a keylogger and also tries to phone home to:

blog.ritual.ca
dontgetcaught.ca

These sites are hosted on 74.208.148.35 which I posted about yesterday. Blocking access to this IP might mitigate against this particular threat somewhat.



"Wire transfer" spam / fulinaohps.ru

This fake wire transfer spam leads to malware on fulinaohps.ru:

Date:      Wed, 20 Feb 2013 04:28:14 +0600
From:      accounting@[victimdomain]
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps.ru:8080/forum/links/column.php (report here) hosted om the following IPs:

84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

These are the same IPs as used in this attack, you should block them if you can.

famagatra.ru injection attack in progress

There seems to be an injection attack in progress, leading visitors to hacked website to a malicious page on the server famagatra.ru.

The payload is at [donotclick]famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here) which is basically a nasty dose of Blackhole.


84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Inernet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

The following domains are IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131
efjjdopkam.ru
eiiiioovvv.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
errriiiijjjj.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru
famagatra.ru
finalions.ru

Something evil on 62.212.130.115

Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .co.za and .cl domains.

The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in  red   have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP).

190.196.23.231 (clean)
sanjoselosandes.cl
liceomixto.cl
servicioseximia.cl
siitec.cl
sictral.cl
specialdetail.cl
sycabogados.cl

199.34.228.100 (clean)
delfinos.co.za

208.70.149.57 (clean)
cafehavana.co.za
destinationsunlimited.co.za
firearmlicence.co.za
dolceluce.co.za

firearmsafe.co.za
firearmlicense.co.za
familysuite.co.za
bolandparkhotel.co.za
gamesmodels.com
onthebeachjbay.com
disc-deals.com

The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report) and can be assumed to be malicious, and are hosted on 62.212.130.115:

google-statistic.in
libola.com
minizip.org
msdbug.com
msrst.com
nlsdl.org
ntdsapi.com
ntmsdba.com
pifmgr.org
piparse.com
spam-rep-service.in

This third group are almost definitely malicious and are on the same server:

garmonyoy.eu
harmonyoy.eu
kinyng.ru
ntimage.net
ntmsapi.net
ntmsmgr.net
pastaoyto.eu
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru

The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on)  62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too,

54fd8c9fa1abf2b5.firearmsafe.co.za
32464a746740345e.familysuite.co.za
fece86cc9b68c8761151711302121857a5da12fce1b0b.sanjoselosandes.cl
ba7562877f032c1d0160451302111347717339942fd25832980fc947bbaab6e.liceomixto.cl    104698f48570d66e01910213021108078ff41b00051a92fb8f.liceomixto.cl
897581b79c33cf2d016045130210212851378959885060ea5995f416222722b.liceomixto.cl
cd028570a864fb7a01402413021722022144552c318ce7cab9e09a0d2a6a8b5.cafehavana.co.za
23753bc716e345fd114110130218141121065128682695243c3a6e68eaa454c.destinationsunlimited.co.za
23753bc716e345fd119181130218123421084144fafd9a8a2ecee7c9e8a813d.destinationsunlimited.co.za
23753bc716e345fd.destinationsunlimited.co.za
fefd56cf7bfb28e501402413021916372140748bad59371eb615c227bcf6494.firearmlicence.co.za
fefd56cf7bfb28e50191851302191616816357255aa3a775d33e0e87031dabd.firearmlicence.co.za
efce974cba68e97601902413021819141134725bc512d95c3a3367364f60e7f.dolceluce.co.za
54fd8c9fa1abf2b50152021302192150218227543eacf3e65962cfa456e6742.firearmsafe.co.za
54fd8c9fa1abf2b50190551302192029115216056c76db44aa04bf200b3dd64.firearmsafe.co.za
54fd8c9fa1abf2b501511113021919479278009323500c592bf3b0a3e0e48b8.firearmsafe.co.za
54fd8c9fa1abf2b5115023130219202841813244c0634fe85c4f0d28b6001ac.firearmsafe.co.za
54fd8c9fa1abf2b511511113021920019153428450b973995f121f87d07597d.firearmsafe.co.za
54fd8c9fa1abf2b5019003130219205011588175e845eee9fba56981ef9762f.firearmsafe.co.za
54fd8c9fa1abf2b5019184130219200951610365d41a651918d996c2262265f.firearmsafe.co.za
1002a8108524d63a01411013021917377210805bc813254f0b52ddadc7a4fb6.firearmlicense.co.za
1002a8108524d63a0190861302191834518734754e1569db098dc04657268c7.firearmlicense.co.za
1002a8108524d63a015135130219171541448694b4a5ad611740bce908b41e9.firearmlicense.co.za
1002a8108524d63a01608613021918067148673452fc4f3b25e4a92991e388c.firearmlicense.co.za
32464a746740345e0140861302191352721746257b791a8cb29212692450169.familysuite.co.za
ab02b3809e94cd8a0141851302171831719273654b106add758c4d1ea448054.bolandparkhotel.co.za
fe3116d33bd768c9014185130217152321157054e238a5d15e6899e06b4a256.bolandparkhotel.co.za
ab02b3809e94cd8a014014130217181671594515d6908be7ac815a5c8aec9bd.bolandparkhotel.co.za
104648746540365e.familyholidayaccommodation.co.za
2375dba7f6b3a5ad01900313021810166108414bc5043b30fcbf6df10ac0d36.delfinos.co.za
2375dba7f6b3a5ad.delfinos.co.za
2375dba7f6b3a5ad1141101302181050617308286822211b6e41c16bae4a8ad.delfinos.co.za
104618a40570566e0190861302141716512521554e01e13647caa0d7585e0a2.servicioseximia.cl
104618a40570566e01608613021416261099221452fc4f3fddf44bf19ce67a3.servicioseximia.cl
cd46f5c4e810bb0e014029130214200431169736dd938489c7b1b51af4b6f74.servicioseximia.cl
cd46f5c4e810bb0e0142031302142008713472502551149f67b7bdb45a92f07.servicioseximia.cl
104618a40570566e019096130214190761242645133a051309afb24913257bb.servicioseximia.cl
104618a40570566e01900713021417086116022bad56157e487133b8039b0fb.servicioseximia.cl
104618a40570566e.servicioseximia.cl
dc8a5458498c1a92019024130215034191505755a15eef17404dfc7a914c407.siitec.cl
fe7596178bc3d8dd01515913021423367212073189eb0ffdcfd7bc050f5cc84.sictral.cl
fe7596178bc3d8dd01612913021501048032017adf505b4a51493df8d7e7e8b.sictral.cl
01ce199c04785766.specialdetail.cl
01ce199c047857661140151302151103607956789e2ef312e860b4529ed0fdc.specialdetail.cl
76fdbedfa36bf075014025130213175772228515fdfce25de6ebd91bd067892.sanjoselosandes.cl
23fdcb3fd68b859511416113021320291114120d5436e9454395fe51a4f8bd4.sanjoselosandes.cl
32fd2a6f37db64c501613813021307218103025988506029ed2c2b5c8df9915.sanjoselosandes.cl
5431bca3a167f27901604513021414306142650adf4cf112a9c89769565e055.sanjoselosandes.cl
45fdad0fb0abe3b5.sanjoselosandes.cl
54fdec0ff1cba2d5.sanjoselosandes.cl
23fdcb3fd68b859501612913021321298189883d812e2a7244210d47d2832e5.sanjoselosandes.cl
fece86cc9b68c876.sanjoselosandes.cl
dcceb41ca9a8fab6.sanjoselosandes.cl
98fd50bf4d1b1e05019086130212235552028805ddb0cd40d31dd927eda2037.sanjoselosandes.cl
76fdbedfa36bf07501916613021318165124581972ac37159baca15f93b3b48.sanjoselosandes.cl
23fdcb3fd68b859501916113021320155132506020b16ab30472c9a28008598.sanjoselosandes.cl
76fdbedfa36bf07501612913021318103106829d074104b45444a6bd90368bb.sanjoselosandes.cl
76fdbedfa36bf07501902413021317264126483b1287cb246f1c65418b6a03c.sanjoselosandes.cl
cd8a85e8984ccb5211409913021215378176886b2072dbee3d87f6b240713fd.sanjoselosandes.cl
ef46f7f4ea10b90e.sycabogados.cl
45b90ddb20ff73e1.disc-deals.com
89fd717f5c4b0f5511511113021922528294810b80d17e6193d54e6faa102d8.gamesmodels.com
89fd717f5c4b0f55014185130219223852203155b41df139190d76dfce35e2c.gamesmodels.com
89fd717f5c4b0f550151311302192250727293718c48e6c9eab856d51453cbe.gamesmodels.com
0102d920f434a72a.chinese.onthebeachjbay.com





USPS spam / USPS delivery failure report.zip

This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.

Date:      Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From:      USPS client manager Michael Brewer [reports@usps.com]
Subject:      USPS delivery failure report

USPS notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.
The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.

The VirusTotal detections for this are patchy and fairly generic. Automated analysis tools are pretty inconclusive when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start.

Tuesday, 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:

Date:      Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:      Apple [noreply@bellona.wg.saar.de]
To:      [redacted]
Subject:      Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5

   
Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.
   
Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.
The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets.ru hosted on 84.22.104.123 along with these following spammy sites:

medicalhealthcaretab.com
washealthcare.com
presenthiring.com
prescriptionfiscal.com
salelindahl.com
pillcarney.com
healthviagraobesity.com
sdewyuvze.net
lxie.ru
ongy.ru
drugstorepillstablets.ru

Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.

Something evil on 74.208.148.35

Spotted by the good folks at GFI Labs here, here and here are several Canadian domains on the same server, 74.208.148.35 (1&1, US):

justcateringfoodservices.com
dontgetcaught.ca
blog.ritual.ca
lumberlandnorth.com

Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns.

UPS Spam / emmmhhh.ru

The spammers sending this stuff out always confuse UPS with USPS, this one is not exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

You can use UPS .COM to:
 Ship Online
 Schedule a Pickup
 Open a UPS .COM Account


   
Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.    


    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.    
There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)

The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208
efjjdopkam.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru


Something evil on 67.208.74.71

67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS servces. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain, the bulk of which are as follows:

assexyas.com
athersite.com
byinter.net
findhere.org
isgre.at
isthebe.st
kwik.to
lookin.at
lowestprices.at
myfw.us
myredirect.us
onmypc.info
onmypc.org
onthenetas.com
ontheweb.nu
passinggas.net
rr.nu

You can find a copy of the domains, IPs, WOT ratings and Google prognosis here [csv].

These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics:

govgrantstodays.assexyas.com
kqenc.assexyas.com
tesyf.assexyas.com
athersite.com
qezwdz.athersite.com
tdbnsc.athersite.com
www1.safeqwcleanerdm.athersite.com
www1.simple-ozfgsecurity.athersite.com
dnwswurowz.byinter.net
kcshhdvqzmte.byinter.net
mhlswzmqpe.byinter.net
oorkaibadtb.byinter.net
wonfhujmel.byinter.net
ztmgyzknjpf.byinter.net
cmvwixzxhl.findhere.org
dhyaugqmbgwm.findhere.org
gkqqujqsd.findhere.org
lvindkiys.findhere.org
lyfxhiyza.findhere.org
pvhetiozstg.findhere.org
tdtxohbjbvzx.findhere.org
thgdtujicjtq.findhere.org
ueuvjqhvao.findhere.org
wcnnrcjgb.findhere.org
free-ddddsex-ddddpasswords.isthebe.st
free-dsex-dpasswords.isthebe.st
index.isthebe.st
radiomangalia.isthebe.st
asfqphphk.kwik.to
gebofuoautl.kwik.to
lqlonqihgkco.kwik.to
mowkespvffn.kwik.to
nbnezaszei.kwik.to
qmgplmfyibh.kwik.to
ydsjveyfjr.kwik.to
rrmoymcqskq.lookin.at
htrxcytvfmhg.lowestprices.at
aadhvxiftw.myfw.us
abtqgybicghr.myfw.us
ameyznosvam.myfw.us
amvgvvyasde.myfw.us
aokeufvoci.myfw.us
azddoalylxsn.myfw.us
azojgzmnj.myfw.us
bkhrwvxblnm.myfw.us
caedvkkimck.myfw.us
cbqlthvefhv.myfw.us
ckvwoajjjg.myfw.us
crmnfeeooft.myfw.us
csllshncxdu.myfw.us
cudthmeyl.myfw.us
cwvmtudybwvr.myfw.us
dfredwpcun.myfw.us
dnbdjddrvwl.myfw.us
dsublegejzg.myfw.us
ebgilaznkcxa.myfw.us
ebhiacfkaddk.myfw.us
eepyofqzl.myfw.us
eivxprpbemv.myfw.us
ejyffxuookfi.myfw.us
eldttmawnvt.myfw.us
elfncrfubk.myfw.us
eprlccywb.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
esuifzeipsz.myfw.us
euhhmufug.myfw.us
ewvwzpiqw.myfw.us
eyefvnzwoyg.myfw.us
ezphudgyyjy.myfw.us
femtpvrvr.myfw.us
feutgqoyxc.myfw.us
fowgvslqqvgf.myfw.us
fugqgxxuiwe.myfw.us
gbptzyqhoc.myfw.us
gmnmwmuhf.myfw.us
gohvjgbrplkm.myfw.us
gvbxwmicjvq.myfw.us
gyuaowfnlrw.myfw.us
hcdazkdqlvci.myfw.us
hcwryplhc.myfw.us
hfkfeuqfvzf.myfw.us
hhifsoine.myfw.us
hhzlhizlbil.myfw.us
hqzgrwmorws.myfw.us
hvdkdcgae.myfw.us
hwmhlbscbs.myfw.us
hxlxxaqntaxb.myfw.us
idjgpnkmaj.myfw.us
isdrjerrd.myfw.us
itzpsmkbyabo.myfw.us
jebrglmzye.myfw.us
jeyqstlybz.myfw.us
jjfzmzfkoky.myfw.us
jjxhjygwcnln.myfw.us
jmmbspisw.myfw.us
jspyaaqfuj.myfw.us
jugfzxlitus.myfw.us
jumzijibbh.myfw.us
jybvhfvfhwu.myfw.us
kbahixlxpe.myfw.us
kqpaxhumj.myfw.us
ktxxlgwgze.myfw.us
kwjgjnmmcu.myfw.us
ljszveihhqb.myfw.us
lswgpbvvkukx.myfw.us
lsxswsgka.myfw.us
lwztritpzuvl.myfw.us
mibgbbbwioml.myfw.us
miptvfzufwal.myfw.us
mldtdbsoko.myfw.us
mqqpwxjlf.myfw.us
mrqmsbqrdkvk.myfw.us
mydvonyeagt.myfw.us
ngcfuanjtm.myfw.us
nsnybecste.myfw.us
nvkdyjhplpo.myfw.us
okctxkxny.myfw.us
ookzctlfazdl.myfw.us
oqlupounl.myfw.us
orownhbgn.myfw.us
oxegwgflld.myfw.us
pbvmirnwk.myfw.us
phibmvaqsap.myfw.us
phvcbflqrsbo.myfw.us
qeavazuugk.myfw.us
qhbkyfehpbzi.myfw.us
qivtnqqxjnp.myfw.us
qlhkccfosm.myfw.us
qyjkiuopo.myfw.us
rexewmyxgl.myfw.us
rjrzcrswqhl.myfw.us
rjytkixbfjxkk.myfw.us
rqjghacecazb.myfw.us
rwdpuifin.myfw.us
rynucqapeinv.myfw.us
sqazmgapz.myfw.us
sqqqrsnozlgj.myfw.us
srutebmduoh.myfw.us
sslqlwitv.myfw.us
tevrntjkrl.myfw.us
tsxwbywjwdm.myfw.us
tuobdghfp.myfw.us
tvodqreyyyh.myfw.us
ujzkfdpdf.myfw.us
ukwwwhkamh.myfw.us
wbynflhapl.myfw.us
weapwihjpu.myfw.us
whxszkeaot.myfw.us
wigfdfuvps.myfw.us
wpddnjknrn.myfw.us
wpvhiedhnzxs.myfw.us
wtgylzokmsyd.myfw.us
xiudvllnl.myfw.us
ybzwfyvadq.myfw.us
yowbgyyykemw.myfw.us
yrhamrfrzk.myfw.us
ywzjvqssv.myfw.us
yxbbvktub.myfw.us
yxkgtyqmz.myfw.us
yznafipqmd.myfw.us
zqruajfsgir.myfw.us
zwzfvpxksyx.myfw.us
zzjsujpstcsx.myfw.us
ryeyymburbyr.myredirect.us
twenbrmndfui.myredirect.us
zfhbsvcererr.myredirect.us
btwosfunny.onthenetas.com
xfinity-dddddddddddddddddddddddddddddddzimbra.onthenetas.com
xfinity-dddddddddddddddddddzimbra.onthenetas.com
forehmailywt.ontheweb.nu
hahasfunnyfb.ontheweb.nu
lhixjcdtgypr.ontheweb.nu
pornogratis.ontheweb.nu
pwvmochqwb.ontheweb.nu
qlphivcmm.ontheweb.nu
uhjqzvcjfmb.ontheweb.nu
ohchr.passas.us
mysignin-ddddddddddddddddddddddddddddddddddddddddddcomcast.passinggas.net
passinggas.net
andsto57cksstar.rr.nu
cha39nce.rr.nu
chelpo94landsa.rr.nu
dahfugwhsmzi.rr.nu
deunce68rtaint.rr.nu
its53new.rr.nu
jarujtltg.rr.nu
lasimp04risoned.rr.nu
nabwpjdola.rr.nu
nytndbssyrtkjuykiryu7.rr.nu
ssbo98omin.rr.nu
tenin58gaccel.rr.nu
tentsf05luxfig.rr.nu
jsngupdwxeoa.uglyas.com

These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious:

skidka-ddddd90.bestdeals.at
ensac.byinter.net
safe-defensehrm.byinter.net
combo-dddddddddddddddddddd04-ddddddddddddddddddddkarla.findhere.org
daphne-d52full.findhere.org
mabjdawzaqw.findhere.org
netnummers.findhere.org
nqonet.findhere.org
odiwmklhah.findhere.org
www2.first-ozsoft.findhere.org
xcnyyj7973.findhere.org
ycqtxsac62.findhere.org
215.isgre.at
power-dddfiarmy.isgre.at
ab-din.kwik.to
ag-in.kwik.to
confirm.content.files.internet.secure.access.go.kwik.to
confirm.content.files.internet.secure.access.goto.kwik.to
ksarefunny.kwik.to
media.secure.sites.acc.portal00.kwik.to
media.secure.sites.acc.portal0002.kwik.to
media.secure.sites.acc.portal001.kwik.to
media.secure.sites.acc.portal003.kwik.to
newess.kwik.to
portal00.kwik.to
www2.safeyg-sentinel.kwik.to
www2.strongsoftyc.kwik.to
ebzryeaba.lookin.at
game.lookin.at
gdz-dddddddatanasyan.lookin.at
ru-drabota.lookin.at
skidka-dvsem.lookin.at
teiinxdpe.lookin.at
wett-dddwendy.lookin.at
what.are-you.lookin.at
wyoqdaeru.lookin.at
iuntrbtyvstbn.lowestprices.at
mof-ddddddddddddddddddddddddddweb.lowestprices.at
mof-ddweb.lowestprices.at
aggwgeskrby.myfw.us
htawhcgamvq.myfw.us
jtzxmudxtno.myfw.us
mexico.activa.myfw.us
michelemontas.myfw.us
pjkcyvzcyz.myfw.us
savejtxv-sentinel.myfw.us
secure4.lac.enroll.mexico.myfw.us
umbbwtcler.myfw.us
www2.simplehircantivir.myfw.us
xglzbowlmuco.myfw.us
9999992099.rr.nu
asin54grepl.rr.nu
mila.kat.sexyphoto.athersite.comkede.rr.nu
ossnyfpkag.rr.nu
ourae.rr.nu
pcnews.rr.nu
personalhvrsecurity.rr.nu
pimping.gangsta-paradise.rr.nu
rrrrrrrrrr.rr.nu
save-antivirchecker.rr.nu
topsentinelet.rr.nu
vpnfx-d001.rr.nu
www1.mystemguard.rr.nu
www1.personal-antivirgwg.rr.nu
www3.netsurfingprotectionwe.rr.nu

These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present:

aotztod.almostmy.com
ueizqnm.changeip.name
jakrcr.changeip.org
fgzsnergle.compress.to
fmmrlp.ddns.name
gyomtcnzc.dhcp.biz
gifqravi.dnsrd.com
ydrehhvgjz.ezua.com
rawvgbygj.gr8name.biz
sspmrwli.jkub.com
slnpqel.lflinkup.org
ywtxkebtx.ns01.info
wjbluj.ns01.us
hurocozr.onedumb.com
rmvpfdg.onmypc.info
qhtqqtxqua.onmypc.org
cejkopsbv.port25.biz
efdghpug.sexxxy.biz
ttenmxqq.vizvaz.com
iselktnfo.xxxy.info

These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect.

uzdknpz.4dq.com
zzxvxyi.mydad.info
blur.rr.nu
org.rr.nu
axyaqb.xxuz.com

Friday, 15 February 2013

Wire transfer spam / 202.72.245.146

This fake wire transfer spam leads to malware on 202.72.245.146:

Date:      Fri, 15 Feb 2013 07:24:40 -0500
From:      Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject:      RE: Wire transfer cancelled

Good day,

Wire Transfer was canceled by the other bank.



Canceled transaction:

FED NR: 94813904RE5666838

Transfer Report: View



The Federal Reserve Wire Network
The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.

Update: there is also a "Scan from a HP ScanJet  #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146:8080/forum/links/column.php

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:      Fri, 15 Feb 2013 09:47:25 -0500
From:      Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:      pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information


Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.
The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net


Malware sites to block 15/2/13

A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more.

actuallywebdav.biz
adoptionarchive.org
adscard.net
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsspark.com
adstimes.net
adstown.net
akon342.info
apolonq3.info
arenthis.org
bigtimetcpip.org
booksdesk.org
bounceeleven.biz
carambala.com
casesswooshpretty.net
classifyipchains.biz
columnheavyhanded.org
competingopts.biz
conaninefficiently.biz
confickerclones.com
cuxystaf.ru
dlnabeta.org
efisamil.ru
enjoycapacious.org
exciifun.ru
extcg.org
eyefulconcern.com
fan.ysb3.net
fesdrtfgfddsadsa.homelinux.com
filesforretail.org
gazzuxiz.ru
greatville.org
huaxydpa.ru
hudsfjfdsueofakl.homelinux.com
ifdependable.org
ifkyxdys.ru
img.handyworksfl.com
img.sppta.org
iqkibbuz.ru
ivqojsaj.ru
kamisca.com
kejfhtee.cu.cc
kemalxun.ru
koldpsaofdkdlsa.homelinux.com
kopsakfdsasew.homelinux.com
languageinads.com
languageinads.net
lebowskiappcentric.org
libertynetsgums.info
limminglory.net
lisybsij.ru
live.28356365.com
lowerqualitydocstac.in
milioneer.com
missiledongle.biz
modesthalfempty.org
moneysfilegon.net
navaten.tk
netingsixform.net
nobuaudiophile.org
offensivesimple.biz
ohvelzym.ru
partyharddns.com
performingspinoffs.org
pipelivemotion.biz
pyncegok.ru
resendfold.biz
safelyplayback.biz
sedikivu.tk
startstracker.info
syllablesshrinkwrap.org
syrjikhe.ru
techntitus.com
touristdefinitions.biz
tracktighter.biz
upicampaign.com
usingthisxploreing.org
velvetnoret.com
vowakabo.tk
wontlogics.biz
wpw.bestgoodshop.info
www.aanoownsw.tld.cc
ybavwego.ru
ykmeffyw.ru
ylgoaxle.ru
yvxaghod.ru
zypvynas.ru

Thursday, 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:      Thu, 14 Feb 2013 09:05:48 -0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services
The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / 202.72.245.146

This fake printer spam leads to malware on 202.72.245.146:

Date:      Thu, 14 Feb 2013 10:10:56 +0000
From:      AntonioShapard@hotmail.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

=================

Date:      Thu, 14 Feb 2013 06:07:00 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-775861P.

SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/column.php (report here) which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server:
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
esigbsoahd.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
emaianem.ru
disownon.ru
estipaindo.ru
ejiposhhgio.ru
epilarikko.ru
damagalko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
eminakotpr.ru
dfudont.ru

"Copies of policies" spam / ewinhdutik.ru

This spam leads to malware on ewinhdutik.ru:
Date:      Thu, 14 Feb 2013 07:16:28 -0500
From:      "Korbin BERG" [ConnorAlmeida@telia.com]
Subject:      RE: Korbin - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Korbin BERG,

======================


Date:      Thu, 14 Feb 2013 03:30:52 +0530
From:      Tagged [Tagged@taggedmail.com]
Subject:      RE: KESHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

KESHIA LEVINE,

The malicious payload is at [donotclick]ewinhdutik.ru:8080/forum/links/column.php (report here) hosted on the same IP addresses as this attack we saw earlier.

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / eipuonam.ru

This fake printer spam leads to malware on eipuonam.ru:

Date:      Thu, 14 Feb 2013 -02:00:50 -0800
From:      "Xanga" [noreply@xanga.com]
Subject:      Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam.ru:8080/forum/links/column.php (report here) hosted on:


91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and sites should be blocked:
91.121.57.231
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
efjjdopkam.ru
egihurinak.ru
eipuonam.ru
ejiposhhgio.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Wednesday, 13 February 2013

"First Foundation Bank Secure Email Notification" spam

It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:

Date:      Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From:      FF-inc Secure Notification [secure.notification@ff-inc.com]
Subject:      First Foundation Bank Secure Email Notification - 94JIMEEQ

You have received a secure message

Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.

2000-2013 First Foundation Inc. All rights reserved. 

Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file.

VirusTotal detection rates are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile@res.ff-inc.com just generates a failure message. Avoid.

NACHA spam / eminakotpr.ru

More fake NACHA spam, this time leading to malware on eminakotpr.ru:


Date:      Wed, 13 Feb 2013 05:24:26 +0530
From:      "ACH Network" [risk-management@nacha.org]
Subject:      Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.

Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National Automated Clearing House Association
The malicious payload is at [donotclick]eminakotpr.ru:8080/forum/links/column.php hosted on:

46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
egihurinak.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.

afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:


Date:      Wed, 13 Feb 2013 12:10:27 +0000
From:      " NACHA" [limbon@direct.nacha.org]
Subject:      Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)


13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association
The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)



The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net


Tuesday, 12 February 2013

Something evil on 192.81.129.219

It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17.wolfmountaingroup.com
17.designerbiochar.com
17.easygardencolor.com
17.devicelogics.com
17.springwoodventures.com
17.designersoils.com
17.drdos.com
17.wolfmountainproducts.com
17.soldatnainvestments.com
17.themulchpit.com
17.soleradevelopment.com
17.silvasport.com
17.scenicdesign.us
17.dailyexpress.us
17.canyonturf.net
17.southwesttelecom.net
17.wlfmtn.net
17.coloryourpatio.net
17.designersoils.net
17.scenicdesign.biz

Changelog spam / emaianem.ru

This changelog spam leads to malware on emaianem.ru:

Date:      Tue, 12 Feb 2013 09:11:11 +0200
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011

Good day,

changelog update - View

L. KIRKLAND

=================


Date:      Tue, 12 Feb 2013 05:14:54 -0600
From:      LinkedIn [welcome@linkedin.com]
Subject:      Fwd: Re: Changelog as promised(updated)

Good morning,

as prmised updated changelog - View

L. AGUILAR
The malicious payload is at [donotclick]emaianem.ru:8080/forum/links/column.php and is hosted on the same servers as found here.

IRS spam / micropowerboating.net

This fake IRS spam leads to malware on micropowerboating.net:

Date:      Tue, 12 Feb 2013 22:06:55 +0800
From:      Internal Revenue Service [damonfq43@taxes.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.

Please enter official website for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================


Date:      Tue, 12 Feb 2013 15:00:35 +0100
From:      Internal Revenue Service [zirconiumiag0@irs.gov]
Subject:      Income Tax Refund NOT ACCEPTED

Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.

Please browse official site for more information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.


==============================

Date:      Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From:      Internal Revenue Service [idealizesmtz@informer.irs.gov]
Subject:      Income Tax Refund TURNED DOWN

Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.

Please enter official site for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time. 

The malicious payload is on [donotclick]micropowerboating.net/detects/pending_details.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating.net 
morepowetradersta.com
asistyapipressta.com
uminteraktifcozumler.com
rebelldagsanet.com
madcambodia.net
acctnmrxm.net
capeinn.net
albaperu.net
live-satellite-view.net

eFax spam / estipaindo.ru

This fake eFax spam leads to malware on estipaindo.ru:

From: messages-noreply@bounce.linkedin.com
Sent: 12 February 2013 04:10
Subject: Efax Corporate

Fax Message [Caller-ID: 181999356]

You have received a 44 pages fax at Tue, 12 Feb 2013 05:10:03 +0100, (944)-095-3172.

* The reference number for this fax is [eFAX-101609258].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement. 
The malicious payload is at [donotclick]estipaindo.ru:8080/forum/links/column.php (report here) hosted on:

46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains can be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru
estipaindo.ru
emaianem.ru