These domains are used for dynamic DNS and are operated by a company called Dyn, who offer a legitimate service, but unfortunately it is abused by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.
Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will block some legitimate sites, primarily webcams and access to home PCs, so bear this in mind if you choose to do so.
Sites below listed in yellow have been identified as having some malware by Google; ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL. The links go to the Google diagnostic page.
Tuesday, 12 November 2013
Dynamic DNS sites you might want to block, 12/11/13
Labels: Dynamic DNS, Malware
Monday, 11 November 2013
"Consumer Benefit Ltd" adware sites to block
A couple of network blocks came to my attention after investigating some adware, ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report), both in C:\WINDOWS\SYSTEM32.
The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:
netname: Consumer-Benefit-AV-NET
descr: Consumer Benefit LTD
descr: Suite F 1st floor, New City Chambers
descr: 36 Wood Street
descr: WF1 2HB Wakefield
country: GB
admin-c: KH2166-RIPE
tech-c: PLN
status: ASSIGNED PA
mnt-by: PLUSLINE-MNT
source: RIPE # Filtered
The problem is that there is no active company in the UK called Consumer Benefit Ltd. There was a short-lived Manchester company, number 06505446, which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.
Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address:
Registry Registrant ID:
Registrant Name: whois Protect Service
Registrant Organization:
Registrant Street: Suite F 1st floor, New City,
Registrant Street: Chambers, 36 Wood Street
Registrant City: Wakefield
Registrant State/Province: GB
Registrant Postal Code: WF1 2HB
Registrant Country: GB
Registrant Phone: +44.7077087721
Registrant Phone Ext:
Registrant Fax: +44.7077087502
Registrant Fax Ext:
Registrant Email: whois@sl.to
One .com using services in this range with apparently genuine details is ns-lookups.com:
Registry Registrant ID:
Registrant Name: Andrea Bégerová
Registrant Organization: BA Market Slovakia s. r. o.
Registrant Street: Klincová 37/B
Registrant City: Bratislava
Registrant State/Province: Slovenská Republika
Registrant Postal Code: 821 08
Registrant Country: SK
Registrant Phone: +421.259348122
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@bam-sk.com
Also hosted are some .to domains with anonymous registration, plus some German domains, the only one of which with reliable WHOIS details seems to be gutscheinfilter.de, registered to:
Type: PERSON
Name: Frank Dümpelmann
Organisation: Domport GmbH & Co KG
Address: Markt 32
PostalCode: 18273
City: Güstrow
CountryCode: DE
Phone: +49-9001-118840
Fax: +49-9001-118860
Email: adminc@domport.de
Domport seem to be involved in domain parking and they have their own range of 212.19.39.192/28 that they use for this.
The adware in question attempted to call home to the following URLs:
f05e0362515f5125.srv.gutscheinfilter.de
dce645501bc1af9f.srv.ns-lookups.com
a.ns-lookups.com/updatecheck
Anyway, the following domains and IPs are all part of these "Consumer Benefit Ltd" ranges, appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
Labels: Adware
Sunday, 10 November 2013
"African Development Humanitarian Council" (adhcouncil.org) scam
This spam promotes the non-existent African Development Humanitarian Council purportedly with a web address of adhcouncil.org:
From: camara amadu [camaraamadu9@gmail.com]
To: davisaentltd@rediffmail.com
Date: 10 November 2013 14:23
Subject: FOOD STUFF NEEDED URGENTLY
Signed by: gmail.com
African Development Humanitarian Council
http://www.rediffmail.com/cgi-bin/red.cgi?account_type=1&red=http://www.adhcouncil.org.
Is ready to purchase the listed bellow foodstuffs.
1. Rice
2. Beans
3. Milk
4. Sugar
5. Vegetable Oil
6. Onion
7. Cement
As an authorised foodstuffs agent. This is 2013 foodstuffs supply
contract project from African Development Humanitarian Council
http://www.rediffmail.com/cgi-bin/red.cgi?account_type=1&red=http://www.adhcouncil.org.
The foodstuffs is for the sustenance of refugees of war affected
countries, Like Côte d'Ivoire, Somalia, Sudan, Liberia and others.
Payment has been made to be 100% full payment by Telegraphic swift
Transfer (T/T) after signing of the contract agreement with the
contract awarding board of directors in Mali.
If your Company can supply any of these products please reply me, then
I will help you to get the contract through my office. You will
receive the complete payment of the contract value before shipping
your goods. Port of destination is TOGO LOME Sea Port.
Best Regards,
Mr. Camara
Tel..........+223 71878900
Skype......amadu.camara36
The email solicits replies to camaraamadu9@gmail.com and was sent to a spam trap. The "African Development Humanitarian Council" does not exist (although there are many agencies with similar names) and the domain adhcouncil.org was registered in April with fake WHOIS details. Of course, the spammer might not be associated with the domain name, but in any case the whole lot is some sort of scam and should be avoided.
It's hard to say exactly what the scam is. Probably some sort of advanced fee fraud, but in any case you should ignore this particular solicitation.
Labels: Advanced Fee Fraud, Scam, Spam
Friday, 8 November 2013
"Voicemail Message" spam / MSG00049.zip and MSG00090.exe
Another day, yet another fake voicemail message spam with a malicious attachment:
Date: Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From: Voicemail [user@victimdomain.com]
Subject: Voicemail Message
IP Office Voicemail redirected message
Attached is a file MSG00049.zip, which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47. Automated analysis [1] [2] shows an attempted connection to seminyak-italian.com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server; I cannot vouch for whether they are safe or not.
Labels: EXE-in-ZIP, Malware, Spam, Viruses
Malware sites to block 8/11/2013 (Nuclear EK)
The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google.
The domains are being used with subdomains, so they don't resolve directly. I have identified 3768 domains in this OVH range, allocated to:
CustName: Private Customer
Address: Private Residence
City: Penziatki
StateProv:
PostalCode: 430000
Country: RU
RegDate: 2013-08-12
Updated: 2013-08-12
Ref: http://whois.arin.net/rest/customer/C04668267
(Hat tip to a contact who originally flagged the infection up, I just added a bit more research. If you're reading this you know who you are)
The subdomains can be found in this file [csv], but as it is almost certainly incomplete it is simpler to use the blocklist below:
Labels: Evil Network, Malware, Viruses
Thursday, 7 November 2013
Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost
This fake Financial Times spam is a bit of a mystery:
From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help
Dear British businessman,
We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.
As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.
We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.
If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.
Send us an E-mail at eu@ft-survey.com with the following information:
If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;
Thank you so much for your help and contribution.
The Financial Times Survey Team,
eu@ft-survey.com
There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.
So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.
Next, ft-survey.com is hosted and receives mail on 204.188.238.143 which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:
%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-1.5.9.6)
network:Auth-Area:204.188.192.0/18
network:Class-Name:network
network:OrgName:AlfainHost
network:OrgID;I:MADIH-ULLAH-RIAZ
network:Address:Clifton Court #16
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:74400
network:Country:PK
network:NetRange:204.188.238.140 - 204.188.238.143
network:CIDR:204.188.238.140/30
network:NetName:AlfainHost-204.188.238.140
network:OrgAbuseHandle:MADIH-ULLAH-RIAZ
network:OrgAbuseName:ABUSE department
network:OrgAbusePhone:923218913810
network:OrgAbuseEmail:madihrb@alfainhost.com
network:OrgNOCHandle:NOC2002-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-846-7642
network:OrgNOCEmail:abuse@sharktech.net
network:OrgTechHandle:TMT-ARIN
network:OrgTechName:Tim Timrawi
network:OrgTechPhone:+1-312-846-7642
network:OrgTechEmail:timt@sharktech.net
network:RegDate:20130723
network:Updated:20131106
It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, 204.188.238.143 appears to host a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire 204.188.238.140/30 block, more of which below.
The email headers are also suspect, and appear to show an originating IP of 94.21.75.226 (a Digi Ltd customer in Hungary) misusing a PHP script on rockyourworldsummit.com, 66.147.242.87 (Unified Layer, US), which then bounces mail through a mailserver on 67.222.51.224 (also Unified Layer).
Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (67.222.51.224)
by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (66.147.242.87)
by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([127.0.0.1]:41772 helo=box487.bluehost.com)
by box487.bluehost.com with esmtp (Exim 4.80)
(envelope-from <bigspark@box487.bluehost.com>)
id 1VeUnD-0006y7-Se
for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for 94.21.75.226
From: The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]
The domains hosted on 204.188.238.140/30 look rather phishy and spammy; download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites, and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will leave you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.
Quite what the point of this spam is I do not know; however, I suspect that answering the so-called survey will open you up to other attacks including spear phishing.
"You received a voice mail" spam / Voice_Mail.exe
This fake voice mail spam has a malicious attachment:
Date: Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From: Microsoft Outlook [no-reply@victimdomain.net]
Subject: You received a voice mail
You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
Caller-Id: 698-333-5643
Message-Id: 80956-84B-12XGU
Email-Id: [redacted]
This e-mail contains a voice message.
Double click on the link to listen the message.
Sent by Microsoft Exchange Server
Attached is a zip file in the format Voice_Mail_recipientname.zip, which in turn contains a malicious file Voice_Mail.exe with an icon to make it look like an audio file. VirusTotal detection for that is 7/47, and automated analysis tools [1] [2] show an attempted connection to amazingfloorrestoration.com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious.
Labels: EXE-in-ZIP, Malware, Singapore, Spam, Viruses
Wednesday, 6 November 2013
"Voice Message from Unknown" spam / VoiceMail.zip
This fake voice mail spam comes with a malicious attachment:
Date: Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From: Administrator [voice9@victimdomain]
Subject: Voice Message from Unknown (886-966-4698)
- - -Original Message- - -
From: 886-966-4698
Sent: Wed, 6 Nov 2013 22:22:28 +0800
To: recipients@victimdomain
Subject: Private Message
The email appears to come from an email address on the victim's own domain, and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip, which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.
This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.
Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
Those domains are consistent with the ones compromised here and it is likely that they have all also been compromised.
Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com
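The /28 reasoning above (take the IP the sandbox reported, clear the low four host bits, and treat the 16 addresses of that block as suspect) is easy to mechanise. The following Python is an added example written for this page, not the blog's own tooling: it groups the callback IPs quoted in this and the earlier Xeex posts by their enclosing /28 and checks whether a given address is already covered by the recommended blocklist. The IPs and hostnames come from the posts; the `PREFIXLEN` constant and the function names are my own.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PREFIXLEN = 28  # Xeex appears to suballocate in /28 (16-address) blocks

# Callback IPs and hostnames quoted in the sandbox reports on this page.
OBSERVED = {
    "216.151.138.243": "twitterbacklinks.com",
    "69.26.171.179": "bookmarkingbeast.com",
    "69.26.171.181": "allisontravels.com",
    "69.26.171.182": "robotvacuumhut.com",
    "69.26.171.187": "bulkbacklinks.com",
}

# The two ranges the post recommends blocking.
RECOMMENDED_BLOCKS = ["69.26.171.176/28", "216.151.138.240/28"]


def enclosing_block(ip: str, prefixlen: int = PREFIXLEN) -> ipaddress.IPv4Network:
    """Return the /prefixlen network that contains ip (host bits cleared).

    strict=False makes ipaddress zero the host bits instead of raising
    because e.g. 216.151.138.243/28 is not itself a network address.
    """
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def group_by_block(observed: Dict[str, str],
                   prefixlen: int = PREFIXLEN) -> Dict[str, List[Tuple[str, str]]]:
    """Map each enclosing block to the (ip, hostname) pairs seen inside it."""
    groups = defaultdict(list)
    for ip, host in observed.items():
        groups[str(enclosing_block(ip, prefixlen))].append((ip, host))
    return dict(groups)


def covered_by(ip: str, blocks: List[str]) -> Optional[str]:
    """Return the first block that contains ip, or None if it is unblocked."""
    addr = ipaddress.ip_address(ip)
    for block in blocks:
        if addr in ipaddress.ip_network(block, strict=False):
            return block
    return None


if __name__ == "__main__":
    for block, members in sorted(group_by_block(OBSERVED).items()):
        print(f"{block} ({ipaddress.ip_network(block).num_addresses} addresses)")
        for ip, host in members:
            print(f"    {ip:<16} {host}")
    # An address in the same /28 as twitterbacklinks.com is caught;
    # the address one below the block boundary is not.
    for probe in ("216.151.138.250", "216.151.138.239"):
        print(probe, "->", covered_by(probe, RECOMMENDED_BLOCKS))
```

Run it and the two blocks print with four Xeex hosts in 69.26.171.176/28 and one in 216.151.138.240/28; the probe just below the boundary (216.151.138.239) correctly falls outside the recommended ranges, which is the kind of off-by-one worth checking before a range goes into a firewall.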
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Xeex
"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit
This fake invoice email leads to a malicious Word document:
From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd
Dear Customer :
Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Victoria Commercial Ltd
The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs to the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.
Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.
A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com
It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60
feed404.dnsquerys.com
feeds.nsupdatedns.com
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.org
feed404.dnsquerys.org
feed.queryzdnsz.org
static.invoice-appmy.com
vantageone.co.uk
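The blocklists in these posts mix single IPs, CIDR ranges and hostnames. One way to turn such a list into something a resolver will actually enforce is a DNS Response Policy Zone (RPZ): a QNAME trigger (`example.com CNAME .`, plus a `*.example.com` wildcard for its subdomains) returns NXDOMAIN for the name, and an IP trigger (`<prefixlen>.<reversed octets>.rpz-ip CNAME .`) does the same for any answer that resolves into the range. The generator below is an added example, not the blog's or any resolver vendor's code: it classifies each entry, refuses anything it cannot classify rather than silently dropping it, and emits the zone records, using a subset of this post's blocklist as constructed input. The zone name and SOA values are placeholders.

```python
import ipaddress
import re
from typing import List, Tuple

# Subset of the recommended blocklist above (constructed sample input).
BLOCKLIST = [
    "118.67.250.91",
    "158.255.2.60",
    "216.151.138.240/28",
    "feed404.dnsquerys.com",
    "feeds.nsupdatedns.com",
    "static.invoice-appmy.com",
    "vantageone.co.uk",
]

# Conservative hostname syntax: dotted labels of letters, digits and hyphens,
# no leading or trailing hyphen, at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def classify(entry: str) -> str:
    """Return 'ip', 'cidr', 'host' or 'invalid' for one blocklist line."""
    entry = entry.strip()
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "cidr"
    except ValueError:
        pass
    return "host" if HOSTNAME_RE.match(entry) else "invalid"


def rpz_ip_trigger(network: str) -> str:
    """Build the rpz-ip owner name: prefix length, then reversed octets."""
    net = ipaddress.ip_network(network, strict=False)  # a bare IP becomes /32
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def rpz_records(blocklist: List[str]) -> List[Tuple[str, str]]:
    """Return (owner, rdata) pairs; 'CNAME .' is the RPZ NXDOMAIN action."""
    records = []
    for entry in blocklist:
        kind = classify(entry)
        if kind in ("ip", "cidr"):
            records.append((rpz_ip_trigger(entry), "CNAME ."))
        elif kind == "host":
            host = entry.strip().lower().rstrip(".")
            records.append((host, "CNAME ."))          # the name itself
            records.append((f"*.{host}", "CNAME ."))   # and every subdomain
        else:
            # A typo or a fused line should stop the build, not vanish.
            raise ValueError(f"unrecognised blocklist entry: {entry!r}")
    return records


def render_zone(blocklist: List[str], zone: str = "rpz.local") -> str:
    """Render a minimal RPZ zone file (placeholder zone name and SOA)."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 2013110601 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    lines += [f"{owner} IN {rdata}" for owner, rdata in rpz_records(blocklist)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_zone(BLOCKLIST), end="")
```

Owner names are relative to `$ORIGIN`, which is how RPZ triggers are written; the target `.` is absolute. Note the trade-off the wildcard makes: blocking `vantageone.co.uk` this way also blocks every name under it, which is what you want for a throwaway C2 domain but worth a second look for a hacked legitimate site like this one.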
Labels:
Endurance International Group,
Malware,
Microsoft,
Spam,
Viruses
Tuesday, 5 November 2013
USPS spam / Label_442493822628.zip
This fake USPS spam has a malicious attachment:
Date: Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From: USPS Express Services [service-notification@usps.gov]
Subject: USPS - Missed package delivery
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
Label: 442493822628
Print this label to get this package at our post office.
Please attention!
For mode details and shipping label please see the attached file.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
USPS Logistics Services.
CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You
The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46. Automated analysis [1] [2] shows an attempted connection to sellmakers.com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised.
Labels:
EXE-in-ZIP,
Malware,
Spam,
USPS,
Viruses
"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip
This fake ACH (or is it Paychex?) email has a malicious attachment:
Date: Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From: "Paychex, Inc" [paychexemail@paychex.com]
Subject: ACH Notification : ACH Process End of Day Report
Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.
Thank you for your cooperation.
Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.
The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2] and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Zbot
Monday, 4 November 2013
"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe
This fake SAGE spam has a malicious attachment:
Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage.co.uk]
Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.
Sincerely,
Bernice Swanson
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with an icon that makes it look like an Excel spreadsheet.
This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] show an attempted connection to goyhenetche.com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones too.
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses
CCDCOE.org "Information Security Audit" spam
Here's a weird spam email..
From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit
Dear Sir,
I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.
Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.
The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.
It is strongly recommended that you pay attention to this fact.
For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.
Sincerely,
Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence
E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia
The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.
However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ADSL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.
A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.
Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99]) by
dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200
Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781) by ccdcoe.org (Postfix) with SMTP
id gkuuqe31b7s45.9.2013.11.04.59.56; Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE
I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this which has not been seen yet?
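Reading the chain the way the post does (trust only the hop your own MTA wrote, treat everything below it as sender-supplied) can be automated. The following Python is an added example, not the blog's tooling: it parses the Received headers quoted above, takes the connecting IP recorded by the topmost hop as the only origin the sender could not forge, and flags the inconsistencies a reviewer would look for: a HELO name that does not match the host name, a `by` host that does not match what the hop above says it received from, and a private address appearing in a sender-supplied hop. The header text is the one quoted above, re-folded with leading whitespace as it would appear in a raw message; the `Hop` dataclass and the function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The Received chain quoted above, re-folded (constructed sample; the
# receiving host is [redacted] on the page and is kept that way here).
RAW_HEADERS = """\
Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
  by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99]) by
  dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200
Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
  2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781) by ccdcoe.org (Postfix) with SMTP
  id gkuuqe31b7s45.9.2013.11.04.59.56; Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
Subject: Information Security Audit
"""

IP_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b")


@dataclass
class Hop:
    name: Optional[str]  # host the receiving MTA says it was contacted by
    helo: Optional[str]  # name the client announced in HELO/EHLO
    ip: Optional[str]    # connecting IP as recorded by the receiving MTA
    by: Optional[str]    # the MTA that claims to have written this header


def unfold(headers: str) -> List[str]:
    """Join RFC 5322 folded continuation lines back onto their header."""
    out: List[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def parse_received(headers: str) -> List[Hop]:
    """Parse Received: headers top-down (the hop nearest to us comes first)."""
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        # Split into the "from ..." clause and the "by <host>" clause.
        m = re.match(r"(.*?)(?:^|\s)by\s+(\S+)", body)
        from_part, by = (m.group(1), m.group(2)) if m else (body, None)
        tokens = from_part.split()
        if tokens and tokens[0].lower() == "from":
            tokens = tokens[1:]
        m_helo = re.search(r"\(HELO ([^)\s]+)\)", from_part, re.I)
        m_ip = IP_RE.search(from_part)
        hops.append(Hop(name=tokens[0] if tokens else None,
                        helo=m_helo.group(1) if m_helo else None,
                        ip=m_ip.group(1) if m_ip else None,
                        by=by))
    return hops


def true_origin(hops: List[Hop]) -> Optional[str]:
    """Only the topmost hop was written by our own MTA; its recorded IP is
    the one address in the chain the sender could not have invented."""
    return hops[0].ip if hops else None


def findings(hops: List[Hop]) -> List[Tuple[int, str, str]]:
    """Flag hops whose claims disagree with the hop above them."""
    out = []
    for i, hop in enumerate(hops):
        if hop.helo and hop.name and hop.helo.lower() != hop.name.lower():
            out.append((i, "helo-mismatch",
                        f"announced HELO {hop.helo} but named {hop.name}"))
        if i > 0 and hop.by and hops[i - 1].name \
                and hop.by.lower() != hops[i - 1].name.lower():
            out.append((i, "chain-break",
                        f"claims 'by {hop.by}' but hop above received from {hops[i - 1].name}"))
        if i > 0 and hop.ip and ipaddress.ip_address(hop.ip).is_private:
            out.append((i, "private-source",
                        f"{hop.ip} is a private address in a sender-supplied hop"))
    return out


if __name__ == "__main__":
    chain = parse_received(RAW_HEADERS)
    print("true origin:", true_origin(chain))
    for idx, kind, detail in findings(chain):
        print(f"hop {idx}: {kind}: {detail}")
```

On the headers above this reports the origin as 213.157.216.139 and flags hop 1 twice (HELO `ccdcoe.org` on a host named `mx1.zone.ee`, and a `by` name that does not match what hop 0 received from), hop 2 for claiming to be `ccdcoe.org` when hop 1 named `mx1.zone.ee`, and hop 3 for the private 10.1.1.218 source; that is the spoofed Estonian chain the post describes, derived mechanically.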
Wednesday, 30 October 2013
"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com
Date: Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From: eFax Corporate [message@inbound.efax.com]
Subject: Corporate eFax message from "673-776-6455" - 2 pages
Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.
-----------------------
Date: Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From: eFax Corporate [message@inbound.efax.com]
Subject: Corporate eFax message from "877-579-4466" - 5 pages
Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.
Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.
This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.
Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.
Something evil on 144.76.207.224/28
The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].
This is a Hetzner IP range suballocated to:
inetnum: 144.76.207.224 - 144.76.207.239
netname: SPHERE-LTD
descr: Sphere LTD.
country: DE
admin-c: AR10715-RIPE
tech-c: AR10715-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
source: RIPE # Filtered
person: Alexander Redko
address: Russia, 107031, Moscow, Proezd Dmitrosvkiy 8
phone: +79104407852
nic-hdl: AR10715-RIPE
mnt-by: HOS-GUN
source: RIPE # Filtered
Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious:
1valubin.info
2valubin.info
3valubin.info
4valubin.info
5valubin.info
6valubin.info
7valubin.info
8valubin.info
9valubin.info
10valubin.info
11valubin.info
12valubin.info
13valubin.info
14valubin.info
1togenhaym.info
2togenhaym.info
3togenhaym.info
4togenhaym.info
5togenhaym.info
6togenhaym.info
7togenhaym.info
8togenhaym.info
9togenhaym.info
10togenhaym.info
11togenhaym.info
12togenhaym.info
13togenhaym.info
14togenhaym.info
15togenhaym.info
16togenhaym.info
17togenhaym.info
poovergosa.info
galikvento.info
I would recommend blocking all those domains plus the 144.76.207.224/28 range.
Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges that I can find.
5.9.217.0/26
5.9.249.112/28
5.9.255.192/27
46.22.212.16/28
78.46.169.160/27
78.47.67.128/29
78.47.217.112/28
80.79.117.168/29
80.79.118.132/30
80.79.118.252/30
88.198.103.96/28
144.76.192.96/27
144.76.207.224/28
195.2.252.0/23
195.88.208.0/23
Labels:
Evil Network,
Magnitude,
Malware,
Viruses
Tuesday, 29 October 2013
Suspect network: 69.26.171.176/28
69.26.171.176/28 is a small network range suballocated from Xeex to the following person or company, which appears to have been compromised.
%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network
There are three very recent Malwr reports involving sites in this range:
69.26.171.179 - bookmarkingbeast.com
69.26.171.181 - allisontravels.com
69.26.171.182 - robotvacuumhut.com
As a precaution, I would recommend temporarily blocking the whole range. These other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection:
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com
Labels:
Hacked sites,
Malware,
Viruses,
Xeex
"Division of Unemployment Assistance" spam / attached_forms.exe
This spam comes with a malicious attachment:
Date: Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From: "info@victimdomain" [info@victimdomain]
Subject: [No Subject]
A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:
Provide Wage and Separation information (Form 1062/1074)
And/or
Provide Separation Pay Information
If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, please print attached claim (file) and
complete any outstanding forms.
This message may contain privileged and/or confidential information. Unless you are the
addressee (or authorized to receive for the addressee), you may not use, copy,
disseminate, distribute or disclose to anyone the message or any information contained in
the message.
Attached is a file with the rather long name of case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46 and automated analysis [1] [2] shows an attempted connection to bookmarkingbeast.com on 69.26.171.179 (Xeex Communications, US). That's just two IP addresses away from this other Xeex server mentioned here. I strongly suspect that there is a problem with servers in the 69.26.171.176/28 range so you might want to block those temporarily. This range is suballocated from Xeex to:
%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Xeex
Something evil on 82.211.31.147
Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2].
The following domains and subdomains are associated with this IP address. I recommend blocking them, or more easily the IP address itself.
(Note: this is an updated and shorter version than in the original post.)
civuxedajijo.biz
civuxedajijo.com
civuxedajijo.info
civuxedajijo.net
civuxedajijo.org
cytisyzahafo.info
cytisyzahafo.org
dedukoxejyki.info
dedukoxejyki.org
dihepopylira.info
dihepopylira.org
fagowemocule.net
ferehehusaro.info
ferehehusaro.org
geqybucubep.biz
geqybucubep.com
geqybucubep.info
geqybucubep.net
geqybucubep.org
herufexejinu.org
hozibojadygu.biz
hozibojadygu.com
hozibojadygu.info
hozibojadygu.net
hozibojadygu.org
kywyjolahoq.info
kywyjolahoq.net
kywyjolahoq.org
lugifosuwap.info
lugifosuwap.org
lunyhoqagotu.biz
lunyhoqagotu.com
lunyhoqagotu.info
lunyhoqagotu.net
lunyhoqagotu.org
nisahybonub.biz
nisahybonub.com
nisahybonub.info
nisahybonub.net
rycarimijoje.biz
rycarimijoje.com
rycarimijoje.info
rycarimijoje.net
rycarimijoje.org
sinigumawup.info
sinigumawup.org
vumytataciza.biz
vumytataciza.com
vumytataciza.info
vumytataciza.net
vumytataciza.org
zepykedaluto.biz
zepykedaluto.com
zepykedaluto.info
zepykedaluto.net
zepykedaluto.org
cassetewrt.biz
cassetewrt.com
cassetewrt.info
cassetewrt.net
cassetewrt.org
childho.com
childho.info
childho.net
childho.org
childhoodhnj.biz
childhoodhnj.com
childhoodhnj.info
childhoodhnj.net
childhoodhnj.org
cytisyzahafo.com
cytisyzahafo.net
delitenaryx.net
delitenaryx.us
dihepopylira.biz
dihepopylira.com
dihepopylira.net
dusixibanej.info
dusixibanej.net
dusixibanej.org
dusixibanej.us
fagowemocule.com
fagowemocule.info
ferehehusaro.biz
ferehehusaro.com
ferehehusaro.net
foqanapybiq.biz
foqanapybiq.com
foqanapybiq.info
foqanapybiq.net
foqanapybiq.org
geqybucube.biz
geqybucube.com
geqybucube.net
gonohulovene.net
guxulekabac.biz
guxulekabac.com
guxulekabac.info
guxulekabac.net
guxulekabac.org
hiluposukux.net
hiluposukux.org
hogyverysopi.biz
hogyverysopi.com
hogyverysopi.info
hogyverysopi.net
hogyverysopi.org
identitysdf.biz
identitysdf.com
identitysdf.info
identitysdf.net
identitysdf.org
kyqozozijugy.com
kyqozozijugy.info
kyqozozijugy.net
kyqozozijugy.org
letecaqawuxa.com
letecaqawuxa.info
letecaqawuxa.net
letecaqawuxa.org
lugifosuwap.biz
lugifosuwap.com
lugifosuwap.net
qegihugob.com
qegihugob.info
qegihugob.net
qegihugob.org
qegihugobag.com
qegihugobag.info
qegihugobag.net
qegihugobag.org
qynekugajyj.com
qynekugajyj.info
qynekugajyj.net
qynekugajyj.org
rekarunezyvi.net
signingnm.biz
signingnm.com
signingnm.info
signingnm.net
signingnm.org
sinigumawup.com
sinigumawup.net
tabletbvn.biz
tabletbvn.com
tabletbvn.net
tabletbvn.org
zobecokiloca.biz
zobecokiloca.com
zobecokiloca.info
efuvwguvoum.mine.nu
brbhogbfxxgu.mine.nu
ydmxkkyiqhiu.mine.nu
cppeklsmuexss.mine.nu
fhqfohlvdihxk.mine.nu
feqbesisuqi.blogdns.net
qhghiflvncq.blogdns.net
tilhuvmdefwu.gotdns.org
xjjfgjljivir.gotdns.org
dohotbiyotfx.blogdns.net
rqbiyiidrcrj.blogdns.net
ulchtvrwuvtnl.gotdns.org
pcowstdlxmd.for-our.info
dbgjkrymwqhgwcrxs.mine.nu
iykhbgluscjlbt.gotdns.org
tpvdjxyneijvwhlpxw.mine.nu
nomojmvmkmloxc.blogdns.net
kvworynoybhmxhv.gotdns.org
kwxlmthghilglps.gotdns.org
yibjilgetfssusp.gotdns.org
wnhsslxbrwtwc.for-our.info
cnlfdlfttgnmgks.blogdns.net
eyrdiygbcwkssld.blogdns.net
syieiqlwijppljs.blogdns.net
qjkmgebqexfgwyhe.gotdns.org
cwxqkwglydvwvnigepnf.mine.nu
kudtgttrrlyxibqhttgv.mine.nu
kxtrkjpihconmvhwfsps.mine.nu
wgsdqrgmpcbxhenujrub.mine.nu
hdledvwqiiyektoq.blogdns.net
huxvcjbdkycohlkg.blogdns.net
jlhyrfjbnwfcuyhd.blogdns.net
rkbyifuckfvgjqqk.blogdns.net
vfnxdwquisqdyxjk.blogdns.net
xhipdqfcvlukkgbj.blogdns.net
eimvggsifelgrmh.for-our.info
swlhtfbvqyjspng.for-our.info
mggkitlimroemebpnxobd.mine.nu
ershitlccewsljyou.blogdns.net
yqvvsfvsiswkjjipq.blogdns.net
gmldxogembxcuftnpo.gotdns.org
sljrowpdwiydhesmtx.gotdns.org
xkykencovusmcgxefn.gotdns.org
fxnbonjidwnsrpwp.for-our.info
puywylsnmkjuculhuo.blogdns.net
ubkdjenlfqiwdrvrmy.blogdns.net
gxtvostqmdlnvdvshmp.gotdns.org
imhsupwkkqcshqtowwd.gotdns.org
ptgssluejuimsnqljtf.gotdns.org
rprylexfclxbfdwffru.gotdns.org
xrffskqnesvosqydnwo.gotdns.org
enbiumecswjwbudrh.for-our.info
jrlqfbdtjppvbdhocjo.blogdns.net
nykqxjyihvcibbdwedp.blogdns.net
sbvhhiqnhxfutfktvet.blogdns.net
tgiglyojdggtsfevfvx.blogdns.net
jcgosegivocugffhhx.for-our.info
ucexdvultugwnnigkt.for-our.info
rhdsenonxuohknxhkrlg.blogdns.net
kxjhuuvdnguhwhxhqkmuk.gotdns.org
msxtfwbcupycminnlfihr.gotdns.org
pwhwjmbdrtummlxwhulxt.gotdns.org
rvfyeqfpgxleppjibyues.gotdns.org
xocxtcgbdujvvlphskrtq.gotdns.org
ffemcdevbudrefxswcx.for-our.info
hqoubobqtbowsceoyyqib.blogdns.net
wsbexuveyriuqurvjpxgg.blogdns.net
kecnbcjdtnirgfsekqrrk.for-our.info
trdhhkkkyjkwmyiqnlwyy.for-our.info
tkjesdouypdw.is-a-personaltrainer.com
cchllttcnxvur.is-a-personaltrainer.com
xxoyqcpvhhjycp.is-a-personaltrainer.com
sbhmdtlxodrnnbsd.is-a-personaltrainer.com
gbhenbnngbsnqggqm.is-a-personaltrainer.com
hurvqrlsoihvmsdge.is-a-personaltrainer.com
thdrugkitlcwbhwhll.is-a-personaltrainer.com
xljgonmwrxntjygnghp.is-a-personaltrainer.com
niflgslwubsdiddjrfdd.is-a-personaltrainer.com
The following domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself.
(Note, this is an updated and shorter version that in the original post)
civuxedajijo.biz
civuxedajijo.com
civuxedajijo.info
civuxedajijo.net
civuxedajijo.org
cytisyzahafo.info
cytisyzahafo.org
dedukoxejyki.info
dedukoxejyki.org
dihepopylira.info
dihepopylira.org
fagowemocule.net
ferehehusaro.info
ferehehusaro.org
geqybucubep.biz
geqybucubep.com
geqybucubep.info
geqybucubep.net
geqybucubep.org
herufexejinu.org
hozibojadygu.biz
hozibojadygu.com
hozibojadygu.info
hozibojadygu.net
hozibojadygu.org
kywyjolahoq.info
kywyjolahoq.net
kywyjolahoq.org
lugifosuwap.info
lugifosuwap.org
lunyhoqagotu.biz
lunyhoqagotu.com
lunyhoqagotu.info
lunyhoqagotu.net
lunyhoqagotu.org
nisahybonub.biz
nisahybonub.com
nisahybonub.info
nisahybonub.net
rycarimijoje.biz
rycarimijoje.com
rycarimijoje.info
rycarimijoje.net
rycarimijoje.org
sinigumawup.info
sinigumawup.org
vumytataciza.biz
vumytataciza.com
vumytataciza.info
vumytataciza.net
vumytataciza.org
zepykedaluto.biz
zepykedaluto.com
zepykedaluto.info
zepykedaluto.net
zepykedaluto.org
cassetewrt.biz
cassetewrt.com
cassetewrt.info
cassetewrt.net
cassetewrt.org
childho.com
childho.info
childho.net
childho.org
childhoodhnj.biz
childhoodhnj.com
childhoodhnj.info
childhoodhnj.net
childhoodhnj.org
cytisyzahafo.com
cytisyzahafo.net
delitenaryx.net
delitenaryx.us
dihepopylira.biz
dihepopylira.com
dihepopylira.net
dusixibanej.info
dusixibanej.net
dusixibanej.org
dusixibanej.us
fagowemocule.com
fagowemocule.info
ferehehusaro.biz
ferehehusaro.com
ferehehusaro.net
foqanapybiq.biz
foqanapybiq.com
foqanapybiq.info
foqanapybiq.net
foqanapybiq.org
geqybucube.biz
geqybucube.com
geqybucube.net
gonohulovene.net
guxulekabac.biz
guxulekabac.com
guxulekabac.info
guxulekabac.net
guxulekabac.org
hiluposukux.net
hiluposukux.org
hogyverysopi.biz
hogyverysopi.com
hogyverysopi.info
hogyverysopi.net
hogyverysopi.org
identitysdf.biz
identitysdf.com
identitysdf.info
identitysdf.net
identitysdf.org
kyqozozijugy.com
kyqozozijugy.info
kyqozozijugy.net
kyqozozijugy.org
letecaqawuxa.com
letecaqawuxa.info
letecaqawuxa.net
letecaqawuxa.org
lugifosuwap.biz
lugifosuwap.com
lugifosuwap.net
qegihugob.com
qegihugob.info
qegihugob.net
qegihugob.org
qegihugobag.com
qegihugobag.info
qegihugobag.net
qegihugobag.org
qynekugajyj.com
qynekugajyj.info
qynekugajyj.net
qynekugajyj.org
rekarunezyvi.net
signingnm.biz
signingnm.com
signingnm.info
signingnm.net
signingnm.org
sinigumawup.com
sinigumawup.net
tabletbvn.biz
tabletbvn.com
tabletbvn.net
tabletbvn.org
zobecokiloca.biz
zobecokiloca.com
zobecokiloca.info
efuvwguvoum.mine.nu
brbhogbfxxgu.mine.nu
ydmxkkyiqhiu.mine.nu
cppeklsmuexss.mine.nu
fhqfohlvdihxk.mine.nu
feqbesisuqi.blogdns.net
qhghiflvncq.blogdns.net
tilhuvmdefwu.gotdns.org
xjjfgjljivir.gotdns.org
dohotbiyotfx.blogdns.net
rqbiyiidrcrj.blogdns.net
ulchtvrwuvtnl.gotdns.org
pcowstdlxmd.for-our.info
dbgjkrymwqhgwcrxs.mine.nu
iykhbgluscjlbt.gotdns.org
tpvdjxyneijvwhlpxw.mine.nu
nomojmvmkmloxc.blogdns.net
kvworynoybhmxhv.gotdns.org
kwxlmthghilglps.gotdns.org
yibjilgetfssusp.gotdns.org
wnhsslxbrwtwc.for-our.info
cnlfdlfttgnmgks.blogdns.net
eyrdiygbcwkssld.blogdns.net
syieiqlwijppljs.blogdns.net
qjkmgebqexfgwyhe.gotdns.org
cwxqkwglydvwvnigepnf.mine.nu
kudtgttrrlyxibqhttgv.mine.nu
kxtrkjpihconmvhwfsps.mine.nu
wgsdqrgmpcbxhenujrub.mine.nu
hdledvwqiiyektoq.blogdns.net
huxvcjbdkycohlkg.blogdns.net
jlhyrfjbnwfcuyhd.blogdns.net
rkbyifuckfvgjqqk.blogdns.net
vfnxdwquisqdyxjk.blogdns.net
xhipdqfcvlukkgbj.blogdns.net
eimvggsifelgrmh.for-our.info
swlhtfbvqyjspng.for-our.info
mggkitlimroemebpnxobd.mine.nu
ershitlccewsljyou.blogdns.net
yqvvsfvsiswkjjipq.blogdns.net
gmldxogembxcuftnpo.gotdns.org
sljrowpdwiydhesmtx.gotdns.org
xkykencovusmcgxefn.gotdns.org
fxnbonjidwnsrpwp.for-our.info
puywylsnmkjuculhuo.blogdns.net
ubkdjenlfqiwdrvrmy.blogdns.net
gxtvostqmdlnvdvshmp.gotdns.org
imhsupwkkqcshqtowwd.gotdns.org
ptgssluejuimsnqljtf.gotdns.org
rprylexfclxbfdwffru.gotdns.org
xrffskqnesvosqydnwo.gotdns.org
enbiumecswjwbudrh.for-our.info
jrlqfbdtjppvbdhocjo.blogdns.net
nykqxjyihvcibbdwedp.blogdns.net
sbvhhiqnhxfutfktvet.blogdns.net
tgiglyojdggtsfevfvx.blogdns.net
jcgosegivocugffhhx.for-our.info
ucexdvultugwnnigkt.for-our.info
rhdsenonxuohknxhkrlg.blogdns.net
kxjhuuvdnguhwhxhqkmuk.gotdns.org
msxtfwbcupycminnlfihr.gotdns.org
pwhwjmbdrtummlxwhulxt.gotdns.org
rvfyeqfpgxleppjibyues.gotdns.org
xocxtcgbdujvvlphskrtq.gotdns.org
ffemcdevbudrefxswcx.for-our.info
hqoubobqtbowsceoyyqib.blogdns.net
wsbexuveyriuqurvjpxgg.blogdns.net
kecnbcjdtnirgfsekqrrk.for-our.info
trdhhkkkyjkwmyiqnlwyy.for-our.info
tkjesdouypdw.is-a-personaltrainer.com
cchllttcnxvur.is-a-personaltrainer.com
xxoyqcpvhhjycp.is-a-personaltrainer.com
sbhmdtlxodrnnbsd.is-a-personaltrainer.com
gbhenbnngbsnqggqm.is-a-personaltrainer.com
hurvqrlsoihvmsdge.is-a-personaltrainer.com
thdrugkitlcwbhwhll.is-a-personaltrainer.com
xljgonmwrxntjygnghp.is-a-personaltrainer.com
niflgslwubsdiddjrfdd.is-a-personaltrainer.com
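The entries above are of two kinds: bare registered domains (dihepopylira.com, foqanapybiq.biz and so on), where the whole domain and everything under it can safely be blocked, and individual customer hostnames under a shared Dyn apex (mine.nu, blogdns.net, gotdns.org, for-our.info, is-a-personaltrainer.com), where only the listed host should be blocked so that other users of that apex keep working. The script below is an added example, not part of the original post: it turns a list in this format into a BIND-style Response Policy Zone (RPZ). The five sample entries are copied from the list above; the zone name, the SOA values and the set of shared apexes are assumptions you would adjust for your own resolver.

```python
"""Turn a dynamic-DNS blocklist into a BIND Response Policy Zone (RPZ).

Added example, not part of the original post.  The sample entries are
copied from the list above; the zone name, SOA values and the decision to
wildcard bare registered domains are assumptions.
"""
import re

# Five entries copied from the list above (constructed sample input).
SAMPLE_ENTRIES = """
dihepopylira.com
foqanapybiq.biz
efuvwguvoum.mine.nu
feqbesisuqi.blogdns.net
tkjesdouypdw.is-a-personaltrainer.com
"""

# Shared Dyn apexes seen in the list (assumed set).  A host under one of
# these is a single customer hostname, so only that host is blocked and the
# shared apex itself is never touched.
SHARED_APEXES = {"mine.nu", "blogdns.net", "gotdns.org",
                 "for-our.info", "is-a-personaltrainer.com"}

# Loose syntactic check so that stray text such as "Labels:" never becomes a record.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def classify(name: str):
    """Return (normalised_name, under_shared_apex)."""
    name = name.strip().lower().rstrip(".")
    for apex in SHARED_APEXES:
        if name.endswith("." + apex):
            return name, True
    return name, False


def rpz_records(entries: str):
    """Yield RPZ resource-record lines.

    In an RPZ, 'name CNAME .' tells the resolver to answer NXDOMAIN for that
    name; the '*.name' record extends the policy to every subdomain, which
    is only done for bare registered domains, not for hosts under a shared apex.
    """
    seen = set()
    for raw in entries.splitlines():
        raw = raw.strip()
        if not raw or not is_hostname(raw.lower()):
            continue
        name, shared = classify(raw)
        if name in seen:
            continue
        seen.add(name)
        yield f"{name} CNAME ."
        if not shared:
            yield f"*.{name} CNAME ."


def build_zone(entries: str, zone: str = "rpz.local", serial: int = 2013103001) -> str:
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    return "\n".join(header + list(rpz_records(entries))) + "\n"


if __name__ == "__main__":
    print(build_zone(SAMPLE_ENTRIES))
```

Feed the whole list in place of SAMPLE_ENTRIES and load the resulting zone with a `response-policy` statement in named.conf (or any resolver that speaks RPZ). Bump the serial whenever the list changes so secondaries pick it up.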
Labels:
Evil Network,
Malware,
Viruses
Wells Fargo "Check copy" spam / Copy_10292013.zip
These fake Wells Fargo spam messages have a malicious attachment. Attached is an archive Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary.
Date: Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From: Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@wellsfargo.com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
--------------------
Date: Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From: Wells Fargo [Leroy.Dale@wellsfargo.com]
Subject: FW: Check copy
We had problems processing your latest check, attached is a image copy.
Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@wellsfargo.com
Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
The VirusTotal detection rate is just 3/47. Automated analysis [1] [2] shows an attempted connection to allisontravels.com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these.
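Because the date is baked into the filename, a static match on Copy_10292013.zip will be stale by tomorrow. The check below is an added example, not part of the original post: it matches the Copy_<MMDDYYYY>.zip naming pattern with a real calendar-date check, opens the archive in memory and looks for executable members by extension (so a double extension like invoice.pdf.exe still counts) or by the "MZ" PE signature, and refuses to inflate oversized members. The archive it builds for itself is a constructed stand-in holding an "MZ" stub, not the real attachment.

```python
"""Flag mail attachments matching the Copy_<MMDDYYYY>.zip + EXE-in-ZIP pattern.

Added example, not from the original post.  The archive built in
make_sample() is constructed test data: a zip holding a stub that merely
starts with the 'MZ' PE signature, not the real malware.
"""
import io
import re
import zipfile
from datetime import datetime

# Naming pattern used by this spam run: Copy_ followed by an 8-digit US date.
NAME_RE = re.compile(r"^Copy_(\d{8})\.zip$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # do not inflate zip bombs


def has_date_stamp(filename: str) -> bool:
    """True if the name is Copy_MMDDYYYY.zip and the digits form a real date."""
    m = NAME_RE.match(filename)
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%m%d%Y")
        return True
    except ValueError:
        return False


def executable_members(data: bytes):
    """Names of zip members that look executable, by final extension or by
    the 'MZ' magic at offset 0 (catches renamed PE files)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if info.filename.lower().endswith(EXEC_EXTS):
                found.append(info.filename)
                continue
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    found.append(info.filename)
    return found


def verdict(filename: str, data: bytes) -> str:
    """'block' when both the campaign naming and an executable inside match,
    'suspicious' for either signal alone or a corrupt zip, else 'allow'."""
    try:
        execs = executable_members(data)
    except zipfile.BadZipFile:
        return "suspicious"       # claims to be a zip but is not one
    stamped = has_date_stamp(filename)
    if stamped and execs:
        return "block"
    if stamped or execs:
        return "suspicious"
    return "allow"


def make_sample(member: str, payload: bytes) -> bytes:
    """Build a constructed in-memory zip for testing (not the real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample("Copy_10292013.exe", b"MZ" + b"\x00" * 62)
    print(verdict("Copy_10292013.zip", sample))
```

At a mail gateway the filename would come from the MIME part and `data` from its decoded body; the same `executable_members()` check is worth running on every zip regardless of name, since only the outer filename changes between runs of this campaign.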
Labels:
EXE-in-ZIP,
Malware,
Spam,
Viruses,
Xeex
Monday, 28 October 2013
Google Ads and #FFF7ED.. what's wrong with this picture?
So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.
Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most expensive search terms to advertise for).
The first three results are advertisements; they are displayed on a very pale pink background with a hex colour of #FFF7ED (compared to #FFFFFF for pure white). Can you see them?
The answer seems to be.. some people can, and some people can't. Now, I am colour blind.. but sometimes I can see the background, but other times it appears to be completely invisible. It really seems to depend on the monitor that I'm using.. it does seem that quite a lot of displays are very poor at displaying that particular colour.
Frankly this sort of thing is poor design, with very similar contrast levels between the two areas that are meant to be distinguishable. The coloured area is about 97% of the brightness of the white area, which isn't enough to make it clear in my opinion.
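The "about 97%" figure is the plain average of the three 8-bit channels of #FFF7ED against #FFFFFF. Eyes do not work that way, so it is worth running the two colours through the sRGB relative-luminance and contrast-ratio formulas from WCAG 2.x. The script below is an added example, not part of the original post; it shows that the perceptual luminance of the ad background is about 94% of white and the contrast ratio between the two is about 1.06:1 (WCAG 2.1 asks for at least 3:1 before a visual boundary counts as distinguishable).

```python
"""Quantify the #FFF7ED-on-#FFFFFF gap with the WCAG 2.x formulas.

Added example, not part of the original post.  Formulas: sRGB transfer
curve inversion, relative luminance L = 0.2126 R + 0.7152 G + 0.0722 B,
and contrast ratio (L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour.
"""


def hex_to_rgb(colour: str):
    colour = colour.lstrip("#")
    return tuple(int(colour[i:i + 2], 16) for i in (0, 2, 4))


def srgb_to_linear(channel: int) -> float:
    """Undo the sRGB transfer curve for one 8-bit channel."""
    c = channel / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(colour: str) -> float:
    r, g, b = (srgb_to_linear(ch) for ch in hex_to_rgb(colour))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def channel_average(colour: str) -> float:
    """The naive 'brightness' figure: mean of the three channels."""
    return sum(hex_to_rgb(colour)) / (3 * 255.0)


def contrast_ratio(fg: str, bg: str) -> float:
    """WCAG contrast ratio; 1.0 means indistinguishable, 21.0 is black on white."""
    l1, l2 = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (l1 + 0.05) / (l2 + 0.05)


def compare(ad_bg: str = "#FFF7ED", page_bg: str = "#FFFFFF"):
    """Both brightness measures as a percentage of the page background, plus
    the contrast ratio between ad background and page background."""
    return {
        "channel_average_pct": 100 * channel_average(ad_bg) / channel_average(page_bg),
        "luminance_pct": 100 * relative_luminance(ad_bg) / relative_luminance(page_bg),
        "contrast_ratio": contrast_ratio(ad_bg, page_bg),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
```

A 1.06:1 ratio is the kind of difference a monitor's default gamma, a slight colour-temperature shift or a bit of ambient light will swallow completely, which matches what the photographs below show.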
Just in case you can't see the ads, here's the same screenshot with a histogram equalise function applied.
Here are the two colours side-by-side. You might find that moving your head from side-to-side will make the colour more apparent, but on some monitors it makes no difference.
The pink background is on the left. Can you see it? On some monitors I can, but on others I can't. So, let's take a photo of one of the monitors that seems to be struggling.
Can you see the difference now? Almost definitely not, because the slight red cast has vanished. And it isn't just one monitor either, this seems to be common among many different monitors that I have looked at. By and large, all these monitors are set to their default settings, but some fiddling around can usually make the background more apparent.. usually at the cost of some weird colours elsewhere.
There is of course a security issue here.. many of these ads are rather misleading. Do a search for download skype (or any other free download) and check the ads that appear (some of which are on the top rather than the side). Do you really want to click those?
No, you probably don't.. but there's a danger with more obscure software that you could end up downloading something that you don't want because the ads are not always easily distinguishable from the real search results. And I have certainly noticed an uptick in crapware installations for people who thought they were downloading an official version of something, only to discover that they are not.
And yes, I do know that the ads show "Ads related to.." above them, but how many ads are there? One? Two? Three? If you can't see the colour then it is hard to tell.
Has something changed? Has Google deliberately chosen a colour that is hard to make out on some monitors? Or do some monitors (and these are mostly mainstream Dell units) have very poor colour fidelity? What do people think?
Labels:
Advertising,
Google