Sponsored by..

Wednesday, 21 December 2011

b*redret.ru domains to block (updated)

Another set of "Redret" domains, the b*redret.ru series is used in malware distribution. It has some new IP addresses since the last time.

89.208.34.116 (Digital Network JSC Russia aka DINETHOSTING. Block 89.208.32.0/19 as it is all toxic)
baredret.ru
biredret.ru
bvredret.ru

91.228.133.120 (Inter-Treyd LLC, Russia. Recommend blocking 91.228.133.0/24)
blredret.ru
bsredret.ru

94.199.51.108 (23VNet Hungary)
bkredret.ru
bpredret.ru
bxredret.ru
byredret.ru

95.163.89.193 (Digital Network JSC Russia. Block 95.163.0.0/16 or 95.163.64.0/19)
bbredret.ru
bcredret.ru
bdredret.ru
beredret.ru
bfredret.ru
bgredret.ru
bhredret.ru

95.163.89.200 (Digital Network JSC Russia)
bwredret.ru
bzredret.ru

No IP at present
bjredret.ru
bmredret.ru
bnredret.ru
bqredret.ru
brredret.ru
btredret.ru
buredret.ru

Tuesday, 20 December 2011

c*redret.ru sites to block (updated)

These "Redret" domains serve up malware and are promoted by spam, some of them have moved around since last week so consider this an updated list.

46.249.37.109 [Serverius Holding B.V, Netherlands]
cpredret.ru

79.137.237.63 [Digital Network JSC, Russia aka DINETHOSTING. Recommend blocking 79.137.224.0/20]
crredret.ru
ctredret.ru
czredret.ru

79.137.237.67 [Digital Network JSC, Russia]
ciredret.ru
coredret.ru

79.137.237.68 [Digital Network JSC, Russia]
caredret.ru
csredret.ru

91.195.11.42 [UkrStar ISP, Ukraine. Recommend blocking 91.195.10.0/23]


206.72.207.156 [Interserver Inc, United States]
cdredret.ru
cfredret.ru

Not hosted at present
cbredret.ru
ccredret.ru
ceredret.ru
cgredret.ru
chredret.ru
cjredret.ru
ckredret.ru
clredret.ru
cmredret.ru
cnredret.ru
cqredret.ru
cvredret.ru
cwredret.ru
cxredret.ru
cyredret.ru

BBB Spam / financestuff.serveblog.net

Here's another BBB Spam leading to malware..

Date:      Tue, 20 Dec 2011 11:45:50 +0100
From:      "BBB" [support@bbb.org]
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 24673594) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this issue and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Katherine Schulte

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Malware payload in on financestuff.serveblog.net/main.php?page=69dbd5a1e3ed6ae9 on 207.210.65.12 (Global Net Access LLC). Block the IP address if you can.

"Scan from a Xerox WorkCentre Pro" / cfredret.ru

This is a fairly common malware spam, pointing to malicious code on cfredret.ru/main.php.

Date:      Tue, 20 Dec 2011 05:42:20 +0300
From:      victimname@gmail.com
Subject:      Re: Fwd: Re: Scan from a Xerox WorkCentre Pro #2966272

A Document was sent to you using a Xerox WKC1296130.



Sent by: SHIRLEY
Images : 5
Image (.JPEG) Download

Device: UM85256LL6P68270479



bfe116b5-7dcccccc

cfredret.ru is hosted on 78.47.193.36, exactly the same IP address as this BBB themed malware spam. Blocking access to 78.47.198.32/29 is a fabulous idea if you can.

BBB Spam / blumtam.com

More BBB spam, this time attempting to deliver users to a malicious payload on blumtam.com. A couple of samples:

Date:      Tue, 20 Dec 2011 00:34:38 -0800
From:      "BBB" [alerts@bbb.org]
Subject:      Re: your customer�s complaint ID 82235322
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been sent a complaint (ID 82235322) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this case and let us know of your position as soon as possible.

We hope to hear from you shortly.

Kind regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
and
Date:      Tue, 20 Dec 2011 11:09:23 +0200
From:      "BBB" [alerts@bbb.org]
Subject:      BBB case ID 59988329
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have been filed a complaint (ID 59988329) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this matter and let us know of your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Payload is on blumtam.com/main.php?page=69dbd5a1e3ed6ae9 hosted on 78.47.198.36, a Hetzner AG address suballocated to an outfit called QHoster Ltd in Bulgaria. Blocking access to 78.47.198.32/29 would probably be prudent.

Monday, 19 December 2011

DHL malware spam / secure.dhldispatches.com

This DHL themed spam leads to malware:

From: DHL Express
Sent: 19 December 2011 10:03
Subject: DHL Express Dispatch Confirmation

Order number: 9672834463

Your order has now been dispatched and your DHL Express air waybill number is 9672834463.

To follow the progress of your shipment and print invoice for your records, please go to :
http://secure.dhldispatches.com/tracking/

IMPORTANT INFORMATION:
 
DHL Express will deliver your order between 9am-5pm GMT, Monday to Friday. If you are unavailable, DHL Express will leave a card so you can contact them to reschedule.

All orders must be signed for upon delivery.

Please note, we are unable to change the shipping address on your order now it has been dispatched. Your purchase should arrive in perfect condition. If you are unhappy with the quality, please let us know immediately.

Yours sincerely,

Customer Care
www.dhl.com

For assistance email customercare@dhl.com or call 0800 099 27671 from the UK, +44 (0)20 2781 62512 from the rest of the world, 24 hours a day, seven days a week


CONFIDENTIALITY NOTICE
The information in this email is confidential and is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, you must not read, use or disseminate the information. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of DHL Express Deliveries.

secure.dhldispatches.com (hosted on 116.240.194.69, Primus Australia) looks like a DHL page, but it carries a malicious payload which is loads from 118.88.25.36 (Dedicated Servers Australia). Blocking access to both those IPs may be prudent. The Wepawet report for this one is here.

FDIC spam / splatstack.net

More FDIC spam leading to malware, this time at splatstack.net.

Date:      Mon, 19 Dec 2011 05:32:49 -0600
From:      "Greta Bullock"
Subject:      Blockage of your transactions

Attn: Financial Department


By this message we would like to inform you about the latest amendments in the Federal Deposit Insurance Corporation coverage rules. During the period from December 31, 2010 to December 31, 2012 all funds in a "noninterest-bearing transaction account" are provided with a full insurance coverage by the Federal Deposit Insurance Corporation. Please note, that this arrangement is temporary and separate from the Federal Deposit Insurance Corporation's basic insurance rules.

The term "noninterest-bearing transaction account" implies a usual checking account or demand deposit account on which the insured depository institution pays no interest. For more information about this temporary FDIC unlimited coverage, please refer to: http://iimtstudies.com/e3f4e0/index.html

Yours faithfully,
Greta Bullock
Federal Deposit Insurance Corporation


The link goes via a couple of hacked sites to a malicious payload splatstack.net/main.php?page=abfd0d069b45c17e hosted on 173.255.253.115 (Linode). Blocking access to that IP address will probably be prudent.

Scam: "CareerQuick Staffing" / careermanagement.com.ua

This is another take on RockSmith Management scam, linked to these dodgy work-at-home sites, apparently with an Australian connection.

Date:      Mon, 26 Sep 2011 05:48:19 +0530
From:      "Terence Mooney" [terence.mooney@voicecom.co.za]
Subject:      Reminder: Employment Opportunity Followup

Hello

Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application, but can not do so until you complete our
internal application.

The pay range for available positions range from $35.77 per hour to $57.62 per hour.
Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://careermanagement.com.ua/

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire
application process.


Best Regards,

Rock Smith Management


careermanagement.com.ua is a Ukrainian domain, it is hosted on 85.121.39.3, which is a known black-hat host in Romania (Monyson Grup S.A), although as we said before this appears to be an Australian crew running the scam. The layout of the site echoes careerquickstaffing.com, a site that has already been suspended for spamming.

Friday, 16 December 2011

NACHA Spam/ ragsnip.com

Yet another round of fake NACHA spam leading to malware is doing the rounds, this time the payload is on ragsnip.com/main.php?page=111d937ec38dd17e hosted on 207.210.96.226 (Global Net Access LLC, Atlanta). Blocking access to the IP is preferable to the domain as there may be other malicious domains on the same server.

An example spam email from this run (it seems no different to all the other ones):

Date:      Fri, 16 Dec 2011 16:43:21 +0100
From:      "transactions@nacha.org" [transactions@nacha.org]
Subject:      Information on your pending transaction

Attention: Accounting Department

This message contains a report about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    007457776956967
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Faithfully yours,
Kathy Quirk
Accounting Department

NACHA Spam / ragsnub.com

More NACHA spam is doing the rounds, this time redirecting through a legitimate hacked site to ragsnub.com/main.php?page=69dbd5a1e3ed6ae9 on 184.171.248.35 (Hostdime, Florida).

There may be other bad domains on that server, so blocking access to the IP is the safest approach.

Thursday, 15 December 2011

NACHA Spam / evrymonthnighttry.com and glasseseverydaynow.com

More NACHA themed spam this morning that redirects victims through a hacked legitimate site to a malware laden page, this time hosted on evrymonthnighttry.com or glasseseverydaynow.com.

These sites are hosted on 46.183.217.119 (Dataclub, Latvia). I can't see anything at all of value in 46.183.216.0/21 so blocking access to all of that range might be prudent.

It also attempts to load an exploit from a site called bbb-complains.org which is not resolving at present.

A couple of example emails:

Date:      Thu, 15 Dec 2011 07:42:51 +0000
From:      "risk.manager@nacha.org" [risk.manager@nacha.org]
Subject:      Your ACH transaction details

Attention: Accounting Department

This message includes an important information regarding the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction ID:    079788807282357
Transaction status:    pending

In order to resolve this matter, please use the link below to review the transaction details as soon as possible.

Yours faithfully,
Anthony Cooley
Chief Accountant

and

Date:      Thu, 15 Dec 2011 07:30:43 +0000
From:      "alert@nacha.org" [alert@nacha.org]
Subject:      Your pending ACH debit transfer

Dear Sir or Madam,

Please find below a report about the ACH debit transfer sent on your behalf, that was kept back by our bank:
Transaction #:    638798200851317
Status of the transaction:    pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours truly,
Kevin Hunt
Chief Accountant

Fake Facebook spam / caredret.ru

More toxic spam.

Date:      Thu, 15 Dec 2011 11:52:56 +0700
From:      Facebook [notification+VGNDUO7NQM4R@facebookmail.com]
Subject:      LUCY Snow wants to be friends on Facebook.

facebook
LUCY Snow wants to be friends with you on Facebook.
   
LUCY Snow

Confirm Friend Request
   
See All Requests
This message was sent to victim@victimdomain.com. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303 

In this case, the link goes via a hacked legitimate site and gets redirected to a malicious page on caredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). Block access to 79.137.224.0/20 if you can, there is nothing legitimate hosted here.

FDIC spam / sownload.zapto.org and 63.223.78.19

The spam tsunami continues today with a set of new malware URLs to block. This one allegedly comes from the FDIC in the US.

Date:      Fri, 16 Dec 2011 04:12:15 +0400
From:      "Freeman Ballard" [Freeman.Ballard@campioni.info]
Subject:      URGENT! Security system updates

Dear Sirs,

In order to prevent new cases of wire fraud, we have introduced a new security system. In this connection all the account transactions of our customers have been suspended unless the special security requirements are met.. In order to rehabilitate your account, you need to

Install a special security software. Please use the link below to read the instructions for the installation of the latest security version.

We apologize for the inconveniences caused to you by this measure.
Please do not hesitate to contact us if you have any questions.

Sincerely yours,

FDIC Call Center 1-877-275-3342 (1-877-ASKFDIC)
or Email Address: consumer-service@fdic.gov
8:00 am - 8:00 pm ET; Monday-Friday
9:00 am - 5:00 pm ET; Saturday-Sunday
For the Hearing Impaired Toll Free 1-800-925-4618 / Local (VA) 703-562-2289

The link goes through a legitimate hacked site and tries to direct the user to a malicious page at sownload.zapto.org/main.php?page=db3408bf080473cf hosted on 63.223.78.199 (InfraVPS Network Solutions, Philippines). Blocking the IP address is preferable because there may more other malicious domains on that server.

Wednesday, 14 December 2011

Spam: "Cuban car sale rise after law change" / csredret.ru

A weird spam, leading to a malicious payload on csredret.ru

Date:      Wed, 14 Dec 2011 03:50:19 +0900
Subject:      Fwd: VIDEO: Cuban car sale rise after law change

Hi, look in.

VIDEO: Cuban car sale rise after law change

csredret.ru is hosted on 79.137.237.67 at Digital Network JSC in Russia (aka DINETHOSTING). Blocking access to 79.137.224.0/20 is essential if you can do it.

NACHA Spam / financeportal.sytes.net

More NACHA spam this morning, this time the payload is at financeportal.sytes.net/main.php?page=111d937ec38dd17e on 174.140.165.90. Blocking the IP address rather than the domain is probably best as there may be other malicious sites on that server.

174.140.165.90 is on Directspace LLC in Oregon who seem to have a significant problem with malware at the moment, I have seen malicious sites on:

147.140.163.116
147.140.163.118
147.140.165.90
147.140.165.195

You might want to consider blocking Directspace LLC more widely if you are worried.

Tuesday, 13 December 2011

"PAYROLL LOGS" Spam

This spam is obviously trying to do something evil, but I'm not quite sure what.


Date:      Tue, 13 Dec 2011 15:23:00 -0600
From:      "Helen Oconnell" [terminationsm@migtel.ru]

Subject:      11122011 PAYROLL INDICES

http://jazzon.nl/YK4VUSWQ.html Please access the URL below to reveal PAYROLL LOGS. It was submitted to you using a Xerox WorkCentre. Pro

==================================================================================================================

Confidential E-Mail: This e-Mail is proposed only for the username to that it is addressed and may be composed data that is intimate or otherwise preserved from exposal.If you have take this email in confusion, please notify the support by respond the present e-Mail and erase the original e-Mail and each copy..

The email is a piece of social engineering that relies on you wanting to know how much your colleagues are earning. Click the link and you get redirected to cms-wideopendns.com (a DSL subscriber in Span) then trackorder.commercialday-net.com (in China). It doesn't seem to work properly, but then it might just be resisting the tools I am throwing at it.

In any case.. avoid this one.

NACHA Spam / badthen.com

More NACHA spam, this time leading to a malicious payload on badthen.com. Stupidly (again) the NACHA email appears to come from linkedin.com.

Date:      Wed, 14 Dec 2011 05:36:48 +0900
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transfer suspended

The ACH transaction (ID: 137297301664), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Rejected transfer
Transaction ID:     137297301664
Rejection Reason     See details in the report below
Transaction Report     report_137297301664.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

The malware is on badthen.com/main.php?page=977334ca118fcb8c  hosted on 173.230.130.158 (Linode, US). Blocking the IP address will block any other malware domains on the same server.

Spam: "I found your pictures on my camera yesterday, remember me?" / csredret.ru

Another spam run leading to a malicious payload on csredret.ru (as here)

Date:      Tue, 13 Dec 2011 10:19:58 +0200
From:      "Tomi Mcrae"
Subject:      Hi! This is Tomi

Finally I found your e-mail, I?m not sure whether you remember me, we?ve got terribly drunk, I found your pictures on my camera yesterday, remember me? Party14.jpg 487kb 

The "pictures" link loads the malicious script, hosted at black hat hosts Digital Network JSC aka DINETHOSTING in Russia. Avoid.

You can download your Windows Vista License here / csredret.ru

A Windows Vista licence? No.. it's malware from csredret.ru.

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 December 2011 05:14
Subject: Fwd: Order K93883696


Good morning,


You can download your Windows Vista License here -

Microsoft Corporation

The malicious payload is on csredret.ru/main.php hosted on 79.137.237.67 (Digital Network JSC, Russia aka DINETHOSTING). For about the billionth time in the past few days.. block access to 79.137.224.0/20 on your network if you possibly can.

NACHA Spam / sadjumped.com / downloaddatafast.serveftp.com

 More fake NACHA spam, this time leading to a malicious payload site on downloaddatafast.serveftp.com/main.php?page=977334ca118fcb8c on 173.230.137.34 (Linode, US).

Date:      Tue, 13 Dec 2011 14:15:51 +0100
From:      "LinkedIn" [linkedin@em.linkedin.com]
Subject:      ACH transaction not accepted

The ACH transfer (ID: 82065701523728), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID:     82065701523728
Rejection Reason     See details in the report below
Transaction Report     report_82065701523728.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

© 2011 NACHA - The Electronic Payments Association

serveftp.com is related to no-ip.com, if you block that domain then you should probably block serveftp.com as well. Blocking 173.230.137.34 would protect against any other malicious sites on the same server.

Update: another spam run is in progress using a domain sadjumped.com on the same server.