Dynamoo's Blog

Wednesday, 14 December 2011

NACHA Spam / financeportal.sytes.net

More NACHA spam this morning, this time the payload is at financeportal.sytes.net/main.php?page=111d937ec38dd17e on 174.140.165.90. Blocking the IP address rather than the domain is probably best as there may be other malicious sites on that server.

174.140.165.90 is on Directspace LLC in Oregon who seem to have a significant problem with malware at the moment, I have seen malicious sites on:

147.140.163.116
147.140.163.118
147.140.165.90
147.140.165.195

You might want to consider blocking Directspace LLC more widely if you are worried.

Tuesday, 13 December 2011

"PAYROLL LOGS" Spam

This spam is obviously trying to do something evil, but I'm not quite sure what.

Date:     Tue, 13 Dec 2011 15:23:00 -0600
From:     "Helen Oconnell" [terminationsm@migtel.ru]

Subject:     11122011 PAYROLL INDICES

http://jazzon.nl/YK4VUSWQ.html Please access the URL below to reveal PAYROLL LOGS. It was submitted to you using a Xerox WorkCentre. Pro

==================================================================================================================

Confidential E-Mail: This e-Mail is proposed only for the username to that it is addressed and may be composed data that is intimate or otherwise preserved from exposal.If you have take this email in confusion, please notify the support by respond the present e-Mail and erase the original e-Mail and each copy..

The email is a piece of social engineering that relies on you wanting to know how much your colleagues are earning. Click the link and you get redirected to cms-wideopendns.com (a DSL subscriber in Span) then trackorder.commercialday-net.com (in China). It doesn't seem to work properly, but then it might just be resisting the tools I am throwing at it.

In any case.. avoid this one.

NACHA Spam / badthen.com

More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.

Date:     Wed, 14 Dec 2011 05:36:48 +0900
From:     "LinkedIn" [linkedin@em.linkedin.com]
Subject:     ACH transfer suspended

The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID:     137297301664
Rejection Reason     See details in the report below
Transaction Report     report_137297301664.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malware is on badthen.com/main.php?page=977334ca118fcb8c hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.

Spam: "I found your pictures on my camera yesterday, remember me?" / csredret.ru

Another spam run leading to a malicious payload on csredret.ru (as here)

Date:     Tue, 13 Dec 2011 10:19:58 +0200
From:     "Tomi Mcrae"
Subject:     Hi! This is Tomi

Finally I found your e-mail, I?m not sure whether you remember me, we?ve got terribly drunk, I found your pictures on my camera yesterday, remember me? Party14.jpg 487kb

The "pictures" link loads the malicious script, hosted at black hat hosts Digital Network JSC aka DINETHOSTING in Russia. Avoid.

You can download your Windows Vista License here / csredret.ru

A Windows Vista licence? No.. it's malware from csredret.ru.

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 December 2011 05:14
Subject: Fwd: Order K93883696

Good morning,

You can download your Windows Vista License here -

Microsoft Corporation

The malicious payload is on csredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). For about the billionth time in the past few days.. block access to 79.137.224.0/20 on your network if you possibly can.

NACHA Spam / sadjumped.com / downloaddatafast.serveftp.com

More fake NACHA spam, this time leading to a malicious payload site on downloaddatafast.serveftp.com/main.php?page=977334ca118fcb8c on 173.230.137.34 (Linode, US).

Date:     Tue, 13 Dec 2011 14:15:51 +0100
From:     "LinkedIn" [linkedin@em.linkedin.com]
Subject:     ACH transaction not accepted

The ACH transfer (ID: 82065701523728), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID:     82065701523728
Rejection Reason     See details in the report below
Transaction Report     report_82065701523728.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

serveftp.com is related to no-ip.com, if you block that domain then you should probably block serveftp.com as well. Blocking 173.230.137.34 would protect against any other malicious sites on the same server.

Update: another spam run is in progress using a domain sadjumped.com on the same server.

BBB Spam / wonderfulyard.com

The BBB spam is doing the rounds yet again, this time leading to a malicious payload at wonderfulyard.com/main.php?page=111d937ec38dd17e hosted on 81.17.140.161 (Velton.telecom, Ukraine).

Blocking access to that IP address is probably a good idea, I can't vouch for the /24 that it is in though, but you may want to block that too to be on the safe side.

Malware spam: "Have you seen how much money has Cameron spent on his new movie?"

Here's a terse spam, leading to a malicious payload on cpredret.ru/main.php

From: AlfredoMejiaGXInOZ@aol.com
Date: 13 December 2011 04:20
Subject: I’m shocked!

Have you seen how much money has Cameron spent on his new movie?
What a graphics, check out the trailer!

Apparently, it refers to James Cameron and not David Cameron. Payload site is hosted on 79.137.237.67 which is the now infamous Digital Network JSC in Russia (aka DINETHOSTING). Blocking 79.137.224.0/20 would be good for your health.

Monday, 12 December 2011

Evil network: UkrStar ISP / UKRSTAR-NET AS43473 (91.195.10.0/23)

I've seen a lot of 91.195.10.0/23 in recent days, a range of addresses belonging to UkrStar ISP in the Ukraine. It's a sparsely occupied block, but there appear to be no legitimate sites here and blocking the whole lot could save you some grief.

A list of domains and IP addresses can be found at the end of the post. The WHOIS details for the block as as follows:

inetnum:        91.195.10.0 - 91.195.11.255

netname:        UKRSTAR-NET

descr:          UkrStar ISP

descr:          www.ukrstar.com

country:        UA

org:            ORG-UA98-RIPE

admin-c:        SER50-RIPE

tech-c:         WIRE88-RIPE

status:         ASSIGNED PI

mnt-by:         RIPE-NCC-END-MNT

mnt-lower:      RIPE-NCC-END-MNT

mnt-by:         UKRNIC-MNT

mnt-routes:     UKRNIC-MNT

mnt-domains:    UKRNIC-MNT

source:         RIPE #Filtered

organisation:   ORG-UA98-RIPE

org-name:       UkrStar

org-type:       OTHER

descr:          www.ukrstar.com

address:        Dal'nitskaya 46, room 404

address:        Odessa 65005

address:        Ukraine

phone:          +380482390190

fax-no:         +380482324245

e-mail:         noc@ukrstar.com

admin-c:        SER50-RIPE

tech-c:         WIRE88-RIPE

mnt-ref:        GLOBALNETWORKS-MNT

mnt-by:         GLOBALNETWORKS-MNT

source:         RIPE #Filtered

person:         Sanin Sergey Victorovich

address:        Deribasovskaya str., 12

address:        Odessa 65027

address:        Ukraine

phone:          +380487771551

e-mail:         ser-0@clan-0.com

nic-hdl:        SER50-RIPE

mnt-by:         GLOBALNETWORKS-MNT

source:         RIPE #Filtered

person:         Grigoretskiy Sergey Aalexandrovich

org:            ORG-UA98-RIPE

address:        Dal'nitskaya str., 46, room 404

address:        Odessa 65005

address:        Ukraine

phone:          +380482390190

e-mail:         sg@ukrstar.com

nic-hdl:        WIRE88-RIPE

mnt-by:         GLOBALNETWORKS-MNT

source:         RIPE #Filtered

route:          91.195.10.0/23

descr:          UKRNIC-IP-BLOCK

origin:         AS43479

mnt-by:         UKRNIC-MNT

source:         RIPE #Filtered

91.195.11.35
ns-free.org
ofpics.com
91.195.11.37
vocporn6.ru
videoxcx-onlina5g.ru
91.195.11.38
pornoxxx-onlina1a.ru
pornoxnx-onlinee1a.ru
porkaxnx-freex1a.ru
pornoxxx-onlinee4a.ru
porkaxcx-onlina2c.ru
pornoxcx-freex4c.ru
pornoxnx-onlina1e.ru
pornoxxx-conline3e.ru
pornoxcx-onlinee4g.ru
porkaxxx-conline3h.ru
91.195.11.39
minimart20.com
biggerthanvoland.com
boysandgirlsforever.com
whatwasinyourheart.com
91.195.11.41
yaxexzg.1dumb.com
costumeuniformporn.net
prettylatinatube.com
schoolgirluniformpics.net
skyinfo.in
streamretro.in
xoticpc.biz
91.195.11.42
curedret.ru
wrghghkfwerhdfghqwhtq.c0m.li
srvads.c0m.li
aangfan.in
floreli.info
certerpen.info
ageoloft.info
zndemstrnctwznskdsw-tsmcyuwaxldenctypzmb.ru
gdhordvl653hklyg.biz
wonderfulwriggle.com

c*redret.ru sites to block

Another bunch of "redret" sites to block, either by domain name or IP. These domains are being used as the payloads for spam emails and leave to a malicious web page.

79.137.237.63 (Digital Network JSC aka DINETHOSTING, Russia - recommend blocking 79.137.224.0/20)
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 ((Digital Network JSC again)
ciredret.ru
coredret.ru
cpredret.ru

91.195.11.42 (UkrStar ISP, Ukraine - recommend blocking 91.195.10.0/23)
curedret.ru

Unallocated
caredret.ru
cbredret.ru
ccredret.ru
cdredret.ru
ceredret.ru
cfredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
csredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru

Evil network revisited: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist Ltd is a small Black Hat hosting company in Transnistria, a breakaway part of the former Soviet Republic of Moldavia. No UN members recognise Transnistria, and effectively it sits beyond the reach of international law enforcement. Quite a handy place for criminals to do business then.

I first wrote about this block last year, but it recently came into my sights again as the host for a very widespread injection attack using the lilupophilupop.com domain.

Since last year the number of malicious sites has dropped, but there is still not a legitimate site in sight. Most of the bad sites are currently on 194.28.114.102 but you should block access to 194.28.112.0/22 (194.28.112.0 - 194.28.115.255) if you can, because this range of IP addresses is nothing but trouble.

A list of sites hosted in this range is at the end of this post, or you can download a CSV with the MyWOT ratings and IP addresses from here.

Google's prognosis of this block is pretty horrible:

Safe Browsing
Diagnostic page for AS48691 (SPECIALIST)

What happened when Google visited sites hosted on this network?

    Of the 44 site(s) we tested on this network over the past 90 days, 1 site(s), including, for example, rthur87seeks.rr.nu/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2011-12-12, and the last time suspicious content was found was on 2011-12-12.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 15 site(s) on this network, including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that appeared to function as intermediaries for the infection of 190 other site(s) including, for example, teas.com.au/, rogersplus.ca/, cicomra.org.ar/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 30 site(s), including, for example, lilupophilupop.com/, sweepstakesandcontestsinfo.com/, sweepstakesandcontestsnow.com/, that infected 2524 other site(s), including, for example, jri.ir/, psu.ac.th/, longoservice.it/.

The WHOIS details for the bloack are:

inetnum:         194.28.112.0 - 194.28.115.255

netname:         Specialist-ISP-PI2

descr:           Specialist, Ltd.

country:         MD

org:             ORG-SL206-RIPE

admin-c:         VP2841-RIPE

tech-c:          AB16163-RIPE

status:          ASSIGNED PI

mnt-by:          RIPE-NCC-END-MNT

mnt-lower:       RIPE-NCC-END-MNT

mnt-by:          SPECIALIST-MNT

mnt-routes:      SPECIALIST-MNT

mnt-domains:     SPECIALIST-MNT

source:          RIPE # Filtered

organisation:   ORG-SL206-RIPE

org-name:       Specialist, Ltd

org-type:       OTHER

descr:          Specialist, Ltd, Rybnitsa, MD

address:        I. Soltysa 12, Rybnitsa, MD

phone:          +373-777-12921

phone:          +373-693-18189

phone:          +373-777-65071

fax-no:         +373-555-43073

mnt-ref:        MONITORING-MNT

abuse-mailbox:  abuse@lan-rybnitsa.com

mnt-by:         SPECIALIST-MNT

source:         RIPE # Filtered

person:         Vladimir Pilan

address:        I. Soltysa 12, Rybnitsa, MD

phone:          +373-777-12921

fax-no:         +373-555-43073

nic-hdl:        VP2841-RIPE

source:         RIPE # Filtered

mnt-by:         SPECIALIST-MNT

person:         Anatoly Belitsky

address:        I. Soltysa 12, Rybnitsa, MD

phone:          +373-777-65071

fax-no:         +373-555-43073

nic-hdl:        AB16163-RIPE

source:         RIPE # Filtered

mnt-by:         SPECIALIST-MNT

route:          194.28.112.0/22

descr:          Specialst-route2

origin:         AS48691

mnt-by:         SPECIALIST-MNT

source:         RIPE # Filtered

Some domains and sites hosted in this block are:

ation72histor.rr.nu
blogsvk.ru
cliffordtravel.biz
comm98andsp.rr.nu
doutl31inesst.rr.nu
earni61ngunde.rr.nu
ensm60erch.rr.nu
eorge00gamee.rr.nu
ggesti51ngbina.rr.nu
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
h102-114.net.lan-rybnitsa.com
hoperjoper.ru
iess70elec.rr.nu
ift72hbot.rr.nu
ilto27nint.rr.nu
infoitpoweringgathering.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
inful07commi.rr.nu
lessthenaminutehandle.com
lessthenaseconddeal.com
lilupophilupop.com
lilypophilypop.com
llowe31dmeth.rr.nu
mail.lilupophilupop.com
mail.sweepstakesandcontestsinfo.com
ns1.hoperjoper.ru
ns2.hoperjoper.ru
root.sweepstakesandcontestsinfo.com
sekurepays.org
sical59lymemo.rr.nu
sokoloperkovuske.com
sokoloperkovuskeci.com
sokoloperkovuskedi.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
sweepstakesandcontestsnow.com
tyco93uplin.rr.nu
wbesnancer.org
welcometotheglobaliscom.com
welcometotheglobalisnet.com
welcometotheglobalisorg.com
zevkblog.ru

BBB Spam / eryirs.com

This is the second BBB malware spam run of the day, with a new domain and IP address.

Date:     Mon, 12 Dec 2011 14:10:59 +0100
From:     "service@bbb.org" [service@bbb.org]
Subject:     BBB assistance Re: Case # 52010425
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has been sent the above mentioned complaint from one of your clients on the subject of their business relations with you.
The detailed information about the consumer's concern is contained in attached file.
Please examine this question and let us know about your opinion.
We encourage you to click here to reply this complaint.

We look forward to your urgent response.

Faithfully yours,
Roland Dani
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The malicious payload is eryirs.com/main.php?page=69dbd5a1e3ed6ae9 which is hosted on 67.211.195.169 (Arima Networks, Canada). Blocking access to 67.211.195.169 is probably a good idea in case there are other malicious sites on the server.

The no-doubt-fake WHOIS details for the domain are:

Damian Masuicca
Damian Masuicca
damott st
lacona
NY
13083
US
Phone: +1.2022392869
Email Address: stopgop@ymail.com

BBB Spam (again) / lazysit.net and 174.140.163.118

It looks like another BBB themed malware/spam run is on the loose.. there are probably many variations, but here is one that plopped into my spam filter:

Date:     Mon, 12 Dec 2011 10:36:39 +0100
From:     "info@bbb.org" [info@bbb.org]
Subject:     Better Business Bureau Case # 94181989
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your customers on the subject of their business relations with you.
The details of the consumer's concern are presented in enclosed document.
Please give attention to this issue and advise us of your point of view.
We encourage you to click here to respond this complaint.

We look forward to your urgent attention to this matter.

Yours faithfully,
Stacie Nieves
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

This link goes via a couple of legitimate hacked sites to a payload site at lazysit.net/main.php?page=abfd0d069b45c17e on 174.140.163.118. The IP address looks like it might be a legitimate but hacked server, blocking the IP address rather than the domain should block any other malicious sites on the same server.

Friday, 9 December 2011

NACHA Spam.. again.. and wonderfulwrench.com

The spammers have been busy today, here's another one leading to malware.

Date:     Fri, 9 Dec 2011 13:28:41 -0300
From:     "The Electronic Payments Association"
Subject:     ACH transaction rejected

The ACH transaction (ID: 870526083755), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.
Rejected transfer
Transaction ID:     870526083755
Reason of rejection     See details in the report below
Transaction Report     report_870526083755.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malicious payload is on wonderfulwrench.com/main.php?page=977334ca118fcb8c on 46.45.137.205 (Safya Net, Turkey). We saw the same IP range yesterday, so I recommend blocking access to 46.45.137.0/24 at the least, or 46.45.136.0/21 if you want to be a bit more aggressive in your filtering.

"The variant of the contract you've offered has been delcined."

The recent spam avalanche continues:

Date:     Fri, 9 Dec 2011 -01:35:13 -0800
From:     "Josie Carlson" [TateAlmgren@concentric.net]
Subject:     The variant of the contract you've offered has been delcined.

After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
Contract.doc 64kb

With respect to you
Josie Carlson

SHA512 check sum: [redacted]

This leads to a malicious payload on ciredret.ru/main.php, hosted on 91.195.11.42 (as with this other spam/virus run), so blocking 91.195.10.0/23 (UkrStar ISP, Ukraine) is a very good idea at the moment.

Malware: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped! / ageoloft.info, floreli.info and certerpen.info

This malware spam leads via a legitimate hacked site to floreli.info or ageoloft.info or certerpen.info, although there are probably more. If you have the names of other payload domains please consider add ingthem in the Comments. Both these sites are hosted on 91.195.11.42.

From: Issac Britt [mailto:delphiniumsfte62@retela.co.jp]
Sent: 09 December 2011 14:05
Subject: Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!

Hello,

Shipping Confirmation
Order # 649-2723315-2651369

Your estimated delivery date is:
Tuesday, December 13, 2011

Track your package Thank you for shopping with us. We thought you'd like to know that we shipped this portion of your order separately to give you quicker service. You won't be charged any extra shipping fees, and the remainder of your order will follow as soon as those items become available. If you need to return an item from this shipment or manage other orders, please visit Your Orders on Amazon.com.

Shipment Details

Omron FXB-414M Fat Loss Monitor, Black $149.95
Item Subtotal: $149.95
Shipping & Handling: $0.00
Total Before Tax: $149.95
Shipment Total: $149.95
Paid by Visa: $149.95

You have only been charged for the items sent in this shipment. Per our policy, you only pay for items when we ship them to you.

Returns are easy. Visit our .
If you need further assistance with your order, please visit Customer Service.

We hope to see you again soon!
Amazon.com

The payload is on floreli.info/main.php?page=525447c096f8efbf or ageoloft.info/main.php?page=525447c096f8efbf and consists of the blackhole exploit kit leading to the Cridex Trojan.

Blocking the range 91.195.10.0/23 (UkrStar ISP, Ukraine) a good proactive move as several malware attacks have been hosted there in the past few days.

Domains spotted so far:
ageoloft.info
floreli.info
certerpen.info

Some sample email subjects:
Your Amazon.com order of "Omron BTS-829C Fat Loss ..." has shipped!
Your Amazon.com order of "Omron DRM-151A Fat Loss ..." has shipped!
Your Amazon.com order of "Omron FXB-414M Fat Loss ..." has shipped!
Your Amazon.com order of "Omron KGZ-387E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNB-885D Fat Loss ..." has shipped!
Your Amazon.com order of "Omron PNH-875H Fat Loss ..." has shipped!
Your Amazon.com order of "Omron REM-787E Fat Loss ..." has shipped!
Your Amazon.com order of "Omron QYM-632R Fat Loss ..." has shipped!
Your Amazon.com order of "Omron UHA-584I Fat Loss ..." has shipped!

BBB Spam / combiplease.com

The BBB spam run is back today, with a malicious payload on combiplease.com (174.140.165.194), pretty much the same pattern as yesterday and earlier in the week.

This example is from this morning:

Date:     Fri, 9 Dec 2011 09:39:28 +0200
From:     "risk@bbb.org" [alerts@bbb.org]
Subject:     Re: Case # 48783457
Attachments:     main_logo.jpg

Attn: Owner/Manager
The Better Business Bureau has got the above-referenced complaint from one of your associates in respect of their business relations with you.
The detailed information about the consumer's concern is contained in enclosed file.
Please give attention to this question and inform us about your standpoint.
Please click here to reply this complaint.

We look forward to your prompt response.

Yours faithfully,
Anita Emil
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Blocking 174.140.165.194 may be a good idea as other malicious domains may crop up on the same IP address.

Thursday, 8 December 2011

Malware: "Your new contract" / coredret.ru

Spam season continues with this fake "contract" email with a link that leads to a malicious payload on coredret.ru/main.php.

Date:     Thu, 8 Dec 2011 01:58:25 +0700
From:     "Daisy Newby" [CadenHolmgren@hanmail.net]
Subject:     Your new contract

As we arranged the day before yesterday in the in your place we've got the contract ready, plase study it carefully and let us know whether you accept all the issues.
We've attached the copy of the contract below
Contract.doc 36kb

Best Wishes
Daisy Newby

Fingerprint: bfe69dcc-ccc03723

coredret.ru is hosted on 91.195.11.41 (UkrStar ISP, Ukraine). 91.195.10.0/23 is very sparsely populated, so blocking access to it should cause no problems.

BBB Spam / combijump.com / combimyself.com / combigave.com

A new version of yesterday's spam, this current crop of "BBB Complaint" emails lead to a malicious payload on combijump.com on 46.45.137.206. combimyself.com and combigave.com is on the same server and can also be assumed to be malicious.

VirusTotal detection on the target page is poor. 46.45.137.206 is on a Turkish network called Safya Net, I cannot vouch for its reputation however and it might be worth blocking the /24.

Wednesday, 7 December 2011

Pizza spam / ciredret.ru

Another installment in the tsunami of malware-laden spam doing the rounds.. this time it is for pizza!

From: Pizza by ATTILIO [mailto:Russo@victimdomain.com]
Sent: 06 December 2011 18:25
Subject: Re: Fwd: Order confirmation

You’ve just ordered pizza from our site
Pizza Italian Trio with extras:
- Ham
- Jalapenos
- Green Peppers
- Jalapenos
- No Cheese
- No Sauce
________________________________________
Pizza Veggie Lover's with extras:
- Italian Sausage
- Jalapenos
- Pineapple
- Black Olives
- Easy On Cheese
- No Sauce
________________________________________
Pizza Supreme with extras:
- Chicken
- Jalapenos
- Extra Cheese
- Extra Sauce
________________________________________
Drinks
- Bacardi x 2
- Dr. Pepper x 5
- Cherry Coke x 2
- Coca-Cola x 2
- Mirinda x 4
- Limonade x 5
- Carling x 5
________________________________________Total Due: 187.31$

If you haven’t made the order and it’s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don’t do that shortly, the order will be confirmed and delivered to you.

Best wishes
Pizza by ATTILIO

Fingerprint: a50c3e6f-8a5c87de

The link goes through a legitimate hacked site to a malicious payload on ciredret.ru/main.php, hosted on 79.137.237.63. Unsuprisingly this is Digital Network JSC in Moscow (aka DINETHOSTING) who are involved in much of the recent malware spam runs. Blocking 79.137.224.0/20 is highly recommended.

Update 23/12/11: Another pizza malware run, this time leading to cgredret.ru hosted on 79.137.237.68 , no surprise to find that it is Digital Network JSC again..

Date:     Fri, 23 Dec 2011 -06:10:36 -0800
From:     "ANTONINO`s Pizzeria"
Subject:     Re: Fwd: Order confirmation

Youâ€™ve just ordered pizza from our site

Pizza Hawaiian Luau with extras:
- Bacon Pieces
- Pepperoni
- Pepperoni
- Diced Tomatoes
- No Cheese
- Extra Sauce
Pizza Meat Lover's with extras:
- Pepperoni
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Pizza Hawaiian Luau with extras:
- Pork
- Black Olives
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Sprite x 2
- Hancock x 6
- White wine x 6
- Carling x 3
Total Charge:    207.31$

If you havenâ€™t made the order and itâ€™s a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you donâ€™t do that shortly, the order will be confirmed and delivered to you.

Best Regards
ANTONINO`s Pizzeria