These domains are pushing some sort of malware or other (possibly fake antivirus). It's hard to tell exactly what nastiness is here, but given that these are all recently registered domains with fake WHOIS details then it's certainly not going to be anything good.
Whatever it is, it seems to be promoted via spam and requires the correct User Agents and Referrer data to trigger. Sites are hosted on 195.225.55.130 (Dako Systems, Netherlands)
spokanesimplified.org
safetygold.org
businsideessfolowinggate.org
reservetri.org
cardreform.org
swapopen.org
businessfolowingdoor.org
smokersinsurancelinesguns.org
smokerslifeonlinesguns.org
smokerslifeoverlinesguns.org
livesstorytiderss.org
wiredesert.org
mylittallbeizz.org
gunslinzmouses.info
criticstocks.info
largusliananumbers.info
livesstorytiders.info
mailhostsboot.info
Wednesday, 5 September 2012
Something evil on 195.225.55.130
Labels:
Evil Network
Tuesday, 4 September 2012
LinkedIn spam / 108.178.59.26 and myasuslaptop.com
This fake LinkedIn spam leads to malware on 108.178.59.26 and myasuslaptop.com:
The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy. A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe which appears to be a legitimate (but hacked site).
My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff..
Date: Tue, 04 Sep 2012 10:43:03 +0100
From: "noreply" [noreply@linkedin.com]
Subject: Link LinkedIn Mail
REMINDERS
Invitation reminders:
• From Charlie Alexander (Mexico Key Account Director at Quanta)
PENDING MESSAGES
• There are a total of 5 messages awaiting your response. Visit your InBox now.
Don't want to receive email notifications? Adjust your message settings.
LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malicious payload (report here) is at [donotclick]108.178.59.26/bv6rcs3v1ithi.php?w=6de4412e62fd13be (Singlehop, US) in a block 108.178.59.0/26 suballocated to a person in Italy. A further malicious download is attempted from [donotclick]myasuslaptop.com/updateflashplayer.exe which appears to be a legitimate (but hacked site).
My personal preference with any emails purporting to be from LinkedIn is to block them at the perimeter. As far as most businesses are concerned it is simply a playground for recruiters trying to poach your staff..
Tuesday, 28 August 2012
"QuickBooks Security Update" spam / roadmateremove.org
This fake Intuit spam leads to malware on roadmateremove.org:
The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:
roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net
You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.
Date: Tue, 28 Aug 2012 11:04:30 -0400
From: "Intuit Payroll Services" [intuitpayroll@e.payroll.intuit.com]
Subject: QuickBooks Security Update
You will not be able to access your Intuit QuickBooks without updated Intuit Security Tool (IST™) after 31th of August, 2012.
You can update Intuit Security Tool here.
After a successful download please run the setup for an automatic installation, then login to Intuit Quickbooks online to check that it is working properly.
This email was sent from an auto-notification system that can't accept incoming email. Please don't reply to this message.
You have received this business communication as part of our efforts to fulfill your request or service your account.
You may receive this and other business communications from us even if you have opted out of marketing messages.
Terms, conditions, pricing, features, and service options are subject to change. View our complete Terms of Service.
The malicious payload is at [donotclick]roadmateremove.org/main.php?page=9bb4aab85fa703f5 (report here) hosted on 89.248.231.122 (Mastak Telecom / JSC Quickline, Russia) along with these other malicious sites:
roadmateremove.org
restoreairpowered.net
allhugedeals.net
classic-poems.net
You can pretty safely assume that 89.248.231.122 is a bad server and should be blocked.
Monday, 27 August 2012
"Federal Tax Payment" spam / videomanipulationccflbacklit.pro
This spam attempts to load malware from videomanipulationccflbacklit.pro although at the moment the domain is not resolving:
I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?
Date: Mon, 27 Aug 2012 18:15:37 +0300
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Federal Tax transaction canceled
Your Tax transaction (ID: 849395748011), recently sent from your checking account was canceled by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 849395748011
Return Reason See details in the report below
FederalTax Transaction Report tax_report_849395748011.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:45 +0200
From: "Internal Revenue Service" [irs@service.govdelivery.com]
Subject: Rejected Federal Tax payment
Your Tax transaction (ID: 13394702616857), recently initiated from your bank account was returned by the your Bank.
Rejected Tax transfer
Tax Transaction ID: 13394702616857
Reason for rejection See details in the report below
Tax Transaction Report tax_report_13394702616857.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Mon, 27 Aug 2012 16:41:35 +0200
From: "Internal Revenue Service" [support@govdelivery.com]
Subject: Federal Tax payment canceled
Your Tax transaction (ID: 7227784606474), recently initiated from your bank account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transfer
Tax Transaction ID: 7227784606474
Reason for rejection See details in the report below
FederalTax Transaction Report tax_report_7227784606474.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
I've seen a few .pro domains in spam recently, but they seem to get shut down quite quickly. I thought this TLD was meant to have more careful vetting?
Malware sites to block 27/8/12
A small bunch of IPs and domains spotted in recent malicious spam campaigns that you might want to block..
24.171.200.91
50.116.38.138
89.248.231.122
109.164.221.176
173.234.9.17
184.107.119.39
199.167.138.113
200.29.107.84
allbooksbest.com
allhugedeals.net
basicsmarkeddown.pro
bikeslam.net
classic-poems.net
markelink.net
market-panel.net
24.171.200.91
50.116.38.138
89.248.231.122
109.164.221.176
173.234.9.17
184.107.119.39
199.167.138.113
200.29.107.84
allbooksbest.com
allhugedeals.net
basicsmarkeddown.pro
bikeslam.net
classic-poems.net
markelink.net
market-panel.net
Friday, 17 August 2012
UPS "End of Aug. Stat. Required" Spam / panalki.ru
This fake UPS spam leads to malware on panalki.ru:
The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)
Date: Fri, 17 Aug 2012 06:50:08 -0400
From: "Global Express" [ups-services@ups.com]
Subject: Re: FW: End of Aug. Stat. Required
Attachments: Invoices-26-2012.htm
Hallo,
as reqeusted I give you inovices issued to you per july.
Regards
The malicious payload is at [donotclick]panalki.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses which should be blocked if you can.
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)
Thursday, 16 August 2012
"Scan from a Hewlett-Packard ScanJet" spam / anapoli.ru
More fake printer spam, this time leading to malware on anapoli.ru:
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)
Date: Thu, 16 Aug 2012 12:20:25 +0500The malicious payload is on [donotclick]anapoli.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on a bunch of familiar looking IP addresses:
From: Mariah Gunn via LinkedIn [member@linkedin.com]
Subject: Fwd: Scan from a Hewlett-Packard ScanJet #88682504
Attachments: HP_scanDoc.htm
Attached document was scanned and sent
to you using a Hewlett-Packard HP 90027P.
SENT BY : SAVANNAH
PAGES : 1
FILETYPE: .HTML [Internet Explorer File]
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Wednesday, 15 August 2012
mskoblastionline.ru - malicious spam goes nuts
Date: Wed, 15 Aug 2012 01:20:05 -0400
From: CarinaRue@mail.com
Subject: Fwd: Wire Transfer (1408EA58)
Attachments: Wire_Transfer_N839.htm
Dear Operator,
WIRE TRANSACTION: AC-961141236714971
STATUS: CANCELLED
You can find details in the attached file.
==========
Date: Wed, 15 Aug 2012 10:51:49 -0500
From: "LEILANI Roe" [RoeRmLEILANI@hotmail.com]
Subject: Fwd: Re: Wire Transfer Confirmation
Attachments: Wire_Transfer_N839.htm
Dear Operator,
WIRE TRANSACTION: AC-6427060719674502
STATUS: CANCELLED
You can find details in the attached file.
==========
Date: Wed, 15 Aug 2012 12:31:44 +0300
From: sales1@victimdomain.com
Subject: Re: Your Flight US 34-4827
Attachments: FLIGHT_TICKET_US1650023.htm
Dear Customer,
FLIGHT NUMBER 42463-8276
DATE/TIME : SEPT 27, 2012, 11:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 449.06 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
ESMERALDA KNUTSON,
==========
Date: Wed, 15 Aug 2012 08:06:14 +0100
From: Collene Varner via LinkedIn [member@linkedin.com]
Subject: Fwd: Re: Your Flight US 65-46595
Attachments: FLIGHT_TICKET_US284399461.htm
Dear Customer,
FLIGHT NUMBER 4108-2738
DATE/TIME : SEPT 21, 2012, 10:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 083.97 USD
Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.
Abeni PINA,
==========
Date: Wed, 15 Aug 2012 00:50:03 -0800
From: LinkedIn [welcome@linkedin.com]
Subject: Fwd: Better Business Bureau Complaint
Attachments: Complaint_ID45JG836043169.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 1630630165) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
KARRI PENA
Dispute Counselor
Better Business Bureau
==========
Date: Wed, 15 Aug 2012 04:02:26 +0600
From: Ashley Madison [donotreply@ashleymadison.com]
Subject: Re: Better Business Bureau Complaint
Attachments: Complaint_N35XL147712.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 63959031295)
from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
CONNIE DORAN
Dispute Counselor
Better Business Bureau
==========
The malicious payload is at [donotclick]mskoblastionline.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs:
Date: Wed, 15 Aug 2012 05:31:19 -0500
From: LinkedIn Connections [connections@linkedin.com]
Subject: Re: Fwd: Better Business Bureau Complaint
Attachments: Complaint_ID61Zu4932887.htm
Good afternoon,
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 501379901) from a customer of yours in regard to their dealership with you.
Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Mozilla Firefox) to view the details on this issue and suggest us about your position as soon as possible.
We hope to hear from you shortly.
Regards,
Romeo Keyes
Dispute Counselor
Better Business Bureau
50.56.92.47 (Slicehost, US)
190.120.228.92 (Infolink, Panama)
203.80.16.81 (Myren, Malaysia)
The following IPs and domains are all connected and should be blocked:
50.56.92.47
190.120.228.92
203.80.16.81
spb-koalitia.ru
gorysevera.ru
sergikgorec.ru
mskoblastionline.ru
kefrikin.ru
pussyriotss.ru
ashanrestaurant.ru
panamamoskow.ru
mirdymas.ru
Tuesday, 14 August 2012
"Federal Tax" spam / wireframeglee.info
This tax-themed spam leads to malware on wireframeglee.info:
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The malicious payload is at [donotclick]wireframeglee.info/main.php?page=39630332cf486f5a (report here) hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can.
Date: Tue, 14 Aug 2012 15:21:33 +0200
From: "Internal Revenue Service" [alerts@irs.gov]
Subject: Rejected Federal Tax transfer
Your Tax payment (ID: 38969777924999), recently sent from your checking account was returned by the The Electronic Federal Tax Payment System.
Rejected Tax transaction
Tax Transaction ID: 38969777924999
Return Reason See details in the report below
Tax Transaction Report tax_report_38969777924999.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Tue, 14 Aug 2012 13:31:21 +0000
From: "Internal Revenue Service" [support@irs.gov]
Subject: Federal Tax payment canceled
Your federal Tax payment (ID: 903463682456), recently from your bank account was rejected by the your financial institution.
Rejected Tax transfer
Tax Transaction ID: 903463682456
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_903463682456.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
==========
Date: Tue, 14 Aug 2012 14:42:19 +0200
From: "Internal Revenue Service" [noreply@irs.gov]
Subject: Your Federal Tax transaction
Your Tax transaction (ID: 80110764248536), recently initiated from your checking account was returned by the your Bank.
Canceled Tax transaction
Tax Transaction ID: 80110764248536
Reason of rejection See details in the report below
FederalTax Transaction Report tax_report_80110764248536.doc (Microsoft Word Document)
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785
The malicious payload is at [donotclick]wireframeglee.info/main.php?page=39630332cf486f5a (report here) hosted on 78.87.123.114 (CYTA, Greece) which has been seen several times lately and should be blocked if you can.
"We can not charge your credit card" spam / kefrikin.ru
Date: Tue, 14 Aug 2012 05:26:05 +0200
From: "ups" [mail@ups.com]
Subject: We can not charge your credit card
Attachments: Amazon_Invoice.htm
Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible.
Conditions of Use Privacy Notice � 1996-2012, Amazon.com, Inc. or its affiliates
The attachment Amazon_Invoice.htm is malicious and it attempts to download a malicious script from [donotcick]kefrikin.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IPs (which have all been used for malware distribution several times):
190.120.228.92
199.71.212.78
203.80.16.81
Monday, 13 August 2012
Even more malware sites to block on 194.28.115.150
More evil sites to block on 194.28.115.150 (Specialist ISP) following on from these:
idi42nga.rr.nu
kprud89entia.rr.nu
hin66gof.rr.nu
iste03dengi.rr.nu
hing30emplo.rr.nu
ize84dso.rr.nu
ind42icat.rr.nu
lack33andw.rr.nu
idi42nga.rr.nu
kprud89entia.rr.nu
hin66gof.rr.nu
iste03dengi.rr.nu
hing30emplo.rr.nu
ize84dso.rr.nu
ind42icat.rr.nu
lack33andw.rr.nu
Labels:
Evil Network,
Malware,
Moldova,
Specialist ISP,
Transnistria
"Scan from a Xerox WorkCentre Pro" spam / mirdymas.ru
This spam leads to malware on mirdymas.ru:
The malicious payload is at [donotclick]mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 (report here) hosted on the following familiar IP addresses:
46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem.
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 13 August 2012 08:59
Subject: Fwd: Re: Re: Scan from a Xerox WorkCentre Pro #9484820
A Document was sent to you using a XEROX WorkJet OP578636.
SENT BY : JIN
IMAGES : 1
FORMAT (.JPEG) DOWNLOAD
DEVICE: 109A62DS953L
The malicious payload is at [donotclick]mirdymas.ru:8080/forum/showthread.php?page=5fa58bce769e5c2 (report here) hosted on the following familiar IP addresses:
46.51.218.71 (Amazon, Ireland)
71.89.140.153 (Cloudaccess.net, US)
203.80.16.81 (Myren, Malaysia)
Blocking access to these IPs will prevent other malicious sites on the same servers from being a problem.
Labels:
Malware,
Printer Spam,
RU:8080,
Spam,
Viruses
Something evil on 178.63.195.128/26
The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170.
A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice.
Also, I notice that quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.
The registrant for this block is:
178.63.195.163
altspanning.org
atherosplaylists.org
betasreceivable.org
bringsgrade.org
contenderfilesplitting.org
csidisengage.org
designercomcast.org
encouragesprosuite.org
excellentinvolving.org
firefoxorbitz.org
harvardhqv.org
journalcleanup.org
musicmakingranging.org
ndascontinuum.org
netbiosmediocre.org
originatingcomplicated.org
outlinedpart.org
pantspool.org
preciselycolormatching.org
rantcloned.org
sciencehearted.org
splitnearparent.org
threeparagraphrequirements.org
undeniableblues.org
upscalingfinalproduction.org
vhsintellectual.org
violationsmazes.org
weekendshadows.org
wellthoughtoutestablish.org
workforcefortunately.org
178.63.195.167
builtvaults.org
crystaljacket.org
photomanagementheadhunternet.org
spywareonlyadept.org
starshapedoutstanding.org
static-globe.info
178.63.195.168
bentowe.org
catchespayoff.org
connect4free.in
dvstitems.com
eeechock.org
flyeralone.info
flyersregard.com
free2connect.org
free4connect.org
hatssystem.org
internalpackaged.info
interviewsyamaha.org
operateriot.org
packageswml.info
playerhill.info
successfulmpfs.org
tetrisbroaden.com
zippedjump.com
178.63.195.170
abroad.name
cloud18.name
crimson25.name
dr4ms.name
du5t.name
fakejoke.name
fastservice.name
hlops.name
r0cket.name
ramaro.name
sameday.name
strongalc.name
178.63.195.171
bedtimeblues.org
book-placed.info
bookpart.info
bookpedias.info
bookposters.info
bookposts.info
builderviral.org
jeat-services.info
jeatservices.info
jeatstore.info
jetpremiums.info
jetsbookings.info
krym-house.info
krym-invest.info
krym4x4.info
krymvip-avto.info
krymzakupka.info
netledgerstumblrs.org
teatr-benefis.info
teatrbilet.info
teatrflowers.info
teatrglas.info
teatrgroup.info
trust-spb.info
truthbearers.info
trutrance.info
trworkshop.info
tryfxdata.info
Also these domains appear to be deactivated by pointing them to 127.0.0.1, but you might want to block them just in case:
addonsthoughultrasharp.info
adjustmentsmarginal.info
affectingmacrobiotics.org
alternatelylaughs.info
amalgamie.org
androidstwothirds.info
appleawardwinningstarshaped.info
attractionintrusive.org
aufdeal.info
blurbswatermarks.org
boltsmaking.info
caligarisflipboard.org
circlekidlandias.org
citegologo.org
cleanerspreview.info
collagesenjoyed.info
compensateversamail.info
computercontrolledtelsurf.info
conducivesnag.org
createasimfreemium.info
criesvendor.info
csspoets.info
curiousrebuilding.info
deletingpricelinecom.org
dependentssecond.org
desksorganize.org
didcontinuous.org
discoveredshuts.info
discussioncommentingmonths.info
disqushomepremier.info
embracedpreset.info
endurancescream.info
enforcesfinetune.org
epublishingtodays.info
exploredestabilized.info
extendscrosscountry.org
feedsproxystyle.org
filesyncingenigmatic.org
founderslogin.info
friendshipinterrupt.org
grandmasterpre.org
gunsgml.info
heftyends.info
idlpatterns.org
inboxtie.org
inputsecho.info
invoicedimplementations.info
javacentricunencumbered.org
kevinverizon.info
legalzoomspeak.org
licensedcrispest.org
likingmodule.info
lingeriegiftgiving.org
lodebombermonster.org
machinesruns.info
merchandiseorderingcommerce.org
mixedprone.info
mobileslockeddown.org
mouthmindmanager.org
mydocumentsredirected.info
myspaceatsale.org
namepasswordcobble.info
nanimatedpaperclip.info
notificationloose.org
obihaiwebfriendly.org
omissioncurve.info
onboardstougher.info
onchipimpressively.info
oneoffsynched.info
outshineresearcher.info
ownorcleared.info
pairautoupdate.info
permittighter.org
pimsluernarrating.info
programundo.org
realarcadeextranet.org
reallifeinformation.org
referjustifies.org
relinquishfloated.org
removersitevalidation.info
resettingeyeopening.info
ripoffsfliers.info
roadtripearlier.info
rocfloating.org
sanknowledge.info
selfemployedspeed.info
sierrastorms.org
silenceshalls.info
softpedalswav.info
solitaryorions.org
southmouse.org
specimenfortunate.info
spellingsurfinshield.info
sportsbare.info
stateforbid.org
staticmarkets.org
steveapprovals.org
stumbledunrooted.info
stylizeawarded.info
submenusonlineoriented.info
supplantbriefly.org
suspendersnine.org
textuallythrifty.org
tiabberation.info
touchtypinglower.org
treasuregiftgiving.org
turningcustomized.info
underlinedavira.org
uniquenesstrademarks.info
visibilityprerecorded.info
wavernewlyminted.org
wellasideallotted.org
A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here). Most of the domains are too new to have any reputation, although given the live distribution of malware and the randomly chosen names then they are unlikely to be doing anything nice.
Also, I notice that quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malcious domains needs to be pointed somewhere else quickly.
The registrant for this block is:
inetnum: 178.63.195.128 - 178.63.195.191
netname: R5X
descr: r5x
country: DE
admin-c: TG3863-RIPE
tech-c: TG3863-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Tomas Gailiavicius
address: r5x
address: Kalinina 47-71
address: 188760 Priozersk
address: RUSSIAN FEDERATION
phone: +79876960550
nic-hdl: TG3863-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered
netname: R5X
descr: r5x
country: DE
admin-c: TG3863-RIPE
tech-c: TG3863-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Tomas Gailiavicius
address: r5x
address: Kalinina 47-71
address: 188760 Priozersk
address: RUSSIAN FEDERATION
phone: +79876960550
nic-hdl: TG3863-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered
178.63.195.163
altspanning.org
atherosplaylists.org
betasreceivable.org
bringsgrade.org
contenderfilesplitting.org
csidisengage.org
designercomcast.org
encouragesprosuite.org
excellentinvolving.org
firefoxorbitz.org
harvardhqv.org
journalcleanup.org
musicmakingranging.org
ndascontinuum.org
netbiosmediocre.org
originatingcomplicated.org
outlinedpart.org
pantspool.org
preciselycolormatching.org
rantcloned.org
sciencehearted.org
splitnearparent.org
threeparagraphrequirements.org
undeniableblues.org
upscalingfinalproduction.org
vhsintellectual.org
violationsmazes.org
weekendshadows.org
wellthoughtoutestablish.org
workforcefortunately.org
178.63.195.167
builtvaults.org
crystaljacket.org
photomanagementheadhunternet.org
spywareonlyadept.org
starshapedoutstanding.org
static-globe.info
178.63.195.168
bentowe.org
catchespayoff.org
connect4free.in
dvstitems.com
eeechock.org
flyeralone.info
flyersregard.com
free2connect.org
free4connect.org
hatssystem.org
internalpackaged.info
interviewsyamaha.org
operateriot.org
packageswml.info
playerhill.info
successfulmpfs.org
tetrisbroaden.com
zippedjump.com
178.63.195.170
abroad.name
cloud18.name
crimson25.name
dr4ms.name
du5t.name
fakejoke.name
fastservice.name
hlops.name
r0cket.name
ramaro.name
sameday.name
strongalc.name
178.63.195.171
bedtimeblues.org
book-placed.info
bookpart.info
bookpedias.info
bookposters.info
bookposts.info
builderviral.org
jeat-services.info
jeatservices.info
jeatstore.info
jetpremiums.info
jetsbookings.info
krym-house.info
krym-invest.info
krym4x4.info
krymvip-avto.info
krymzakupka.info
netledgerstumblrs.org
teatr-benefis.info
teatrbilet.info
teatrflowers.info
teatrglas.info
teatrgroup.info
trust-spb.info
truthbearers.info
trutrance.info
trworkshop.info
tryfxdata.info
Also these domains appear to be deactivated by pointing them to 127.0.0.1, but you might want to block them just in case:
addonsthoughultrasharp.info
adjustmentsmarginal.info
affectingmacrobiotics.org
alternatelylaughs.info
amalgamie.org
androidstwothirds.info
appleawardwinningstarshaped.info
attractionintrusive.org
aufdeal.info
blurbswatermarks.org
boltsmaking.info
caligarisflipboard.org
circlekidlandias.org
citegologo.org
cleanerspreview.info
collagesenjoyed.info
compensateversamail.info
computercontrolledtelsurf.info
conducivesnag.org
createasimfreemium.info
criesvendor.info
csspoets.info
curiousrebuilding.info
deletingpricelinecom.org
dependentssecond.org
desksorganize.org
didcontinuous.org
discoveredshuts.info
discussioncommentingmonths.info
disqushomepremier.info
embracedpreset.info
endurancescream.info
enforcesfinetune.org
epublishingtodays.info
exploredestabilized.info
extendscrosscountry.org
feedsproxystyle.org
filesyncingenigmatic.org
founderslogin.info
friendshipinterrupt.org
grandmasterpre.org
gunsgml.info
heftyends.info
idlpatterns.org
inboxtie.org
inputsecho.info
invoicedimplementations.info
javacentricunencumbered.org
kevinverizon.info
legalzoomspeak.org
licensedcrispest.org
likingmodule.info
lingeriegiftgiving.org
lodebombermonster.org
machinesruns.info
merchandiseorderingcommerce.org
mixedprone.info
mobileslockeddown.org
mouthmindmanager.org
mydocumentsredirected.info
myspaceatsale.org
namepasswordcobble.info
nanimatedpaperclip.info
notificationloose.org
obihaiwebfriendly.org
omissioncurve.info
onboardstougher.info
onchipimpressively.info
oneoffsynched.info
outshineresearcher.info
ownorcleared.info
pairautoupdate.info
permittighter.org
pimsluernarrating.info
programundo.org
realarcadeextranet.org
reallifeinformation.org
referjustifies.org
relinquishfloated.org
removersitevalidation.info
resettingeyeopening.info
ripoffsfliers.info
roadtripearlier.info
rocfloating.org
sanknowledge.info
selfemployedspeed.info
sierrastorms.org
silenceshalls.info
softpedalswav.info
solitaryorions.org
southmouse.org
specimenfortunate.info
spellingsurfinshield.info
sportsbare.info
stateforbid.org
staticmarkets.org
steveapprovals.org
stumbledunrooted.info
stylizeawarded.info
submenusonlineoriented.info
supplantbriefly.org
suspendersnine.org
textuallythrifty.org
tiabberation.info
touchtypinglower.org
treasuregiftgiving.org
turningcustomized.info
underlinedavira.org
uniquenesstrademarks.info
visibilityprerecorded.info
wavernewlyminted.org
wellasideallotted.org
Labels:
Evil Network,
Hetzner,
R5X.org
Sunday, 12 August 2012
More malware sites to block on 184.82.162.163 and 184.22.103.202
These domains are on 184.82.162.163 and 184.22.103.202, recently used in some injection attacks.
local-dns.org
lertionk15.be
local-dns.org
lertionk15.be
More malware sites to block on 54.245.115.106
More bad stuff in Amazon's cloud, this time on 54.245.115.106 which already hosts these other malware sites. Block the IP if you can, else block these news domains in addition to these.
fbqdazvojhyc.info
mrqfxznhke.info
wcgqelbpvdn.info
hbiewmkjdytr.info
fbqdazvojhyc.info
mrqfxznhke.info
wcgqelbpvdn.info
hbiewmkjdytr.info
More malware sites to block on 81.17.24.69
A follow up to this post, 81.17.24.69 (Private Layer Inc, Switzerland) now hosts some additional malware domains that you should block if you can't block the IP address:
ose-para-tek-ines.org
oseparatekines.org
ose-para-tek-ines.net
ose-para-tek-ines.org
oseparatekines.org
ose-para-tek-ines.net
Friday, 10 August 2012
Intuit.com spam / ashanrestaurant.ru
This fake Intuit spam leads to malware on ashanrestaurant.ru:
The malicious payload is at [donotclick]shanrestaurant.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following familiar-looking IPs that should be blocked if you can:
203.80.16.81
190.120.228.92
Date: Fri, 10 Aug 2012 09:03:06 -0300
From: Ashley Madison [donotreply@ashleymadison.com]
Subject: Your Intuit.com software order.
Attachments: Intuit_Order-N15090.htm
Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-364-2935 ($1.29/min).
ORDER INFORMATION
Please download your complete order id #3262340 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.
The malicious payload is at [donotclick]shanrestaurant.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following familiar-looking IPs that should be blocked if you can:
203.80.16.81
190.120.228.92
"Verify your order" / yrikdhxzwo.org
Date: Fri, 10 Aug 2012 13:43:57 +0200
From: "New order" [8A4EDCFB@williamsvilla.com]
To: [redacted]
Subject: Verify your order
Dear [redacted],
please verify your order #809910 at http://simplythebestevents.com/wp-content/plugins/mm-forms-community/upload/temp/tracking17948.php?user_id=[redacted]&order_id=8D17821C359
We hope to see you again soon!
The malicious payload is at [donotclick]yrikdhxzwo.org/main.php?page=3f19233d6515cd5d (the payload is defying analysis at the moment), hosted on 54.245.115.156 (Amazon, US). The domain btgjoulrys.info is also on the same server and can be safely assumed to be malicious.
Fake job domains 10/8/12
A bit of an oddity here - I noticed a marked uptick in people searching for very old fake job domains that had expired. It turns out that the scammers are back (probably the Lapatasker crew), and lazily they have just re-registered their old domains. Current ones doing that rounds that you should avoid are:
americafindjob.com
arbetase.com
career-depart.com
careerin-finance.com
espanajob.com
eurojobbnet.com
eurojobcouk.com
eurojobscouk.com
europ-consult.com
jobbankinusa.com
readycarts.com
top10jobbs.com
ukitcareer.com
usaitcareers.com
americafindjob.com
arbetase.com
career-depart.com
careerin-finance.com
espanajob.com
eurojobbnet.com
eurojobcouk.com
eurojobscouk.com
europ-consult.com
jobbankinusa.com
readycarts.com
top10jobbs.com
ukitcareer.com
usaitcareers.com
Labels:
Job Offer Scams,
Lapatasker
wetter.com compromised? oseparatekines.net and 81.17.24.69
The weather site wetter.com is the 25th most popular site in Germany (and nukber 602 in the world) according to Alexa.
Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com redirecting to a exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878 hosted on 81.17.24.69 which is apparently hosted in Switzerland, belonging to a small netblock as follows:
The following domains are hosted on that IP address and you should assume they are malicious:
pilotjobsingrash.org
oseparatekines.org
onlineswotchers.org
fishersmansslow.org
oseparatekines.com
swstockhers.com
pilotjobsingrash.in
pilotjobsingrash.info
webswedish.info
oseparatekines.net
onlineswotchers.net
The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.
You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f
Right at the moment there appears to be a compromised ad being served up by billabong3.wetter.com redirecting to a exploit kit on [donotclick]oseparatekines.net/forum/index.php?showtopic=903878 hosted on 81.17.24.69 which is apparently hosted in Switzerland, belonging to a small netblock as follows:
inetnum: 81.17.24.64 - 81.17.24.95
netname: CLIENT2391
descr: CLIENT2391
country: CH
admin-c: JP5315-RIPE
tech-c: JP5315-RIPE
status: ASSIGNED PA
mnt-by: KP73900-MNT
source: RIPE # Filtered
person: James Prado
address: Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama
phone: +5078365602
nic-hdl: JP5315-RIPE
mnt-by: KP73900-MNT
source: RIPE # Filtered
route: 81.17.16.0/20
descr: Ripe Allocation
origin: AS51852
mnt-by: KP73900-MNT
source: RIPE # Filtered
netname: CLIENT2391
descr: CLIENT2391
country: CH
admin-c: JP5315-RIPE
tech-c: JP5315-RIPE
status: ASSIGNED PA
mnt-by: KP73900-MNT
source: RIPE # Filtered
person: James Prado
address: Torres De Las Americas Torre C Floor 29 Suite 2901 Panama City, Panama
phone: +5078365602
nic-hdl: JP5315-RIPE
mnt-by: KP73900-MNT
source: RIPE # Filtered
route: 81.17.16.0/20
descr: Ripe Allocation
origin: AS51852
mnt-by: KP73900-MNT
source: RIPE # Filtered
The following domains are hosted on that IP address and you should assume they are malicious:
pilotjobsingrash.org
oseparatekines.org
onlineswotchers.org
fishersmansslow.org
oseparatekines.com
swstockhers.com
pilotjobsingrash.in
pilotjobsingrash.info
webswedish.info
oseparatekines.net
onlineswotchers.net
The entire 81.17.24.64/27 range looks suspicious in my opinion. Blocking that range would probably be prudent.
You can see the full script that is being used in the attack here - http://pastebin.com/CMuUm05f
Labels:
Malvertising,
Malware,
Viruses
Subscribe to:
Posts (Atom)