
Friday, 25 April 2014

"Unity Messaging System - Internal Payroll" spam

This fake payroll spam comes with a malicious attachment:

Date:      Fri, 25 Apr 2014 12:36:43 +0900 [04/24/14 23:36:43 EDT]
From:      Unity Messaging System [Unity_UNITY9@victimdomain.com]
Subject:      Internal Payroll

File Validity: 24/04/2014
Company : http://victimdomain.com
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to be from the victim's own domain and references it in the body of the email. A look at the mail headers shows that this deception runs more deeply..

Received:     
    (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
    from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
    from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
    from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900


The actual origin of the spam is 218.216.224.142 in Japan. The lines before that are all fake and are attempting to make it look like the email originated from inside the victim's own network (using a 10.x.x.x address). Quite why they bother with this level of detail is a mystery, because anyone technically savvy should spot that it comes with a malicious payload.
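The rule the paragraph above applies can be automated: Received headers are stacked newest-first, hops handed over by your own (private-address) relays are trustworthy, the first public IP is the real origin, and every hop listed below that was written by the sender and can claim anything. The following script is an added example (not the blog's own tooling) that walks the chain quoted above, which is embedded as constructed sample data, and flags the 10.x.x.x hops sitting below the external origin as forged:

```python
import ipaddress
import re

# Constructed sample: the Received chain from the "Internal Payroll" spam above,
# newest hop first, which is the order a mail server stacks them in.
RECEIVED_HEADERS = [
    "(qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000",
    "from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000",
    "from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000",
    "from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) "
    "with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900",
    "from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) "
    "with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900",
]

# "from <helo-name> (... <ipv4> ...)": the IP in parentheses is what the receiving
# server actually saw on the wire; the HELO name is whatever the sender claimed.
FROM_RE = re.compile(r"^from\s+(\S+)\s+\(.*?(\d{1,3}(?:\.\d{1,3}){3}).*?\)", re.I)


def parse_hops(headers):
    """Extract {'helo', 'ip'} for every Received line that names a sending host."""
    hops = []
    for line in headers:
        m = FROM_RE.match(line.strip())
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2)})
    return hops


def analyse_received(headers):
    """Walk the chain newest-first. Hops from private addresses are our own relays
    and are trusted; the first public IP is the true origin, and every hop listed
    after it was supplied by the sender and cannot be relied on."""
    hops = parse_hops(headers)
    for i, hop in enumerate(hops):
        ip = ipaddress.ip_address(hop["ip"])
        if ip.is_private or ip.is_loopback:
            continue
        untrusted = hops[i + 1:]
        # A hop below the origin that claims a private address is a forgery
        # indicator: a genuine internal relay cannot sit beyond an outside host.
        forged_internal = [h for h in untrusted
                           if ipaddress.ip_address(h["ip"]).is_private]
        return {"origin": hop["ip"], "origin_helo": hop["helo"],
                "untrusted": untrusted, "forged_internal": forged_internal}
    return {"origin": None, "origin_helo": None, "untrusted": [], "forged_internal": []}


if __name__ == "__main__":
    result = analyse_received(RECEIVED_HEADERS)
    print("true origin:", result["origin"], "HELO", result["origin_helo"])
    for h in result["forged_internal"]:
        print("forged internal hop:", h["helo"], h["ip"])
```

The assumption baked in is that your own relays all use RFC 1918 addresses; if an edge MTA has a public address, add it to the trusted set explicitly rather than widening the private-address test.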

The attachment is Payroll.zip which in turn contains a malicious executable Payroll.scr which has an icon that makes it look like an Excel file (which it isn't). If you are hiding file extensions (which is the insecure default setting for Windows) then you might be fooled.

If you haven't already done it.. when you have a folder open in Windows, go into Organize -> Folder and search options -> View and then untick Hide extensions for known file types.


Then it will become clear that this isn't an Excel spreadsheet at all (ending in .xlsx or .xls) but is something more sinister.


Yes, .scr is actually an executable file (a more typical one would be .exe). In this case the file is definitely malicious and has a VirusTotal detection rate of 26/51.
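Unticking "Hide extensions" protects one user at a time; a mail gateway can apply the same logic to every attachment by looking inside the archive at the member's extension and its first bytes instead of its icon. The script below is an added example (not from this blog) that builds a constructed stand-in for Payroll.zip in memory, so nothing here is the real sample, and reports every member that is executable by extension, carries the "MZ" signature every Windows executable starts with, or hides a document extension in front of an executable one:

```python
import io
import os
import zipfile

# Extensions Windows will execute when double-clicked, whatever icon the file
# carries; ".scr" (screensaver) is the one used by Payroll.scr above.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
DOCUMENT_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}


def build_sample_zip():
    """Constructed stand-in for Payroll.zip: a PE-shaped file named Payroll.scr,
    a double-extension variant, and a harmless text file. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A real Windows executable starts with the "MZ" DOS stub signature.
        zf.writestr("Payroll.scr", b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 128)
        zf.writestr("Payroll.xlsx.scr", b"MZ" + b"\x00" * 64)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def inspect_zip(data):
    """Return [(member name, [reasons])] for every member that looks executable.
    Three independent signals are checked so that defeating one (for example by
    renaming the file) does not silence the others."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with zf.open(info) as member:
                magic = member.read(2)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if magic == b"MZ":
                reasons.append("PE (MZ) header")
            parts = name.lower().split(".")
            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document extension hidden before " + ext)
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip()):
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

Reading only the first two bytes keeps the check cheap enough to run on every attachment; checking the magic bytes as well as the name is what catches a sample renamed to something innocuous.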

Automated analysis tools [1] [2] [3] show an attempted download from:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar

These download locations are the same as used in this "Balance Scheet" spam from yesterday and I recommend that you block the domains in question.



Thursday, 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.

The mail headers in the email have been faked to make it look like it originated inside the victim's own internal network. Attached to the email is an archive file Balance-Sheet.zip which in turn contains a malicious executable Balance-Sheet.exe which has a VirusTotal detection rate of just 3/51.

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar




"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names).

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN

The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.


OnePlus One


Expected Q2 2014

23rd April 2014

Possibly the greatest smartphone you have never heard of, the OnePlus One is an attractive, premium smartphone without the expensive price-tag.



OnePlus is a startup founded late last year by Pete Lau, vice-president of up-and-coming Chinese firm OPPO. The stated design philosophy of OnePlus is "Never Settle" which is reflected in an apparently very high quality of product design. The OnePlus One manages to look both smart and distinctive at the same time.

Elegance is sometimes only skin-deep, so what lies underneath the One's pleasing exterior? Inside is a 2.5GHz quad-core Qualcomm Snapdragon CPU with 3GB of RAM, 16 or 64GB of storage and a large 3100 mAh battery. On the front is a 5.5" 1080 x 1920 pixel full HD display with a 13 megapixel camera on the back and a 5 megapixel one on the front. It's worth noting that the main camera is a Sony Exmor unit which has a proven track record in this type of device.

This is an LTE-capable device with NFC support and all the usual high-end features. But there are some more unusual features too.. prefer on-screen navigation buttons? You can have those. Prefer the buttons at the bottom? Well, you can switch on those instead. Want to personalise your phone? You can change the back of the device, and you can even use a wooden panel like the Moto X. In fact, the OnePlus One seems to be full of little design details that lift it way above the run-of-the-mill and allow it to compete with leaders such as the HTC One M8 and Apple iPhone 5S.

The operating system is Cyanogenmod 11S which is a reworking of Android 4.4. Cyanogenmod is popular with people who like to create custom ROMs for their Android devices, and it has a dedicated following of users and developers. You can control the OnePlus with gesture control and pretty much customise it in exactly they way you want.. something that can be difficult with other Android handsets.

The hardware and software look appealing.. but what about the price? OnePlus say that the One will cost $299 / €269 for the 16GB Silk White version or $349 / €299 for the 64GB Sandstone Black version. Initial markets will be the US, most of Western Europe* plus Hong Kong and Taiwan.


That price is about half that of the HTC One M8 which is probably the best handset on the market at the time of writing. OnePlus say that the One should be available during Q2 although the initial release looks like it will be through invitation only. More details can be found on their website at oneplus.net.

One word of warning though - OnePlus are a completely new startup and the company has no track record in getting products to market (although many of their employees do). It's quite possible that the product might ship late (or not at all), the price might change or the quality might not be up to scratch. But we certainly hope that this handset is as good as it promises to be.

* Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Portugal, Spain, Sweden, United Kingdom.

OnePlus One at a glance

Available: Q2 2014
Network: GSM 850 / 900 / 1800 / 1900; UMTS 850 / 900 / 1700 / 1900 / 2100; LTE Bands 1 / 3 / 4 / 7 / 17 / 38 / 40
Data: GPRS + EDGE + UMTS (3G) + HSPA+ + LTE + WiFi
Screen: 5.5" 1080 x 1920 pixels
Camera: 13 megapixels (main), 5 megapixels (sub)
Size: Large smartphone, 153 x 76 x 8.9mm / 162 grams
Bluetooth: Yes
Internal memory: 16GB / 64GB
Memory card: None
CPU: 2.5GHz quad-core
RAM: 3GB
Java: Optional
GPS: Yes (plus GLONASS)
OS: Cyanogenmod 11S / Android 4.4
Battery life: Not specified (3100 mAh cell)


Wednesday, 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

UPDATE 2014-05-06:  there is a new version of this with a malicious .PDF attachment, please scroll down for more details.

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say their email has been hacked, it has not.. this is a forgery)

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject:      Invoice 739545

Hello,

Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

(Main) 01884 242626  (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602


CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:
72.34.47.163/11
91.99.102.154/11
yourmedialinkonline.com/11
dframirez.com/11
duvarikapla.com/11
duvallet.eu/11
24hr-ro.com/11
edwardalba.com/11
ekodin.rs/11
exorcist.go.ro/11
kuikencareercoaching.nl/11
sic-choppers.goracer.de/11
chriswolf.be/11
colorcopysite.com/11
mashhadsir.com/11
akirkpatrick.com/11
www.amelias-decoration.nl/11
netvietpro.com/11
guaempresas.com/11
hayatreklam.net/11
acenber.sbkml.k12.tr/11
how-hayonwye.com/11
iconservices.biz/11
idede.sbkml.k12.tr/11
www.tcrwharen.homepage.t-online.de/11
ec2-107-20-241-193.compute-1.amazonaws.com/11
www.derileq.com.mx/11
iaimrich.com/11
joyscenter.com/11
josip-stadler.org/11
www.kalkantzakos.com/11
files.karamellasa.gr/11
krptb.org.tr/11
legraff.com.tr/11
jieyi.com.ar/11
m.pcdbd.info/11
maestroevent.com/11
www2.makefur.co.jp/11
marcin_dybek.fm.interia.pl/11
marzenamaks.eu.interia.pl/11
mehmetunal.ztml.k12.tr/11
job.yesyo.com/11
mofilms.com/11
multimarge.ph/11
nbd.xon.pl/11
netset.ir/11
allforlove.de/11
ncapkur.sbkml.k12.tr/11
neumandina.com/11
209.217.235.25/~nanakram/11
home.planet.nl/~monst021/11
masterdiskeurope.com/~mooch/11
members.aon.at/~mredsche/11

Recommended blocklist:
72.34.47.163
91.99.102.154
yourmedialinkonline.com
dframirez.com
duvarikapla.com
duvallet.eu
24hr-ro.com
edwardalba.com
ekodin.rs
exorcist.go.ro
kuikencareercoaching.nl
sic-choppers.goracer.de
chriswolf.be
colorcopysite.com
mashhadsir.com
akirkpatrick.com
www.amelias-decoration.nl
netvietpro.com
guaempresas.com
hayatreklam.net
acenber.sbkml.k12.tr
how-hayonwye.com
iconservices.biz
idede.sbkml.k12.tr
www.tcrwharen.homepage.t-online.de
ec2-107-20-241-193.compute-1.amazonaws.com
www.derileq.com.mx
iaimrich.com
joyscenter.com
josip-stadler.org
www.kalkantzakos.com
files.karamellasa.gr
krptb.org.tr
legraff.com.tr
jieyi.com.ar
m.pcdbd.info
maestroevent.com
www2.makefur.co.jp
marcin_dybek.fm.interia.pl
marzenamaks.eu.interia.pl
mehmetunal.ztml.k12.tr
job.yesyo.com
mofilms.com
multimarge.ph
nbd.xon.pl
netset.ir
allforlove.de
ncapkur.sbkml.k12.tr
neumandina.com

UPDATE 2014-05-06:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include

The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw CVE-2010-0188 which was patched a long time ago, so if you have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.

Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.

UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.

Automated analysis tools [1] [2] [3] show that this in turn downloads components from the following locations:

pgalvaoteles.pt/111
axisbuild.com/111
sadiqtv.com/111
hostaldubai.com/111
nbook.far.ru/111
relimar.com/111
webbook.pluto.ro/111
bugs.trei.ro/111
gaunigeria.com/111
rubendiaz.net/111
adventiaingenieria.es/111
assurances-immobilier.com/111
markus.net.pl/111
www.mrpeter.it/111
inmobiliariarobinson.com/111
cigelecgeneration.com/111
hbeab.com/111
lefos.net/111
pk-100331.fdlserver.de/111
decota.es/111
krasienin.cba.pl/111
rallyeair.com/111
camnosa.com/111
caclclo.web.fc2.com/111
beautysafari.com/111
www.delytseboer.com/111
atelierprincesse.web.fc2.com/111
czarni.i15.eu/111
gogetgorgeous.com/111

This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe) has a VirusTotal detection rate of only 2/52 and does various bad things [1] [2] [3].

Because detection rates are still low, you might want to consider blocking the following domains:
dr-gottlob-institut.de
pgalvaoteles.pt
axisbuild.com
sadiqtv.com
hostaldubai.com
nbook.far.ru
relimar.com
webbook.pluto.ro
bugs.trei.ro
gaunigeria.com
rubendiaz.net
adventiaingenieria.es
assurances-immobilier.com
markus.net.pl
www.mrpeter.it
inmobiliariarobinson.com
cigelecgeneration.com
hbeab.com
lefos.net
pk-100331.fdlserver.de
decota.es
krasienin.cba.pl
rallyeair.com
camnosa.com
caclclo.web.fc2.com
beautysafari.com
www.delytseboer.com
atelierprincesse.web.fc2.com
czarni.i15.eu
gogetgorgeous.com

UPDATE 2014-05-06 III: 
Another downloaded file is:
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe

This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis [1] [2] [3] [4] shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.

Payload appears to be Gameover / P2P Zeus.

(btw, thanks to the #MalwareMustDie team for help!)

UPDATE 2014-05-12:
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of 8/50.

The PDF downloads a file from:
[donotclick]infodream.eu/images/1.exe
..which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:

[donotclick]www.freshanswer.com/b70.exe
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe
[donotclick]park-laedchen.de/illustrate/offending


Out of these only the first download appears to be working; that binary has a detection rate of 27/52. Automated analysis of this binary [1] [2] [3] shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
217.174.105.92
93.171.173.34
91.221.36.184
37.143.15.103
146.255.194.173

Thanks again to the #MalwareMustDie team for assistance!


Thursday, 17 April 2014

omronfitness.com hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.

---------

Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.

---------

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.

---------


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.

In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).



The links in the email go to a legitimate site omronfitness.com belonging to Omron Healthcare which has been hacked to serve illegal pharmacy pages, for example:
[donotclick]omronfitness.com/buyaccutane/
[donotclick]omronfitness.com/buyflomax/


The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation which is rather shabby.

One amusing sidenote, the server 23.21.115.143 that hosts omronfitness.com also hosts another Omron-owned site moronfitness.co. Enough said.

Update 22/4/2014: Omron say that they have now fixed the issue.

Wednesday, 16 April 2014

Something still evil on 66.96.223.192/27

Last week I wrote about a rogue netblock hosted by Network Operation Center in the US. Well, it's still spreading malware but now there are more domains active on this range.

A full list of the subdomains I can find is here [pastebin]. I would recommend that you apply the following blocklist:

66.96.223.192/27
andracia.net
beyfiersd.com
beyfiersd.info
beyfiersd.net
capcomcom.com
chebuesx.com
chebuesx.info
chebuesx.net
clicksuntruck.org
damaumsw.net
damaumsx.com
damaumsx.info
damaumsx.net
denovlib.com
denovlib.info
denovlib.net
ehgaugysd.com
ehgaugysd.info
ehgaugysd.net
epdiyfetzs.com
epdiyfetzs.info
epdiyfetzs.net
estebasw.com
estebasw.info
estebasw.net
estebasx.com
estebasx.info
estebasx.net
euvllali.com
euvllali.net
falaporto.com
fortynineseven.com
freemiewgrow.org
garrupyotpq.com
garrupyotpq.info
garrupyotpq.net
geortogils.com
geortogils.info
geortogils.net
gykrabowss.com
gykrabowss.info
gykrabowss.net
hacynkraihc.com
hacynkraihc.info
hacynkraihc.net
helloadultking.biz
hellotreeboom.org
hepiqs.com
hepiqs.info
hepiqs.net
hukelmsqs.info
hukelmsqs.net
jalihs.com
jalihs.info
jalihs.net
jeyjoyjang.org
jisoss.com
jisoss.info
jisoss.net
jkuacobijs.com
joduebey.com
joduebey.net
julynosw.com
julynosx.com
kenkyissd.com
kenkyissd.info
kenkyissd.net
kewennub.com
kewennub.info
kewennub.net
klitryujk.org
lalaghoqs.com
lalaghoqs.info
lalaghoqs.net
loryneaqs.com
loryneaqs.info
loryneaqs.net
maifrchsd.com
maifrcwe.info
maifrcwe.net
mallwysq.net
matsumwe.com
matsumwe.info
matsumwe.net
megasuperduper.org
mibradburnb.com
mibradburnb.info
mibradburnb.net
moarlejitta.com
mopcapcap.com
musxiicqs.com
musxiicqs.info
myruvs.com
njooixrc.com
njooixrc.info
njooixrc.net
oatgirle.com
oatgirle.info
oatgirle.net
odtoidcasz.info
odtoidcasz.net
penapolj.com
penapolj.info
penapolj.net
sakoboresz.com
sakoboresz.info
sakoboresz.net
serenesq.com
serenesq.info
serenesq.net
simarosq.com
simarosq.info
simarosq.net
singsongsing.org
soontrilkittra.biz
sweethouseinc.org
tenynnilsz.com
tenynnilsz.info
tenynnilsz.net
tnirinsq.com
tnirinsq.info
tnirinsq.net
tralalaone.biz
tralalatwo.biz
tuanhefesz.com
tuanhefesz.info
tuanhefesz.net
tynepompling.org
ukrheynasz.com
ukrheynasz.info
ukrheynasz.net
viewtickshot.org
wladimirmosk.com
xuboutwesz.com
xuboutwesz.info
xuboutwesz.net
ynccyrousz.com
ynccyrousz.info
ynccyrousz.net
zeedirfung.org
zeigfridtank.biz

Tuesday, 15 April 2014

Sky.com "Statement of account" spam

Another fake sky.com email with a malicious payload..

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Kathy

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 

Attached is a file Statement.zip which contains a malicious executable Statement.scr which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]pelicansea.com/css/1504UKd.zip
[donotclick]twinest.com/images/1504UKd.zip


A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.


Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

[NOTE: the IPs listed here appear to have been cleaned up]

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:

(Intergenia)
casga.sogesca.al
enetian.reddigitalonline.com
southerly.rademsis.com
smallpox.purehealthforyou.com
vender.puteando.com.ar
tender.revsanders.com
lordly.pxz55.com
plumbing.ranperhar.com
flatness.radioxto.com.ar
implement.webshark.com.br
incendiary.whitennerdy.com
instructor.valiza.com
penal.unhasdeouro.com.br
afia.fotigrafia.com.ar
fanny.gamesgamesgames.eu
fug.fugusg.com
intermediary.roboticdreamblog.com
lithium.thiersheetmetal.com
lyrical.thoitrangtre360.com
maximum.riversofgrog.com.au
meaty.vvw5.com
sevice.fuzzyservice.ru
tough.thingiebox.com
transfigure.rmtradinggroup.com
vibrate.saltaland.com.ar
ford.somerford.me
recoil.quintafeira.com.br
solaris.solartrailers.net
surgery.replikacctv.com
wore.quietbytes.com
all.inews4all.com
andre.andro-tech2.info
andy.animadeco.pl
back.bbb-tl.com
begun.beatrizcarrillo.com
belsu.benda.si
binolyt.diymodstore.net
bird.mjdpe.net
bunny.doctorcat.org
bvirtual.t25workoutsale.com
creat.hijac-creative.com
dario.casio-c.com
dd.adamknight.info
desolate.soarstudio.com
dolly.shoppingadvisor.com.ar
emoc.cccuauhtemoc.mx
facilitator.tricksshop.com.br
ff.advidlabs.com
ff.variedades.info
fina.canecafina.com.br

(HostNOC)
odtoidcwe.info
odtoidcwe.com
odtoidcwe.net
bychemawe.info
bychemawe.net
bychemawe.com
cunideawe.net
cunideawe.com
cunideawe.info

Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advanced fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173

The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Wednesday, 9 April 2014

Something evil on 66.96.223.192/27

There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already flagged as malicious by Google, and I've reported on bad IPs in this range before.

A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here [csv].

I would recommend applying the following blocklist:
66.96.223.192/27
capcomcom.com
chebuesx.com
damaumsx.com
denovlib.com
epdiyfetzs.com
estebasw.com
euvllali.com
falaporto.com
fortynineseven.com
geortogils.com
gykrabowss.com
hepiqs.com
jalihs.com
jisoss.com
jkuacobijs.com
joduebey.com
kewennub.com
moarlejitta.com
mopcapcap.com
myruvs.com
njooixrc.com
oatgirle.com
penapolj.com
wladimirmosk.com
chebuesx.info
damaumsx.info
denovlib.info
epdiyfetzs.info
estebasx.info
garrupyotpq.info
geortogils.info
gykrabowss.info
hepiqs.info
jalihs.info
jisoss.info
njooixrc.info
oatgirle.info
penapolj.info
andracia.net
damaumsx.net
denovlib.net
epdiyfetzs.net
estebasx.net
euvllali.net
garrupyotpq.net
geortogils.net
gykrabowss.net
hepiqs.net
jalihs.net
jisoss.net
joduebey.net
kewennub.net
mibradburnb.net
njooixrc.net
oatgirle.net
penapolj.net
clicksuntruck.org
freemiewgrow.org
hellotreeboom.org
jeyjoyjang.org
klitryujk.org
megasuperduper.org
singsongsing.org
sweethouseinc.org
tynepompling.org
zeedirfung.org
estebasx.com
garrupyotpq.com
hacynkraihc.com
julynosw.com
julynosx.com
mibradburnb.com
estebasw.info
hacynkraihc.info
kewennub.info
mibradburnb.info
chebuesx.net
damaumsw.net
estebasw.net
hacynkraihc.net
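The blocklists in this post and in the 16 April post on the same 66.96.223.192/27 range mix a CIDR range with bare domains, and the domains are meant to cover their subdomains too. The script below is an added example (not from this blog) of applying such a list: it loads a short excerpt of the list above, then checks constructed proxy log lines (a made-up "timestamp client url" format) against it, matching IPs by network membership and hostnames by label-aligned suffix so that notandracia.net does not match andracia.net.

```python
import ipaddress
from urllib.parse import urlsplit

# Excerpt from the blocklist above: one entry per line, either a CIDR/IP or a domain.
BLOCKLIST_TEXT = """
66.96.223.192/27
andracia.net
capcomcom.com
chebuesx.com
clicksuntruck.org
"""

# Constructed proxy log lines; the format is "timestamp client url" and is made up.
SAMPLE_PROXY_LOG = [
    "2014-04-16T09:12:01 10.1.2.3 http://andracia.net/index.php",
    "2014-04-16T09:12:04 10.1.2.3 http://cdn.chebuesx.com/js/load.js",
    "2014-04-16T09:12:09 10.1.2.7 http://66.96.223.200/x/",
    "2014-04-16T09:12:15 10.1.2.7 http://66.96.223.230/x/",
    "2014-04-16T09:13:00 10.1.2.9 https://www.example.com/",
    "2014-04-16T09:13:05 10.1.2.9 http://notandracia.net/",
]


def load_blocklist(text):
    """Split the list into IP networks and domains. Single IPs become /32 networks."""
    networks, domains = [], set()
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.rstrip("."))
    return networks, domains


def match_host(host, networks, domains):
    """Return the blocklist entry that covers `host`, or None.
    A domain matches itself and every subdomain, but only on label boundaries."""
    host = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for net in networks:
            if ip in net:
                return str(net)
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(lines, networks, domains):
    """Return (host, matched entry) for every log line whose URL hits the list."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        host = urlsplit(url).hostname
        if host is None:
            continue
        entry = match_host(host, networks, domains)
        if entry:
            hits.append((host, entry))
    return hits


if __name__ == "__main__":
    nets, doms = load_blocklist(BLOCKLIST_TEXT)
    for host, entry in scan_proxy_log(SAMPLE_PROXY_LOG, nets, doms):
        print(f"HIT {host} -> {entry}")
```

The same `match_host` logic can be fed from a DNS query log instead of a proxy log, which catches hosts that resolve a listed name without ever completing an HTTP request.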

Tuesday, 8 April 2014

Michael Price and BizSummits get ROKSO listed, scurry under the spotlight

Recently I wrote about a spam run being sent by Michael Price and/or BizSummits and examined the high level of fake material on their "Summits" websites.

In the past few days, BizSummits and Michael Price have the very dubious distinction of being listed in the Spamhaus ROKSO list of what they consider to be the worst spammers worldwide.

A ROKSO listing is bad news because it means that reputable web hosts will not do business with them.

So what happened next?

Well, basically most of the domains listed here have suddenly changed registrar and IP address, and the WHOIS details have been changed to something that looks rather fake (in my opinion). For example, the domain BizSummits.org has the WHOIS details changed from:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


to

Registrant ID:NS-b48b7b229f5dc
Registrant Name:Michael Loeloff
Registrant Organization:
Registrant Street: 8380 Lagos De Campo Blvd
Registrant City:Tamarac
Registrant State/Province:FL
Registrant Postal Code:33321
Registrant Country:US
Registrant Phone:+1.2025688305
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


..which is an anonymous-looking apartment in Florida. Most of the other domains have been geographically scattered to different addresses and names. Strangely none of the registrants seem to have a web footprint. In my personal opinion, these addresses are deliberately fake, and they have been changed by someone working for BizSummits.

It isn't just the WHOIS details that have changed: in the case of BizSummits.org the registrar has changed from GoDaddy to NameSilo for unknown reasons, and the IP address has changed from 184.168.221.27 (GoDaddy) to 198.199.112.47 (Digital Ocean). To me that looks like GoDaddy booted them off their network, although there could be other explanations I suppose.

Conversely, most of the domains used in the spam run listed here appear to have been deleted, either by the registrar or by the owner. It doesn't really matter as far as evidence is concerned because services such as DomainTools maintain historical WHOIS records.

Overall, there seems to be a great deal of scurrying around as the spotlight has been shone on their activities.

I'm curious as to whether or not Michael Price or BizSummits think that the spam run sent from their servers was legitimate and legal, and as to whether or not they believe that the use of the images from other companies is justified.

It does appear that someone using Michael Price's photograph and name tried to post a comment, and then thought better of it. Hmmm.


Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:

Monday, 7 April 2014

Quantcast email address leak

Quantcast measures web analytics, and they are widely used by many websites worldwide, including one I operated myself.

However, it seems that Quantcast have some sort of email address leak because the following spam email was sent to an address only used to sign up for Quantcast's services.

From:     iTriplingStocks [redacted]@livraphone.fr
Date:     7 April 2014 20:08
Subject:     Dear [redacted], Three hundred percent gains is super possible



However in 1381 a treaty was signed in which allowed him to return. In 2008, Thames Water submitted plans for 96 homes on the site. Connor's horse Waterford Crystal. French hands between 1781 and 1782, and broken up in 1797. They were later replaced by Generation 1 DVD volumes, and later complete season boxed sets. It consists of the village of Luzein which is made up of the sections of Buchen, Luzein, Pany and Putz. February 1955, while in reserve. Juan Sebastian Lach moved to Europe and studied for a doctorate in cognitive musicology. Stop, only add extraordinary stunts here, and only if you have reliable sources. I think I want to be in the Guinness Book of World Records.
However at Dawn workers cleared the gap where the animals came in trapping them in. Germany dated from roughly 14,000 years ago. Francesco also made furniture and panelling for private and ecclesiatical clients. He claimed to be a god, whereas he was only a servant of the Devil, and as such he met his fate. There have been two unofficial fan remakes. Ecuador, at an altitude between 2,100 and 2,300 m asl. O God, do not leave me. The design has been simplified and a whole range of new security features were introduced.
Indonesian general as ambassador to Australia. Diagram created by me. When Gomo died in 1815, Senachewine became chief of the village. The same magazine gave Hannity their Freedom of Speech Award in 2003. Chavan started his political career in 1991,his name was proposed by Mr. Yale, Fruton became Director of the Division of Science, a position he held until 1962. City Sightseeing Ltd to City Sightseeing Worldwide S. If there were some heightened state of tension, we would, believe me, we would not let them get that close.
The first pressing of the album came in sleeve case packaging. Turkishness and the Republic. Hendschiken while 255 people commuted into the municipality for work. The Broletto in Como is faced with polychrome marble. About 20 additional motels, Inns and Bed and Breakfast operations are based in Digby making tourism an important employer. Alan Bray, a bassist. Italian Ministry of Treasury. Kentucky's head football coach. Soldiers, and turned against the Soviet regime. The source of information should be relevant, including existing solutions. Beata Vergine Assunta e S. In space DeGill has been captured by his old nemesis, the big game hunter Pontifadora the Conquistadora.
When assessing mental involvement in narrative text, items involved more imagery and imagination. Windham was founded in 1951 by Walter F. Diescher and John Endres became friends and business partners. He has also directed videos for The Saturdays and Sugababes.

The spam is an RCHA pump-and-dump spam as reported here, and this spam does make heavy use of email addresses stolen in this way.

It is impossible to say when the email addresses leaked from Quantcast or what data may have leaked with them; however, the probability of a spammer guessing this particular email address would be one in 26^12 (95,428,956,661,682,176), which is practically zero.

Update: Quantcast are investigating the issue at present.

Sunday, 6 April 2014

"Produce & Information" / Media Trade Company spam

This spam email links to a malicious file:
From:     Media Trade info@mediatrade.com
Reply-To:     ourmediatrade@yahoo.com
Date:     6 April 2014 16:26
Subject:     Produce & Information

Good Day

How are you today?
This is Media Trade Company, we have interest in your product. And our company is planing on placing an order with your company, Please open and click on the pdf icon to see the attached document of our produce information and company details.

Thank you and have a nice day

Best regards
THKS/B.RGDS

Attached is a file Our Produce Info.html which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on 89.108.91.183 (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be a prudent idea; alternatively you could block the dynamic DNS domain h19.ru which is being abused in this case.

The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on 91.223.82.188. Also, the Anubis analysis gives an idea as to the files created.

Of interest, this IP of 91.223.82.188 belongs to a company I have never heard of called International Widespread Services Limited aka IWS Networks Ltd of the UAE. They also provide the mail relay used in the spam which is 185.7.35.90.

Recommended blocklist:
89.108.91.183
91.223.82.188
surevilla.h19.ru
ourdailyshopping.com

I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.

Saturday, 5 April 2014

RCHA / Rich Pharmaceuticals, Inc pump-and-dump spam

This pump-and-dump spam is trying to boost the share price of Rich Pharmaceuticals, Inc (RCHA).

From:     SuperStock Advisor
Date:     5 April 2014 16:37
Subject:     A biotech company that will make you big bucks

Think about it. What if you had the hunch to buy something low and sell it high. What if that clever move made you three or five times your principal? When is the last time you saw a stock quintuple within a few days?

R_C_H_A is a little biopharma company that you can buy for around 20 cents on Monday. A little bird has told me that something big is happening over there and that we can expect to see it go past a dollar before the end of the week.


This could be your move of the year, or even the best move of your life. Or you can just watch it pass by and do nothing. At least next time I present you with something you will listen with absolute belief and get to ride that wave. Last time I recommended a company to a friend it tripled in 3 days.

If you can buy R_C_H_A on Monday morning, consider yourself lucky and I want to hear about how much you will make this coming week!

So make sure to tell me!

-----------------

From:     iStockAdvisor
Date:     5 April 2014 06:35
Subject:     One stock. Five times your principal.

My dear fellow investor when is the last time you actually made a few bucks in the market?

With this bull pattern going on it is hard to find a winner that will stand out and actually produce gains that are above average.

Not only do I believe that I've found a solid company but I am certain that I've found the next company that will quintuple in a heart beat.

RCHA is set to take the world by storm and this little pharmaceutical company should soar from current levels of 20 cents to over a dollar this coming week.

If you don't believe me just watch where it goes on Monday and I promise you, you will want to buy as much as you can to make sure you catch this rocket before it takes off. I expect to see it nearly double on Monday alone. God knows how high and how fast RCHA will go from there on.

-----------------

From:     iBuyStock
Date:     5 April 2014 12:50
Subject:     The best stocktip for [redacted]

The last spam uses a GIF image (MD5 144f8295df4241d9a411b5a5b3f2c793) plus a load of random text to try to fool spam filters.

Pump-and-dump spams are always a type of fraud, and the stock prices usually collapse very soon afterwards. The collapse in RCHA stock prices seems to be happening right now according to the stock chart.


The stock price crashed sharply on Friday 4th April, dropping by 31% as 417,000 shares were traded. RCHA's history is convoluted and they have very little in the way of cash assets and relatively large liabilities.

Often with pump-and-dump spam runs there is a pattern of buying before the spam starts, but in this case there is no discernible pattern which makes me think that an existing stockholder is involved in the operation, in an attempt to bolster the share price as they dump stock.

Avoid.

Update: here are some more samples that arrived overnight..


From:     iStocksInformer
Date:     6 April 2014 12:21
Subject:     This pharmaceutical could quadruple fast

iStocksInformer


What if you could get into a stock before it soared? I know it’s hard to time things properly. The market has been good overall as of late but it is getting harder and harder to make big gains in a short period of time.

I’ve found the next big mover, but you have to buy fast because on Monday morning you should be able to pick it up for around 20 cents. Come tuesday it could be too late. A reliable source has told me that we expect R.C.H.A to gain 5x its current levels and break a dollar before the end of the week.

They are working on some ground breaking stuff, and perhaps the FDA is about to approve something they have been working on?

I come across a situation like this very few times per decade. This is in fact only the third time I’ve been told about a company that is about to soar. If you can buy R.C.H.A for around 20 cents on Monday I would say that you are in great shape and I’d ride the wave up to over a dollar if i were you.

(c) 2014. All rights reserved.
About us   |   Legal notice   |   Unsubscribe

---------------------

From:     iTopStocksPicker
Date:     6 April 2014 10:02
Subject:     This little company could tenfold your investment, arwildcbrender

ii_BACC5C509C1F3BC4.jpg


Update 2014-04-07: the markets have opened and the pump-and-dump spam continues, although it has changed pitch.

From:     iGoldenStocks
Date:     7 April 2014 18:02
Subject:     Already UP 58%!

This is the opportunity of the year. It has come knocking on our door and trust me I am not going to miss this chance. A trusted friend of mine told me that R* C* H* A is about to go from 20 cents to over a dollar. This little biopharmaceutical company has been working on mind boggling technologies to treat acute myolegenous leukemia and something tells me they are about to announce something huge.


What could it be I don’t know, but everything seems to agree on the fact that it will go up very fast. If you are amongst the lucky ones we should be able to buy shares for cheap on Monday. Like between 20 and 30 cents. If we can do that I’d say we are in great shape and we can expect to ride the train up to over a dollar.

I’ll be holding until then I hope you do the same too I want to see us pull as much as possible out of this. I am sick of playing the big companies that don’t produce much gains.

It’s time for a big move!

-----------------------

From:     iTopStocks
Date:     7 April 2014 18:06
Subject:     +58% in 1 DAY! Best Stock For [redacted]

ii_CD6438C3011A236E.gif

In fact, at the time of writing the stock has increased in price by 75%. A big deal? A week ago the stock was at 30 cents, now it is at 35 cents.. but it dropped to 20 cents on Friday before the pump-and-dump run started. At the time of writing, almost two million shares have been traded. On a typical day there are zero trades.

Source: NASDAQ

But has the stock price actually gone up in value? All these figures show is a bubble caused by the pump-and-dump operation. I suspect that most of the sales come from whoever is behind the spam offloading stock onto unsuspecting investors.. and when they try to sell the stock they will end up taking a loss.

In the medium run, most stocks promoted through pump-and-dump spam runs collapse afterwards. I suspect the same thing will happen here.

Update 2014-04-08: two new variants this morning, both reflecting the share price from yesterday..

From:     MarketClub Top Stocks
Date:     8 April 2014 07:08
Subject:     Don't you deserve an edge in the market?

MarketClub Top Stocks


Do you remember me? Yes I emailed you a few days ago and I told you to watch R+C+H+A. This little biotech company has been working on ground breaking drugs and I advised you that you should buy shares in it on Monday morning for around 20 cents. If you don't remember, go back and look at your emails.

It has now pushed past 30 cents and it is showing very strong signs of continuation. Something tells me this stock will go past 2 or even 3 dollars in the coming days.

If you see the type of activity it is experiencing right now that's definitely not normal. Something absolutely massive is brewing for sure over there and there could be a phenomenal announcement coming in the next few days that will catapult the price much further.

This is not really tip *wink*, just a friendly advice. Make sure to buy as many R+C+H+A shares as you can.


You will be pleasantly surprised.


(c) 2014 MarketClub Top Stocks. All rights reserved.

------------------

From:     iStockMarketInsider
Date:     8 April 2014 05:38
Subject:     Top 5 Trending Stocks

StockMarketInsider Magazine   



As you can see the market is crashing hard the past few days.

If you want to make a few bucks you need to forget the general market and focus on this tip I gave you a few days ago. I mentioned it to you over the week end.

The little undervalued company is R|C|H|A and if you recall I told you to buy it when it was still at 20cents. Now It's passed 30 but it is still worth buying.

I think we will be looking at it trading in the 2-3dollar range next week.

Make sure to pick up a few shares if you can and you will be very impressed with the results. There's rumors that R|C|H|A could be on the verge of announcing some FDA approval for one of its drugs.

That may be why it's going crazy right now!


(c) 2014. StockMarketInsider. All rights reserved.

To Unsubscribe click here


Wednesday, 2 April 2014

Something evil on 66.96.223.204

66.96.223.204 (Network Operations Center, US) appears to be hosting some sort of malicious redirectors being used in current malware campaigns. VirusTotal gives a snapshot of the badness.

Sites hosted on this IP include:


Recommended blocklist:

Something evil on 213.229.69.41

This tweet by Malmouse got me investigating what was happening on 213.229.69.41.. and the answer is that it appears to be unmitigated badness.

First of all, these domains are either currently or recently hosted on 213.229.69.41, or are associated with it in some way. Ones currently regarded as malicious by Google are highlighted.


VirusTotal gives a good overview of the badness on this IP.


All these domains appear to be recently registered with the exception of gfthost.com which has ns1.gfthost.com and ns2.gfthost.com hosted on the same IP. Both those nameservers are used exclusively for these malware domains, so there must be some sort of connection. The WHOIS details for that are:

Registrant Name: Nikolay Legkov
Registrant Organization: -
Registrant Street: Nevsky 23-7
Registrant City: Saint-Petersburg
Registrant State/Province: Saint-Petersburg
Registrant Postal Code: 197008
Registrant Country: ru
Registrant Phone: +79052789848
Registrant Phone Ext:
Registrant Fax: +79052789848
Registrant Fax Ext:
Registrant Email: admin@gfthost.com


Of course it is trivially easy to fake WHOIS details, so I cannot guarantee that this is really the person behind the malware domains.

Anyway, I recommend that you block 213.229.69.41 (Simply Transit, UK) and/or the domains listed above.

Tuesday, 1 April 2014

rbs.com "RE: Copy" spam

This very terse spam has a malicious attachment:

Date:      1 Apr 2014 14:25:39 GMT [10:25:39 EDT]
From:      Kathryn Daley [Kathryn.Daley@rbs.com]
Subject:      RE: Copy

(Copy-01042014) 

The attachment is Copy-04012014.zip which in turn contains a malicious executable Copy-04012014.scr which has a VirusTotal detection rate of just 3/50.

The Malwr analysis shows that it has the characteristics of P2P/Gameover Zeus and it makes several network connections, starting with a download of a configuration file from: [donotclick]photovolt.ro/script/0104UKd.bis

The malware then tries to contact a number of other domains. I recommend using the following blocklist:

Something evil on 64.202.116.124

64.202.116.124 (HostForWeb, US) is currently hosting exploit kits (see this example). I recommend that you block traffic to this IP or the domains listed in this pastebin.

Most of the domains listed are dynamic DNS ones. If you block the parent dynamic DNS domains in that list instead of every individual hostname, the blocklist is nice and manageable:

in.ua
myftp.org
sytes.net
hopto.org
no-ip.biz
myvnc.com
no-ip.info
tobaccopeople.com
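The posts above (the h19.ru case and this list) recommend blocking a dynamic DNS parent domain rather than each abused hostname. The added example below, which is not code from the original blog, shows how to apply such a parent-domain blocklist to hostnames correctly, matching on label boundaries so that "sytes.net" covers "evil.sytes.net" but not "nosytes.net"; the DNS log lines and the BLOCKED_PARENTS set are constructed for illustration.

```python
"""Added example: check hostnames against a blocklist of dynamic-DNS parent
domains, matching on label boundaries (not a plain string suffix)."""

# Constructed blocklist using the parent domains the posts recommend blocking
# (h19.ru from the Media Trade post, the dynamic-DNS providers listed above).
BLOCKED_PARENTS = {
    "h19.ru", "in.ua", "myftp.org", "sytes.net", "hopto.org",
    "no-ip.biz", "myvnc.com", "no-ip.info", "tobaccopeople.com",
}


def normalise(host: str) -> str:
    """Lower-case the name and strip whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def blocked_parent(host: str, parents=BLOCKED_PARENTS):
    """Return the blocked parent domain covering `host`, or None.

    A parent matches when the host equals it or when the host ends in
    '.' + parent, so 'evil.sytes.net' matches 'sytes.net' while
    'nosytes.net' does not (a naive endswith() check would get that wrong).
    """
    labels = normalise(host).split(".")
    # Walk from the full name down to the shortest suffix and test each
    # label-aligned candidate against the blocklist.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def filter_dns_log(lines, parents=BLOCKED_PARENTS):
    """Scan constructed DNS query log lines of the form
    '<timestamp> <client-ip> <queried-name>' and return a list of
    (queried-name, blocked-parent) pairs for names under a blocked parent."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        name = parts[2]
        parent = blocked_parent(name, parents)
        if parent:
            hits.append((normalise(name), parent))
    return hits


# Constructed sample log lines (not real traffic). The first reuses the
# surevilla.h19.ru hostname from the Media Trade post; the rest are made up.
SAMPLE_LOG = [
    "2014-04-06T16:30:01 10.0.0.5 surevilla.h19.ru.",
    "2014-04-06T16:30:02 10.0.0.7 www.example.com",
    "2014-04-06T16:30:03 10.0.0.9 update.no-ip.biz",
    "2014-04-06T16:30:04 10.0.0.9 nosytes.net",   # must NOT match sytes.net
    "2014-04-06T16:30:05 10.0.0.3 HOPTO.ORG",
]

if __name__ == "__main__":
    for name, parent in filter_dns_log(SAMPLE_LOG):
        print(f"BLOCK {name} (under {parent})")
```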