Dynamoo's Blog

Monday, 13 August 2012

Even more malware sites to block on 194.28.115.150

More evil sites to block on 194.28.115.150 (Specialist ISP) following on from these:

idi42nga.rr.nu
kprud89entia.rr.nu
hin66gof.rr.nu
iste03dengi.rr.nu
hing30emplo.rr.nu
ize84dso.rr.nu
ind42icat.rr.nu
lack33andw.rr.nu

"Scan from a Xerox WorkCentre Pro" spam / mirdymas.ru

This spam leads to malware on mirdymas.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 13 August 2012 08:59
Subject: Fwd: Re: Re: Scan from a Xerox WorkCentre Pro #9484820

A Document was sent to you using a XEROX WorkJet OP578636.

SENT BY : JIN
IMAGES : 1
FORMAT (.JPEG) DOWNLOAD

DEVICE: 109A62DS953L

The malicious payload is at [donotclick]mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 (report here) hosted on the following familiar IP addresses:

46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)

Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem.

Something evil on 178.63.195.128/26

The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170.

A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice.

Also, I notice that quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.

The registrant for this block is:

 inetnum:         178.63.195.128 - 178.63.195.191

netname:         R5X

descr:           r5x

country:         DE

admin-c:         TG3863-RIPE

tech-c:          TG3863-RIPE

status:          ASSIGNED PA

mnt-by:          HOS-GUN

source:          RIPE # Filtered

person:          Tomas Gailiavicius

address:         r5x

address:         Kalinina 47-71

address:         188760 Priozersk

address:         RUSSIAN FEDERATION

phone:           +79876960550

nic-hdl:         TG3863-RIPE

mnt-by:          HOS-GUN

source:          RIPE # Filtered

178.63.195.163
altspanning.org
atherosplaylists.org
betasreceivable.org
bringsgrade.org
contenderfilesplitting.org
csidisengage.org
designercomcast.org
encouragesprosuite.org
excellentinvolving.org
firefoxorbitz.org
harvardhqv.org
journalcleanup.org
musicmakingranging.org
ndascontinuum.org
netbiosmediocre.org
originatingcomplicated.org
outlinedpart.org
pantspool.org
preciselycolormatching.org
rantcloned.org
sciencehearted.org
splitnearparent.org
threeparagraphrequirements.org
undeniableblues.org
upscalingfinalproduction.org
vhsintellectual.org
violationsmazes.org
weekendshadows.org
wellthoughtoutestablish.org
workforcefortunately.org

178.63.195.167
builtvaults.org
crystaljacket.org
photomanagementheadhunternet.org
spywareonlyadept.org
starshapedoutstanding.org
static-globe.info

178.63.195.168
bentowe.org
catchespayoff.org
connect4free.in
dvstitems.com
eeechock.org
flyeralone.info
flyersregard.com
free2connect.org
free4connect.org
hatssystem.org
internalpackaged.info
interviewsyamaha.org
operateriot.org
packageswml.info
playerhill.info
successfulmpfs.org
tetrisbroaden.com
zippedjump.com

178.63.195.170
abroad.name
cloud18.name
crimson25.name
dr4ms.name
du5t.name
fakejoke.name
fastservice.name
hlops.name
r0cket.name
ramaro.name
sameday.name
strongalc.name

178.63.195.171
bedtimeblues.org
book-placed.info
bookpart.info
bookpedias.info
bookposters.info
bookposts.info
builderviral.org
jeat-services.info
jeatservices.info
jeatstore.info
jetpremiums.info
jetsbookings.info
krym-house.info
krym-invest.info
krym4x4.info
krymvip-avto.info
krymzakupka.info
netledgerstumblrs.org
teatr-benefis.info
teatrbilet.info
teatrflowers.info
teatrglas.info
teatrgroup.info
trust-spb.info
truthbearers.info
trutrance.info
trworkshop.info
tryfxdata.info

Also these domains appear to be deactivated by pointing them to 127.0.0.1, but you might want to block them just in case:
addonsthoughultrasharp.info
adjustmentsmarginal.info
affectingmacrobiotics.org
alternatelylaughs.info
amalgamie.org
androidstwothirds.info
appleawardwinningstarshaped.info
attractionintrusive.org
aufdeal.info
blurbswatermarks.org
boltsmaking.info
caligarisflipboard.org
circlekidlandias.org
citegologo.org
cleanerspreview.info
collagesenjoyed.info
compensateversamail.info
computercontrolledtelsurf.info
conducivesnag.org
createasimfreemium.info
criesvendor.info
csspoets.info
curiousrebuilding.info
deletingpricelinecom.org
dependentssecond.org
desksorganize.org
didcontinuous.org
discoveredshuts.info
discussioncommentingmonths.info
disqushomepremier.info
embracedpreset.info
endurancescream.info
enforcesfinetune.org
epublishingtodays.info
exploredestabilized.info
extendscrosscountry.org
feedsproxystyle.org
filesyncingenigmatic.org
founderslogin.info
friendshipinterrupt.org
grandmasterpre.org
gunsgml.info
heftyends.info
idlpatterns.org
inboxtie.org
inputsecho.info
invoicedimplementations.info
javacentricunencumbered.org
kevinverizon.info
legalzoomspeak.org
licensedcrispest.org
likingmodule.info
lingeriegiftgiving.org
lodebombermonster.org
machinesruns.info
merchandiseorderingcommerce.org
mixedprone.info
mobileslockeddown.org
mouthmindmanager.org
mydocumentsredirected.info
myspaceatsale.org
namepasswordcobble.info
nanimatedpaperclip.info
notificationloose.org
obihaiwebfriendly.org
omissioncurve.info
onboardstougher.info
onchipimpressively.info
oneoffsynched.info
outshineresearcher.info
ownorcleared.info
pairautoupdate.info
permittighter.org
pimsluernarrating.info
programundo.org
realarcadeextranet.org
reallifeinformation.org
referjustifies.org
relinquishfloated.org
removersitevalidation.info
resettingeyeopening.info
ripoffsfliers.info
roadtripearlier.info
rocfloating.org
sanknowledge.info
selfemployedspeed.info
sierrastorms.org
silenceshalls.info
softpedalswav.info
solitaryorions.org
southmouse.org
specimenfortunate.info
spellingsurfinshield.info
sportsbare.info
stateforbid.org
staticmarkets.org
steveapprovals.org
stumbledunrooted.info
stylizeawarded.info
submenusonlineoriented.info
supplantbriefly.org
suspendersnine.org
textuallythrifty.org
tiabberation.info
touchtypinglower.org
treasuregiftgiving.org
turningcustomized.info
underlinedavira.org
uniquenesstrademarks.info
visibilityprerecorded.info
wavernewlyminted.org
wellasideallotted.org

Sunday, 12 August 2012

More malware sites to block on 184.82.162.163 and 184.22.103.202

These domains are on 184.82.162.163 and 184.22.103.202, recently used in some injection attacks.

local-dns.org
lertionk15.be

More malware sites to block on 54.245.115.106

More bad stuff in Amazon's cloud, this time on 54.245.115.106 which already hosts these other malware sites. Block the IP if you can, else block these news domains in addition to these.

fbqdazvojhyc.info
mrqfxznhke.info
wcgqelbpvdn.info
hbiewmkjdytr.info

More malware sites to block on 81.17.24.69

A follow up to this post, 81.17.24.69 (Private Layer Inc, Switzerland) now hosts some additional malware domains that you should block if you can't block the IP address:

ose-para-tek-ines.org
oseparatekines.org
ose-para-tek-ines.net

Friday, 10 August 2012

Intuit.com spam / ashanrestaurant.ru

This fake Intuit spam leads to malware on ashanrestaurant.ru:

Date:     Fri, 10 Aug 2012 09:03:06 -0300
From:     Ashley Madison [donotreply@ashleymadison.com]
Subject:     Your Intuit.com software order.
Attachments:     Intuit_Order-N15090.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-364-2935 ($1.29/min).
ORDER INFORMATION
Please download your complete order id #3262340 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is at [donotclick]shanrestaurant.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following familiar-looking IPs that should be blocked if you can:

203.80.16.81
190.120.228.92

"Verify your order" / yrikdhxzwo.org

This spam leads to malware on yrikdhxzwo.org:

Date:     Fri, 10 Aug 2012 13:43:57 +0200
From:     "New order" [8A4EDCFB@williamsvilla.com]
To:     [redacted]
Subject:     Verify your order

Dear [redacted],

please verify your order #809910 at http://simplythebestevents.com/wp-content/plugins/mm-forms-community/upload/temp/tracking17948.php?user_id=[redacted]&order_id=8D17821C359

We hope to see you again soon!

The malicious payload is at [donotclick]yrikdhxzwo.org/main.php?page=3f19233d6515cd5d (the payload is defying analysis at the moment), hosted on 54.245.115.156 (Amazon, US). The domain btgjoulrys.info is also on the same server and can be safely assumed to be malicious.

Fake job domains 10/8/12

A bit of an oddity here - I noticed a marked uptick in people searching for very old fake job domains that had expired. It turns out that the scammers are back (probably the Lapatasker crew), and lazily they have just re-registered their old domains. Current ones doing that rounds that you should avoid are:

americafindjob.com
arbetase.com
career-depart.com
careerin-finance.com
espanajob.com
eurojobbnet.com
eurojobcouk.com
eurojobscouk.com
europ-consult.com
jobbankinusa.com
readycarts.com
top10jobbs.com
ukitcareer.com
usaitcareers.com

wetter.com compromised? oseparatekines.net and 81.17.24.69

The weather site wetter.com is the 25th most popular site in Germany (and nukber 602 in the world) according to Alexa.

Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com redirecting to a exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878 hosted on 81.17.24.69 which is apparently hosted in Switzerland, belonging to a small netblock as follows:

inetnum:         81.17.24.64 - 81.17.24.95

netname:         CLIENT2391

descr:           CLIENT2391

country:         CH

admin-c:         JP5315-RIPE

tech-c:          JP5315-RIPE

status:          ASSIGNED PA

mnt-by:          KP73900-MNT

source:          RIPE # Filtered

person:          James Prado

address:         Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama

phone:           +5078365602

nic-hdl:         JP5315-RIPE

mnt-by:          KP73900-MNT

source:          RIPE # Filtered

route:           81.17.16.0/20

descr:           Ripe Allocation

origin:          AS51852

mnt-by:          KP73900-MNT

source:          RIPE # Filtered

The following domains are hosted on that IP address and you should assume they are malicious:
pilotjobsingrash.org
oseparatekines.org
onlineswotchers.org
fishersmansslow.org
oseparatekines.com
swstockhers.com
pilotjobsingrash.in
pilotjobsingrash.info
webswedish.info
oseparatekines.net
onlineswotchers.net

The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.

You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f

Yet more malware sites to block on 194.28.115.150

Another batch of malware sites to block on 194.28.115.150 following on from these.. although to be franking, blocking access to 91.211.200.0/22 and 194.28.112.0/22 (Specialist ISP) plus all .rr.nu domains would be even better.

uresre17covered.rr.nu
ented89cable.rr.nu
erstor69msconse.rr.nu
gph46ili.rr.nu
nsu83lti.rr.nu
entl77ymail.rr.nu
rren48tlyvo.rr.nu
ersinq54uiries.rr.nu
sgradu88atevis.rr.nu
arrayt78emperat.rr.nu
ieddis18tribut.rr.nu

Thursday, 9 August 2012

"Verify your order" spam / qapskhnxlfuc.info

This spam leads to malware on qapskhnxlfuc.info:

Date:     Thu, 09 Aug 2012 21:25:41 +0200
From:     "New order" [30F5DC6@tendbeyond.com]
To:     [redacted]
Subject:     Verify your order

Dear [redacted],

please verify your order #447256 at http://mailnegnu.com/FlashSoundNew/welcome19205.php?user_id=[redacted]&order_id=1EDDB29B4E

We hope to see you again soon!

The malicious payload is at [donotclick]qapskhnxlfuc.info/main.php?page=3f19233d6515cd5d (http://wepawet.iseclab.org/view.php?hash=0192c837b292369c4205be3b8fbd34b9&t=1344548568&type=jshttp://wepawet.iseclab.org/view.php?hash=0192c837b292369c4205be3b8fbd34b9&t=1344548568&type=js) hosted on 54.245.115.106 (Amazon.com, US) along with the following domains that you can also assume are malicious:

keopsyc.org
ydxmzbrnjoqc.info
pjldxysgnfh.info
bfkepzvscyjh.info
drogiyfwan.info
vkycwjqdrn.info
zutacxsyiq.info
dnytximqszfr.info
wexnfvciumr.info
wfzijmubdgtv.info
nkcxlmgzuhw.info
fzblvmwoix.info
diocqvenmxz.info

"Your Photos" spam / gorysevera.ru

Another round of "Your photos" spam is in the offing, with a malicious payload on [donotclick]gorysevera.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs that have been seen several times before lately:

190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)

Malware sites to block 9/8/12

Something nasty doing the rounds..you might want to block:

184.82.162.163
184.22.103.202

reslove-dns.com
10ba.com
dns-local.org
wesaf341.org
windows-update-server.com
wsef32asd1.org

Malware on panamamoskow.ru

I'm not sure of the particular nature of the spam run involved (it is possibly a UPS themed attack), but there's a campaign underway with a malicious payload on [donotclick]panamamoskow.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:

178.33.106.254 (OVH, France)
190.120.228.92 (Infolink, Panama)

Blocking access to those IPs will prevent other malicious domains on the same server from being a threat.

Wednesday, 8 August 2012

More malware sites to block on 194.28.115.150

Yet more malware sites hosted on the same IP of 194.28.115.150 address from black hat host Specialist ISP in Transnistria, in addition to these and these. Blocking their entire ranges of 91.211.200.0/22 and 194.28.112.0/22 could save you a lot of grief.

vat19ica.rr.nu
rtr83eaga.rr.nu
utur33esma.rr.nu
rho99dena.rr.nu
sori10gina.rr.nu
spons91orapa.rr.nu
stingh58ousedra.rr.nu
rpci22nsta.rr.nu
slat80edeb.rr.nu
rmil91annob.rr.nu
ttedbr13oadplac.rr.nu
stric59tionac.rr.nu
rsob51stac.rr.nu
tssi48lenc.rr.nu
rned93airc.rr.nu
wishp97roduc.rr.nu
rop67ded.rr.nu
velysu88pported.rr.nu
tow03ard.rr.nu
urist44anford.rr.nu
stim49atesd.rr.nu
ting41peace.rr.nu
reser76veacce.rr.nu
stenn82essee.rr.nu
tro50lle.rr.nu
urech03rysle.rr.nu
rpl51ane.rr.nu
tsre36fere.rr.nu
rsgua98rante.rr.nu
sac11tive.rr.nu
rssol40elyhig.rr.nu
rmee55ting.rr.nu
sdoo02rdaug.rr.nu
rsqbsi32mplersh.rr.nu
ilsa05mpli.rr.nu
tfun34dedmi.rr.nu
rizat57ionmi.rr.nu
rov75isi.rr.nu
topse63curiti.rr.nu
tingsi83llegal.rr.nu
tid69rugm.rr.nu
robert62sultim.rr.nu
tion96gamm.rr.nu
tigato91rsonesm.rr.nu
teract53borlan.rr.nu
teb84ran.rr.nu
turere98presen.rr.nu
ssent69encin.rr.nu
rtro39ommin.rr.nu
ydet43ermin.rr.nu
ute37drin.rr.nu
tadve42rtisin.rr.nu
rre52nwin.rr.nu
ston80esco.rr.nu
shel27lsco.rr.nu
tton77stheo.rr.nu
sgill34ettewo.rr.nu
yield83ingap.rr.nu
wind89scomp.rr.nu
yin78gsp.rr.nu
ssdel12iversp.rr.nu
ustg99ener.rr.nu
steal73gener.rr.nu
sea12tfr.rr.nu
rgye90xpor.rr.nu
urroun55dingpr.rr.nu
riv58erpr.rr.nu
tici69ansr.rr.nu
uncert96aintyr.rr.nu
reque26ncies.rr.nu
ylor83cons.rr.nu
sframe80scarlos.rr.nu
zar00dous.rr.nu
tpro52duct.rr.nu
saryho39pingit.rr.nu
siveu11nlimit.rr.nu
striki53ngbent.rr.nu
state60potent.rr.nu
uff84erst.rr.nu
veacce31ssedrev.rr.nu
tandin81gfairv.rr.nu
ushed29isdrex.rr.nu
sre80pay.rr.nu

Update: a couple of new ones via the ISC:
tentsf05luxfig.rr.nu
ksstar.rr.nu

Tuesday, 7 August 2012

Malware sites to block on 194.28.115.150

This is an updated list of evil domains on 194.28.115.150 (Specialist ISP in Transnistria). Blocking all of 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is the best idea, and blocking traffic to .rr.nu ain't a bad one either. But if you can only block by domains names then this is the latest list of malware-laden sites to avoid:

xinthesidersdown.com
sweepstakesandcontestsdo.com
ens122zzzddazz.com
ssi11fica.rr.nu
ari55nea.rr.nu
sre13vea.rr.nu
tartis78tscolla.rr.nu
djust16scotla.rr.nu
courie90rhydra.rr.nu
idaysc65artera.rr.nu
x1010thta.rr.nu
ealis86ticeva.rr.nu
sfl20ewwa.rr.nu
rece76iptsb.rr.nu
xvarfo29urdayec.rr.nu
res11tric.rr.nu
ake60rsc.rr.nu
like90varyc.rr.nu
popre01versed.rr.nu
atr56aid.rr.nu
mentme03talsind.rr.nu
rasvi52llage.rr.nu
inglon03grange.rr.nu
senior78custome.rr.nu
sbandb46aninve.rr.nu
surpr54iseove.rr.nu
tes364rdaf.rr.nu
seamer47icadiff.rr.nu
veryt17hingof.rr.nu
ailway42staging.rr.nu
didat35egraph.rr.nu
nals02south.rr.nu
tampas71overei.rr.nu
ekendd69espitei.rr.nu
funct78ionali.rr.nu
artyi03nflati.rr.nu
ofess10ional.rr.nu
ful26qual.rr.nu
var64iabl.rr.nu
ins62ail.rr.nu
orig10inall.rr.nu
ulty75cream.rr.nu
lco16mpan.rr.nu
refi88nedn.rr.nu
ariney05aleteen.rr.nu
ital10namen.rr.nu
ymi87nin.rr.nu
olddo85esgoin.rr.nu
reque83ntlyin.rr.nu
atchp64ension.rr.nu
ional93phaco.rr.nu
eathin54gcashdo.rr.nu
ati31ngpo.rr.nu
atsda53ngero.rr.nu
ein77gyo.rr.nu
getth82rowapp.rr.nu
tsoc11ketp.rr.nu
vin04gup.rr.nu
tsroy47alpar.rr.nu
eri56orar.rr.nu
andsto57cksstar.rr.nu
train59tsafer.rr.nu
ariae54ither.rr.nu
eighbo02rsbarr.rr.nu
ing80entr.rr.nu
brown74emphas.rr.nu
sto32rybs.rr.nu
ncom24pares.rr.nu
ctab59uwes.rr.nu
spr71ings.rr.nu
ssig49nals.rr.nu
ght91ers.rr.nu
elop28ments.rr.nu
acons09olidat.rr.nu
omp25let.rr.nu
tinc31omeu.rr.nu
cello11rassu.rr.nu
pre86view.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru

123Greetings.com spam / remindingwands.org

This fake 123Greetings.com spam actually delivers malware instead, hosted on remindingwands.org:

Date:     Tue, 7 Aug 2012 16:34:21 +0200
From:     "123Greetings.com" [ecards@123greetings.com]
Subject:     New e-card for you.

Vanna amet.diam.eu@lorem.ca has just sent you an ecard from 123Greetings.com

You can view it by clicking here:
http://www.123greetings.com/send/view/999095:

Thanks to our new tracking feature, you can now access all the ecards received by you in the last 14 days.

Use the link below or copy & paste the link into your browser's address bar.
http://www.123greetings.com/connect/track

Or if you prefer you can go to http://www.123greetings.com/ and type your ecard number (0090593007) in the "Search Box" at the top right of the page.

Your ecard can be downloaded for the next 30 days.

Based on user feedback, 123Greetings.com has launched 6 new pages with the best ecards in the Most Popular/ Most Viewed/ Highest Rated/ Latest Additions/ Popular Now and Always There Sections listed on the homepage.

http://www.123greetings.com/top/most_popular.html
http://www.123greetings.com/top/most_viewed.html
http://www.123greetings.com/top/highest_rated.html
http://www.123greetings.com/top/latest.html
http://www.123greetings.com/top/popular_now.html
http://www.123greetings.com/top/always_there.html

If you need any help in viewing your ecard or any other assistance,
please visit our Help/ FAQ section at: http://help.123greetings.com/

We hope you enjoy your ecard,

Your friends at 123Greetings.com
http://www.123greetings.com

We respect your privacy. You will not be receiving any promotional emails from us
because of this ecard. To view our privacy policy, click on the link below:
http://info.123greetings.com/company/privacy_policy.html

Note: This is an auto generated mail. Please do not reply.

If you have any other problem please contact us by clicking on the following link:
http://help.123greetings.com/contact_us.html

This email was sent by 123Greetings.com, Inc., 1674 Broadway, New York, NY 10019.

The malicious payload is at [donotclick]remindingwands.org/main.php?page=861097b084221fd although at the moment it is not responding. This site is hosted on 78.87.123.114 (CYTA, Greece) which is a particularly evil IP that has been seen a lot of lately and can safely be blocked.

"Your Photos" spam / pussyriotss.ru

There's not much to the recurring "Your Photos" spam apart from some terse text and a link. In this case the spam leads to a malicious payload at [donotclick]pussyriotss.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here).

pussyriotss.ru? Well, if you follow the news in Russia at all then you will have heard of the Pussy Riot case. The IP addresses for pussyriotss.ru are:

190.120.228.92 (Infolink, Panama)
116.12.49.68 (Usonyx , Singapore)

These IPs are also associated with spb-koalitia.ru and a whole bunch of other badness, blocking them would be prudent.

Malware sites to block 7/8/12

A small selection of malicious domains to add to your blocklist this morning:

advancementwowcom.org
headtoheadblaster.org
searchlesswebwasher.info
voicecontroldevotes.info
swetadeline.com
threeffect.net