Sponsored by..

Friday 12 April 2013

MS13-036 buggy, withdrawn

Uh-oh.. looks like the reports of problems with MS13-036 were correct.



********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 11, 2013
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS13-036 - Important
  * MS13-apr


Bulletin Information:
=====================

* MS13-036 - Important

 - Reason for Revision: V2.0 (April 11, 2013): Added links to
   Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge
   Base Article 2839011 under Known Issues. Removed Download Center
   links for Microsoft security update 2823324. Microsoft recommends
   that customers uninstall this update. See the Update FAQ for
   details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Bulletin Severity Rating: Important
 - Version: 2.0

* MS13-apr

 - Reason for Revision: V2.0 (April 11, 2013): For MS13-036,
   removed the links to security update 2823324 due to a known
   installation issue. See bulletin for details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Version: 2.0


Other Information
=================

Follow us on Twitter for the latest information and updates:

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://technet.microsoft.com/security/bulletin/pgp.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://technet.microsoft.com/security/dd252948.


********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

To manage or cancel your subscription to this newsletter, visit the Microsoft.com Profile Center at <http://go.microsoft.com/fwlink/?LinkId=245953> and then click Manage Communications under My Subscriptions in the Quicklinks section.

For more information, see the Communications Preferences section of the Microsoft Online Privacy Statement at:

For the complete Microsoft Online Privacy Statement, see:

For legal Information, see:

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

Thursday 11 April 2013

UPS spam / juliamanako.ru

This fake UPS spam leads to malware on juliamanako.ru:

Date:      Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
From:      Aida Tackett via LinkedIn [member@linkedin.com]
Subject:      United Postal Service Tracking Nr. H9544862721

Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
UPS - UPS Customer Services
UPS UPS SUPPORT 56
UPS - UPS MANAGER 67 >>
UPS - UPS SUPPORT 501

Already Have
an Account?

Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your
Account Now >>

UPS - UPS Customer Services
Good day, [redacted].

DEAR CONSUMER , We were not able to delivery the postal package

Track your Shipment now!

Pack it. Ship ip. No calculating , UPS .com Customer Services.


Shipping Tracking Calculate Time & Cost Open an Account

@ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
Attn: Customer Communications Department
The link goes through a legitimate hacked site to a malicious landing page at [donotclick]juliamanako.ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamtientop.ru
janasika.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
juliamanako.ru
jundaio.ru

"Spotlite Radio" / spotliteradio2013.com spam

This spam email is promoting an apparent Whos' Who scam hosted on a site called spotliteradio2013.com which purports to be an organisation called "Spotlite Radio". The email is sent to a role account, not a real human being.. marking it out clearly as spam.

From:     Patricia Wu [darin@contacteagle.info]
Reply-Ro:     databaseemailergroup@gmail.com
Date:     11 April 2013 03:42
Subject:     SUPERCHARGE YOUR ONLINE LIFE WITH SPOTLITE RADIO!

Hello,

You were recently chosen as a potential candidate interviewee to represent your professional social media community in the 2013-2014 Spotlite Radio.

We are pleased to inform you that your candidacy was formally approved on April 10th, 2013. Congratulations.

The Social Broadcasting Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals. Given your background, the Director believes your profile makes a fitting addition to be featured.

There is no fee or obligation to be included. We must receive verification from you that your profile is accurate. After receiving verification, we will validate your candidate listing within seven business days.

Once finalized, your broadcast radio interview will share prominent media space with thousands of fellow accomplished individuals across the globe like yourself, each representing accomplishments within their own specialized area.

To verify your profile and accept the candidacy, please visit here

Our registration deadline for this year's candidates is April 30th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievements this year and look forward to welcoming you to our broadcast social network.

Click here to verify your profile.

Warm Regards,

Patricia Wu
Chief of Broadcasting

Spotlite Radio

-----------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

It isn't clear if the "Spotlite Radio" hosted at spotliteradio.com (currently down) and spotliteradio2013.com are actually related. spotliteradio.com was only registered a few months ago in September 2012 and according to New York State is owned by:

Selected Entity Name: SPOTLITE RADIO LLC
Selected Entity Status Information
Current Entity Name: SPOTLITE RADIO LLC
DOS ID #: 4306578
Initial DOS Filing Date: OCTOBER 11, 2012
County: NEW YORK
Jurisdiction: NEW YORK
Entity Type: DOMESTIC LIMITED LIABILITY COMPANY
Current Entity Status: ACTIVE

Selected Entity Address Information
DOS Process (Address to which DOS will mail process if accepted on behalf of the entity)
SPOTLITE RADIO LLC
14 WALL STREET 20TH FL
NEW YORK, NEW YORK, 10005
Registered Agent
NONE

So this "Spotlite Radio" is properly registered in the state of New York, and it appears to be a sort of social radio site where people can make and broadcast their own shows.  There's nothing obvious on the spotliteradio.com website that makes it look suspicious, although judging by the dormant Twitter account the whole thing ground to a halt in February.

So what can we tell about the spam? Well, spotliteradio2013.com contains Google Analytics code for UA-3676294-22 which belongs to a New York web design company called Webnbeyond (webandbeyond.com / webnbeyond.com) but they may simply be the web designers. All these domains are on the same server of 66.11.129.87.

The email originates from the IP address 70.126.247.237 which appears to be in Tampa, Florida via 192.217.124.43 which is also contacteagle.info (mentioned in the spam email above), registered to:
Registrant ID:CR121682219
Registrant Name:Darin Delia
Registrant Organization:
Registrant Street1:1321 Henry Ave
Registrant Street2:
Registrant Street3:
Registrant City:Spring Hill
Registrant State/Province:Florida
Registrant Postal Code:34608
Registrant Country:US
Registrant Phone:+1.5615964330
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:


Spring Hill is about 40 miles north of Tampa, so there's a good chance that the originating IP and domain belong to one and the same person.

Darin Delia runs a Florida-based company called Contact Page Media, Inc and this is described on his LinkedIn page thusly:
We use Google Search Technology to reach Contact Pages on your Business Targeted Market. We reach thousand of websites per hour using our software, and we have the capabilitity to reach the unique target you just cannot find with email
What this means is that they scrape the email addresses off the web and spam the hell out of them. You'll note that the spam email lacks a contact address (for example) which breaks the CAN-SPAM act. Note also the email address of  Patricia Wu [darin@contacteagle.info] which is either somewhat deceptive, or perhaps Mr Delia likes to be Ms Wu at the weekends. But then probably Mr Delia is only sending promotional emails rather than running the scam.

The privacy policy page on spotliteradio2013.com leads to another site called mywhoswhonetwork.com registered to an address in Texas:

   Whos Who Network
   John Williams (webmaster@mywhoswhonetwork.com)
   +1.8084524561
   Fax:
   2172 Willshire
   College Station, TX 77845
   US

This same company also owns the following domains:
  • americanleadersmagazine.com
  • globalregistryonline.com
  • mywhoswhonetwork.com
  • professionalnetwork2012.com
  • professionalnetwork2013.com
  • pronetwork2012.com
  • taxadvice2day.com
But a hyperlink from one domain to another does not prove ownership, and the privacy policy could simply have been ripped off a competitor's site. So no smoking gun there. In fact, there's no actual evidence of who is responsible for this spam, and probably all we have are some innocent bit part actors.

I can't vouch for the trustworthiness of the actual Spotlite Radio (spotliteradio.com) site one way or another. One the surface it appeared to be a public-access web radio service, and there's nothing wrong with that. As I said, this spam may not even be from them. But it clearly is a spam because the domain role account is not an actual person and the claims made in the spam email are clearly rubbish.

So what does happen if you sign up for this. Well, according to this report they charge you $850 for a worthless plaque and an entry in a pseudo-who's-who guide,:
It was a pleasure speaking with you this morning. Confirming your show date is on January 9th at 3pm EDT. Attached is the invoice for your purchase of the Spotlite Radio Show,Distinguished professional of the year plaque and a half page biography in our 2013 book. If you could sign and send back to us, but make sure you keep a copy for your records as well. This is just confirming that you made a partial payment and were going forward with the program. Once we have your pre interview done for your upcoming show I will be sending you the links to the website. Hope you have a great week and I look forward to speaking with you soon. Call in number is XXXXX -Amanda Lynn 
In other words.. here's some crap. If you record your show then well send you the URL for spotliteradio.com and you can upload it yourself. Best avoided in my opinion.





Changelog spam / juliaroberzs.ru

This spam leads to malware on juliaroberzs.ru:

Date:      Thu, 11 Apr 2013 02:46:13 +0100
From:      Mayola Phipps via LinkedIn [member@linkedin.com]
Subject:      Re: changelog UPD.
Attachments:     changelog.htm

Good morning,

as promised changelog is attached (Internet Explorer format)



The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs.ru:8080/forum/links/column.php  (report here) hosted on some familiar IPs:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
janasika.ru
jonahgkio.ru
judianko.ru
judianko.ru
juhajuhaa.ru
juhajuhaa.ru
juliaroberzs.ru
jundaio.ru

Wednesday 10 April 2013

"Verizon Wireless" spam / jamtientop.ru

This fake Verizon Wireless spam leads to malware on jamtientop.ru:

Date:      Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From:      DorianBottom@hotmail.com
Subject:      Verizon Wireless

IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.

Your account No. ending in 1332

Dear Client

For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.

Please browse your informational message for more details relating to your new transaction.


Open Information Message

In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.

Thank you for joining us.     My Verizon is laso works 24 hours 7 days a week to assist you with:

    Viewing your utilization
    Upgrade your tariff
    Manage Account Members
    Pay for your bill
    And much, much more...


© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325

We respect your privacy. Please browse our policy for more information

The link goes to a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
jundaio.ru

Congratulations! You are the one millionth visitor to this blog!

Congratulations, you are the one millionth visitor to this blog.. well, almost. Here's a pretty flashing banner for the retro touch.


Actually, the blog hit one million recorded pageviews slightly earlier. Blogger only started recording pageviews in July 2008 by which time the blog had been online for 18 months or so. And I know a pageview isn't a visitor. Anyway, here's the chart just at the moment that the one million mark was hit (click to enlarge).


The was a bit of an unexpected traffic bump today because of a mention on the BBC News site and some other media outlets too. In fact, the story about top porn sites leading to malware is actually the number one most read story currently on the BBC News site which is pretty surprising.


Anyway, it's been a blast and I'd like to say "thank you" to the bad guys who keep me busy, else this blog would just be about cars and the weather. Here's to the next million :)

Malware sites to block 10/4/13 - part II

With a hat tip to a correspondent, here are some more domains connected with this and this. Enjoy.

adamseasytoimplement.org
perfectlylikeness.org
detailingfiletransfer.com
safeguardingencarta.org
netdocumentsidl.org
bluraysphotographers.org
cathedralati.org
diasly.org
trelixwebprice.org
chaptersthegorilla.org
facilitiesbrrrr.org
idyllictoptier.org
fullscalemethod.org
deviceasciences.org
realizewhole.org
sdbbefvw.com
cwfviwgg.com
ddskcwdk.com
groupcycle.biz
kousrytcbqdids.org
uamawhyfonwofua.org
bgdnmbapnahteul.net
hgalevwtwmba.biz
apbojfsktijjhek.org
alreadysnorkeling.biz
xibfwucletrc.biz
rgngsdqwcemxbn.biz
sposwrsbswlynqc.biz
twiytmbbusrktys.org
blkwjoqfmhftd.org
combatthemednexus.biz
rankprediction.biz
artlogistic.net
textingavz.biz
lmlgqnxdjuyis.biz
wcsgdvxlhmxhd.org
syqdvpsmmpvq.biz
dwjlypydywlt.biz
iriengyhgadgt.org
aisjpqgemanskow.org
uspofnlqbyugv.org
cfkuptmplgrqh.biz
bjhwkbkqhbmq.biz
ulkbhsxywwnua.org
oksolomonprices.biz
hitandwillow.biz
randomwireless.biz
demandthings.biz
sitebandweathers.biz
nonadministrativematerial.biz
gamblerspayroll.biz
jfkshaken.biz
fullduplexioss.biz
sgijdxds.com
localcommittee.biz
vialigthroom.biz
limocoupons.biz
bikeplease.biz
fanaticsbuzz.biz
gnawamama.net
metrodemand.biz
headsync.biz
huntershindrance.biz
b7cb9b6e9.org
forecastssystemworks.biz
skillblissfully.biz
amazondarken.biz
foruminsert.biz
toofrequentextraneous.biz
protectoremail.biz
pinoyexchange.biz
concernsvideocentric.biz
toneadvertising.biz
rainbowsfilmstriplike.biz
franciscodish.biz
catastrophicautobiography.biz
fruitdicingsitting.org
monotoneswift.biz
braineravast.biz
metaphorsuite.biz
navigationalsignup.biz
seekerreporter.biz
uploaderaddressa.biz
dedicatedgerm.biz
blendingdiversity.biz
motivationrevenues.biz
nodeswordpresscom.biz
rdiocruises.biz
paymentground.biz
topiwebbased.biz
sharpspool.biz
directtime.biz
purportswarping.biz
diesulead.biz
mailedspokesperson.biz


BBB Spam / jamiliean.ru

This fake BBB spam leads to malware on jamiliean.ru:

From: Habbo Hotel [mailto:auto-contact@habbo.com]
Sent: 10 April 2013 00:17
Subject: Re: Better Business Bureau Complaint

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 24941954)
from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (Internet Exlporer file)

to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

CHRISTI REAGAN


Dispute Counselor
Better Business Bureau

There is an attachment BBB-Complaint-US39824.htm with a malicious payload is at [donotclick]jamiliean.ru:8080/forum/links/column.php. Associated payload, IPs and domains are the same as this attack also running today.

"Your credit line percent was changed" spam / judianko.ru

I haven't seen this one before. It leads to malware on judianko.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 10 April 2013 14:24
Subject: Re: Your credit line percent was changed.

We apologize, but we must raise percent of your credit line up to 22,5%. We would be like to make it lower, but the situation on the market today is not so good, because of it we can not handle other way.

Under this link you can view a details about changing of contract
The link goes through a legitimate but hacked site to [donotclick]judianko.ru:8080/forum/links/column.php (report here) hosted on:
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
185.5.185.129
188.65.178.27
judianko.ru
juhajuhaa.ru
imanraiodl.ru
jamiliean.ru

Malware sites to block 10/4/13

These domains and IPs are associated with the Amerika gang and are related to this spam run. Blocking them would be prudent.

46.4.150.96/27
46.161.0.235
93.170.130.241
1thyntyny.itemdb.com
accelerationshrinkwrapped.net
advancementshardofhearing.org
affectingdesktoplevel.net
airplanesreleases.org
androidenabledprivacyx.net
andthisisthird.com
automatedversion.biz
awokeierelated.net
bernardsunhelpful.net
bigstepspinpointing.net
blogsobjectslets.biz
blogsobjectslets.net
blogsobjectslets.org
bruceengaging.org
bustappmosphere.biz
campgroundsdays.org
chappellsuites.org
characteristicsmarking.com
chromewarm.biz
citrixsgp.biz
claimedbizarre.biz
cleanedtravel.biz
clouditcomplaintsome.net
cmsstatements.net
commentstimelimited.biz
couplesubway.biz
courselastused.net
crhazards.org
deactivatingtga.org
denotenag.biz
diesulead.biz
dogsiir.net
dozenmymagicjackcom.net
druidwwwlinux.net
eccentricitiessweep.biz
editdvsmyfitnesspal.biz
editionsglow.net
editorssave.org
educationnonfullscreen.net
eggtasteful.org
enhancementssuunto.biz
exegeneral.net
filedclassics.org
fournightanswering.net
geographicadjustments.net
givegrownups.biz
givesexact.net
hintstrust.org
illinoisnets.net
inaptlyinterviews.org
insightsclout.org
interactivesforensics.org
invoicedaredevil.net
ipodsbegun.biz
lawinsight.biz
limitedwar.net
lionsfusionones.biz
locatestiming.biz
mailedspokesperson.biz
mashedindescribing.net
midtieralmost.org
mtvintrigued.net
multistorypublishers.net
mydruidwwwlinux.biz
occurrelocates.com
ogghunt.org
ogghuntonline.net
ogghunt-shop.net
onstreamdifficulty.biz
outrightclever.net
overkillwhile.net
pageturnneedless.biz
pndclifford.biz
priorteacher.net
quizmfp.biz
rookiedatapad.org
shouldinvoice.org
shranksafetyweb.net
sloppynetbooks.net
snippetscompleted.org
studioinaboxlayer.org
subdividedstripped.org
sweepersigdrs.net
tageditingaction.net
terrainmodeling.net
theatersbears.biz
themadministration.net
thisisspartaaa.com
threesignaling.biz
thresholdingmultiaccount.biz
topiwebbased.biz
totalmediamaking.biz
toutedhints.org
transformedmontana.org
tryingrefers.org
tweetdecksigns.com
uninspiredperspectives.org
uninterruptedlightbox.org
upperrighthandpartner.net

ICANN: thanks for the malware spam / mailedspokesperson.biz

This is a pretty straightforward LinkedIn themed spam that leads to malware on mailedspokesperson.biz:

From:     Leonide Saad - LinkedIn [dreamland@beutelschneiderhamburg.de]
Date:     10 April 2013 15:19
Subject:     Join my network on LinkedIn

LinkedIn
REMINDERS

Invitation reminders:
 From Leonide Saad (Developer at Perot Systems)



PENDING MESSAGES

 There are a total of 8 messages awaiting your response. Go to InBox now.


This message was sent to username@domain.com. Don't want to receive email notifications? Login to your LinkedIn account to Unsubscribe.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. c 2013, LinkedIn Corporation.
The catch with this is that the email address being used is one used only to file WHOIS Compliance Reports with ICANN. If you file reports of inaccurate WHOIS data, then you need to be aware that by default ICANN will forward your contact details to the bad guys.. you can request that this be suppressed, but using an alias is (ironically) probably the best bet. So in this case, the bad guys have presumably just added the email in the complaint to their spam list..

Anyway, this has a link to a legitimate hacked site and thence on to [donotclick]mailedspokesperson.biz/closest/f2ihoiwegjowiejf230hfaj.php (report here) hosted on 46.4.150.117 (Siteko Ltd / Hetzner Online, Germany). The WHOIS details are characteristic of the Amerika gang:


Registrant ID:            INTEUMYC18TPLDWG
Registrant Name:          Hunter Afkham
Registrant Address1:      181 Sullivan St #4
Registrant City:          New York
Registrant Postal Code:   10012
Registrant Country:       United States
Registrant Country Code:  US
Registrant Phone Number:  +1.7914260046
Registrant Email:         hunter_afkham8428@aristotle.org


There are a couple of other bad looking sites on the same server, so this is my recommended blocklist:
46.4.150.117
1thyntyny.itemdb.com
diesulead.biz
mailedspokesperson.biz

Tuesday 9 April 2013

Top porn sites lead to malware

This summary is not available. Please click here to view the post.

Intuit spam / juhajuhaa.ru

This fake Intuit spam leads to malware on juhajuhaa.ru:

Date:      Tue, 9 Apr 2013 11:21:18 -0430 [11:51:18 EDT]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 9 Apr 2013 11:21:18 -0430.

    Finances would be gone away from below account # ending in 6780 on Tue, 9 Apr 2013 11:21:18 -0430
    amount to be seceded: 4053 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 9 Apr 2013 11:21:18 -0430
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services 

The link in the email goes through a legitimate but hacked site to a malware landing page at [donotclick]juhajuhaa.ru:8080/forum/links/column.php (report here) hosted on some familiar-looking IP addresses that we saw earlier:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jonahgkio.ru
juhajuhaa.ru
jundaio.ru

LinkedIn spam / jonahgkio.ru

This fake LinkedIn spam leads to malware on jonahgkio.ru:

Date:      Tue, 9 Apr 2013 10:03:31 -0300
From:      "service@paypal.com" [service@paypal.com]
Subject:      Join my network on LinkedIn

LinkedIn
Marcelene Bruno has indicated you are a Friend

I'd like to add you to my professional network on LinkedIn.



- Marcelene Bruno
Accept
    View invitation from Marcelene Bruno


WHY MIGHT CONNECTING WITH Marcelene Bruno BE A GOOD IDEA?

Marcelene Bruno's connections could be useful to you

After accepting Marcelene Bruno's invitation, check Marcelene Bruno's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.

© 2012, LinkedIn Corporation
The link leads to a malicious payload on [donotclick]jonahgkio.ru:8080/forum/links/column.php which doesn't seem to be working at the moment. However, it is multihomed on some familiar looking IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
itriopea.ru
illuminataf.ru
izamalok.ru
imanraiodl.ru
ifinaksiao.ru
jonahgkio.ru
ivanikako.ru
igionkialo.ru
ijsiokolo.ru
ifikangloo.ru
izjianokr.ru
iztakor.ru
ighjaooru.ru
jundaio.ru

"Unable to process your most recent Bill Payment" spam / BILL_04092013_Fail.exe

This spam contains a attachment 04092013.zip which in turn contains a malicious file BILL_04092013_Fail.exe

Date:      Tue, 9 Apr 2013 10:44:03 -0500 [11:44:03 EDT]
From:      Bank of America [bill.payment@bankofamerica.com]
Subject:      Unable to process your most recent Bill Payment

You have a new e-Message from Bank of America

This e-mail has been sent to you to inform you that we were unable to process your most recent payment of bill.

Please check attached file for more detailed information on this transaction.



Pay To Account Number:     **********3454
Due Date:     05/01/2013
Amount Due:     $ 508.60
Statement Balance:     $ 2,986.26

IMPORTANT: The actual delivery date may vary from the Delivery By date estimate. Please make sure that there are sufficient available funds in your account to cover your payment beginning a few days before Delivery By date estimate and keep such funds available until the payment is deducted from your account.

If we fail to process a payment in accordance with your properly completed instructions, we will reimburse you any late-payment-related fees.

We apologize for any inconvenience this may cause. .
Please do not reply to this message. If you have any questions about the information in this e-Bill , please contact your Bill Pay customer support . For all other questions, call us at 800-887-5749.

   
Bank of America, N.A. Member FDIC. Equal Housing Lender
Å 2013 Bank of America Corporation. All rights reserved.
========================================
Please do not delete this section.
Email_ID:#293891058547188172896_
======================================== 
VirusTotal results are only 11/46

MD5: 3cb04da2747769460a7ac09d1be44fc6
SHA256: 141751e9ae18ec55c8cd71e2e464419f3030c21b21e3f0914b0b320adce3bf70

ThreatExpert reports that the malware attempts to phone home to 64.34.70.31 and 64.34.70.32 (iDigital Internet Inc, Canada) and includes a keylogger.
 

HP ScanJet spam / jundaio.ru

This fake printer spam leads to malware on jundaio.ru:

Date:      Tue, 9 Apr 2013 10:07:40 +0500 [01:07:40 EDT]
From:      Scot Crump [ScotCrump@hotmail.com]
Subject: Re: Scan from a Hewlett-Packard ScanJet  #0437
Attachment: HP-ScannedDoc.htm

Attached document was scanned and sent

to you using a HP HPAD-400812P.
SENT BY : Scot S.
PAGES : 9
FILETYPE: .HTM [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment HP-ScannedDoc.htm leads to malware on [donotclick]jundaio.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jundaio.ru



Monday 8 April 2013

"Kissinger: Thatcher's strong beliefs" spam / ighjaooru.ru

It didn't take long for the Margaret Thatcher themed malware to start after her death. This one leads to malware on ighjaooru.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Josefa Jimenez via LinkedIn
Sent: 08 April 2013 05:41
Subject: Fwd: Re: Kissinger: Thatcher's strong beliefs

Hi, bad news.
Kissinger: Thatcher's strong beliefs

The payload and associated domains and IPs are exactly the same as used in this attack.

"M&I Bank bankruptcy" spam / ighjaooru.ru

I've never heard of M&I Bank but this is quite an old school spam campaign that leads to malware on ighjaooru.ru:

Date:      Mon, 8 Apr 2013 -01:41:06 -0800
From:      Coral Randolph via LinkedIn [member@linkedin.com]
Subject:      Re: Fwd: M&I Bank bankruptcy

Hi, bad news.

M&I Bank bankruptcy
The malicious payload is at [donotclick]ighjaooru.ru:8080/forum/links/column.php (report here) hosted on a whole load of IPs:
72.167.254.194 (GoDaddy, US)
80.246.62.143 (Alfahosting, Germany)
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
94.103.45.34 (ANKARAHOSTING, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
72.167.254.194
80.246.62.143
91.191.170.26
93.187.200.250
94.103.45.34
208.94.108.238
hillaryklinton.ru
hiskinta.ru
humaniopa.ru
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
ilianorkin.ru
illuminataf.ru
imanraiodl.ru
imbrigilia.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izamalok.ru
izjianokr.ru
iztakor.ru

Beware of jonejonesonley.org

One to watch in your logs today is jonejonesonley.org which is being used as a phone-home point for malware being spammed out at the moment.

jonejonesonley.org is hosted on 85.95.236.155 (Inetmar Internet Hizmetleri, Turkey) and is registered to:

Registrant ID:orgzs46077514499
Registrant Name:Zhong Si
Registrant Organization:Xicheng Co.
Registrant Street1:Huixindongjie 15 2
Registrant Street2:
Registrant Street3:
Registrant City:Beijing
Registrant State/Province:Chaoyang
Registrant Postal Code:101402
Registrant Country:CN
Registrant Phone:+86.1066569215
Registrant Phone Ext.:
Registrant FAX:+86.1066549216
Registrant FAX Ext.:
Registrant Email:zhongguancun@yahoo.com


Also connected is a Java exploit at 217.23.11.108 (Worldstream, Netherlands) so this IP is probably worth blocking as well.

Automated malware analysis is pretty patchy: VirusTotal - Comodo CAMAS - Anubis - ThreatExpert.

Blocklist:
85.95.236.155
217.23.11.108
jonejonesonley.org
3-bogatirja-2012-online.ru