Sponsored by..

Friday, 21 February 2014

PRFC (Epcylon Technologies, Inc) pump-and-dump spam

This pump-and-dump spam run happened last night, which would have been Thursday afternoon in the US. Usually spam runs of this type happen over the weekend, but this P&D run is not quite like others.
From:     Zelma Williams
Date:     20 February 2014 19:04
Subject:     Very important information. Please read

Hi [redacted]

I know you were expecting to hear back from me much earlier but I didn't want to get back to you empty-handed. I finally found the perfect stock for you and I am confident that it will make you some serious profit. Remember the one I told you about in November of last year right? You did very well on it and I think this PRFC stock will do the same for your portfolio again.
I have to let you know though that I'm not the only one who found out about PRFC today. A few of my colleagues are aware as well and they are telling their friends and family about it so I must advise you to move fast if you want to buy it. I think it's trading at just around 15 cents right now, if you wait too long it might be at 30 or even higher and at that time I won't be able to safely advise you to buy it. You can buy as many shares as you can first thing at market open on Friday or worst case scenario buy it on Monday but move fast.
I know you don't care about what the company does because you know I've done all the due diligence for you already but PRFC is actually amazing and I think it will do much better than even the one I told you about a few months ago.
One of the company's divisions offers mobile software solutions for the gaming industry. The mobile apps allow customers to play lottery and other games of chance and skill on their smartphones. The software is extremely advanced and could be the backbone of all mobile casinos in the future. It is expected that the US will legalize online gaming in the near future and this could catapult PRFC to new highs however even without that the company's software is extremely valuable in the rest of the world and could become extremely profitable.  Something big is definitely brewing at the company. I heard something about buy out rumors but I don't have all the details yet I will keep you posted over the coming days or weeks.
Anyway I won't bore you with much more blabber, but if you have a second do check out PRFC. By the way I will be expecting a nice gift from you once you make fat bank on this one and a nice dinner with the wives is in order. It's been too long since we last spent a good evening over a bottle of wine. I was going to call you to tell you about PRFC but I figured youre probably asleep now with those crazy shifts you've been working. Take care and call me if there's anything.

Talk soon
Your favorite friend and only broker :)
Appended to the spam is some random text to try to fool spam filters.

According to stock charts, this spam has been successful and has pushed up the Epcylon Technologies, Inc / PRFC price by about 40% in afternoon trading.


The chart shows that 72885 shares were traded in this period, moving stock up from $0.14 to $0.20, the highest value for this stock since August. Trading is normally pretty thin for this stock at between 0 to 10,000 shares per day, but it does sometimes peak higher.

Usually with pump-and-dump scams somebody buys a large quantity of a few days before the spam run. This doesn't appear to be the case here, which leads to the possibility that the spam run is being pushed by an existing stockholder (it is unlikely to be anything to do with Epcylon though). Another thing that differentiates this pump-and-dump run from others is that there does seem to be some mildly positive news about this company.

However, I would urge you not to buy these stocks. The usual pattern is that the stock price collapses shortly after the initial spam run when the party responsible for the spam cashes out.

The spam itself was sent to scraped email addresses and addresses taken from various data breaches, although there does appear to have been some basic listwashing done to evade detection.

Update: a second version is doing the rounds..

From:     Rowena Rasmussen caroline@ordernowapp.com
To:     caroline [caroline@victimdomain]
Date:     22 February 2014 14:48
Subject:     This is the best stock tip of the year

Dear Investor,

If you're tired of playing the market for mediocre gains then you should read on. I'm Mike Statler. Some of you may know me from my last good stock tip (WPWR) which more than tripled within a short period of time (feel free to check it out). Now I have a brand new tip and I will think you will be pleased. This one should go up more than 6 times from current levels.
If you are interested in making a quick gain overnight, this is not for you, but if you're serious about buying my new tip PRFC and you are willing to hold a few weeks and see magic happen then you're definitely at the right place.
If you remember correctly I told you a few days ago about PRFC. I advised you to add it to your watch list but at the time I could not recommend that you buy it as I had not completed my due diligence.
I have good news and bad news for you. The bad news is that it is already up about 60% since I told you to add it to your watch list but the good news is that I think it still has a lot of room to go up and I expect to see PRFC trading at over 2 dollars before the end of the month or by the end of the 1st week of march at the absolute latest.
The company makes indispensable software that powers the backend of mobile gambling platforms. You can buy lottery on your smartphone, spin the roulette, enjoy blackjack or even play a game of poker. All this from your iphone or android phone. This is absolutely revolutionary and as we get closer to complete legalization of online gambling in America this little gem that is PRFC could soar dramatically.
PRFC (or Epcylon Technologies if you prefer) is going to work wonders for my subscribers' portfolios. I even bought $15,000 of it myself today. THAT'S how confident I am in it. I'm putting my money where my mouth is and I am telling you to BUY PRFC too if you believe in me, and if you don't it's too bad. You will be sending me an email two weeks from now saying how you regret not buying when I told you to do so.

Happy Trading,
I'm Mike Statler.

Update 24/2/14: new versions replace the text with an image in an attempt to bypass spam filters.



Update 25/2/14: a slightly different image this time, presumably in an attempt to evade scanners


Thursday, 20 February 2014

Suspect Cushion redirect on 62.212.128.22

I'm not entirely sure of what the payload is, but there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report but in this case it seems to end up at a wallpaper site (picture here). VirusTotal sees the IP as being somewhat suspect.

Given that this is abusing subdomains of legitimate GoDaddy domains then on balance I would regard this as being malicious. All the subdomains I can find are listed here [pastebin], but they are all covered by this recommended blocklist:
46.231.87.57
310casting.com
analacrobatsfree.com
dovizpiyasa.net
dovmeara.com
dovmebakirkoy.com
dovmeblog.com
dovmeci.co
dovmeciadresleri.com
dovmecibul.com
dovme-resimlerim.com

Wednesday, 19 February 2014

Somnath Bharti - porn site operator?

I seem to have written a lot about Somnath Bharti lately, and he's certainly a topic of interest in Indian politics. I'm not going to go on about his links to TopSites LLC (watch the video if you are interested), but I wanted to look at these persistent comments that Somnath Bharti was some sort of porn site operator.

If you want the really short version it's this - I've never seen any evidence that Mr Bharti has owned or operated a porn site. That's it.

But what are the links to porn, and where is there confusion?

allwebhunt.com links to porn and pro-pedophilia sites

It is beyond all reasonable doubt that allwebhunt.com is connected to Somnath Bharti. This was a directory of sites that was rapidly taken offline when the Times of India exposed the connection. Some of the more unsavoury contents of that site include a set links to pro-pedophilia sites which had been copied from the Open Directory Project (which had deleted them years ago). That's a pretty poor sense of judgement in this case, but it is really down to sloppiness rather than actual malice in my opinion.

But allwebhunt.com also linked to more regular porn sites, including the examples pictured below.

These entries appeared to be paid or sponsored ones, but the sites themselves are not Mr Bharti's and it does amuse me that some of the India news outlets criticising Mr Bharti for this do exactly the same things themselves.

Ultimately, allwebhut.com (and its predecessor topsites.us) directories are simply a catalogue of available sites, some of those links may be questionable but they do not imply ownership or mean that anything illegal is happening.

Ownership of teens-boy.net

One of the sites that Mr Bharti owned was teens-boy.net, according to historical WHOS records from 2005:

Domain:        teens-boy.net
Record Date:     2005-01-08
Registrar:     GOTNAMES.CA INC.
Server:     whois.gotnames.ca
Created:     2004-11-26
Updated:    
Expires:     2005-11-26

Domain teens-boy.net

  Date Registered: 2004-11-26
    Date Modified: 2004-11-30
      Expiry Date: 2005-11-26
             DNS1: ns1.www--search.com
             DNS2: ns2.www--search.com

  Registrant

                   My Directory LLC
                   PO Box 7334 - 101591
                   San Francisco, CA (US)
                   94120-73

  Administrative Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

  Technical Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

        Registrar: GotNames.ca
teens-boy.net had been a gay porn site until late 2004 as it appears in the Internet Archive [link is probably not safe for work]. The Internet Archive does not have any pictures on it in this case, but it is clear what the site is about by looking at the text.


It's an odd site for Mr Bharti to have in his name. But what did it actually look like after he bought it? The Internet Archive gives the answer again [this link is OK]. We can see that it just acts as a redirector to dirs.org which is yet another clone of the TopSites directory.




I guess this might have been an attempt at SEO, the domain was bought with a lot of other non-porn domains which also forwarded in this way. As far as I can tell, when the domain registration was up the domain simply expired at the end of 2005, it was re-registered by an unrelated party in 2007.

DVLPMNT MARKETING, INC and www-goto.com confusion

Webnewswire.com ran a story looking at the WHOIS details of www-goto.com, a site that had been registered to Mr Bharti in 2005:

Domain:        www-goto.com
Record Date:     2005-05-18
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:    
Expires:     2005-12-08

Registrant:
 Media  LLC
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Technical Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Record last updated 05-17-2005 03:09:40 PM
Record expires on 12-08-2005
Record created on 12-08-2004

Domain servers in listed order:
    NS1.WWW-GOTO.COM    202.14.69.2
    NS2.WWW-GOTO.COM    202.14.69.117
They then looked at the current WHOIS details which are:
Domain:        www-goto.com
Record Date:     2014-02-06
Registrar:     DNC HOLDINGS, INC.
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2013-06-12
Expires:     2014-12-08 

Domain Name: WWW-GOTO.COM
Registry Domain ID:
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrar Registration Expiration Date: 2014-12-08T17:03:22-06:00
Registrar: DNC Holdings, Inc.
Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8668569598
Domain Status: ok
Registrant Name: Domain Administrator
Registrant Organization: DVLPMNT MARKETING, INC.
Registrant Street: Hunkins Plaza
Registrant City: Charlestown
Registrant State/Province: Nevis
Registrant Postal Code: NA
Registrant Country: KN
Registrant Phone: 011-869-765-4496
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dvlpmntltd@gmail.com
Admin Name: Domain Administrator
Admin Organization: DVLPMNT MARKETING, INC.
Admin Street: Hunkins Plaza
Admin City: Charlestown
Admin State/Province: Nevis
Admin Postal Code: NA
Admin Country: KN
Admin Phone: 011-869-765-4496
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dvlpmntltd@gmail.com
Tech Name: Domain Administrator
Tech Organization: DVLPMNT MARKETING, INC.
Tech Street: Hunkins Plaza
Tech City: Charlestown
Tech State/Province: Nevis
Tech Postal Code: NA
Tech Country: KN
Tech Phone: 011-869-765-4496
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dvlpmntltd@gmail.com
Name Server: NS1.VOODOO.COM
Name Server: NS2.VOODOO.COM
URL of the ICANN WHOIS Data Problem Reporting System
http://wdprs.internic.net
The creation date for the domain is still 2004, so the domain has never dropped and been reregistered, it has been in continual existence since that date. The rather mysterious DVLPMNT MARKETING, INC certainly does seem to be connected with porn domains, but is this company controlled by Mr Bharti? No.


A look at the historical WHOIS details again yield some clues. The domain expired in 2008 and ended up being controlled by the registrar DirectNIC..
Domain:        www-goto.com
Record Date:     2008-12-19
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2008-12-09
Expires:     2009-12-08
Previous Screenshots
2008-12-18 screenshot
Reverse Whois:

Registrant:
 directNIC.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Technical Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Record last updated 12-09-2008 06:13:27 PM
Record expires on 12-08-2008
Record created on 12-08-2004

Domain servers in listed order:
    NS0.EXPIREDDOMAINSERVICES.COM    69.46.228.236
    NS1.EXPIREDDOMAINSERVICES.COM    69.46.228.237

DirectNIC reserve the right to auction off expired domains and the next WHOIS entry sees the domain being controlled by a domain parking company. It is unlikely that Mr Bharti or any of his associates received anything for this domain, it was essentially scrapped.

Is there any other evidence linking Somnath Bharti to porn?

Over the past couple of weeks I have re-examined the TopSites LLC business plus Mr Bharti's own Madgen Solutions from my own records and other public sources. These revealed all sort of interesting facts and allegations about Mr Bharti's activities.. but absolutely nothing that suggest that he owned or operated porn sites.

Of course, perhaps there is evidence that I am not aware of, but I would be very surprised if there is.. you can always send me an email if you have anything that will prove me wrong.


Tuesday, 18 February 2014

Eisenburg, Whitman & Associates LLC (eisenburgwhitmancca.com) fake testimonial

Eisenburg, Whitman & Associates LLC is meant to be some sort of Florida-based debt collector, although their website at eisenburgwhitmancca.com appears to have been designed by a semi-literate teenager back in the late 1990s. Assuming that it is their website of course, and not someone trading on their name.

Their "testimonies" (sic) page at www.eisenburgwhitmancca.com/testimonies has a couple of testimonials, with photographs.


Let's look a little closer at the first testimonal that says:
To Whom it may concern;

       My Name is Albert Wells Ref # 13A-***86, I am writing this letter today to personally thank Eisenburg,Whitman & Associates. For all their help and support with helping me getting my credit repair and getting me headed, back on the path of financial independence, special thanks to James Norman. Sincerley Albert Wells. 

Let's have a closer look at "Albert Wells"..

Who is that?

Oh look... it is actually John Dramani Mahama who is president of Ghana, and can be seen an the identical photograph on Wikipeda.


https://en.wikipedia.org/w/index.php?title=John_Dramani_Mahama&oldid=551035462
Oh dear.

You can read whatever conclusions you like into that.

"Please look my CV" spam

This spam comes with a malicious payload:

Date:      Mon, 17 Feb 2014 13:31:32 -0500 [02/17/14 13:31:32 EST]
From:      My CV [arina6720@rvyleater.com]
Subject:      Please look my CV

Hello,

Let me introduce myself.
I am the winner of various beauty contests
and the most beautiful girl on the coast.

And I really want to get a job from you.
I attach my CV where you can find links to my accounts
in social networks and see my photos.

Kisses,
Alena Tailor
Attached is a ZIP file My_CV_document_social networks_ photos_6103.zip which in my sample was corrupt. A bit of work with a Base64 decoder revealed that the payload file is My_CV_document________________________.exe which would be malicious if it actually worked.

Monday, 17 February 2014

Fake Evernote "Image has been sent" spam with RU:8080 payload

I've know that the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one however.

Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From:      accounts@pcfa.co.in
Subject:      Image has been sent

Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote

Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:
[donotclick]www.aka-im.org/1.html
[donotclick]bluebuddha.us/1.html

Which in turn loads a script from:
[donotclick]merdekapalace.com/1.txt
[donotclick]www.shivammehta.com/1.txt

That in turn attempts to load a script from [donotclick]opheevipshoopsimemu.ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)

The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.

There are a number of other hostile sites on those same IPs (listed below in Italics). I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant.biz
bakrymseeculsoxeju.ru
boadoohygoowhoononopee.biz
bydseekampoojopoopuboo.biz
jolygoestobeinvester.ru
noaphoapofoashike.biz
opheevipshoopsimemu.ru
ozimtickugryssytchook.org
telaceeroatsorgoatchel.biz
ypawhygrawhorsemto.ru

aka-im.org
bluebuddha.us
merdekapalace.com
shivammehta.com



Sunday, 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir muimran@giki.edu.pk
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.

Regards,

Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from 121.52.146.226 (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the  main ways that an attacker will gain access to your system. I strongly recommend deinstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:

67.215.4.64/28
67.215.4.120/29
u558801.nvpn.so
jagajaga.no-ip.org
jazibaba.no-ip.org
cyberx2013.no-ip.org
deltonfarmhouse.no-ip.biz
deltoncowstalls.no-ip.org
can2-pool-1194.nvpn.so
jazibaba1.no-ip.biz
ns2.rayaprodserver.com
kl0w.no-ip.org
jajajaja22.no-ip.org
mozillaproxy.zapto.org

Friday, 14 February 2014

Malware sites to block 14/2/14

This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here by Umbrella Labs).

OVH Canada have a long history with this bad actor (who I believe to be r5x.org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all.

First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active are:

dns1.alcogylogyc.com
dns2.alcogylogyc.com

dns1.bedroklow.com
dns2.bedroklow.com

dns1.boobledns.com
dns2.boobledns.com

dns1.dedains.com
dns2.dedains.com

dns1.dnshelpers.com
dns2.dnshelpers.com

dns1.eleziks.info
dns2.eleziks.info

dns1.europinghome.com
dns2.europinghome.com

dns1.flouwping.com
dns2.flouwping.com

dns1.geovipns.com
dns2.geovipns.com

dns1.glousby.com
dns2.glousby.com

dns1.goldrushns.net
dns2.goldrushns.net

dns1.goupfaster.info
dns2.goupfaster.info

dns1.grephipst.com
dns2.grephipst.com

dns1.hazahaza.net
dns2.hazahaza.net

dns1.highlinerservices.com
dns2.highlinerservices.com

dns1.hiporq.com
dns2.hiporq.com

dns1.hopsups.com
dns2.hopsups.com

dns1.hyperbola.info
dns2.hyperbola.info

dns1.kakzumi.com
dns2.kakzumi.com

dns1.masscarete.com
dns2.masscarete.com

dns1.koljong.com
dns2.koljong.com

dns1.masssilk.com
dns2.masssilk.com

dns1.mifthme.net
dns2.mifthme.net

dns1.mitilean.net
dns2.mitilean.net

dns1.muslibusli.org
dns2.muslibusli.org

dns1.neitronefx.org
dns2.neitronefx.org

dns1.nutizk.org
dns2.nutizk.org

dns1.performanced.net
dns2.performanced.net

dns1.platusinplatus.org
dns2.platusinplatus.org

dns1.plemians.org
dns2.plemians.org

dns1.poeglu.net
dns2.poeglu.net

dns1.popkirko.com
dns2.popkirko.com

dns1.portfoliorealtors.com
dns2.portfoliorealtors.com

dns1.seburingo.net
dns2.seburingo.net

dns1.sretunset.net
dns2.sretunset.net

dns1.timverbahdd.net
dns2.timverbahdd.net

dns1.telalcobuh.info
dns2.telalcobuh.info

dns1.vinigretov.net
dns2.vinigretov.net

dns1.yakuns.net
dns2.yakuns.net

Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.

142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

I can see the following domains being actively supported by these nameservers, all of which should be considered hostile:

activresa.biz
airlead.biz
allbat.biz
battingkayaking.pw
bikinghighs.pw
blackconstruction.biz
blizzardfielder.pw
bowpollutant.pw
bronzefoger.pw
cardiologistfastlane.pw
choiceshell.biz
clubdewef.pw
coachmacroburst.pw
competitordownburst.pw
competitormist.pw
competitormoisture.pw
cookray.pw
creativegeo.biz
cricketslush.pw
cricketsmoke.pw
curlingdefense.pw
dailyaqua.biz
decemberboxer.pw
digitalra.biz
drummerballerina.pw
epeeradar.pw
evergreenplay.pw
exercisebreeze.pw
experptware.biz
expertsurvey.biz
eyefreeze.biz
fieldingboxer.pw
fieldingdrizzle.pw
fieldingrainbands.pw
firstozip.biz
fitnessrafting.pw
flypanda.biz
furnacerace.pw
galekarate.pw
gamecoldfront.pw
glacierfootball.pw
glacierhelmet.pw
goalsnowstorm.pw
goldhailey.pw
heaterboxing.pw
hibernatebatting.pw
hibernateguard.pw
homesteamz.pw
hotchocolatefield.pw
hotchocolateplayoffs.pw
icebergcatcher.pw
icecaprace.pw
icehockeyair.pw
jacketcyclist.pw
januarygame.pw
javelinmicroburst.pw
jockeycustodian.pw
judodegreeo.pw
kayakermacroburst.pw
kayakingleeward.pw
kickballeyer.pw
lacrossebarometer.pw
lightcasa.biz
magicse.biz
manufacturerpresto.pw
mapmove.biz
mittensrafting.pw
movieprice.biz
negotiatorsecond.pw
netfogert.pw
novelistflutist.pw
onbytce.biz
onlincerobo.biz
playingsnowflake.pw
polarkayaking.pw
poolridgeq.pw
quiltcanoe.pw
quiltquarter.pw
racketforecast.pw
ridingmacroburst.pw
safemeta.biz
scanbeat.biz
snowflakereferee.pw
snowyboules.pw
stovecricket.pw
stovegolfer.pw
thermometerequipment.pw
thinkisoftware.biz
winterdefense.pw
zerocompetition.pw



Wednesday, 12 February 2014

"Track shipments/FedEx" spam

This fake FedEx spam leads to malware:

Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From:      FedEx [yama@rickyz.jp]
Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered

Track shipments/FedEx Office orders summary results:
-----------------------------------------------------------------------
Tracking number        Status              Date/Time
7487214609167750150131  Delivered           Feb 11, 2014     
                                           11:20 AM     

Track shipments/FedEx Office orders detailed results:
-----------------------------------------------------------------------
Tracking number       7487214609167750150131

Reference             304562545939440100902500000000
Ship date             Feb 03, 2014
Ship From           NEW YORK, NY
Delivery date         Feb 11, 2014 11:20 AM
Service type          FedEx SmartPost

Tracking results as of Feb 11, 2014 3:37 PM CST


Click Here and get Travel History
-----------------------------------------------------------------------


Disclaimer
-----------------------------------------------------------------------

FedEx has not validated the authenticity of any email address.

In this case, the link in the email goes to [donotclick]pceninternet.net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip.


In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe
which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49, but automated analysis tools are inconclusive as to its payload [1] [2] [3].




Malware (Neutrino EK?) sites to block 12/2/14

The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino.

In the case I saw, the victim was directed to the EK from a compromised site at greetingstext.com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie.

I would recommend that you block these following IPs and domains as a precaution:

108.178.7.118
212.83.164.87
jakiewebs.com
sheethoo.com
chaefooh.com
goldnclouds.com
nofledno.com
zeuriele.com
wqywdo.xip.io
glindeb.com

Video: Somnath Bharti's links to TopSites LLC

Articles on Somnath Bharti and TopSites LLC

You can find some of the history about TopSites LLC and Mr Bharti's involvement in my old "diary" articles written between 2003 and 2007.
Later articles can be found by looking for the Somnath Bharti tag on this blog.

Monday, 10 February 2014

81.4.106.132 / oochooch.com / 10qnbkh.xip.io

I don't like the look of this [urlquery], seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132.




Evil .pw domains on 31.41.221.131 to 31.41.221.135

Thanks to Malekal for the heads up, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:

31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135

These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report.

The evil .pw domains in use all use a subdomain of one of the following:
arrowjogger.pw
athleticsarchery.pw
athleticsjudo.pw
ballkayaker.pw
baseballcompetition.pw
basketballplaying.pw
batongoal.pw
battingfield.pw
battinggymnast.pw
boulesplaying.pw
boxerfielder.pw
boxerplay.pw
canoeingbaton.pw
canoekarate.pw
competearena.pw
competitiongolfer.pw
crewjumping.pw
dartgym.pw
defensebicycle.pw
diamondracer.pw
discushurdle.pw
divemedal.pw
diverbiking.pw
diverracket.pw
dodgeballkayaker.pw
fielddefense.pw
gearcompetitor.pw
golfbow.pw
golfercyclist.pw
golfingchampionship.pw
golfingorienteering.pw
halftimedecathlon.pw
handballdart.pw
huddledart.pw
huddledartboard.pw
javelinbaton.pw
leaguedart.pw
medaljogger.pw
medaljogger.pw
movementarchery.pw
pitchbiathlon.pw
pitchexercise.pw
playbunt.pw
playmove.pw
playoffschampion.pw
polediver.pw
polofencing.pw
pooljump.pw
racketrunning.pw
relaycompete.pw
rungymnastics.pw

 I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]

Saturday, 8 February 2014

Somnath Bharti's allwebhunt.com linked to pro-pedophilia sites

Delhi minister Somnath Bharti's allwebhunt.com site was linking to pro-pedophilia sites as late as 31st December 2013, according to Google [warning: I do not advise that you click on the links in that page]. Here is a screenshot (some descriptions may offend) (if you have difficulty with seeing the text, try this version). The ownership link between allwebhunt.com and Mr Bharti is described here.

That content was most likely taken from a controversial category at The Open Directory Project which no longer exists.

The Open Directory Project does try to be all-inclusive in what it catalogues, but I suspect that pro-paedophile sites were something that it felt it could not condone.

Friday, 7 February 2014

Headlines Today (India): Somnath Bharti's spammer connection

I'm not sure what all this fascination is with Mr Bharti's alleged connections to porn.. I've never found any evidence that he has hosted or owned sites with pornographic content. But there's certainly a great deal of evidence linking him with spam outfit TopSites LLC.

Somnath Bharti denies link to TopSites LLC in 2004

This is Somnath Bharti's denial of any involvement in TopSites LLC (explored here and in other posts). I believe that the evidence of Mr Bharti's involvement is overwhelming. However, here is a copy of the original email he sent me complete with mail headers so that independent individuals can look into its authenticity.

Return-Path: <somnath.bharti@gmail.com>
Received: from unknown (HELO blade5.cesmail.net) (192.168.1.215)
  by c60.cesmail.net with SMTP; 14 Nov 2004 13:43:23 -0500
Received: (qmail 5069 invoked by uid 1010); 14 Nov 2004 18:43:22 -0000
Delivered-To: spamcop-net-dynamoo@spamcop.net
Received: (qmail 5045 invoked from network); 14 Nov 2004 18:43:21 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Nov 2004 18:43:21 -0000
Received: from rproxy.gmail.com (64.233.170.197)
  by mailgate.cesmail.net with SMTP; 14 Nov 2004 18:43:21 -0000
Received: by rproxy.gmail.com with SMTP id r35so540853rna
        for <dynamoo@spamcop.net>; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=AItQWQnfUOPREzb2USZ1AAdfuMy54ME4VonsHz7VdB93Wd8apOkFSOrdqjkbLLFqI6nUaFy2cKrbLXTrFSLC0p5Kj2ZdwK0Qb6CFZjbS24HecjymNLUahhMUBp3AbEb0M/t/EXhC4N0HZeCD06YP/TK7XF0dZaqNweevm4cXL4E=
Received: by 10.38.102.45 with SMTP id z45mr1019046rnb;
        Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Received: by 10.38.151.16 with HTTP; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Message-ID: <4e0e2d5304111410431d08a7bb@mail.gmail.com>
Date: Sun, 14 Nov 2004 10:43:20 -0800
From: Somnath <somnath.bharti@gmail.com>
Reply-To: Somnath <somnath.bharti@gmail.com>
To: dynamoo@spamcop.net
Subject: surprising and serious
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=RCVD_BY_IP version=3.0.0
X-SpamCop-Checked: 192.168.1.101 64.233.170.197 10.38.102.45 10.38.151.16

Hi Conrad,

I was taken by surprise to find you listing my name, one of my
properties address and my picture in an article on a company named
"TopSites LLC" on your site. I don't know on what basis you have been
talking so emphatic without cross verifying with the person you are
talking about. To my utter surprise, you have been having this article
on your site accusing me of being related to a company I have heard
only through your article. Please have the same removed ASAP and
explain to me what made you write all this about a person, not even
remotely attached to any such company.
Please acknowledge of this email and have any and everything related
my name, my pic and c-28 address removed. I am available at
+91-9891819893, if you have anything to talk about. Also, post on the
same page an apology for this grievous mistake on your part.


--
Regards,
Somnath Bharti

Something evil on 69.64.39.166

69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta) according to URLquery reports such as this one.

The code is being injected into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious.


advrzc.myftp.org
amyoau.myftp.biz
aokljwwsap.serveftp.com
bgocodwsiu.myftp.org
bpknbvmc.serveftp.com
cjhkxfpdw.serveftp.com
cvxeitw.serveftp.com
cxrhtcau.myftp.biz
czwaiys.myftp.org
dhdwjwve.myftp.org
djqlcce.myftp.org
drituglgjh.serveftp.com
drpmsmt.serveftp.com
ehetlmna.myftp.biz
euimho.serveftp.com
fvyzhy.serveftp.com
hljozqutc.myftp.org
hlwswbaap.serveftp.com
hwtlzdxic.serveftp.com
idoplhj.serveftp.com
iyrseedlt.myftp.biz
lkuvivr.myftp.biz
lxeoic.myftp.org
orrlnypdvz.myftp.biz
osuqlc.myftp.org
plwxycxij.myftp.org
pmkawqgvob.myftp.org
puifnjav.myftp.biz
sbrckuod.serveftp.com
thtnuj.myftp.biz
ucuqgd.myftp.org
uqqyscgq.myftp.org
uuzkpb.myftp.biz
welfcsuybw.serveftp.com
ykypxoub.myftp.org
yrziqui.serveftp.com
yxoiyjbjt.myftp.biz

"Authorization to Use Privately Owned Vehicle on State Business" spam

We've seen this particular type of malware-laden spam before..

Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From:      Callie Figueroa [Callie@victimdomain]
Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Anubis reports an attempted connection to faneema.com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.

rbs.co.uk "Important Docs" spam

This fake spam claiming to be from the Royal Bank of Scotland has a malicious attachment:

Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From:      Doris Clay [Doris@rbs.co.uk]
Subject:      Important Docs

Account report.

Tel:  01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk

This information is classified as Confidential unless otherwise stated.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.

Automated analysis tools [1] [2] show a downlad of en encrypted file from the following locations:
[donotclick]professionalonlineediting.com/theme/cc/images/07UKex.enc
[donotclick]mararu.ro/Media/07UKex.enc

Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.

Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting.com
mararu.ro

I love Google's home page..

I love Google's home page today..


Thursday, 6 February 2014

Trouble at CtrlS?

CtrlS is a large Indian hosting provider who seldom feature in this blog which is always a positive sign. However, the last two Zeus spam smail runs exclusively use CtrlS servers to host encrypted malware.

Three of the four domains are easy to spot:
wahidexpress.com is on 182.18.188.191
bsitacademy.com is on 103.8.127.189
oilwellme.com is on 182.18.151.160

The last one of the four domains is hosted on a Cloudflare IP.. but Cloudflare is only a reverse proxy and a bit of digging at IP records show that newz24x.com appears to be hosted on another CtrlS IP of 182.18.189.71.

So, four out of four IPs belong to CtrlS. It could be a coincidence, but I wonder if anybody else is seeing traffic (especially for downloads of .enc files) in CtrlS IP ranges?

Fake HMRC "VAT Return" spam

This fake HMRC spam comes with a malicious attachment:

Date:      Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 3608005

Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.
I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.

Automated analysis tools [1] [2] [3] [4] show an encrypted file being downloaded from:
[donotclick]wahidexpress.com/scripts/ie.enc[donotclick]bsitacademy.com/img/events/ie.enc

Recommended blocklist:
182.18.188.191
wahidexpress.com
bsitacademy.com

Update:
second version of the email is circulating with the following body text:

The submission for reference 485/GB1392709 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.

Fake "TNT UK Limited " spam with zero detections


This fake TNT spam comes with a malicious attachment that is currently not detected by any AV vendors.

Date:      Thu, 6 Feb 2014 11:48:18 +0100 [05:48:18 EST]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 798950432737

Your package have been picked up and is ready for dispatch.

Connote #    :    798950432737
Service Type    :    Export Non Documents - Intl
Shipped on    :    05 Feb 14 00:00
Order No            :    2819122
Status            :       Driver's Return Description      :       Wrong Address
Service Options: You are required to select a service option below.

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: 798950432737

The options, together with their associated conditions
Attached is a file Label_798950432737.zip which contains a malicious executable Label02062014.scr (an executable despite the .scr extension) with a VirusTotal detection rate of 0/41.

Despite the zero detection rate, there is plenty of badness going on [1] [2] [3] [4] including downloads of an encrypted file from the following locations:

[donotclick]newz24x.com/wp-content/uploads/2014/02/pdf.enc
[donotclick]oilwellme.com/images/banners/pdf.enc

The Malwr report indicates lots of IPs being communicated with, some of these look like Cloudflare addresses where newz24x.com is hosted. Take care with these if you are thinking about blocking them.

Recommended blocklist:
182.18.151.160
newz24x.com
oilwellme.com

Wednesday, 5 February 2014

"Payment Fund" spam with Wire.Transfer.rar attachment

It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..

From:     Alison George allison.george@transferduc.nl
Date:     5 February 2014 22:41
Subject:     Payment Fund

ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline

Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind.

The VirusTotal detection rate is 7/50 but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason not showing in their database right now) has the following details:


Submission Summary:

  • Submission details:
    • Submission received: 5 February 2014, 04:39:38 PM
    • Processing time: 6 min 0 sec
    • Submitted sample:
      • File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
      • Filesize: 248,320 bytes
  • Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.

Technical Details:


Memory Modifications
  • There was a new process created in the system:
Process Name Process Filename Main Module Size
server.exe %Temp%\server.exe 57,344 bytes

Registry Modifications
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Environment]
      • SEE_MASK_NOZONECHECKS = "1"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • 5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts

Other details
  • To mark the presence in the system, the following Mutex object was created:
    • babe8364d0b44de2ea6e4bcccd70281e



"LloydsLink reference" spam comes with a malicious attachment

This fake Lloyds TSB spam comes with a malicous payload:

Date:      Wed, 5 Feb 2014 20:38:29 +0100 [14:38:29 EST]
From:      GRP Lloydslink Tech [GRPLloydslinkTech@LLOYDSBANKING.COM]
Subject:      LloydsLink reference: 8255820 follow up email and actions to be taken


Lloyds TSB    
    Help

(New users may need to verify their email address)

If you do not see or cannot click / tap the Download attachment button:
Desktop Users:
   

You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Mobile Users:
   

Install the mobile application.

Protected by the Voltage SecureMail Cloud

SecureMail has a NEW LOOK to better support mobile devices!

Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE™

Copyright 2002-2014 Voltage Security, Inc. All rights reserved.

Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500

Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000.  Telephone: 08457 21 31 41

Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales  2299428. Telephone: 0845 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it  (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Telephone calls may be monitored or recorded.

The attachment is SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has an icon that looks like Internet Explorer. Despire the .scr suffix, this file is a plain old .exe file and will execute if you double-click it (don't!).

VirusTotal detections are 11/51, and automated analysis between ThreatExpert, Malwr and Anubis show an attempted download from [donotclick]asianfarm.org/images/pdf.enc and [donotclick]ideasempurna.com.my/wp-content/uploads/2014/02/pdf.enc with the following IPs being involved:

108.90.186.161 (AT&T, US)
111.90.133.246 (Piradius Net, Malaysia)
121.117.209.51 (NTT, Japan)
124.217.241.34 (Piradius Net, Malaysia)
174.103.25.199 (Time Warner Cable, US)

The .enc file is an encoded executable, explained in detail here. I haven't tried to decode it but obviously that too will be malicious.

Recommended blocklist:
asianfarm.org
ideasempurna.com.my
108.90.186.161
111.90.133.246
121.117.209.51
124.217.241.34
174.103.25.199

"Barclays transaction notification" spam

This fake Barclays spam comes with a malicious payload:

Date:      Wed, 5 Feb 2014 03:02:52 -0500 [03:02:52 EST]
From:      Barclays Bank [support@barclays.net]
Subject:      Barclays transaction notification #002601

Transaction is completed. £9685 has been successfully transfered.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

Barclays is a trading name of Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702). Registered in England. Registered Number is 1026167 with registered office at 1 Churchill Place, London E14 5HP.
Attached is a file Payment receipt Barclays PA77392733.zip which is turn contains a malicious executable Payment receipt Barclays PA77392733.exe with a surprisingly poor VirusTotal detection rate of just 1/51 (only Sophos detects it). Automated analysis tools are pretty inconclusive about the payload [1] [2] [3] with only the Malwr report having any real detail.

Tuesday, 4 February 2014

WTF? WFP.org spam? Or is it emailciti.com?

This spam is promoting the UN's World Food Programme. I'm surprised the the WFP should sink so low, but perhaps they engaged the services of spammers without realising.

From:     World Food Programme newsletter@newsletter.loyaltyciti.com
Reply-To:     newsletter@newsletter.loyaltyciti.com
Date:     4 February 2014 09:58
Subject:     60% of people here don't have food
Signed by:     newsletter.loyaltyciti.com

If you are unable to see the message below, click here to view.

Share:     Delicious    Digg    Facebook    LinkedIn    Twitter   

world food programme
There’s a common link between a mother in Central African Republic, a father in South Sudan, and a child in Syria. Hunger. Fortunately, there’s also a common solution – The World Food Programme (WFP)..
WFP provides food assistance so families can break the cycle of poverty and hunger. Our goal? Zero hunger. We rely on the support of our online community to make this a reality.
Will you join us? Sign up at wfp.org/join to receive monthly updates and info about how you can help achieve a zero hunger world.
When conflict erupts, hunger soon follows. In CAR, South Sudan, and Syria, WFP is fighting for families who are being pushed to the brink. Find out how we’re responding to ensure families have the security that comes with a daily meal.
central african republic
level 3 emergency
See where we’re sounding the alarm.
remembering what matters         delivering despite
WFP’s Rasmus Egendal reflects on what really matters in Syria: The People.         Thanks to our supporters like you, WFP has been able to deliver food in South Sudan rom the start.
starting stars from car         reporting from damascus
Get the facts & figures you should know: 60% of families in Central African Republic have no food.         Watch an update from WFP’s Executive Director who met Syrian families relying on WFP assistance.
follow wfp     facebook     twitter

You have received this email message from EmailCiti, the leading Email Behavior and Lead Generation Company in the GCC & Middle East. Your email address has been recorded because you have subscribed to one of our email &newsletters services or are registered with one of our Partner and affiliate sites. For more information, visit www.emailciti.com
If you don't wish to receive these emails anymore please click here.
The email originates from 208.95.135.84 [mail3345.emailciti.mkt3942.com] (Silverpop Systems, US) and spamvertises an intermediate site at links.emailciti.mkt3941.com on 74.112.69.20 (Silverpop again) and then forwards to www.wfp.org/hunger-hot-spots if you click through.

The email itself is digitally signed, so we can be reasonable assure that it originates from loyaltyciti.com who are in Dubai:

Registry Registrant ID:
Registrant Name: mohammad Lahlouh
Registrant Organization: Emailciti
Registrant Street: Dubai Media City, Building #8
Registrant City: Dubai
Registrant State/Province: Dubai
Registrant Postal Code: 502382
Registrant Country: United Arab Emirates
Registrant Phone: +971.507735717
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: mlahlouh@emailciti.com
Registry Admin ID: 


These people are persistent spammers who usually send through some unsolicited crap several times a week, using an email address that is effectively a spamtrap. What is really annoying is the the WFP is paying these spammers to run a campaign of dubious value when they could be helping to fee starving people.

Monday, 3 February 2014

Something evil on 192.95.43.160/28

More badness hosted by OVH Canada, this time 192.95.43.160/28 which contains pretty much the same set of evil described here. Here is a typical IP flagged by VirusTotal and a failed resolution by URLquery which frankly gives enough information to make it suspicious.

However, the key thing is the registrant details which have been used in many malware attacks before.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859116


I can see the following .pw domains active in this range:
basecoach.pw
crewcloud.pw
boomerangfair.pw
kickballmonsoon.pw
martialartsclub.pw
runningracer.pw


All those domains are flagged by Google as malicious and I recommend that you block them along with 192.95.43.160/28.

(Hat tip to my source, you know who you are!)