
Thursday, 28 April 2011

infernomag.com / gtracking.org nastiness

Some sort of .htaccess hack is going on, redirecting users to infernomag.com and then on to a malicious site that looks like it's downloading a Zbot variant. It only seems to work with Internet Explorer, and only when the page is accessed from a search engine (like Google). infernomag.com is hosted on 85.17.132.194 (Leaseweb) which is the same server as gtracking.org which alters the .htaccess file as described here.
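The post does not reproduce the injected .htaccess, so the following is an added example (not the original author's material) of how an analyst can check a site for the conditional redirect described above without browsing to it in Internet Explorer. The sample .htaccess is constructed to match the description: the redirect fires only when the referrer is a search engine and the user agent is MSIE, and the destination host is the one named in the post; the exact rules and target path used by the gtracking.org hack are not known and are assumed. The evaluator follows mod_rewrite semantics for RewriteCond chains (consecutive [OR] conditions form one group, groups are AND-ed, [NC] makes a match case-insensitive), so it can also be pointed at a real .htaccess recovered from a compromised host.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of injected .htaccess described in the post.
# The infernomag.com host comes from the post; the rest of the file is assumed.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} google\\. [NC,OR]
RewriteCond %{HTTP_REFERER} bing\\. [NC,OR]
RewriteCond %{HTTP_REFERER} yahoo\\. [NC]
RewriteCond %{HTTP_USER_AGENT} MSIE [NC]
RewriteRule .* http://infernomag.com/ [R=302,L]
"""

SEARCH_ENGINES = ("google", "bing", "yahoo", "msn", "ask", "aol")


@dataclass
class Cond:
    var: str        # e.g. HTTP_REFERER (the %{...} wrapper is stripped)
    pattern: str    # PCRE in Apache; treated as a Python regex here
    flags: set


@dataclass
class Rule:
    conds: list
    pattern: str
    target: str
    flags: set


def _flags(tokens):
    """Turn a trailing '[NC,OR]' token into {'NC', 'OR'}."""
    out = set()
    for t in tokens:
        if t.startswith("[") and t.endswith("]"):
            out.update(f.strip().upper() for f in t[1:-1].split(","))
    return out


def parse_htaccess(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(Cond(parts[1].strip("%{}"), parts[2], _flags(parts[3:])))
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append(Rule(pending, parts[1], parts[2], _flags(parts[3:])))
            pending = []
    return rules


def _cond_matches(cond, request):
    value = request.get(cond.var, "")
    negate = cond.pattern.startswith("!")
    pattern = cond.pattern[1:] if negate else cond.pattern
    re_flags = re.IGNORECASE if "NC" in cond.flags else 0
    hit = re.search(pattern, value, re_flags) is not None   # RewriteCond is unanchored
    return hit != negate


def rule_fires(rule, request):
    """mod_rewrite semantics: consecutive [OR] conditions form one group and
    every group must contain at least one matching condition."""
    if re.search(rule.pattern, request.get("REQUEST_URI", "")) is None:
        return False
    groups, current = [], []
    for c in rule.conds:
        current.append(c)
        if "OR" not in c.flags:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return all(any(_cond_matches(c, request) for c in g) for g in groups)


def redirect_target(rules, request):
    """Return the URL a visitor with these headers would be sent to, or None."""
    for rule in rules:
        if rule_fires(rule, request):
            return rule.target
    return None


def find_conditional_redirects(rules, local_hosts):
    """Flag rules that redirect off-site and are gated on search-engine
    referrers and/or an MSIE user agent, the pattern described in the post."""
    findings = []
    for rule in rules:
        m = re.match(r"https?://([^/]+)", rule.target, re.IGNORECASE)
        if not m or m.group(1).lower() in local_hosts:
            continue
        blob = " ".join(f"{c.var} {c.pattern}" for c in rule.conds).lower()
        referer_gate = "http_referer" in blob and any(s in blob for s in SEARCH_ENGINES)
        ua_gate = "http_user_agent" in blob and "msie" in blob
        if referer_gate or ua_gate:
            findings.append({"target": m.group(1).lower(),
                             "referer_gate": referer_gate, "ua_gate": ua_gate})
    return findings


if __name__ == "__main__":
    rules = parse_htaccess(SAMPLE_HTACCESS)
    ie_from_google = {"REQUEST_URI": "index.php",
                      "HTTP_REFERER": "http://www.google.co.uk/search?q=wedding+photographer",
                      "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"}
    print(redirect_target(rules, ie_from_google))
    print(find_conditional_redirects(rules, {"example.com"}))
```

Feed `redirect_target` a request with no referrer or a non-IE user agent and it returns None, which is exactly why the site owner and any scanner that fetches pages directly never see the redirect.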

infernomag.com then redirects users to one of at least two Leaseweb-hosted servers at 85.17.19.201 and 85.17.19.203 (possibly others). Those servers answer for a number of hostnames that appear to be subdomains of legitimate domains registered at GoDaddy by (mostly) UK users; it is likely that the registrants' domain control panels have been compromised and the subdomains added by the attacker. Examples are:

actually2.weddingphotographersurrey.net
amount9.gwdempseyjr.com
are5.gwdempseyjr.com
background1.photographbcn.com
brought0.gwdempseyjr.com
captain5.photographbcn.com
captain6.gwdempseyjr.com
charge7.photographbcn.com
signal6.photographbcn.com
completely8.gwdempseyjr.com
congress1.airduct-ventcleaning-mn.com
hard9.photographbcn.com
leading1.airduct-ventcleaning-mn.com
party4.gwdempseyjr.com
providence5.gwdempseyjr.com
safe1.gwdempseyjr.com
she1.weddingphotographerkent.net
tax6.weddingphotographersurrey.net
theory7.weddingphotographerkent.net
am1.theimperialsuspects.com
area6.bettyjaneware.com
belief7.theimperialsuspects.com
contact2.theimperialsuspects.com
cultural5.boneki.com
direct2.theimperialsuspects.com
enemy2.theimperialsuspects.com
baby3.trycue.com
liberal6.trycue.com
most0.ladyofvirtuestore.com
professional0.ladyofvirtuestore.com

Two domains on those servers that do not fit the pattern are:
gfaster.net
fortreecom.net

The WHOIS details are probably fake. For infernomag.com and gtracking.org they are:

   Felix Maurer
   sherman66@ymail.com
   Waldowstr. 61
   Gschwend   Gschwend
   74417   DE
   +49 98466101

fortreecom.net uses the same email address but a different name:

    Bernd Austerlit        (sherman66@ymail.com)
    Alt Reinickendorf 94
    Ziemetshausen
    Bayern,86471
    DE
    Tel. +82.84991251

Detection rates are rubbish. AntiVir detects the payload as TR/Dropper.Gen, BitDefender as Gen:Variant.Zbot.34, Ikarus as Trojan.Win32.Pirminay and Sophos as Mal/Ponmocup-A. Other products do not seem to detect anything at all.

Blocking the IPs 85.17.132.194, 85.17.19.201 and 85.17.19.203 is safer than trying to block the domains, which the attackers can change far more quickly than their hosting. Blocking the whole /24s instead would probably cause very little inconvenience.

Fake "Lapatasker" job domains 28/4/11

This particular scam has been around for a couple of years and is so common now that I've christened this group of scam domains "Lapatasker" after the email address used in some of the older WHOIS details.


New domains for this scam (all registered on 26/4/11) are:

1job-europ.com
consult-europ.com
middle-consult.com
westconsult-eu.com

The (probably fake) contact details on the domains are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

As ever, avoid.

Tuesday, 26 April 2011

Some German scam sites

These are allegedly German companies, but:
  • They are all very recently registered (4th and 17th April 2011)
  • The registrar is in China (BIZCN.COM)
  • The web host is in Romania
  • In each case a Yahoo email address has been used
The host is "Enter Net Team" / "Power Host" in Romania. Blocking 86.55.96.0/23 is a quick win if you can do it.

blocher-finance.com
dxxm-group.com
eg-finanzen.com
eseira-finanzen.com
eseira-gruppe.com
esse-gruppe.com
fil-finanzen.com
frost-finanzen.com
geissler-finance.com
geld-group.com
genser-group.com
grueneberg-and-partners.com
hanza-gruppe.com
hod-group.com
horst-finanzen.com
jix-finance.com
koeppl-finanzen.com
krenosz-finance.com
nitte-gruppe.com
nogl-group.com
pius-group.com
puemmler-and-partners.com
schem-group.com
somex-gruppe.com
temi-group.com
volkse-finanzen.com
wedi-group.com
werx-finanzen.com
werx-gruppe.com
wolgast-and-partners.com

More details:
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

frost-finanzen.com
86.55.96.13
Georgios Mavridis georgiosmavridis50@yahoo.com
+49.1773305251 fax: +49.1773305251
Gerolsteiner Str. 119
Cologne Nordrhein-Westfalen 50937
de

puemmler-and-partners.com
86.55.96.15
Tanja Geissler geisslertanja@yahoo.com
+49.1776444216 fax: +49.1776444216
Lindenstr.38
Kreuzau Nordrhein-Westfalen 52372
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

wolgast-and-partners.com
86.55.96.19
Mike Grueneberg gruenebergmike@yahoo.com
+49.15223628764 fax: +49.15223628764
Walter friedrich str.56
Berlin Berlin 13125
de

somex-gruppe.com
86.55.96.21
Heidrun Lorenz heidrunlorenz@yahoo.com
+49.16099222185 fax: +49.16099222185
Flutgrabenweg 1a
Neumarkt Bayern 92318
de

schem-group.com
86.55.96.23
Ludwig Detlef ludwigdetlef@ymail.com
+49.15203113478 fax: +49.15203113478
Kalk-Muelheimerstr.210
Koeln Nordrhein-Westfalen 51103
de

werx-finanzen.com
86.55.96.25
Daniel Koeppl daniel.koeppl@yahoo.com
+49.15111521688 fax: +49.15111521688
Reinhardsleiten 8
Pielenhofen Bayern 93188
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hanza-gruppe.com
86.55.96.31
Denis Wolgast deniswolgast@yahoo.com
+49.16098119639 fax: +49.16098119639
Am Heidberg 34
Henstedt-Ulzburg Schleswig-Holstein 24558
de

nogl-group.com
86.55.96.33
Lena Puemmler lenapuemmler@yahoo.com
+49.17663727804 fax: +49.17663727804
Neuer Kamp 2
Drebber Niedersachsen 49457
de

dxxm-group.com
86.55.96.35
Bianka Sturhahn biankasturhahn@ymail.com
+49.1723276172 fax: +49.1723276172
Plass 3
Doerentrup Nordrhein-Westfalen 32694
de

geld-group.com
86.55.96.37
Frank Swoboda polskeswine@yahoo.com
+49.15776817588 fax: +49.15776817588
Otto-Hahn-Str. 7a
Alsdorf Nordrhein-Westfalen 52477
de

krenosz-finance.com
86.55.96.39
Olaf Sedello olafsedello@yahoo.com
+49.2254847434 fax: +49.2254847434
Triftstrasse 42
Weilerswist Nordrhein-Westfalen 53919
de

werx-gruppe.com
86.55.96.41
Andreas Kubasik andreaskubasik@ymail.com
+49.15229234145 fax: +49.15229234145
Gartenstrasse 24a
Pleinfeld Bayern 91785
de

grueneberg-and-partners.com
86.55.96.43
Josef Schedlbauer josefschedlbauer@yahoo.com
+49.1712755823 fax: +49.1712755823
Bergstrasse 21a
Regen Bayern 94209
de

geissler-finance.com
86.55.96.45
Vadim Kruglov vadimkruglov@rocketmail.com
+49.1629098777 fax: +49.1629098777
Schuetzenstrasse 23
Friesoythe Niedersachsen 26169
de

esse-gruppe.com
86.55.96.47
Gerhard Krenosz gerhardkrenosz@yahoo.com
+49.21117806832 fax: +49.21117806832
Ludolf Strasse 15
Duesseldorf Nordrhein-Westfalen 40597
de

koeppl-finanzen.com
86.55.96.49
Holm Mrazek holmmrazek@yahoo.com
+49.17685370230 fax: +49.17685370230
Sonnenstrasse 222
Dortmund Nordrhein-Westfalen 44137
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

volkse-finanzen.com
86.55.96.53
Denis Goertz denis.goertz@yahoo.com
+49.1639836914 fax: +49.1639836914
hochstr. 61
Nettetal Lobberich Sachsenanhalt 41334
de

blocher-finance.com
86.55.96.55
Helmut Koenig koenighelmut@yahoo.com
+49.1733201046 fax: +49.1733201046
Oberhofer Str. 26
Zella-Mehlis Thuringen 98544
de

fil-finanzen.com
86.55.96.57
Bernecker Josef berneckerjosef@yahoo.com
+49.9422859853 fax: +49.9422859853
Stadtplatz 42
Bogen Bayern 94327
de

eg-finanzen.com
86.55.96.59
Pius Walleser walleser32@yahoo.com
+49.1754218358 fax: +49.1754218358
Kesslerstrasse 5
Breisach Sachsen-Anhalt 79206
de

temi-group.com
86.55.96.61
Horst Werner woerner963@yahoo.com
+49.1728189733 fax: +49.1728189733
Rilkestrasse 3
Bad Schussenried Rheinland-Pfalz 88427
de

horst-finanzen.com
86.55.96.63
Kai Hermann hkaihermann@yahoo.com
+49.9942808801 fax: +49.9942808801
Tafertsbergstrasse 12
Prackenbach Rheinland-Pfalz 94267
de

wedi-group.com
86.55.96.65
Joseph Bauer bauer.joseph81@yahoo.com
+49.8555941395 fax: +49.8555941395
Hofaecker 4
Grafenau Hamburg 94481
de

pius-group.com
86.55.96.67
Daniela Habermann habermann_d@yahoo.com
+49.17694209180 fax: +49.17694209180
tecklenburgerstrasse 29
Ladbergen Bayern 49549
de

genser-group.com
86.55.96.69
Armin Blocher arminblocher@rocketmail.com
+49.02771801325 fax: +49.02771801325
Langgasse 1
Dillenburg Niedersachsen 35685
de
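The thirty records above share a few mechanical tells that are easier to see in bulk than one at a time: the phone and fax numbers are always identical, the contact is always a Yahoo-family webmail address, several "states" do not match the postal code (83071 is in Bayern, not Hessen; 73660 is Baden-Württemberg, not Thüringen; 94481 is Bayern, not Hamburg), and some domains share a street address. The Python below is an added example, not part of the original post, that parses records in exactly the layout used above and scores them on those tells; the same `pivot` helper can be pointed at the email field to group the "Lapatasker" domains elsewhere on this page. Five records are copied from the post, example-gmbh.de is an invented clean control record, and the leading-digit to state map is a coarse approximation that is good enough for flagging, not an authoritative PLZ table.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the post's "More details" section:
# domain / IP / name email / phone fax / street / city state PLZ / cc.
# Five records are copied from the post; example-gmbh.de is an invented clean
# control record that the checks should leave alone.
SAMPLE_WHOIS = """\
jix-finance.com
86.55.96.11
Guenter Frost guenterfrost@yahoo.com
+49.1745053607 fax: +49.1745053607
Frauenlobstr.32
Berlin Berlin 12437
de

eseira-finanzen.com
86.55.96.17
Christos Papachristou papachristou.christos@yahoo.com
+49.15202603534 fax: +49.15202603534
Haubersbronnerstr. 6
Urbach Thueringen 73660
de

nitte-gruppe.com
86.55.96.27
Hans Mausolff hansmausolff@yahoo.com
+49.17649615986 fax: +49.17649615986
Potsdamer Str. 41
Berlin Berlin 14163
de

eseira-gruppe.com
86.55.96.29
Juliane Mausolff julianemausolff@yahoo.com
+49.3031808844 fax: +49.3031808844
Potsdamer Str. 41
Berlin Berlin 14163
de

hod-group.com
86.55.96.51
Gisela Huber ghuber56@yahoo.com
+49.17666649956 fax: +49.17666649956
Althoehensteigstr. 7
Stephanskirchen Hessen 83071
de

example-gmbh.de
192.0.2.10
Erika Mustermann erika.mustermann@example-gmbh.de
+49.3012345678 fax: +49.3012345679
Musterstrasse 1
Berlin Berlin 10117
de
"""

WEBMAIL = {"yahoo.com", "ymail.com", "rocketmail.com"}   # the Yahoo family seen above

# Coarse map: leading PLZ digit -> states that digit can fall in (normalised
# spelling, see norm_state).  Catches gross mismatches; not an authoritative table.
PLZ_REGIONS = {
    "0": {"sachsen", "sachsenanhalt", "thuringen", "brandenburg"},
    "1": {"berlin", "brandenburg", "mecklenburgvorpommern"},
    "2": {"hamburg", "schleswigholstein", "niedersachsen", "bremen", "mecklenburgvorpommern"},
    "3": {"niedersachsen", "hessen", "nordrheinwestfalen", "sachsenanhalt", "thuringen"},
    "4": {"nordrheinwestfalen", "niedersachsen"},
    "5": {"nordrheinwestfalen", "rheinlandpfalz"},
    "6": {"hessen", "rheinlandpfalz", "saarland", "badenwurttemberg"},
    "7": {"badenwurttemberg"},
    "8": {"bayern", "badenwurttemberg"},
    "9": {"bayern", "thuringen", "badenwurttemberg"},
}


def norm_state(state):
    """Fold umlauts / 'ue' transliterations and punctuation so that
    'Thueringen', 'Thüringen' and 'Thuringen' compare equal."""
    s = state.lower()
    for a, b in (("ae", "a"), ("oe", "o"), ("ue", "u"), ("ä", "a"), ("ö", "o"), ("ü", "u")):
        s = s.replace(a, b)
    return re.sub(r"[^a-z]", "", s)


def parse_records(text):
    """Parse blank-line separated 7-line records in the post's layout."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) < 7:
            continue
        name, email = lines[2].rsplit(" ", 1)
        phone, fax = re.match(r"(\S+)\s+fax:\s*(\S+)", lines[3]).groups()
        loc = lines[5].split()          # city may be several words; state is one token
        records.append({
            "domain": lines[0], "ip": lines[1], "name": name, "email": email.lower(),
            "phone": phone, "fax": fax, "street": lines[4],
            "city": " ".join(loc[:-2]), "state": loc[-2], "plz": loc[-1],
            "cc": lines[6].lower(),
        })
    return records


def pivot(records, field):
    """Group domains by any registrant field; keep only values shared by >1 domain."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["domain"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def assess(records):
    """Return {domain: [flags]} for the tells visible in the post's data."""
    shared_streets = pivot(records, "street")
    result = {}
    for r in records:
        flags = []
        if r["phone"] == r["fax"]:
            flags.append("phone_equals_fax")
        if r["email"].split("@")[-1] in WEBMAIL:
            flags.append("webmail_contact")
        if r["cc"] == "de" and norm_state(r["state"]) not in PLZ_REGIONS.get(r["plz"][:1], set()):
            flags.append("plz_state_mismatch")
        if r["street"] in shared_streets:
            flags.append("shared_address")
        result[r["domain"]] = flags
    return result


if __name__ == "__main__":
    recs = parse_records(SAMPLE_WHOIS)
    for domain, flags in assess(recs).items():
        print(f"{domain:24} {', '.join(flags) or '-'}")
    print(pivot(recs, "street"))
```

None of these tells is conclusive on its own (plenty of small German firms list a shared phone/fax line), which is why the output is a list of flags per domain rather than a verdict; in this set every scam domain carries at least two and the control record carries none.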

Evil network: Leksim Ltd / RELNET-NET AS5577 (62.122.72.0/21)

Implicated in malware distribution, botnet C&Cs and spam, the network range 62.122.72.0/21 (62.122.72.0 - 62.122.79.255) is currently quite active in evil activities (you can find examples here and here and the SiteVet report here).

There aren't many sites in this block, and almost all of them are in either 62.122.73.0/24 or 62.122.75.0/24 (though blocking the whole /21 is safer). The vast majority of those sites are rated deep red at MyWOT (a full list of sites and ratings can be downloaded here).

Who owns the block? The RIPE WHOIS details are:

inetnum:         62.122.72.0 - 62.122.79.255
netname:         RELNET-NET
descr:           "Leksim" Ltd.
country:         EU
remarks:         trouble: spam/scam/abuse issues send *ONLY* to: abuse@rel-net.eu
org:             ORG-TA388-RIPE
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
tech-c:          MR10655-RIPE
status:          ASSIGNED PI
mnt-by:          RELNET
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-routes:      RELNET
mnt-domains:     RELNET
source:          RIPE # Filtered
mnt-routes:      ROOT-MNT

organisation:    ORG-TA388-RIPE
org-name:        "Leksim" Ltd.
org-type:        OTHER
address:         Stationsplein 30, 2910 MJ Capelle aan den IJssel,  The Netherlands
phone:           +31 10 2391391
fax-no:          +31 10 2391392
admin-c:         JT384-RIPE
tech-c:          BS594-RIPE
mnt-ref:         RELNET
mnt-by:          RELNET
source:          RIPE # Filtered

person:          Justin Thomson
address:         Stationsplein 30
address:         2910 MJ Capelle aan den IJssel
address:         THE NETHERLANDS
abuse-mailbox:   abuse@rel-net.eu
mnt-by:          RELNET
phone:           +31 10 2391391
nic-hdl:         JT384-RIPE
source:          RIPE # Filtered

person:          Bernd Spiess
address:         Gabelsberger Strasse 15
address:         9021 Klagenfurt
address:         AUSTRIA
mnt-by:          RELNET
phone:           +43 46 3223501
nic-hdl:         BS594-RIPE
source:          RIPE # Filtered

person:          Marcel Russo
address:         31, z.a. am Bann
address:         L-3375 Leudelange
address:         LUXEMBURG
mnt-by:          RELNET
phone:           + 352 2551301
nic-hdl:         MR10655-RIPE
source:          RIPE # Filtered


But is this "Leksim Ltd" or Relnet? Relnet's contact details (for rel-net.eu, relnet.eu, relnet.hu) are very different:

domain:        relnet.hu
registrant:    Relnet Technologia Ltd.
registrant:    Relnet Technológia Kft.
    
tech-c:    Dávid András
address:   Véső 7
address:   1133 Budapest
address:   HU
phone:     06-70-452-4603
fax-no:    06-1-350-1355
e-mail:    hostmaster@relnet.hu
hun-id:    2000466058

If you Google the first three names you get some very telling results.

Blocking the /21 is probably the best idea. I can identify the following domains in this block in case you want to block by domain name, or for more detail download the CSV version.

abussgf.com
adnologi.com
apicurl.com
asherhiftn.com
banner-count.com
belliali.com
best-figure.com
biznage.com
blank-record.com
cahodofo.com
chethole.com
clckil.com
clckli.com
cr0zybaner.com
cr0zybanner.com
croozybannir.com
crozybannir.com
data-saver.org
denizab.com
dhfodminmont.com
eleophy.com
fathone.com
fr0udsafetycheck0n.com
goodse.org
gredigns.com
gulderpoin.com
ineloitond.com
kicksho.com
krasivoe-telo.com
lineacount.info
lineweather.com
livesecpayment.com
livesecsuite.com
live-sec-suite.com
live-security-suite.com
liveslicense.com
livespayment.com
livessupport.com
lkckclckli1i.com
lsspayment.com
lsssupport.com
luffer.info
majusef.com
maketh.info
minteddi.com
mizaterp.com
monitor-info.com
mypersonalhttp.com
nonepersonal.com
nuensmidts.com
onlinedietolog.net
osago-msk.com
perleme.com
pinokolder.com
sileeber.com
spy-soft.org
tangoing.info
telemarker.ru
thestopbadware.com
thyrogl.com
tinnily.info
uatwdminmont.com
umogultvon.com
unmarine.info
virtepgulm.com
vkontacte.org
vkontakle.net
warwork.info
w-opay.com
w-optim.com
wovens.info
yafraudcheckonline.com
yledmanager.com
zblvdminmont.com
zumugolter.com

Friday, 22 April 2011

Fake job domains 22/4/11

Another list of fake job domains relating to this long running scam, in addition to these recent ones. Solicitations are sent by spam and attempt to recruit people for money laundering and the like, so they are best avoided.

australia-union.com
europ-hire.com
europ-union.com
next-jobb.com
usa-1job.com


Registrant details (no doubt fake) are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

ygnetwork-ltd.com domain scam

This scam has been around for years - basically, you get an unsolicited email from a company claiming to be a domain registrar in China (it is usually China) that says that someone is trying to register a domain similar to one that you already own. The idea is that the recipient will panic and buy an overpriced and basically worthless domain from them.

If you are worried about domain poaching, then usually the best place to start is your own domain registrar or another well-known reliable vendor, rather than responding to this unsolicited approach.


From: John <john.chen@ygnetwork-ltd.com>
Date: 22 April 2011 06:26
Subject: Urgent notice of Intellectual Property protection

Dear Manager:

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China and Asia.
On April 21st 2011. We received HAITONG  company's application, they want to register " dynamoo" as its Internet keyword and CN/Asia domain names. It is china and Asia domain names. But after checking we find this domain name conflict with your company, in order to deal with this matter better, so we send you email, and want to confirm whether this company is your distributor or business partner in China?

I'm looking forward to hearing from you!

Best Regards,

John
Oversea marketing manager
Office: +86(0)21 6191 8696
Mobile: +86 1366152 9704
Fax: +86(0)21 6191 8697
web: www.ygnetwork-ltd.com

Friday, 15 April 2011

"Cake Decoration Lesson" spam

I can only assume that this is some sort of strange scam. The email originates from 74.55.158.162 which is flagged as being quite spammy.

Subject: CAKE DECORATION LESSON::::::::::::::::::
From: Omiky Aneke <omikychartin@blumail.org>
Reply-To: omiky1aneke@yahoo.co.uk

Hello,
How are you doing today? My name is OMIKY ANEKE. I want to book for CAKE DECORATION LESSON Workshops Classes with you while on a 2 weeks holiday in your country. We are a group of 10 people seeking for CAKE DECORATION LESSON Workshops training while on holidays and as part of our plans we need CAKE DECORATION LESSON for the whole 2 weeks in your area.
I would like to book for 2 weeks classes for 3 hours each day Monday to Saturday (morning hours) for a group of 10. We are asking for 3 hours per day for 2 weeks - Monday - Saturday. A total of 36 hrs.
Do you have a training facility where you conduct classes? We can arrange for this, if not available. Do you have rooms or is there any hotel close to your facility?
DATE: 7TH JUNE 2011 TO 21 JUNE 2011
I would love to know the possibility of working with you during this period. Kindly get back to me with your proposals so that we can make booking asap.
The group would be performing for a group of family members over there. I would love to get the total cost or a quote/estimate. What are your payment options? Do you accept credit cards? I would be grateful if you will be willing to do the work to teach quality classes and make us happy.

Regards
OMIKY

Beats the heck outta me.

Sunday, 10 April 2011

More fake job domains

Another list of fake job domains, almost identical to this one. Avoid.

1best-position.com
1consulting-online.com
allweb-consulting.com
besteuro-hire.com
consult-wugposition.com
first-newoffer.com
world-hire.com
wug-hire.com
wug-myoffer.com

wug-hire.com fake job offer

Yet another installment in this endless series of fake job offers, the domain wug-hire.com is being used as a reply-to address for this particular scam. The "wug" name has been used before in this spam run.

Subject: We have vacancies to be filled by Europe residents only

Good afternoon!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our enterprise has a lot of different lines of business.
-real property
-business support
-company dissolution
-private firm service
-etc

We propose the opportunity for jobseekers in Europe:
-compensation 2.600 euro + bonus
-taskwork
- flexible hours

If our offer kindled your interest, please feel free to contact us. Brooks@wug-hire.com
First Name:
Country of living
City
mail address:
Contact telephone number



Attn! You can apply for this vacancy if you have a permission to work in Europe!

Please e-mail your name and phone number and we will invite you for interview. 

Usually these fake jobs involve laundering stolen money via wire transfer, but sometimes they involve other "back office" functions such as registering fake businesses, identity theft, auction fraud and many other things which are best avoided unless you really want to spend time in jail.

The WHOIS details are almost definitely fake, but for the record they are:

    Vilechka Pelka
    Email: rewerta12@yahoo.com
    Organization: Nord Atlantic.
    Address: 15 Av Albert Ier 143
    City: Braine l'Alleud
    State: Braine l'Alleud
    ZIP: 1420
    Country: BE
    Phone: +3.3223874153
    Fax: +3.3223874152

Saturday, 2 April 2011

alisa-carter.com, lizamoon.com and worid-of-books.com

The injection attacks from lizamoon.com and other domains continue.. and they link back to a popular blog post about a very different attack site at worid-of-books.com because at the moment, all these sites appear to be on the same server at 95.64.9.18 belonging to Intermedia TOP SRL.

The following sites are on that malicious server:
alexblane.com
alisa-carter.com
lizamoon.com
t6ryt56.info
tadygus.com
worid-of-books.com


Right now the safest thing to do is block traffic to 95.64.8.0/23 (95.64.8.0 - 95.64.9.255) at the very least. But given that there are several bad networks now within the mostly Romanian 95.64.0.0/16, there's very little to lose in blocking the whole /16 for now if you don't have dealings with Romania.

If you need to block by domain, then the list below is everything that I can identify in this block.

abrogatesdv.info
antiviric.net
atlaty.com
atydut.com
bancard.cc
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
buroti.com
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fileac.com
financeprogramm.com
fop22.info
fre94.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
itapos.com
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
lsrato.com
machmit.cc
mag20.info
memhys.com
mia16.info
mineral-beauty.net
morafu.com
mupoga.com
muposs.com
nlosaf.com
nuzzlefgf.info
nwolbcom.cc
nyb90.info
obduratexv.info
obfuscate98y.info
onfiro.com
online-security.cc
opa63.info
ova22.info
pes89.info
plauditaz.info
plethoradtb.info
podyme.com
poisor.com
posjuc.com
posunn.com
prettyharp.ru
qertys.com
reprieve8mf.info
scoolq.com
ser55.info
servat.cc
serwaz.com
testaz.cc
tmwars.com
usudom.com
xxxpornteensex.com
advancedwebanalytic.com
alexblane.com
alisa-carter.com
alternative-art-ltd.net
alternativeart-ltd.com
artmarket-llc.net
artsolveltd.cc
artsolveltdco.at
astech-groupde.cc
blitznet-de.eu
chelpgroup-llc.net
chepl-groupllc.biz
competitor-uk-group.net
competitorgroup-ltd.com
ddk100.com
ddk2200.com
deemno.com
drakulaworld.net
drysdale-antcorp.at
drysdale-group-inc.cc
findsubstantial.org
foto-album-mnck.tk
fotoshare-2dknc.com
google-1aa.com
googlesite.ws
joomlaext.org
kunde.ws
lizamoon.com
mailwbg6.com
micr0updates.com
myblog-search.com
ocservice-de.net
oregon-ltd-uk.net
qead-llc.biz
saleoke.com
squit-group-llc.biz
surprise-knsma.tk
surprise-knsmd.tk
surprise-knsmf.tk
surprise-knsmo.tk
surprise-knsmp.tk
surprise-knsmq.tk
surprise-knsmr.tk
surprise-knsms.tk
surprise-knsmt.tk
surprise-knsmu.tk
surprise-knsmw.tk
t6ryt56.info
tadygus.com
worid-of-books.com

Thursday, 31 March 2011

alleurope-consult.com job scam

Another fake job offer in this long running job scam, alleurope-consult.com is probably another money mule operation. The email is pretty terse and doesn't allude to much:

Subject: Work for specialists!

Good day.

Our company would like to offer you a Good day part-time job.


Location:  the Europe Union

If you are interested, please reply to : Ladonna@alleurope-consult.com

All the best.
HR department,
LadonnaGore

WHOIS details don't tell you much either, as they could be fake; they are the same as for west-ugroup.net:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

Avoid, basically.

Monday, 28 March 2011

Wanna buy an aircraft carrier?

Because we British have decided that we don't need to have aircraft carriers, because we're not bombing anywhere in particular at the moment.. apart from Libya.. and maybe a few other countries that we noticed along the way, then we've put the ex-flagship Ark Royal up on an auction site.

What cracks me up is the "Add to Wishlist" and "Add to Cart" buttons on the bottom.

Before you get over excited, these pocket aircraft carriers are mostly suitable for helicopters or V/STOL jets which aren't included in the price.

Saturday, 26 March 2011

Mango Ideas / gsid.net is now clean

Just a quick note to say that Mango Ideas have cleaned up their network after this incident, which was possibly down to a reseller or perhaps a compromised server. Excellent news.

Thursday, 24 March 2011

west-ugroup.net (and other) fake job offers

Another fake job offer in this very long running scam, the job involved is actually in support of organised crime and may involve such things as money laundering and fraudulent parcel reshipping, in addition to being the "front" person for various fraudulent activities.. and the first person the police will drag in when it all goes wrong.

Date: 24 March 2011 04:34
Subject: We need employees in Europe
   
Good day!

I am writing to you in the name of the corporation the Human Resources department of which I represent.

Our corporation has a great scope of business activities.
-real property
-business support
-company dissolution
-private firm service
-etc

There is a vacancy of a Regional manager in Europe:
-compensation 2.600 euro + bonus
-bonus-job
- no fixed office hours

If you have an intention to cooperate with our company, please send your contact information on our e-mail: Josiah@west-ugroup.net
Name
Surname
Country
City
E-mail
Cell phone number

Remark! Applicants with the permission to work in Netherlands & Portugal only!

Please inform your name and phone number so that we can find you for further communication.

The domains will vary, but these are all closely related:

west-ugroup.net
cl-ugroup.com
resume-eur.com
au-vacancy.com
usa-vacancy.com
wugconsult.com
wug-consulting.com
wug-myvacancy.com
wug-cv.com
wug-consult.com
wug-offer.com
wug-position.com
wug-vacancy.com
us-myvacancy.com
center-position.com
east-european.net

The (possibly fake) domain registration details are:

    Aleksej Iliin
    Email: abolan@mail.org
    Organization: Private person
    Address: Okruzhnaya ul. d.5 kv.4
    City: Moskva
    State: Moskovskaya obl.
    ZIP: 183124
    Country: RU
    Phone: +7.4959424617
    Fax: +7.4959424617

There are some other fraudulent and/or malicious domains connected with the registrant:

109.196.134.18   - VLine Ltd, Moscow
bestandxast.com
besternax.com
joprestons.net
russian-post.net
trafallbest.com
xalentarna.net
(Incidentally, pretty much all of Vline is evil so blocking 109.196.128.0 - 109.196.143.255 is an excellent idea)

195.170.178.76 - allocation unclear
abolzaka.com
allnettraf.com
basletboll.com
bests-tracks.com
climersnet.com
nonstopsen.com

Monday, 21 March 2011

Evil network: Intermedia Top SRL / INTERMEDIA-TOP AS49873 (95.64.8.0/24)

Intermedia Top SRL is a Romanian host operating a network in the 95.64.8.0/24 range. This range appears to contain nothing but malicious sites, including malware distribution, fake news sites (designed to help sell fake products), and fake anti-virus and utility applications.

Update 2/4/11: you should also block 95.64.9.0/24, which is allocated to the same people.

AS49873 is flagged as having Zeus C&C servers, and has a pretty bad reputation at SiteVet which shows that badness shot up at the beginning of March.

Google says:

Safe Browsing
Diagnostic page for AS49873 (TELECOMPO)

What happened when Google visited sites hosted on this network?

    Of the 640 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, absolutiovbf2n.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-03-19, and the last time suspicious content was found was on 2011-03-19.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 17 site(s) on this network, including, for example, zelwwu4kk.info/, tawdry4d.info/, gru12.info/, that appeared to function as intermediaries for the infection of 33 other site(s) including, for example, nowatermark.net/, itanil.com/, itcomputerservers.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 611 site(s), including, for example, sasae.co.cc/, slumbes.tk/, clemowceer.cz.cc/, that infected 1143 other site(s), including, for example, iwilltellyouhow.com/, saatihajj.com/, icabbies.org/.

Contact details for the block are:

inetnum:        95.64.8.0 - 95.64.8.255
netname:        INTERMEDIA-TOP
descr:          INTERMEDIA TOP SRL
descr:          BDUL. 1 DECEMBRIE 1918 nr. 105
descr:          Alba Iulia, Jud. Alba
country:        RO
admin-c:        AP13061-RIPE
tech-c:         AP13061-RIPE
status:         ASSIGNED PA
mnt-by:         NETSERV-MNT
mnt-routes:     MNT-TELECOMPO
mnt-domains:    MNT-TELECOMPO
source:         RIPE # Filtered

person:         Adrian Popa
remarks:        INTERMEDIA TOP SRL
address:        BDUL. 1 DECEMBRIE 1918 nr. 105
address:        Alba Iulia, Jud. Alba
phone:          +40214302223
abuse-mailbox:  imintermediatop90@gmail.com
mnt-by:         NETSERV-MNT
nic-hdl:        AP13061-RIPE
source:         RIPE # Filtered

route:          95.64.8.0/24
descr:          INTERMEDIA TOP SRL
origin:         AS49873
mnt-by:         MNT-TELECOMPO
source:         RIPE # Filtered


Below is a partial list of sites found on this network, although there are a lot of others not listed here. Blocking the whole 95.64.8.0/24 is probably the best approach. A CSV of the list plus MyWOT ratings can be downloaded from here.

machmit.cc
servat.cc
serwaz.com
testaz.cc
financeprogramm.com
localnews47.com
localnews69.com
mmtrx.com
newslocal64.com
newslocal74.com
newslocal89.com
nwolbcom.cc
atlaty.com
atydut.com
buroti.com
fileac.com
itapos.com
lsrato.com
memhys.com
morafu.com
mupoga.com
muposs.com
nlosaf.com
onfiro.com
podyme.com
poisor.com
posjuc.com
posunn.com
qertys.com
scoolq.com
tmwars.com
usudom.com
abrogatesdv.info
absolutiovbf2n.info
blasphemysfhs.info
blatant8jh.info
blightedgf5.info
bru67.info
cra76.info
cre12.info
crediblegfj.info
creditablef8.info
credulousaw99d.info
der93.info
enigmafhdd.info
enscond4xc.info
enshroudgf32b.info
fif49.info
fop22.info
fre94.info
gez20.info
gru12.info
harbingersytu.info
hastenr55a.info
haughtinessd2f.info
her33.info
ivo17.info
jer77.info
jev41.info
kia31.info
kie14.info
laby5nehfs.info
laceration24.info
lachrymose78n.info
lev66.info
mag20.info
mia16.info
mineral-beauty.net
nuzzlefgf.info
nyb90.info
obduratexv.info
obfuscate98y.info
opa63.info
ova22.info
plauditaz.info
plethoradtb.info
reprieve8mf.info
tedium34n.info
xxxpornteensex.com

Tuesday, 8 March 2011

"Debt Advice UK" Sussex

You know you are dealing with a dodgy outfit when they robo-call your mobile from a suppressed number with a recorded message that starts "Please do not hangup" and then blabbers on about debt management, inviting you to press "2" to talk to an adviser.

The dodginess continued when the "adviser" at the other end could not confirm the name of the company he worked for (he claimed not to know!) except for a name of "Debt Advice UK" and didn't give any address other than "Sussex". There is no company in the UK of this name, and since I'm TPS registered then they should not even have been calling.

The hidden phone number, blatant disregard of TPS and refusal to give a company name or address definitely has all the hallmarks of something highly unethical.

If anyone has details of these scumbags, please feel free to add a comment!

Monday, 7 March 2011

Evil network: Sagade Latvia AS52055 (46.252.130.0/23) and traff4you.info

I've covered Sagade before; it appears to be a completely black hat web host with no legitimate domains at all. Sagade now appear to have a new IP range, 46.252.130.0 - 46.252.131.255, which is completely full of toxic sites that should be blocked.

This IP range forms AS52055, of which Google says:

Safe Browsing
Diagnostic page for AS52055 (RELIKT)

What happened when Google visited sites hosted on this network?

    Of the 159 site(s) we tested on this network over the past 90 days, 9 site(s), including, for example, opanaw.com/, videospartyh.info/, galleryhotf.info/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-23, and the last time suspicious content was found was on 2011-02-23.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 16 site(s) on this network, including, for example, welcometotheglobalisnet.com/, 46.252.129.0/, welcometotheglobaliscom.com/, that appeared to function as intermediaries for the infection of 507 other site(s) including, for example, ctwatchdog.com/, deewanapan.com/, thedailyherald.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 55 site(s), including, for example, 46.252.129.0/, sontollones.co.cc/, toney.co.cc/, that infected 2312 other site(s), including, for example, cmsocial.com/, mediafire.com/, aotsargentina.org.ar/.

SiteVet oddly shows the AS as being offline, but the accompanying "badness" chart shows a big leap in evilness since the beginning of the year, so perhaps the block was reallocated.

As well as .com domains and the like, the block hosts several hard-to-spot .cz.cc and .vv.cc domains which host malware, much of which is being distributed through an apparently bogus ad network at traff4you.info.

So far, I can see the following domains in the block (a list with IP addresses and MyWOT ratings can be downloaded from here):

Registration details for this block are:

inetnum:        46.252.130.0 - 46.252.131.255
netname:        Sagade
descr:          users
country:        LV
admin-c:        AK6804-RIPE
tech-c:         AK6804-RIPE
status:         ASSIGNED PA
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

person:         Andrejs Kaminskis
address:        Latgales 32/34, Rezekne, Latvia
phone:          +37127580487
e-mail:         reliktbvk@gmail.com
nic-hdl:        AK6804-RIPE
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

route:          46.252.130.0/23
descr:          users
origin:         AS52055
mnt-by:         andrejskaminskis-mnt
source:         RIPE # Filtered

As I said, traffic seems to be fed through traff4you.info, registered on 10th December 2010 with anonymous registration details and currently hosted on a dedicated server at 206.161.200.11, but until recently it was on a shared server at 69.65.48.218. This is probably a good domain to block, and I can't see much harm in blocking access to 206.161.200.0/24 and 69.95.48.0/24 while you're at it.

Tuesday, 15 February 2011

Scam: "North American Program Planning and Policy Academy (NAPPPA)"

NOTE: You can find out who was operating NAPPPA here

Fake seminars are an unusual way of scamming money from people, but this one appears to be such a pitch.

Using the domains napppa.org, napppaweb.com, napppanetwork.com, napppanetwork.org and napppa.com the "North American Program Planning and Policy Academy (NAPPPA)" claims to have been around for 50 years, but it only seems to have gotten around to registering its domains in the past two months with anonymous registrations. A Google search comes up with nothing but these recently registered websites and some spam, so it certainly appears that this is a wholly bogus outfit.

In this case the email is routed via 96.43.142.170 in the US, which also hosts napppanetwork.com.

Update: these emails appear to be originating from 173.55.115.38, a Verizon customer in Hacienda Heights, California (near Los Angeles).

From: NAPPPA Announcements <announcements@napppanetwork.com>
Date: 15 February 2011 14:40
Subject: Strategy Session: Academic Research Funding (April 25-26, 2011: Seattle University, Seattle, WA)
Signed by: napppanetwork.com

The North American Program Planning and Policy Academy (NAPPPA) will be sponsoring an Academic Research Funding Strategy Session at Seattle University in Seattle, WA on April 25-26, 2011.  Interested science, technology, and medical professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.

For more information call (800) 649-6522 or visit The NAPPPA website at http://www.napppaweb.com.

Please find the program description below:

As a response to increased demand and competition for academic research funding support and training, as well as the high cost of many programs, we offer this two day strategy session through the proposal writing and development process. This strategy features two modules: 1) Practicum I: Focusing on the format and structure of the successful research funding proposal, this module provides attendees with an overview of each part of the research funding proposal, avenues for researching available grant programs, and concludes with fundamental proposal writing techniques. 2) Practicum II: Drawing from practical exercises and techniques developed in Practicum I and the Pre-Session coursework, participants are guided through the completion of a Research Funding Dossier, which acts as the culminating work product of the session.
This session is ideal for the researcher with a targeted program, but is equally effective for those who can identify their research interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value.


Academic Research Funding Strategy Session  will cover the following topics:

* Fundamentals of the Research Funding Proposal Process
* Basic Elements of the Standard Research Proposal
* Essentials of Researching Funding Opportunities
* Types of Research Funding Opportunities
* Online Tools and Traditional Publications for Research
* Successful Proposal Writing Techniques
* The Do's and Don'ts of Proposal Writing
* The Strategic Grant Acquisition Effort

Tuition for this two day strategy session is $398.00.

    Strategy Session Registration

    1. Participants tentatively reserve a seat online at www.napppaweb.com, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaweb.com.

    2. A confirmation email is sent to registrants that includes session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.

    3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre-Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.



You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaweb.com and write "Unlist" in the subject line.

The (800) 649-6522 number comes up on Google quite often, and should probably serve as a warning if you ever see it in an email. Avoid.

Update 17/5/11: there's been a lot of interest in this "Academy", so here are some more details.

The napppa.org domain is registered to a presumably rented box at "Mailboxes & More" in Los Angeles.

Registrant Name:Program Director
Registrant Organization:NAPPPA
Registrant Street1:655 S Flower Street
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90017
Registrant Country:US
Registrant Phone:+1.7602023597
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:cadiyadvisor@gmail.com


You can see the store here (note the "655" number on the left door)


Most of the other domains are anonymised, apart from napppa.com, which is also registered to what appears to be a box at Wilshire Mailbox in LA.

Programs, NPPPA  cadiyadvisor@gmail.com
    5042 Wilshire Boulevard Ste 15699
    Los Angeles, CA 90017
    US
    +1.7602023597

There is also a new anonymised domain called napppaprograms.org that is in use.

Update: two new anonymous domains have emerged, napppanet1.org (212.38.176.159) and napppanet2.org (69.57.166.88). These appear to be used for sending spam mail.

Update: as of August 2011, these spam emails are still continuing:


From: NAPPPA Announcements idaho@napppanet1.org
Date: 7 August 2011 22:15
Subject: Strategy Session: Program Planning, Evaluation, and Proposals (August 18 - 19, 2011: University of Idaho - Boise)

The North American Program Planning and Policy Academy will be conducting the Program Planning, Evaluation, and Proposals Strategy Session at University of Idaho - Boise in Boise, Idaho on August 18 - 19, 2011.  Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.
For more information call (800) 649-6522 or visit The NAPPPA website at http://napppaPROGRAMS.org. Please find the program description below: 
The Program Planning, Evaluation, and Proposals Strategy Session  is a hands-on, intensive session that leads participants through the entire grant proposal and funding research processes. Through an intense two day practicum, participants will receive an overview of program planning concepts along with advanced writing techniques to develop successful proposals. This results-based session combines individual exercises with group collaboration to allow each participant to leave the session with a Program Planning and Funding Dossier. Exercises leading up to the dossier and organization narrative include a thorough proposal outline, completed worksheets necessary for proposal submissions, and a starting collection of publications and resources to build a development library. Strategy Sessions is designed to provide your organization with the competitive advantage necessary in our modern grants award environment.
This session is ideal for those with a targeted program, but is equally effective for those who can identify their program and funding interests. Completion of the Pre-Session Interview and Assignments is essential to program success and value. Each participant will receive a selection of funding programs tailored to their program and/or areas of interest. Participants without a program will be provided a working example during Pre-Session.

The Program Planning, Evaluation, and Proposals Strategy Session will cover the following during the two day session:

(1) Fundamentals of Program Planning

This session will teach professional program development essentials and program evaluation. While most grantsmanship  "workshops" treat program development and evaluation as separate from the writing of a proposal, this will teach students the relationship between overall program planning and proposal writing.

(2) Strategic Funding Research

At its foundation, this session will address the basics of foundation, corporation, and government grant research. However, this course will emphasize a strategic funding research approach that encourages writers to see research not as something they do before they write a proposal, but as an integrated part of the grant  seeking process. Students will be exposed to online database research tools, as well as publications and directories that contain information about foundation, corporation, and government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant  acquisition effort.

(3) Professional Proposal Writing

Designed to obtain tangible results, this session will make each student an overall proposal writing   specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this session is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this session's intent to illustrate grant writing as an integrated, multidimensional, and dynamic endeavor. Each student will learn to stop writing the grant  and to start writing the story. Ultimately, this session will conclude with a completed proposal outline.

Tuition for this two day strategy session is $398.00.

Strategy Session Registration
1. Participants tentatively reserve a seat online at http://napppaPROGRAMS.org, by calling the Program Office toll-free at (800) 649-6522, or by sending their name and contact information via email to registrar@napppaprograms.org.
2. A confirmation email is sent to registrants that includes  session site information, travel information, program description, and details on how to confirm attendance and make payment arrangements. An invoice and agency W9 is also included.
3. Upon attendance confirmation, registrants will receive (usually via email) a Pre-Session packet that will include 1) a Pre-Session Interview, 2) A Pre-Session Reading Packet, 3) Three exercises to be completed, 4) a Session Agenda and Schedule, and 5) a receipt.

You have received this invitation due to specific educational affiliation. We respect your privacy and want to ensure that interested parties are made aware of NAPPPA strategy sessions and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there is a program next year in your area. To be unlisted from next year's announcement, send an email to remove@napppaprograms.org and write "Unlist" in the subject line.

Mail routed via 173.254.208.137, but appears to originate from 173.55.115.38 in Hacienda Heights, California. This is consistent with the first email.

Update: 26th September 2011
ABC15 in Arizona have picked up the story. Text transcript is here, or you can see the video below.


Update: 6th October 2011:
NAPPPA has now renamed itself as NA3PA but is still pumping out the same spam.

Please share your experiences by clicking the "comments" link near the bottom of the post.

NOTE: You can find out who was operating NAPPPA here

Thursday, 10 February 2011

Evil network: Voejkova Nadezhda / VOEJNA-NET AS51441 (91.217.162.0/24) aka tirexhost.com

Voejkova Nadezhda, aka VOEJNA-NET and also known as tirexhost.com is a netblock allegedly based in the Ukraine, but apparently operated out of St Petersburg, Russia.

The block 91.217.162.0/24 is quite small, but one of the nastiest that I have seen in a while (and it's the new home of worid-of-books.com) with a selection of fake security updates, bogus companies and malware sites and apparently no legitimate sites at all.

Google's safe browsing diagnostics report for AS51441 gives an idea of how nasty it is:

Safe Browsing
Diagnostic page for AS51441 (VOEJNA)

What happened when Google visited sites hosted on this network?

    Of the 755 site(s) we tested on this network over the past 90 days, 295 site(s), including, for example, takofep.co.cc/, camesom.co.cc/, tiruvov.co.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-10, and the last time suspicious content was found was on 2011-02-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 63 site(s) on this network, including, for example, bali-planet.com/, zxstats.com/, adsensestat.com/, that appeared to function as intermediaries for the infection of 2642 other site(s) including, for example, walhi.or.id/, protagonistasdelacultura.cl/, uvfx.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 318 site(s), including, for example, paimiru.tk/, ua968089679.co.cc/, fenkaololo.com/, that infected 2943 other site(s), including, for example, veryripe.com/, sketchiest.com/, coneofignorance.net/.

Registration details for the netblock are:

inetnum:        91.217.162.0 - 91.217.162.255
netname:        VOEJNA-NET
descr:          Voejkova Nadezhda
country:        UA
org:            ORG-VN12-RIPE
admin-c:        BT1959-RIPE
tech-c:         BT1959-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-lower:      RIPE-NCC-END-MNT
mnt-by:         VOEJNA-MNT
mnt-routes:     VOEJNA-MNT
mnt-domains:    VOEJNA-MNT
source:         RIPE # Filtered

organisation:   ORG-VN12-RIPE
org-name:       Voejkova Nadezhda
org-type:       OTHER
descr:          Voejkova Nadezhda
address:        Russia, St.Pitersburb
address:        Kupchinskaya 29/1, ap.90
phone:          +7 (812) 7359264
e-mail:        
admin-c:        BT1959-RIPE
tech-c:         BT1959-RIPE
mnt-ref:        VOEJNA-MNT
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

person:         Berkevich Taras
address:        Ukraine, Lviv
address:        Povitryana 94, ap. 47
phone:          +38 (032) 7302345
nic-hdl:        BT1959-RIPE
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

route:          91.217.162.0/24
descr:          TIREXHOST.COM
origin:         AS51441
mnt-by:         VOEJNA-MNT
source:         RIPE # Filtered

This also fingers the domain tirexhost.com, which is protected with an anonymous registration, but behind that it is actually one Boris Umitbaev:

Umitbaev, Boris  larinkamil@googlemail.com
      Bolshaya Zelenina, 13-80
      St-Petersburg, Leningradskaya Oblast 103008
      Russian Federation
      78127736549      Fax -- 

There's a list of domains, IP addresses and myWOT ratings here; alternatively, block the entire 91.217.162.0/24 (91.217.162.0 to 91.217.162.255) range or use the list below:

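
The two posts above (Sagade/traff4you.info and tirexhost.com) both end with the same advice: block the netblock and the feeder domain. As an added example that is not from the blog, the following Python scans Squid-format proxy log lines against those ranges and domains, checking both the requested host and the server the proxy actually connected to, so a clean-looking hostname that resolves into a bad range is still caught. The log format and sample lines are constructed assumptions; the ranges and domains are those named in the posts.

```python
"""Added example, not code from the blog: flag proxy log entries whose destination
falls in the netblocks or domains the posts above recommend blocking."""
import ipaddress
import re

# Ranges and domains taken from the posts above (Sagade/AS52055, the traff4you.info
# hosts, and VOEJNA-NET/AS51441). Re-check current WHOIS before deploying a block.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "46.252.130.0/23", "206.161.200.0/24", "69.95.48.0/24", "91.217.162.0/24",
)]
BLOCKED_DOMAINS = ("traff4you.info", "tirexhost.com")
# Free-subdomain zones the posts say carry much of the hard-to-spot malware.
SUSPICIOUS_ZONES = (".co.cc", ".cz.cc", ".vv.cc")


def classify_destination(dest):
    """Return a reason string if dest (hostname or IP) should be flagged, else None."""
    dest = dest.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        for net in BLOCKED_NETWORKS:
            if ip in net:
                return f"ip in blocked range {net}"
        return None
    for dom in BLOCKED_DOMAINS:          # exact match or any subdomain
        if dest == dom or dest.endswith("." + dom):
            return f"blocked domain {dom}"
    for zone in SUSPICIOUS_ZONES:
        if dest.endswith(zone):
            return f"free subdomain zone {zone}"
    return None


# Assumed Squid native access.log layout (constructed for this example):
# time elapsed client code/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
PEER_RE = re.compile(r"\s\w+/(?P<peer>\d+(?:\.\d+){3})(?=\s|$)")


def host_from_url(url):
    """Extract the host from 'scheme://host[:port]/path' or a CONNECT 'host:port'."""
    hostpart = url.split("://", 1)[1] if "://" in url else url
    host = hostpart.split("/", 1)[0]
    if host.count(":") == 1:             # strip a port; leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host


def scan_log(lines):
    """Return (client, host, reason) for every line that hits the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_from_url(m.group("url"))
        reason = classify_destination(host)
        if reason is None:               # fall back to the peer IP the proxy used
            p = PEER_RE.search(line)
            if p:
                reason = classify_destination(p.group("peer"))
        if reason:
            hits.append((m.group("client"), host, reason))
    return hits


# Constructed sample lines (not real traffic); IPs/domains come from the posts above.
SAMPLE_LOG = """\
1299500000.123    45 10.0.0.5 TCP_MISS/200 512 GET http://traff4you.info/go.php?id=1 - DIRECT/206.161.200.11 text/html
1299500001.456   120 10.0.0.7 TCP_MISS/200 2048 GET http://46.252.130.77/dl/setup.exe - DIRECT/46.252.130.77 application/octet-stream
1299500002.789    30 10.0.0.9 TCP_MISS/200 900 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1299500003.012    60 10.0.0.7 TCP_MISS/200 700 GET http://agamaris.vv.cc/ - DIRECT/46.252.131.5 text/html
1299500004.345    80 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 91.217.162.40:443 - DIRECT/91.217.162.40 -
1299500005.678    50 10.0.0.9 TCP_MISS/200 300 GET http://cdn.example.net/ad.js - DIRECT/206.161.200.11 text/javascript
""".splitlines()

if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

The example.com line is the only one that passes; the last line is flagged purely on the peer address, which is the case a hostname-only blocklist misses.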

Monday, 7 February 2011

Evil network: Didjief LLC / DIGIEF-NET AS48709 (91.200.242.0/23)

Didjief LLC - or to give its full (and presumably fake) name "Didjief Internation Kulinari Koncept LLC" - runs a wholly malicious netblock in the 91.200.242.0/23 (91.200.240.0 - 91.200.243.255) range which includes a variety of malware sites, fake businesses, fake software and other malicious sites that should be blocked.

Many of these sites have wholly fictitious WHOIS entries or are registered through known black hat registrars. Some examples and references are:

A simple Google search brings up lots of matches that indicate malicious activity, for example 91.200.240 and 91.200.242. There are also fake business sites such as Adclickmarket.com, which gives WHOIS contact details as:

    Ad Click Market Ltd.
    AdClickMarket        (info@adclickmarket.com)
    PO Box 279
    Alderley Edge
    Cheshire,SK9 7UQ
    GB
    Tel. +44.2854327

There is no company in the UK with the name Ad Click Market Ltd according to Companies House.

There is also another group of fake businesses using the "Advertising German Group" name, such as traveleshop.biz (also implicated in malware distribution here):

    Advertising German Group (AGG)
    Niclas Kappel        (niclas.kappel@yahoo.com)
    Kurt-Schumacher-Str. 5
    Bonn
    Nordrhein-Westfalen,D-53110
    DE
    Tel. +490.2284290

According to SiteVet, the AS48709 block has been bad ever since it was allocated late last year. The digief.eu domain associated with it is currently suspended, and it isn't clear if the WHOIS details for the netblock are accurate (they are probably not).

inetnum:        91.200.240.0 - 91.200.243.255
netname:        DIGIEF-NET
descr:          Didjief internation kulinari koncept LLC
address:        112 Kifissias Ave & Sina Str.Marousi
address:        Athens, Greece
phone:          +30 210 6159812
fax-no:         +30 210 6159812
person:         Adonis Mozanakis
abuse-mailbox:  abuse@digief.eu

On the subject of reputation, Google's safe browsing diagnostics for this block are pretty horrible:

Safe Browsing
Diagnostic page for AS48709 (XISOFT)

What happened when Google visited sites hosted on this network?

    Of the 114 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, waistor.com/, 91.200.240.0/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-02-05, and the last time suspicious content was found was on 2011-02-05.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 21 site(s) on this network, including, for example, geodemy.com/, waistor.com/, 91.200.240.0/, that appeared to function as intermediaries for the infection of 2096 other site(s) including, for example, marchex.com/, semettreauvert.com/, fcolimpi.ge/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 58 site(s), including, for example, waistor.com/, searchalthough.org/, pushot.com/, that infected 4866 other site(s), including, for example, fcolimpi.ge/, interhosting.kr/, schoenweb.nl/.

This is the full list of sites that I have found in this block (or are associated with it), or you can download a more complete list with MyWOT ratings from here.
