Update: I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).
Last week I pointed out a malware site on 91.233.244.102 hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire 91.233.244.0/23 block.
A polite but concerned email from a customer of Olborg with a legitimate site in that range asked if I wasn't being rather harsh to Olborg with the recommended /23 block, for just one rogue IP.
First, let me explain my rationale behind recommending larger blocks than just single IP addresses. With many web hosts (and yes, a lot of those are in Eastern Europe) the badness isn't usually restricted to one IP address. This appears to be the case with Olborg, with more than one IP looking suspicious. From the point of view of an administrator, blocking a /24 or /23 displaying these characteristics is often the safest approach.. after all, a /24 only represents 0.000006% of the total address space of the internet, but malware sites do tend to cluster.
So, what exactly is going on with Olborg? Although it has 91.233.244.0/23 allocated to it, it only currently uses 91.233.244.0/24 (i.e. the lower half of the range). Within that there appear to be two main groups of IPs: lower down in the range, 91.233.244.20, 91.233.244.22 and 91.233.244.28 all seem to host legitimate sites, but further up, 91.233.244.102, 91.233.244.103 and 91.233.244.106 seem to be malicious. It's hardly the most evil web host in the world, but these rogue IPs are a concern.
I had a look at all the sites I could find in this address range and analysed their WOT ratings, Google malware prognosis and SURBL status; you can find it here [csv]. The SURBL code takes a little explaining, but basically 127.0.0.16 is malware, 127.0.0.4 is (mostly) spam and 127.0.0.20 is both. There's more explanation of that here.
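The SURBL answer is a bitmask in the last octet, which is why 127.0.0.20 reads as 16 + 4. The decoder below is an added example, not part of the original post or of the CSV; it only knows the two bits the post explains and reports any other bit as unknown, and the survey rows are constructed placeholders that reuse the post's IP addresses.

```python
# Added example: decode SURBL-style DNSBL answers and apply the post's reading
# of them to a survey of sites in a hosting range.

# Bit values as explained in the post; any other bit is reported, not guessed.
SURBL_BITS = {4: "spam", 16: "malware"}


def decode_surbl(answer):
    """Turn a DNSBL A-record answer such as '127.0.0.20' into the set of lists it encodes.

    SURBL ORs its individual lists into the last octet, so 127.0.0.20 (16 + 4)
    means the domain is on both the malware list and the spam list.
    """
    if not answer.startswith("127.0.0."):
        raise ValueError("not a DNSBL-style answer: %r" % answer)
    code = int(answer.rsplit(".", 1)[1])
    if not 0 < code < 256:
        raise ValueError("last octet out of range: %d" % code)
    labels = set()
    bit = 1
    while bit <= code:
        if code & bit:
            labels.add(SURBL_BITS.get(bit, "unknown-bit-%d" % bit))
        bit <<= 1
    return labels


# Constructed survey rows in the shape of the post's CSV:
# (hostname, ip, google_says_clean, surbl_answer_or_None).
# Hostnames are placeholders; only the IP addresses come from the post.
SURVEY = [
    ("shop-a.example", "91.233.244.20", True, None),
    ("shop-b.example", "91.233.244.22", True, None),
    ("bad-1.example", "91.233.244.102", False, "127.0.0.16"),
    ("bad-2.example", "91.233.244.102", True, "127.0.0.4"),
    ("bad-3.example", "91.233.244.106", False, "127.0.0.20"),
]


def suspicious_ips(rows):
    """IPs hosting at least one site that Google flags or that SURBL lists as malware.

    A spam-only listing (127.0.0.4) is not treated as a malware verdict on its own.
    """
    flagged = {}
    for host, ip, google_clean, surbl in rows:
        lists = decode_surbl(surbl) if surbl else set()
        if "malware" in lists or not google_clean:
            flagged.setdefault(ip, []).append(host)
    return flagged
```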
The IP 91.233.244.102 has been an issue for over a year [1] [2] [3] [4] although it may or may not be clean at the moment (anti-analysis techniques mean that it can be hard to be certain). Clean or not, I would certainly advise you not to send traffic to this IP.
OK. So you've read this far and somehow I have still kept you interested in Olborg Ltd. All the badness I can find is concentrated in 91.233.244.96/28 and blocking that should keep you protected from any current potential nastiness. Alternatively, you can block the /23, but do bear in mind that there are some legitimate customers in that range too (update: and if they are running a sinkhole then there's no point blocking the /23 anyway).
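The trade-off above (a /28 that covers the three rogue IPs versus a /24 or /23 that also takes out paying customers) can be worked through mechanically. This is an added example, not code from the original post: it computes the smallest prefix covering the bad IPs named above, lists which of the legitimate IPs each candidate block would catch, and gives each block's share of the IPv4 space.

```python
import ipaddress

# Added example: weigh a blocklist entry's width against the legitimate customers
# it would cut off, using the addresses named in the post.
LEGIT_IPS = ["91.233.244.20", "91.233.244.22", "91.233.244.28"]
BAD_IPS = ["91.233.244.102", "91.233.244.103", "91.233.244.106"]


def smallest_covering_prefix(addrs):
    """Smallest IPv4 prefix that contains every address in addrs."""
    ips = sorted(ipaddress.ip_address(a) for a in addrs)
    net = ipaddress.ip_network(str(ips[0]))  # start from a /32 ...
    while ips[-1] not in net:                # ... and widen until the last one fits
        net = net.supernet()
    return net


def collateral(block, legit):
    """Legitimate hosts that would also be blocked by `block`."""
    net = ipaddress.ip_network(block)
    return [ip for ip in legit if ipaddress.ip_address(ip) in net]


def share_of_ipv4(block):
    """Percentage of the whole IPv4 space a block represents (a /24 is ~0.000006%)."""
    return ipaddress.ip_network(block).num_addresses / 2 ** 32 * 100


def compare_blocks(bad, legit, candidates=("91.233.244.0/24", "91.233.244.0/23")):
    """Score the minimal covering prefix alongside the wider candidates from the post."""
    options = [str(smallest_covering_prefix(bad))] + list(candidates)
    report = {}
    for c in options:
        net = ipaddress.ip_network(c)
        report[c] = {
            "covers_all_bad": all(ipaddress.ip_address(b) in net for b in bad),
            "legit_caught": collateral(c, legit),
            "pct_of_ipv4": share_of_ipv4(c),
        }
    return report


if __name__ == "__main__":
    for block, r in compare_blocks(BAD_IPS, LEGIT_IPS).items():
        print(block, r)
```

For the post's data the minimal prefix comes out as 91.233.244.96/28 with no legitimate hosts inside it, while the /24 and /23 catch all three legitimate IPs.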
Thursday, 1 August 2013
Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited
Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)
About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.
Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..
So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop, and looking at news reports there seems to be little chance of recovery.
But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks..
This Company Will Make an Impressive Recovery! It is the answer to your portfolio troubles!
Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.
You might want to sit down before reading this... Stocks To Look At!
Labels:
Pump and Dump,
Spam
Wednesday, 31 July 2013
"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar
This terse Portuguese language spam has a malicious attachment:
The link in the email downloads goes through a legitimate hacked site and then downloads a RAR file from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/Planilha-Documento.docx_.rar which has a VirusTotal detection rate of 17/46 and is identified as a trojan downloader.
According to Anubis, the malware then attempts to download additional components from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/ie.exe but this seems to generate a 403 error.
Other analyses are pending. Update: here is an analysis from Comodo CAMAS.
From: Adriane Camargo. [adriane@yahoo.com.br]
Date: 29 July 2013 20:59
Subject: Documento importante : 5039403 !!
Arquivo : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)
Tuesday, 30 July 2013
Facebook spam / deltaoutriggercafe.com
These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:
Predictably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.
Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net
I don't know about you, but I think Isaac looks a bit like a girl.
Date: Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From: Facebook [no-reply@facebook.com]
Subject: Issac Dyer wants to be friends with you on Facebook.
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
eBay "ready to get started? Here’s how." spam / deltamarineinspections.net
There is currently an eBay-themed "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:
[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/grueled.js
..leading to a payload page at [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that lost control of the ones here.
Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net
"Your password on Pinterest was Successfully modified!" spam / onsayoga.net
This fake Pinterest spam leads to malware on onsayoga.net:
The link goes through a legitimate hacked site and then on to [donotclick]www.pinterest.com.onsayoga.net/news/pinterest-paswword-changes.php (report here) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)
These IPs are controlled by this gang and form part of this large network of malicious IPs and domains. I recommend you use that list in conjunction with blocking onsayoga.net.
Date: Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From: Pinterest [caulksf8195@customercare.pinterrest.net]
Subject: Your password on Pinterest was Successfully modified!
A Few Updates...
[redacted]
[redacted]
Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
Ask for a New Password
Pinterest is a tool for collecting and organizing things you love.
This email was sent to [redacted].
Don’t want activity notifications? Change your email preferences.
©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions
CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
This fake CNN spam leads to malware on deltadazeresort.net:
The link in the email goes to a legitimate hacked site and then to one or more of three scripts:
[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js
From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:
66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net
Date: Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From: CNN [BreakingNews@mail.cnn.com]
Subject: CNN: Forbes: Angelina Jolie tops list of highest-paid actresses
Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."
(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.
This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.
Pharma sites to block 30/7/13
These IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.
88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.200.13.15 (SKS-Lugan, Ukraine)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
94.152.188.165 (KEI, Poland)
94.242.239.4 (root SA, Luxemburg)
109.107.203.45 (Vodafone, Czech Republic)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
198.23.59.79 (LiquidNet US LLC, US)
Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
Malware sites to block 30/7/13
These sites and IPs are associated with this gang, and are either currently in use or they have been in use recently. The list has individual IPs and web hosts first, followed by a plain list of recommended items to block.
5.175.191.106 (GHOSTnet, Germany)
5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
24.188.19.227 (Optimum Online, US)
41.196.17.252 (Link Egypt, Egypt)
46.246.41.68 (Portlane Networks, Sweden)
50.97.253.162 (Softlayer Networks, US / ucvhost.com, India)
54.225.124.116 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA Communications, India)
68.174.239.70 (Time Warner Cable, US)
69.60.115.92 (Colopronto, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork, Czech Republic)
88.150.191.194 (Redstation, UK)
89.145.185.121 (Yeni Telekom Internet Hizmetleri, Turkey)
89.163.170.134 (Unitedcolo, Germany)
91.200.13.16 (SKS-Lugan, Ukraine)
91.210.189.157 (Eqvia LLC, Ukraine)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Megalan EAD, Bulgaria)
108.170.32.179 (Secured Servers, US / tudohost, Spain)
109.123.125.68 (UK2.NET, UK)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
120.124.132.123 (TANET, Taiwan)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
162.209.80.221 (Rackspace, US)
166.78.124.4 (Rackspace, US)
182.72.216.173 (Cusdelight Consultancy SE, India)
185.4.252.124 (Eaglenet, Lebanon)
185.10.200.89 (GBServers Ltd, UK)
188.132.213.115 (Mars Global Datacenter Services LLC, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.162.100.225 (MediaServicePlus Ltd, Russia)
192.162.102.225 (MediaServicePlus Ltd, Russia)
193.105.210.211 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.105.210.212 (FOP Budko Dmutro Pavlovuch, Ukraine)
193.239.242.83 (TRN Telecom, Russia)
196.1.95.44 (Ensut-Computer Department, Senegal)
198.61.213.12 (Rackspace, US)
198.98.102.165 (Enzu Inc, US)
202.197.127.42 (CERNET, China)
208.115.114.68 (Wowrack, US)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
209.222.67.251 (Razor Inc, US)
211.224.204.141 (Korea Telecom, Korea)
Recommended blocklist:
5.175.191.106
5.175.191.124
24.173.170.230
24.188.19.227
41.196.17.252
46.246.41.68
50.97.253.160/27
54.225.124.116
59.124.33.215
59.160.69.74
68.174.239.70
69.60.115.92
75.147.133.49
78.47.248.101
88.86.100.2
88.150.191.194
89.145.185.121
89.163.170.134
91.200.13.0/24
91.210.189.157
95.87.1.19
95.111.32.249
108.170.32.176/29
109.123.125.68
114.112.172.34
120.124.132.123
122.128.109.46
162.209.80.221
166.78.124.4
182.72.216.173
185.4.252.124
185.10.200.89
188.132.213.115
190.85.249.159
192.162.100.225
192.162.102.225
193.105.210.0/24
193.239.242.83
196.1.95.44
198.61.213.12
198.98.102.165
202.197.127.42
208.115.114.68
208.115.237.88
209.222.67.251
211.224.204.141
Monday, 29 July 2013
Facebook spam / happykido.com
This fake Facebook spam leads to malware on happykido.com:
Apparently all these people look alike:
This is a "ThreeScripts" attack: clicking the link goes to a legitimate hacked site, which then tries to run one of the following:
[donotclick]system-hostings.info/aphrodisiac/nought.js
[donotclick]gc.sceonline.org/worsens/patronizingly.js
[donotclick]www.kgsindia.org/retell/manson.js
From there, the victim is sent to a malware landing page on a hijacked GoDaddy domain at [donotclick]happykido.com/topic/able_disturb_planning.php hosted on 50.2.138.161 (ServerHub Phoenix, US). There are several other hacked GoDaddy domains on the same server, all of which should be considered to be malicious.
Recommended blocklist:
50.2.138.161
handbagwalla.com
giftwalla.com
happykiddoh.com
happykido.com
system-hostings.info
gc.sceonline.org
www.kgsindia.org
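Every one of these hijacked GoDaddy landing pages shares the path /topic/able_disturb_planning.php while the hostnames keep changing, so a proxy-log check keyed on the path catches a freshly rotated domain before it reaches any blocklist. The scanner below is an added example, not code from the original posts; the blocked hosts and IPs are copied from the blocklists above, and the log lines are constructed (the .example hostnames and 192.0.2.x / 198.51.100.x / 203.0.113.x servers are placeholders).

```python
from urllib.parse import urlsplit

# Added example: match proxy log traffic against the indicators in these posts,
# keying on the shared landing-page path as well as on hosts and IPs.

# Landing-page path that every hijacked GoDaddy domain in these posts serves.
LANDING_PATHS = {"/topic/able_disturb_planning.php"}
# Hosts and IPs copied from the posts' recommended blocklists.
BLOCKED_HOSTS = {"happykido.com", "happykiddoh.com", "giftwalla.com", "handbagwalla.com",
                 "system-hostings.info", "gc.sceonline.org", "www.kgsindia.org",
                 "deltaoutriggercafe.com", "deltadazeresort.net"}
BLOCKED_IPS = {"50.2.138.161", "66.175.217.235", "173.246.104.136"}

# Constructed proxy log (not real traffic): time client method url status server_ip
SAMPLE_LOG = """\
2013-07-29T15:40:01Z 10.0.0.12 GET http://www.kgsindia.org/retell/manson.js 200 192.0.2.10
2013-07-29T15:40:02Z 10.0.0.12 GET http://happykido.com/topic/able_disturb_planning.php 200 50.2.138.161
2013-07-29T15:41:10Z 10.0.0.33 GET http://newly-hijacked.example/topic/able_disturb_planning.php 200 198.51.100.7
2013-07-29T15:41:11Z 10.0.0.33 GET http://cdn.example/static/app.js 200 203.0.113.9
2013-07-29T15:42:00Z 10.0.0.45 GET http://intranet.example/topic/news.php 200 10.0.0.1
2013-07-29T15:43:00Z 10.0.0.45 GET http://WWW.HappyKido.com/ 200 50.2.138.161
"""


def host_is_blocked(host, blocked=BLOCKED_HOSTS):
    """True if host equals a blocklisted name or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def classify(line):
    """Return the reasons a proxy log line matches, or an empty list if it is clean."""
    fields = line.split()
    if len(fields) != 6:
        return ["malformed-line"]
    _, _, _, url, _, server_ip = fields
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and host_is_blocked(parts.hostname):
        reasons.append("blocked-host")
    if server_ip in BLOCKED_IPS:
        reasons.append("blocked-ip")
    # The path survives when the gang rotates to a fresh hijacked domain, so it
    # catches hosts the blocklist has not caught up with yet.
    if parts.path in LANDING_PATHS:
        reasons.append("landing-path")
    return reasons


def scan(log=SAMPLE_LOG):
    """Map each hit's line number (1-based) to its reasons; clean lines are omitted."""
    hits = {}
    for n, line in enumerate(log.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits[n] = reasons
    return hits
```

On the constructed log the third line, a domain on neither list, is flagged purely by its path, while the intranet page under a different /topic/ path is left alone.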
Date: Mon, 29 Jul 2013 09:33:38 -0600 [11:33:38 EDT]
From: Facebook [update+zj4o40c2_aay@facebookmail.com]
Subject: Betsy Wells wants to be friends with you on Facebook.
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.
Betsy Wells
Betsy Wells
Baldric Aguino
Astrid Aggas
Deloris Bransfield
Perdita Brantz
Danelle Erstad
Daphne Escamilla
Giovanna Hadesty
Georgeann Habel
Hugh Campisi
Jake Callas
Find more pages
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
"Key Secured Message" spam / SecureMessage.zip
This spam has a malicious attachment:
Date: Mon, 29 Jul 2013 06:08:44 -0800 [10:08:44 EDT]
From: "Marcia_Manning@key.com" [Marcia_Manning@key.com]
Subject: Key Secured Message
You have received a Secured Message from:
Marcia_Manning@key.com
The attached file contains the encrypted message that you have received. To decrypt the
message use the following password - nC4WR706
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your
computer.
- Select whether to open the file or save it to your hard drive. Opening the file
displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it. This e-mail and any
attachments are confidential and intended solely for the addressee and may also be
privileged or exempt from
disclosure under applicable law. If you are not the addressee, or have received this
e-mail in error, please notify the sender
immediately, delete it from your system and do not copy, disclose or otherwise act upon
any part of this e-mail or its attachments.
If you have concerns about the validity of this message, please contact the sender
directly. For questions about Key's e-mail encryption service, please contact technical
support at 888.764.5844.
Copyright © 2013 KeyCorp®. All Rights Reserved
The attachment SecureMessage.zip contains an executable SecureMessage.exe which has to be decrypted with the password supplied in the email (which is kind of stupid for a supposedly secure mail), and this has a VirusTotal detection rate of just 6/46.
The Malwr analysis shows that this is a pony/gate downloader, first downloading from [donotclick]webmail.alsultantravel.com/ponyb/gate.php on 198.57.130.34 (Unified Layer / Bluehost, US) and then downloading one of the following:
[donotclick]a1bridaloutlet.co.uk/aiswY6.exe (5/45)
[donotclick]www.giftedintuitive.com/kQYjoPqY.exe (11/46)
[donotclick]198.61.134.93/MM75.exe (5/45)
[donotclick]paulalfrey.com/guBwFA.exe (5/46)
Recommended blocklist:
198.57.130.34
198.61.134.93
webmail.alsultantravel.com
alsultantravel.com
webmail.alsultantravel.info
a1bridaloutlet.co.uk
giftedintuitive.com
paulalfrey.com
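The password in these lures protects only the entry data: the file names and the per-entry flag bits live in the zip's central directory, which is never encrypted, so a mail gateway can see "SecureMessage.exe" without the password. The Python below is an added example, not code from the original post. It hand-builds a constructed stand-in for SecureMessage.zip (one executable entry with the encrypted flag set; the stored bytes are not really encrypted, the flag is enough for the check) and a benign password-protected PDF, then shows the inspection a gateway can do on both. The zip is written by hand because the standard zipfile module cannot emit the encrypted flag.

```python
import io
import posixpath
import struct
import zipfile

# Record layouts from the zip specification (the same struct formats the
# standard-library zipfile module uses internally).
LOCAL_HDR = "<4s2B4HL2L2H"
CENTRAL_HDR = "<4s4B4HL2L5H2L"
EOCD = "<4s4H2LH"
FLAG_ENCRYPTED = 0x1  # general-purpose bit 0: entry data is password protected

# Extensions a mail gateway should not deliver inside an archive.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jar", ".vbs"}


def build_zip(entries):
    """Construct a minimal stored (uncompressed) zip from (name, data, flags) tuples.

    Written by hand so the 'encrypted' flag bit can be set. The data is stored
    verbatim: this is a constructed sample for the directory check below, not a
    real encrypted archive.
    """
    out = io.BytesIO()
    central = []
    for name, data, flags in entries:
        name_b = name.encode("ascii")
        offset = out.tell()
        # Local file header: version 2.0, flags, method 0 (stored), zero time/date/CRC.
        out.write(struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, flags, 0, 0, 0,
                              0, len(data), len(data), len(name_b), 0))
        out.write(name_b)
        out.write(data)
        # Matching central-directory record, pointing back at the local header.
        central.append(struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 0, 20, 0,
                                   flags, 0, 0, 0, 0, len(data), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = out.tell()
    cd = b"".join(central)
    out.write(cd)
    out.write(struct.pack(EOCD, b"PK\x05\x06", 0, 0, len(central), len(central),
                          len(cd), cd_offset, 0))
    return out.getvalue()


def inspect_attachment(zip_bytes):
    """List every entry with its encryption flag and whether its name looks executable.

    Neither check needs the password: names and flag bits come from the
    central directory, which zip encryption does not cover.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = posixpath.splitext(info.filename.lower())[1]
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & FLAG_ENCRYPTED),
                "executable": ext in EXECUTABLE_EXT,
            })
    return findings


def should_quarantine(zip_bytes):
    """Gateway policy: any executable inside the archive, encrypted or not, is enough."""
    return any(f["executable"] for f in inspect_attachment(zip_bytes))


# Constructed samples: a stand-in for the SecureMessage.zip lure and a harmless
# password-protected document that the same policy must let through.
SPAM_ZIP = build_zip([("SecureMessage.exe", b"\x00" * 64, FLAG_ENCRYPTED)])
BENIGN_ZIP = build_zip([("invoice.pdf", b"%PDF-1.4 constructed sample", FLAG_ENCRYPTED)])

if __name__ == "__main__":
    for label, blob in (("SecureMessage.zip", SPAM_ZIP), ("invoice.zip", BENIGN_ZIP)):
        verdict = "quarantine" if should_quarantine(blob) else "deliver"
        print(label, inspect_attachment(blob), verdict)
```

The point of the two samples is that the decision rests on the entry name, not on the encryption flag: blocking every password-protected archive would also stop the legitimate encrypted documents that the lure is imitating.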
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Zbot
Saturday, 27 July 2013
Jolly Works Hosting.. is it really Jolly?
I was a little curious as to why I kept coming across Jolly Works Hosting from the Philippines when it came to malware hosting. They are a customer of Secured Servers LLC in the US, and when I took a close look at malware reports with Secured Servers IP addresses it turns out that most of them were actually suballocated to Jolly Works Hosting instead.
Jolly Works has a real website and real customers, but not all of those customers are very desirable. In particular, the following IP addresses are current hotbeds of malware and are definitely worthy of blocking:
108.170.46.130
184.95.37.100
184.95.37.109
184.95.51.123
184.164.136.150
I have enumerated much of their network for research purposes and uploaded it here [csv]. The file contains the domain, IP, decimalised IP, WOT ratings, Google Prognosis and SURBL status. Do with it what you will.
As far as I can tell, the following Secured Servers IP ranges are suballocated to Jolly Works Hosting. There are some real legitimate websites in there, but if you wanted to do some sort of filtering or scoring with them then the ranges are:
66.85.153.160/27
108.170.6.16/28
108.170.7.160/28
108.170.13.192/27
108.170.29.128/27
108.170.46.128/29
174.138.163.176/28
174.138.172.48/28
184.95.37.96/28
184.95.37.144/28
184.95.38.32/29
184.95.51.112/28
184.95.54.208/28
184.164.136.80/28
184.164.136.128/27
184.164.141.32/27
184.164.147.128/27
184.164.151.32/27
184.171.167.192/28
209.188.0.96/27
Labels:
Jolly Works Hosting,
Philippines
Friday, 26 July 2013
Bank of America "Your transaction is completed" spam / payment receipt 26-07-2013.zip
Date: Fri, 26 Jul 2013 15:50:32 +0200 [09:50:32 EDT]
From: impairyd04@gmail.com
Subject: Your transaction is completed
Transaction is completed. $09681416 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.
*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved
There is an attachment payment receipt 26-07-2013.zip which in turn contains the executable file payment receipt 26-07-2013.exe. This appears to be a Zbot variant with a pretty low detection rate of 9/46 at VirusTotal.
The Malwr report is the most detailed for this sample, and Anubis also has some useful information. Of note is that there is network traffic to the following IPs that seem to be pretty common for this Zbot / Zeus variant:
14.97.179.244
46.48.148.147
67.140.85.16
71.43.167.82
77.242.55.214
89.40.177.36
93.126.38.211
99.72.61.142
99.116.158.19
99.120.1.3
107.217.117.139
178.238.233.29
183.11.30.252
184.147.56.198
186.136.173.245
186.59.228.111
187.214.26.20
190.36.95.118
190.239.109.160
194.36.163.54
201.153.236.237
208.115.110.218
210.213.137.50
217.92.30.173
219.92.103.31
220.246.38.109
223.204.40.170
UPDATE:
In the first version of this list I accidentally included the following Google IPs. Don't block these:
173.194.70.94
173.194.70.103
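Two things on this page want the same small tool: the Jolly Works Hosting post above suggests "filtering or scoring" against the suballocated ranges rather than blocking them wholesale, and the UPDATE just above shows what happens when a sandbox-derived IP list goes out without being checked against known-good infrastructure. The Python below is an added example, not code from either post. It scores an address against the Jolly Works ranges and the five hotbed IPs, and strips allowlisted entries from a candidate blocklist before it is deployed. The allowlist holds only the two Google IPs the UPDATE names; ZBOT_TRAFFIC_V1 reconstructs the "first version" of the Zbot list with those two included, as the UPDATE describes.

```python
import ipaddress

# Secured Servers ranges the Jolly Works post lists as suballocated to Jolly Works Hosting.
JOLLY_WORKS_RANGES = [ipaddress.ip_network(c) for c in (
    "66.85.153.160/27", "108.170.6.16/28", "108.170.7.160/28", "108.170.13.192/27",
    "108.170.29.128/27", "108.170.46.128/29", "174.138.163.176/28", "174.138.172.48/28",
    "184.95.37.96/28", "184.95.37.144/28", "184.95.38.32/29", "184.95.51.112/28",
    "184.95.54.208/28", "184.164.136.80/28", "184.164.136.128/27", "184.164.141.32/27",
    "184.164.147.128/27", "184.164.151.32/27", "184.171.167.192/28", "209.188.0.96/27",
)]

# The five addresses that post calls current malware hotbeds: blocked outright.
HOTBED_IPS = {"108.170.46.130", "184.95.37.100", "184.95.37.109",
              "184.95.51.123", "184.164.136.150"}

# Known-good infrastructure that a sandbox run may contact anyway. Entries may be
# single hosts or CIDRs; here it holds only the two Google IPs the UPDATE retracts.
ALLOWLIST = [ipaddress.ip_network(a) for a in ("173.194.70.94", "173.194.70.103")]


def classify(ip_str, block_ips=HOTBED_IPS, ranges=JOLLY_WORKS_RANGES, allow=ALLOWLIST):
    """Return (verdict, reason) for one address.

    Precedence: allowlist, exact block, suballocated range, clean. A range hit
    is reported as 'score' rather than 'block' because the post notes that
    legitimate sites live in these ranges too.
    """
    ip = ipaddress.ip_address(ip_str)
    for net in allow:
        if ip in net:
            return "allow", f"allowlisted by {net}"
    if ip_str in block_ips:
        return "block", "listed hotbed IP"
    for net in ranges:
        if ip in net:
            return "score", f"inside suballocated range {net}"
    return "clean", "no match"


def build_blocklist(candidates, allow=ALLOWLIST):
    """Split sandbox-observed addresses into (kept, dropped), both sorted numerically.

    'dropped' is returned rather than discarded so the analyst can see what the
    allowlist removed before the list goes anywhere near a firewall.
    """
    kept, dropped = [], []
    for ip_str in candidates:
        ip = ipaddress.ip_address(ip_str)
        (dropped if any(ip in net for net in allow) else kept).append(ip)
    return [str(ip) for ip in sorted(kept)], [str(ip) for ip in sorted(dropped)]


# Reconstruction of the 'first version' of the Zbot contact list from the Bank of
# America post: the 27 published IPs plus the two Google IPs the UPDATE retracts.
ZBOT_TRAFFIC_V1 = [
    "14.97.179.244", "46.48.148.147", "67.140.85.16", "71.43.167.82", "77.242.55.214",
    "89.40.177.36", "93.126.38.211", "99.72.61.142", "99.116.158.19", "99.120.1.3",
    "107.217.117.139", "173.194.70.94", "173.194.70.103", "178.238.233.29", "183.11.30.252",
    "184.147.56.198", "186.136.173.245", "186.59.228.111", "187.214.26.20", "190.36.95.118",
    "190.239.109.160", "194.36.163.54", "201.153.236.237", "208.115.110.218", "210.213.137.50",
    "217.92.30.173", "219.92.103.31", "220.246.38.109", "223.204.40.170",
]

if __name__ == "__main__":
    for ip in ("184.95.37.110", "108.170.46.130", "173.194.70.94", "192.0.2.1"):
        print(ip, *classify(ip))
    kept, dropped = build_blocklist(ZBOT_TRAFFIC_V1)
    print(f"{len(kept)} addresses kept; dropped by allowlist: {dropped}")
```

Using `ipaddress` objects rather than string comparison is what makes the allowlist work for whole ranges as well as single hosts, and sorting numerically keeps the published list in a stable order so that diffs between versions are readable.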
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Zbot
Intellicast.com spam / artimagefrance.com
This fake weather spam leads to malware on artimagefrance.com:
Date: Fri, 26 Jul 2013 02:46:26 -0800 [06:46:26 EDT]
From: "Intellicast.com" [weather@intellicast.com]
Subject: Intellicast.com [weather@intellicast.com]
Intellicast.com Weather E-mail - Thursday, Jul 25, 2013 3:38 AM
For the complete 10-Day forecast and current conditions, visit Intellicast.com:
http://www.intellicast.com/Local/Weather.aspx?location=USNH0164
=================================================
5-Day Forecast for Newfields, New Hampshire
Today: Mostly Cloudy, High: 72 F, Low: 60 F
Tomorrow: Showers, High: 70 F, Low: 60 F
Saturday: Partly Cloudy, High: 84 F, Low: 64 F
Sunday: Scattered Thunderstorms, High: 82 F, Low: 65 F
Monday: Showers, High: 82 F, Low: 61 F
=================================================
Forecast Details
The payload and infection technique is exactly the same as the one used here.
Labels:
Jolly Works Hosting,
Malware,
Spam,
ThreeScripts,
Viruses
"welcome to the eBay community!" spam / artimagefrance.com
This fake eBay email leads to malware on artimagefrance.com:
Date: Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From: eBay [eBay@reply1.ebay.com]
Subject: [redacted] welcome to the eBay community!
Items selected just for you.
View this message in your browser eBay Buyer Protection
ebay™ Fashion Electionics Collectibles Daily Deals Sell To Buy
Welcome to eBay. The simpler and safer way to shop and save.
You've got options when it comes to paying.
Learn more to protect yourself from spoof (fake) e-mails
eBay Inc. sent this e-mail to you at [redacted] because your Notification Preferences indicate that you want to receive general email promotions.
If you do not wish to receive further communications like this, please click here to unsubscribe. Alternatively, you can change your Notification Preferences in My eBay by Privacy Policy and User Agreement if you have any questions.
Copyright © 2013 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.
eBay Inc. is located at 2145 Hamilton Avenue, San Jose, CA 95125.
The link in the email goes to a legitimate hacked site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229/deputy/clodhoppers.js
[donotclick]andywinnie.com/guessable/meteor.js
[donotclick]hansesquash.de/wimples/dunning.js
The victim is then sent to a malware landing page at [donotclick]artimagefrance.com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case.
The domain is a hijacked GoDaddy domain, and the following hijacked domains appear to be in the neighbourhood. Ones already flagged by Google as malware are highlighted, although all should be considered malicious.
184.95.37.100
fiberopticcableguy.com
fiberopticguy.com
guysanford.com
guyscards.com
hi-defhooters.com
y2k-usa.com
184.95.37.109
apparelacademy.com
apparelacademy.net
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org
showmysupport.org
184.95.37.110
2013vistakonpresidentsclub.com
amicale-calvel.com
amicale-calvel.eu
artimagefrance.com
atmiaaustraliaconference.com
Labels:
eBay,
Jolly Works Hosting,
Malware,
Spam,
ThreeScripts,
Viruses
Mobiquant - when IT security goes badly wrong
UPDATE: as of September 2013, this site appears to have been cleaned up.
Mobiquant appears to be a small French IT security company run by a gentleman called Reda Zitouni that has been reportedly struggling a bit and may have shut up shop earlier in the year. They describe themselves thusly: "Mobiquant Technologies is a leading company provides mobile SECURITY management technology to enterprises & carriers (BYOD, MDM, MSM)"
They have a couple of Twitter accounts, one of which has been switched to protected and the other one has not Tweeted since April. There's very little evidence to indicate any kind of activity (although we'll get to that in a moment) and this site has it marked as "Cessé économiquement" ("Ceased economically") according to INSEE.
The problem is that their website has been serving up a RedKit exploit kit for at least the past ten days. And despite several attempts to contact them via email, Twitter and a variety of other means the exploit kit remains.
It's not a surprise to see an abandoned website being infected like this, but it is embarrassing for an IT security company. More worryingly, it could be a watering hole attack which is deliberately targeting people involved in IT security. Note that the affiliate domain yesucantechnologies.com also appears to have been compromised.
The plot thickens though. Because it is sometimes nice to let people know that they have been hacked I looked at the WHOIS records for the domain to find the contact details. And this is what I found:
Registrant Contact:
Fortesia
RZ Group ()
Fax:
7
Cheval Place
London, P S6SDJ7
GB
Administrative Contact:
Fortesia
Group (adds31@gmail.com)
+44.20777777777
Fax: +44.20734596895
7
Cheval Place
London, P S6SDJ7
GB
What is wrong with these records? Everything! The WHOIS details claim to be for a UK company, but according to Companies House there is no such entity in the UK as Mobiquant or RZ Group, and no active companies by the name of Fortesia. "P S6SDJ7" is not a valid UK postcode, and the address is actually an East African restaurant. Although the fax number is potentially valid, the +44.20777777777 telephone number is extremely unlikely. What sort of company fakes its WHOIS records?
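The checks in that paragraph can be mechanised for triage. The Python below is an added example, not anything from the post: it runs a few plausibility tests over a WHOIS contact block, namely a UK postcode shape check when the country is GB, a check that phone and fax numbers are in the registrar's "+CC.number" form and are not one digit repeated over and over, and flags for a missing e-mail address or a privacy-proxy address. The dict keys are my own names, not WHOIS field names; the three sample records are the ones quoted in this post, and the control record is constructed.

```python
import re

# Outward code, optional space, inward code: the standard UK postcode shape.
UK_POSTCODE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$")
# Registrar-style number: "+<country code>.<subscriber digits>", e.g. "+44.2079460000".
PHONE = re.compile(r"^\+(\d{1,3})\.(\d{6,14})$")
# E-mail domains that mean "forwarded by a privacy service", not the registrant.
PRIVACY_PROXIES = ("whoisguard",)


def check_whois_contact(contact):
    """Return human-readable problems found in one WHOIS contact block.

    Expected keys (my own names, not WHOIS field names): org, email, phone, fax,
    postcode, country. This is a heuristic triage aid: it catches records that
    are obviously fabricated and leaves judgement on the rest to the analyst.
    """
    problems = []
    email = contact.get("email", "")
    if not email:
        problems.append("no contact e-mail")
    elif any(p in email.lower() for p in PRIVACY_PROXIES):
        problems.append("contact e-mail is a privacy-proxy address")
    if contact.get("country") == "GB":
        pc = contact.get("postcode", "").strip().upper()
        if not UK_POSTCODE.match(pc):
            problems.append(f"'{pc}' is not a valid UK postcode")
    for field in ("phone", "fax"):
        number = contact.get(field, "")
        if not number:
            continue
        m = PHONE.match(number)
        if not m:
            problems.append(f"{field} '{number}' is not in +CC.number form")
        elif re.search(r"(\d)\1{5,}", m.group(2)):
            # Six or more of the same digit in a row is keyboard filler, not a number.
            problems.append(f"{field} '{number}' repeats one digit six or more times")
    return problems


# The records quoted in the post, transcribed into the dict layout above.
REGISTRANT = {"org": "RZ Group", "email": "", "phone": "", "fax": "",
              "postcode": "P S6SDJ7", "country": "GB"}
ADMIN = {"org": "Fortesia", "email": "adds31@gmail.com", "phone": "+44.20777777777",
         "fax": "+44.20734596895", "postcode": "P S6SDJ7", "country": "GB"}
AFTER_ICANN = {"org": "WhoisGuard, Inc.",
               "email": "26ae68e0b9764d38a5d0ca312cc0d367.protect@whoisguard.com",
               "phone": "+507.8365503", "fax": "+51.17057182", "postcode": "", "country": "PA"}
# Constructed well-formed control record (020 7946 numbers are the UK's drama-use range).
CONTROL = {"org": "Example Ltd", "email": "abuse@example.co.uk", "phone": "+44.2079460000",
           "fax": "", "postcode": "SW1A 1AA", "country": "GB"}

if __name__ == "__main__":
    for label, rec in (("registrant", REGISTRANT), ("admin", ADMIN),
                       ("after ICANN report", AFTER_ICANN), ("control", CONTROL)):
        print(f"{label}: {check_whois_contact(rec) or 'no problems found'}")
```

Note that the fax number passes, consistent with the post calling it "potentially valid", and that the post-ICANN record is flagged only as proxied: a privacy service is not a fake record, but it does mean a compromise notice has to go via the proxy or the registrar's abuse contact rather than to anyone at the company.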
Now, when you have invalid WHOIS details for a malware site one of the quickest things to do is file a report with ICANN. I did this, expecting that this apparently zombie site would be shut down. But what happened instead is that the WHOIS details changed:
WhoisGuard, Inc.
WhoisGuard Protected (26ae68e0b9764d38a5d0ca312cc0d367.protect@whoisguard.com)
+507.8365503
Fax: +51.17057182
P.O. Box 0823-03411
Panama, Panama NA
PA
Now, this is kind of odd because it means that someone must be home at Mobiquant, and they were prepared to correct their WHOIS details (or risk losing their site), but are not prepared to clean up the infection. Incidentally, the fake WHOIS details can still be seen at the site mobiquantacademy.com.
Indeed, mobiquantacademy.com (apparently uninfected) was active a few days ago which indicates that something is still happening at the company. But fixing their web site is not one of those somethings..
Strangely too, Mobiquant managed to push out a press release (don't click the Mobiquant link on that page) in the past few days about being invited to a conference (is that really news?).
Now, I don't know exactly what is happening at Mobiquant, but it does seem that they are recklessly ignoring the problems with their web site which is placing customers and visitors at risk. Is that really a good way for an IT security company to behave?
UPDATE: after publishing this post a year ago and noting that the problem had been cleaned up, Mobiquant have responded to my criticism by making personal attacks and making statements that are not true. My personal opinion is that this just shows what an unprofessional organisation they are; I would certainly not recommend doing business with them under any circumstances.
Firstly, Mobiquant did acknowledge there had been an issue with their site:
From: Grzegorz Tabaka [markcom@mobiquant.com]
Date: 26 August 2013 19:14
Subject: Mobiquant Technology
Dear Mr. Langmore,
My name is Grzegorz Tabaka, I am communication manager at Mobiquant Technology.
Let me first congratulate you for your great blog dynamoo.com. I went through it today, and I saw your post about us regarding the issue we had few weeks ago with some malicious code that infected our website.
I know you sent us messages about it, unfortunately we didn't receive any of them, please accept my apology for that.
I only wanted to inform that our website has been cleaned weeks ago and now is completely safe.
I suppose you wont delete this post about Mobiquant, but would you be so kind and post there a short statement, that the website is now clean and safe to visit? I will be really grateful if you could do that.
If you have any questions don't hesitate to ask,
looking forward to prompt reply.
best regards
So, as requested I amended the post to say that the site was clean. But I still had my reservations over a company that did (and still does) rely on fake WHOIS details to protect its domains, and that did not bother responding to multiple reports of an issue with their web site.
Mobiquant then decided that instead of engaging in a dialogue, they would launch a personal attack against me in their blog. Their blog got deleted for some reason (I assumed they had done it), something that happened several months ago.. but now they have decided to blame me for it and have republished it (I suspect that all they did was screw up their own DNS entries, but whatever).
To be clear, I did not request that their blog be removed. The post they made about me was so badly written and petty that it clearly demonstrated what an unprofessional organisation Mobiquant is. A company that would behave in this way does not meet the minimum ethical and professional standards that a business should have. I'm not going to link to their blog, but I will respond to it:
UPDATE:
We learnt (by different security friends) that the CONRAD LONGMORE loves denigrating people, revealing their personal life for free BUT DON'T LIKE THIS FOR HIMSELF. ;-) YES! in fact he asked GOOGLE to remove his post from the results in the Google search. Crazy! that our White security Knight don't like what he does to (some) honest people and companies to ensure the Buzz and traffic on his eCommerce Blog where he is still selling crap things that Have nothing related about security.
Sure, I will reveal the details of bad actors when I find them. But I never put in a request to Google to remove the blog, simply because this laughable and pathetic rant from Mobiquant simply shows what kind of an outfit they are.
So here we are again guys !!
Earlier, in August we were informed by some partners of a strange post from a guy claiming being a "security expert". This dude called Conrad Longmore from a blog we never heard about (dynamoo), posted an article about Mobiquant Technologies. He maybe got his freeware antivirus warning him about a malicious javascript resulting of an infection on our hoster files. The strange thing here is fully about the behaviour of the guy claiming to belong to the security community. After 20 years in the sec arena we never seen a hacked victim being blamed and denigrated having its website infected. What about the hackers? sure it requires a real true technical work. Not given to everyone.
Actually the truth of what happened is that I attempted to contact them several times with no response. From all the evidence at the time, it appeared that all activity at the company had ceased, which was backed up by company reports in France. My criticism is that Mobiquant ignored the problem and had their site infected for several weeks, not the thing that makes an IT security company look good. Note that this paragraph does explicitly acknowledge that they were hacked.
We made a quick search about this unknown blogger.
[removed to avoid Google removal ]$
He is using a personal blog space on google blogspot, after apparently having tried several corp domain (www.Conrad-longmore.co.uk 404 error, no files) and a wordpress free space (http://en.wordpress.com/tag/conrad-longmore/ 404 error, no files).
Wow.. a dead website parked at a host I don't use and a WordPress tag about me. And your point is....?
No company, no professional profile. Jobless or Yet another freelancer. Website: dynamoo.com seems to be a fake or outdated (last update 2003) website as many links are broken. Kind of blogsite quickly setup and stopped by this mysterious guy.
I don't mention the company I work for, for a number of reasons. But bits of my website haven't been updated since 2003? Wrong. There are bits of my website that haven't been updated since the mid-1990s. And actually I blog about stuff most days, but really.. what is Mobiquant's point? As for the Facebook profile, they are referring to this picture.
We found some related Facebook link: https://www.facebook.com/conrad.longmore, with a profile picture of a guy having a walk in the British countryside holding a bag with a kiddy puppet in the back:
Yes, there's a stuffed reindeer peeking out of my backpack in the photo on my Facebook page. Oh no.
and a twitter account with some strange tweets taking position for the [removed to avoid Google removal] community :
The original post read:
and a twitter account with some strange tweets taking position for the homosexual community :
Basically, Mobiquant went through all my Twitter posts and found something advocating gay rights, which they are using as a reason to attack me. Does this make Mobiquant a homophobic company? I'll let you make up your own mind, but given that Mobiquant appears to operate partly from Morocco, then the answer is definitely maybe.
After having contacted the guy, our team did not have any answer from him.
Which is not true.
Seems that this guy is using various ways to drive some traffic to his blog by denigrating different websites and people with no reasons claiming they are all hackers or malicious internet users and has already many enemies apparently:
Hell, yes.. the bad guys tend not to like you much if you spoil their evil plans. But as for "no reasons".. well, anyone who reads my blog can see that it is very much centered around evidence.
This is clearly to make some business about mobile items sold on his web and by using this technique of denigration to do some buzz (audience is poor) he is selling mobile accessories. Security? ecommerce? mobile accessories? strange guy ;-). People are complaining on forums about receiving spam email from him to buy mobiles parts: "Conrad Longmore does appear to sell all kinds of things, including mobile phones, and portable air conditioners, so the guy must have read the site and added the PS for shits and giggles": Forum of victims describing what happened to them.
I have some old (and dead) affiliate links on my personal website promoting all sorts of things. So what? And I was a victim of a Joe Job a long time ago, after exposing this criminal activity. So what?
The malware is a classical non critical HH. JS, among thousands variants of this kind, have spread throughout the web for years, and it has infected again this summer up to 252 000 websites among which Apple.com and some others which were unavailable for nearly one week for some of them.
The malware was Redkit, which was a very dangerous exploit kit. As far as I know, Apple.com was never infected with Redkit. The infection is clear from my original blog post. But in particular, the infection was dangerous because the site was still running with no apparent oversight, and the victims would have been mostly IT administrators and similar, which is basically paydirt for the bad guys who had hacked the site.
Our dude found that on our website, which is obviously technically hosted on a distinct independent infrastructure than the corporate one, and thought it was a valid and major reason to drive a deep dive study about: the company, its financial status (with French reading bad expertise ;-)), our management, our domain .... and yes absolutely not about this malware, the security countermeasures etc. In short nothing related with security and IT.
The funny thing is that he did criticize our website about having a temporary non critical js malware and we thought we should find a perfect website on his side. This was absolutely not the case:
- broken links (25/70), outdated references (last update is 2003), blogsite is badly designed, coded and graphically disgusting. We even found 5 vulnerabilities and it looks like a beginner web blogger.
This is the non-critical issue that was in fact an exploit kit. And my site is "graphically disgusting"? Oh no! As for vulnerabilities.. well, I'm not aware of any. The site is simply coded, and you'll notice that they don't actually have any supporting evidence.
By the way we decided not to take any action against this anonymous strange blogger which apparently is using strange techniques to exist and shine on the web to make money on our back.
I could turn this paragraph around and use it about Mobiquant myself.
Finally, after some discussion with famous security real bloggers on the web most of them told us they never heard of him and few who did know him, had some negative feedback about his behaviour. As in any case a security professional will blame a hacked victim for being infected or hacked. Our company never decided to be infected for some days earlier during summer time. This mix of corporate, financial (he is also a financial expert ;-)) and personal elements in a security analysis demonstrates clearly the guy is somehow not in the security space but just personally blogging using security as an excuse.
Did you really? But notice again, they admit to having been hacked despite denying it in the same post. Internal inconsistencies like this are an easy way to spot a lie.
This is how the web is going nowadays : giving some space to unknown people, having lot of freetime to blog on all and nothing.Perhaps if Mobiquant hired some professionals rather than the kind of idiot that wrote this, then the company might be in better shape.
Remember.. I got word of this compromised web site and tried to warn Mobiquant several times (something made more difficult by their fake WHOIS details) but I never got a response. So I instead communicated with the web host and domain registrar to attempt to get the threat removed, and warned the wider community that the Mobiquant site was dangerous. If Mobiquant actually read their emails then they would have known there was a problem, which is entirely their own fault.
Anyway, Mobiquant are entitled to their point of view, but my point of view is that in my personal opinion, this is a deeply unprofessional company that you should avoid doing business with.
Labels: France, Injection Attacks, Malware, Mobiquant, Stupidity
Thursday, 25 July 2013
"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com
Date: Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From: Administrator [administrator@victimdomain]
Subject: INCOMING FAX REPORT : Remote ID: 1150758119
*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll
Click here to view the file online
*********************************************************
The link in the spam leads to a legitimate hacked site and then on to one or more of these three intermediary scripts:
[donotclick]1954f7e942e67bc1.lolipop.jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio.de/djakarta/opel.js
[donotclick]www.pep7.at/hampton/riposts.js
From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier today (like this spam) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110, which is a Jolly Works Hosting IP that has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side.
Labels: Jolly Works Hosting, Malware, Spam, ThreeScripts, Viruses
CNN "77 dead after train derails" spam / evocarr.net
This spam mismatches two topics, a train crash in Spain and the birth of a royal baby in the UK, but it leads to malware on evocarr.net:
Date: Thu, 25 Jul 2013 20:19:44 +0800 [08:19:44 EDT]
From: 77 dead after train derails [BreakingNews@mail.cnn.com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
77 dead after train derails, splits apart in Spain
By Al Goodman, Elwyn Lopez, Catherine E. Shoichet, CNN July 25, 2013 -- Updated 0939 GMT (1739 HKT)
iReporter: 'It was a horrific scene'
STORY HIGHLIGHTS
NEW: Train driver told police he entered the bend too fast, public broadcaster reports
NEW: Regional governor declares 7 days of mourning for the victims, broadcaster says
Witness: "The train was broken in half. ... It was quite shocking"
77 people are dead, more bodies may be found, regional judicial official says
Madrid (CNN) -- An express train derailed as it hurtled around a curve in northwestern Spain on Wednesday, killing at least 77 people and injuring more than 100, officials said. Full Story >>>>
The link in the email goes to a legitimate hacked site which tries to load one or more of the following scripts:
[donotclick]church.main.jp/psychosomatics/rayon.js
[donotclick]video.whatsonstage.com/overstocking/ownership.js
[donotclick]www.fewo-am-speckbusch.de/referees/metacarpals.js
From there the victim is sent to a landing page at [donotclick]evocarr.net/topic/accidentally-results-stay.php hosted on 69.163.34.49 (Directspace LLC, US). The following hijacked GoDaddy domains are on the same IP and can be considered suspect:
evocarr.net
serapius.com
leacomunica.net
mindordny.org
rdinteractiva.com
yanosetratasolodeti.org
Wednesday, 24 July 2013
CNN "Perfect gift for royal baby ... a tree?" spam / nphscards.com
This fake CNN spam leads to malware on nphscards.com:
Date: Wed, 24 Jul 2013 19:54:18 +0400 [11:54:18 EDT]
From: "Perfect gift for royal baby ... a tree?" [BreakingNews@mail.cnn.com]
Subject: "Perfect gift for royal baby ... a tree?" - BreakingNews CNN
CNN
U.S. presidents have spotty record on gifts for royal births
By Jessica Yellin, CNN Chief White House Correspondent
July 24, 2013 -- Updated 0151 GMT (0951 HKT)
Watch this video
Perfect gift for royal baby ... a tree?
STORY HIGHLIGHTS
Gifts for William and Catherine's baby must honor special U.S.-UK relationship
William got a gift from Reagans when he was born; brother Harry got nothing
Truman sent telegram for Charles' birth; Coolidge did even less for queen's birth
Protocol expert suggests American-made crafts -- but no silver spoons
Washington (CNN) -- What will the Obamas get the royal wee one? Sources say it's a topic under discussion in the White House and at the State Department.
No baby buggy will do. The president and first lady must find a special gift to honor the special relationship between the United States and the United Kingdom.
Kate and William bring home royal baby boy
The payload works in exactly the same way as this fake Facebook spam earlier today and consists of a hacked GoDaddy domain (nphscards.com) hosted on 162.216.18.169 by Linode.
"You requested a new Facebook password" spam / nphscards.com
This fake Facebook spam leads to malware on nphscards.com:
Date: Wed, 24 Jul 2013 11:22:46 -0300 [10:22:46 EDT]
From: Facebook [update+hiehdzge@facebookmail.com]
Subject: You requested a new Facebook password
Hello,
You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes through a legitimate hacked site and then through one or both of these following scripts:
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js
The victim is then directed to [donotclick]nphscards.com/topic/accidentally-results-stay.php (report here) which appears to be 403ing, but this may just be trickery. The site is hosted on 162.216.18.169 (Linode, US) and the domain nphscards.com itself appears to have been hijacked from GoDaddy. The domain nphssoccercards.com is also on the same server and is probably hijacked.
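The spam posts above (the fax report, the two CNN lures and this Facebook one) all share the same shape: defanged "[donotclick]host/path" indicators for the intermediary .js scripts and the .php landing page, plus an IP and sometimes a CIDR the author suggests blocking. As an added example (not the blog's own tooling), this Python turns those indicator lines into the two stages of the chain and checks candidate IPs against the suggested /28; the sample lines are copied from the posts and the blocklist check uses the 184.95.37.96/28 range named above.

```python
import ipaddress
from urllib.parse import urlsplit

DEFANG = "[donotclick]"

# Constructed sample input: indicator lines in the blog's "[donotclick]" defanged form
# (copied from the Facebook post above) and the /28 suggested in the fax-report post.
SAMPLE_INDICATORS = """
[donotclick]ftp.thermovite.de/kurile/teeniest.js
[donotclick]traditionlagoonresort.com/prodded/televised.js
[donotclick]nphscards.com/topic/accidentally-results-stay.php
"""
SAMPLE_BLOCKS = ["184.95.37.96/28"]


def parse_indicators(text):
    """Yield (host, path) for each defanged '[donotclick]host/path' line; other lines are skipped."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(DEFANG) or line in seen:
            continue  # prose, blank lines and repeats carry no new indicator
        seen.add(line)
        url = line[len(DEFANG):]
        if "://" not in url:
            url = "http://" + url  # urlsplit only finds a netloc when a scheme is present
        parts = urlsplit(url)
        if parts.hostname:
            yield parts.hostname, parts.path


def chain_stages(text):
    """Group indicators into the two stages the posts describe: .js intermediaries, then the landing page."""
    stages = {"scripts": [], "landing": []}
    for host, path in parse_indicators(text):
        stages["scripts" if path.endswith(".js") else "landing"].append(host)
    return stages


def blocked_networks(cidrs):
    """Parse CIDR strings such as '184.95.37.96/28' into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_blocked(ip, networks):
    """True if the address falls inside any of the recommended block ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    print(chain_stages(SAMPLE_INDICATORS))
    nets = blocked_networks(SAMPLE_BLOCKS)
    for ip in ("184.95.37.110", "162.216.18.169"):
        print(ip, "blocked" if is_blocked(ip, nets) else "not blocked")
```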