
Thursday, 16 May 2013

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:     Wallmart.com [deviledm978@news.wallmart.com]
Date:     16 May 2013 14:02
Subject:     Thanks for your Walmart.com Order 3795695-976140

Walmart    
Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    
   

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
   

Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
       
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com


Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
   
©Walmart.com USA, LLC, All Rights Reserved.

The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characteristic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara  ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350


Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35

"Invoice Copy" spam / invoice copy.zip

This fake invoice email contains a malicious attachment:

Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From:      Karen Parker [Kk.parker@tiffany.com]
Subject:      invoice copy

Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker
The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45 and indicate that this is a Zbot variant.

The Comodo CAMAS report indicates that the malware seems to be rummaging through address books and gives the following characteristics:

Size: 331776
MD5: ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1: a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256: 4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

The ThreatExpert report and Anubis report are pretty inconclusive. The ThreatTrack report is nicely detailed and gives some details about network connections which I haven't had a chance to analyse yet.

As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat.



Wednesday, 15 May 2013

ADP spam / outlookexpres.net

This fake ADP spam leads to malware on outlookexpres.net:


Date:      Wed, 15 May 2013 22:39:26 +0400
From:      "donotreply@adp.com" [phrasingr6@news.adpmail.org]
Subject:      adp_subj


ADP Instant Warning

Report #: 55233

Respected ADP Client May, 15 2013

Your Processed Transaction Report(s) have been uploaded to the website:

Sign In here

Please see the following information:

• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).

• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.

This email was sent to existing users in your company that access ADP Netsecure.

As every time, thank you for using ADP as your business affiliate!

Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres.net/news/estimate_promising.php (report here) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

Blocklist:

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.

The following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can; otherwise the domains I can find are listed below:



Facebook spam / otophone.net

This fake Facebook spam leads to malware on otophone.net:

Date:      Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From:      Facebook [notification+LTFS15RDTR@facebookmail.com]
Subject:      Jonathan Rogers wants to be friends on Facebook

facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook.
   
Jonathan Rogers
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
   
See All Requests
This message was sent to dynamoo@spamcop.net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303
The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone.net/news/appreciate_trick_hanging.php (report here) hosted on the following IPs:

36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)


The WHOIS details are characteristic of the "Amerika" series of malware spams.
    MURNANE, LARRY  samyidea@yahoo.com
    690 West B
    SAN DIEGO, CA 92101
    US
    +1.8588695411


Blocklist:

Tuesday, 14 May 2013

Something evil on 94.242.198.16

I'm not entirely sure what this is. I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxembourg) which is using various stealth techniques to avoid detection.

This is what I'm seeing: code is getting injected into sites, referring to [donotclick]fryzjer.me/hpoxqnj.php (report) or [donotclick]stempelxpress.nl/vechoix.php (report), which (if called in the correct way) tries to forward the victim to [donotclick]ice.zoloni-kemis.info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis.info/lifym?ftypyok=947645, hosted on 94.242.198.16.

VirusTotal reports this as a bad IP, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site uses several subdomains of the following domains. I would recommend the following blocklist:
94.242.198.16
integrate-koleiko.com
integrate-koleiko.org
integrate-koleiko.net
muroi-uroi-loi.info
muroi-uroi-loi.org
muroi-uroi-loi.net
zoloni-kemis.info

Subdomains spotted include:

Bank of America spam / RECEIPT428-586.doc

This fake Bank of America message has a malicious Word document attached:

Date:      Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject:      Your transaction is completed

Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved 

The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack. VirusTotal detections stand at just 11/46.

Monday, 13 May 2013

"Confidential - Secure Message from AMEX" spam / SecureMail.zip

This fake Amex email has a malicious attachment:

Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From:      American Express [Jarvis_Randall@aexp.com]
Subject:      Confidential - Secure Message from AMEX    

Secure Message
                   
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.

Note: The attached file contains encrypted data.

If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,
American Express

2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail.exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46.

Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim.com on 212.58.4.13 (DorukNet, Turkey).

Size: 137216
MD5: 20de8bad8bf8279e4084e9db461bd140
SHA1: caacc00d68f41dad9b1abb02f9e243911f897852
SHA256: 18e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7

The ThreatTrack report also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it. Update: the ThreatExpert report also shows a connection to 116.122.158.195 (Hanaro Telecom, Korea) which is probably also worth blocking.

Blocklist:
mail.yaklasim.com
212.58.4.13
62.233.104.156
116.122.158.195
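Both the "invoice copy.zip" post above and this one end with the same advice: block EXE-in-ZIP at the perimeter. Here is an added example of what that check looks like in practice (my own code, not anything from the original posts or from the tools they cite): it opens a ZIP attachment, flags members with an executable extension, and also flags members whose bytes start with a PE header even though the name claims to be a document or spreadsheet, which is exactly the icon-disguise trick both samples used. The archive it scans is constructed in memory; the member names and bytes are made up.

```python
"""Flag ZIP attachments that carry a Windows executable ("EXE-in-ZIP").

Added example, not code from the original posts. The sample archive is
constructed in memory; the member names and bytes are made up.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly on double-click.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi",
}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate more than this per member


def _looks_like_pe(head: bytes) -> bool:
    """A PE executable starts with the DOS stub magic 'MZ'."""
    return head[:2] == b"MZ"


def scan_zip_attachment(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of the ZIP in `data`.

    A member is flagged when its name ends in an executable extension, or
    when its first bytes are a PE header under a non-executable name (the
    renamed-EXE case). Encrypted members cannot be inspected, so they are
    flagged as well; a perimeter filter has to decide what to do with them.
    """
    findings: List[Dict[str, object]] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"member": None, "reason": "not a valid ZIP archive"}]
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
            reasons.append("encrypted member, content cannot be inspected")
        elif info.file_size <= MAX_MEMBER_BYTES:
            with archive.open(info) as fh:
                head = fh.read(2)
            if _looks_like_pe(head) and ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE header (MZ) under a non-executable name")
        else:
            reasons.append("member too large to inspect")
        if reasons:
            findings.append({"member": name, "reason": "; ".join(reasons)})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: an .exe named like an invoice, a renamed
    executable posing as a PDF, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fake PE: MZ magic plus filler. Not a real program.
        fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"
        z.writestr("invoice copy.exe", fake_pe)
        z.writestr("statement.pdf", fake_pe)   # renamed executable
        z.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        print(f"{f['member']!r}: {f['reason']}")
```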

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach, else I would recommend blocking all the domains that are being abused:


The full list of malicious domains that I can find is below, although I would not expect it to be comprehensive:

Friday, 10 May 2013

Something evil on 151.248.123.170, Part IV

Here are some additional malicious domains from a very evil malware server on 151.248.123.170 (Reg.ru, Russia). Previous lists (and background details) can be found here, here and here, or you can download a full list of everything that I can find here [.txt]. This server is currently being used as the payload for injection attacks. Blocking the IP address is the obvious solution, or you could block the Dynamic DNS domains listed here.


Thursday, 9 May 2013

Experiment: There may be confidential content in your search results. Please do not share outside Google.

Well.. this is a weird thing to see when searching YouTube..


"Experiment: There may be confidential content in your search results. Please do not share outside Google." Yeah, I think something went a bit wrong there..

Citibank spam / Statement ID 64775-4985.doc

This fake Citibank spam contains a malicious Word document that leads to malware.

Date:      Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From:      CITIBANK [noreply@citybank.com]
Subject:      Merchant Statement

Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 
The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46. It appears to exploit a flaw in the RTF converter. I'm not altogether sure which flaw it is, but making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate this sort of threat.

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158 aka MS12-027.


Wednesday, 8 May 2013

Amazon.com spam / ehrap.net

This fake Amazon spam leads to malware on ehrap.net:

Date:      Tue, 7 May 2013 22:54:26 +0100 [05/07/13 17:54:26 EDT]
From:      "Amazon.com" [drudgingb50@m.amazonmail.com]
Subject:      Your Amazon.com order confirmation.

Thanks for your order, [redacted]!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:

E-mail Address:  [redacted]
Billing Address:
216 CROSSING CRK N
GAHANNA
United States
Phone: 1-747-289-5672

Order Grand Total: $ 53.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     I12-4392835-6098844
Subtotal of items:     $ 53.99
    ------
Total before tax:     $ 53.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 3.99
    ------
Total for this Order:     $ 53.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
Mockingjay (The Final Book of The Hunger Games) [Kindle Edition] $ 53.99
Sold By: Random House Digital, Inc.
Give Kindle books to anyone with an e-mail address - no Kindle required!

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.

Amazon.com
Earth's Biggest Selection

Prefer not to receive HTML mail? Click here
The link in the email goes through a legitimate hacked site and ends up on [donotclick]ehrap.net/news/days_electric-sources.php (report here) hosted on (or with nameservers on) the following IPs:
85.41.88.24 (Telecom Italia, Italy)
98.210.212.79 (Comcast, US)
140.121.140.92 (TANet, Taiwan)
178.175.140.185 (Trabia-Network, Moldova)
197.246.3.196 (The Noor Group, Egypt)
216.70.110.21 (Media Temple, US)

The domains involved indicate that this is the gang behind what I call the Amerika series of spam emails.

Blocklist:

Tuesday, 7 May 2013

Something evil on 151.248.123.170, Part III

I've covered 151.248.123.170 (Reg.ru, Russia) a couple of times in the past month [1] [2], and it's still actively pushing out malware via dynamic DNS domains, many of which are injection attacks on hacked sites.

There are hundreds or possibly thousands of malicious domains on this IP. Blocking them individually is likely to be problematic; the best approach is to block all traffic to 151.248.123.170 or to the Dynamic DNS domains involved, although this might potentially block access to some legitimate sites.

These are the Dynamic DNS domains being abused (you should consider blocking them in my opinion):

These are the domains that I can detect on the IP, but there are probably many, many more.

Monday, 6 May 2013

Wanted: Seer. To work on Åland.. wherever that is.

This made me chuckle:

Åland, incidentally, is a pretty interesting place if you know your history: it has its own internet TLD of .ax despite being part of Finland, and everyone there speaks Swedish. Frankly, if there's a place where you might actually find a seer, then Åland is it.

Anyway, if living on a Swedish-speaking, demilitarised, neutral island near Finland appeals to you and you can predict the future, then you can find the job application here.


Friday, 3 May 2013

Something evil on 173.255.200.91

173.255.200.91 (Linode, US) is exhibiting the characteristics of the Neutrino Exploit Kit (see URLquery and VirusTotal reports). Attempts to analyse the malware seem to be generating 404 errors, but this could simply be a defensive mechanism by the malware on the server.

I can see the following domains on the server; the ones flagged by Google for malware are highlighted. However, I would recommend blocking all domains on this server, or simply blocking the IP address.


The malicious domains appear to be registered to the same person, but as the email address seems to bear no relation to the person's name, the details may well be fake:
owner-name: Hans Funfell
owner-address: Mohrenstrasse 55
owner-city: Berlin
owner-state: DE
owner-country: DE
owner-postcode: 10117
owner-telephone: +49.89789200
owner-fax:
owner-email: jowiams779@gmail.com


A quick bit of Googling came up with exactly zero people called "Hans Funfell" (of course if you do it now there will be a match..)

Thursday, 2 May 2013

A look at the wonderful, weird world of retro phones

How many of these do you remember?

Somewhere in my collection I actually have a Motorola ROKR E1, the disastrous result of a joint venture between Apple and Motorola. There's also a Nokia 9300i, Nokia 770, Nokia 7380 and Nokia N91. Yeah.. I own a lot of phones. Quite a lot of them are weird.

These were the days before the iPhone and Android, where the biggest smartphone fight was still between Microsoft and the all-powerful Nokia. But most people had old-fashioned dumbphones instead.. a lot of which were clamshells. Do you remember them?


LinkedIn spam / guessworkcontentprotect.biz

This fake LinkedIn email leads to malware on guessworkcontentprotect.biz:

From:     LinkedIn Invitations [giuseppeah5@mail.paypal.com]
Date:     2 May 2013 16:49
Subject:     LinkedIn inviation notificaltion.
   
LinkedIn
This is a note that on May 2, Lewis Padilla sent you an invitation to join their professional network at LinkedIn.
Accept Lewis Padilla Invitation
   
On May 2, Lewis Padilla wrote:

> To: [redacted]
>
> I'd like to join you to my professional network on LinkedIn.
>
> Lewis Padilla    
   
You are receiving Reminder emails for pending invitations. Unsubscribe.
© 2013 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA. 
The malicious payload is at [donotclick]guessworkcontentprotect.biz/news/pattern-brother.php (report here) hosted on:
82.236.38.147 (PROXAD Free SAS, France)
83.212.110.172 (Greek Research and Technology Network, Greece)
130.239.163.24 (Umea University, Sweden)
203.190.36.201 (Kementerian Pertanian, Indonesia)

Blocklist:

"Your Wire Transfer 07532312 canceled" spam / Receipt on payment ID758-34.exe

This spam message has a malicious attachment:

Date:      Thu, 2 May 2013 03:01:38 +0400 [05/01/13 19:01:38 EDT]
From:      Federal Reserve [alerts@federalreserve.gov]
Subject:      Your Wire Transfer 07532312 canceled

The Wire transfer , recently sent from your bank account , was not processed by the FedWire.
Transfer details attached to the letter.
This service is provided to you by the Federal Reserve Board. Visit us on the web at website
To report this message as spam, offensive, or if you feel you have received this in error, please send e-mail to email address including the entire contents and subject of the message. It will be reviewed by staff and acted upon appropriately 
There is an attachment PAYMENT RECEIPT 01-05-2013.zip which in turn contains the malicious executable Receipt on payment ID758-34.exe, which Comodo CAMAS reports as having the following checksums:
MD5: 652d9919b209562bc8bb79b34e3af47d
SHA1: cb90c55378366d3e8633ee1ea69f02f9e66da722
SHA256: 5151bd7722a5fee83edff91b6ff9b32c47ca1ac2eabad87b0639b22851453d62

VirusTotal results are just 18/46.  The Anubis report and ThreatExpert report only give limited information. The ThreatTrack report [pdf] is more detailed and reveals some botnet IPs that the malware calls back to.