Thursday, 25 September 2008
Asprox: "eval(function(p,a,c,k,e,r)"
There has been a slight shift in tactics by the Asprox gang in their SQL injection attacks: they are now using a packer on their JavaScript. This doesn't seem to be for obfuscation purposes, as the script is relatively easy to decode; presumably it's a way to get around virus and link scanners. (Click the image below for an example.)
You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system, because it is very easy to get infected.
mnicbre.ru and vtg43.ru seem to be the two active domains, although you should perhaps check for all the ones on this list to be safe.
Packing tools are an easy way to avoid detection, at least temporarily. But given the prevalence of JavaScript-based malware and the ever-increasing availability of bandwidth, JavaScript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so if you use JavaScript extensively and rely on a packing tool, you might want to reconsider how you deploy JavaScript on your site.
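The eval=alert trick above still loads the attacker's wrapper in a browser. As an added example (not code from the original post or from the Asprox scripts), here is a decoder that reimplements the p,a,c,k,e,r routine itself, so the packed script is only ever handled as text. It includes a minimal packer to produce a constructed sample (assumption: it mirrors only the token scheme of the real packer, which is all the decoder depends on); the URL in the sample is a placeholder, not an indicator from the post.

```javascript
// Added example (not from the original post): decoding "eval(function(p,a,c,k,e,r)"
// packed JavaScript without ever executing it. The post's eval=alert trick still
// runs the attacker's outer wrapper in a browser; this reimplements the decoder
// instead, so the packed script is only ever treated as text.

// The packer's base-`a` token for slot c: 0-9a-z below 36, then A-Z.
function encodeToken(c, a) {
  const head = c < a ? '' : encodeToken(Math.floor(c / a), a);
  const d = c % a;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Same substitution loop as the packed function body, run on our side:
// highest slot first, each token replaced by its keyword as a whole word.
function unpackArgs(p, a, c, k) {
  while (c--) {
    if (k[c]) p = p.replace(new RegExp('\\b' + encodeToken(c, a) + '\\b', 'g'), k[c]);
  }
  return p;
}

// Undo the escaping used when p was embedded as a single-quoted literal.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch === 'r' ? '\r' : ch));
}

// Pull the trailing `}('p',a,c,'k'.split('|'),0,{}))` arguments out of the packed text.
function unpack(packed) {
  const m = /\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\)/.exec(packed);
  if (!m) throw new Error('not p,a,c,k,e,r packed input');
  const p = unescapeLiteral(m[1]);
  const a = parseInt(m[2], 10);
  const c = parseInt(m[3], 10);
  const k = m[4].split('|');
  if (k.length !== c) throw new Error(`keyword count ${k.length} does not match c=${c}`);
  return unpackArgs(p, a, c, k);
}

// Cheap triage signature for the wrapper itself (the older packer names the
// last parameter d rather than r).
function isPacked(text) {
  return /eval\(function\(p,a,c,k,e,[rd]\)/.test(text);
}

// Minimal packer so the example has input to work on. It mirrors only the token
// scheme of the real tool (assumption: enough to produce the same layout).
function pack(source, a = 62) {
  const words = [...new Set(source.match(/\b\w+\b/g) || [])];
  const n = words.length;
  const slot = new Array(n).fill(null);
  const todo = [];
  // A word that already equals some token must sit in that token's slot (and is
  // then left unchanged), or the decoder would rewrite it on a later pass.
  for (const w of words) {
    let placed = false;
    for (let i = 0; i < n && !placed; i++) {
      if (encodeToken(i, a) === w) { slot[i] = w; placed = true; }
    }
    if (!placed) todo.push(w);
  }
  for (let i = 0; i < n; i++) if (slot[i] === null) slot[i] = todo.shift();
  const index = new Map(slot.map((w, i) => [w, i]));
  const p = source.replace(/\b\w+\b/g, w => encodeToken(index.get(w), a));
  const k = slot.map((w, i) => (encodeToken(i, a) === w ? '' : w));
  const esc = s => s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n');
  return "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+" +
    "((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--)if(k[c])" +
    "p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}" +
    `('${esc(p)}',${a},${n},'${k.join('|')}'.split('|'),0,{}))`;
}

// Constructed sample; the URL is a placeholder, not an indicator from the post.
const SAMPLE = [
  "var u = 'http://example.invalid/script.js';",
  "document.write('<script src=\"' + u + '\"></script>');",
].join('\n');

console.log(isPacked(pack(SAMPLE)), unpack(pack(SAMPLE)) === SAMPLE);
```

Because the keywords are shipped in clear in the trailing split('|') list, the "packing" hides nothing from anyone who reads the text; it only defeats scanners that look for fixed strings in the packed form, which is why the decoded output (not the wrapper) is what you should feed to your scanner or blocklist check.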
Labels:
Asprox,
SQL Injection,
Viruses
Wednesday, 24 September 2008
Asprox: h3x.info
Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].
h3x.info doesn't fit the normal pattern; perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site, and a pretty scary one at that.
The domain itself is on 80.90.114.13, which appears to be a general-purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than that it belongs to a customer; overall they seem to be a pretty clean outfit.
Let's look at the domain details first of all. As you might expect, they're mostly bogus:
Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2
Registrant Street3
Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.
Registrant FAX
Registrant FAX Ext.
Registrant Email
cy@bk.ru
[..snip..]
Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru
Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.
Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.
It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.
Labels:
Asprox,
PDFs,
SQL Injection,
Viruses
Tuesday, 23 September 2008
T-Mobile G1
It's kind of hard to tell if the T-Mobile G1 is the next big thing or just some sort of damp squib. It may not look as impressive as the iPhone on top, but underneath, the G1's Android operating system looks promising.
Oddly enough, it got me thinking about how I use my own phone: I tend to use web access more than anything else, but make only a couple of phone calls on it a week; sometimes I will listen to music or snap a photograph. I think I tried video calling once. So perhaps this G1 thingy is actually more in line with what a lot of sad geeky people like me actually want.
Anyway, this comes out in October in the US, November in the UK and early next year for other T-Mobile customers. Some more pictures are here.
Thursday, 18 September 2008
Asprox: mnbenio.ru
mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours; the following four domains are the most active:
- mnbenio.ru
- mnicbre.ru
- pkseio.ru
- vtg43.ru
Labels:
Asprox,
SQL Injection,
Viruses
Wednesday, 17 September 2008
Asprox: mnicbre.ru, pkseio.ru and vtg43.ru
The domains used in the Asprox SQL injection attacks had been stable for a few days, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again, with the following registration details:
domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN
The following domains have been active over the past 24 hours. Block these or check your logs for them (the new ones are mnicbre.ru, pkseio.ru and vtg43.ru):
- 22net.ru
- 64asp.ru
- 92prt.ru
- acr34.ru
- asl39.ru
- fst9.ru
- mnicbre.ru
- pkseio.ru
- sel92.ru
- vtg43.ru
Labels:
Asprox,
SQL Injection,
Viruses
Saturday, 13 September 2008
Doug Stanhope
I first stumbled across US stand-up comic Doug Stanhope [link probably NSFW] some years ago and was in equal parts horrified and amused by his work. By chance, I found out that he was in the UK (at the Leicester Square Theatre) so Mrs Dynamoo and myself booked some tickets to go and see him live.
You have to understand that Stanhope is pretty much the definition of "edgy". He seems to have no taboos and no fear.. as long as he's had some beer. Understand that some of his topics include suicide, gynaecology, death, drug abuse, overpopulation, abortion and Sarah Palin. Sometimes combined (don't click if you are offended by.. well, offensive stuff).
Even people who aren't easily offended are likely to be offended by something he will say. But on the other hand, perhaps some of those observations on the human condition are more profound than you would think.
So, Stanhope was on form and really, really funny. And yes.. there were several times when I thought "no.. he can't be saying that!". I could go into details, but if you like this kind of thing then it would spoil the surprise... I think it's the first time I've ever had to watch a gig like this from between my fingers.
Anyway, Stanhope is in London and Manchester for most of September, and then back in the US doing a tour for October and November (itinerary here). Or you could treat yourself to one of his fine DVDs on Amazon.
Labels:
Humour
Thursday, 11 September 2008
Dating scams
Dating scams are usually a variant of advance fee fraud: some pretty girl (probably some ugly bloke in reality) sends you some random photos and explains that they want to move to your country and move in with you, but can they have some money first? The basic operation of these scams is described here. To make it look more credible, fake dating sites are sometimes set up to give the whole thing an air of legitimacy.
This current batch of fake sites is being advertised with an email similar to the following:
i need you
i am Nice Girl good looking girl who is looking to chat with you.
e-mail me back at UcWkS@lam2you.com
i will reply back with some really nice pictures.
The domain lam2you.com has a corresponding web site on 79.135.167.51 calling itself "Online sexiest dating site". As it happens, there are a whole bunch of other domains on the same server, also describing themselves as "Online sexiest dating site", all best avoided.
- Amnocx.com
- Anandaperumal.com
- Bardline.com
- Benrd.com
- Bestdre.info
- Cardrealc.com
- Centralrd.com
- Cowarddean.com
- Direktmal.com
- Dracingsite.info
- Dracingworld.info
- Draic.info
- Dreguide.info
- Drkin.info
- Drmarksite.info
- Drmarkworld.info
- Drseusssite.info
- Equipyard.com
- Evram.info
- Ezelive.info
- Ezrdhome.com
- Firstlam.com
- Fordhx.com
- Frcis.info
- Freegbl.info
- Freeksite.info
- Freeldp.info
- Friguide.info
- Frutis-basket.info
- Gardevin.com
- Gbbed.info
- Gbizc.info
- Gbladx.info
- Gblhome.info
- Gblwizard.info
- Gbowrxx.info
- Glocentral.info
- Gloplanet.info
- Gobobrom.com
- Gocarthq.com
- Gocartutah.com
- Goldpug.info
- Gosfordw.com
- Greatrom.com
- Guyvr.info
- Hardjam.com
- Hote2youx.info
- Hyperlam.com
- Imalonline.com
- Justgbl.info
- Justrd.com
- Justvre.info
- Ldphome.info
- Ldpwizard.info
- Lesdv.com
- Lesjr.com
- Letsgocart.com
- Lgbidxx.info
- Maldirekt.com
- Malkostenlos.com
- Malplatz.com
- Malprojekt.com
- Malwelt.com
- Malzentrale.com
- Mediagocart.com
- Medmallist.com
- Meinmal.com
- Menziesmalvern.com
- Moonboardm.com
- Morerd.com
- Mygbl.info
- Nitgbx.info
- Nvromx.info
- Officialgbl.info
- Officialldp.info
- Officialrd.com
- Oldpee.info
- Onlinegbl.info
- Ovrom.info
- Pacanimal.com
- Phillymedicalmal.com
- Qualitaetmal.com
- Razales.com
- Rd2you.com
- Rdnation.com
- Rdplanet.com
- Saravanaperumal.com
- Searchesrom.com
- Shemalglobal.com
- Supergbl.info
- Superldp.info
- Superrd.com
- Superromics.com
- Tomalonline.com
- Topeguidex.info
- Virtualgbl.info
- Virtualglo.info
- Virtualldp.info
- Virtuellmal.com
- Vrehome.info
- Warmalonline.com
- Wildpin.info
- Wirelesamerica.com
- Wizardrd.com
- Worldpivot.info
- Worldplayservices.info
- Yourfr.info
- Yourgbl.info
- Yourldp.info
- Capvr.info
- Davidre.info
- Virtualvre.info
- Vreproject.info
- Vrewizard.info
Labels:
Dating Scams,
Scams,
Spam
Asprox: 22net.ru, 4net9.ru, 64asp.ru, 92prt.ru and fst9.ru
These are the domains active in the Asprox SQL injection attack in the past 24 hours (the new ones are 22net.ru, 4net9.ru, 64asp.ru, 92prt.ru and fst9.ru). Block these and/or check your logs for them.
- 22net.ru
- 4net9.ru
- 51com.ru
- 64asp.ru
- 92prt.ru
- acr34.ru
- fst9.ru
- sel92.ru
Wednesday, 10 September 2008
SpamCop phish
Some people will phish for anything; in this case they are trying to get access to SpamCop accounts. Go figure. The reply-to address is 2020sarah@live.com.
Subject: UPDATE YOUR ACCOUNT / SPAMCOP.NET
From: "Admin@spamcop.net"
Date: Wed, September 10, 2008 4:54 pm
Cc: recipient list not shown:;
Priority: Normal
This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-----------------------------------------------------------
SPAMCOP.NET WEBMAIL
INTERNET SERVICE WEBSITE WISH TO INFORM YOU THAT WE HAVE
SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO
ERROR CODE 334409.
WE DISCOVERD THAT IN FEW DAYS FROM NOW EACH CUSTOMER WILL
NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT. IN THAT
REGARD,YOU ARE REQUIRED TO SEND YOUR EMAIL ADDRESS AND
PASSWORD FOR A NEW ACCOUNT UPDATE.
YOU ARE ADVISED TO IMMEDIATELY SEND US THE REQUIRED
INFORMATION SO AS TO ENABLE US IMMEDIATELY UPDATE YOUR
ACCOUNT.
Note:You have to understand that the reason why we are not
sending this message from our own private account.This is
due to some technical problem we are having right now.
BELOW THE INFORMATION RQRUIRED FOR ACCOUT UPDATE
1)Full Email Address:
2)password:
3)date of birth:
Thanks for your understanding.
SPAMCOP.NET WEBMAIL INTERNET SERVICE
PestPatrol: SillyDl FFL in wuauclt.exe
It looks like CA PestPatrol might have a false positive, detecting SillyDl FFL in C:\windows\system32\wuauclt.exe. This is a component of Windows Update; in the case of the false positive it is a 124,184-byte file with an internal version number of 5.8.0.2469.
PestPatrol does not appear to be trying to delete the file, it is merely blocking access to it. Updating your Windows Update components should clear the problem. CA usually fix these false positives in a day or so.
The current signature version is 2008.9.9.15. Note that the PestPatrol engine is used in some other products, not all of which have the CA name on them.
Labels:
CA,
False Positive,
PestPatrol
Asprox: 51com.ru, acr34.ru, asl39.ru and net83.ru
Another bunch of very fresh domains being used in the Asprox SQL injection attack, registered at Naunet to the email address retyi111@yahoo.com. Check your logs for these sites or block access to them.
- 51com.ru
- acr34.ru
- asl39.ru
- net83.ru
Labels:
Asprox,
SQL Injection,
Viruses
Tuesday, 9 September 2008
SQL Injection: ave2.cn / %61%76%65%32%2E%63%6E
This SQL injection attack seems to be aimed at Chinese-language sites. The injected code points to http://%61%76%65%32%2E%63%6E, which is trivially encoded (each %xx is just an ASCII byte) and decodes to ave2.cn, hosted on 219.129.239.251.
ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).
Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as VERY dangerous.
Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding:
- doups.cn
- hs7yue.cn
- hxg008.cn
- jzm013.cn
- jzm014.cn
- jzm015.cn
- qingfeng01.cn
Labels:
SQL Injection,
Viruses
Monday, 8 September 2008
Asprox: 64do.com
Possibly the final Asprox domain of the day is 64do.com; add this to your block or scan list.
Labels:
Asprox,
SQL Injection,
Viruses
Asprox: "aspx" domains
Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.
- 24aspx.com
- 2aspx.net
- 6aspx.com
- 9aspx.net
- aspx46.com
Labels:
Asprox,
Domains,
SQL Injection
Asprox: 19ssl.net
Another "druid00091@aol.com" domain (following on from this one and this one), this time 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also hosts a copy of the (presumably legitimate) nescodirect.com site (this behaviour is noted elsewhere).
Domain name: 19ssl.net
Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net
Labels:
Asprox,
SQL Injection,
Viruses
Asprox: 24aspx.com
The latest domain name used in the recent Asprox SQL injection attacks appears to be 24aspx.com. Perhaps the Asprox guys are boasting a little with the domain name? Certainly these SQL injection attacks still seem to serve a useful purpose for them, although the number of vulnerable servers keeps dropping. Anyway, block this one or check your logs for it.
The email address used to register this domain is identical to the one used for the "Luksus Jobs" scam email. No big news here, as the Asprox botnet is used for a wide variety of things; it's just odd to see druid00091@aol.com come up twice in such a short period.
It's also notable that they've switched back to .com from .ru, but this time registered through Chinese registrar BIZCN.COM.
Domain name: 24aspx.com
Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us
DNS:
ns1.24aspx.com
ns2.24aspx.com
ns3.24aspx.com
Created: 2008-09-06
Expires: 2009-09-06
Labels:
Asprox,
SQL Injection,
Viruses
"Job Opportunity at Luksus" / luksus-jobs.org scam
Luksus Media is a wholly legitimate Finnish company, but this attempt to recruit a money mule does not come from Luksus, just from a company trying to trade on its name.
This scam is being run by the same people behind the Asprox SQL injection attacks that have been doing the rounds (more information after the email).
Subject: Job Opportunity at Luksus
We have reviewed your resume and would like to introduce you to our
current vacancy.
Luksus, with headquarters in Helsinki, Finland, serves the luxury
lifestyle and offers unparalleled access to the finest luxury
goods. We offer a unique mix of brands, partnerships, and product
expertise. We are currently hiring, work at home positions, to
provide administrative assistance with sales in North America.
Candidates for the job should possess excellent organizational
skills as well as the ability to efficiently multi-task. Ideal
candidates have a strong focus on day-to-day operational
excellence. The candidate should be motivated, proactive, be able
to learn and adapt quickly.
Other duties include, but are not limited to:
* Incorporating effective priorities for the virtual office function
* Administer day-to-day financial responsibilities for clients
* Reporting online daily
* Preparing brief summary reports, and weekly financial reports
Salary part-time (3 hours per day, Monday-Friday): $1,200/month,
plus commission.
If you are interested in this position please send us an email to
Sandra.Collins@luksus-jobs.org expressing your interest and we will
forward you the detailed job description and the working agreement.
Thank You,
Luksus Team
Normally, WHOIS data is pretty useless, but sometimes the email address can give a clue:
Domain ID: D153950800-LROR
Domain Name: LUKSUS-JOBS.ORG
Created On: 28-Aug-2008 11: 34: 57 UTC
Last Updated On: 28-Aug-2008 14: 23: 25 UTC
Expiration Date: 28-Aug-2009 11: 34: 57 UTC
Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Registrant ID: orgfm19923291709
Registrant Name: Fero Muia
Registrant Organization: Fero Muia
Registrant Street1: 3213 po box
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 12310
Registrant Country: US
Registrant Phone: +1.9917721121
Registrant Phone Ext.:
Registrant FAX: +1.9917721121
Registrant FAX Ext.:
Registrant Email: druid00091@aol.com
Admin ID: orgfm19923292728
Admin Name: Fero Muia
Admin Organization: Fero Muia
Admin Street1: 3213 po box
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 12310
Admin Country: US
Admin Phone: +1.9917721121
Admin Phone Ext.:
Admin FAX: +1.9917721121
Admin FAX Ext.:
Admin Email: druid00091@aol.com
Tech ID: orgfm19923293349
Tech Name: Fero Muia
Tech Organization: Fero Muia
Tech Street1: 3213 po box
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 12310
Tech Country: US
Tech Phone: +1.9917721121
Tech Phone Ext.:
Tech FAX: +1.9917721121
Tech FAX Ext.:
Tech Email: druid00091@aol.com
Name Server: NS1.RELEASEBPB.COM
Name Server: NS2.RELEASEBPB.COM
druid00091@aol.com is the address being used to register today's latest SQL injection domains too, which ties the two operations together. releasebpb.com provides a set of name servers associated only with malware domains: ns1.releasebpb.com is on 194.150.120.47 and ns2.releasebpb.com is on 20.31.85.15.
This type of fraud doesn't use a website to entice people; it is looking for an email response. In this case, email is delivered to mx.luksus-jobs.org on 12.192.82.225, which is on the AT&T network.
It's hard to tell which of these IPs are part of the Asprox botnet and which are rented (usually with fake credit card details). Nonetheless, it gives a glimpse into just how large and efficient these operations can be.
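The link between luksus-jobs.org and the SQL injection domains rests on one shared registrant address. As an added example (not code from the original post), here is how that pivot can be done systematically across WHOIS records from different registrars, whose layouts differ (key: value lines for the .org and .ru records, free text under "Registrant Contact:" for the BIZCN ones). The records are the ones quoted in these posts, trimmed to the contact lines the pivot needs; treating a domain's own name servers as non-indicators is a design choice of this example, not something the post states.

```javascript
// Added example, not from the original post: pivoting across WHOIS records on
// shared registrant details. Records are the ones quoted in the posts, trimmed
// to the lines the pivot needs; layouts differ by registrar.
const RECORDS = {
  'luksus-jobs.org': [
    'Registrant Name: Fero Muia',
    'Registrant Phone: +1.9917721121',
    'Registrant Email: druid00091@aol.com',
    'Name Server: NS1.RELEASEBPB.COM',
    'Name Server: NS2.RELEASEBPB.COM',
  ].join('\n'),
  '24aspx.com': [
    'Registrant Contact:',
    'City22 llc',
    'Alex Williamos druid00091@aol.com',
    '+1.8827721124 fax: +1.8827721124',
    'DNS:',
    'ns1.24aspx.com',
    'ns2.24aspx.com',
  ].join('\n'),
  '19ssl.net': [
    'Registrant Contact:',
    'City22 llc',
    'Alex Williamos druid00091@aol.com',
    '+1.8827721124 fax: +1.8827721124',
    'DNS:',
    'ns1.19ssl.net',
  ].join('\n'),
  'mnicbre.ru': [
    'person: Private Person',
    'phone: +7 772 7727091',
    'e-mail: retyi1111@yahoo.com',
    'nserver: ns1.mnicbre.ru. 76.240.151.177',
  ].join('\n'),
};

// Indicators worth pivoting on, found by pattern rather than by field name so
// the same code works on any registrar's layout. Phones are reduced to digits.
function extractIndicators(domain, whoisText) {
  const out = new Set();
  for (const e of whoisText.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || []) out.add('email:' + e.toLowerCase());
  for (const p of whoisText.match(/\+\d[\d .-]{6,}\d/g) || []) out.add('phone:' + p.replace(/\D/g, ''));
  for (const n of whoisText.match(/\bns\d+(?:\.[a-z0-9-]+)+\.[a-z]{2,}\b/gi) || []) {
    const host = n.toLowerCase();
    // A domain's own name servers (ns1.24aspx.com for 24aspx.com) say nothing
    // about what else the registrant controls, so they are not pivot points.
    if (!host.endsWith('.' + domain)) out.add('ns:' + host.split('.').slice(-2).join('.'));
  }
  return out;
}

// Group domains that share at least one indicator (connected components over
// the domain/indicator graph).
function clusterByIndicators(records) {
  const byIndicator = new Map();
  const indicatorsOf = new Map();
  for (const [domain, text] of Object.entries(records)) {
    const inds = extractIndicators(domain, text);
    indicatorsOf.set(domain, inds);
    for (const i of inds) {
      if (!byIndicator.has(i)) byIndicator.set(i, new Set());
      byIndicator.get(i).add(domain);
    }
  }
  const seen = new Set();
  const clusters = [];
  for (const start of Object.keys(records)) {
    if (seen.has(start)) continue;
    const members = [];
    const stack = [start];
    seen.add(start);
    while (stack.length) {
      const d = stack.pop();
      members.push(d);
      for (const i of indicatorsOf.get(d)) {
        for (const other of byIndicator.get(i)) {
          if (!seen.has(other)) { seen.add(other); stack.push(other); }
        }
      }
    }
    clusters.push(members.sort());
  }
  return clusters;
}

// Which domains carry a given indicator, e.g. an address seen in a scam e-mail.
function domainsSharing(records, indicator) {
  return Object.entries(records)
    .filter(([d, t]) => extractIndicators(d, t).has(indicator))
    .map(([d]) => d)
    .sort();
}

console.log(clusterByIndicators(RECORDS));
console.log(domainsSharing(RECORDS, 'email:druid00091@aol.com'));
```

The phone numbers differ between the .org and BIZCN records, so only the e-mail address joins them; the NAUNET record stays in its own cluster, which is the right answer on the evidence quoted here.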
Labels:
Asprox,
Money Mule,
Scams
Thursday, 4 September 2008
CNOOC (www.cnooc.com.cn) scam
CNOOC (www.cnooc.com.cn) are a legitimate oil exploration and petrochemicals firm in China. The following job offer is a money mule scam, NOT from CNOOC but from someone pretending to be them. Don't be tempted.
CNOOC Oil Base Group Ltd.
Address:6 Dongzhimenwai Xiaojie,
Dongcheng District, Beijing, China 100027
Telephone:010-8452101, 010-8453198
Fax:010-6460250
EMail:cnooccorporation@yahoo.com.hk
Website:www.cnooc.com.cn
Good Day,
JOB OPPORTUNITY
We are exporters base in China , we deal on Oilexploitation, technical
service, chemicals, fertilizar production, refining,natural gas, power
generation,financial services, logistic services and new energies
development. Visit our corporate website: www.cnooc.com.cn
We have costumers in Asia, Europe, America , Australia , Canada and
Africa.
Our company (CNOOC) was established in 1982. We are interested in
employing
company services, to work with us as our payment agent our north America
customers will make payment to you on our behalf for goods and raw
materials we supplied to our customers in North America.
If your company is interested in working with us,we will be
very glad, Subject to your satisfaction, your company reward of
working with us as a Payment Officer is 5% of any Payment
your company receive from our costumers.
Most payment ranges from $300,000.00 to $3.3 Million US Dollars
Please if you are interested forward the following info to us:
1. Your Full Name:
2. Payment should be made to: Company?s Name:
3. Your Full Contact Address:
4. Phone/Fax Number:
5. Occupation:
Thanks for your corporations.
Yours Sincerely,
Mr. Wu Mengfei
Chief Financial Officer.
Labels:
Money Mule,
Scams,
Spam
Asprox: jic2.ru
Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js" will help locate suspect activity.
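The advice repeated through these posts is to block the listed domains or grep your logs for them and for ".ru/script.js", and the ave2.cn post shows why a plain grep can miss: the injected reference was percent-encoded. As an added example (not code from the original post), here is a small scanner that percent-decodes each line before matching, anchors domain matches to whole host names, and reports the generic ".ru/script.js" pattern separately so unlisted domains still surface. The log lines, the proxy addresses and the domain newdom.ru are constructed for the example; the domain list is collected from these posts, and the repeated decoding for double-encoded input goes beyond what the post shows.

```javascript
// Added example (not from the original post): checking logs for the domains
// listed in these posts (the Asprox .ru/.com domains plus ave2.cn from the
// Chinese-language campaign) and for the generic ".ru/script.js" string the
// post suggests searching for. Matching happens after percent-decoding because
// the ave2.cn injection wrote its domain as %61%76%65%32%2E%63%6E.
const KNOWN_DOMAINS = [
  '22net.ru', '4net9.ru', '51com.ru', '64asp.ru', '64do.com', '92prt.ru', 'acr34.ru',
  'asl39.ru', 'fst9.ru', 'jic2.ru', 'mnbenio.ru', 'mnicbre.ru', 'net83.ru',
  'pkseio.ru', 'sel92.ru', 'vtg43.ru', 'ave2.cn',
];

// Constructed sample: two Apache-style web server lines and three Squid-style
// outbound proxy lines. Addresses are private or documentation ranges, and
// newdom.ru is made up to show the generic pattern catching an unlisted domain.
const SAMPLE_LOG = [
  '192.0.2.10 - - [17/Sep/2008:09:01:12 +0000] "GET /index.asp?page=2 HTTP/1.1" 200 4821 "-" "Mozilla/4.0"',
  '198.51.100.7 - - [17/Sep/2008:09:02:40 +0000] "GET /index.php?ref=http://%61%76%65%32%2E%63%6E HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '1221642211.412 38 10.1.1.25 TCP_MISS/200 1180 GET http://mnicbre.ru/script.js - DIRECT/203.0.113.5 application/x-javascript',
  '1221642230.001 12 10.1.1.25 TCP_MISS/200 2210 GET http://www.example.com/js/script.js - DIRECT/203.0.113.9 application/x-javascript',
  '1221642244.870 41 10.1.1.31 TCP_MISS/200 1163 GET http://newdom.ru/script.js - DIRECT/203.0.113.5 application/x-javascript',
];

// Decode %xx sequences, repeating a few times for double-encoded input, then
// lower-case so the domain list matches whatever encoding the attacker used.
function normalize(line) {
  let prev;
  let cur = line;
  for (let i = 0; i < 3 && prev !== cur; i++) {
    prev = cur;
    cur = cur.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
  }
  return cur.toLowerCase();
}

// Indicators in one line: each listed domain as a whole host name (so
// jic2.ru.example.org or xjic2.ru do not count, but www.jic2.ru does), plus the
// ".ru/script.js" pattern the post recommends searching for.
function scanLine(line, domains = KNOWN_DOMAINS) {
  const text = normalize(line);
  const hits = [];
  for (const d of domains) {
    const re = new RegExp('(?:^|[^a-z0-9-])' + d.replace(/\./g, '\\.') + '(?=$|[^a-z0-9.-])');
    if (re.test(text)) hits.push(d);
  }
  if (/[a-z0-9-]+\.ru\/script\.js/.test(text)) hits.push('.ru/script.js');
  return hits;
}

// Run over a whole log; returns one record per line with at least one hit.
function scanLog(lines, domains = KNOWN_DOMAINS) {
  const findings = [];
  lines.forEach((line, i) => {
    const hits = scanLine(line, domains);
    if (hits.length) findings.push({ line: i + 1, hits });
  });
  return findings;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG)));
```

On the sample, the percent-encoded ave2.cn reference on line 2 is caught only because of the decoding step, and line 5 is flagged by the generic pattern alone, which is the case the block list cannot cover on its own.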
Labels:
Asprox,
SQL Injection,
Viruses
Wednesday, 3 September 2008
"Bangui" malware domains
A whole set of domains distributing malware, currently based on 206.53.51.119 and allegedly registered to someone in Bangui (although most likely it is the RBN again). These domains are being used in blog spam and also in what appear to be PHP and ASP injection attacks.
Unlike some injection attacks, the pages carry some scraped text that's relevant to the URL. Combine this with the inbound links created through spam and injection attacks and you have a very black hat SEO campaign. Yahoo! seems to be more prone to this type of SEO than Google.
The pages on these domains use a JavaScript redirector (menu.js) to end up at a set of fake video and rogue anti-malware sites that install all sorts of nasty things; again, these endpoints have the hallmark of the RBN.
- Afwwwf.info
- Apostit.info
- Bcuioc.info
- Bglkhg.org
- Bihuru.org
- Biiwhw.info
- Bikgfjr.info
- Bioblor.info
- Bioqw.info
- Biowfr.info
- Bkjksl.org
- Bkssdoue.info
- Bloiw.org
- Bocaca.org
- Cascaa.info
- Cbasoa.info
- Cbr1000rrxx.info
- Csccons.org
- Cskaa.org
- Eomnb.info
- Fasca.info
- Fasfw555.info
- Fasw.org
- Fbkshk.org
- Fdsaa.org
- Firstnax.org
- Fjkjfjoi.info
- Fjwiojnc.info
- Flsab.info
- Foeww.org
- Foxrat.info
- Fsaff.org
- Fsafvn.info
- Fsancao.info
- Fsanp.org
- Fsaqq.info
- Fsaw.org
- Fsfa22rr.info
- Fsfkg.info
- Fsfworg
- Fsgkle.org
- Fsjklhg.info
- Fskjhgkb.info
- Fullmediabase.net
- Fwe75r4fyf65.cn
- Fwfds.org
- Fwfisow.org
- Fwjijc.org
- Fwoijwh.org
- Gcoigkm.org
- Gewop.info
- Gjgkgjhew.org
- Golodnijya.org
- Gucwd.org
- Hellodolly5k.net
- Hellodomy5k.net
- Hhkjj.org
- Hkljccc.info
- Hodnejgreat.info
- Hofhwbc.info
- Hohotv.org
- Homosapien5k.net
- Hrr553.info
- Hudinarjiii.cn
- Itgfbn.org
- Jfldsh.org
- Jflhg.info
- Jlbyuo.org
- Jnbq.info
- Jowely.org
- Jplhnh.info
- Juiok.org
- Jumpsert.org
- Jwionw.info
- Kiwedox.org
- Kjhiofw.org
- Kjhlfsh.org
- Knwponc.org
- Madnes.info
- Mazafaker.com
- Mfpwjmc.org
- Mkmcsss.org
- Mpfwmcs.org
- Mpkcmzz.org
- Mpmccz.org
- Mybestz5k.net
- Nado1000traffa.info
- Nfeow.org
- Nfwojw.org
- Nfwon.org
- Nhphpkj.info
- Nifa422.info
- Njpaw.info
- Nosdsh.org
- Pokoder.org
- Sonvfs.org
- Werbin.org
- Wfwcn.org
- Wn59whgp3w.cn
- Workfox.info
- Yzfr1yamahad.info