These domains and IPs are involved in malware distribution, especially the Zbot trojan. Most are using the nameservers in the dnsnum10.com domain, or are co-hosted on the same server and have malicious characteristics.
I've come up with a recommended blocklist based on the characteristics of the netblocks in question. If you are based in Russia, Ukraine, Poland or Iran then you may want to review these carefully.
IP addresses and hosts
31.184.244.73 (TOEN Incorporated, UAE)
62.122.74.47 (Leksim, Poland)
77.72.133.69 (Colobridge, Germany)
78.46.205.130 (Hetzner, Germany)
78.140.135.211 (Webazilla, Gibraltar)
85.143.166.132 (PIRIX, Russia)
87.107.121.131 (Soroush Rasanheh Company Ltd, Iran)
91.211.119.56 (Zharkov Mukola Mukolayovuch, Ukraine)
91.231.156.25 (Sevzapkanat-Unimars, Russia)
91.238.83.56 (Standart LLC, Moldova)
146.185.255.161 (Sergeev Sergei Yurievich PE, Russia)
178.162.132.202 (Tower Marketing, Belize)
178.162.134.176 (Silin Vitaly Petrovich, Belarus)
188.93.210.28 (Hosting Service, Russia)
195.88.74.110 (Info Data Center, Bulgaria)
198.144.183.227 (Colocrossing, US)
Recommended blocklist:
Domains:
Wednesday, 5 December 2012
Tuesday, 4 December 2012
Facebook "You have notifications pending" spam / francese.ru
This fake Facebook spam leads to malware on francese.ru:
Date: Tue, 4 Dec 2012 03:38:42 +0000
From: KaseyElleman@victimdomain.com
Subject: You have notifications pending
Hi,
Here's some activity you may have missed on Facebook.
SALLIE FELIX has posted statuses, photos and more on Facebook.
Go To Facebook
See All Notifications
This message was sent to postinialerts@[redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]francese.ru:8080/forum/links/column.php hosted on the following IP addresses:
42.121.116.38 (Aliyun Computing Co, China)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
219.255.134.110 (SK Broadband, Korea)
US Airways spam / attachedsignup.pro
This fake US Airways spam leads to malware on attachedsignup.pro:
From: US Airways - Booking [reservations@myusairways.com]
Date: 4 December 2012 14:30
Subject: US Airways online check-in.
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you have to do is print your boarding pass and go to the gate.
Purchase code: 183303
Check-in online: Online booking details
Payment method: Credit card
Money will be withdrawn in next 3 days
Voyage
5990
Departure city and time
Massachusets MA (DCA) 10:10 AM
Depart date: 12/05/2012
We takes care to protect your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.
US Airways, 145 W. Rio Salado Pkwy, Tempe, AK 93426 , Copyright US Airways , All rights reserved.
The payload and IP addresses are identical to this spam doing the rounds today.
"Most recent events on Facebook" spam / attachedsignup.pro
This fake Facebook spam leads to malware on attachedsignup.pro:
Date: Tue, 4 Dec 2012 15:19:16 +0100
From: " Facebook Security Team" [fractionallyb9@hendrickauto.com]
Subject: Most recent events on Facebook
Hi [redacted],
You have closed your Facebook account. You can rebuild your account whenever you wish by logging into Facebook using your current login email address and password. Subsequently you will be able to take advantage of the site as usually.
Please use the link below to reactivate :
http://www.facebook.com/home.php
If this was you, please pass over this informer. If this wasn't you, please secure your account, as some outlaw person may be explore it.
Best regards, The FaceBook Team
Please note: Facebook will never ask for your personal data through email.
This message was sent to [redacted] from your profile details. Facebook, Inc., Attention: Department 437, PO Box 20000, Palo Alto, CA 96906
The malicious payload is at [donotclick]attachedsignup.pro/detects/links-neck.php (report here) hosted on 41.215.225.202 (Essar Wireless Kenya Ltd), which also hosts the probably malicious domain sessionid0147239047829578349578239077.pl.
"ARK Bureau" (arkbureau.com) fake job offer
Update: I didn't look closely enough at the site; arkbureau.com is also fake, as is this email. See more below. This is still an attempt to recruit people for money laundering, though.
From: Odette Holcomb [mailto:nbnian@esonchem.co.kr]
Sent: 03 December 2012 12:32
Subject: Help wanted.
POSITION: Customer Assistant
ABOUT COMPANY:
ARK Bureau has served hundreds of clients in the United Kingdom, Poland, France and Germany since 1998.
The firm was created by Lorinda Rogers, a young architect of Canadian origin. From its inception, ARK Bureau's vision for design and construction was based on system approach, incorporating both building and landscape design. That philosophy has always meant the highest quality for our clients. That's probably why ARK Bureau enjoys a strong loyalty from the past customers.
Now we have open vacancy in the U.S.: Customer Assistant
RESPONSIBILITIES:
- Process payments from customers;
- Filing invoices, statements and associated documents;
- Meet and exceed performance and time management goals;
- Other duties as required.
GENERAL SKILLS:
- High communication skills;
- Strong problem solving and planning skills;
- Experienced computer & internet user.
APPLY:
To apply please: arkbureaumanager@nokiamail.com
An alternative version uses the email address of arkbureau_manager@nokiamail.com. The two samples that I have seen have originating IP addresses of 174.52.171.8 (Comcast, US) and 109.173.54.245 (NCNET, Russia).
You should give this fake company a wide berth unless you want to end up in serious trouble with law enforcement.
Update: I had originally assumed from the amateurish spam email that arkbureau.com belonged to a genuine company. However, a search of UK company records shows no such company, and the domain was only registered a month ago to an address which is actually consistent with the one on the site:
Domain Name: ARKBUREAU.COM
Registrant:
N/A
Allen Hart (arkbureau@aol.com)
108 Broadwick Street
London
London,W1F 8MT
GB
Tel. +44.448715283620
Creation Date: 16-Nov-2012
Expiration Date: 16-Nov-2013
Their site is full of stock images (like the one below) which can be found in many other places, most of which appear to be in the US (where they don't have an office).
Fundamentally, the whole thing is a fake. A good-looking fake, but a fake nonetheless.
These contact details are presumably also bogus:
Int'l Customer Care: +1 646 583 0506
Our head office is located in London, UK:
108 Broadwick Street, London, W1F 8MT, UK
Phone: +44(0) 20 3290 1280
Fax: +44(0) 871 528 3620
Email: info@arkbureau.com
Since 2010 we also run a branch in Warsaw, Poland:
Pl. Pilsudskiego 3, 00-078 Warszawa, Poland
Phone: +48 22 208 4722
E-mail: info@arkbureau.com
Well, a quick Google of "108 Broadwick Street" indicates that it probably doesn't exist. If we get down on the ground with Google Streetview we can see that Broadwick Street only goes up to number 76, which is a bank of cash machines. Also, the quoted postcode of W1F 8MT is wrong; that belongs to somewhere which is quite a walk from Broadwick Street.
Emails to info@arkbureau.com bounce; there is no such user configured on the server.
arkbureau.com itself is hosted on 64.191.88.71 (HostNOC, US). There are several other sites on the same server that look to be dedicated to either fraud or fake pharma. I would recommend that all of these sites be avoided:
Labels:
Job Offer Scams,
Money Mule,
Spam
Monday, 3 December 2012
"Scan from a Hewlett-Packard ScanJet" spam / somaliaonfloor.ru
This fake printer spam leads to malware on somaliaonfloor.ru:
Date: Mon, 3 Dec 2012 09:25:59 -0600
From: Bebo Service [service@noreply.bebo.com]
Subject: Fwd: Re: Scan from a Hewlett-Packard ScanJet #3838
A document was scanned and sent to you using a Hewlett-Packard HP15310290
Sent to you by: ROSIO
Pages : 8
Filetype(s): Images (.jpeg) View
==========
Date: Mon, 3 Dec 2012 11:06:22 -0500
From: "service@paypal.com" [service@paypal.com]
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 33712789
A document was scanned and sent to you using a Hewlett-Packard HP8220647
Sent to you by: CLAUDIA
Pages : 7
Filetype(s): Images (.jpeg) View
The malicious payload is at [donotclick]somaliaonfloor.ru:8080/forum/links/public_version.php hosted on the same IPs used in this attack:
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
ADP spam / fsblimitedrun.pro
This fake ADP spam leads to malware on fsblimitedrun.pro:
From: ADP Transaction Status
Date: 3 December 2012 17:55
Subject: ADP Major Accounts Processed Case
Valued customer:
James lately covered Transaction at your account. Event # 433933082.
Case Caption: 6CO7
Incident Substantiation: Download
We at ADP obtain to create a personalized and client focused experience with every client interaction.
Please view transaction changed by
visiting the link below.
Click here - ADP Major Accounts Operation Progress mentioned above
Best Wishes,
James Brooks
Vice President of Customer Care Department ADP
ADP Major Accounts
***Reminder***
Please remember to complete your Semi-Annual Service Quality Survey!
Our Goal is to ensure you are VERY SATISFIED with each interaction you have with our Service Associates and we ask that you consider your overall experience in the 6 months preceding your receipt of the survey. We strive to provide WORLD CLASS SERVICE and determine our success by your satisfaction with ADP's services.
**********
This e-mail was delivered from an robot account.
Please don't reply to this message. auomatic informational system unable to accept incoming email.
**********
The malicious payload is at [donotclick]fsblimitedrun.pro/detects/survey_success-complete.php hosted on 41.215.225.202 (Essar Wireless Kenya Ltd) along with the following malicious domain: fdic-update-install.info
Blocking access to this IP address would probably be prudent.
Wire Transfer spam / panamechkis.ru
Date: Mon, 3 Dec 2012 11:34:38 +0330
From: HarrisonCrumm@mail.com
Subject: RE: Wire Transfer cancelled
Dear Customers,
Wire transfer was canceled.
Rejected transfer:
FED NUMBER: 1704196955WIRE580676
Transaction Report: View
Federal Reserve Wire Network
The malicious payload is at [donotclick]panamechkis.ru:8080/forum/links/column.php hosted on:
113.197.88.226 (ULNetworks, Korea)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
Of these, 113.197.88.226 seems to be a new one which should be added to your blocklists.
Friday, 30 November 2012
"Copies of Policies" spam / podarunoki.ru

Date: Fri, 30 Nov 2012 04:54:30 -0300
From: Jone Castaneda via LinkedIn [member@linkedin.com]
Subject: RE: Leonie - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Leonie Doyle,
==========
Date: Fri, 30 Nov 2012 02:32:21 -0400
From: sales1@[victimdomain].com
Subject: RE: Samson - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Samson Henry,
The malicious payload is at [donotclick]podarunoki.ru:8080/forum/links/column.php hosted on some familiar IP addresses which should be blocked if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
The following domains are also on the same servers:
iTunes spam / mokingbirdgives.org

From: iTunes itunes@new.itunes.com
To: purchasing [purchasing@victimdomain.com]
Date: 30 November 2012 17:02
Subject: Your receipt #16201509085048
Billed To:
%email%
Order Number: M1V008146011
Receipt Date: 30/11/2012
Order Total: $699.99
Billed To: Credit card
Item Number Description Unit Price
1 Postcard (View\Download )
Cancel order Not your order?Report a Problem $699.99
Subtotal: $699.99
Tax: $0.00
Order Total: $699.99
Please retain for your records.
Please See Below For Terms And Conditions Pertaining To This Order.
Apple Inc.
You can find the iTunes Store Terms of Sale and Sales Policies by launching your iTunes application and clicking on Terms of Sale or Sales Policies
FBI ANTI-PIRACY WARNING
UNAUTHORIZED COPYING IS PUNISHABLE UNDER FEDERAL LAW.
Answers to frequently asked questions regarding the iTunes Store can be found at http://www.apple.com/support/itunes/store/
Apple ID Summary - Detailed invoice
Apple respects your privacy.
Copyright © 2011 Apple Inc. All rights reserved
The malicious payload is at [donotclick]mokingbirdgives.org/less/demands-probably.php (report here) hosted on 184.82.100.201 (HostNOC, US) along with the following domains which also appear to be malicious:
Thursday, 29 November 2012
"Wire Transfer" spam / dimarikanko.ru

Date: Thu, 29 Nov 2012 06:01:55 +0700
From: LinkedIn Connections [connections@linkedin.com]
Subject: Re: Fwd: Wire Transfer (75631MU030)
Dear Bank Account Operator,
WIRE TRANSFER: FED675249061747420
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]dimarikanko.ru:8080/forum/links/column.php hosted on a bunch of familiar looking IP addresses which have been used in several recent attacks:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Dynamic DNS sites you might want to block II
These Dynamic DNS domains belong to a mystery outfit called dnsdynamic.org, and several of them seem to be in the process of being abused by third parties (for example). The registrations seem to be anonymised, but some poking around at the recent WHOIS history of one of these domains (freedynamicdns.com) reveals ownership details of:
Manager, Domain manager@invertebrateisp.com Invertebrate ISP PO Box 405 Glenmont, New York 12077 United States +1.2623946781
More digging at invertebrateisp.com comes up with a real name:
Wilde, Tim [redacted] [redacted] Glenmont, New York 12077 United States [redacted] Fax --
Anyway, Mr Wilde is not connected with the malicious activity going on with these domains, but he is providing a service that is being abused. Interestingly he founded DynDNS before selling it on.
Dynamic DNS services can be useful, but my personal recommendation is that you should consider blocking them as the bad guys are very good at abusing them. Overall, these are not as bad as the ones run by ChangeIP.com (see here).
There are two versions of this list, one links through to the Google Safe Browsing diagnostics report in case you want to review them on a case-by-case basis before blocking them (yellow highlighted ones have some malware, red highlighted ones are blocked by Google). The second one is a plain list of everything in case you want to block them completely.
Labels:
Dynamic DNS,
Malware,
Viruses
Vobfus sites to block
These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this worm about at the moment (auto translated).
This is a short list of domains to block (scroll down to the bottom for more details), all of which appear to be directly connected to the Vobfus worm:
zdns.eu and ddns1.eu are Dynamic DNS services provided by another party not directly connected to the worm. I recommend you block access to them anyway (more on this at a later date).
The following list is of domains that share nameservers with the Vobfus domains. Decide for yourself whether you want to do anything about these on your own network.
(Yes, some of these are listed elsewhere. The spreadsheet below will make it a little clearer, I hope.)
An expanded list of sites with WOT ratings can be found here if you want to poke around at them.
Labels:
Evil Network,
Malware,
Viruses,
Worm
Wednesday, 28 November 2012
Gary McNeish, Christopher Niebel fined £440k for SMS spams
I've covered Gary McNeish and his SMS spamming outfit before, they are quite possibly behind the majority of financial SMS spam messages that have been doing the rounds lately.
Well, it seems the ICO finally caught up with him and his business partner Christopher Niebel and have hit the pair with a whopping £440,000. The Daily Telegraph reports that they were pumping out up to 840,000 spam SMS messages per day. The BBC has more details about the pair.
It looks like Mr Niebel has suffered the bulk of the fine, with £300,000 ordered to be paid by the ICO. Mr McNeish lives in Thailand (but owns the spamming company Tetrus Telecom) and has been fined £140,000. Mr Niebel seems a bit upset by this according to reports. Tough shit, I say.
Anyway, this is the guy who probably won't be coming back to the UK any time soon.
Check out some of his semi-naked photos here. Classy!
Labels:
Gary McNeish,
SMS,
Spam,
Tetrus Telecoms
Changelog spam / ganadeion.ru

Date: Wed, 28 Nov 2012 05:21:35 -0500
From: LinkedIn Password [password@linkedin.com]
Subject: Re: Changelog as promised (upd.)
Hello,
as prmised updated changelog - View
C. BERGMAN
The malicious payload is at [donotclick]ganadeion.ru:8080/forum/links/column.php hosted on some familiar looking IP addresses that you should block if you can:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
Tuesday, 27 November 2012
Wire transfer spam / gurmanikia.ru

Date: Tue, 27 Nov 2012 01:14:15 -0500
From: Emerita Ayers via LinkedIn [member@linkedin.com]
Subject: RE: Your Wire Transfer N27172774
Dear Customers,
Wire debit transfer was canceled.
Canceled transfer:
FED NUMBER: 6946432301WIRE298280
Transaction Report: View
Federal Reserve Wire Network
The malicious payload is at [donotclick]gurmanikia.ru:8080/forum/links/column.php hosted on the following well-known malicious IPs:
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
FedEx spam / PostalReceipt.zip
A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip
Date: Tue, 27 Nov 2012 13:04:37 -0400
From: "Office Mail" [no_replyFRL@cleveland.com]
Subject: ID (I)JI74 384 428 2295 7492
FedEx
Order: AX-7608-99659670234
Order Date: Sunday, 25 November 2012, 10:35 AM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com has been compromised in this attack.
VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.
Update: here is another variant, downloading from [donotclick]brandandreputation.net/NOHDPQWPJJ.html (195.249.40.193, TeamInternet Denmark)
Date: Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From: "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject: Tracking Number (A)PSO79 089 360 1947 4933
FedEx
Order: MN-8474-09876452234
Order Date: Sunday, 24 November 2012, 11:36 AM
Dear Customer,
Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.
Update 2: another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.
Date: Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From: "Office Mail" [NoReply@baltimore.com]
Subject: Tracking Number (K)IR46 545 922 5276 0059
FedEx
Order: HD-5468-483254683
Order Date: Monday, 25 November 2012, 03:41 PM
Dear Customer,
Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 3: yet another variant.. the payload wasn't working on this one though.
Date: Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From: "First-Class logistics" [NoReply.368@tucson.com]
Subject: Number (N)GDE82 422 446 0527 6243
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:
Date: Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From: "UPS Mail" [NOreplyEAY@baltimore.com]
Subject: ID (P)NRB90 564 295 9947 6165
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotreply]drillsaw.com.au/Postal-Receipt.zip
Date: Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From: "logistics UPS" [no.reply-UAC@losangeles.com]
Subject: Tracking Detail (L)OK73 487 973 8524 5206
FedEx
Order: HD-5468-483254683
Order Date: Tuesday, 26 November 2012, 10:17 AM
Dear Customer,
Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).
Date: Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From: "UPS Receipt" [NOreply.815@irvine.com]
Subject: Tracking ID (T)SB58 793 555 5502 9056
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):
Date: Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From: "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject: Tracking Detail (K)HW33 625 799 6339 9731
FedEx
Order: RM-8723-2307345234
Order Date: Monday, 19 November 2012, 09:32 AM
Dear Customer,
Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.
Date: Tue, 04 Dec 2012 05:13:30 -0600
From: "U.P.S.Service" [no_replyQQW@tampa.com]
Subject: Tracking Number (X)SO21 772 224 4605 7903
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 9: another slightly different version, this one 404s:
Date: Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From: "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject: ID (I)PFP44 818 840 9369 1257
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt , VirusTotal results are patchy.
Date: Wed, 05 Dec 2012 13:21:13 -0400
From: "logistics UPS" [no.replyDD@cincinnati.com]
Subject: Tracking Number (O)UBF96 497 677 7945 1347
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.
Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333
Download sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt
[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt
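The subject lines and download sites catalogued across these updates are regular enough to triage on. The Python below is an added example, not the author's tooling and not anything taken from the campaign itself: it encodes the tracking-number subject formats quoted above, the ten-capital-letter landing page with a "receipt" query string, and a carrier display name on a sender domain that is not the carrier's. The sample messages are constructed, modelled on the quoted spam; the function names, the `triage` return values and the brand list are my own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Subject shapes quoted on this page, e.g. "Tracking Detail (S)AR71 347 275 0953 6096"
# and "Number (651)36-651-651-7313-7313".
SUBJECT_RE = re.compile(
    r"^(?:Tracking (?:Number|Detail|ID)|Number|ID) "
    r"(?:\([A-Z]{1,3}\)[A-Z]{2,3}\d{2}(?: \d{3}){2}(?: \d{4}){2}"
    r"|\(\d{3}\)\d{2}-\d{3}-\d{3}-\d{4}-\d{4})$"
)

# Landing pages are a ten-capital-letter file on a compromised site
# (TFOIATVZVT.html, KUHZNRQXSG.php), usually with a "receipt" query string.
PATH_RE = re.compile(r"/[A-Z]{10}\.(?:html|php)$")

# Carrier words used in the display names; none of the senders are on a carrier domain.
BRAND_RE = re.compile(r"\b(?:fedex|ups|express mail|postal service|logistics)\b")
LEGIT_DOMAINS = ("fedex.com", "ups.com")


def is_campaign_subject(subject: str) -> bool:
    return SUBJECT_RE.match(subject.strip()) is not None


def is_campaign_url(url: str) -> bool:
    """Match the download-site shapes catalogued above (path or 'receipt' query)."""
    if "://" not in url:
        url = "http://" + url  # the page quotes scheme-less URLs
    parts = urlsplit(url)
    if PATH_RE.search(parts.path):
        return True
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(
        "receipt" in key.lower() or any("receipt" in v.lower() for v in values)
        for key, values in query.items()
    )


def sender_brand_mismatch(from_header: str) -> bool:
    """Display name claims a carrier, but the address is not on the carrier's domain."""
    m = re.match(r'^\s*"?([^"<\[]*)"?\s*[<\[]([^>\]]+)[>\]]', from_header)
    if not m:
        return False
    display, address = m.group(1).lower(), m.group(2).lower()
    domain = address.rsplit("@", 1)[-1]
    if not BRAND_RE.search(display):
        return False
    return not any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(message: dict) -> list:
    """Return the reasons a message looks like this campaign (empty list = clean)."""
    reasons = []
    if is_campaign_subject(message.get("subject", "")):
        reasons.append("subject-pattern")
    if sender_brand_mismatch(message.get("from", "")):
        reasons.append("sender-mismatch")
    if any(is_campaign_url(u) for u in message.get("urls", [])):
        reasons.append("landing-url")
    return reasons


# Constructed samples (not real captures): two modelled on the quoted spam, one benign.
SAMPLES = [
    {"from": '"UPS Receipt" [NOreply.IDH@riverside.com]',
     "subject": "ID (D)RH64 621 035 9749 7042",
     "urls": ["www.dol2day.com/QGYAMKOOBH.php?php=receipt"]},
    {"from": '"Office 852" [mu-852@orlando.com]',
     "subject": "Tracking Detail (193)92-193-193-9477-9477",
     "urls": ["http://example.invalid/get_file.php?print_receipt=ss00_323"]},
    {"from": '"Alice Example" <alice@example.org>',
     "subject": "Re: lunch on Friday",
     "urls": ["https://example.org/menu.html"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], "->", triage(s) or "clean")
```

The three checks are deliberately independent so a run that changes one element (a new subject format, as the later updates do, or a real-looking sender) still trips the others; the "receipt" query-string test is the broadest and is the one to tune first if it proves noisy on your own mail.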
Update 12: another version with a tweaked malicious binary:
Date: Fri, 07 Dec 2012 08:33:17 -0400
From: "UPS Receipt" [NOreply.IDH@riverside.com]
Subject: ID (D)RH64 621 035 9749 7042
FedEx
Order: SD-5468-482485468
Order Date: Monday, 2 December 2012, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447
Update 13: another couple of variants, the payload has morphed again and VirusTotal results are predictably very poor.
Date: Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From: "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject: Tracking Detail (Y)VH30 307 516 2676 5647
FedEx
Order: SGH-3818-3779326179
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
====================
Date: Sat, 08 Dec 2012 14:11:29 -0700
From: "UPS Receipt" [NOreply.094@shreveport.com]
Subject: Number (X)UJ39 079 034 0694 8327
FedEx
Order: SGH-0987-4616781861
Order Date: Monday, 2 December 2012, 12:32 AM
Dear Customer,
Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this postal receipt.
GET POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283
Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt
Update 14: just in time for Christmas..
Date: Tue, 25 Dec 2012 00:07:07 +0200
From: "Office 852" [mu-852@orlando.com]
Subject: Tracking Detail (193)92-193-193-9477-9477
FedEx
Order: VGH-4658-1148074435
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
The binary has changed again, detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000 which would make it a Zbot variant.
Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VirusTotal detection rates are just 7/46.
From: Express Mail Service [user-989@louisville.com]
date: 26 December 2012 10:46
subject: Tracking ID (580)53-580-580-3103-3103
FedEx
Order: VGH-2024-9642451224
Order Date: Friday, 14 December 2012, 01:21 PM
Dear Customer,
Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.
To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.
Date: Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From: "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To: [redacted]
Subject: Tracking Number (I)FG03 107 566 0859 2689
FedEx
Order: HJF-8295-96674032
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 19:25:48 -0400
From: "Worldwide Express Mail" <support.800@portland.com>
To: [redacted]
Subject: Number (M)EG25 627 586 0611 4432
*+++
FedEx
Order: HJF-9667-27583280
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From: "First-Class Mail Postal Service" <support.813@baltimore.com>
To: [redacted]
Subject: Number (V)TGS29 427 081 6880 9243
FedEx
Order: HJF-3918-81582364
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
================
Date: Sat, 05 Jan 2013 09:05:00 -0400
From: "First-Class Mail Service" <DTU.160@baltimore.com>
To: [redacted]
Subject: Tracking Detail (S)JYD60 835 496 0448 5921
FedEx
Order: HJF-8882-94725648
Order Date: Thursday, 27 December 2012, 10:41 AM
Dear Customer,
Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
DOWNLOAD POSTAL RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt
Note that these URLs seem to be hardened against analysis: if you can't access them, check your user agent and referrer strings.
Update 17: and more, this time with the following details:
Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460
Order: HJF-4121-39707012
Order: HJF-2424-11089225
[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt
Update 18: another spam run, detection rates are a bit better for this one:
Date: Wed, 09 Jan 2013 06:35:16 +0200
From: "Shipping Service" [IAL_792@chesapeake.com]
Subject: Tracking Detail (V)QT48 601 848 0556 8882
FedEx
Order: JN-3254-98757378
Order Date: Thursday, 3 January 2013, 11:23 AM
Dear Customer,
Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
© FedEx 1995-2012
Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591
Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt
Update 19: another spam run with the following characteristics:
Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report
Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783
Date: Sun, 27 Jan 2013 13:09:22 +0100
From: "Priority Mail Postal Service" [clients-669@columbus.com]
Subject: Number (L)BVT74 159 159 2182 2182
Fed Ex
Order: HCD-7626-14749451
Order Date: Thursday, 17 January 2013, 11:10 AM
Dear Customer,
Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.
To receive your parcel, please, go to the nearest office and show this receipt.
GET & PRINT RECEIPT
Best Regards, The FedEx Team.
FedEx 1995-2012
Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.
Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.
Date: Tue, 05 Feb 2013 19:20:36 -0400
From: "Manager David Riddle" [manager@tampa.us]
Subject: Order Detail
FedEx
Tracking ID: 4013-85911016
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.
Date: Wed, 06 Feb 2013 18:29:28 -0400
From: "Manager William Burt" [service@greensboro.us]
Subject: Shipping Info
FedEx
Tracking ID: 5739-64600336
Date: Monday, 28 January 2013, 09:22 AM
Dear Client,
Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:
46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194
Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:
From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx
7475-42208096 Monday, 4 January 2013, 08:24 AM
Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.
Date: Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From: "Manager Daniel Acevedo" [manager@lexington.us]
Subject: Order Information
FedEx
Tracking ID: 2803-20131928
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.
Date: Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From: "Manager William Burt" [client@wichita.us]
Subject: Shipping Service
FedEx
Tracking ID: 2890-49318193
Date: Monday, 4 January 2013, 09:42 AM
Dear Client,
Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.
Date: Fri, 15 Feb 2013 10:44:44 -0400
From: "Manager Jayden Soto" [manager@norfolk.us]
Subject: Shipping Info
FedEx
Tracking ID: 4374-23102840
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178
Update 27: downloading from [donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.
Date: Wed, 20 Feb 2013 10:00:38 -0400
From: "Manager Mason Marsh" [service@anaheim.us]
Subject: Order Shipped
FedEx
Tracking ID: 9702-66479247
Date: Monday, 11 February 2013, 10:22 AM
Dear Client,
Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32
Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.
Date: Wed, 13 Mar 2013 05:54:18 -0700
From: "Manager Liam Ortega" [support@lincoln.us]
Subject: Tracking Information
FedEx
Tracking ID: 6673-95490112
Date: Monday, 4 March 2013, 10:22 AM
Dear Client,
Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.
To receive your parcel, please, print this receipt and go to the nearest office.
Print Receipt
Best Regards, The FedEx Team.
FedEx 1995-2013
According to Anubis, the malware calls home to:
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080
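The call-home addresses reported for the Update 22, 26, 27 and 28 samples are the part of these reports that a network defender can act on directly. The Python below is an added example, not the author's tooling: it loads a subset of those entries (the full lists above drop in unchanged), honours the port where one was reported so that `87.106.51.52:8080` does not flag ordinary traffic to the same host, and runs them over constructed outbound firewall log lines in netfilter LOG format. CIDR entries are accepted as a generalisation beyond the page's single-IP lists; the log format, function names and sample lines are my own assumptions.

```python
import ipaddress
import re

# Callback addresses reported on this page (subset; IPv4 only). An entry is a bare
# IP, an IP:port as Anubis reported it for Update 28, or a CIDR block.
CALLBACK_ENTRIES = [
    "66.84.10.68", "94.101.86.146", "173.255.203.178",    # ThreatExpert, Update 22
    "72.29.84.159", "87.118.122.19",                      # Anubis, Update 26
    "50.115.116.201", "81.93.248.152", "94.23.193.229",   # Anubis, Update 27
    "190.111.176.13", "213.229.106.32",
    "87.106.51.52:8080", "91.121.156.162:8080",           # Anubis, Update 28
    "80.67.6.226:8080", "93.125.30.232:8080",
    "174.120.225.57:8080", "91.121.28.146:8080", "193.23.226.15:8080",
]


def parse_entry(entry: str):
    """Return (network, port_or_None) for 'ip', 'ip:port' or 'cidr' (IPv4)."""
    host, port = entry.strip(), None
    if host.count(":") == 1:  # host:port form
        host, port_str = host.rsplit(":", 1)
        port = int(port_str)
    return ipaddress.ip_network(host, strict=False), port


def build_index(entries):
    return [parse_entry(e) for e in entries]


# Fields of a netfilter LOG line (constructed format, e.g. "SRC=a DST=b ... DPT=n").
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+(?:\.\d+){3})\s+DST=(?P<dst>\d+(?:\.\d+){3}).*?\bDPT=(?P<dpt>\d+)"
)


def match_line(line: str, index):
    """Return (src, dst, dport) if the destination hits a callback entry, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dpt"])
    for net, port in index:
        # An entry with a port only matches that port; a bare IP/CIDR matches any port.
        if dst in net and (port is None or port == dport):
            return (m["src"], m["dst"], dport)
    return None


def scan(lines, entries=CALLBACK_ENTRIES):
    """Return every (src, dst, dport) hit, in log order."""
    index = build_index(entries)
    hits = []
    for line in lines:
        hit = match_line(line, index)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log lines (not real captures). 192.0.2.10 is TEST-NET-1.
SAMPLE_LOG = [
    "kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.23 DST=87.106.51.52 PROTO=TCP SPT=49211 DPT=8080",
    "kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.23 DST=87.106.51.52 PROTO=TCP SPT=49212 DPT=443",
    "kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.41 DST=66.84.10.68 PROTO=TCP SPT=50001 DPT=80",
    "kernel: FW-OUT IN= OUT=eth0 SRC=10.0.0.41 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443",
]

if __name__ == "__main__":
    for src, dst, dport in scan(SAMPLE_LOG):
        print(f"callback hit: {src} -> {dst}:{dport}")
```

The source address in each hit is the host worth isolating and imaging; the port check matters because several of the reported addresses sit on shared hosting, so a bare-IP rule would also flag legitimate web traffic to neighbouring sites.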
BeyondTek IT / Beyond Tek IT / beyondtekit.com spam
Here's an annoying spammer.. but who are they exactly?
From: Nick Snow ---- BeyondTekIT Nick@beyondtekit.com
Date: 27 November 2012 10:24
Subject: Your IT Jobs - HR
Hello:
The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.
That being said please let me know if you currently have any hard-to-fill IT positions at that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.
We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc
PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.
Thank you.
Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick@beyondtekit.com
www.BeyondTekIT.com
The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit.com and beyondtechit.com domains.
So who are BeyondTekIT? (They also spell their name Beyond Tek IT and BeyondTek IT). The WHOIS details for the beyondtekit.com (and beyondtechit.com) are no help because they are anonymised. So, perhaps their website gives a clue.. and indeed they give the following contact details:
BeyondTek IT
1057 E. Imperial Highway, Suite 509
Placentia, CA 92870
Phone: 714-572-1544
Fax: 714-364-9705
General Inquiries: info@beyondtekit.com
Candidate Resume Submittals: resume@beyondtekit.com
So, this is a California company. So it must be registered in the State of California? Err.. no. There is no business entity of this name. So let's check out the address.. well, that turns out to be a store called Postal Max that rents out mailboxes.
A bit of hard searching around shows that this is not a US based company at all, but is actually based in India (the email mentions an Indian connection). Their real website is at beyondtech.in and clearly mentions the maildrop address on their contact page.
The WHOIS details for this domain are:
Registrant ID:SB23414228
Registrant Name:Nishant Rastogi
Registrant Organization:One MG
Registrant Street1:23, North Boag Road, TNagar
Registrant Street2:
Registrant Street3:
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600017
Registrant Country:IN
Registrant Phone:+91.9444034408
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mail@onemg.in
I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. Bear in mind, though, that there are no anti-spam laws in India, which explains the high level of Indian spam (think SEO spam) that we see, so under Indian law they are probably not doing anything wrong. But surely if they are trading as a California entity then they need to be registered?