Sponsored by..

Thursday, 29 March 2012

USPS Spam / clearschooner.com

Another USPS spam leading to malware on clearschooner.com:

Date:      Thu, 29 Mar 2012 09:02:35 -0300
From:      "Leonardo Randolph" [USPS_Shipping_Services@usps.com]
Subject:      Your USPS shipment postage labels receipt.


Acct #: 8481973

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #2392415
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $41.63
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0354 0258 5729 7186 4971 (Sequence Number 1 of 1)

   

For further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

You can refund your unused postage labels up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond

The malware is on clearschooner.com/showthread.php?t=73a07bcb51f4be71 (report here), hosted on 50.116.50.82 (Linode, US). Blocking the IP will prevent other malcious sites on the same IP from being a problem.

"Scan from a Xerox WorkCentre Pro #25825448" spam / samsonikonyou.ru

Another malicious HTML-in-ZIP attack, this time leading to malware on samsonikonyou.ru

From: ROSALBA Poe [mailto:victimname@hotmail.com]
Sent: 28 March 2012 19:34
Subject: Scan from a Xerox WorkCentre Pro #25825448

Please open the attached document. It was scanned and sent

to you using a Xerox Center Pro .
Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML

Device Name: XR550PDD9SM84547752

In the ZIP is an HTML file called Invoice_NO_Mailen.htm which contains obfuscated javascript leading to a malware site on samsonikonyou.ru:8080/navigator/jueoaritjuir.php (report here). This is hosted on a similar set of IPs to this attack yesterday.

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
216.24.194.2 (Psychz Networks, US)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
180.235.150.72
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
216.24.194.2
219.94.194.138

Wednesday, 28 March 2012

"Scan from a Hewlett-Packard ScanJet" with zip attachment / superproomgh.ru

This fake HP email has a ZIP attachment, containing an HTML file that leads to malware. The ZIP format is presumably being used to get past virus scanners.

Subject: Re:  Scan from a Hewlett-Packard ScanJet 20382282 


Attached document was scanned and sent
to you using a Hewlett-Packard NetJet 280904SL.

SENT BY : ETSUKO
PAGES : 9
FILETYPE: .HTM [Internet Explorer File]
(See attached file: HP_Jet_27_P683.zip)

The HTML file leads to malware at superproomgh.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the following IPs:

41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)


Plain list for copy-and-pasting:
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

Tuesday, 27 March 2012

USPS Spam / 184.82.202.46

From WeAreSpammers:

This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia.. most likely a hacked legitimate site) the it goes to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). Originating IP is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.

---

From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.

Your USPS delivery
Acct #: 9869890

Dear client:

This is an email confirmation for your order of 5 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #7887095
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $23.88
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 1653  4367  1992  2294  3630  (Sequence Number 1 of 1)



If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

Monday, 26 March 2012

Evil network: Komplit Plyus LLC / AS56697 (91.226.78.0/24)

I came across Komplit Plyus LLC / AS56697 (91.226.78.0/24) while having a look at this injection attack. At first glance it looked like everything in this /24 was dodgy. After taking a close look, I cannot find a single legitimate site in this range and would strongly recommend that you block it.

A full list of domains and MyWOT scores can be found here.Alternatively, I have highlighted some of the non-pharma sites below, which appear to contain malware sites, money mule sites and other nastiness.

adalbrechtmeier-gmbh.com
alvinconsultingjobs.com
alvinconsulting-jobs.com
autorizacia.ru
baxor-ertagi.com
beeline-mms.net
bee-mms.com
besthottestsites.com
bitrealestate.com
bitrealestate.net
canalcountryartisans.net
careersatalvinconsulting.com
dagoatrapist.com
ddc1000.com
deutschenoote.com
dnd-lawyers.com
dsgc.biz
ebay-sa.com
estsales.com
eucash.biz
fgthyj.com
freejoinsites4u.com
freesites4you.com
gbfhju.com
gertalt-gmbh.com
glich.ru
gomms.ru
goo-log.com
hjfghj.com
id2837627733333.ru
in-auth.com
jobsatalvinconsulting.com
jobs-at-alvinconsulting.com
johanauch-gmbh.com
jokeywagner-gmbh.com
julia-oliver-blog.com
kenlandoverseas.com
kontrolatelefonu.com
korbldalman-gmbh.com
langinform.ru
lost-pass.com
lufthansa-shipper.com
mailboxexchange.net
mdstoreonline.com
mmsmix.com
modelmilfs.com
mts-mms.com
myvideo-4.ru
net-mover.com
orgkomitet.net
proftrans.org
rnailgoogle.com
ru-cgi-bin.in
ru-log.in
skypeinto.com
smhaulage.com
soqqa-topish-kere.com
statmail.ru
stat-mail.ru
statsmy.com
stmyst.com
tg-group.com
thesoftforfree.ru
thesoftfree.ru
tk77.org
useac.net
vzlom-pochty.ru
wimbach-gmbh.com
win-auth.ru
yourpagestat.com
yourpagestats.com
zakaz-xak.com

gbfhju.com/r.php injection attack in progress

I haven't seen much buzz about this injection attack yet, but several hundred thousand pages have been infected with an injection attack pointing to gbfhju.com/r.php.

According to this Google search there are 236,000 hits for the search string "gbfhju.com/r.php". The sites seem to be randomly distributed through the web, although I couldn't spot any infected UK or US Government or University sites.

The domain gbfhju.com is registered with a set of details that should be familiar to IT security researchers:

Domain name: gbfhju.com

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Administrative Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Technical Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

Billing Contact:
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

DNS:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com

Created: 2012-03-17
Expires: 2013-03-17


These details are connected to the LizaMoon gang. The site is hosted on 91.226.78.148 which is Komplit Plyus in Russia.91.226.78.0/24 is a real sewer of malware sites, money mule and phishing sites and fake pharma outlets and is well worth blocking.

The following domains are hosted on 91.226.78.148 and they can all be assumed to be dangerous:

fgthyj.com
gbfhju.com
hjfghj.com
statsmy.com
stmyst.com
yourpagestat.com
yourpagestats.com


These other domains are also being used in injection attacks (usually overlapping each other). Blocking the IP range will stop any other attacks coming from this hosting provider.

Friday, 23 March 2012

"USPS postage labels invoice" spam / indigocellular.com and jadecellular.com

This fake USPS message leads to malware on indigocellular.com:

From:     Elmer Cross USPS_Shipping_Info@usps.com
Date:     23 March 2012 13:42
Subject:     USPS postage labels invoice.

Acct #: 5047483

Dear client:

This is an email confirmation for your order of 1 online shipping label(s) with postage. Your credit card will be charged the following amount:

Transaction ID: #1412337
Print Date/Time: 03/11/2012 02:30 AM CST
Postage Amount: $35.74
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 0583  1282  5071  3122  8696  (Sequence Number 1 of 1)

   

If you need further assistance, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 7 days after the print date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is an automatically generated message. Please do not respond 

The malicious payload is on indigocellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.218.102 (Endurance International, US). Blocking the IP will prevent other malware on the IP from being a threat.

Update: another current version of this spam redirects to jadecellular.com/showthread.php?t=73a07bcb51f4be71 on 72.249.104.75 (Networld Internet, US)

Thursday, 22 March 2012

LinkedIn Spam / cyancellular.com and browncellular.com

Another load of LinkedIn Spam is doing the rounds, this time the payload is at cyancellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 209.59.217.78 (Endurance International, US) and also browncellular.com/showthread.php?t=d7ad916d1c0396ff hosted on 174.140.168.207 (Directspace, US)


Be on the lookout for other domains of a similar pattern, if you known of more then please consider adding a comment.. thanks!

Update: indigocellular.com is also part of this same pattern.

LinkedIn Spam / bluecellular.com

The second LinkedIn spam of the day is underway, which is almost exactly identical to this one. In this case, the malicious payload is on bluecellular.com/showthread.php?t=73a07bcb51f4be71 hosted on 96.126.122.240 (Linode, US)

"LinkedIn Invitation from your co-worker" spam / slickcurve.com and bluecellular.com

Another malicious fake email from LinkedIn leading to malware hosted on slickcurve.com.

Date:      Thu, 22 Mar 2012 13:35:48 +0200
From:      "Dominique Benitez" [peripherals698@linkedin.com]
Subject:      LinkedIn Invitation from your co-worker


LinkedIn
REMINDERS

Invitation reminders:
? From Timothy Vega (Your classmate)


PENDING MESSAGES

? There are a total of 1 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The malware payload is on slickcurve.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 173.255.195.167 (Linode, US). Blocking that IP address will block any other malicious sites on the same server.

Wednesday, 21 March 2012

"LinkedIn Invitation from your colleague" spam / closteage.com

A fake LinkedIn spam leading to malware hosted at closteage.com:

Date:      Wed, 21 Mar 2012 16:24:04 +0200
From:      "Stacy Goss"
Subject:      LinkedIn Invitation from your colleague


LinkedIn
REMINDERS

Invitation notifications:
? From Kadeem Ruiz (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. Å  2010, LinkedIn Corporation.
The payload is at closteage.com/showthread.php?t=73a07bcb51f4be71 (report here) hosted on 209.59.217.101 (Endurance International, US). Blocking that IP will block any other malicious sites on the same server.

Tuesday, 20 March 2012

Mid Bedfordshire Constituency and Nadine Dorries - time to go

I don't often get to write about politics on this blog, and I know that most of my readers won't really care.. so scroll on :)

There are proposals to abolish the UK parliamentary constituency of mid-Bedfordshire (where I live). The current MP is Nadine Dorries who is fighting a desperate rearguard action to try to get the proposals overturned. However, not everybody supports Ms Dorries and her campaign, and it seems to me that the proposals (outlined here) are a very good thing and should be supported.

The deadline for submissions is 30th March, the email address to send them to is reviews -at- bcommengland.x.gsi.gov.uk - obviously you can send what you like, but this is what I have sent:

Dear Chairman,

I am writing to support the dissolution of the Mid Bedfordshire parliamentary constituency for the following reasons:

1) The current constituency does not represent a cohesive entity. It is merely a rural "filler" between the urban areas to the north and south.

2) The proposed boundaries reflect closely "Travel to Work Areas" and takes into account that the north of the county is more closely affiliated with Bedford, and the south of the county with Luton and Dunstable.

Although there are obviously some compromises in the way the proposed boundaries have been drawn up, it is my belief that the proposals have been made with some care and understanding of the demographics of the area. In my view the proposed arrangements will be much better for the residents of the current Mid Bedfordshire parliamentary constituency, and that the constituency should be abolished and new boundaries should be established based on those proposed.

Monday, 19 March 2012

"Fwd: Your Flight N 76-124339" spam / dnvfodooshdkfhha.ru

Here's a "flight ticket" spam leading to malware:

Date:      Tue, 20 Mar 2012 11:56:41 +0900
From:      "DEDE Rainey"
Subject:      Re: Fwd: Your Flight N 76-124339
Attachments:     FLIGHT_TICKET_N-A7401085.htm

Dear Customer,



FLIGHT NUMBER 162-717

DATE/TIME : MARCH 28, 2011, 14:13 PM

ARRIVING AIRPORT: NEW-YORK AIRPORT

PRICE : 906.20 USD



Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.



DEDE Rainey,

The attachment tries to redirect the victim to a malware site on dnvfodooshdkfhha.ru:8080/images/aublbzdni.php (report here) and as with most of the .ru:8080 attacks we see, this one is multihomed:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
83.238.208.55 (Netia, Poland)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy and pasting:
62.85.27.129
78.83.233.242
83.238.208.55
125.19.103.198
173.203.51.174
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

Friday, 16 March 2012

"Scan from a Hewlett-Packard ScanJet " spam / debiudlasduisioa.ru

Another fake "HP scan" document with a malicious attachment.

Date:      Fri, 16 Mar 2012 10:49:18 -0300
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Hewlett-Packard ScanJet 684248
Attachments:     HP_Document-16-539.htm

Attached document was scanned and sent



to you using a Hewlett-Packard Scan Jet 57968D.



SENT BY: KAM
PAGES : 4
FILETYPE: .HTML [Internet Explorer File]

The payload is on debiudlasduisioa.ru:8080/images/aublbzdni.php  - the IPs are the same as in this spam run and should be blocked if you can do it.

Intuit.com spam / 173.224.71.132

Yet another round of malicious fake Intuit.com spam is doing the rounds:

Date:      Fri, 16 Mar 2012 11:15:29 -0300
From:      "INTUIT INC."
Subject:      Your Intuit.com order confirmation.




Dear Client:

Thank you for ordering from Intuit Market. We are working on and will send you an e-mail when your order is processed. If you ordered multiple items, we may deliver them in more than one delivery (at no extra cost to you) to provide faster processing time.

If you have questions about your order, please call 1-800-955-8890.


ORDER INFORMATION

Please download your complete order
id #078419178757 information at Intuit small business website.

NEED HELP?

    Email us at mktplace_customerservice@intuit.com.
    Call us at 1-800-955-8890.
    Reorder Intuit Checks Quickly and Easily starting with
    the information from your previous order.

To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.

Thanks again for your order,

Intuit Market Customer Service

Privacy , Legal , Contact Us , About Us

You have received this business communication as part of our efforts to fulfill your request or service
your account. You may receive this and other business communications from us even if you have opted
out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for
additional security information.


�2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax,
among others, are registered trademarks of Intuit Inc.

In this case the link in the email goes through a legitimate hacked site and ends up at 173.224.71.132:8080/showthread.php?t=73a07bcb51f4be71 (Colo5, US). There's a Wepawet report here. Blocking that IP would stop any further malicious sites on the server from being a problem.

"Traffic ticket N250997376 " spam / dkjhfkjsjadsjjfj.ru

This fake traffic ticket (allegedly sent by UPS!) leads to malware at dkjhfkjsjadsjjfj.ru:8080/images/aublbzdni.php

Date:      Fri, 16 Mar 2012 -06:13:46 -0800
From:      UPS Account Services
Subject:      Traffic ticket N250997376
Attachments:     TRAFFIC_TICKET_N75412.htm

This notification is from the Conestoga department, your car has been pictured while crossing on the red light. We're testing the automatical identification system and the system of issuing fines, so please have a look at the picture in attachment and confirm whether this car is yours or no.
This is multihomed on exactly the same IPs as this other attack. Blocking those IPs would be prudent.

fff

Thursday, 15 March 2012

"Scan from a Hewlett-Packard ScanJet " malware / dsakhfgkallsjfd.ru

Another malicious spam campaign, this time with an attachment leading to a malware payload at dsakhfgkallsjfd.ru:8080/images/aublbzdni.php

Date:      Thu, 15 Mar 2012 -01:08:49 -0800
From:      scanner@victimdomain.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 92186094
Attachments:     HP_Document-15-905.htm

Attached document was scanned and sent

to you using a Hewlett-Packard ScanJet 56348K.

SENT BY: LAKITA
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]


There's further malicious code at dsakhfgkallsjfd.ru:8080/images/xlhwhrfvfsxubl.php (report here) - the dsakhfgkallsjfd.ru domain is multihomed on the following IP addresses:


62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
83.238.208.55 (Netia, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
173.203.211.157 (Slicehost, US)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
62.85.27.129
78.83.233.242
78.107.82.98
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
173.203.51.174
173.203.211.157
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
209.114.47.158
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

goo.gl/FP84h link leads to malware

Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.

From:     OP 25939760 Y tuelkv60@yahoo.com
To:     ptofomen@elpuertosm.net
Date:     15 March 2012 08:35
Subject:     LinkedIn Corporation account on Hold Ref78087257
Signed by:     yahoo.com

CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V

http://goo.gl/FP84h



XR 28309138 C

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

The intermediate site is multihomed on what looks like a botnet:

1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)

Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87

Wednesday, 14 March 2012

INTUIT / IRS malicious spam and georgekinsman.net

There are two parallel spam campaigns running right not, one in the "Intuit.com invoice" form, one in the "IRS Tax Appeal form".

Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.

"Scan from a Hewlett-Packard ScanJet" malware / doosdkdkjsjdfo.ru

This old attack again, a malicious email with an attachment leading to doosdkdkjsjdfo.ru

Date:      Wed, 14 Mar 2012 12:31:50 +0530
From:      officejet@victimdomain.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 297552
Attachments:     HP_Scanjet-14-626146.htm

Attached document was scanned and sent



to you using a Hewlett-Packard ScanJet 93988PP.

SENT BY: Teagan
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]

The malware is on doosdkdkjsjdfo.ru:8080/images/aublbzdni.php, which is multihomed on a subset of the IPs in this other recent attack. A Wepawet report can be found here.

62.85.27.129 (Microlink Latvia Ltd, Latvia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
62.85.27.129
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138