Sponsored by..

Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

This summary is not available. Please click here to view the post.

BBB Spam / Case_0938818_2818.exe

This fake BBB spam has a malicious attachment:

Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]
Subject:      FW: Case IN11A44X2WCP44M

The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.

In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.

We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201 
Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46 at VirusTotal.

Automated analysis of the malware is inconclusive [1] [2] [3] [4], but it does generate outbound traffic to kwaggle.com port 443 on 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife.co.uk on the same server is also hosting malware, I would therefore be suspicious about some of the other sites on the same box.

Recommended blocklist:
64.50.166.122
kwaggle.com
thisisyourwife.co.uk

Monday, 9 September 2013

ygregistry.org domain scam

This Chinese domain scammers never give up, this scam has been seen several times before [1] [2] [3] [4].

From:     Jim Bing [jim.bing@ygregistry.org]
Date:     9 September 2013 14:32
Subject:     Regarding "[redacted]" Cn domain name and Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China.
We received an application from Huaxiang Ltd on September 7, 2013. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistry.org
The whole thing is a fraud. Nobody in China is trying to register your domain name, and in any case registrars are not responsible for checking. They are simply trying to make you panic and buy an overpriced domain that you do not need and will never use.

Malware sites to block 9/9/13, part II

Another set of IPs and domains related to this attack detailed by Sophos, and overlapping slightly with the malicious servers documented here.

I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja.cc) to do evil things.

46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)

Blocklist:
46.20.36.9
74.63.229.252
77.81.244.226
173.243.118.198
198.52.243.229
199.188.206.183
206.72.192.31
213.156.91.110
ahthuvuz.cc
bo0keego.cc
but-kluczit.net
datsbull.net
eevootii.su
ezootoo.su
oogagh.su
oonucoog.cc
queiries.su
thepohzi.su
tohk5ja.cc
wahemah.cc
xigizubu.cc

Malware sites to block 9/9/13

These domains and IPs are associated with this gang, this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Saturday, 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and their servers hacked in order to send spam to their customer list. Something similar has happened before a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:

From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013 14:04
Subject:     Quotation

Hello,

We have prepared a quotation, please see attached

With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability,

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam, an examination of the headers shows that the sending IP is 213.171.204.75 which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email is sent to an address ONLY used to register at dealerbid.co.uk. So, the upshot is that this domain is compromised and it is compromised right now.

The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text, starting thus:

UEsDBBQAAAAIAGiQJENXc/
KQmRoAACj9AQANAAAAUXVvdGF0aW9uLnZic+1dS3PcOJK+K0L/QeHD
Some copy-and-pasting and work with a Base 64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs  with a low VirusTotal detection rate of 4/46.

I really don't know a lot about VBScript, but it's an interpreted language (like Javascript), so with some care you can get it do decode itself for you. The payload of the scripts was delivered by a line
execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)
Changing "execute" to a a series of commands to write a file out.txt can get the script to decode itself and present the deobfuscated code for you.

Set objFSO=CreateObject("Scripting.FileSystemObject")
outFile="out.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin) & vbCrLf
objFile.Close
Obviously, great care should be taken to do this and a throwaway virtual machine is advised in case of errors.

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip.org
146.185.24.207

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47 which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus).. but obviously you need to know what you are doing!

Friday, 6 September 2013

"Scanned Document Attached" spam / FSEMC.06092013.exe

This fake financial spam contains an encrypted attachment with a malicious file in it.

Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From:      Fiserv [Lawanda_Underwood@fiserv.com]
Subject:      FW: Scanned Document Attached

Dear Business Associate:

Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.

You have an important message from Adam_Paul@fiserv.com.
To see your message, use the following password to decrypt attached file: JkSIbsJPPai

If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.

This message will be available until  Saturday Sep 07, 2013 at 17:50:42
EDT4

If you have any questions, please contact your Fiserv representative.

Sincerely,
Your Associates at Fiserv

Additional information about Fiserv Secure E-mail is available by
entering http://www.fiserv.com/secureemail/ into your Web browser and
pressing Enter.


The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached is an encrypted ZIP file which contains part of the victim's email address (or somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47.

The malware then phones home to a site ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data [1] [2] [3] [4] . What happens next is unclear, but you can guarantee that it is nothing good.

Blocking access to ce-cloud.com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it.

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:

Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus.  Full story >>
Rescuing Hannah Anderson

    Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    No one has claimed responsibility for her death, but police suspect militants
    Banerjee wrote "A Kabuliwala's Bengali Wife" about her escape from the Taliban

The link in the email is meant to go to [donotclick]senior-tek.com/tenth/index.html but the "Full story" link has a typo in and goes to senior-tekcom/tenth/index.html (without the dot) instead which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo.it/disburse/ringmaster.js
[donotclick]stages2saturn.com/scrub/reproof.js
[donotclick]www.rundherum.at/rabbiting/irritate.js

From there the visitor is sent to a malicious payload at  [donotclick]luggagepreview.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains listed below in italics.

Recommended blocklist:
174.140.171.207
luggagepoint.de
luggagewalla.com
londonleatherusa.com
luggagejc.com
londonleatheronline.com
luggagecast.com
luggage-tv.com
luggagepreview.com
dyweb.info
yesrgood.info
dai-li.info
expopro.info
crediamo.it
stages2saturn.com
www.rundherum.at

Something evil on 37.59.164.209 (OVH)

37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.

Recommended blocklist:
fat-jaguar.info
amazingfingerprint.pingpong-shop.info
androidexclusiveaccepted.soda-waters.info
annesindecisive.ru
antilostprivacystar.soda-waters.info
arrayschamp.pingpong-shop.info
atomicexcelled.pingpong-shop.info
bisnothings.picture-editorsplus.com
bumpyrogue.pingpong-shop.info
cheerskasperskys.get-well-now.info
compilingresolved.get-well-now.info
compositingupfront.soda-waters.info
couponexposes.pingpong-shop.info
defraggingentire.soda-waters.info
designationrim.pingpong-shop.info
dipsisolated.ru
distortstrand.picture-editorsplus.com
droidsreceiver.pingpong-shop.info
errorannouncement.get-well-now.info
experttouserhome.picture-editorsplus.com
fdrsitelets.picture-editorsplus.com
flauntmalwarefighting.ru
fsecurevitas.picture-editorsplus.com
get-well-now.info
jfaxbike.get-well-now.info
karmic-koala.info
kudosphilly.picture-editorsplus.com
laguardiaduly.soda-waters.info
maoctopus.get-well-now.info
meaningsvisor.get-well-now.info
middletierpreventionandcleanup.picture-editorsplus.com
mtvmick.get-well-now.info
mypalmbehaviors.picture-editorsplus.com
nicesoundingextracting.soda-waters.info
noncopyrightprotectedfipscertified.soda-waters.info
nonstopeverconnected.soda-waters.info
offlineclosets.soda-waters.info
pbsearns.get-well-now.info
performgenre.soda-waters.info
pingpong-shop.info
plannerwaiter.get-well-now.info
reopeningphenomenal.pingpong-shop.info
retainedamazoncom.soda-waters.info
satiategb.get-well-now.info
savedtranscodes.soda-waters.info
soda-waters.info
treestructurezeroes.pingpong-shop.info
turbotwisttristate.get-well-now.info
wavelinkswing.pingpong-shop.info
webcontentfaces.ru
www.fat-jaguar.info
xmlbasedautomaticupdate.pingpong-shop.info

certificationthumbtack.job-orders.info
club-sandwich.info
datver.job-orders.info
job-orders.info
mirrorskitschy.job-orders.info
mountain-lion.biz
onion-sauce.com
openglkinectd.job-orders.info
poolseeming.job-orders.info
smallerwebspecific.job-orders.info
trendmicroaddfiletobackup.ru
tweakshunting.job-orders.info

Thursday, 5 September 2013

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:

From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook
   
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
         
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The link in the email uses an obscure URL shortening serving to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:

[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js

The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.

Recommended blocklist:
74.207.227.154
jgburgerlounge.ca
jngburgerjoint.ca
jngburgerjoint.com
johnmejalli.com
justcreature.com
justmonster.com
kalcodistributors.com
kapcotool.com
00398d0.netsolhost.com
japanesevehicles.us
202.212.131.8

Wednesday, 4 September 2013

HSBC spam / Original Copy (Edited).zip

This fake HSBC spam links to a malicious ZIP file:

Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)


Dear Sir/Madam,

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Kindly Accept Our apology On the copy we sent earlier.

1 attachments (total 586 KB)
View slide show (1)
Download all as zip

Yours faithfully,
Global Payments and Cash Management
HSBC


Copyright © HSBC Group 2013. All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.

"SAVE PAPER - THINK BEFORE YOU PRINT!"


The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.

The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (185.28.21.26, Hostinger International US) which might be worth blocking.

PayPal spam / dshapovalov.info

This fake (and badly formatted) fake PayPal spam email leads to malware on dshapovalov.info:

Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

ID

Transaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT } The history of monetary transactions 

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro,com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack. There are other hijacked GoDaddy domains on the same domain (listed below in italics).

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
journeyacrossthesky.com
dshapovalov.info
watchfp.net
dshapovalov.info

mineralmizer.webpublishpro.com
northeastestateagency.co.uk
81.143.33.169

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Recently I have been suggesting reader block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many IPs I had been suggesting until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites.

First of all, let's look at the warnings I have given about this IP range just in this blog alone (ignoring all external sources):


173.246.101.146
CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com
173.246.102.2
Malware sites to block 7/3/13
173.246.102.223
Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
173.246.102.246
Something evil on 173.246.102.246
173.246.103.26
ADP spam / 14.sofacomplete.com
173.246.103.59
Malware sites to block 23/11/12
173.246.103.112
Malware sites to block 22/11/12
173.246.103.124
Malware sites to block 23/11/12
173.246.103.184
Malware sites to block 23/11/12
173.246.104.104
Something evil on 173.246.104.104
173.246.104.136
CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
173.246.104.154
Something evil on 173.246.104.154
173.246.104.184
PayPal spam / londonleatheronline.com
173.246.104.21
Malware sites to block 23/11/12
173.246.104.55
"INCOMING FAX REPORT" spam / chellebelledesigns.com
173.246.105.15
eFax / jConnect spam and eliehabib.com
173.246.106.150
"Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip


So, curious about how bad the situation was I went off to identify servers currently hosting malware, and the list I came up with was:


173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185


That's quite a concentration of badness. You can see a full list of the malicious domains, WOT ratings, Google prognosis and SURBL codes here [csv]. There's a plain list of domains at the end of the post for copy-and-pasting.


Now, normally I would recommend blocking at least a /24 when dealing with this sort of level badness, but as this overview of the /20 shows [csv] there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage.. if you are hosted in this range then I suggest it is time to look for a new host.



Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.


Recommended blocklist:
173.246.102.2
173.246.102.202
173.246.102.223
173.246.102.250
173.246.103.47
173.246.103.191
173.246.103.232
173.246.104.52
173.246.104.55
173.246.104.104
173.246.104.128
173.246.104.154
173.246.104.184
173.246.104.185
17.247nycr.com
17.247nycrealty.com
17.allianceyouthsports.com
17.americanseniorgazette.net
17.apielectrical.com
17.apipoolservice.com
17.bearfoothouse.com
17.bestbysouthwest.net
17.bradentons-finest.com
17.carlileenrollment.com
17.ccbenroll.com
17.chefsenrollment.com
17.culliganwaternet.com
17.culliganwaternet.net
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.deborahramanathan.com
17.docholidaybanners.com
17.doorssanantoniocom.com
17.drdeborahramanathan.com
17.enrollmentforce.com
17.entrepreneursnetworkofmichigan.com
17.foodypon.com
17.foodypon.info
17.grantmassie.com
17.grantmassie.net
17.grantmassie.org
17.heyculliganman.net
17.kathybissell.com
17.kbgolfcoursesales.com
17.kingdom-mystery.org
17.landvirginia.com
17.lascrittore.com
17.ledbymmhd.com
17.lonestarenrollment.com
17.lwrbeerfestival.com
17.meccandivinity.com
17.mmholidaydecor.com
17.moffdomains.com
17.nstarbankenrollment.com
17.opti-max.com
17.optimax.us
17.paperlessenrollment.com
17.paperlessenrollments.com
17.productpurveyors.com
17.quakertownfamilydoctor.com
17.rbasa.com
17.rbasanantonio.com
17.redtreebookings.com
17.renewenrollment.com
17.sanantoniodoors.net
17.sanantoniohardiplank.com
17.sanantoniosiding.com
17.sanantoniosiding.net
17.sanantoniowindows.net
17.scottbarr.org
17.seniorgazette.org
17.seniorgolfrankings.com
17.soonerflight.com
17.southwestexteriors.com
17.texcoteproblems.com
17.thebusiness-solutions.com
17.themarketmakers.org
17.thetelecomgroup.com
17.ultimateserviceexperience.com
17.ultimateserviceguarantee.com
17.valuationwidgets.com
17.vinyl-windows.org
17.webezmarketing.com
17.worldclassexteriors.com
17.yourbrokerforlife.com
1800callabe.com
1866callabe.com
19.accentchicagostore.com
19.advancedweb2solutions.com
19.campaignsusa.com
19.collectiblesminnesota.com
19.diet4usa.org
19.floridafractionalproperty.com
19.floridafractionalrealestate.info
19.floridafractionalrealestate.us
19.giftbasketminnesota.com
19.giftminn.com
19.giftminnesota.com
19.giftmn.com
19.giftsfromminnesota.com
19.giftsminnesota.com
19.icandyliciousshop.com
19.icandyliciousstore.com
19.icandysugarshoppe.com
19.icandysugarshoppe.org
19.kitchenandbathatlanta.com
19.kodiakgaming.com
19.lovefromchicago.com
19.lovefromchicagostore.com
19.lovefromcompanies.com
19.lovefrommn.com
19.minngift.com
19.minnsotagifts.net
19.minnstore.com
19.mngift.com
19.navypierstore.com
19.northwoodscabinstore.com
19.pacifictusk.com
19.pacifictuskbuilders.com
19.souvenirminnesota.com
19.storeminn.com
19.sunburstsouvenirs.com
19.sunburstsouvenirs.info
19.sunburstsouvenirs.net
19.thelovefromcompanies.com
21.3to2converter.com
21.aribadellago.com
21.az55pluscommunity.com
21.baleraatfirerock.com
21.bringmemyleads.biz
21.bringmemyleads.com
21.bringmemyleads.info
21.bringmemyleads.net
21.bringmemyleads.org
21.bringmemyleads.us
21.cedrictherealtor.com
21.cedricthevegasrealtor.com
21.cordilleraatcopperwynd.com
21.crestviewatfountainhills.com
21.customswitchpanel.com
21.homesbythefountain.com
21.liquidstainedglass.com
21.liveinfountainhills.com
21.liveinlassendas.com
21.luxuriousscottsdale.com
21.wow-bottles.com
23.area-plumbing-company.com
23.garryowen.biz
23.goalsettingprogram.biz
23.mdvideoproduction.com
4.whereintuscany.com
4.whereintuscia.com
4.whereinumbria.com
4.whereinvaldaosta.com
4.whereinveneto.com
6.bbnface.com
6.bbnfaces.com
6.bbnfaces.net
6.mamasauction.com
6.mamaswishes.com
6.mamaswishes.net
6.mamaswishes.org
abemoussa.com
abemuggs.com
abes.co
abes.net
abesburger.com
biobcetsozxzxifwchyxxslfcaxws.info
byvcxdydxgyzxqwvnqktgpbfm.com
chellebelledesign.com
chellebelledesigns.com
eaeobxgtsvsjzljwkskvcaegqyay.net
findmynewschool.com
findyourpetcare.info
findyourpetcare.net
findyourpetcare.org
folsomdogplay.com
folsomdogs.com
folsomdogtrainingschool.com
godogresort.com
gottaghost.com
gottagirl.net
greawsome.com
gubmpfypeisctovkgaqghircxsfqlqc.biz
ingeuswghskzddxxlvgmqpvk.net
janetmoss.com
jerseycitybags.com
jerseyluggage.com
jmosswinery.com
jrzlzhmrwomfhaeqclwokvdm.net
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
kneetite.com
kzusdyhpypeavgltsjvdljpvojqg.com
labodysculpt.com
lacellulaze.com
laserabs.com
laserbod.com
laserbodycontour.com
laserbodyfit.com
laserbodysculpt.com
laserbodysculpt.info
laserbodysculpt.net
laserbodysculpt.org
laserbodytight.com
laserfigure.com
laserlipobanking.com
laserlipofirm.com
laserlipomanhattan.com
laserlipoplasticsurgeon.com
laserlipo-plasticsurgeon.com
laserlipoplasticsurgeons.com
laserlipo-plasticsurgeons.com
laserlipopro.com
laserliposolution.com
laserlipotight.com
laserlipotopdocs.com
laserniptuck.com
laserpecs.com
laser-sculpt.com
laser-sculpting.com
lasertoned.com
lasertuck.com
lazersculpt.com
lazertite.com
lidlaser.com
lidtight.com
lipo-exatlanta.com
lipo-exbeverlyhills.com
london-leather.com
magnetas.mx
marinedockladders.com
marzenamelby.com
minneapolisareareosales.com
minneapolisforeclosuredeals.com
pciinvbupnxkfatrsuhicuaue.net
prdqjfhwookftucvkwclhyzlyt.biz
premiumrentalproperty.com
remote-recording-mixing.com
rglrlprbayscvwfkqmbqtkj.com
rockvilleautobody.biz
roll-on-bracelets.info
scnrpnqojbaymfvclcdqhtpdi.org
share.afghans.net
shuofrpvcyukzgqnjbykrvkddu.com
stevecozz.com
tgvwvofaamqcciqhiqoutoprwkqwjn.com
theinternetchauffeur.biz
the-internet-chauffeur.com
trippling.com
twbevoabakbrghlnfylbuempvmfmb.org
twincitiesfamilywellness.com
veolux.com
yhlnibrgxwxplfjsoauondhunv.com
ylhqlrgqxgordeytindafukreqjvtw.info

Something evil on 174.140.168.239

The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].

It looks like this server has been active for a couple of months and has been used for a variety of evil purposes, I strongly recommend blocking the following:

174.140.168.239
50shadesofshades.com
50shadesofsunshades.com
800fragrances.com
aeroliteluggage.com
aerotechluggage.com
babysurplusshop.com
bagcast.com
bagd.us
bagdup.com
baggagereviews.com
bagpreview.com
bagpreviews.com
bagsare.us
bagsr.me
bagsr.us
bagswalla.com
bag-tv.com
bhanoteenterprises.com
carluccileather.com
carluccileathers.com
checkpointbackpacks.com
checkpoint-friendly-backpacks.com
checkpoint-friendly-bag.com
checkpoint-friendly-bags.com
checkpointfriendlybusinesscases.com
checkpointfriendlylaptopcases.com
checkpoint-friendly-laptopcases.com
checkpoint-friendly-luggage.com
checkpointfriendlytravelaccessories.com
checkpoint-friendly-travel-accessories.com
checkpointluggage.com
chimneycapsupply.com
clotheswalla.com
consumerluggage.com
coolstowage.com
copperguttersupply.com
couponwalla.com
dealdin.com
eguttersupply.com
filterflowgutterguard.com
guttersupply.mobi
iguttersupply.com
micromeshguttercover.com
micromeshleafguard.com
ornamentalgutters.com
radiantcarbonheat.com
roofmaterialsupply.com
roofpanelsupply.com
rooftilesupply.com
shinglesupply.com
slatesupply.com
solarroofingsupply.com
thinkgreensupply.com
vidaline.com

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:

Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:

The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice porfolio. Anyway.. the link in the email uses a shortening service:

[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js


The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net

safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de

Tuesday, 3 September 2013

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:

Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.

Recommended blocklist:
173.246.104.184
jerseycitybags.com
jerseyluggage.com
kennethcolenyoutlet.com
kiddypals.com
kidswalla.com
kitchenwalla.com
london-leather.com
londonleatheronline.com

ftp.casacalderoni.com
tuviking.com
walegion.comcastbiz.net