Sponsored by..

Friday, 21 March 2014

"Companies House" spam and 50.116.4.71 (again)

This fake Companies House spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 11:05:35 +0100 [06:05:35 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 8435407 - Companies House

The submission number is: 8435407

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is an archive file CH_Case_8435407.zip which in turn contains the malicious executable CH_Case_21032014.scr which has a VirusTotal detection rate of 3/49.

The Malwr analysis again shows an attempted connection to a Linode IP at 50.116.4.71 using the domain aulbbiwslxpvvphxnjij.biz.

The malware also downloads a config file from a hacked WordPress installation at [donotclick]premiercrufinewine.co.uk/wp-content/uploads/2014/03/2103UKp.qta plus a number of other domains that are not resolving (listed below).

I would recommend that you the following blocklist in combination with this one.

50.116.4.71
aulbbiwslxpvvphxnjij.biz
rovlvhixgqcelzlxheonpfxy.info
hybytqwscguvowbbgwgxijdq.com
jryxtbujvdmceodbegyofrkkr.ru
lncuhmnvlytwsuceijaifaqjrpz.com
mrdlormvvotimfhecueminydrs.info
fytwsqkgindatoahtnbnrzhe.org
tqsdudemkfrcrcutdmvpbuzd.net
doskgacutmvbeztmrirlc.biz
rgolcuhgqsqkgivckfbud.ru
auldivpzxeahilvcyvckrzpbepv.com
hegersdihurwwsdqxkdatclbmryd.net
qwrgldhqtcifymnfyhimjhqdbmir.org
ljxaededaljnrytonhzkzsg.biz
wgtfauchlnhmvskblhiovxwpvh.com
ifwbxfylaimzuwgdyeqgiupl.ru
premiercrufinewine.co.uk

Amazon.co.uk spam, something evil on 50.116.4.71

This fake Amazon.co.uk spam comes with a malicious attachment:

Date:      Fri, 21 Mar 2014 13:40:05 +0530 [04:10:05 EDT]
From:      "AMAZON.CO.UK" [SALES@AMAZON.CO.UK]
Cc:      ; Fri, 21 Mar 2014 13:40:05 +0530
Subject:      Your Amazon.co.uk order ID841-6379889-7781077

Hello,  Thanks for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.  

  
Order Details
Order #799-5059801-3688207  Placed on March 21, 2014 Order details and invoice in attached file.
  
Need to make changes to your order? Visit our Help page for more information and video guides.  
  
We hope to see you again soon.   Amazon.co.uk 

There is an attachment Order details 21.04.2014 Amazon 19-1101.zip which contains a quite large 596Kb malicious executable Order details 21.04.2014 Amazon 19-1101.exe which only has a VirusTotal detection rate of 2/51.

The Malwr analysisis the most comprehensive, and shows that it attempts to phone home to the following domains:

aulbbiwslxpvvphxnjij.biz
hxlbjvgmfzwcbyijzxojcugizd.info
mneudhugiorkbhtpaiuoemydzll.org
mfcyqgeupknhqrwljrprotufm.net
jzfetwydrfachqwgnylbu.com
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
pbzdofdxwokbnrvodiirzqshaem.net
hyvoydfadyxfmjnhmzjbxkgurcbu.org
dacahylpzylydlbgujruzxxrseyt.info
knpzqcaygabuxkcynjaidudceu.biz
soinlzhxohtcazlqkgegtcvxkr.ru
fuzllbxkzhqgrbaonivkzjjzdmjn.com
thicazjzxtxhknyeusx.info
afaxdlrnjdevgddqrcvkdmvemwo.org
kfmfpxtcmrnjgeusirylhrcqfe.biz
hmbcyromzibkpuxfiaetx.com
qoluciztogagugergdqqclxwkaekr.ru
payypdmhxcxxvgvsojdqs.com
pscxwztdudidivhixksrrduda.net
wgpztgpxgonhalcjrpxkau.biz
nrdiqotuoxcbaxokrfqcilcal.info
fycquworzhlmhqthixphq.com
uqgheqtozhrsjqfiaizci.ru
zdeiswsdqnvhleijfzltvwdxc.com

Out of these, aulbbiwslxpvvphxnjij.biz seems to be active on 50.116.4.71 (Linode, US)

Combining the "phone home" domains with the other malicious domains hosted on that IP gives the following recommended blocklist:
50.116.4.71
afaxdlrnjdevgddqrcvkdmvemwo.org
aqllbfahiivcelzqcfmdmoqhwc.com
aulbbiwslxpvvphxnjij.biz
balodcmzlqtcjbhllfwcmmb.biz
batlrintscnbytinqsqgbyvs.info
bqpwkxwsaudhehjzpwsvowcobqk.com
dacahylpzylydlbgujruzxxrseyt.info
dahzlwskgileyplljlhq.org
ddxwnbusvwtwtcfizdmskxso.biz
dgqzkzxsmzqggiwccattorwobfu.ru
duonxdivrwbahpxdpmbzdhm.org
dwsirwclqopforlqkjrdpncqkr.net
eqtvtspngaeixdizhhiqckrged.ru
fqyxcinvcfkfxnltsghahrmn.com
fuzllbxkzhqgrbaonivkzjjzdmjn.com
fycquworzhlmhqthixphq.com
gefifqtwgydaivpjbubuaiwglsrg.org
gqvwwcgqnjrkteyqacrkthfmxk.org
hmbcyromzibkpuxfiaetx.com
hxlbjvgmfzwcbyijzxojcugizd.info
hyvoydfadyxfmjnhmzjbxkgurcbu.org
jzfetwydrfachqwgnylbu.com
kblfxnrltorstolxcgqugbyyl.com
kfmfpxtcmrnjgeusirylhrcqfe.biz
knpzqcaygabuxkcynjaidudceu.biz
li430-71.members.linode.com
lxpvyhnbbmvkkfpbayuomnaqzx.org
lzrrgfmeuucvtpzpvhxdaqcbyay.info
mfcyqgeupknhqrwljrprotufm.net
mneudhugiorkbhtpaiuoemydzll.org
nrdiqotuoxcbaxokrfqcilcal.info
payypdmhxcxxvgvsojdqs.com
pbzdofdxwokbnrvodiirzqshaem.net
pscxwztdudidivhixksrrduda.net
pvgrkzdcidybihtsqweqnbgztjb.com
pypfyinnfhyvxkujlfbmkbdq.com
qmrowchvdejfaauclrfqhx.org
qoluciztogagugergdqqclxwkaekr.ru
rgvoxwhtamqwbuhdvonbnjhytuo.org
rsaspfpzmzrobonylxp.biz
soinlzhxohtcazlqkgegtcvxkr.ru
tceeaaetvgcypqfysqctam.com
thicazjzxtxhknyeusx.info
twdepffvwpxxnbqyhgmtcx.org
uqgheqtozhrsjqfiaizci.ru
wgpztgpxgonhalcjrpxkau.biz
www.aulbbiwslxpvvphxnjij.biz
xaqfmfzxvoxglzofedmjskhatwsw.net
xfmheaqdepbyinkfjbnztemhmvkvk.com
xmjdjbucxwztqoojordmfmzfexc.com
xoxllplffmaknofjbjnkbdisw.com
xpjrvoddmfempuwbymwhejbt.com
zdeiswsdqnvhleijfzltvwdxc.com


Porn site beeg.com hacked, aadserver.com and malware sites to block

This summary is not available. Please click here to view the post.

Thursday, 20 March 2014

Something evil on 66.96.195.32/27

Another bad bunch of IPs hosted by Network Operations Center in Scranton following on from yesterday, this time 66.96.195.32/27 which seems to be more of the same thing.

The exploit kit in question is the Goon EK, as shown in this URLquery report. It seems that it spreads by malicious SWF files being injected into legitimate websites (I think this one, for example).

The easiest thing to do would be to block traffic to 66.96.195.32/27, but I can see the following malicious websites active in that range (all on 66.96.195.49):

uvz.akovikisk.com
ovfvr.akovikisk.com
qn65l.akovikisk.com
ac1e0.alessakyndraenho.com
8dyh.akovikisk.net
y6aoj.akovikisk.net
0hzl.akovikisk.info
cx6n.akovikisk.info
xdxr2.akovikisk.info
where.hotspotingtram.org

Experience with this particular type of exploit kit shows that the bad guys will rotate IPs in the block, so blocking the entire /27 is advised.

At present that consists of just three domains to block, although I suspect there will be more:

akovikisk.com
alessakyndraenho.com
hotspotingtram.org

prospectlist.com / prospectlist.co.uk spam

Never buy email marketing services from spammers.. unless you want your website suspended and reputation trashed. Here's a grubby little spammer using the domains prospectlist.co.uk and prospectlist.com to drive traffic to their grubby little business.

From:     Prospectlist prospectlist@cardwellmarketing.ctml2.com
Reply-To:     sarah.brazier@cardwellmarketing.co.uk
Date:     20 March 2014 10:00
Subject:     Here's the Deal!
Signed by:     ctml2.com

! DOUBLE YOUR TOP 50 CLIENTS!

*Give us the details of your best clients and we will find an additional 50*

ProspectList is the best business partner to supply up to date and accurate data, for you to use on direct mailing or telemarketing campaigns. PLUS, as we are now part of the Cardwell Group, we can even carry out your campaigns for you– offering a One Stop service.

WHY CHOOSE PROSPECTLIST?

With a database of over 2.6 million UK businesses, along with senior decision maker contacts, telephone numbers and emails, we can offer a comprehensive database on many business sectors. Our file is fully compliant to DMA guidelines, is tele-researched, has an update cycle of just 12 months and is ready for you to access TODAY!

CALL US NOW ON 01926 462 917 TO FIND OUT HOW YOU CAN BENEFIT FROM:

Direct Mail | Telemarketing  |  Email Lists  | International Data  |  Consumer Data

Bespoke Researched Data  |  Email Broadcasting  |  Mailing Fulfilment  |  Telemarketing

CONTACT US BY EMAIL
   

REQUEST A CALLBACK

2.6 million trading UK businesses                      Senior decision makers

Fully compliant with MPS/TPS/CTPS                 900k emails

12 months update cycle on 98% of our file       2.1 million contacts

If this email doesn't display properly, you can view it in your web browser

ProspectList | One Athena Court | Athena Drive | Warwick | CV34 6RT
If you no longer wish to receive emails from us, please follow this link

ProspectList claim to be compliant with DMA guidelines, but I certainly never opted-in to this crap. However the DMA is a prime example of why self-regulation fails.. it is run by the direct marketers themselves and in my opinion their regulations don't go far enough to protect people from this sort of unsolicited bulk email.

I've never heard of ProspectList or the Cardwell Group, and they would probably argue that everything they are doing is legal and above board yadayada. I certainly won't be sending any business their way though.

The domain in use for the spam is email.prospectlist.co.uk which forwards to prospectlist.com.
Let's have a look at the WHOIS details to see who exactly is responsible for this domain:

Registrant Name: Ian Merriman
Registrant Organization: Cardwell Intelligence Limited
Registrant Street: Cardwell House, Hook Norton Road
Registrant City: Chipping Norton
Registrant State/Province:
Registrant Postal Code: OX7 5SB
Registrant Country: GB
Registrant Phone: +44.8451306634
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ian.merriman@cardwellmarketing.co.uk


The site is hosted on 176.32.230.28 (Heart Internet, UK). The email is sent through mail132.sgml3.com (37.221.219.132).




Evil network: OVH Canada / r5x.org / Penziatki (updated)

I've covered OVH Canada and their black hat customer r5x.org aka "Penziatki" before. They consistently host exploit kits, and the way that the bad hosts are spread over OVH's network looks like a deliberate attempt at snowshoeing.

The following blocks in the OVH range have hosted malware from this customer. Some of the IPs are identified through my own research, others through OSINT from others, notably Frank Denis, @ReverseChris and .

192.95.6.24/29
192.95.6.92/30
192.95.6.196/30
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.12.56/30
192.95.40.240/30
192.95.41.88/29
192.95.43.160/28
192.95.44.0/27
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
192.95.51.164/30
192.95.58.176/30

198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27

198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.177.120/30
198.50.185.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.116/30
198.50.212.172/30
198.50.216.144/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.241.120/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Given the large number of exploits, you might want to consider a larger pre-emptive block on the OVH Canada ranges if you are in a security-sensitive environment and can live with blocking some of the legitimate sites that OVH also host.

192.95.0.0/16
198.27.0.0/16
198.50.0.0/16


I'll try to keep this blog post updated with more bad OVH Canada ranges as they are brought to my attention. Please consider adding any new information to the Comments if you have some. Thanks!

Wednesday, 19 March 2014

NatWest "You have received a secure message" spam

This fake NatWest spam has a malicious attachment:

Date:      Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From:      NatWest [secure.message@natwest.co.uk]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf
Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51.

Automated analysis tools [1] [2] [3] show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.

199.193.115.111 (NOC4Hosts, US)
droidroots.com
development.pboxhost.com

184.107.149.74 (iWeb, Canada)
2m-it.com
3houd.com

50.116.4.71 (Linode, US)
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com


Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71
droidroots.com
development.pboxhost.com
2m-it.com
3houd.com
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com




Something evil on 64.120.242.160/27

64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here [csv]).

There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.

64.120.242.160/27
asifctuenefcioroxa.net
hukelmshiesuy.net
asifctuenefcioroxa.com
asifctuenefcioroxa.info
bmyahymenylag.com
bmyahymenylag.info
bmyahymenylag.net
briejttobaintwank.com
briejttobaintwank.net
cethadendalbuof.com
cethadendalbuof.info
cethadendalbuof.net
chebuecanuoc.com
chebuecanuoc.info
damaumrloiazsste.com
damaumrloiazsste.info
damaumrloiazsste.net
edjadehegile.com
edjadehegile.info
estebapenghiossewla.com
estebapenghiossewla.info
estebapenghiossewla.net
georgxoianeqnafoni.com
julynoonicl.com
 
blejythecounyful.com
blejythecounyful.net
hanogaveleoy.com
lalaghoaujrnu.info

blejythecounyful.info
briejttobaintwank.info
bychemarlottelan.com
bychemarlottelan.info
bychemarlottelan.net
cunideaflphiae.com
cunideaflphiae.info
cunideaflphiae.net
edjadehegile.net
exyniosehyn.com
exyniosehyn.info
exyniosehyn.net
govlawsdepartment.com
griceumilldevake.com
hanogaveleoy.info
hanogaveleoy.net
harihbisovynangel.com
harihbisovynangel.info
harihbisovynangel.net
hukelmshiesuy.com
hukelmshiesuy.info
kpiaroleeom.com
kpiaroleeom.info
kpiaroleeom.net
lalaghoaujrnu.com
lalaghoaujrnu.net
lawsdepartment.com
lawsdepartmentgov.com
lawsdepartmentgov.net
lawsdepartmentlog.net
lawsdepartmentlogs.net
lawsgovdepartment.com
lawsgovdepartment.net
loryneanlauwvev.com
loryneanlauwvev.info
loryneanlauwvev.net
musxiiccharinbul.com
musxiiccharinbul.info
musxiiccharinbul.net
odtoidcatcarat.com
onivbyeylaxyver.com
onivbyeylaxyver.info
onivbyeylaxyver.net
uxsiekebergatki.com
uxsiekebergatki.info
uxsiekebergatki.net
westemarqannoriw.com
westemarqannoriw.info
westemarqannoriw.net

More OVH Canada hosted exploit kits

I've been a bit tardy with this look at the new OVH Canada ranges exposed by Frank Denis so some of these domains may already been dead.

Yesterday Frank identified three new OVH Canada ranges being used to host the Nuclear EK, again the customer is "r5x.org / Penziatki"

198.50.212.116/30
198.50.131.220/30
192.95.40.240/30


Update: also 192.95.51.164/30 according to this Tweet.

A full list of everything I can find is here [pastebin] but the abused domains that I have identified are:

shallowsvent.ru
riastrait.ru
chasmdell.ru
bararete.ru
overlooktableland.ru
volcanogully.ru
oceanhollow.ru
lavaisthmus.ru
overhangcoastline.ru
archipelagoriver.ru
coralreeflagoon.ru
rivermainland.ru
latitudebayou.ru
playacaldera.ru
morainegulch.ru
loesslakebed.ru
landformvale.ru
domehillside.ru
arroyogulch.ru
firthswamp.ru
coastmound.ru
atolllava.ru
passcove.ru


At a mininum I recommend that you block those IP ranges and/or domains.

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Monday, 17 March 2014

Something evil on 192.95.6.196/30

Another useful tip by Frank Denis on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x.org / Penziatki", this time on 192.95.6.196/30.

The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault.ru
addrela.eu
backinl.org


A full list of the domains I can find in this /30 can be found here [pastebin].

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Salesforce.com "Please respond - overdue payment" spam

This fake Salesforce spam comes with a malicious attachment. Well, actually two malicious attachments..

Date:      Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Please respond - overdue payment
Priority:      High Priority 2

Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Alvaro Rocha

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 
Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49. Automated analysis tools [1] [2] [3] don't give much of a clue as to what is going on here, although you can assume that it is nothing good..

"Your private photos are there for anyone to see. why??" spam

This spam email has a malicious attachment:

Date:      Mon, 17 Mar 2014 13:08:42 +0100 [08:08:42 EDT]
Subject:      Your private photos are there for anyone to see. why??

Sorry to disturb you.Someone sent me thee pictures they seem to be from you and your
boyfriend I'm really troubled by this why do you send your private naked photos around??
this is beyound my understanding. It's in attachment 

The attachment is IMG000003342.zip which somewhat predictably has a malicious executable inside, IMG000003342.exe which has a VirusTotal detection rate of 12/48. Automated analysis tools [1] [2] show that it makes various changes to the system but do not detect any remote hosts contacted.

Injection attack in progress 17/3/14

A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:

fsv-hoopte-winsen.de
grupocbi.com

These are hosted on 82.165.77.21 and 72.47.228.162 respectively.

The malware is resistant to automated tools and redirects improperly-formed attempt to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites and looks similar to this:


This sort of attack has been used to push fake software updates in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains.

Something evil on 198.50.140.64/27

Thanks again to Frank Denis (@jedisct1) for this heads up involving grubby web host OVH Canada and their black hat customer "r5x.org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27.

A full list of all the web sites I can find associated with this range can be found here, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16).

Domains in use that I can identify are listed below. I recommend you block all of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.

Recommended blocklist:

198.50.140.64/27
ingsat.eu
kingro.biz

allnew-overstocked-items.us
auto-policy-june.us
creditscorerangeadvice.com
endenergy-bills.us
endundereyedarkcircles.us
getmatch-on-line.us
godating-thurs.us
gomarine-nows.us
neweyehealth-now.us
new-omeganew.us
nowreverse-new.us
topomegafi-x.us
calculated1.us
advisoracct.us
auto9spec.us
autocquotes.us
brightmangroup.us
car04212.us
dailytips4health.us
estrexpe.eu
facts4burningfat.us
fallspecials1.us
freereview.us
fsaccounting.us
homes1research.us
homesavngs.us
hometactics.us
ieligible.us
imusiche.biz
kleycast.biz
kunstar.eu
maoride.eu
micklet.com
my3newscores.us
myreport3card.us
newdaily-health-tip.us
new-healthtip-today.us
newomegaheartfix.us
newoverstock-now.us
newproprate.us
newvisionsummer.us
note018271.us
rate-changes1.us
ratedropps.us
ratenotice09182.us
renew-autoprotection.us
reportcenter3.us
repostcc.us
sandersonhomes.us
spauto1.us
theactivity3.us
unifiedregister1.us
updateon3report.us
updateratehr.us
updscore03.us
uptodate-records3.us

Thursday, 13 March 2014

Malware sites to block 13/3/14

These IPs and domains seem to be involved in injection attacks today. I recommend you block them.

64.120.242.178
188.226.132.70
93.189.46.90
tzut.asifctuenefcioroxa.net
0dr5ah.edjadehegile.com
2ch.asifctuenefcioroxa.net
qwenty.lazarmihail.net
qwenty.onlystream.com.ar
aderfas.miltonsvideo.com.br
aderfas.porwisz.eu
traster.buddysoftware.com.au
qwenty.abundiaorganico.com.ar
qwenty.loishconsulting.com.au
qwenty.scottgotyourspot.com
qwenty.liveoakit.com
qwenty.pfsensefirewall.com
qwenty.tongfangtechnology.com
qwenty.sappa.com.au
aderfas.mypagecreator.com
needrast.dundemworld.com
soon.caelux.es
soon.wezel.info
asifctuenefcioroxa.com
asifctuenefcioroxa.info
asifctuenefcioroxa.net
edjadehegile.com
ekpmpb.asifctuenefcioroxa.net
j4qk.asifctuenefcioroxa.com
jgqke.asifctuenefcioroxa.com
np59s.asifctuenefcioroxa.info

The domains being abused are as follows.. many of them appear to be hijacked legitimate domains.
abundiaorganico.com.ar
asifctuenefcioroxa.com
asifctuenefcioroxa.info
asifctuenefcioroxa.net
buddysoftware.com.au
caelux.es
dundemworld.com
edjadehegile.com
lazarmihail.net
liveoakit.com
loishconsulting.com.au
miltonsvideo.com.br
mypagecreator.com
onlystream.com.ar
pfsensefirewall.com
porwisz.eu
sappa.com.au
scottgotyourspot.com
tongfangtechnology.com
wezel.info

Sky.com "Statement of account" spam

This fake Sky.com email comes with a malicious attachment:

Date:      Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the December invoice as this is now due for
payment.

Regards,
Carmela

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.
Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50. Automated analysis tools [1] [2] [3] show attempted connections to the following domains and IPs:

188.247.130.190 (Prime Telecom SRL, Romania)
gobemall.com
gobehost.info

184.154.11.228 (Singlehop, US)
terenceteo.com

184.154.11.233 (Singlehop, US)
quarkspark.org

The two Singlehop IPs appear to belong to Host The Name (hostthename.com) which perhaps indicates a problem at that reseller.

Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall.com
gobehost.info
terenceteo.com
quarkspark.org

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x.org. The blocks have been identified as belonging to that customer and I would recommend that you block them:

198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30


OVH Canada have repeatedly hosted exploit kits for this customer to the extent that I am suspicious that either they have been compromised in some way. These following blocks have been identified as serving up malware in the recent past:

192.95.6.24/29
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.41.88/29
192.95.43.160/28
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24


OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?



Monday, 10 March 2014

gateway.confirmation@gateway.gov.uk spam

This fake spam from the UK Government Gateway comes with a malicious payload:

Date:      Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
From:      gateway.confirmation@gateway.gov.uk
Subject:      Your Online Submission for Reference 485/GB3283519 Could not process
Priority:      High

The submission for reference 485/GB3283519 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail. 
Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50.

Automated analysis tools [1] [2] [3] show attempted downloads from i-softinc.com on 192.206.6.82 (MegaVelocity, Canada) and icamschat.com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you block traffic to the following IPs and domains:
192.206.6.82
i-softinc.com
icamschat.com

Wednesday, 5 March 2014

mms.Orange.co.uk "IMAGE Id 889195266-PicFFY2C TYPE=MMS" spam

A horribly managed spam turned up in my inbox, claiming to be an MMS message from Orange UK. Well, at least that's what it looked like when I got the HTML to render properly enough to make it readable..

Date:      Wed, 5 Mar 2014 09:14:13 +0000 [04:14:13 EST]
From:      mms.service3694@mms.Orange.co.uk
Subject:      IMAGE Id 889195266-PicFFY2C TYPE=MMS

Description: Orange

Received from: 447457714595 | TYPE=MMS
There's meant to be an embedded image, but it is completely corrupt. Not that it makes much difference..


Attached is a file called bulger,jpg which is actually a ZIP file, so you have to rename it from .jpg to .zip in order to infect yourself. Some assembly is required in this case..

Anyway, once you have done all that and unzipped it, you get a malicious file IMG0000002993.exe  which has  a VirusTotal detection rate of 17/50. The Malwr report shows that the malware attempts to connect with a bunch of IPs that mostly look like dynamic ADSL subscribers. This sort of behaviour looks like P2P/Gameover Zeus or something similar.