Wednesday, 24 April 2013
Something evil on 151.248.123.170
151.248.123.170 (Reg.Ru, Russia) is currently hosting a number of malicious sites being used in injection attacks (example 1, example 2). Almost all of the hostnames involved are dynamic DNS names with random-looking labels, so trying to block them individually would probably be ineffective: the attackers can register a fresh subdomain in seconds. I recommend blocking the IP address and the dynamic DNS parent domains listed below. Be aware that blocking a parent zone such as no-ip.org or hopto.org also blocks any legitimate users of that service on your network, so check your DNS logs for existing traffic to these zones before applying the list wholesale.
Recommended blocklist:
151.248.123.170
ns3.name
zapto.org
hopto.org
no-ip.org
changeip.org
myftp.org
servemp3.com
dns04.com
itemdb.com
ikwb.com
myvnc.com
mefound.com
servehalflife.com
servequake.com
servecounterstrike.com
servegame.com
youdontcare.com
4mydomain.com
otzo.com
organiccrap.com
serveftp.com
dsmtp.com
servehttp.com
servebeer.com
servepics.com
3utilities.com
freeddns.com
mysecondarydns.com
jetos.com
serveusers.com
4pu.com
ocry.com
xxuz.com
ns01.info
mypicture.info
no-ip.info
ddns.ms
ns02.us
ddns.us
myfw.us
redirectme.net
serveblog.net
lflinkup.net
sytes.net
dynamic-dns.net
no-ip.biz
Detected domains (almost all of these are marked as unsafe by Google):
1aj1l2.redirectme.net
2l9cy2.myftp.org
3lejjwtbog.no-ip.info
4g8v7cg.no-ip.org
598l7qdz.3utilities.com
71dalp61hx.servequake.com
78mudv.redirectme.net
7fht7r.redirectme.net
81jtjlit.3utilities.com
8bqve7sn.servebeer.com
8mau1o8kl7.servepics.com
93rpglw.servequake.com
agapcpaa.ns01.info
ahbedbxyo.myfw.us
aivcdizhr.myfw.us
akkly1t.servemp3.com
aqbpswfpj.myfw.us
arhecexdij.mypicture.info
aturlejd.dns04.com
aupmbeutcbr.myfw.us
azxbxx.organiccrap.com
bdkvtjss.mysecondarydns.com
bdtrehpi.dsmtp.com
bfmkeke.servebeer.com
bgmya4t.no-ip.biz
bietzhsh.mefound.com
biirnrxhz.mypicture.info
bksthi5.servegame.com
briirddzbn.myfw.us
bzyphcsjcrhs.myfw.us
ckbqvlouqe.serveusers.com
ckowva.mypicture.info
clwjaqmz.ocry.com
ctgqrapvt.4pu.com
cxubqrtqv.dynamic-dns.net
cybaqwzoai.jetos.com
cyt4n83.zapto.org
djrarpcpp.organiccrap.com
dousvpd.mysecondarydns.com
dwsfdgem.mysecondarydns.com
ecrbtc.mefound.com
efterbiwkc.freeddns.com
ehvrwxyev.ns3.name
elxvpf6prq.myvnc.com
eojriwvpt.serveusers.com
esmiqsq.mysecondarydns.com
exrjzleph.myfw.us
fgcnxamjp.ddns.us
fm7vxw.serveblog.net
fmdetqh.dsmtp.com
fqguhzwcasmj.myfw.us
fxbjpg.itemdb.com
fyuccxbvon.jetos.com
fz1a9crr7i.no-ip.info
gbeonh.servehttp.com
gclpzkt.mefound.com
gcojpbiwb.mefound.com
getbwoedccls.myfw.us
gipjuqnyp.mysecondarydns.com
gpbqicpq.ns01.info
gpqhomgo.ocry.com
gtpjrnkte.itemdb.com
gwhwyvf.ocry.com
gykobwnn.ddns.ms
gyxjclzy.dsmtp.com
hbjadoipd.mefound.com
hdbbzvxejqn.myfw.us
hdygywog.youdontcare.com
hidzgz.otzo.com
hiweya.lflinkup.net
hmkdmjn.ikwb.com
hsqyvzz.ddns.ms
iolwnr.freeddns.com
iuvrmzszjx.ns02.us
j7h9c34fip.servehalflife.com
jayrkypqxx.ns02.us
jkjehvt4k6.servegame.com
jnsvbykd.ns02.us
joukprhng.ocry.com
jpwhgfrc.dynamic-dns.net
jwufzame.youdontcare.com
jxrxuuqs.ddns.ms
jxxaoeufjs.serveusers.com
k05c1jx3lm.sytes.net
k23901iiv.no-ip.org
k40q5bx.servemp3.com
k6fgu8.hopto.org
klmgaqrtem.jetos.com
kmxxvdey.dsmtp.com
krnwhhhtwvh.myfw.us
kuebyfoh.ddns.us
kukxizdui.4mydomain.com
kunwxont.ikwb.com
kzbeyyvkl.jetos.com
kzfxvrz.ns02.us
ladmbbwxmm.no-ip.info
lrymhkrah.dsmtp.com
m938c18.no-ip.info
meaymayetx.organiccrap.com
meuquma.ddns.us
mfbovxps.serveftp.com
mgz0bf6g46.servehttp.com
mpqeydocoiq.myfw.us
mpwtwer.ns01.info
mrnmqdsxfyze.myfw.us
mvdqmecbf.myfw.us
mztlzbd.dynamic-dns.net
ncopbisrmn.xxuz.com
ndmvpgslci.itemdb.com
ngyuwfpaa.dsmtp.com
nmwikbwrxia.myfw.us
nngbpjevv.mefound.com
nuzmis.itemdb.com
nxcgynyedfs.myfw.us
odybreg.ikwb.com
ojew5yj.servecounterstrike.com
okbriapkfb.mefound.com
opxphpg.dns04.com
oqpslwchym.ns3.name
ortqptto.organiccrap.com
ou5hiad9.redirectme.net
owljtjpwb.myfw.us
ozyiivww.youdontcare.com
pbsezsidc.ns01.info
peifdnc.4pu.com
pmjqkxgxz.ddns.us
pmkihqq.mypicture.info
ppmdbwqxcrv.myfw.us
pwemctzvq.ns02.us
pwkwxztpaj.myfw.us
pzcbqmnxv.ddns.ms
qfnisv1h.servehttp.com
qgfs3q0.redirectme.net
qntfwt.changeip.org
qnwycifjfl.myfw.us
qsbmgof.ns3.name
qtbxjkot.ocry.com
quludwdcaq.mypicture.info
qzlkluald.myfw.us
r6x4yz.no-ip.org
rbnumsmbygqb.myfw.us
rcezlgb.ns3.name
rcumgx.jetos.com
rkaseooypl.myfw.us
rkhcyhk4o3.servecounterstrike.com
rnrbdynkblyb.myfw.us
rpbdqzdemsu.myfw.us
seronwzic.myfw.us
sgcdujudgzm.myfw.us
sglrpbgnvl.freeddns.com
sjsw9ne.servecounterstrike.com
slcvzheogxph.myfw.us
sozsybvook.myfw.us
sppbfcemw.jetos.com
synvmclp.dynamic-dns.net
tfqvhdg.otzo.com
tgckjiq.mysecondarydns.com
tin57d1.sytes.net
tlq8aw7lxc.servequake.com
tlvayh.4mydomain.com
tmipoitnfj.myfw.us
tnfzfdd.mypicture.info
trgcrumzlo.xxuz.com
tuewfxrwos.xxuz.com
uegnytqslcm.myfw.us
uftmrikaydi.myfw.us
umhlefsfo.dynamic-dns.net
uniomlciyi.otzo.com
uttptbyvgr.organiccrap.com
uucnwdbptssb.myfw.us
uureflcf.lflinkup.net
vbhxqbwpt.myfw.us
vesooyzw.serveusers.com
vewvfb.ikwb.com
vgyxuawyxb.myfw.us
voskghrg.ns3.name
vpogbb.ns01.info
vpxnbn.organiccrap.com
wdpyffpv.dsmtp.com
whaumhrm.organiccrap.com
whpiiimwpodx.myfw.us
wmnrrskry.myfw.us
wobxsdlv5r.no-ip.info
wrnkzkxjea.servemp3.com
wtriylabiccu.myfw.us
wucsutja.servecounterstrike.com
wwrhxrrvx2.serveftp.com
wywiapwvh.dns04.com
xkfrazfa.changeip.org
xlumergew.ns02.us
xugjnwfw.dsmtp.com
xxyneb.4pu.com
xygvilyksie.myfw.us
xzbqujbaj.ocry.com
ybdrgilms.4pu.com
ybywobw.mysecondarydns.com
yywgvpqrpeym.myfw.us
zakiie.ocry.com
zhudyeczk.myfw.us
zihoqd.ns3.name
zkgctmm4h.myftp.org
znhkad.xxuz.com
zqieuqgwt.ns3.name
zylzvbn.ns02.us
zyzniusdlq.ns01.info
Labels:
Dynamic DNS,
Injection Attacks,
Russia
Tuesday, 23 April 2013
"CareerBuilder Notification" spam / CB_Offer_04232013_8817391.zip
Date: Tue, 23 Apr 2013 11:13:54 -0700 [14:13:54 EDT]
From: CareerBuilder [Herman_Gallagher@careerbuilder.com]
Subject: CareerBuilder Notification
Hello,
I am a customer service employee at CareerBuilder. I found a vacant position that you may be interested in based on information from your resume or a recent online submission you made on our site.
You can review the position on the CareerBuilder by downloading the attached PDF file.
Attached file is scanned in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com
Best wishes in your job search !
Hal_Shields
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092
The attachment CB_Offer_04232013_8817391.zip contains a file called CB_Offer_04232013_8817391.exe with an icon designed to look like a PDF file. Note that the date is encoded into the filename, so future variants will have a different name; don't rely on an exact filename match.
VirusTotal detections are patchy at 18/46. I'm still waiting for some sort of analysis.
Hash | Value
---|---
MD5 | 924310716fee707db1ea019c3b4eca56
SHA1 | 2d0d9c7da13f9ec9e4f49918ae99e9f17505a9cd
SHA256 | e66a9c463e3f4eb4ca2994a29ec34e0a021ff2541f6a9647dfd3b9131ba38dd5
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
Something evil on 173.246.104.104
173.246.104.104 (Gandi, US) popped up on my radar after a malvertising attack apparently utilising a hacked OpenX server (I'm not 100% sure which one, so I won't name names) and leading to a payload on [donotclick]laserlipoplasticsurgeon.com/news/pint_excluded.php (report here).
Both VirusTotal and URLquery detect multiple malicious domains on this IP. It appears that the domains were originally legitimate, but they look to have been hijacked by the bad guys somehow. Most of them are flagged by Google as being malicious. I recommend that you apply the following blocklist for the time being:
173.246.104.104
kneetite.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodyshape.com
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laser-sculpt.com
laser-sculpting.com
Update:
I really do recommend blocking all the domains on this IP, including kneetite.com (see report) and the following ones, which have also been discovered on the same server.
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
DHL Spam / DHL-LABEL-ID-2456-8344-5362-5466.zip
Date: Tue, 23 Apr 2013 12:21:40 +0800 [00:21:40 EDT]
From: Ramon Brewer - DHL regional manager [reports@dhl.com]
Subject: DHL DELIVERY REPORT NY73377
Web Version | Update preferences | Unsubscribe
DHL notification
Our company’s courier couldn’t make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.
An additional information:
If the parcel isn’t received within 15 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global
Edit your subscription | Unsubscribe
Attached is a ZIP file called DHL-LABEL-ID-2456-8344-5362-5466.zip which contains an executable DHL-LABEL-ID-2456-8344-5362-5466.exe. VirusTotal detections are patchy at 22/45.
Checksums are as follows:
Hash | Value
---|---
MD5 | 85f908a5bd0ada2d72d138e038aecc7d
SHA1 | 017e82b1074dd210c0c41c8129d81e577d3c121b
SHA256 | bb60e72387030c957226e173de173a97241dec0a46c1d4aa3194ecd0257d185b
Whatever this is, it seems to be hard to analyse with automated tools. Comodo CAMAS does report the following registry value being created, which may help to identify and clean up any infections: it is a Run-key persistence entry, and a file called svchost.exe running from the All Users profile rather than from System32 is a giveaway.
Name | Type | Size | Value |
---|---|---|---|
LM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched | REG_SZ | 96 | "C:\Documents and Settings\All Users\svchost.exe" |
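The registry value above is a classic Run-key persistence entry. A check I would add when triaging a suspect machine, as an added example rather than anything from the Comodo report or the original post: given the Run-key entries (on Windows you would collect them with reg query or Get-ItemProperty; here they are constructed, with the CAMAS-reported value as the first entry and two typical benign entries alongside), flag any core Windows binary name running from outside the Windows directories, any image sitting in a user-writable folder, and any value name that borrows the Java updater's name without pointing at Java. The SYSTEM_BINARIES, SYSTEM_DIRS and user-writable marker lists are my assumptions, not something the page states.

```python
import ntpath  # Windows path handling that also works when the script runs on Linux

# Names of core Windows binaries; a copy anywhere other than the Windows
# directories below is almost always malware borrowing the name. (Assumed list.)
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# Folders an unprivileged user (or a dropper running as one) can write to. (Assumed list.)
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\all users\\", "\\users\\",
                         "\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed Run-key export: the first entry is the value Comodo CAMAS reported
# for the DHL sample; the other two are typical benign entries on a clean host.
SAMPLE_RUN_ENTRIES = [
    ("SunJavaUpdateSched", '"C:\\Documents and Settings\\All Users\\svchost.exe"'),
    ("Adobe ARM", '"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"'),
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
]


def image_path(value):
    """Pull the executable path out of a Run value such as '"C:\\a b\\x.exe" /arg'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ")[0]


def triage_run_entry(name, value):
    """Apply the three heuristics to one (value name, value data) pair."""
    path = image_path(value)
    basename = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    reasons = []
    if basename in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        reasons.append(f"{basename} running outside the Windows directories")
    if any(marker in folder + "\\" for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable location")
    if "java" in name.lower() and "java" not in path.lower():
        reasons.append("value name mimics the Java updater but the path is not Java")
    return {"name": name, "path": path, "suspicious": bool(reasons), "reasons": reasons}


def triage_run_key(entries):
    """Return only the entries worth a second look."""
    results = [triage_run_entry(name, value) for name, value in entries]
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    for hit in triage_run_key(SAMPLE_RUN_ENTRIES):
        print(f"{hit['name']}: {hit['path']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The same three checks apply to the other autostart locations (RunOnce, the Winlogon Shell/Userinit values, scheduled tasks); the point is that the file name alone tells you nothing, the path does.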
Labels:
DHL,
EXE-in-ZIP,
Malware,
Spam,
Viruses
Monday, 22 April 2013
"Loss Avoidance Alerts" spam / tempandhost.com
I haven't seen this particular spam before. It leads to malware on tempandhost.com:
Date: Tue, 23 Apr 2013 05:41:32 +0900 [16:41:32 EDT]
From: personableop641@swacha.org
Subject: 4/22/13 The Loss Avoidance Alerts that you requested are now available on the internet
Loss Avoidance Alert System
April 22, 2013
Loss Avoidance Report:
The Loss Avoidance Alerts that was processed are now available on a secure website at:
www.lossavoidancealert.org
http://www.lossavoidancealert.org
Alerts:
CL0017279 – Sham Checks (ALL)
Note: If the Alert Number does not appear on the Home Page - just go to the top left Search Box,
enter the Alert Number and hit Go.
Thank you for your participation!
Loss Avoidance Alert System Administrator
This email is confidential and intended for the use of the individual to whom it is addressed. Any views or opinions presented are solely
those of the author and do not necessarily represent those of SWACHA-The Electronic Payments Resource. SWACHA will not be held
responsible for the information contained in this email if it is not used for its original intent. Before taking action on any information contained
in this email, please consult legal counsel. If you are not the intended recipient, be advised that you have received this email in error and that any use,
dissemination, forwarding, printing or copying of this email is strictly prohibited.
If you received this email in error, please contact the sender.
The link in the email appears to point to www.lossavoidancealert.org but actually goes through a legitimate hacked site (in this case [donotclick]samadaan.com/wp-content/plugins/akismet/swacha.html) to a landing page at [donotclick]tempandhost.com/news/done-heavy_hall_meant.php or [donotclick]tempandhost.com/news/done-meant.php (sample reports here and here), which is some sort of exploit kit or other. It doesn't respond well to analysis tools, which could indicate either overloading or some trickery, most likely something very like this. Anyway, tempandhost.com is hosted on the following servers:
1.235.183.241 (SK Broadband Co Ltd, Korea)
46.183.147.116 (Serverclub.com, Netherlands)
155.239.247.247 (Centurion Telkom, South Africa)
202.31.139.173 (Kum oh National University of Technology, Korea)
The WHOIS details indicate that this is the Amerika crew:
Administrative Contact:
clark, emily twinetourt@aol.com
38b butman st
beverly, MA 01915
US
9784734033
Blocklist:
1.235.183.241
46.183.147.116
155.239.247.247
202.31.139.173
airtrantran.com
antidoterskief.net
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko5.ru
conficinskiy.ru
contonskovkiys.ru
cormoviesutki.ru
curilkofskie.ru
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
excuticoble.ru
fenvid.com
gatareykahera.ru
hurienothing.ru
independinsy.net
klosotro9.net
libertyusadist.info
mortalsrichers.info
peertag.com
ricepad.net
securitysmartsystem.com
tempandhost.com
thesecondincomee.com
zonebar.net
Malware sites to block 22/4/13
These domains form part of a large Kelihos botnet described over at Malware Must Die, which is related to the recent Boston Marathon and Texas Fertilizer Plant spam runs. There are probably thousands of IP addresses, but so far I have identified just 76 domains that seem to be active, with a large number of subdomains in use, so match on the parent domain rather than the exact hostname. Monitoring your DNS logs for these may reveal Kelihos activity on your network.
Update: a list of associated IPs can be found here. There are too many to analyze, but the majority seem to be hacked PCs in Ukraine, Russia, Bulgaria and Poland.
agrybnyd.ru
akafneyd.ru
aqloqsis.ru
bajidmed.ru
butlesuh.ru
ciwefbod.ru
conrozof.ru
dapxonuq.ru
derdepan.ru
dijxohqa.ru
dydebmek.ru
dypuhtiw.ru
emysgual.ru
ewhynwox.ru
fadanres.ru
fubkimab.ru
funkabyv.ru
fuqiwriv.ru
gojzawde.ru
howoggoc.ru
ickyrjum.ru
ivsykifa.ru
jabfetiq.ru
jakyskyf.ru
jehbuqri.ru
jigzilys.ru
jujeblob.ru
juqhasri.ru
jykoamny.ru
kezamzoq.ru
kolasoeg.ru
kuiffaam.ru
lohdyrpa.ru
melijfes.ru
meuhwycu.ru
migyxluk.ru
mujosdim.ru
needhed.com
nudegnuc.ru
nurwiwur.ru
nyhhakfi.ru
okxusout.ru
ovxurxom.ru
poretget.ru
qeqgomha.ru
qevihnit.ru
qyxpucaf.ru
rezselix.ru
rigyhdyq.ru
rithakip.ru
sagucqyp.ru
sahiwten.ru
siajxenu.ru
sigkeqvi.ru
soljasek.ru
taurbael.ru
tuhoxkyt.ru
tuklicit.ru
tuswusah.ru
ubhyfnyz.ru
ufqinweb.ru
ulvojfol.ru
vezylgys.ru
wirxopiz.ru
wylovpuc.ru
xikgygga.ru
xujxiwli.ru
yddivvev.ru
yhwursyn.ru
yhzewguv.ru
ymvuchyq.ru
yskicfuw.ru
ytliywax.ru
zahebfox.ru
zaszigic.ru
zurgeqyr.ru
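Both this Kelihos list and the dynamic DNS list in the 151.248.123.170 post above are best matched by parent zone rather than exact hostname, because the attackers generate fresh subdomains at will. The following Python is an added example, not code from the original posts, showing that suffix match run over a few constructed DNS query log lines. The blocklist subset, the dnsmasq- and BIND-style log formats and the log lines themselves are assumptions for the demonstration. The parent_zones function shows how the parent-domain blocklist in the earlier post can be derived from the detected hostnames: it simply drops the leftmost label, which is wrong for multi-label public suffixes such as co.uk, so check the output against the Public Suffix List before trusting it.

```python
import re

# Constructed subset of the two blocklists on this page: dynamic DNS parent
# zones from the 151.248.123.170 post and three Kelihos domains from this list.
BLOCKLIST = [
    "zapto.org", "hopto.org", "no-ip.org", "myfw.us", "redirectme.net",
    "agrybnyd.ru", "needhed.com", "zurgeqyr.ru",
]

# Assumed log formats: dnsmasq "query[A] host from client" lines and
# BIND "client ip#port: query: host IN A ..." lines.
QUERY_RE = re.compile(r"\bquery(?:\[\w+\]\s+|:\s+)([A-Za-z0-9.-]+)")

# Constructed sample log; only the first three lines should match.
SAMPLE_LOG = [
    "Apr 24 10:01:02 dnsmasq[1234]: query[A] k6fgu8.hopto.org from 10.0.0.5",
    "24-Apr-2013 10:01:04.120 client 10.0.0.7#4433: query: agrybnyd.ru IN A + (10.0.0.1)",
    "24-Apr-2013 10:01:05.300 client 10.0.0.7#4433: query: mail.needhed.com IN A + (10.0.0.1)",
    "Apr 24 10:01:03 dnsmasq[1234]: query[A] www.example.com from 10.0.0.5",
    "Apr 24 10:01:06 dnsmasq[1234]: query[AAAA] nothopto.org from 10.0.0.9",
    "Apr 24 10:01:07 dnsmasq[1234]: reply k6fgu8.hopto.org is 151.248.123.170",
]


def build_suffix_index(domains):
    """Normalise blocklist entries to lowercase with no edge dots."""
    return {d.strip().lower().strip(".") for d in domains if d.strip()}


def match_zone(hostname, index):
    """Return the blocklisted zone that hostname equals or sits under, else None.

    Walks up the label chain, so k6fgu8.hopto.org matches hopto.org and
    mail.needhed.com matches needhed.com, while nothopto.org does not
    match hopto.org (a plain substring test would get that wrong).
    """
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(lines, index):
    """Return (queried_hostname, matched_zone) for every query line that hits."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            zone = match_zone(m.group(1), index)
            if zone:
                hits.append((m.group(1), zone))
    return hits


def parent_zones(detected_hostnames):
    """Derive parent zones by dropping the leftmost (random) label.

    Two-label names are kept whole. Multi-label public suffixes (co.uk and
    friends) would need the Public Suffix List; this deliberately ignores them.
    """
    zones = set()
    for host in detected_hostnames:
        labels = host.lower().strip(".").split(".")
        zones.add(".".join(labels[1:]) if len(labels) > 2 else ".".join(labels))
    return zones


if __name__ == "__main__":
    index = build_suffix_index(BLOCKLIST)
    for host, zone in scan_dns_log(SAMPLE_LOG, index):
        print(f"{host:<25} -> blocked zone {zone}")
```

Because the match walks up the label chain, a single entry such as hopto.org covers every throwaway subdomain the attackers create under it, which is exactly why blocking the individual hostnames is a losing game.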
Labels:
Botnet,
Evil Network,
Kelihos,
Malware
Friday, 19 April 2013
OVH WTF
If you work in the anti-spam or anti-malware business then you've probably come across OVH. It's a company with a shockingly bad reputation in these fields, tolerating malware and spammers to an extent that no other major host does. It even has a special tag on this blog to keep track of all the crap it hosts.
One particularly bad part of the network is the "MMuskatov" block 5.135.67.128/25 (5.135.67.128 to 5.135.67.255). I covered this back in February, but the situation has become even worse since then. This entire /25 hosts apparently zero legitimate sites and one of the highest concentrations of malware sites that I have seen for some time.
Out of 456 sites that I have identified in this block, 84 (18%) have been flagged as dangerous by Google. 106 (23%) have a WOT trustworthiness score of 10 or less, and only 2 (0.4%) manage more than 40%, and that's probably by accident.
A full list of the sites I can find and their ratings can be found here. And this isn't the only large-scale black hat customer that OVH hosts, because there is Sidharth Shah as well. One can only speculate about the type of financial arrangements that these customers have in order to keep going.
I would recommend blocking the entire 5.135.67.128/25 range and implementing a zero-tolerance approach for any OVH blocks that appear on your radar for spamming and malware.
These following sites are flagged by Google as being malicious:
basteln5.de
ktxstat240.info
charterd4.de
freepokee1.info
lozytose2.de
natrium7.de
spannend3.de
tj6e8k.com
fastmovekko.net
vertigozone.net
babynicefreelove.org
federewf.org
justifymanually.biz
stagesidebars.biz
virusspywareparents.biz
avivariva2.info
avivariva3.info
bbumpers.com
christmasmemot.com
cocojambo.info
cocojambo2.info
miniexchange.at
standard14.net
standard15.net
asnosnubmu.org
mronetcomgroup.com
qwertium.com
standard14.com
standard14.de
standard15.com
gofathermotherborns.com
iamtyredforblockdomins.com
mydnssa.com
visit-my-web-site.eu
visit-my-web-site.info
visit-my-web-site.net
as-bar.info
as-catch.info
as-closure.info
as-lock.info
asbolt.info
ascatch.info
asclasp.info
asfastener.info
aslatch.info
aslock.info
center-city-home.info
center-city.info
center-urban.info
centercitydental.info
centercityhome.info
centertown.info
centerurban.info
data-sales.info
freeinfosales.info
homeinfosales.info
hub-city.info
huburban.info
info-sales.info
information-sales.info
informationsales.info
infosalesonline.info
infosalestraining.info
istanbultransfer.info
my-first-blog.info
my-food-blog.info
my-life-blog.info
my-money-blog.info
mybeautyblog.info
myfoodblog.info
mygolfblog.info
myhomeblog.info
mylifeblog.info
myonlineblog.info
news-sales.info
newssales.info
thermaltransfer.info
transfer-domain.info
transferaccount.info
transferauthorization.info
transfercode.info
transfercredit.info
transferownership.info
transferservices.info
These sites are flagged by WOT as being untrustworthy (score less than 20):
basteln5.de
ktxstat240.info
charterd4.de
freepokee1.info
lozytose2.de
natrium7.de
spannend3.de
tj6e8k.com
fastmovekko.net
vertigozone.net
babynicefreelove.org
federewf.org
fuchsduhastdiegansgestohlen.info
mojojojo.info
powerpuffgirls.ru
1aumir.biz
dfhiod.biz
seghiv.biz
sfgjjj.biz
sjbmb.biz
srghoop.biz
wdgwber.biz
wergxcb.biz
wryeuy.biz
daimlerfidelity.info
perstversion.info
provertymegastore.info
thewholespend.info
versetaility.info
emporiomurmani.info
fakeferarri.info
frankmousepo.com
gussi.info
mapplestory.info
mybestprojextmm.com
supermegaextragood.info
analytics-djmusic-online.info
analytics-djmusic-site.at
analytics-djmusic-site.com
analytics-djmusic-site.de
apeld.biz
bederg.biz
dhajbg.biz
hernn.biz
heronew.biz
lokoier.biz
mdopk.biz
mederf.biz
medoew.biz
neregda.biz
nerero.biz
oploug.biz
perokil.biz
polocz.biz
reseder.biz
trenere.biz
tydfghk.biz
ufrere.biz
vededd.biz
yherem.biz
zaderf.biz
basicsensorcomfort.info
brasenetworks.info
complexesuluation.info
creamvisitiorfinder.info
daisychellenge.info
dasuycompletesuluation.info
allrisor.com
anarebrelleee.me
my-res-to.com
myrisor.com
newrisor.com
res-to.com
resscience.com
risorgroup.com
risoronline.com
saledomainornott.biz
saledomainornott.co
saledomainornott.com
saledomainornott.in
saledomainornott.info
saledomainornott.me
saledomainornott.mobi
saledomainornott.net
scienceto.com
therisor.com
fbuniverse.net
carambala.com
freepokee2.info
freepokee3.info
monoxy3.de
natural9.de
shuttle4.de
sunari9.de
swedpuikavrot.info
jagsertowns.com
pendingtransfer.info
vertigoz0ne.info
vertigoz0ne.net
vertigoz0ne.org
loveplanetfr.org
sexcamsfreenow.org
analytics-djmusic-online.de
justifymanually.biz
stagesidebars.biz
virusspywareparents.biz
groholding.ru
traffffff.biz
trafffffff.biz
traffffffff.biz
invertingiharvest.biz
mobilityblurb.biz
rpostsmounting.biz
webcompatibleelect.net
calderamagicjack.com
touringassists.com
gymscertified.biz
savingdropboxs.biz
starwoodsignal.biz
touchpadequalizer.biz
depletedpermalink.biz
super8jdkwdkw.org
superversiya31337.com
Labels:
Evil Network,
OVH
American Express spam / CD0199381.434469398992.zip
Date: Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
From: "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject: PAYVE - Remit file
Part(s): 2 CD0199381.434469398992.zip [application/zip]
A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).
- The remittance file contains invoice information passed by your buyer. Please contact your buyer for additional information not available in the file.
- The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits.
For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday, 8:00 AM to 8:00 PM ET. - You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services.
If you are not enrolled in My Merchant Account/OMS, you can do so at www.americanexpress.com/mymerchantaccount or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll be glad to help you.
For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.
Copyright 2013 American Express Company. All rights reserved Contact Customer Service: https://www.americanexpress.com/messagecenter
******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."
******************************************************************************
There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe (note that the date is encoded into the filename, so future variants will differ). VirusTotal results for that file are just 6/46. ThreatExpert reports that the malware communicates with the following servers:
mail.yaklasim.com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley.com (198.100.45.44: A2 Hosting, US)
This malware shares some characteristics with this attack.
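Three of the posts on this page (CareerBuilder, DHL and this American Express one) use the same EXE-in-ZIP trick: a ZIP attachment carrying an executable whose name mimics a document, whose icon mimics a PDF, and whose filename carries the send date so that an exact-name signature expires daily. The following Python is an added example, not code from the original posts, of a mail-gateway or triage check over such an attachment: it lists the ZIP members, flags executable extensions and the PE "MZ" magic (the fake PDF icon lives inside the PE resources and is invisible from the ZIP listing), pulls the embedded MMDDYYYY date out of the name, and compares the SHA256 against a set of known-bad hashes such as the ones published above. The sample ZIP is constructed in memory with a dummy "MZ" file named like the CareerBuilder lure; it is not the real malware, and the extension list is my assumption.

```python
import hashlib
import io
import re
import zipfile

# Extensions that have no business inside a ZIP that claims to carry a document. (Assumed list.)
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}

# The lures on this page embed the send date as MMDDYYYY in the filename
# (CB_Offer_04232013_8817391.exe, CD0199381-04192013.exe).
DATE_IN_NAME = re.compile(r"(?<!\d)(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(20\d{2})(?!\d)")


def inspect_zip_attachment(zip_bytes, known_bad_sha256=frozenset()):
    """Return one finding dict per file inside the ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            sha256 = hashlib.sha256(data).hexdigest()
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension " + ext)
            # A PDF icon is baked into the PE's resources, so it can't be seen from
            # the ZIP listing; the MZ magic is what gives the file away.
            if data[:2] == b"MZ":
                reasons.append("PE (MZ) header")
            if ext == ".pdf" and not data.startswith(b"%PDF"):
                reasons.append("claims to be PDF but lacks %PDF header")
            m = DATE_IN_NAME.search(name)
            if m:
                reasons.append("date %s-%s-%s embedded in filename" % (m.group(3), m.group(1), m.group(2)))
            if sha256 in known_bad_sha256:
                reasons.append("SHA256 matches a known sample")
            findings.append({
                "name": name,
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": sha256,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


def build_sample_zip():
    """Constructed test attachment: a dummy PE named like the CareerBuilder lure,
    plus a harmless text file. The bytes are NOT the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CB_Offer_04232013_8817391.exe", b"MZ" + b"\x90" * 62 + b"not the real sample")
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:<10} {f['name']}  sha256={f['sha256'][:16]}...  {'; '.join(f['reasons'])}")
```

Feed it the real attachment bytes from your mail store and the published hashes as known_bad_sha256; the MZ check is the one that survives the daily filename rotation, and the hash match is what ties a fresh catch back to a known campaign.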
Blocklist:
198.100.45.44
212.58.4.13
aapros.info
aapros.mobi
aapros.net
aapros.org
automaintenancegreeley.com
autorepairevans.com
autorepairgreeley.info
autorepairgreeley.mobi
autorepairgreeley.net
autorepairgreeley.org
autorepairgreeley.us
autoservicegreeley.com
brakesgreeley.com
mail.yaklasim.com
Labels:
EXE-in-ZIP,
Malware,
Spam,
Turkey,
Viruses
Thursday, 18 April 2013
"Fertilizer Plant Explosion Near Waco, Texas" spam
As I suspected, this didn't take long. This spam is a retread of yesterday's Boston Marathon spam.
From: Maria Numbers [mailto:tjm7@deco-club.ru]
Sent: 18 April 2013 11:51
To: UK HPEA 3
Subject: CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
hxxp:||83.170.192.154/news.html
At the moment the payload site is [donotclick]bigmovies777.sweans.org/aoiq.html (report here, but the site appears to be broken), but it seems to rotate every hour or so to a new domain. Almost all the domains I have seen are hacked legitimate sites hosted by WebsiteWelcome.
If you click through you get five genuine embedded YouTube videos plus a malware IFRAME that looks a bit like this:
The Boston Marathon spam led to a RedKit exploit kit, and this probably does too. Given the ever-changing nature of the malware landing page, this one is rather difficult to stop by blocking alone; advising your user population of the risk may be prudent.
Sample subjects:
CAUGHT ON CAMERA: Fertilizer Plant Explosion
CAUGHT ON CAMERA: Fertilizer Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens
Malware sites to block 18/4/13, revisited
Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.
Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.
Detected IP | Recommended block | Owner |
5.9.191.179 | 5.9.191.160/26 | (CyberTech LLC, Russia / Hetzner, Germany) |
5.45.183.91 | 5.45.183.91 | (Bradler & Krantz, Germany) |
5.135.67.215 | 5.135.67.208/28 | (MMuskatov-IE / OVH, France) |
5.135.67.217 | ||
23.19.87.38 | 23.19.87.32/29 | (Di & Omano Ltd, Germany / Nobis Technology, US) |
37.230.112.83 | 37.230.112.0/23 | (TheFirst-RU, Russia) |
46.4.179.127 | 46.4.179.64/26 | (Viacheslav Krivosheev, Russia / Hetzner Germany) |
46.4.179.129 | ||
46.4.179.130 | ||
46.4.179.135 | ||
46.37.165.71 | 46.37.165.71 | (BurstNET, UK) |
46.37.165.104 | 46.37.165.104 | (BurstNET, UK) |
46.105.162.112 | 46.105.162.112/26 | (Shah Sidharth, US / OVH, France) |
62.109.24.144 | 62.109.24.0/22 | (TheFirst-RU, Russia) |
62.109.26.62 | ||
62.109.27.27 | ||
80.67.3.124 | 80.67.3.124 | (Portlane Networks, Sweden) |
80.78.245.100 | 80.78.245.0/24 | (Agava JSC, Russia) |
91.220.131.175 | 91.220.131.0/24 | (teterin Igor Ahmatovich, Russia) |
91.220.131.178 | ||
91.220.163.24 | 91.220.163.0/24 | (Olevan plus, Ukraine) |
94.250.248.225 | 94.250.248.0/23 | (TheFirst-RU, Russia) |
108.170.4.46 | 108.170.4.46 | (Secured Servers, US) |
109.235.50.213 | 109.235.50.213 | (xenEurope, Netherlands) |
146.185.255.97 | 146.185.255.0/24 | (Petersburg Internet Network, Russia) |
146.185.255.207 | ||
149.154.64.161 | 149.154.64.0/23 | (TheFirst-RU, Russia) |
149.154.65.56 | ||
149.154.68.145 | 149.154.68.0/23 | (TheFirst-RU, Russia) |
173.208.164.38 | 173.208.164.38 | (Wholesale Internet, US) |
173.234.239.168 | 173.234.239.160/27 | (End of Reality LLC, US / Nobis, US) |
176.31.191.138 | 176.31.191.138 | (OVH, France) |
176.31.216.137 | 176.31.216.137 | (OVH, France) |
184.82.27.12 | 184.82.27.12 | (Prime Directive LLC, US) |
188.93.211.57 | 188.93.210.0/23 | (Logol.ru, Russia) |
188.120.238.230 | 188.120.224.0/20 | (TheFirst-RU, Russia) |
188.120.239.132 | ||
188.165.95.112 | 188.165.95.112/28 | (Shah Sidharth, US / OVH France) |
188.225.33.62 | 188.225.33.0/24 | (Transit Telecom, Russia) |
188.225.33.117 | ||
192.210.223.101 | 192.210.223.101 | (VPS Ace, US / ColoCrossing, US) |
193.106.28.242 | 193.106.28.242 | (Centr Informacionnyh Technologii Online, Ukraine) |
193.169.52.144 | 193.169.52.0/23 | (Promobit, Russia) |
195.3.145.99 | 195.3.145.99 | (RN Data, Latvia) |
195.3.147.150 | 195.3.147.150 | (RN Data, Latvia) |
198.23.250.142 | 198.23.250.142 | (LiquidSolutions, Bulgaria / ColoCrossing, US) |
198.46.157.174 | 198.46.157.174 | (Warfront Cafe LLC, US / ColoCrossing, US) |
205.234.204.151 | 205.234.204.151 | (HostForWeb, US) |
205.234.204.190 | 205.234.204.190 | (HostForWeb, US) |
205.234.253.218 | 205.234.253.218 | (HostForWeb, US) |
213.229.69.40 | 213.229.69.40 | (Poundhost, UK / Simply Transit, UK) |
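Before a list like the one in the table above goes into a firewall, it is worth checking it mechanically. The following is an added example, not code from the blog: it takes a handful of rows constructed from the table, flags any recommended block whose start address is not on its prefix boundary (as written, 5.9.191.160/26 and 46.105.162.112/26 have host bits set; the standard library realigns them to 5.9.191.128/26 and 46.105.162.64/26, which still contain the detected IPs), reports any detected IP its block does not actually cover (46.4.179.64/26 ends at .127, so 46.4.179.135 is left out), and totals the address space the list would cut off, which is the collateral-damage figure behind the warning above.

```python
import ipaddress

# Rows constructed from the post's table: (detected IP, recommended block, owner).
# A row whose block is None is a continuation row and inherits the block and
# owner of the row before it, as the table's blank cells do.
TABLE = [
    ("5.9.191.179", "5.9.191.160/26", "CyberTech LLC, Russia / Hetzner, Germany"),
    ("5.135.67.215", "5.135.67.208/28", "MMuskatov-IE / OVH, France"),
    ("5.135.67.217", None, None),
    ("46.4.179.127", "46.4.179.64/26", "Viacheslav Krivosheev, Russia / Hetzner Germany"),
    ("46.4.179.135", None, None),
    ("46.105.162.112", "46.105.162.112/26", "Shah Sidharth, US / OVH, France"),
    ("62.109.24.144", "62.109.24.0/22", "TheFirst-RU, Russia"),
    ("62.109.27.27", None, None),
    ("80.67.3.124", "80.67.3.124", "Portlane Networks, Sweden"),
    ("188.120.238.230", "188.120.224.0/20", "TheFirst-RU, Russia"),
]


def widen(ip, prefix_len):
    """Round a detected IP down to its enclosing /prefix_len block.

    This is the step the post does by hand; strict=False clears the host bits,
    so widen("5.9.191.179", 26) gives the boundary-aligned 5.9.191.128/26.
    """
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def malformed_blocks(rows):
    """Return (as written, normalized) pairs for blocks whose host bits are set.

    Firewalls either reject such a prefix or silently realign it, so these
    rows need correcting before the list is deployed.
    """
    found = []
    for _, cidr, _ in rows:
        if cidr is None:
            continue
        written = ipaddress.ip_interface(cidr).ip
        norm = ipaddress.ip_network(cidr, strict=False)
        if norm.network_address != written:
            found.append((cidr, str(norm)))
    return found


def expand_rows(rows):
    """Resolve continuation rows into (ip_address, ip_network, owner) triples."""
    block = owner = None
    out = []
    for ip, cidr, who in rows:
        if cidr is not None:
            block, owner = ipaddress.ip_network(cidr, strict=False), who
        if block is None:
            raise ValueError(f"continuation row {ip} has no preceding block")
        out.append((ipaddress.ip_address(ip), block, owner))
    return out


def check_containment(rows):
    """Return detected IPs that fall outside their (normalized) recommended block.

    Anything listed here would be left unblocked by the recommended list.
    """
    return [str(ip) for ip, net, _ in expand_rows(rows) if ip not in net]


def aggregate(rows):
    """Collapse the blocks into a minimal, non-overlapping, firewall-ready list."""
    nets = {net for _, net, _ in expand_rows(rows)}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def coverage(rows):
    """Number of addresses the aggregated list blocks (the collateral-damage figure)."""
    nets = {net for _, net, _ in expand_rows(rows)}
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def by_owner(rows):
    """Group the (normalized) blocks by the owner string from the table."""
    grouped = {}
    for _, net, owner in expand_rows(rows):
        grouped.setdefault(owner, set()).add(str(net))
    return {owner: sorted(nets) for owner, nets in grouped.items()}


if __name__ == "__main__":
    for written, fixed in malformed_blocks(TABLE):
        print(f"not on a prefix boundary: {written} -> {fixed}")
    print("detected IPs not covered:", check_containment(TABLE) or "none")
    print("\n".join(aggregate(TABLE)))
    print("addresses covered:", coverage(TABLE))
```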
Labels: Hetzner, Latvia, logol.ru, Malware, OVH, Russia, Sidharth Shah, Simply Transit, TheFirst-RU, Ukraine, Viruses
West, Texas explosion: be on the lookout for malware spam
It took just a day or so for the bad guys to start sending out malware spam about the Boston Marathon, and I strongly suspect that we will see the same for the West, Texas explosion within the next 48 hours or so. It's probably worth keeping an eye out for any such spam coming into your organisation and taking the appropriate countermeasures.
Incidentally, the following is the only actual video I have seen so far. I'm sure everybody's thoughts are with the citizens of West and the emergency services who are trying to deal with this awful catastrophe.
Labels: Spam
Malware sites to block 18/4/13
These malicious domains and IPs are associated with this malware spam run. Block 'em if you can.
Labels: Evil Network, Malware, Spam, Viruses
Wednesday, 17 April 2013
PayPal spam / dialupwily.org
This fake PayPal spam leads to malware on dialupwily.org:
From: service@paypal.com [mailto:criticizea@seneseassociates.com]
Sent: Wed 17/04/2013 18:49
Subject: Receipt for your PayPal payment to Konrad Rotuski
Feb 18, 2013 10:54:32 PDT
Transaction ID: 4F1UGYHLFMRAG1AVY
Hello,
You sent a payment of $149.49 USD to Konrad Rotuski (criticizea@seneseassociates.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
--------------------------------------------------------------------------------
Seller
Konrad Rotuski
criticizea@seneseassociates.com Note to seller
You haven't included a note.
Shipping address - unconfirmed
218 E CHURCH ST
FAYETTEVILLE, TX 09557-2446
United States
Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men's WAU6277.BA3900 Formula 1 White Dial Stainless Steel Watch
Item# 566741455709 $149.49 USD 1 $149.49 USD
Shipping and handling $0.00 USD
Insurance - not offered ----
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Konrad Rotuski
Payment sent to criticizea@seneseassociates.com
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.
Questions? Go to the Help Center at: www.paypal.com/help.
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.
To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.
PayPal Email ID PP387
The link in the email goes through a hacked WordPress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come.
CNN.com Boston Marathon spam / thesecondincomee.com
This Boston Marathon themed spam leads to malware on thesecondincomee.com:
Example 1:
Date: Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From: CNN Breaking News [BreakingNews@mail.cnn.com]
Subject: Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews@mail.cnn.com:
Click the following to access the sent link:
Boston Marathon Explosions - Obama Benefits? - CNN.com*
SAVE THIS link FORWARD THIS link
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
Example 2:
Date: Wed, 17 Apr 2013 22:32:56 +0600
From: behring401@mail.cnn.com
Subject: Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
Powered by
* Please note, the sender's email address has not been verified.
You have received the following link from BreakingNews@mail.cnn.com:
Click the following to access the sent link:
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here
The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
The recommended blocklist is the same as used in this earlier attack.
BBB Spam / freedblacks.net
Another BBB spam run today, although this time it is not the RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau", which indicates they are using the same software even if they are different gangs. The link in the email leads to malware on freedblacks.net.
Date: Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From: BBB [bridegroomc@m.bbb.org]
Subject: Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819
Respective Owner/Responsive Person:
The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.
We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-02111671
If you think you recieved this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Ian Wilson - Online Communication Specialist
bbb.org - Start With Trust
The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here) hosted on the following IPs:
65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)
Blocklist:
BBB Spam / janariamko.ru
After a few quiet days on the RU:8080 spam front, it has started again.
Date: Wed, 17 Apr 2013 20:18:14 +0800
From: "Better Business Bureau" [guttersnipeg792@ema1lsv100249121.bbb.org]
Subject: Better Business Beareau accreditation Terminated 64A488W04
Case N. 64A488W04
Respective Owner/Responsive Person:
The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.
We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-65896564
If you think you got this email by mistake - please forward this message to your principal or accountant
We are looking forward to your prompt answer.
Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,
Gabriel Reyes - Online Communication Specialist
bbb.org - Start With Trust
The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)
Blocklist:
"Boston Marathon" spam / askmeaboutcctv.com
This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv.com:
Sample 1:
From: Graham Jarvis [mailto:alejandro.alfonzo-larrain@tctwest.net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013
hxxp:||61.63.123.44/news.html
Sample 2:
From: Sally Rasmussen [mailto:artek33@risd.edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon
hxxp:||190.245.177.248/news.html
(Note that the payload links have been lightly obfuscated, don't click them.)
If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv.com/wmiq.html (report here) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.
Some more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: 2 Explosions at Boston Marathon
[donotclick]46.233.4.113/boston.html
[donotclick]37.229.92.116/boston.html
[donotclick]188.2.164.112/news.html
[donotclick]109.87.205.222/news.html
I would advise blocking these IPs and domains. Be vigilant against this kind of attack, and bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way.
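The runs described in the posts above (the West, Texas and Boston lure pages on bare IPs, the BBB, CNN and PayPal landing pages, and the RU:8080 variant) share a property a defender can use: the hostnames rotate hourly or are hacked legitimate sites, but the landing-page paths, the bare-IP lure filenames and the unusual :8080 port stay fixed. The following is an added example, not code from the blog, that turns those observations into a small proxy-log check; the squid-like log format and the log lines are constructed, while the paths, hosts and dynamic-DNS parents are taken from the posts.

```python
import re
from urllib.parse import urlsplit

# Landing-page paths quoted in the posts. The hostname in front of them
# changes from run to run; the path does not.
LANDING_PATHS = {
    "/news/agency_row_fixed.php",       # BBB and CNN "Boston Marathon" runs
    "/closest/incomming_message.php",   # fake PayPal receipt
    "/forum/links/public_version.php",  # RU:8080 BBB run
}

# Lure pages in the Boston / West, Texas runs sit on a bare IP with a
# fixed filename: http://<ip>/news.html or http://<ip>/boston.html.
IP_LURE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/(?:news|boston)\.html$")

# Exact hosts named in the posts. This layer goes stale first: the posts note
# that the payload host rotates roughly hourly.
KNOWN_HOSTS = {
    "bigmovies777.sweans.org", "askmeaboutcctv.com", "thesecondincomee.com",
    "freedblacks.net", "dialupwily.org", "janariamko.ru",
}

# Dynamic-DNS parents from the earlier blocklist (a subset), matched as suffixes.
DYNDNS_PARENTS = ("no-ip.org", "zapto.org", "redirectme.net", "3utilities.com")

# Constructed proxy log, squid-like: epoch client method url status
SAMPLE_LOG = """\
1366286400.123 10.0.0.5 GET http://hacked-blog.example/wp-content/uploads/x.php 200
1366286401.456 10.0.0.5 GET http://janariamko.ru:8080/forum/links/public_version.php 200
1366286402.789 10.0.0.7 GET http://83.170.192.154/news.html 200
1366286403.000 10.0.0.7 GET http://bigmovies777.sweans.org/aoiq.html 503
1366286404.000 10.0.0.9 GET http://cyt4n83.zapto.org/ 200
1366286405.000 10.0.0.9 GET http://intranet.example/news/index.html 200
"""


def is_dyndns(host):
    """True if host is a dynamic-DNS parent or a subdomain of one (not a look-alike)."""
    return any(host == p or host.endswith("." + p) for p in DYNDNS_PARENTS)


def classify(url):
    """Return why a URL is suspicious, or None. Most durable signal is checked first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path in LANDING_PATHS:
        return "landing-page path" + (" on :8080" if parts.port == 8080 else "")
    if IP_LURE.match(url):
        return "bare-IP lure page"
    if host in KNOWN_HOSTS:
        return "known malicious host"
    if is_dyndns(host):
        return "dynamic-DNS host"
    return None


def scan(log_text):
    """Return (client, url, reason) for every log line that matches a pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status = line.split()
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


def clients_at_risk(log_text):
    """Clients that reached a landing page or lure page: triage candidates,
    since the landing page is where the exploit kit is served."""
    return sorted({c for c, _, r in scan(log_text)
                   if r.startswith("landing-page") or r == "bare-IP lure page"})


if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client}  {reason:28s} {url}")
    print("triage:", ", ".join(clients_at_risk(SAMPLE_LOG)))
```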
Tuesday, 16 April 2013
Disgraceful Arif Khan / Mak Media spam
For some time now I've been plagued with spam that looks like this:
There are three parties involved in this scam. Working backwards: the ads displayed on the landing page are run by Google; the landing page itself is owned by an outfit called Adilizer.com, who claim to be based in Texas; but the spamming itself seems to be the work of one Arif Khan, who is the CEO of an Indian company called Mak Media.
Let's look at where clicking on the link in that spam gets us:
hxxp:||rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rk3231.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||obmedia.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||www.myown-big-find-tool.com/
The domains myown-big-find-tool.com, obmedia.com and rk3231.com belong to Adilizer and look like they could be some sort of affiliate link. So, we can perhaps assume that Adilizer are not directly responsible for the spam.
The domain fuldbate.us is owned by Arif Khan, and rng172.fuldbate.us is hosted on 198.84.76.172 which is where this spam originates. These are the pertinent WHOIS details for the domain:
Registrant ID: FF70EC5B09E3DC10
Registrant Name: Arif Khan
Registrant Organization: Gravity Media
Registrant Address1: Bhopal
Registrant Address2: Bhopal
Registrant City: Bhopal
Registrant State/Province: MP
Registrant Postal Code: 462001
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +91.9425677527
Registrant Email: praveen.shukla4015@gmail.com
Registrant Application Purpose: P1
"Gravity Media" may or may not exist, but domain WHOIS details are easy to fake. But if we look at who the IP address is allocated to then we can see a bit more information.
%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:IP-Network-Block:198.84.76.172 - 198.84.76.172
network:Customer Organization:Mak Media
network:Customer Address;I:Plot N0 4 , Kerma Tower
network:Customer City;I:BHopal
network:Customer State/Province;I:Madhya Pradesh
network:Customer Postal Code;I:462001
network:Customer Country Code;I:IN
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:abuse@hostwinds.com
network:Admin-Contact;I:abuse@hostwinds.com
network:Abuse-Contact;I:abuse@hostwinds.com
This reveals the apparently genuine organisation of Mak Media, of which Arif Khan is CEO according to his LinkedIn page. Note that there are several companies of a similar name, but this one seems to be based in Bhopal.
To quote Mr Khan, his background is of:
But the spam doesn't come from just one domain and IP. Arif Khan uses hundreds of throwaway .us addresses and multiple IPs. These are the ones I have seen in the past week:
fuldbate.us
excrep.us
buidep.us
xlitisew.us
trunalk.us
ryismeth.us
fjouck.us
duptous.us
certious.us
grembing.us
bablump.us
ghtchity.us
fluitice.us
fjoutte.us
cabatki.us
asatuary.us
echead.us
brooto.us
falert.us
eurness.us
djasynt.us
abubcum.us
emenger.us
ograst.us
hapric.us
Each one comes from a different IP address in the 198.84.76.0/24 range suballocated from Hostwinds to Mak Media. But there's something weird, because Hostwinds haven't allocated a 256-address /24 block at all.. they've allocated 256 /32 blocks of a single IP address each. This is presumably a trick to make sure that the whole /24 range doesn't get blacklisted at once.
If you are plagued with this spam and have the capability to do so, block all incoming email from and web traffic to 198.84.76.0/24 and it should effectively block it for now. And reporting any spam to abuse -at- hostwinds.com will probably do no harm.. although I suspect it will do little good.
From: "Mesothelioma"
Date: Tue, 16 Apr 2013 09:11:37 -0400
To: [redacted]
Subject: Learn The Link Between Asbestos and Mesothelioma
5670242064119134040....02158166418942886316dc91aae549f7.02158166418942886316dc91aae549f7.5670242064119134040..02158166418942886316dc91aae549f7.. 33100457.5670242064119134040..02158166418942886316dc91aae549f7.5670242064119134040..
Learn The Link Between Asbestos and Mesothelioma
Rebosiet riwan ducufaf. 02158166418942886316dc91aae549f7 Rire ti 5670242064119134040 sasah 33100457 totetes 33100457 tela. 33100457 Woc 02158166418942886316dc91aae549f7 esic 02158166418942886316dc91aae549f7 sew 02158166418942886316dc91aae549f7 se 02158166418942886316dc91aae549f7 icin 02158166418942886316dc91aae549f7 icat 33100457 worag 33100457 ne 02158166418942886316dc91aae549f7 tedit 33100457 kodu. 02158166418942886316dc91aae549f7 Eca cehag 33100457 kose. 02158166418942886316dc91aae549f7 Adodiner 5670242064119134040 nure 33100457 bebose aleri ira 02158166418942886316dc91aae549f7 malitu noharie ituror [this crap goes on and on to try to get past spam filters]
The spam is on a variety of topics, but one thing that makes me cross is seeing spam on this particular topic. Why? Well, this particular illness is linked to many high-paying lawsuits, and as a result advertisers can pay out a surprising amount of cash per click, estimated here to be worth over $80 for some individual clicks. But in this case, they will be essentially worthless clicks to the advertiser. And who ends up paying for these worthless clicks? Well, ultimately the costs get extracted from the sufferers of this illness from their settlements.
There are three parties involved in this scam. Working backwards, the ads displayed on the landing page are run by Google, the landing page itself is owned by an outfit called Adilizer.com who claim to be based in Texas. But the spamming itself seems to be the work of one Arif Khan who is the CEO of an Indian company called Mak Media.
Let's look at where clicking on the link in that spam gets us:
hxxp:||rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rk3231.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||obmedia.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||www.myown-big-find-tool.com/
The domains myown-big-find-tool.com, obmedia.com and rk3231.com belong to Adilizer and look like they could be some sort of affiliate link. So, we can perhaps assume that Adilizer are not directly responsible for the spam.
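To map a chain like that without the browser (or the HTTP library) silently following it, you want one request per hop with redirects disabled, so every intermediate host gets recorded. The script below is an added example, not part of the original post: trace_chain() walks Location headers hop by hop and stops on a non-3xx response, a loop or a hop cap. A scripted fetcher replays the five URLs above so it runs offline; the 302 status codes in that replay are assumed, the URLs are the ones quoted.

```python
"""Follow an affiliate redirect chain one hop at a time.

Added example, not from the original post. fetch_live() uses urllib with
redirects disabled; fetch_scripted() replays the hop sequence quoted in
the post (status codes assumed) so the trace runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url, timeout=10):
    """One HEAD request; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "redirect-tracer/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:        # 3xx surfaces here with NoRedirect
        return e.code, e.headers.get("Location")


def trace_chain(start_url, fetch=fetch_live, max_hops=10):
    """Return the list of URLs visited, starting with start_url.

    Stops at a non-3xx, a missing Location, a loop (the repeated URL is
    recorded once more so the loop is visible) or max_hops.
    """
    chain = [start_url]
    url = start_url
    while len(chain) <= max_hops:
        status, location = fetch(url)
        if not (300 <= status < 400) or not location:
            return chain
        nxt = urljoin(url, location)            # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain
        url = nxt
    return chain


def hosts_in_chain(chain):
    """Distinct hostnames in order of first appearance."""
    seen = []
    for u in chain:
        h = urlparse(u).hostname
        if h and h not in seen:
            seen.append(h)
    return seen


# Scripted replay of the hops quoted in the post; the 302s are assumed.
_AFF = "/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2="
SCRIPTED_HOPS = {
    "http://rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7":
        (302, "/98F22437a38863ab64aa3397118536dc91aae549f7"),
    "http://rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7":
        (302, "http://rk3231.com" + _AFF),
    "http://rk3231.com" + _AFF: (302, "http://obmedia.com" + _AFF),
    "http://obmedia.com" + _AFF: (302, "http://www.myown-big-find-tool.com/"),
    "http://www.myown-big-find-tool.com/": (200, None),
}


def fetch_scripted(url):
    return SCRIPTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = trace_chain(next(iter(SCRIPTED_HOPS)), fetch=fetch_scripted)
    for i, u in enumerate(chain):
        print(i, u)
    print("hosts:", hosts_in_chain(chain))
```

Against a live chain, drop the fetch= argument; the HEAD request keeps you from pulling the landing page content, and every host in hosts_in_chain() is a candidate for the blocklist, not just the first and last.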
The domain fuldbate.us is owned by Arif Khan, and rng172.fuldbate.us is hosted on 198.84.76.172 which is where this spam originates. These are the pertinent WHOIS details for the domain:
Registrant ID: FF70EC5B09E3DC10
Registrant Name: Arif Khan
Registrant Organization: Gravity Media
Registrant Address1: Bhopal
Registrant Address2: Bhopal
Registrant City: Bhopal
Registrant State/Province: MP
Registrant Postal Code: 462001
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +91.9425677527
Registrant Email: praveen.shukla4015@gmail.com
Registrant Application Purpose: P1
"Gravity Media" may or may not exist, but domain WHOIS details are easy to fake. But if we look at who the IP address is allocated to then we can see a bit more information.
%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:IP-Network-Block:198.84.76.172 - 198.84.76.172
network:Customer Organization:Mak Media
network:Customer Address;I:Plot N0 4 , Kerma Tower
network:Customer City;I:BHopal
network:Customer State/Province;I:Madhya Pradesh
network:Customer Postal Code;I:462001
network:Customer Country Code;I:IN
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:abuse@hostwinds.com
network:Admin-Contact;I:abuse@hostwinds.com
network:Abuse-Contact;I:abuse@hostwinds.com
This reveals the apparently genuine organisation of Mak Media, of which Arif Khan is CEO according to his LinkedIn page. Note that there are several companies of a similar name, but this one seems to be based in Bhopal.
To quote Mr Khan's own profile, his background is:
Intense drive and overachieving mentality with a track record of consistently meeting and exceeding goals. Dedicated work ethic, and intense desire to succeed in achieving an aggressive career and financial growth.
Specialties: Email Marketing, lead generation, database management, email marketing, list management, Email Monetization, Affiliate Marketer!!
In other words, he takes advantage of India's non-existent spam laws and blasts as many mailboxes as he can with crappy affiliate links.
But the spam doesn't come from just one domain and IP. Arif Khan uses hundreds of throwaway .us addresses and multiple IPs. These are the ones I have seen in the past week:
fuldbate.us
excrep.us
buidep.us
xlitisew.us
trunalk.us
ryismeth.us
fjouck.us
duptous.us
certious.us
grembing.us
bablump.us
ghtchity.us
fluitice.us
fjoutte.us
cabatki.us
asatuary.us
echead.us
brooto.us
falert.us
eurness.us
djasynt.us
abubcum.us
emenger.us
ograst.us
hapric.us
Each one comes from a different IP address in the 198.84.76.0/24 range suballocated from Hostwinds to Mak Media. But there's something odd here: Hostwinds haven't allocated a single 256-address /24 block at all; they've allocated 256 separate /32 blocks of one IP address each. This is presumably a trick to make sure that the whole /24 range doesn't get blacklisted at once.
If you are plagued with this spam and have the capability to do so, block all incoming email from and web traffic to 198.84.76.0/24 and it should effectively block it for now. And reporting any spam to abuse -at- hostwinds.com will probably do no harm.. although I suspect it will do little good.
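Per-/32 allocations are easy to re-aggregate, which is the point of the blocking advice above. As an added example (not from the original post), the script below parses rwhois "network:" records into (prefix, customer) pairs, computes the smallest CIDR that covers a set of observed source addresses, and prints the Postfix and iptables lines that block it. Only 198.84.76.172 is named in the post; the other /32s are constructed stand-ins for the "different IP per domain" observation.

```python
"""Re-aggregate per-/32 rwhois allocations into one covering prefix.

Added example, not from the original post. RWHOIS_SAMPLE is a trimmed copy
of the record quoted above; MAK_MEDIA_ALLOCS holds that one real /32 plus
constructed stand-ins for the other per-domain addresses.
"""
import ipaddress
import re

RWHOIS_SAMPLE = """\
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:Customer Organization:Mak Media
network:Customer City;I:BHopal
network:Organization;I:Hostwinds LLC
"""

# "network:Key:value" or "network:Key;I:value" (the ;I suffix marks
# inherited attributes in rwhois output and is dropped here).
_FIELD = re.compile(r"network:([^:;]+)(?:;I)?:(.*)$")


def parse_rwhois(text):
    """Return [(ip_network, customer_org)] for each network record."""
    records, cur = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue                         # banner lines, blank lines
        key, val = m.group(1), m.group(2).strip()
        if key == "Class-Name" and cur:      # a new record starts
            records.append(cur)
            cur = {}
        cur[key] = val
    if cur:
        records.append(cur)
    return [(ipaddress.ip_network(r["IP-Network"]),
             r.get("Customer Organization", ""))
            for r in records if "IP-Network" in r]


def covering_prefix(networks):
    """Smallest single CIDR that contains every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()             # widen by one bit at a time
    return cover


def block_rules(prefix):
    """Postfix client_access entry and host-firewall rule for the prefix."""
    return [
        "%s REJECT suballocated spam source" % prefix,   # /etc/postfix/client_access
        "iptables -A INPUT -s %s -j DROP" % prefix,
    ]


# Constructed: the real allocation plus stand-ins for other /32s that
# rwhois attributes to the same customer.
MAK_MEDIA_ALLOCS = ["198.84.76.172/32", "198.84.76.3/32", "198.84.76.77/32",
                    "198.84.76.201/32", "198.84.76.250/32"]

if __name__ == "__main__":
    for net, customer in parse_rwhois(RWHOIS_SAMPLE):
        print(net, "->", customer)
    cover = covering_prefix(MAK_MEDIA_ALLOCS)
    print("covering prefix:", cover)
    for rule in block_rules(cover):
        print(rule)
```

In practice you would feed covering_prefix() the addresses your mail logs actually saw; once two of them differ in the top bit of the last octet the answer is the whole /24, regardless of how the registry carved it up.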
"Fiserv Secure Email Notification" spam
From: Fiserv Secure Notification [mailto:secure.notification@fiserv.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5
You have received a secure message
Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - KsUs3Z921mA
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).
At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.
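A gateway can triage this sort of lure without sandboxing it, because the password is in the body and ZIP member names are stored in the clear even when the contents are encrypted. The following is an added example, not code from the original post: it lifts the password with a regex, lists the archive, flags executable extensions and the PE "MZ" magic, and decodes the MMDDYYYY date in the filename. The attachment is constructed in memory and is not actually encrypted (the standard library cannot write ZipCrypto); the filename and password are the ones quoted above.

```python
"""Triage a "secure message" lure: password from the body, ZIP contents
checked for executables.

Added example, not from the original post. LURE_BODY is the password line
quoted above; build_sample_zip() constructs an in-memory attachment with a
stub PE named like the one the post reports.
"""
import io
import re
import zipfile
from datetime import datetime

# "password - X" / "password: X". The \s+ after the separator stops
# "password-protected" (also in the lure text) from matching.
PASSWORD_RE = re.compile(r"password\s*[-:]\s+(\S+)", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")
DATE_IN_NAME_RE = re.compile(r"\d{8}")          # MMDDYYYY as in Case_Fiserv_04162013.exe


def extract_password(body):
    """Return the password the lure tells the victim to type, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def triage_zip(zip_bytes, password=None):
    """Inspect every member of a ZIP attachment; return one dict per member.

    Names and the encryption flag are readable without the password, so
    executables are flagged even if decryption fails; with a working
    password the first two bytes are checked for the PE 'MZ' magic.
    """
    findings = []
    pwd = password.encode() if password else None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            f = {"name": name,
                 "encrypted": bool(info.flag_bits & 0x1),
                 "exec_ext": name.lower().endswith(EXEC_EXT),
                 "pe_magic": None,
                 "date_in_name": None}
            m = DATE_IN_NAME_RE.search(name)
            if m:
                try:
                    f["date_in_name"] = datetime.strptime(m.group(0), "%m%d%Y").date().isoformat()
                except ValueError:
                    pass                     # eight digits that are not a date
            try:
                with zf.open(info, pwd=pwd) as member:
                    f["pe_magic"] = member.read(2) == b"MZ"
            except (RuntimeError, zipfile.BadZipFile):
                pass                         # missing/wrong password: keep name-based result
            findings.append(f)
    return findings


def verdict(findings):
    """True if any member looks like an executable by name or by magic."""
    return any(f["exec_ext"] or f["pe_magic"] for f in findings)


# The password line from the lure quoted above.
LURE_BODY = """Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.
To decrypt the message use the following password - KsUs3Z921mA
"""


def build_sample_zip(name="Case_Fiserv_04162013.exe", data=b"MZ" + b"\x00" * 62):
    """Constructed attachment (unencrypted; zipfile cannot write ZipCrypto)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    pw = extract_password(LURE_BODY)
    result = triage_zip(build_sample_zip(), pw)
    print("password:", pw)
    for f in result:
        print(f)
    print("block:", verdict(result))
```

The name-based check is what matters at the gateway: a real sample will carry the encryption flag and a scanner without the password still sees Case_Fiserv_04162013.exe in the directory, which is reason enough to quarantine.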
The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)
Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13