Sponsored by..

Thursday, 18 April 2013

Malware sites to block 18/4/13, revisited

Quite late last night I posted some malicious IP address that I recommend blocking. I've had a chance to look at these more deeply, and some of them are in known bad IP ranges that you should consider blocking.

Most of these IP ranges are in Russia, blocking them will probably block some legitimate sites. If you don't do much business with Russia then it will probably not be an issue, if you do then you should exercise caution. There's a plain list at the bottom if you simply want to copy-and-paste.


Detected IP Recommended block Owner
5.9.191.179 5.9.191.160/26 (CyberTech LLC, Russia / Hetzner, Germany)
5.45.183.91 5.45.183.91 (Bradler & Krantz, Germany)
5.135.67.215 5.135.67.208/28 (MMuskatov-IE / OVH, France)
5.135.67.217

23.19.87.38 23.19.87.32/29 (Di & Omano Ltd, Germany / Nobis Technology, US)
37.230.112.83 37.230.112.0/23 (TheFirst-RU, Russia)
46.4.179.127 46.4.179.64/26 (Viacheslav Krivosheev, Russia / Hetzner Germany)
46.4.179.129

46.4.179.130

46.4.179.135

46.37.165.71 46.37.165.71 (BurstNET, UK)
46.37.165.104 46.37.165.104 (BurstNET, UK)
46.105.162.112 46.105.162.112/26 (Shah Sidharth, US / OVH, France)
62.109.24.144 62.109.24.0/22 (TheFirst-RU, Russia)
62.109.26.62

62.109.27.27

80.67.3.124 80.67.3.124 (Portlane Networks, Sweden)
80.78.245.100 80.78.245.0/24 (Agava JSC, Russia)
91.220.131.175 91.220.131.0/24 (teterin Igor Ahmatovich, Russia)
91.220.131.178

91.220.163.24 91.220.163.0/24 (Olevan plus, Ukraine)
94.250.248.225 94.250.248.0/23 (TheFirst-RU, Russia)
108.170.4.46 108.170.4.46 (Secured Servers, US)
109.235.50.213 109.235.50.213 (xenEurope, Netherlands)
146.185.255.97 146.185.255.0/24 (Petersburg Internet Network, Russia)
146.185.255.207

149.154.64.161 149.154.64.0/23 (TheFirst-RU, Russia)
149.154.65.56

149.154.68.145 149.154.68.0/23 (TheFirst-RU, Russia)
173.208.164.38 173.208.164.38 (Wholesale Internet, US)
173.234.239.168 173.234.239.160/27 (End of Reality LLC, US / Nobis, US)
176.31.191.138 176.31.191.138 (OVH, France)
176.31.216.137 176.31.216.137 (OVH, France)
184.82.27.12 184.82.27.12 (Prime Directive LLC, US)
188.93.211.57 188.93.210.0/23 (Logol.ru, Russia)
188.120.238.230 188.120.224.0/20 (TheFirst-RU, Russia)
188.120.239.132

188.165.95.112 188.165.95.112/28 (Shah Sidharth, US / OVH France)
188.225.33.62 188.225.33.0/24 (Transit Telecom, Russia)
188.225.33.117

192.210.223.101 192.210.223.101 (VPS Ace, US / ColoCrossing, US)
193.106.28.242 193.106.28.242 (Centr Informacionnyh Technologii Online, Ukraine)
193.169.52.144 193.169.52.0/23 (Promobit, Russia)
195.3.145.99 195.3.145.99 (RN Data, Latvia)
195.3.147.150 195.3.147.150 (RN Data, Latvia)
198.23.250.142 198.23.250.142 (LiquidSolutions, Bulgaria / ColoCrossing, US)
198.46.157.174 198.46.157.174 (Warfront Cafe LLC, US / ColoCrossing, US)
205.234.204.151 205.234.204.151 (HostForWeb, US)
205.234.204.190 205.234.204.190 (HostForWeb, US)
205.234.253.218 205.234.253.218 (HostForWeb, US)
213.229.69.40 213.229.69.40 (Poundhost, UK / Simply Transit, UK)

5.9.191.160/26
5.45.183.91
5.135.67.208/28
23.19.87.32/29
37.230.112.0/23
46.4.179.64/26
46.37.165.71
46.37.165.104
46.105.162.112/26
62.109.24.0/22
80.67.3.124
80.78.245.0/24
91.220.131.0/24
91.220.163.0/24
94.250.248.0/23
108.170.4.46
109.235.50.213
146.185.255.0/24
149.154.64.0/23
149.154.68.0/23
173.208.164.38
173.234.239.160/27
176.31.191.138
176.31.216.137
184.82.27.12
188.93.210.0/23
188.120.224.0/20
188.165.95.112/28
188.225.33.0/24
192.210.223.101
193.106.28.242
193.169.52.0/23
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40

West, Texas explosion: be on the lookout for malware spam

It took just a day or so for the bad guys to start sending out malware spam about the Boston Marathon, I strongly suspect that we will see the same for the West, Texas explosion within the next 48 hours or so. It's probably worth keeping an eye out for any such spam coming into your organisation and taking the appropriate countermeasures.

Incidentally, the following is the only actual video I have seen so far. I'm sure everybody's thoughts are with the citizens of West and the emergency services who are trying to deal with this awful catastrophe.

Malware sites to block 18/4/13

These malicious domains and IPs are associated with this malware spam run. Block 'em if you can.

5.9.191.179
5.45.183.91
5.135.67.215
5.135.67.217
23.19.87.38
37.230.112.83
46.4.179.127
46.4.179.129
46.4.179.130
46.4.179.135
46.37.165.71
46.37.165.104
46.105.162.112
62.109.24.144
62.109.26.62
62.109.27.27
80.67.3.124
80.78.245.100
91.220.131.175
91.220.131.178
91.220.163.24
94.250.248.225
108.170.4.46
109.235.50.213
146.185.255.97
146.185.255.207
149.154.64.161
149.154.65.56
149.154.68.145
173.208.164.38
173.234.239.168
176.31.216.137
176.31.191.138
184.82.27.12
188.93.211.57
188.120.238.230
188.120.239.132
188.165.95.112
188.225.33.62
188.225.33.117
192.210.223.101
193.106.28.242
193.169.52.144
195.3.145.99
195.3.147.150
198.23.250.142
198.46.157.174
205.234.204.151
205.234.204.190
205.234.253.218
213.229.69.40
19megalife.info
addonsforbacks.com
adoptery.in
advert.app-myups.org
advertslead.com
aegisglow.org
airportfounded.com
alistlinkedins.com
alliedconclusion.org
alwaysvisibleyellowunderlined.biz
amarateredefe.org
amateurxxxtubes.net
ammebala.xxuz.com
annunciohosteddbm.org
anyns.biz
anywayitquerying.biz
apkjava.com
aplombblacktie.biz
appsforcombined.biz
arcadeprinterfriendly.biz
assimilatedaquos.biz
atomemerged.biz
attorneyconversational.com
aujjmpkt.ns02.biz
ayc.rudamalove.ru
b7cb9b6e9.org
ballsperdevice.net
bamesd.biz
barisurroundings.net
bearrecor.com
benefitsonetime.net
bertns.biz
bertolparty.in
beryoncy.in
bikbike.info
billedtestmanager.biz
biros.wikaba.com
bloggerscreencasts.com
bo2mp7.zapto.org
books.amarateredefe.net
bottomrightgrandpa.net
bridgelady.biz
burieslabel.com
businessalbeitclicked.biz
buttomwithouts.info
buttomwithouts.net
buttonskilos.info
buttonskilos.net
carbonitesbalked.biz
cars.catharinawestergaard.com
casperksy.tv
cats.oktoberfestglasses.com
ccxzadhp9.info
cddownloadverbal.biz
cerryon.in
chanchecker.asia
chargingclose.biz
childrendisk.org
chordcrtbased.biz
chvarkovski.info
classifyipchains.biz
clouddocreddit.biz
cmfnwiolos.biz
collagesneat.biz
competingopts.biz
completenessgrandmaster.com
comsilhouette.org
conjecturecrouch.biz
consumerorientedneednt.org
cornucopiacoax.org
crampedhipmunk.com
createrender.net
crowskbsec.org
cryingregister.biz
crysiscore.net
dangersreduce.biz
darlingbranding.biz
darrensuperior.net
dasa.sexxxy.biz
denystreamlining.biz
dfghbrewkja.4dq.com
dispatchingtruly.net
dissources.in
dj1fcc21sdf.net
doma-ns.com
dontraktorsol.com
drilledwantcamera.biz
dugsthirtyodd.org
dynamicdns1.com
dynomitdns.com
efq89.ugliserver.com
entryleveldecrease.biz
envelopesdestined.net
essentiallymonitoringutilities.biz
estimatepick.net
exhibitsgoodfinds.biz
expandedkreds.biz
externallytheres.biz
f1bd4e0f9b.com
feeshiddenstax.info
feeshiddenstax.net
fidgetingmarginal.biz
fingerinass.net
fiteringsworrow.info
fix-ntrade.info
framedknob.biz
frayscratches.net
friendcropped.biz
fullerdrought.org
gabwrenches.biz
gamingtoplevel.net
geogserver.com
giremoji.info
givingshortcoming.biz
g-ns.biz
goodorange.tk
goofyrejoice.biz
google-cache-server.biz
gowebthreats.biz
gramns.biz
greative.in
greentintedparallels.biz
gtbmd.rudamalove.ru
hamapaysite.info
hedsapher.info
hijackerssim.org
hiloocount.pw
hiphopbeatwares.org
hitthemebased.biz
hocutf.org
horrendouslyscrounged.biz
hostfastwow.info
howcalendars.biz
hqnspwbwixjtthrtip.biz
hubtabloid.org
huddlepyro.biz
icjs.ugliserver.com
img.annistonnewcars.net
img.annistonpreowned.net
incantationsbibliographic.biz
incidentallymbr.biz
integritylistens.org
intendsunique.biz
internetsavvyintransit.info
iptcmax.net
iwbshfiiv.freeinfo
iworkemg.org
jikohost.info
journeyprotect.org
joyaftershots.com
jpegincantations.org
justhoverover.biz
justintvfreefall.org
jyke.dasedi.ru
kernelseagles.net
l0ad.me
largestpainton.org
leatherpullquotes.org
liberrtyrreserve.com
libertyrreserve.biz
lightyearinspectorstyle.biz
lionbroadband.org
livedvaudiohow.com
loddos.biz
lonelybuttery.biz
lopinaksof.otzo.com
machinemiss.org
mailmergingsqlplus.biz
managerssellers.biz
maneuveringfanned.biz
mapicompliantreddens.biz
masterworkheir.org
mavericksurrounds.org
maximmiami.biz
meniuslittles.info
meniuslittles.net
microphonessmashes.org
miderneed.pw
midqeuh.freeinfo
mildnecessitated.biz
millionentrystreamlined.biz
minipaysyst.info
mixstudionet.info
mizerviters.info
miznayjob.info
modnudom.info
montanathirdvoice.com
morendofiles.net
moverbeet.info
mozyhometrust.biz
multifacetedloader.biz
mutualtriangle.biz
myfitnesspalpaints.net
myspaceah.biz
namepasswordlu.net
needsmultitasking.biz
new-1controller.org
newpayss.in
newsdaily1.info
newsstandreactivate.org
nightlifetiles.net
nightnesslow.com
nigrianteam.info
nohonestly.biz
notablish.in
nsdoms.com
nsgaryt.biz
organizationallyyourselfa.org
overlapchat.biz
overviewhour.biz
packetrecovery.in
partyharddns.com
pattayasuay.com
paypalkunden-news.org
personaclientserver.biz
phonecarddeadline.biz
platinumxpthe.info
playanewer.biz
playrem.com
plymorfhing.info
poorestpersonnel.org
portfoliocomfox.net
powerpointoverprint.biz
pqkfrbfo.sellclassics.com
pristineplayground.biz
prominentlibraries.net
qacazuza.tk
qqxbik.freeinfo
quickofficesnetmotions.biz
rdfkxtdx.wikaba.com
reasoningframework.com
rebootdollar.biz
reflectingextract.org
renamingisnt.org
rentedvisible.biz
resettingrelocation.biz
retrospectsovertime.com
rippedability.biz
rolodextransient.biz
safelyplayback.biz
samaritanwasting.org
securingcombine.org
seggos.biz
setdatafree.info
shutdowndoubleclicks.net
sixteentrackhow.net
skydrivestoken.biz
spywareanagram.net
sqk.rudamalove.ru
squirrelguide.com
ssmuiudl.ezua.com
statdipped.biz
stolenhoned.biz
stormreining.biz
strangersformbuilding.net
struggledsaves.com
stumpedconsult.biz
suitespecificoffending.net
suptickets.info
surfsoliddiet.biz
surfupfar.net
swiclick.com
systemscomputerfree.org
tddthjsdgnzz.ikwb.com
therteamx.info
threated.itemdb.com
threeapiecebeyondcom.net
throttlestoragebefore.com
thumbtackeffects.biz
t-ns.biz
toolsworkouteven.org
tracescalable.biz
travellingwebcast.com
troue.rudamalove.ru
tuneupsfiletransfer.biz
twicebusinessrelated.net
twittermultimixmedia.net
tysteak.com
ufhjskfvjdjshg.4pu.com
understandingwritten.biz
uponsuburban.biz
venusdrek.info
violettsa.in
visapaysnext.info
vivaitali.info
waysidepursuit.net
webcastengine.biz
webwasherintrinsic.net
widthsquality.biz
workgroupsynchronization.biz
worldtampering.net
wrenchimagepan.biz
youriscktines.info
youriscktines.net
zigmans.in

Wednesday, 17 April 2013

PayPal spam / dialupwily.org

This fake PayPal spam leads to malware on dialupwily.org:

From: service@paypal.com [mailto:criticizea@seneseassociates.com]
Sent: Wed 17/04/2013 18:49
Subject: Receipt for your PayPal payment to Konrad Rotuski

Feb 18, 2013 10:54:32 PDT
Transaction ID: 4F1UGYHLFMRAG1AVY

Hello,

You sent a payment of $149.49 USD to Konrad Rotuski (criticizea@seneseassociates.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.

It may take a few moments for this transaction to appear in your account.

--------------------------------------------------------------------------------

Seller
Konrad Rotuski
criticizea@seneseassociates.com Note to seller
You haven't included a note.
Shipping address - unconfirmed
218 E CHURCH ST
FAYETTEVILLE, TX 09557-2446
United States
 Shipping details
USPS Priority Mail
Description Unit price Qty Amount
TAG Heuer Men's WAU6277.BA3900 Formula 1 White Dial Stainless Steel Watch
Item# 566741455709 $149.49 USD 1 $149.49 USD
 Shipping and handling $0.00 USD
Insurance - not offered ----
Total $149.49 USD
Payment $149.49 USD
Charge will appear on your credit card statement as PAYPAL Konrad Rotuski
Payment sent to criticizea@seneseassociates.com 


Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.


PayPal Email ID PP387

The link in the email goes through a hacked Wordpress site to a malicious landing page at [donotclick]dialupwily.org/closest/incomming_message.php (report here) hosted on 188.225.34.36 (Transit Telecom, Russia). More malware domains to come..

CNN.com Boston Marathon spam / thesecondincomee.com

This Boston Marathon themed spam leads to malware on thesecondincomee.com:

Example 1:

Date:      Wed, 17 Apr 2013 10:32:18 -0600 [12:32:18 EDT]
From:      CNN Breaking News [BreakingNews@mail.cnn.com]
Subject:      Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com   
     
CNN.com    
Powered by    
* Please note, the sender's email address has not been verified.
            
You have received the following link from BreakingNews@mail.cnn.com:    
           
Click the following to access the sent link:
            
Boston Marathon Explosions - Obama Benefits? - CNN.com*
                 
SAVE THIS link     FORWARD THIS link
           
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
     
     
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here

Example 2:

Date:      Wed, 17 Apr 2013 22:32:56 +0600
From:      behring401@mail.cnn.com
Subject:      Opinion: Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com
   
Powered by    
* Please note, the sender's email address has not been verified.
   
You have received the following link from BreakingNews@mail.cnn.com:    
   
Click the following to access the sent link:
   
Boston Marathon Explosions - North Korea trail or Osama Legacy? - CNN.com*
   
Get your EMAIL THIS Browser Button and use it to email content from any Web site. Click here for more information.
       
*This article can also be accessed if you copy and paste the entire address below into your web browser.
by clicking here


The malicious payload is at [donotclick]thesecondincomee.com/news/agency_row_fixed.php hosted on:
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

The recommended blocklist is the same as used in this earlier attack.
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
airtrantran.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko.ru
conficinskiy.ru
confideracia.ru
coretec.pl
cormoviesutki.ru
dailypost.pl
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
elmara.ru
excuticoble.ru
fenvid.com
freedblacks.net
fxtv.pl
gardeningexplains.biz
gatoversignie.ru
hurienothing.ru
independinsy.net
janefgort.net
klosotro9.net
miniscule.pl
nulio.ru
programcam.ru
ricepad.net
seantit.ru
securitysmartsystem.com
techzoom.pl
thesecondincomee.com

BBB Spam / freedblacks.net

Another BBB spam run today, although this time not an RU:8080 spam we saw earlier but an "Amerika" spam run instead. Interestingly, both mis-spell "Beareau" which indicates they are using the same software, even if they are different gangs. The link in the email leads to malware on freedblacks.net.

Date:      Wed, 17 Apr 2013 21:20:20 +0800 [09:20:20 EDT]
From:      BBB [bridegroomc@m.bbb.org]
Subject:      Better Business Beareau accreditation Cancelled P5088819
Case No. P5088819

Respective Owner/Responsive Person:

The Better Business Bureau has been registered the above said claim letter from one of your users as regards their business contacts with you. The information about the consumer's worry are available for review at a link below. Please pay attention to this issue and inform us about your sight as soon as possible.

We amiably ask you to click and review the APPEAL REPORT to respond on this claim letter. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-02111671

If you think you recieved this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.
Sincerely,

Ian Wilson - Online Communication Specialist

bbb.org - Start With Trust

The link goes to a legitimate hacked site and then to a malicious landing page at [donotclick]freedblacks.net/news/agency_row_fixed.php (report here) hosted on the following IPs:


65.34.160.10 (Comcast, US)
94.249.206.117 (GHOSTnet, Germany)
155.239.247.247 (Centurion Telkom, South Africa)
173.234.239.60 (Nobis Technology Group, US)

Blocklist:
65.34.160.10
94.249.206.117
155.239.247.247
173.234.239.60
airtrantran.com
basic-printers.com
bbb-complaint.org
buyersusaremote.net
condalinaradushko.ru
conficinskiy.ru
confideracia.ru
coretec.pl
cormoviesutki.ru
dailypost.pl
dataprocessingservice-alerts.com
dataprocessingservice-reports.com
dyntic.com
elmara.ru
excuticoble.ru
fenvid.com
freedblacks.net
fxtv.pl
gardeningexplains.biz
gatoversignie.ru
hurienothing.ru
independinsy.net
janefgort.net
klosotro9.net
miniscule.pl
nulio.ru
programcam.ru
ricepad.net
seantit.ru
securitysmartsystem.com
techzoom.pl
thesecondincomee.com



BBB Spam / janariamko.ru

After a few quiet days on the RU:8080 spam front it has started again..

Date:      Wed, 17 Apr 2013 20:18:14 +0800
From:      "Better Business Bureau" [guttersnipeg792@ema1lsv100249121.bbb.org]
Subject:      Better Business Beareau accreditation Terminated 64A488W04

    Case N. 64A488W04

Respective Owner/Responsive Person:

The Better Business Bureau has been filed the above said reclamation from one of your clients with reference to their business relations with you. The information about the consumer's trouble are available at the link below. Please give attention to this matter and communicate with us about your opinion as soon as possible.

We graciously ask you to visit the COMPLAINT REPORT to respond on this reclamation. Click here to be taken directly to your report today:
http://www.bbb.org/business-claims/customercare/report-65896564

If you think you got this email by mistake - please forward this message to your principal or accountant

We are looking forward to your prompt answer.

Looking for info on additional ways your BBB Accreditation can boost your business? Visit the BBB SmartGuide.

Sincerely,

Gabriel Reyes - Online Communication Specialist

bbb.org - Start With Trust
The malicious payload is at [donotclick]janariamko.ru:8080/forum/links/public_version.php (report here) hosted on the following IPs:
91.191.170.26 (Netdirekt, Turkey)
93.187.200.250 (Netdirekt, Turkey)
208.94.108.238 (Fibrenoire, Canada)

Blocklist:
91.191.170.26
93.187.200.250
208.94.108.238
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
ixxtigang.ru
izjianokr.ru
iztakor.ru
jamtientop.ru
janariamko.ru
janasika.ru
jindiank.ru
jubakupra.ru
judianko.ru
juhajuhaa.ru
juliamanako.ru
juliaroberzs.ru
jundaio.ru

"Boston Marathon" spam / askmeaboutcctv.com

This pretty shameful Boston marathon themed spam leads to malware on askmeaboutcctv.com:

Sample 1:

From: Graham Jarvis [mailto:alejandro.alfonzo-larrain@tctwest.net]
Sent: 17 April 2013 09:49
Subject: Video of Explosion at the Boston Marathon 2013

hxxp:||61.63.123.44/news.html
Sample 2:

From: Sally Rasmussen [mailto:artek33@risd.edu]
Sent: 17 April 2013 09:49
To: UK HPEA 2
Subject: Aftermath to explosion at Boston Marathon

hxxp:||190.245.177.248/news.html
(Note that the payload links have been lightly obfuscated, don't click them).

If you click the link you see a set of genuine YouTube videos. However, the last one seems blank because it is in fact a malicious IFRAME to [donotclick]askmeaboutcctv.com/wmiq.html  (report here) which appears to be on a legitimate but hacked site. The server seems to be overloaded at the moment which is a good thing I suppose.



Some more sample subjects and links:
Subject: Video of Explosion at the Boston Marathon 2013
Subject: Aftermath to explosion at Boston Marathon
Subject: Explosion at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: 2 Explosions at Boston Marathon

[donotclick]46.233.4.113/boston.html
[donotclick]37.229.92.116/boston.html
[donotclick]188.2.164.112/news.html
[donotclick]109.87.205.222/news.html

I would advise blocking these IPs and domains. Be vigilant against this kind of attack, also bear in mind that the bad guys might try to exploit Margaret Thatcher's funeral and the London Marathon in the same way.

Tuesday, 16 April 2013

Disgraceful Arif Khan / Mak Media spam

For some time now I've been plagued with spam that looks like this:

Date:      Tue, 16 Apr 2013 09:11:37 -0400
From:      "Mesothelioma"
To:      [redacted]
Subject:      Learn The Link Between Asbestos and Mesothelioma

5670242064119134040....02158166418942886316dc91aae549f7.02158166418942886316dc91aae549f7.5670242064119134040..02158166418942886316dc91aae549f7.. 33100457.5670242064119134040..02158166418942886316dc91aae549f7.5670242064119134040..

Learn The Link Between Asbestos and Mesothelioma

Rebosiet riwan ducufaf. 02158166418942886316dc91aae549f7 Rire ti 5670242064119134040 sasah 33100457 totetes 33100457 tela. 33100457 Woc 02158166418942886316dc91aae549f7 esic 02158166418942886316dc91aae549f7 sew 02158166418942886316dc91aae549f7 se 02158166418942886316dc91aae549f7 icin 02158166418942886316dc91aae549f7 icat 33100457 worag 33100457 ne 02158166418942886316dc91aae549f7 tedit 33100457 kodu. 02158166418942886316dc91aae549f7 Eca cehag 33100457 kose. 02158166418942886316dc91aae549f7 Adodiner 5670242064119134040 nure 33100457 bebose aleri ira 02158166418942886316dc91aae549f7 malitu noharie ituror [this crap goes on and on to try to get past spam filters]
The spam is on a variety of topics, but one thing that makes me cross is seeing spam on this particular topic. Why? Well, this particular illness is linked to many high-paying lawsuits, and as a result advertisers can pay out a surprising amount of cash per click estimated here to be worth over $80 for some individual clicks. But in this case, they will be essentially worthless clicks to the advertiser. And who ends up paying for these worthless clicks? Well, ultimately the costs get extracted from the sufferers of this illness from their settlements.

There are three parties involved in this scam. Working backwards, the ads displayed on the landing page are run by Google, the landing page itself is owned by an outfit called Adilizer.com who claim to be based in Texas. But the spamming itself seems to be the work of one Arif Khan who is the CEO of an Indian company called Mak Media.

Let's look at when clicking on the link on that spam gets us..
hxxp:||rng172.fuldbate.us/2437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rng172.fuldbate.us/98F22437a38863ab64aa3397118536dc91aae549f7
leads to
hxxp:||rk3231.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||obmedia.com/m/ec.php?k=651&kc=78236&ks=0&pc=547&tt=1&t1=yogesh&t2=&t3=&t4=&u=&u2=
leads to
hxxp:||www.myown-big-find-tool.com/

The domains myown-big-find-tool.com, obmedia.com and rk3231.com belong to Adilizer and look like they could be some sort of affiliate link. So, we can perhaps assume that Adilizer are not directly responsible for the spam.

The domain fuldbate.us is owned by Arif Khan, and rng172.fuldbate.us is hosted on 198.84.76.172 which is where this spam originates. These are the pertinent WHOIS details for the domain:

Registrant ID:                               FF70EC5B09E3DC10
Registrant Name:                             Arif Khan
Registrant Organization:                     Gravity Media
Registrant Address1:                         Bhopal
Registrant Address2:                         Bhopal
Registrant City:                             Bhopal
Registrant State/Province:                   MP
Registrant Postal Code:                      462001
Registrant Country:                          India
Registrant Country Code:                     IN
Registrant Phone Number:                     +91.9425677527
Registrant Email:                            praveen.shukla4015@gmail.com
Registrant Application Purpose:              P1


"Gravity Media" may or may not exist, but domain WHOIS details are easy to fake. But if we look at who the IP address is allocated to then we can see a bit more information.

%rwhois V-1.5:003fff:00 rwhois.hostwinds.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:Hostwinds Block-198.84.76.172/32
network:Auth-Area:198.84.76.172/32
network:Network-Name:Mak Media Network
network:IP-Network:198.84.76.172/32
network:IP-Network-Block:198.84.76.172 - 198.84.76.172
network:Customer Organization:Mak Media
network:Customer Address;I:Plot N0 4 , Kerma Tower
network:Customer City;I:BHopal
network:Customer State/Province;I:Madhya Pradesh
network:Customer Postal Code;I:462001
network:Customer Country Code;I:IN
network:Organization;I:Hostwinds LLC
network:Tech-Contact;I:abuse@hostwinds.com
network:Admin-Contact;I:abuse@hostwinds.com
network:Abuse-Contact;I:abuse@hostwinds.com


This reveals the apparently genuine organisation of Mak Media, of which Arif Khan is CEO according to his LinkedIn page. Note that there are several companies of a similar name, but this one seems to be based in Bhopal.


To quote Mr Khan, his background is of:
Intense drive and overachieving mentality with a track record of consistently meeting and exceeding goals. Dedicated work ethic, and intense desire to succeed in achieving an aggressive career and financial growth.

Specialties: Email Marketing, lead generation,database management, email marketing, list management, Email Monetization, Affiliate Marketer!!
In other words, he takes advantage of India's non-existent spam laws and blasts as many mailboxes as he can with crappy affiliate links.

But the spam doesn't come from just one domain and IP. Arif Khan uses hundreds of throwaway .us addresses and multiple IPs. These are the ones I have seen in the past week:
fuldbate.us
excrep.us
buidep.us
xlitisew.us
trunalk.us
ryismeth.us
fjouck.us
duptous.us
certious.us
grembing.us
bablump.us
ghtchity.us
fluitice.us
fjoutte.us
cabatki.us
asatuary.us
echead.us
brooto.us
falert.us
eurness.us
djasynt.us
abubcum.us
emenger.us
ograst.us
hapric.us

Each one comes from a different IP address in the 198.84.76.0/24 range suballocated from Hostwinds to Mak Media. But there's something weird, because Hostwinds haven't allocated a 256-address /24 block at all.. they've allocated 256 /32 blocks of a single IP address each. This is presumably a trick to make sure that the whole /24 range doesn't get blacklisted at once.

If you are plagued with this spam and have the capability to do so, block all incoming email from and web traffic to 198.84.76.0/24 and it should effectively block it for now. And reporting any spam to abuse -at- hostwinds.com will probably do no harm.. although I suspect it will do little good.


"Fiserv Secure Email Notification" spam

This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.


From: Fiserv Secure Notification [mailto:secure.notification@fiserv.com]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification - CC3DK9WJW8IG0F5


You have received a secure message

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.


The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)

Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13

Friday, 12 April 2013

MS13-036 buggy, withdrawn

Uh-oh.. looks like the reports of problems with MS13-036 were correct.



********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: April 11, 2013
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS13-036 - Important
  * MS13-apr


Bulletin Information:
=====================

* MS13-036 - Important

 - Reason for Revision: V2.0 (April 11, 2013): Added links to
   Microsoft Knowledge Base Article 2823324 and Microsoft Knowledge
   Base Article 2839011 under Known Issues. Removed Download Center
   links for Microsoft security update 2823324. Microsoft recommends
   that customers uninstall this update. See the Update FAQ for
   details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Bulletin Severity Rating: Important
 - Version: 2.0

* MS13-apr

 - Reason for Revision: V2.0 (April 11, 2013): For MS13-036,
   removed the links to security update 2823324 due to a known
   installation issue. See bulletin for details.
 - Originally posted: April 9, 2013
 - Updated: April 11, 2013
 - Version: 2.0


Other Information
=================

Follow us on Twitter for the latest information and updates:

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://technet.microsoft.com/security/bulletin/pgp.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://technet.microsoft.com/security/dd252948.


********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

To manage or cancel your subscription to this newsletter, visit the Microsoft.com Profile Center at <http://go.microsoft.com/fwlink/?LinkId=245953> and then click Manage Communications under My Subscriptions in the Quicklinks section.

For more information, see the Communications Preferences section of the Microsoft Online Privacy Statement at:

For the complete Microsoft Online Privacy Statement, see:

For legal Information, see:

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

Thursday, 11 April 2013

UPS spam / juliamanako.ru

This fake UPS spam leads to malware on juliamanako.ru:

Date:      Thu, 11 Apr 2013 11:58:33 -0300 [10:58:33 EDT]
From:      Aida Tackett via LinkedIn [member@linkedin.com]
Subject:      United Postal Service Tracking Nr. H9544862721

Your USPS CUSTOMER SERVICES for big savings! Can't see images? CLICK HERE.
UPS - UPS Customer Services
UPS UPS SUPPORT 56
UPS - UPS MANAGER 67 >>
UPS - UPS SUPPORT 501

Already Have
an Account?

Enjoy all UPS has to offer by linking your My UPS profile to your account.
Link Your
Account Now >>

UPS - UPS Customer Services
Good day, [redacted].

DEAR CONSUMER , We were not able to delivery the postal package

Track your Shipment now!

Pack it. Ship ip. No calculating , UPS .com Customer Services.


Shipping Tracking Calculate Time & Cost Open an Account

@ 2011 United Parcel Service of America, Inc. USPS Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS .COM marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

USPS Services, 04 Glenlake Parkway, NE - Atlanta, GA 30324
Attn: Customer Communications Department
The link goes through a legitimate hacked site to a malicious landing page at [donotclick]juliamanako.ru:8080/forum/links/column.php hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamtientop.ru
janasika.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
juliamanako.ru
jundaio.ru

"Spotlite Radio" / spotliteradio2013.com spam

This spam email is promoting an apparent Whos' Who scam hosted on a site called spotliteradio2013.com which purports to be an organisation called "Spotlite Radio". The email is sent to a role account, not a real human being.. marking it out clearly as spam.

From:     Patricia Wu [darin@contacteagle.info]
Reply-Ro:     databaseemailergroup@gmail.com
Date:     11 April 2013 03:42
Subject:     SUPERCHARGE YOUR ONLINE LIFE WITH SPOTLITE RADIO!

Hello,

You were recently chosen as a potential candidate interviewee to represent your professional social media community in the 2013-2014 Spotlite Radio.

We are pleased to inform you that your candidacy was formally approved on April 10th, 2013. Congratulations.

The Social Broadcasting Committee selects potential candidates based not only upon their current standing, but focusing as well on criteria from executive and professional directories, associations, and trade journals. Given your background, the Director believes your profile makes a fitting addition to be featured.

There is no fee or obligation to be included. We must receive verification from you that your profile is accurate. After receiving verification, we will validate your candidate listing within seven business days.

Once finalized, your broadcast radio interview will share prominent media space with thousands of fellow accomplished individuals across the globe like yourself, each representing accomplishments within their own specialized area.

To verify your profile and accept the candidacy, please visit here

Our registration deadline for this year's candidates is April 30th. To ensure you are included, we must receive your verification on or before this date. On behalf of our Committee, I salute your achievements this year and look forward to welcoming you to our broadcast social network.

Click here to verify your profile.

Warm Regards,

Patricia Wu
Chief of Broadcasting

Spotlite Radio

-----------------------------------------

This email is intended only for the recipient(s) and is private.
If you receive our invitation in error please reply with unsubscribe in the subject line

It isn't clear if the "Spotlite Radio" hosted at spotliteradio.com (currently down) and spotliteradio2013.com are actually related. spotliteradio.com was only registered a few months ago in September 2012 and according to New York State is owned by:

Selected Entity Name: SPOTLITE RADIO LLC
Selected Entity Status Information
Current Entity Name: SPOTLITE RADIO LLC
DOS ID #: 4306578
Initial DOS Filing Date: OCTOBER 11, 2012
County: NEW YORK
Jurisdiction: NEW YORK
Entity Type: DOMESTIC LIMITED LIABILITY COMPANY
Current Entity Status: ACTIVE

Selected Entity Address Information
DOS Process (Address to which DOS will mail process if accepted on behalf of the entity)
SPOTLITE RADIO LLC
14 WALL STREET 20TH FL
NEW YORK, NEW YORK, 10005
Registered Agent
NONE

So this "Spotlite Radio" is properly registered in the state of New York, and it appears to be a sort of social radio site where people can make and broadcast their own shows.  There's nothing obvious on the spotliteradio.com website that makes it look suspicious, although judging by the dormant Twitter account the whole thing ground to a halt in February.

So what can we tell about the spam? Well, spotliteradio2013.com contains Google Analytics code for UA-3676294-22 which belongs to a New York web design company called Webnbeyond (webandbeyond.com / webnbeyond.com) but they may simply be the web designers. All these domains are on the same server of 66.11.129.87.

The email originates from the IP address 70.126.247.237 which appears to be in Tampa, Florida via 192.217.124.43 which is also contacteagle.info (mentioned in the spam email above), registered to:
Registrant ID:CR121682219
Registrant Name:Darin Delia
Registrant Organization:
Registrant Street1:1321 Henry Ave
Registrant Street2:
Registrant Street3:
Registrant City:Spring Hill
Registrant State/Province:Florida
Registrant Postal Code:34608
Registrant Country:US
Registrant Phone:+1.5615964330
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:


Spring Hill is about 40 miles north of Tampa, so there's a good chance that the originating IP and domain belong to one and the same person.

Darin Delia runs a Florida-based company called Contact Page Media, Inc and this is described on his LinkedIn page thusly:
We use Google Search Technology to reach Contact Pages on your Business Targeted Market. We reach thousand of websites per hour using our software, and we have the capabilitity to reach the unique target you just cannot find with email
What this means is that they scrape the email addresses off the web and spam the hell out of them. You'll note that the spam email lacks a contact address (for example) which breaks the CAN-SPAM act. Note also the email address of  Patricia Wu [darin@contacteagle.info] which is either somewhat deceptive, or perhaps Mr Delia likes to be Ms Wu at the weekends. But then probably Mr Delia is only sending promotional emails rather than running the scam.

The privacy policy page on spotliteradio2013.com leads to another site called mywhoswhonetwork.com registered to an address in Texas:

   Whos Who Network
   John Williams (webmaster@mywhoswhonetwork.com)
   +1.8084524561
   Fax:
   2172 Willshire
   College Station, TX 77845
   US

This same company also owns the following domains:
  • americanleadersmagazine.com
  • globalregistryonline.com
  • mywhoswhonetwork.com
  • professionalnetwork2012.com
  • professionalnetwork2013.com
  • pronetwork2012.com
  • taxadvice2day.com
But a hyperlink from one domain to another does not prove ownership, and the privacy policy could simply have been ripped off a competitor's site. So no smoking gun there. In fact, there's no actual evidence of who is responsible for this spam, and probably all we have are some innocent bit part actors.

I can't vouch for the trustworthiness of the actual Spotlite Radio (spotliteradio.com) site one way or another. One the surface it appeared to be a public-access web radio service, and there's nothing wrong with that. As I said, this spam may not even be from them. But it clearly is a spam because the domain role account is not an actual person and the claims made in the spam email are clearly rubbish.

So what does happen if you sign up for this. Well, according to this report they charge you $850 for a worthless plaque and an entry in a pseudo-who's-who guide,:
It was a pleasure speaking with you this morning. Confirming your show date is on January 9th at 3pm EDT. Attached is the invoice for your purchase of the Spotlite Radio Show,Distinguished professional of the year plaque and a half page biography in our 2013 book. If you could sign and send back to us, but make sure you keep a copy for your records as well. This is just confirming that you made a partial payment and were going forward with the program. Once we have your pre interview done for your upcoming show I will be sending you the links to the website. Hope you have a great week and I look forward to speaking with you soon. Call in number is XXXXX -Amanda Lynn 
In other words.. here's some crap. If you record your show then well send you the URL for spotliteradio.com and you can upload it yourself. Best avoided in my opinion.





Changelog spam / juliaroberzs.ru

This spam leads to malware on juliaroberzs.ru:

Date:      Thu, 11 Apr 2013 02:46:13 +0100
From:      Mayola Phipps via LinkedIn [member@linkedin.com]
Subject:      Re: changelog UPD.
Attachments:     changelog.htm

Good morning,

as promised changelog is attached (Internet Explorer format)



The attachment changelog.htm leads to a malicious landing page at [donotclick]juliaroberzs.ru:8080/forum/links/column.php  (report here) hosted on some familiar IPs:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
janasika.ru
jonahgkio.ru
judianko.ru
judianko.ru
juhajuhaa.ru
juhajuhaa.ru
juliaroberzs.ru
jundaio.ru

Wednesday, 10 April 2013

"Verizon Wireless" spam / jamtientop.ru

This fake Verizon Wireless spam leads to malware on jamtientop.ru:

Date:      Wed, 10 Apr 2013 01:14:51 +0100 [04/09/13 20:14:51 EDT]
From:      DorianBottom@hotmail.com
Subject:      Verizon Wireless

IMPORTANT ACCOUNT NOTE FROM VERIZON WIRELESS.
Your acknowledgment message is issued.

Your account No. ending in 1332

Dear Client

For your accommodation, your confirmation letter can be found in the Account Documentation desk of My Verizon.

Please browse your informational message for more details relating to your new transaction.


Open Information Message

In addition, in My Verizon you will find links to information about your device & services that may be helpfull if you looking for answers.

Thank you for joining us.     My Verizon is laso works 24 hours 7 days a week to assist you with:

    Viewing your utilization
    Upgrade your tariff
    Manage Account Members
    Pay for your bill
    And much, much more...


© 2013 Verizon Wireless
Verizon Wireless | One Verizon Way Mail Code: 113WVC | Basking Ridge, MI 87325

We respect your privacy. Please browse our policy for more information

The link goes to a hacked legitimate site to a malicious landing page at [donotclick]jamtientop.ru:8080/forum/links/column.php (report here) hosted on:
91.191.170.26 (Netdirekt, Turkey)
185.5.185.129 (Far-Galaxy Networks, Germany)
188.65.178.27 (Melbourne Server Hosting, UK)

Blocklist:
91.191.170.26
185.5.185.129
188.65.178.27
ifikangloo.ru
ifinaksiao.ru
ighjaooru.ru
igionkialo.ru
ijsiokolo.ru
illuminataf.ru
imanraiodl.ru
itriopea.ru
ivanikako.ru
izamalok.ru
izjianokr.ru
iztakor.ru
jamiliean.ru
jamtientop.ru
jonahgkio.ru
judianko.ru
juhajuhaa.ru
jundaio.ru