Tuesday, 10 December 2013

"EUROPOL" scareware / something evil on 193.169.87.247

193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains:

a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com

The scareware is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:


Europol   EUROPEAN CYBERCRIME CENTRE    Europol EC3

All activities of this computer have been recorded. All your files are encrypted.

ATTENTION!

All your files are encrypted to prevent their distribution and use.
Due to violations of the law, your browser has been blocked
because of at least one of the reasons below.

1. You have been subjected to violation of Copyright and Related Rights Law and illegally using or distributing copyrighted contents such as Video, Music or\and Software (files were found in your browser's temporary files and your documents), thus conflicting with Article 1, Section 8, Clause 8 of the Criminal Code of the United Kingdom.
Article 1, Section 8, Cause 8 of the Criminal Code states a fine or two hundred minimal wages or a deprivation of liberty of two to eight years.
2. You have been viewing or distributing prohibited Pornographic contents: Child Porno photos and such, were found in browser's temporary files and your documents.
Thus, you are violating article 202 of the Criminal Code of the United Kingdom. Article 202 of the Criminal Code states a deprivation of liberty of four to twelve years.
3. Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected with malware, thus you are violating the law of Neglectful Use of your Personal Computer. Article 210 of the Criminal Code declares a fine of up to £50,000 and/or deprivation of liberty of four to nine years.
Pursuant to the amendment of the Criminal Code of the United Kingdom of May 28, 2011, this law infringement (if it is a first time offence) may be considered as conditional in case you pay the fine.

To unlock your computer and avoid other legal consequences, you are obliged to pay a release fee of £200, payable through Ukash (you must purchase the Ukash card and enter the code). You can buy the card at any store or gas station, payzone or paypoint.

Find the nearest epay or payzone location.
Go to any location with a PayPoint or Payzone terminal.
Ask for Ukash: £200.00 (one voucher code).

Please note: Fine can only be paid within 12 hours. As soon as 12 hours expire, the possibility to pay the fine is lost forever. All your PC data will be detained and criminal's procedure will be initiated against you if the fine will not be paid!

The text varies depending on the country the visitor is in, for example URLquery displays the text in Norwegian.

 The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207.com (for example), you get europol.europe.eu.id176630100-8047697129.f1207.com instead which looks a little more official. You can see some more examples here.
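The decoration trick above only works if the blocklist is matched naively. Below is an added example (my own code, not from the original post) showing how a defender can match hostnames against the post's recommended blocklist so that any subdomain of a listed domain is caught, while a lookalike such as notf1207.com is not. The blocklist entries are the IP and six domains from the post; the proxy log lines are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Blocklist from the post: one IP and the six scareware domains.
BLOCKED_DOMAINS = {
    "a1751.com", "b4326.com", "d2178.com",
    "f1207.com", "h5841.com", "k6369.com",
}
BLOCKED_NETWORKS = [ipaddress.ip_network("193.169.87.247/32")]

# Constructed proxy log lines for the example: "<client ip> <url>".
SAMPLE_LOG = [
    "10.0.0.5 http://europol.europe.eu.id176630100-8047697129.f1207.com/index.php",
    "10.0.0.6 http://www.example.com/",
    "10.0.0.7 http://193.169.87.247/landing",
    "10.0.0.8 http://notf1207.com/",
]


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'F1207.COM.' matches 'f1207.com'."""
    return host.strip().lower().rstrip(".")


def matching_blocked_domain(host: str):
    """Return the blocked domain that `host` equals or sits beneath, else None.

    Walks up the label chain, so the decorated hostname
    europol.europe.eu.id176630100-8047697129.f1207.com is caught by the
    plain f1207.com entry. A name that merely contains a blocked string
    (notf1207.com) is not a subdomain and is not matched.
    """
    labels = normalise_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def matching_blocked_network(ip: str):
    """Return the blocked network (as a string) containing `ip`, else None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # not an IP literal at all
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return str(net)
    return None


def is_blocked(target: str) -> bool:
    """True if `target` (hostname or IP literal) is covered by the blocklist."""
    return (matching_blocked_network(target) is not None
            or matching_blocked_domain(target) is not None)


def scan_log(lines):
    """Return (client, host, matched_entry) for every log line that hits the blocklist."""
    hits = []
    for line in lines:
        client, url = line.split(None, 1)
        host = urlparse(url).hostname or ""
        reason = matching_blocked_network(host) or matching_blocked_domain(host)
        if reason:
            hits.append((client, host, reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host} (blocked by {reason})")
```

The same suffix walk applies to the per-country subdomains the post mentions; it is also why blocking the registrable domain is enough even when the attacker rotates the decorative labels in front of it.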

All the domains in use are registered through scam-friendly registrar BIZCN to:

Registrant Name: Zhong Si
Registrant Organization: Xicheng Co.
Registrant Street: Huixindongjie 15  2
Registrant City: Beijing
Registrant State/Province: Chaoyang
Registrant Postal Code: 101402
Registrant Country: cn
Registrant Phone: 01066569215
Registrant Phone Ext:
Registrant Fax: 01066549216
Registrant Fax Ext:
Registrant Email: zhongguancun@yahoo.com


Now, I would normally suggest that the WHOIS details were fake but a Google search for the email address shows that it has been active for over two years including this injection attack I documented in September 2011. It is possible therefore that Zhong Si and Xicheng Co are actually responsible.

193.169.87.247 is registered to "PE Ivanov Vitaliy Sergeevich" (i.e. Vitaliy Ivanov or Виталий Сергеевич Иванов) as follows:

organisation:   ORG-IV2-RIPE
org-name:       PE Ivanov Vitaliy Sergeevich
org-type:       OTHER
address:        42-A Tobolskaya street, office 230, Kharkov, Ukraine
mnt-ref:        MNT-IV25
mnt-by:         MNT-IV25
source:         RIPE # Filtered


193.169.87.247 forms part of 193.169.86.0/23 (AS48031), which has a so-so reputation according to Google; it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.

Recommended blocklist:
193.169.87.247
a1751.com
b4326.com
d2178.com
f1207.com
h5841.com
k6369.com

Update: a similar attack has also taken place on 193.169.86.250 on the same netblock.

Monday, 9 December 2013

Malware sites to block 9/12/2013

These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:

organisation:   ORG-RL152-RIPE
org-name:       R5X.org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@r5x.org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


R5X.org IPs have featured a couple of times before here [1] [2] so I would suggest blocking any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.

37.59.232.208/28
37.59.254.224/28
activresa.biz
adskills.biz
aircoach.biz
alertnovel.biz
alertsieve.biz
allba.biz
allbat.biz
alldental.biz
analyzebroil.biz
appcars.biz
appgather.biz
appraisecore.biz
artgauther.biz
artgolf.biz
assaythink.biz
assessimprovise.biz
assessinspire.biz
assessjell.biz
atvilla.biz
auditform.biz
auditinnovation.biz
autosquare.biz
bighype.biz
biovote.biz
bizspiecial.biz
blackconstruction.biz
blackla.biz
booktv.biz
brandprinting.biz
briefsearch.biz
celectgenuine.biz
checkcan.biz
checkimprovise.biz
checklead.biz
checkoriginal.biz
checkouthash.biz
checkoutimprovise.biz
checkoutinnovation.biz
checkoutmint.biz
choiceoil.biz
choiceprogress.biz
choiceshell.biz
citycomputer.biz
classicbon.biz
clickresearch.biz
codeway.biz
commentfocus.biz
comwin.biz
coolcraft.biz
cosong.biz
creativegeo.biz
critiqueoriginal.biz
critiquepreserve.biz
dailyaqua.biz
dailyteach.biz
dailyyaqua.biz
datasoccer.biz
degreeaerate.biz
degreedream.biz
degreeforward.biz
degreefresh.biz
degreeimage.biz
designdating.biz
diagnosethink.biz
diagnoseturn.biz
digitalquant.biz
digitalra.biz
directtiny.biz
discussexplore.biz
discussinspire.biz
djmeta.biz
drcoupon.biz
eurosync.biz
evaluatebrown.biz
evaluatefresh.biz
examinesearch.biz
experptware.biz
expertsurvey.biz
eyenovel.biz
eyerise.biz
eyethink.biz
facequant.biz
feedbackfresh.biz
feedbackmove.biz
firstozip.biz
firststudy.biz
flypanda.biz
flyradio.biz
foodneo.biz
freebill.biz
funelectronics.biz
gaugefuture.biz
gaugegenuine.biz
gaugeimage.biz
globalhoneydo.biz
gotpuppy.biz
gradefocus.biz
gradeimagine.biz
gradeschange.biz
gradesdesign.biz
gradesfresh.biz
gradesimagine.biz
gradewhisk.biz
hexvox.biz
ideatablet.biz
ideawatches.biz
imagepop.biz
inspectionprogress.biz
inspectstrategy.biz
instantconsulting.biz
instaontent.biz
interbpixo.biz
interfx.biz
interloan.biz
interpixo.biz
jobgrow.biz
judgebegins.biz
judgelab.biz
judgelabzs.biz
learinatlas.biz
learnatlas.biz
lifehuman.biz
lightcasa.biz
likecore.biz
localbuddy.biz
lookbackcreate.biz
lookbackgenuine.biz
lookbackidea.biz
lookdevelop.biz
macresume.biz
magicse.biz
mapchawalit.biz
mapmchawalit.biz
mapmove.biz
mapsport.biz
markforge.biz
maxliberty.biz
mccolor.biz
measurefocus.biz
measurewedge.biz
medialiving.biz
mediavliving.biz
megalittle.biz
megasi.biz
micromicro.biz
microtheme.biz
miniint.biz
morecrm.biz
moreve.biz
moviehello.biz
movielegal.biz
movieprice.biz
neodating.biz
netknowledge.biz
newsnice.biz
newtellypioneet.biz
nextsuccess.biz
notesee.biz
noticechange.biz
noticedream.biz
noticegenuine.biz
observebrown.biz
observewedge.biz
okmagazine.biz
onbytce.biz
onbyte.biz
onlincerobo.biz
onlinerobo.biz
openphotography.biz
optioncoddle.biz
optionescallop.biz
optionstrategy.biz
ournext.biz
ourrecipe.biz
overvieworiginal.biz
perfectcore.biz
peterqwwhite.biz
petfaast.biz
petwhite.biz
petzen.biz
photosuper.biz
pickmarinate.biz
planetbright.biz
planextbright.biz
playgraphics.biz
playlittle.biz
pointname.biz
pointtraining.biz
polypink.biz
popmom.biz
popmotm.biz
powerrtie.biz
probediscover.biz
profilechange.biz
profilepioneer.biz
profreelance.biz
profrqeelance.biz
projectcharity.biz
provote.biz
qualitybegin.biz
qualitycan.biz
qualityconcept.biz
qualitydebone.biz
qualityschirr.biz
questnew.biz
rangeinspire.biz
rangerender.biz
rangetop.biz
rankmodern.biz
ratebigdata.biz
ratedream.biz
rateimagine.biz
ratewish.biz
readdiscover.biz
readstrategy.biz
readvisionary.biz
recapgenuine.biz
recapimagination.biz
redbike.biz
redbiqke.biz
remarkdevelop.biz
remarkinstitute.biz
reviewmint.biz
reviewstyle.biz
revuewhisk.biz
runfair.biz
safemeta.biz
savedash.biz
savedecor.biz
saydeglaze.biz
sayinstitute.biz
sayzest.biz
scanbeat.biz
scanskewer.biz
scoringfocus.biz
scoringsprinkle.biz
scoutforward.biz
scoutinstitute.biz
scoutsearch.biz
scoutskewer.biz
screenthink.biz
searchcars.biz
seekbodybuilding.biz
seekdiet.biz
seekimg.biz
seekiumg.biz
seelabs.biz
selectexplore.biz
selectjell.biz
sentrymeasure.biz
sentrymodern.biz
shakedownconcept.biz
shakedowngrease.biz
sharework.biz
sharpice.biz
silvekrkitchen.biz
silverkitchen.biz
simplegeo.biz
simpllegeo.biz
simplyportal.biz
simplyvintage.biz
skycrnedit.biz
socialtrain.biz
sociaulmicro.biz
softanimal.biz
softflex.biz
spaceshow.biz
star123.biz
startprinting.biz
studibothe.biz
studiothe.biz
surveyskim.biz
surveywedge.biz
tecepimeginetion.biz
tectideel.biz
televintage.biz
testmash.biz
testthink.biz
tettocpenewctmove.biz
thinkisoftware.biz
thinkmetal.biz
thinkurban.biz
tickersweeten.biz
ticketdnewevelop.biz
tierovercook.biz
tierwarm.biz
tnewecepcteete.biz
true3d.biz
truetrack.biz
trydiscover.biz
tryforward.biz
ttyvicionety.biz
urbanyour.biz
usaab.biz
usafuture.biz
usalion.biz
usana.biz
usanat.biz
usatrvack.biz
videoleo.biz
vipscan.biz
vipwicsh.biz
virtualpush.biz
virtuqalspark.biz
watchgel.biz
webbipolar.biz
winarc.biz
worlddigest.biz
wwwems.biz
youcoqnsultant.biz
yourform.biz
yourglaze.biz
youtgenuine.biz
zenweight.biz

1stnerd.biz
activesa.biz
aerofinance.biz
airlead.biz
airmicro.biz
alertcaramelize.biz
alertimagine.biz
alertpulp.biz
alerttenderize.biz
analyzeidea.biz
analyzeknead.biz
analyzesteep.biz
appraisesliver.biz
appwebdesign.biz
artgather.biz
artimpact.biz
assayinspire.biz
assayseparate.biz
assessfocus.biz
assessoil.biz
assessscore.biz
assesssoak.biz
assesssteam.biz
assessstir.biz
assessturn.biz
assesswhisk.biz
auditbarbecue.biz
auditcut.biz
auditgel.biz
auditserve.biz
autoglam.biz
besttechnology.biz
bizspecial.biz
blackhoneydo.biz
briefjell.biz
browsegarnish.biz
browsejell.biz
browsezest.biz
checkoutmeasure.biz
checkoutroll.biz
checkoutsnip.biz
checkparboil.biz
checkpercolate.biz
choicesear.biz
cityju.biz
clickdiscover.biz
commentbarbecue.biz
commentbrown.biz
commentdevil.biz
commentpeel.biz
commentpress.biz
commentseason.biz
considerbaste.biz
considerclarify.biz
considerscramble.biz
considershuck.biz
coolcv.biz
coolno.biz
cosmogift.biz
criticalescallop.biz
criticalmeasure.biz
criticalsear.biz
criticizebaste.biz
criticizeoil.biz
criticizesouse.biz
critiquechurn.biz
critiquemint.biz
critiquesoak.biz
critiquestrain.biz
critiquesweeten.biz
cybervirtual.biz
cynopcnewicleb.biz
datasearch.biz
decadiet.biz
decaintel.biz
decavo.biz
degreeinnovate.biz
degreeshuck.biz
diagnosegrind.biz
diagnoseimagine.biz
diagnosemicrowave.biz
diagnosethin.biz
diagnosetruss.biz
digiedu.biz
digitoalquant.biz
discussblend.biz
discussdesign.biz
djcraft.biz
djposot.biz
djpost.biz
djzen.biz
dot123.biz
drimpact.biz
ecoemail.biz
ecoify.biz
ecotrans.biz
eduwi.biz
euroalt.biz
evaluatebaste.biz
evaluatejell.biz
evaluatemix.biz
expertware.biz
explorelab.biz
explorepeel.biz
eyeflambe.biz
eyefreeze.biz
eyemold.biz
feedbackbroil.biz
feedbackgrate.biz
feedbackserve.biz
feedbackskin.biz
feelinnovate.biz
feellayer.biz
feelroll.biz
feelseason.biz
feelstir.biz
firstzip.biz
freepush.biz
freshcloud.biz
funrealty.biz
futureaqua.biz
futurecake.biz
futuregeo.biz
gamemon.biz
gaugebeat.biz
gaugegrease.biz
gaugeice.biz
gaugerender.biz
getventure.biz
goking.biz
gotus.biz
gradeaerate.biz
gradeaerateq.biz
gradefreeze.biz
gradesbatter.biz
gradescallop.biz
gradesfold.biz
gradesinnovation.biz
gradesmash.biz
greatsimply.biz
healthvintage.biz
higifts.biz
homecomputer.biz
ideascript.biz
ideasurf.biz
ideawwatches.biz
imagemag.biz
imdinrectory.biz
imdirectory.biz
infoobesity.biz
inspectglaze.biz
inspectinstitute.biz
inspectoriginal.biz
inspectsnip.biz
inspecttoast.biz
instantdevelopment.biz
instantent.biz
interloanz.biz
internetcrea.biz
ithealthcare.biz
iwantfilm.biz
iwantmega.biz
judgecaramelize.biz
judgecured.biz
judgeresearch.biz
learnsolutions.biz
levitin.biz
lifelocal.biz
lightfund.biz
likebutterfly.biz
likegel.biz
likehash.biz
likescramble.biz
lookbackskim.biz
lookbackvisionary.biz
lookbackwhip.biz
lookmicrowave.biz
lookpoach.biz
lookrefrigerate.biz
lookshred.biz
looktoast.biz
lovedo.biz
mackids.biz
mapviral.biz
markbegin.biz
markchop.biz
markcut.biz
markjell.biz
marksaute.biz
markskewer.biz
measurefry.biz
measurelabs.biz
measurerefrigerate.biz
measuresaute.biz
megaperformance.biz
metahitech.biz
metartri.biz
metatri.biz
microelastic.biz
minidelivery.biz
moreycrm.biz
mrhits.biz
mrhiuts.biz
mrroom.biz
mychurn.biz
myfroth.biz
mypioneer.biz
mypoach.biz
myseparate.biz
neopan.biz
neosource.biz
netveri.biz
nextsolid.biz
nextvoice.biz
notebeat.biz
notebraise.biz
notebread.biz
notebutterfly.biz
notegrease.biz
notequarter.biz
noterender.biz
noteresearch.biz
noticebake.biz
noticefry.biz
observemodern.biz
observemold.biz
okimmo.biz
onsweet.biz
optionpoach.biz
ourbooks.biz
overviewbind.biz
overviewform.biz
overviewoil.biz
oxyhelp.biz
pcincome.biz
petfast.biz
pickheat.biz
pickquarter.biz
picksearch.biz
picksweeten.biz
pickvision.biz
pointsdevelop.biz
pointsgrate.biz
pointsnovel.biz
pointsstyle.biz
pointswarm.biz
powertie.biz
probebrush.biz
probedrain.biz
probemint.biz
probeshred.biz
profilebarbecue.biz
profilefrost.biz
profileprocess.biz
profilesmoke.biz
qualitydough.biz
qualitymeasure.biz
qualityroast.biz
qualityscald.biz
questdebone.biz
questdeglaze.biz
questflavor.biz
questflip.biz
questimprovise.biz
questmodern.biz
questsee.biz
questthin.biz
questtoast.biz
rangebutterfly.biz
rangedice.biz
rangedough.biz
rangeglaze.biz
rangeinnovation.biz
rangemash.biz
rangetopz.biz
rankbeat.biz
rankjulienne.biz
rankshred.biz
rateescallop.biz
rateidea.biz
rateideal.biz
rateschirr.biz
readfrost.biz
readinstitute.biz
readroll.biz
readthicken.biz
recapblacken.biz
recapbread.biz
recapcream.biz
redcoffee.biz
redopginion.biz
redopinion.biz
remarkage.biz
remarkblanche.biz
remarkboil.biz
remarkdip.biz
remarkferment.biz
remarkgenuine.biz
remarkheat.biz
remarkjell.biz
remarkpreserve.biz
remarktruss.biz
retrospectblend.biz
retrospectcreate.biz
retrospectdeglaze.biz
retrospectferment.biz
retrospectfuture.biz
retrospectquarter.biz
retrospectschange.biz
reviewimprovise.biz
reviewsear.biz
reviewunmold.biz
revuecream.biz
revuedevelop.biz
revuegrate.biz
revueimage.biz
revuelayer.biz
revuepuree.biz
rungeek.biz
runpoker.biz
runrank.biz
safeconsult.biz
saverobot.biz
sayfilter.biz
saygarnish.biz
sayglaze.biz
sayheat.biz
scangrease.biz
scanimagination.biz
scannew.biz
scanpress.biz
scansmoke.biz
scoredecorate.biz
scoredescale.biz
scoreferment.biz
scoremacerate.biz
scoresliver.biz
scorevision.biz
scoringbatter.biz
scoringboil.biz
scoringchange.biz
scoringdiscover.biz
scoringleaven.biz
scoringoriginal.biz
scoringsimmer.biz
scoringthin.biz
scoutdescale.biz
scoutnovel.biz
screenchop.biz
screenpreserve.biz
screentemper.biz
searchbe.biz
seepercolate.biz
seepoach.biz
selectdiscover.biz
sentryprepare.biz
sentrysnip.biz
sentrytoss.biz
sentrywedge.biz
shakedownclarify.biz
shakedowncreate.biz
shakedowndry.biz
shakedowngel.biz
shakedowngenuine.biz
shakedownpoach.biz
shakedownpress.biz
shakedownprocess.biz
shakedownzest.biz
sharerebel.biz
sharpmy.biz
silversuccess.biz
silversurvival.biz
simplefreelance.biz
skycredit.biz
skyipad.biz
socialmicro.biz
sosecure.biz
spyjuice.biz
spymac.biz
spyslice.biz
studioroom.biz
studygarnish.biz
summarychar.biz
summarycut.biz
summaryfold.biz
sunmagazine.biz
surveygarnish.biz
surveyinfuse.biz
surveythink.biz
synopsisrender.biz
synopsiswhisk.biz
tallydough.biz
tallydrain.biz
tallyglaze.biz
tallymicrowave.biz
tallyoil.biz
tallysaute.biz
tallystyle.biz
testchop.biz
testdice.biz
testdrizzle.biz
testmelt.biz
testresearch1.biz
testrub.biz
thinkgame.biz
thinksoftware.biz
tickercaramelize.biz
tickerfrost.biz
tickerseason.biz
tierchurn.biz
tierdesign.biz
tierpreserve.biz
timequality.biz
tradeenergy.biz
truehotels.biz
trybeat.biz
tryblacken.biz
trybrown.biz
trybutterfly.biz
ultrafa.biz
usatrack.biz
valuesoak.biz
videocoffee.biz
viewbind.biz
viewbroil.biz
viewform.biz
viewmold.biz
viewresearch.biz
viewseason.biz
vipwish.biz
virtualspark.biz
watchflavor.biz
watchimprovise.biz
watchsteam.biz
worldfish.biz
worldninja.biz
youconsultant.biz
yourcore.biz
yourdeglaze.biz
yourdip.biz
yourflavor.biz
yourflip.biz
yourmint.biz
yourmodern.biz
yoursear.biz
yourtheme.biz
yourthink.biz

"TNT UK Limited Self Billing Invoice" malware spam

This fairly terse spam email comes with a malicious attachment:

Date:      Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
From:      Accounts Payable TNT [accounts.payable@tnt.co.uk]
Subject:      TNT UK Limited Self Billing Invoice 5321378841

Download the attachment. Invoice will be automatically shown by double click. 
Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47) which has an icon that makes it look like a PDF file.

Automated analysis tools [1] [2] [3] show an attempted connection to 2dlife.com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife.fr so I would assume that both are compromised and blocking access to this IP address is the way to go.


Thursday, 5 December 2013

Something evil on 192.95.1.190

It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example] spreading through injection attacks although at the moment I can't reproduce the issue. In any case, I would recommend blocking that IP plus these domains that are in use to spread nastiness:

digitalra.biz
drcoupon.biz
eurosync.biz
expertsurvey.biz
flypanda.biz
funelectronics.biz
interfx.biz
interloanz.biz
learinatlas.biz
mapmchawalit.biz
mapsport.biz
metartri.biz
moreycrm.biz
mrhiuts.biz
perfectcore.biz
safemeta.biz
searchcars.biz
sharpice.biz
softanimal.biz

Some of the subdomains in use are listed here

Something unpleasant on 89.248.164.219 and 217.23.2.233

The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of bogus Firefox and Media Player downloads. (You can see the VirusTotal reports here and here).

All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of the subdomains I can find is at the end of this post, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233
antivirous.co.uk
archictecture.com
bacharat.com
bankrupcyloans.com
beadedjewlry.com
blog-skin.com
buisinessplan.com
camgirslive.com
catalag.com
cheatscoads.com
cheepplaneticket.com
deadbeatmom.com
detroitresturants.com
diabeticreciepies.com
dictionairy.co.uk
dieselgeneraters.com
florenceaccomodation.com
forclosedhomelistings.com
franshising.com
freemagzine.com
freerngtones.com
freesudukogames.com
freexxxvideodownloads.com
genology.co.uk
gitaretab.com
guatars.com
itallianfood.com
ladyring.com
lesons.com
magneticjewlry.com
medicalpaymentsolutions.com
milffiles.com
monstercooks.com
mygirly.com
noebook.com
olineauction.com
pacmangames.co.uk
photogallary.co.uk
pokerstatergy.com
proverts.com
rentalaccomodation.com
songlyrices.com
swappingwifes.com
timehare.com
violn.com
wwwmotorcycleparts.com
wwwqwikster.com
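
The typosquatting observation above can be turned into a simple check. This is an added example (my own code, not from the original post): it computes an edit distance between the second-level label of each domain and a small constructed list of the ordinary English words these names imitate, and flags domains within two edits of a word. The word list, the threshold and the simplistic label extraction (first label only, rather than a proper public suffix list) are all assumptions made for the example.

```python
# Constructed for the example: ordinary words the blocklisted names resemble.
LEGIT_WORDS = [
    "antivirus", "architecture", "baccarat", "dictionary", "genealogy",
    "guitars", "lessons", "notebook", "violin",
]

# A sample of domains from the post's blocklist plus one that is not a typo.
SAMPLE_DOMAINS = [
    "antivirous.co.uk", "archictecture.com", "bacharat.com",
    "dictionairy.co.uk", "genology.co.uk", "guatars.com",
    "lesons.com", "noebook.com", "violn.com", "ladyring.com",
]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or transpose two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def second_level_label(domain: str) -> str:
    """Crude label extraction for the example: 'antivirous.co.uk' -> 'antivirous'.
    A real tool would use a public suffix list instead."""
    return domain.lower().split(".")[0]


def nearest_word(label: str):
    """Return (word, distance) for the closest entry in LEGIT_WORDS."""
    return min(((w, damerau_levenshtein(label, w)) for w in LEGIT_WORDS),
               key=lambda pair: (pair[1], pair[0]))


def flag_typosquats(domains, max_distance: int = 2):
    """Map each domain within `max_distance` edits of a legit word to (word, distance)."""
    flagged = {}
    for domain in domains:
        word, dist = nearest_word(second_level_label(domain))
        if dist <= max_distance:
            flagged[domain] = (word, dist)
    return flagged


if __name__ == "__main__":
    for domain, (word, dist) in flag_typosquats(SAMPLE_DOMAINS).items():
        print(f"{domain}: looks like '{word}' ({dist} edit(s))")
```

A distance threshold this low keeps false positives down for long words, but short labels (violn, lesons) are within one edit of many real words, so in practice the check is a triage aid for a domain feed rather than a blocking rule on its own.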

I can see these following subdomains in use, although it is probably easier just to block the main domains:
exclusiverewards.antivirous.co.uk
exclusiverewards.genology.co.uk
ny4zz.exclusiverewards.itallianfood.com
xo9zz.exclusiverewards.itallianfood.com
jsazz.exclusiverewards.itallianfood.com
xabzz.exclusiverewards.itallianfood.com
tfdzz.exclusiverewards.itallianfood.com
vkizz.exclusiverewards.itallianfood.com
ibmzz.exclusiverewards.itallianfood.com
jtozz.exclusiverewards.itallianfood.com
ntvzz.exclusiverewards.itallianfood.com
ytyzz.exclusiverewards.itallianfood.com
porn-tube.ladyring.com
popularprizes.florenceaccomodation.com
portube.freexxxvideodownloads.com
2h2zz.exclusiverewards.songlyrices.com
hnezz.exclusiverewards.songlyrices.com
kwizz.exclusiverewards.songlyrices.com
o6mzz.exclusiverewards.songlyrices.com
6ppzz.exclusiverewards.songlyrices.com
wrqzz.exclusiverewards.songlyrices.com
3xszz.exclusiverewards.songlyrices.com
tnyzz.exclusiverewards.songlyrices.com
7yyzz.exclusiverewards.songlyrices.com
tszzz.exclusiverewards.songlyrices.com
md2zz.popularprizes.songlyrices.com
4f2zz.popularprizes.songlyrices.com
t43zz.popularprizes.songlyrices.com
rbazz.popularprizes.songlyrices.com
eqazz.popularprizes.songlyrices.com
iwazz.popularprizes.songlyrices.com
vdfzz.popularprizes.songlyrices.com
6kfzz.popularprizes.songlyrices.com
gfhzz.popularprizes.songlyrices.com
zyhzz.popularprizes.songlyrices.com
ukrzz.popularprizes.songlyrices.com
dorzz.popularprizes.songlyrices.com
2aszz.popularprizes.songlyrices.com
6hszz.popularprizes.songlyrices.com
qgtzz.popularprizes.songlyrices.com
3lwzz.popularprizes.songlyrices.com
bfzzz.popularprizes.songlyrices.com
5hzzz.popularprizes.songlyrices.com
bjzzz.popularprizes.songlyrices.com
aqzzz.popularprizes.songlyrices.com
txt-hotties.swappingwifes.com
rewardzone.monstercooks.com
exclusiverewards.guatars.com
popularprizes.dieselgeneraters.com
popularprizes.bacharat.com
popularprizes.beadedjewlry.com
www.exclusiverewards.dictionairy.co.uk
www1.exclusiverewards.dictionairy.co.uk
prizecentral.noebook.com
www.popularprizes.bacharat.com
ecig.timehare.com
cloud.timehare.com
popularprizes.blog-skin.com
pornvids.milffiles.com
porn-tube.camgirslive.com
rewardzone.cheatscoads.com
agentix.deadbeatmom.com
cleanse.deadbeatmom.com
442zz.popularprizes.songlyrices.com
4btzz.popularprizes.songlyrices.com
7yhzz.popularprizes.songlyrices.com
cfzzz.popularprizes.songlyrices.com
hmdzz.popularprizes.songlyrices.com
mpazz.popularprizes.songlyrices.com
nokzz.popularprizes.songlyrices.com
povzz.popularprizes.songlyrices.com
psmzz.popularprizes.songlyrices.com
u4wzz.popularprizes.songlyrices.com
vufzz.popularprizes.songlyrices.com
xehzz.popularprizes.songlyrices.com
rauzz.exclusiverewards.songlyrices.com
sywzz.exclusiverewards.songlyrices.com
wwbzz.exclusiverewards.songlyrices.com
download.wwwqwikster.com
www.download.wwwqwikster.com
www1.download.wwwqwikster.com
watchnow.freerngtones.com
watch-now.freerngtones.com
playingnow.freerngtones.com
watching-now.freerngtones.com
0ozzz.exclusiverewards.itallianfood.com
3o9zz.exclusiverewards.itallianfood.com
bcvzz.exclusiverewards.itallianfood.com
n9vzz.exclusiverewards.itallianfood.com
oxwzz.exclusiverewards.itallianfood.com
yt5zz.exclusiverewards.itallianfood.com
www1.rewardzone.monstercooks.com
exclusive-rewards.dieselgeneraters.com
weightloss.diabeticreciepies.com
popularprizes.wwwmotorcycleparts.com
exclusiverewards.florenceaccomodation.com
www.securessl.forclosedhomelistings.com
congratulations.medicalpaymentsolutions.com
0eizz.exclusiverewards.songlyrices.com
3dxzz.exclusiverewards.songlyrices.com
6lzzz.exclusiverewards.songlyrices.com
7nrzz.exclusiverewards.songlyrices.com
watch-now.magneticjewlry.com
rewardzone.dieselgeneraters.com
popularprizes.pacmangames.co.uk
rewardzone.genology.co.uk
popularprizes.photogallary.co.uk
uh5zz.exclusiverewards.itallianfood.com
jd7zz.exclusiverewards.itallianfood.com
fe7zz.exclusiverewards.itallianfood.com
xxazz.exclusiverewards.itallianfood.com
tqdzz.exclusiverewards.itallianfood.com
mudzz.exclusiverewards.itallianfood.com
p8hzz.exclusiverewards.itallianfood.com
soizz.exclusiverewards.itallianfood.com
2hkzz.exclusiverewards.itallianfood.com
qpvzz.exclusiverewards.itallianfood.com
rewardzone.archictecture.com
rewardzone.florenceaccomodation.com
rewardzone.rentalaccomodation.com
uj8zz.exclusiverewards.songlyrices.com
usdzz.exclusiverewards.songlyrices.com
ashzz.exclusiverewards.songlyrices.com
cmkzz.exclusiverewards.songlyrices.com
6omzz.exclusiverewards.songlyrices.com
agqzz.exclusiverewards.songlyrices.com
vjszz.exclusiverewards.songlyrices.com
42wzz.exclusiverewards.songlyrices.com
sbxzz.exclusiverewards.songlyrices.com
ouxzz.exclusiverewards.songlyrices.com
gh0zz.popularprizes.songlyrices.com
oh3zz.popularprizes.songlyrices.com
vy3zz.popularprizes.songlyrices.com
nd4zz.popularprizes.songlyrices.com
zj8zz.popularprizes.songlyrices.com
jf9zz.popularprizes.songlyrices.com
knbzz.popularprizes.songlyrices.com
dtczz.popularprizes.songlyrices.com
ffdzz.popularprizes.songlyrices.com
xjezz.popularprizes.songlyrices.com
fofzz.popularprizes.songlyrices.com
dljzz.popularprizes.songlyrices.com
5wkzz.popularprizes.songlyrices.com
9zlzz.popularprizes.songlyrices.com
dxmzz.popularprizes.songlyrices.com
plnzz.popularprizes.songlyrices.com
xsozz.popularprizes.songlyrices.com
zwozz.popularprizes.songlyrices.com
gzozz.popularprizes.songlyrices.com
vrszz.popularprizes.songlyrices.com
t4tzz.popularprizes.songlyrices.com
99wzz.popularprizes.songlyrices.com
9swzz.popularprizes.songlyrices.com
ycxzz.popularprizes.songlyrices.com
securessl.forclosedhomelistings.com
news-alert.bankrupcyloans.com
exclusiverewards.medicalpaymentsolutions.com
popularprizes.medicalpaymentsolutions.com
surveycentral.pokerstatergy.com
popularprizes.genology.co.uk
exclusiverewards.dictionairy.co.uk
exclusiverewards.pacmangames.co.uk
rewardzone.violn.com
playgames.lesons.com
nowplay.catalag.com
txtpussy.mygirly.com
fucknow.proverts.com
xxxtube.proverts.com
win.timehare.com
agentixs.timehare.com
mensfitness.timehare.com
rewardzone.blog-skin.com
globalrewards.blog-skin.com
exclusive-rewards.blog-skin.com
exclusive-rewards.gitaretab.com
www.rewardzone.cheatscoads.com
download.franshising.com
nowplay.freemagzine.com
4cpzz.rewardzone.songlyrices.com
ehrzz.rewardzone.songlyrices.com
43uzz.popularprizes.songlyrices.com
a73zz.popularprizes.songlyrices.com
bnkzz.popularprizes.songlyrices.com
kvxzz.popularprizes.songlyrices.com
n5zzz.popularprizes.songlyrices.com
ntlzz.popularprizes.songlyrices.com
nx9zz.popularprizes.songlyrices.com
nzazz.popularprizes.songlyrices.com
obzzz.popularprizes.songlyrices.com
oyxzz.popularprizes.songlyrices.com
somzz.popularprizes.songlyrices.com
teizz.popularprizes.songlyrices.com
xjnzz.popularprizes.songlyrices.com
yt3zz.popularprizes.songlyrices.com
3z4zz.exclusiverewards.songlyrices.com
855zz.exclusiverewards.songlyrices.com
cqfzz.exclusiverewards.songlyrices.com
phjzz.exclusiverewards.songlyrices.com
q7gzz.exclusiverewards.songlyrices.com
tyvzz.exclusiverewards.songlyrices.com
z3nzz.exclusiverewards.songlyrices.com
hotmail.download.wwwqwikster.com
www1.watch-now.freerngtones.com
a5vzz.exclusiverewards.itallianfood.com
c7rzz.exclusiverewards.itallianfood.com
gnszz.exclusiverewards.itallianfood.com
hbjzz.exclusiverewards.itallianfood.com
i6jzz.exclusiverewards.itallianfood.com
okbzz.exclusiverewards.itallianfood.com
owozz.exclusiverewards.itallianfood.com
ucqzz.exclusiverewards.itallianfood.com
popularprizes.olineauction.com
rewardzone.buisinessplan.com
www1.surveycentral.pokerstatergy.com
globalpromotions.pokerstatergy.com
www1.news-alert.bankrupcyloans.com
www1.watch-now.magneticjewlry.com
congratulations.freesudukogames.com
exclusiverewards.freesudukogames.com
exclusive-rewards.cheepplaneticket.com
www1.rewardzone.dieselgeneraters.com
globalrewards.dieselgeneraters.com
exclusiverewards.dieselgeneraters.com
rewardzone.detroitresturants.com
www1.securessl.forclosedhomelistings.com
axizz.exclusiverewards.songlyrices.com
cqdzz.exclusiverewards.songlyrices.com

Wednesday, 4 December 2013

"Department of Treasury Notice of Outstanding Obligation" spam / FMS-Case.exe

This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.

Date:      Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852

Important  please review and sign the attached document!

We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.

In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue.  Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.

Questions should be directed to the Federal Service Desk at:

http://www.bpn.gov/ccr/Help.aspx
Phone : 1-866-606-6762
Int. Phone 1-344-206-6275 for international calls
For DSN, dial 809-463-9774. Wait for a dial tone, and then dial 866-606-4580.
Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49. Automated analysis tools [1] [2] show an attempted connection to worldofchamps.com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran.com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47, although automated analysis tools are inconclusive. I recommend blocking both those domains.

Fake Amazon.co.uk spam / Order details.zip

This fake Amazon spam comes with a malicious attachment:

Date:      Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Subject:      order ID718-4116431-2424056

Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.

Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides.

We hope to see you again soon. Amazon.co.uk
Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49. Automated analysis tools [1] [2] are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup.

"british-googleapps.com" (and other googleapps.com domains) job scam

This following spam email is attempting to recruit money mules:

From:     arwildcbrender@victimdomain.com
to:     arwildcbrender@victimdomain.com
date:     4 December 2013 07:49
subject:     Employment you've been searching!

Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.

An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.

This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.

Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.

You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.

Region: United Kingdom only.

If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.

If you are interested, please reply to: Gene@british-googleapps.com
Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine


Other "reply-to" addresses spotted:
Gene@british-googleapps.com
Dewitt@british-googleapps.com
Robbie@british-googleapps.com
Leila@british-googleapps.com


british-googleapps.com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam:



In addition to those, the following IPs and domains are in use by the scammers either now or recently. All the domains are registered through the scam-friendly Chinese registrar BIZCN to fictitious registrants.




Tuesday, 3 December 2013

Another day, another fake eFax spam

These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.

Date:      Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Fax transmission: -5219616961-5460126761-20130705352854-84905.zip

Please find attached to this email a facsimile transmission we have just received on your behalf

(Do not reply to this email as any reply will not be read by a real person) 
Attached is a ZIP file, in this case called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48), which in turn contains a malicious executable fax-report.exe with an icon that makes it look like a PDF file and a VirusTotal detection rate of 4/48.

Automated analysis tools [1] [2] [3] show an attempted communication with tuhostingprofesional.net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised.

Friday, 29 November 2013

Registered Express Corporation (RGTX) pump and dump spam

It's taken me a few days to get around to this due to moving house, but here's a new pump-and-dump spam run promoting a stock Registered Express Corporation (OTC:RGTX).

As ever, there are a massive number of different subjects and random body-texts, for example:

Subject: This Bottom Bouncer has taken off!
Subject: Our analysis right on the MONEY!
Subject: Seven Reasons To Love This Company
Subject: Breakout coming!
Subject: Get Ready for Another Money Making New Trade Idea Tomorrow
Subject: What a HUGE day we had!

Over The Counter Morning Highlight! Land Your Orders In Early
To Gain Big!!!

Registered Express Corporation (RG TX)
Per share price: 0.0148

Safe, Reliable, Secure. Confirmable Shipment of Electronic
Docs.


---
This message is free of viruses and malware thanks to avast! antivirus protection.
http://www.avast.com

=========

Pink Sheet AM Alarm! Obtain Your Orders In Early To Score
Large!!!

Registered Express, Corp. (R_G-T X)
Buy at: $0.0148

Secure, Safe, Reliable. Verifiable Transfer of E-Documents.

=========

Pink Sheet Daily Signal! Pull Your Buy Order In Soon To Rack Up
Huge.

REGISTERED EXPRESS, CORP. (R-G T X)
Latest Pricing: .0148

Safe, Reliable, Secure!!! Verifiable Delivery of Electronic
Documents.

=========

Exchange Morning Signal! Pull Your Buy Order In Beforehand To Rack Up
Massive.

Registered Express Corporation (R_G T X)
Priced at: .0148

Secure, Safe, Reliable! Correct Delivery of E-Documents.

=========

Happy Turkey Day

Exchange Morning Alert! Score Your Buy Order In Quick To Gain
Massive!!!

Registered Express Corp (RG_TX)
Last Trade: $0.0148

Safe, Secure, Reliable!!! Confirmable Transmission of E-Docs.

=========

Pink Sheet AM Alarm!!! Grab Your Buy Order In Quick To Gain Big!!!

Registered Express Corporation (R-G-T X)
Now: .0148

Secure, Safe, Reliable. Confirmable Consignment of E-Docs.
The spam volumes are not as high as some previous pump-and-dump runs, and the first incident that I can see is on Saturday 23rd November, a typical approach to try to pump the market when it opens on Monday morning.

RGTX has been through a few incarnations, most recently as a firm specialising in the secure transmission of electronic documents. According to its own reports [1] [2] this firm has never had an income, holds no notable cash reserves and basically borrows cash against its own intellectual property and business value. Registered Express says that it is a business in development; it is not clear if and when it will ever start to make an income.

A look at the stock charts shows that shares are traded in moderate volumes. On the 21st and 22nd November (before the spam run) a total of 849,477 shares were traded, about ten times the volume of the previous two days.


We know from past experience that either the spammers or another involved party will move in and buy stock before the spam run. I estimate that about 750,000 shares were bought in this way at between $0.012 and $0.020. Since then about three million shares have been traded, presumably by people motivated by the spam run or simply following the increase in volume with a speculative buy.

The folks at RGTX are probably not involved in the spam run. My previous analysis of stocks promoted in this way indicates that they are usually in terminal decline. Buying stock on the basis of a spammed email would be exceptionally foolish and should be avoided.

Wednesday, 27 November 2013

"ADP - Reference #274135902580" spam / Transaction.exe

Is it Salesforce or ADP? Of course.. it is neither.

Date:      Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      ADP - Reference #274135902580

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #274135902580

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48.
Malwr reports an attempted connection to seribeau.com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several hundred legitimate web sites on it, and it is not possible to determine if these are clean or infected.

Tuesday, 26 November 2013

Something evil on 46.19.139.236

46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java exploit kit via injection attacks, using hijacked legitimate domains. The domains in use rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples. These are the domains that I can find running from this IP:


These seem to be a mix of GoDaddy, 1&1 and eNom registered domains that have been hijacked; some of them have already been flagged as malicious by Google:
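Spotting this kind of domain shadowing from DNS data, as an added example that is not the post's own code: it clusters hostnames by resolved IP and flags an address that hosts subdomains of several registered domains whose own apex records point elsewhere, so the hijacked parent domains are not blocked along with the injected hosts. The records are constructed (shadow hostnames modelled on the post's list, benign addresses from the TEST-NET ranges) and the registered-domain split is a two-label approximation.

```python
"""Find shadowed subdomains: odd hostnames under otherwise-legitimate registered
domains that all resolve to one IP the parent domains do not use (added example)."""
from collections import defaultdict

# Constructed passive-DNS style records (hostname, resolved IP). The shadowed
# hostnames are modelled on the post's list; the benign addresses are TEST-NET.
RECORDS = [
    ("clermontjumps.com", "198.51.100.20"),          # apex of a legitimate site
    ("www.clermontjumps.com", "198.51.100.20"),
    ("calc.clermontjumps.com", "46.19.139.236"),     # injected subdomains
    ("team.clermontjumps.com", "46.19.139.236"),
    ("www.ddghost.com", "198.51.100.21"),
    ("edit.ddghost.com", "46.19.139.236"),
    ("podkast.ddghost.com", "46.19.139.236"),
    ("www.skillstuff.com", "198.51.100.22"),
    ("enter.skillstuff.com", "46.19.139.236"),
    ("example.net", "203.0.113.5"),                  # legitimate subdomains ...
    ("shop.example.net", "203.0.113.5"),             # ... on the apex IP
    ("mail.example.net", "203.0.113.9"),             # ... or on one other host
]


def registered_domain(hostname):
    """Crude eTLD+1 (last two labels). Assumption: no multi-part suffixes like .co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_apex(hostname):
    """True for the registered domain itself or its www host."""
    rd = registered_domain(hostname)
    return hostname.lower() in (rd, "www." + rd)


def shadow_clusters(records, min_domains=3):
    """Return {ip: {registered_domain: [hostnames]}} for IPs that host subdomains
    of at least `min_domains` distinct registered domains whose apex/www records
    point elsewhere. A single stray subdomain is not enough: mail hosts and
    CDNs routinely sit on other addresses, so the evidence is the clustering.
    """
    by_ip = defaultdict(set)
    apex_ips = defaultdict(set)
    for host, ip in records:
        host = host.lower()
        by_ip[ip].add(host)
        if is_apex(host):
            apex_ips[registered_domain(host)].add(ip)
    clusters = {}
    for ip, hosts in by_ip.items():
        shadowed = defaultdict(list)
        for host in hosts:
            rd = registered_domain(host)
            if not is_apex(host) and ip not in apex_ips.get(rd, set()):
                shadowed[rd].append(host)
        if len(shadowed) >= min_domains:
            clusters[ip] = {rd: sorted(hs) for rd, hs in shadowed.items()}
    return clusters


def blocklist(clusters):
    """Sorted hostnames to block. The parent domains are left alone: they are
    hijacked victims whose real sites still resolve to their own servers."""
    return sorted(h for doms in clusters.values() for hs in doms.values() for h in hs)


if __name__ == "__main__":
    found = shadow_clusters(RECORDS)
    for ip, doms in found.items():
        print(ip, "shadows", len(doms), "registered domains:", sorted(doms))
    print("\n".join(blocklist(found)))
```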

"You requested a new Facebook password!" spam / Recoverypassword.zip and Facebook-SecureMessage.exe


This fake Facebook message comes with a malicious attachment:

Date:      Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      You requested a new Facebook password!

facebook
Hello,

You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

Read your secure message by opening the attachment, Facebook-SecureMessage.zip.

Didn't request this change?
If you didn't request a new password, let us know immediately.

This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42. Automated analysis tools [1] [2] [3] show attempted connections to developmentinn.com on 38.102.226.252 (Cogent, US) and spotopia.com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not.

Monday, 18 November 2013

0844 number scam (08445715179)

This is a particularly insidious scam that relies on mobile phone users in the UK not knowing that an 0844 number is much, much more expensive than a normal phone call. The scam SMS goes something like this:

ATTENTION! We have tried to contact you, It is important we speak to you today. Please call 08445715179 quoting your reference 121190. Thank You.

In this case the sender's number was +447453215347 (owned by Virgin Media Wholesale Ltd, but operated by a third party). The catch is that calls to an 0844 number can cost up to 40p per minute (see more details here), a large chunk of which goes into the operator's pockets. So what happens when you ring back? You get put on hold.. and left on hold until you have racked up a significant bill.

Sadly, I don't know who is behind this scam, and in this case it was illegally sent to a TPS-registered number.
If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints. You should also send a complaint to the ICO, who may be able to take more serious action against these spammers.

Friday, 15 November 2013

RingCentral "Bank of America" fax message spam / 442074293440-1116-084755-242.zip

This fake fax message email has a malicious attachment:

Date:      Fri, 15 Nov 2013 12:05:36 -0500 [12:05:36 EST]
From:      RingCentral [notify-us@ringcentral.com]
Subject:      New Fax Message on 11/15/2013 at 09:51:51 CST

You Have a New Fax Message

From
Bank of America

Received:
11/15/2013 at 09:51:51 CST

Pages:
5
   
To view this message, please open the attachment.

Thank you for using Ring Central .


There is an attachment 442074293440-1116-084755-242.zip which unzips into a malicious executable 442074293440-1116-084755-242.exe which has a VirusTotal detection rate of 11/47. Automated analysis tools [1] [2] show an attempted connection to aspenhonda.com on 199.167.40.33 (FAM Info Systems / ServInt, US). The domain in question has been hacked; it is not possible to tell if the entire server is compromised, but there are other legitimate sites on that box.

Malware sites to block 15/11/2013 (Caphaw)

Thanks to a tip to investigate 199.68.199.178 I discovered that the Caphaw network I looked at yesterday is much bigger than I thought. The following IPs and domains can all be regarded as malicious (.SU domains are normally a dead giveaway for evil activity).

The recommended blocklist is at the end of the post (highlighted). These are the hosts involved either now or recently with hosting these Caphaw domains:


The following hosts appear to be hosting nameservers for these domains (note that USAISC has been identified doing this before):


These are the domains involved (I would strongly recommend blocking them):



Recommended IP blocklist (the nameserver hosts are included):


Thursday, 14 November 2013

Malware sites to block 14/11/2013 (Caphaw)

These domains and IPs appear to be involved in a Caphaw malware attack, such as this one. All the IPs involved belong to Hetzner in Germany, and although some also host legitimate sites I would strongly recommend blocking them.

Recommended blocklist:

Wednesday, 13 November 2013

The EXE-in-ZIP spam storm continues

Two more EXE-in-ZIP spams.. the first is a terse one with the subject "Voice Message from Unknown Caller" or "Voicemail Message from unknown number" and not much else, carrying a malicious EXE-in-ZIP attachment (VoiceMessage.zip) with a VirusTotal score of 7/46 which calls home [1] [2] [3] to amandas-designs.com on 80.179.141.8 (012 Smile Communications Ltd., Israel).

The second one is a fake Wells Fargo spam similar to this:

We have received this documents from your bank, please review attached documents.

Lela Orozco
Wells Fargo Advisors
817-232-5887 office
817-067-3871 cell Lela.Orozco@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.  
In this case the EXE-in-ZIP attachment (BankDocs.zip) has a VirusTotal detection rate of 14/47 and calls home [4] [5] [6]  to kidgrandy.com on 184.154.15.190 (Singlehop, US).

Given the massive onslaught of EXE-in-ZIP spam, I would strongly recommend blocking ZIP files with executables in them at the perimeter.

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:

Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP89759 

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47. Automated analysis tools [1] [2] [3] show an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK), which is the same server used in this attack, so you can safely assume that the whole server is compromised; I recommend that you block that particular IP.

"Rodrigo Sawyer and Associates" fake job offer

This laughably primitive fake job offer is recruiting for money mules, package reshipping or some other scam.

From:     RSA-CAREER! [anthonykather1@gmail.com]
Reply-To:     anthonykather1@gmail.com
Date:     12 November 2013 20:43
Subject:     please read


Hi...
  We Have a PT/job. we pay $250 per job and we want you to participate.
Your job is only to act as a regular customer and conduct normal business, Customer service is valuable.

If interested,send the information below after which we would send you an application form

   1. FuII N4ME :
   2. FullAdress :
   3. Stte | Cty :
   4. CodZ!p :
   5. Phones :
   6.Alternate E-mail:
   7. O.c.c.u.p.a.t.i.o.n :

Your response would be greatly appreciated.

Sincerely,
Rodrigo sawyer and associates.
Originating IP is pro1042.server4you.de [62.75.181.174]. Avoid.

Tuesday, 12 November 2013

"2012 and 2013 Tax Documents; Accountant's Letter" spam / tax 2012-2013.exe

This fake tax spam comes with a malicious attachment:

Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      FW: 2012 and 2013 Tax Documents; Accountant's Letter

I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission. 
Attached to the email is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.

VirusTotal detection rates are 17/47. Automated analysis tools [1] [2] show an attempted connection to nishantmultistate.com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea.




"Important - New Outlook Settings" spam / Outlook.zip

This spam email has a malicious attachment:

Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decrypted with the PaSdIaoQ password given in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password along with the encrypted attachment.. you'd have to be really daft to do that).
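The two recommendations on this page, blocking ZIP attachments with executables inside at the perimeter and distrusting a password sent alongside an encrypted archive, as an added Python example that is not the post's own code: it reads the ZIP central directory without extracting anything, flags executable names, double extensions and MZ headers, and still reaches a block decision when the members are encrypted and their contents cannot be read. The extension lists and the constructed sample archives are assumptions of the example, not values from the post.

```python
"""Triage a ZIP e-mail attachment for the EXE-in-ZIP pattern (added example)."""
import io
import zipfile

# File types Windows runs directly; .scr/.pif/.com are common disguises for .exe.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Types a double-extension lure imitates, e.g. "Invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Bit 0 of the ZIP general-purpose flag marks a member as encrypted.
ZIP_ENCRYPTED_FLAG = 0x1


def extension_chain(name):
    """Lower-cased extensions of a member name, e.g. 'Report.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + part for part in base.lower().split(".")[1:]]


def inspect_zip(data):
    """Inspect ZIP bytes without extracting anything; return a dict of findings.

    Member names and the encryption flag sit in the central directory, so they are
    readable even for a password-protected archive whose contents (and so whose
    MZ header) cannot be examined without the password.
    """
    findings = {"members": [], "executables": [], "double_extension": [],
                "mz_header": [], "encrypted": [], "block": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            findings["members"].append(name)
            exts = extension_chain(name)
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings["executables"].append(name)
                if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
                    findings["double_extension"].append(name)
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                findings["encrypted"].append(name)
                continue  # content is unreadable without the password
            with zf.open(info) as member:
                # A PE/DOS executable starts with "MZ" whatever its extension claims.
                if member.read(2) == b"MZ":
                    findings["mz_header"].append(name)
    # Perimeter policy from the post: block any ZIP carrying an executable. An
    # encrypted archive with an executable member name is blocked as well; a
    # password printed in the same e-mail makes the encryption meaningless.
    findings["block"] = bool(findings["executables"] or findings["mz_header"])
    return findings


def build_sample(name, content, encrypted=False):
    """Build a one-member ZIP in memory (constructed test data, not a real sample).

    zipfile cannot write encrypted members, so for the encrypted case the
    general-purpose flag is patched in the local and central headers afterwards;
    readers then treat the member as password-protected.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")      # local file header, flags at +6
        central = data.rfind(b"PK\x01\x02")   # central directory entry, flags at +8
        data[local + 6] |= ZIP_ENCRYPTED_FLAG
        data[central + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    # Lure named like the post's attachments, with a PE header inside.
    print(inspect_zip(build_sample("Order details.exe", b"MZ\x90\x00" + b"\x00" * 60)))
    # Password-protected archive: name visible, contents not.
    print(inspect_zip(build_sample("Outlook.exe", b"MZ" + b"\x00" * 30, encrypted=True)))
```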

Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.

The detection rate at VirusTotal is 5/45. Automated analysis tools [1] [2] show an attempted connection to dchamt.com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean.