Seriously.. when does it stop being a phone? This Galaxy S4 thing has a 5" HD display, a processor with up to eight cores, and it even watches you watching it. Just remember that last point while you are perusing your favourite rubber midget lesbian vore collection.
What I hadn't heard of before is the Samsung HomeSync server which is basically a 1TB appliance you put in your home and store all your stuff on, which you can then access from the GS4 or apparently a wide range of other devices. Just don't lose your smartphone..
Of course, the thing with smartphones is that there's always something better just around the corner. The Google / Motorola Xphone that is rumoured could be a GS4 beater.
Anyway.. in the meantime your old smartphone just got a bit more obsolete..
Friday, 15 March 2013
Thursday, 14 March 2013
Brian Krebs gets SWATted
It looks like Brian Krebs got a visit from a SWAT team today, after having his site DDOSed and served with a fake takedown notice, possibly in retaliation for this article. Nasty.
It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..
It reminds me a little of the "suicide note" incident with the operator of abuse.ch a few years back. You know when you have pissed off the bad guys when they arrange for armed police to come calling..
LinkedIn spam / teenlocal.net
This fake LinkedIn spam leads to malware on teenlocal.net:
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
buyersusaremote.net
cyberage-poker.net
hotels-guru.net
teenlocal.net
bbb-complaint.org
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
bbb-accredited.net
metalcrew.net
roadix.net
gatovskiedelishki.ru
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedInThe malicious payload is at [donotclick]teenlocal.net/kill/force-vision.php (report here) hosted on:
Sent: 14 March 2013 16:32
Subject: Frank and Len have endorsed you!
Congratulations! Your connections Frank Garcia and Len Rosenthal have endorsed you for the following skills and expertise:
Program Management
Strategic Planning
Continue
You are receiving Endorsements emails. Unsubscribe.
This email was intended for Paul Stevens (Chief Financial Officer, Vice President and General Manager, Aerospace/Defense, Pacific Consolidated Industries). Learn why we included this. 2013, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA
24.111.157.113 (Midcontinent Media, US)
58.26.233.175 (Telekom Malaysia, Malaysia)
155.239.247.247 (Centurion Telkom, South Africa)
Blocklist:
24.111.157.113
58.26.233.175
155.239.247.247
buyersusaremote.net
cyberage-poker.net
hotels-guru.net
teenlocal.net
bbb-complaint.org
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
bbb-accredited.net
metalcrew.net
roadix.net
gatovskiedelishki.ru
"Efax Corporate" spam / gimiinfinfal.ru
This eFax-themed spam leads to malware on gimiinfinfal.ru:
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru
Date: Thu, 14 Mar 2013 07:39:23 +0300There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal.ru:8080/forum/links/column.php (report here) hosted on:
From: SarahPoncio@mail.com
Subject: Efax Corporate
Attachments: Efax_Corporate.htm
Fax Message [Caller-ID: 449555234]
You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.
* The reference number for this fax is [eFAX-263482326].
View attached fax using your Internet Browser.
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax ® Customer Agreement.
94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)
Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru
Wednesday, 13 March 2013
"Copies of policies" spam / giimiiifo.ru
This spam leads to malware on giimiiifo.ru:
The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Date: Wed, 13 Mar 2013 06:49:25 +0100
From: LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject: RE: Alonso - Copies of Policies.
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,
and a copy of the most recent schedule.
Alonso SAMS,
The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
"Wapiti Lease Corporation" spam / giminaaaao.ru
A fairly bizarre spam leading to malware on giminaaaao.ru:
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru
From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao.ru:8080/forum/links/column.php (report here) hosted on:
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached
Hello,
Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.
Thank you,
IESHA WILLEY
WLC
93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet , Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru
Zbot sites to block 13/3/13
These domains and IPs seem to be active as Zbot C&C servers. The obsolete .su (Soviet Union) domain is usually a tell-tale sign of.. something.
76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su
URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)
76.185.101.239
77.74.197.190
89.202.183.27
89.253.234.247
201.236.78.182
218.249.154.140
aesssbacktrack.pl
beveragerefine.su
dinitrolkalor.com
dugsextremesda.su
establishingwi.su
eurasianpolicy.net
euroscientists.at
ewebbcst.info
fireinthesgae.pl
girdiocolocai.com
machinelikeleb.su
mixedstorybase.su
satisfactorily.su
smurfberrieswd.su
sputtersmorele.pl
suggestedlean.com
trashinesscro.com
upkeepfilesyst.su
URLs seen:
[donotclick]beveragerefine.su/hjz/file.php
[donotclick]euroscientists.at/hjz/file.php
[donotclick]machinelikeleb.su/fiv/gfhk.php
[donotclick]mixedstorybase.su/hjz/file.php
[donotclick]satisfactorily.su/hjz/file.php
[donotclick]smurfberrieswd.su/hjz/file.php
And for the record, those IPs belong to:
76.185.101.239 (Road Runner, US)
77.74.197.190 (UK Dedicated Servers, UK)
89.202.183.27 (Interoute / PSI, UK)
89.253.234.247 (Rusonyx, Russia)
201.236.78.182 (Municipalidad De Quillota, Chile)
218.249.154.140 (Beijing Zhongbangyatong Telecom, China)
Tuesday, 12 March 2013
"End of Aug. Stat. Required" spam / giminkfjol.ru
This spam leads to malware on giminkfjol.ru:
The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru
From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required
Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)
Regards
The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru
Monday, 11 March 2013
Wire Transfer spam / giminanvok.ru
Another wire transfer spam, this time leading to malware on giminanvok.ru:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can.
Date: Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
From: LinkedIn Connections [connections@linkedin.com]
Subject: Fwd: Wire Transfer (5600LJ65)
Dear Bank Account Operator,
WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
I strongly recommend that you block access to these IPs if you can.
Wire Transfer spam / gimikalno.ru
This fake wire transfer spam leads to malware on gimikalno.ru:
The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100
gimikalno.ru
guuderia.ru
forum-la.ru
forumla.ru
gimalayad.ru
gosbfosod.ru
ginagion.ru
giliaonso.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumkianko.ru
Date: Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From: Xanga [noreply@xanga.com]
Subject: Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)
Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING
Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
Blocklist:
5.9.40.136
66.249.23.64
94.102.14.239
212.180.176.4
117.104.150.170
41.72.150.100
gimikalno.ru
guuderia.ru
forum-la.ru
forumla.ru
gimalayad.ru
gosbfosod.ru
ginagion.ru
giliaonso.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumkianko.ru
Sidharth Shah / OVH / itechline.com
I have now come across several incidents of malware hosted in an OVH IP address range suballocated to Sidharth Shah. The blocks that I can identify so far are:
5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27
These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistant, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.
So, what do we know about Mr Shah? Well, the IPs have the following contact details:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
This is presumably the same Mr Shah who owns sidharthshah.com:
Technical Contact:
Shah, Sidharth sidharth134@gmail.com
12128 Skylark Rd
Clarksburg, Maryland 20871
United States
(240) 535-2204
These contact details are
The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.
BBB rating is based on 16 factors.
ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4] . It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.
Whether or no the OVH IP addresses are managed by Mr Shah directly or theourh ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites, I would recommend blocking access to all the listed IPs if you can.
5.135.20.0/27
5.135.27.128/27
5.135.204.0/27
5.135.218.32/27
5.135.223.96/27
37.59.93.128/27
37.59.214.0/28
46.105.183.48/28
91.121.228.176/28
94.23.106.224/28
176.31.106.96/27
176.31.140.64/28
178.32.186.0/27
178.32.199.24/29
188.165.180.224/27
These IPs are mostly malware or fake goods. Legitimate sites seem to be nonexistant, although these IP ranges have hosted legitimate sites in the past. I would personally recommend blocking them all, but if you want to see a fuller analysis of WOT ratings and Google Safe Browsing diagnostics see here.
So, what do we know about Mr Shah? Well, the IPs have the following contact details:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
This is presumably the same Mr Shah who owns sidharthshah.com:
Technical Contact:
Shah, Sidharth sidharth134@gmail.com
12128 Skylark Rd
Clarksburg, Maryland 20871
United States
(240) 535-2204
These contact details are
The email address sidharth134@gmail.com is also associated with itechline.com which is a company with an unenviable F rating from the BBB, who list the principal as being Sidharth Shah.
BBB rating is based on 16 factors.
Factors that lowered the rating for ITechline.com include:
Length of time business has been operating
8 complaints filed against business
Failure to respond to 7 complaints filed against business
ITechline.com has garnered some very negative consumer reviews [1] [2] [3] [4] . It appears to advertise on search engines for phrases like mcafee support and then charges to look at the computer, with "fixes" that some have reported to be of variable quality. You should make your own mind up as to the veracity of these negative claims.
Whether or no the OVH IP addresses are managed by Mr Shah directly or theourh ITechline is not known. Looking at the malicious domains, I cannot find a direct connection to Mr Shah other than the fact that they are a customer. However, I would not expect a well-managed network to have so many malicious domains and other spammy sites, I would recommend blocking access to all the listed IPs if you can.
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Viruses
Something evil on 176.31.140.64/28
176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.
a50055.info
a6066.info
a70077.info
a80088.info
add5005.info
any303.info
apple2001.info
apple2002.info
apple2003.info
apt707.info
art808.info
article404.info
admin645.info
adscard.net
adscoast.com
adscoast.net
adsknoll.com
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsregarding.com
adsregarding.net
adsset.net
adsspark.com
adsspark.net
adstimes.net
adstown.net
adsvoice.net
akon342.info
alfa763.info
allknowingredscale.org
apolonq3.info
belligerentperformance.biz
booksdesk.org
bymailunstandard.org
cameraandspidermans.org
compatiblesohoos.biz
compellingseven.org
convertingsupply.org
deactivatelens.org
deletionaffordably.org
dlnabeta.org
draggingdownbreakdown.biz
enjoycapacious.org
entertainingsubpoenaed.org
fantasyactv.org
flipsendnow.org
graphicaluseby.org
hardwareturkish.org
ifdependable.org
ignoreorion.biz
imapnearing.org
indeliblefeaturewise.org
inexplicablysitespring.biz
initiatingslatenot.org
innovationfifth.org
inquiryunintuitively.org
interviewsmartcolumns.org
ipartitiontroublesome.org
irresponsibledefrag.biz
jeffalwaysrunning.org
languageinads.com
languageinads.net
leaveinteracted.biz
lowriskremembers.org
machinemargins.biz
madeenergy.biz
materialhencefullfeatured.org
minilabsdetailed.org
modesorganizecontentbased.org
multipledocumentthe.org
museumsinterest.org
nettalksdlsr.biz
nontechnicalcrossdisciplinary.org
notracessurfers.org
offensivesimple.biz
onyxlost.biz
operatingshorter.biz
overloadhell.org
playlistshears.biz
pointandshootfortunately.org
pushedcddb.org
recipesmailings.org
reconfigureboundaries.org
redorewards.biz
remarkablyracer.biz
retrievingevidently.biz
rummaginglistenandrepeats.org
seldomsnailmail.org
selfhealingduo.org
skimmingmanys.org
slideshareempower.org
sorryenters.biz
stretchedtool.org
superdatscalable.biz
taxactsfacebook.org
tonegrapple.biz
tonguesweetening.biz
transformingprofessional.org
transparencymonitoring.org
upsellmediathe.org
usingthisxploreing.org
visualbeesdaemon.org
vpmediastudios.org
westsidespiderman.biz
whocompatible.biz
wpcbots.org
zipsstorms.org
aapp202.info
accon101.info
after121.info
agg7574.info
all9009.info
amigosunspot.biz
bureaubasic.biz
checkinsbr.org
curateeyeballs.biz
efficacycull.biz
inappmovies.biz
menudrivenexternal.biz
moveoutgunned.biz
multitrackonew.net
palmnetstories.biz
predictkillersounding.biz
prohibitingbod.info
redirectionvx.org
selfdefensealphabetical.biz
syncopationhaving.biz
trimmingshyamalan.biz
versustempo.info
altirismotodv.net
bullzipskewing.biz
distortionexperts.net
inteloutdone.biz
opinedvdrw.net
peachtreesauto.net
snowfallsought.net
Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.
a50055.info
a6066.info
a70077.info
a80088.info
add5005.info
any303.info
apple2001.info
apple2002.info
apple2003.info
apt707.info
art808.info
article404.info
admin645.info
adscard.net
adscoast.com
adscoast.net
adsknoll.com
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsregarding.com
adsregarding.net
adsset.net
adsspark.com
adsspark.net
adstimes.net
adstown.net
adsvoice.net
akon342.info
alfa763.info
allknowingredscale.org
apolonq3.info
belligerentperformance.biz
booksdesk.org
bymailunstandard.org
cameraandspidermans.org
compatiblesohoos.biz
compellingseven.org
convertingsupply.org
deactivatelens.org
deletionaffordably.org
dlnabeta.org
draggingdownbreakdown.biz
enjoycapacious.org
entertainingsubpoenaed.org
fantasyactv.org
flipsendnow.org
graphicaluseby.org
hardwareturkish.org
ifdependable.org
ignoreorion.biz
imapnearing.org
indeliblefeaturewise.org
inexplicablysitespring.biz
initiatingslatenot.org
innovationfifth.org
inquiryunintuitively.org
interviewsmartcolumns.org
ipartitiontroublesome.org
irresponsibledefrag.biz
jeffalwaysrunning.org
languageinads.com
languageinads.net
leaveinteracted.biz
lowriskremembers.org
machinemargins.biz
madeenergy.biz
materialhencefullfeatured.org
minilabsdetailed.org
modesorganizecontentbased.org
multipledocumentthe.org
museumsinterest.org
nettalksdlsr.biz
nontechnicalcrossdisciplinary.org
notracessurfers.org
offensivesimple.biz
onyxlost.biz
operatingshorter.biz
overloadhell.org
playlistshears.biz
pointandshootfortunately.org
pushedcddb.org
recipesmailings.org
reconfigureboundaries.org
redorewards.biz
remarkablyracer.biz
retrievingevidently.biz
rummaginglistenandrepeats.org
seldomsnailmail.org
selfhealingduo.org
skimmingmanys.org
slideshareempower.org
sorryenters.biz
stretchedtool.org
superdatscalable.biz
taxactsfacebook.org
tonegrapple.biz
tonguesweetening.biz
transformingprofessional.org
transparencymonitoring.org
upsellmediathe.org
usingthisxploreing.org
visualbeesdaemon.org
vpmediastudios.org
westsidespiderman.biz
whocompatible.biz
wpcbots.org
zipsstorms.org
aapp202.info
accon101.info
after121.info
agg7574.info
all9009.info
amigosunspot.biz
bureaubasic.biz
checkinsbr.org
curateeyeballs.biz
efficacycull.biz
inappmovies.biz
menudrivenexternal.biz
moveoutgunned.biz
multitrackonew.net
palmnetstories.biz
predictkillersounding.biz
prohibitingbod.info
redirectionvx.org
selfdefensealphabetical.biz
syncopationhaving.biz
trimmingshyamalan.biz
versustempo.info
altirismotodv.net
bullzipskewing.biz
distortionexperts.net
inteloutdone.biz
opinedvdrw.net
peachtreesauto.net
snowfallsought.net
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Spam,
Viruses
Something evil on 37.59.214.0/28
37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.
The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appears to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:
1dabify.info
1linktube.info
1myloo.info
1trilium.info
2drill.info
2mars.info
2scrool.info
2skills.info
2walls.info
abubblespot.info
achatterjam.info
athoughtpedia.info
atwitterdrive.info
ayakilith.info
alivexs.info
arealster.info
arealtune.info
atopjam.info
ayombu.info
bbrightbridge.info
bdabdog.info
bfatri.info
bmyva.info
11chattervine.info
11fandu.info
11ncat.info
11tanix.info
22chatset.info
22cogizio.info
22jalium.info
22jaxworks.info
22ooyo.info
22thoughtspace.info
33demilium.info
33digipad.info
33skire.info
3digiset.info
3edgeblab.info
3linkshots.info
3livelounge.info
3meenix.info
3viva.info
5ailium.info
5flashster.info
5gabwire.info
5lalium.info
5skyzu.info
7demiboo.info
7gedeo.info
7jumpbean.info
7jumplist.info
7zambu.info
8abagen.info
8bubbledog.info
8cogitz.info
8plamba.info
8tajo.info
8twitterbox.info
The owner of this block is as follows:
organisation: ORG-SS252-RIPE
org-name: Shah Sidharth
org-type: OTHER
address: 12218 Skylark Rd
address: 20871 Clarksburg
address: US
abuse-mailbox: ovhresell@gmail.com
phone: +1.5407378283
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered
Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appears to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:
1dabify.info
1linktube.info
1myloo.info
1trilium.info
2drill.info
2mars.info
2scrool.info
2skills.info
2walls.info
abubblespot.info
achatterjam.info
athoughtpedia.info
atwitterdrive.info
ayakilith.info
alivexs.info
arealster.info
arealtune.info
atopjam.info
ayombu.info
bbrightbridge.info
bdabdog.info
bfatri.info
bmyva.info
11chattervine.info
11fandu.info
11ncat.info
11tanix.info
22chatset.info
22cogizio.info
22jalium.info
22jaxworks.info
22ooyo.info
22thoughtspace.info
33demilium.info
33digipad.info
33skire.info
3digiset.info
3edgeblab.info
3linkshots.info
3livelounge.info
3meenix.info
3viva.info
5ailium.info
5flashster.info
5gabwire.info
5lalium.info
5skyzu.info
7demiboo.info
7gedeo.info
7jumpbean.info
7jumplist.info
7zambu.info
8abagen.info
8bubbledog.info
8cogitz.info
8plamba.info
8tajo.info
8twitterbox.info
Labels:
Evil Network,
Malware,
OVH,
Sidharth Shah,
Spam,
Viruses
Friday, 8 March 2013
RU:8080 and Amerika spam runs
For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.
The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.
But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.
I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American asapple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.
I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!
The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.
But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.
I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as
I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!
AT&T spam (again)
This fake AT&T spam leads to malware on.. well, in this case nothing at all.
In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!
Date: Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From: AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject: Your AT&T wireless bill is ready to view
att.com | Support | My AT&T Account Rethink Possible
Your wireless bill is ready to view
Dear Customer,
Your monthly wireless bill for your account is now available online.
Total Balance Due: $1695.64
Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.
Smartphone users: download the free app to manage your account anywhere, anytime.
Thank you,
AT&T Online Services
att.com
Contact Us
AT&T Support - quick & easy support is available 24/7.
Find us on Facebook Talk to us on twitter AT&T Community
Get Peace of Mind
Set up secure AutoPay from your checking account.
Learn more
Go Paperless
Save time, money and the environment.
Learn more
Online Deals!
Shop the Best Deals in your area for Phone, TV, Internet and Wireless.
Learn more
Device Tutorials
Information specific about your phone Smart Controls
Block calls, set mobile purchase limits, manage usage, and more Payment Arrangements
Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE
©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. Subsidiaries and affiliates of AT&T Inc. provide products and services under the AT&T brand.
Privacy Policy
In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!
LinkedIn spam / giminalso.ru
This fake LinkedIn spam leads to malware on giminalso.ru:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn PasswordThe malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...
[redacted], Congratulations!
You and Aylin are now connected.
Aylin Welsh
--
Tajikistan
2012, LinkedIn Corporation
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
"Your tax return appeal is declined" / gimilako.ru
This following fake IRS spam leads to malware on gimilako.ru:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru
From: Myspace [mailto:noreply@message.myspace.com]The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.
Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.
Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru
Adobe CS4 spam / guuderia.ru
This fake Adobe spam leads to malware on guuderia.ru:
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
guuderia.ru
gosbfosod.ru
From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedInThe malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:
Sent: 07 March 2013 12:39
Subject: Order N40898
Good afternoon,
You can download your Adobe CS4 License here -
We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.
Adobe Systems Incorporated
41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)
Blocklist:
41.72.150.100
212.180.176.4
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
guuderia.ru
gosbfosod.ru
Thursday, 7 March 2013
Malware sites to block 7/3/13
Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl
173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)
Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl
BBB Spam / alteshotel.net and bbb-accredited.net
This fake BBB spam leads to malware onalteshotel.net and bbb-accredited.net:
One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)
These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net
Date: Thu, 7 Mar 2013 06:23:12 -0700
From: "Better Business Bureau Warnings" [hurriese3@bbb.com]
Subject: BBB details regarding your claim No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to temporal Abort your accreditation with Better Business Beaureau. The details of the our decision are available for review at a link below. Please pay attention to this issue and inform us about your glance as soon as possible.
We graciously ask you to overview the TERMINATION REPORT to meet on this claim
We awaits to your prompt rebound.
If you think you got this email by mistake - please forward this message to your principal or accountant
Yours respectfully
Hunter Ross
Dispute Advisor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 25501
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This information was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
=========================
Date: Thu, 7 Mar 2013 21:19:18 +0800
From: "Better Business Bureau Warnings" [prettifyingde7@transfers.americanpayroll.org]
Subject: BBB details about your pretense No.
Sorry, your e-mail does not support HTML format. Your messages can be viewed in your browser
Better Business Bureau ©
Start With Trust ©
Thu, 6 March 2013
Your Accreditation Suspended
[redacted]
The Better Business Bureau has been temporary Aborted Your Accreditation
A number of latest complains on you / your company motivated us to transient Cancell your accreditation with Better Business Beaureau. The details of the our decision are available visiting a link below. Please pay attention to this question and notify us about your belief as soon as possible.
We graciously ask you to visit the ABUSE REPORT to answer on this appeal
We awaits to your prompt answer.
If you think you got this email by mistake - please forward this message to your principal or accountant
Faithfully yours
Benjamin Cox
Dispute Councilor
Better Business Bureau
Better Business Bureau
3053 Wilson Blvd, Suite 600 Arlington, VA 24401
Phone: 1 (703) 276.0100 Fax: 1 (703) 525.8277
This letter was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe
One potentially malicious payload is at [donotclick]alteshotel.net/detects/review_complain.php (looks like it might be broken - report here) hosted on:
69.43.161.176 (Parked at Castle Access Inc, US)
The other is at [donotclick]bbb-accredited.net/kill/enjoy-laws-partially-unwanted.php (definitely malicious - report here) hosted on:
64.207.236.198 (EasyTEL, US)
142.11.195.204 (Hostwinds LLC, US)
149.154.68.214 (TheFirst.RU, Russia)
These other domains can be seen on those IPs:
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
Recommended blocklist:
64.207.236.198
142.11.195.204
149.154.68.214
secureaction120.com
secureaction150.com
iberiti.com
notsk.com
metalcrew.net
roadix.net
gatovskiedelishki.ru
conbicormiks.ru
alteshotel.net
bbb-accredited.net
Subscribe to:
Posts (Atom)