Dynamoo's Blog

Thursday, 20 December 2012

"New message" spam, fake dating sites and libertymonings.info

This "New message" themed spam leads to both a fake anti-virus page and a Java exploit on the domains site-dating2012.asia and libertymonings.info. There's some cunning trickery going on here too. First of all, let's start with some spam examples:

Date:     Thu, 20 Dec 2012 20:50:17 -0200
From:     "SecureMessage System" [2F5DEE622@hungter.com]
Subject:     New message

Click here to view the online version.

New private message from Terra Fisher received.

Total unread messages: 5

[ Read now ]
� Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

-------------------------

Date:     Thu, 20 Dec 2012 20:36:14 -0200
From:     "Secure Message" [82E8ACBD@lipidpanel.com]
Subject:     New message

Click here to view the online version.

New private message from Josefina Albert received.

Total unread messages: 3

[ Read now ]
� Copyright 2012 SecureMessage System. All rights reserved.

If you would like to update your profile or unsubscribe, please click here.

PLEASE DO NOT REPLY TO THIS MESSAGE.

If you require Technical Support, please check Support Center for information.

In these cases, the targets URLs are [donotclick]site-dating2012.asia/link.php and [donotclick]site-dating2012.asia/link.php both hosted on 46.249.42.161 (Serverius Holding, Netherlands) and pretty much the same as the ones found a couple of days ago hiding out on 46.249.58.211(also at Serverius Holding).

These look like dating URLs, so you might assume that they are either a) a legitimate dating site or b) just some dating spam rather than malware. In any case, appearances are deceptive and it leads to fake AV site that seems to be very similar to this one. The deception goes a little deeper, because the link.php pages even forward through a fake affiliate-style link such as [donotclick]best-dating2010.info/?affid=00110&promo_type=5&promo_opt=1 before they get to the fake anti-virus page.

The site also contains an apparent Java exploit that loads in from libertymonings.info on 84.200.77.218 (Misterhost, Germany) which was also used in this attack. The malicious code is found at the page [donotclick]libertymonings.info/index/zzz/?a=YWZmaWQ9MDAxMTA= which attempts to download a Java exploit from [donotclick]libertymonings.info/analizator_data/ztsvgnvlmhe-a.qsypes.jar which is pretty thinly detected according to VirusTotal.

The following IPs and domains are all related and should be blocked if you can:

46.249.42.161
46.249.58.211
84.200.77.218
adeptsponsorlin.info
bestdating2012.asia
bestdating2012.info
best-dating-2012.info
bitnovembersgate.com
bursttsnetsbest.net
carswhilestaff.net
clemationsbloglogs.com
clemationslogs.com
cooldating2012.info
dating-2012.info
dating-2013.asia
datingbest2012.asia
datingbest2012.info
datingcool-2010.asia
datingcool2011.asia
datingcool2012.asia
datingcool2012.info
domainsjinniks.org
domainsqiprnodes.info
domainsreidstable.net
domainssguibulk9r.net
domainssguibulkniner.com
domainssidorsneeds.net
domainssinglgirs.com
domainssinglsdoms.com
domainssinglsnetss.info
domainssinglssunss.net
domainsstressadd.net
domainsstringho5.info
domainsstringho5.org
domainswithhelthhi.info
domainswithhelthhi.net
domssvorastwo.info
domssvorastwo.net
fresh-dating-2010.info
freshdating2012.info
fresh-dating-2013.info
gamesduoswin9.net
great-dating2010.asia
greatdating2012.asia
greatdating-2012.asia
greatdating2012.info
greatdating-2012.info
great-dating-2012.info
greatdating-2013.info
importslatenot.info
innersdomainsinser.com
latestdating2012.asia
latestdating2012.info
latestdating2013.info
left4deadfi3.info
left4deadfi3.net
libertymonings.info
libsgiftnet.info
libsgiftnet.org
loadsgamescraft.info
lomnetingstar.com
lubertylibcenterns.info
mobimemcashnesh.com
mobimemcashnesh.net
moderndating2010.asia
moderndating2012.asia
moderndating2013.info
mombersneftlife.net
monchianolist.info
morrisgussmir.net
my-dating2012.info
mydating2013.asia
mydating2013.asia
namessguibulk.net
namesstressadd.com
netsplacesformss.info
new-dating-2012.info
new-dating2013.asia
newdatingafter2010.asia
newdatingafter2012.info
newdatingafter2013.info
newdatingworld2012.asia
newdatingworld2012.info
newmeeting2010.asia
newmeeting2012.asia
newmeeting2012.info
oldspacesnets.net
omnihiteuropapluss.info
oregonsitynet.net
searchersnextdoms.info
searchersnextdoms.net
searchersstippich.info
shareself.info
site-dating-2012.asia
sitedating2012.info
site-dating2012.info
site-dating-2012.info
stathemliberiy.net
www.datingbest2012.info
x-dating2012.info
x-dating2013.asia

Happy 20:12 20/12 2012

Happy 20:12 20/12 2012!

Yes, I know I've done this before but there's a rumour that it's the end of the world tomorrow.

Sendspace "You have been sent a file" spam / apendiksator.ru

This fake Sendspace spam leads to malware on apendiksator.ru:

Date:     Thu, 20 Dec 2012 09:25:36 -0300
From:     "SHIZUKO Ho"
Subject:     You have been sent a file (Filename: [redacted]-28.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-6110219.pdf, (286.58 KB) waiting to be downloaded at sendspace.(It was sent by SHIZUKO Ho).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

===============================

Date:     Thu, 20 Dec 2012 05:05:02 +0100
From:     "GENNIE Hensley"
Subject:     You have been sent a file (Filename: [redacted]-7123391.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-38335.pdf, (282.44 KB) waiting to be downloaded at sendspace.(It was sent by GENNIE Hensley).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

---------------------------------------------------------------------

Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]apendiksator.ru:8080/forum/links/column.php hosted on:

91.224.135.20 (Proservis UAB, Lithunia)
187.85.160.106 (Ksys Soluções Web, Brazil)
210.71.250.131 (Chunghwa Telecom, Taiwan)

These IPs and domains are all related and should be blocked:
91.224.135.20
187.85.160.106
210.71.250.131
afjdoospf.ru
angelaonfl.ru
akionokao.ru
apendiksator.ru

Wednesday, 19 December 2012

Wire Transfer spam / angelaonfl.ru

This fake Wire Transfer spam leads to malware on angelaonfl.ru:

Date:     Wed, 19 Dec 2012 11:26:24 -0500
From:     "Myspace" [noreply@message.myspace.com]
Subject:     Wire Transfer (3014YZ20)

Welcome,

Your Wire Transfer Amount: USD 45,429.29

Transfer Report: View

EULALIA Henry,

The Federal Reserve Wire Network

The malicious payload is at [donotclick]angelaonfl.ru:8080/forum/links/column.php hosted on the following IPs:

91.224.135.20 (Proservis UAB, Lithunia)
210.71.250.131 (Chunghwa Telecom, Taiwan)
217.112.40.69 (Utransit, UK)

The following domains and IPs are all related and should be blocked if you can:
91.224.135.20
210.71.250.131
217.112.40.69
pelamutrika.ru
antariktika.ru
apensiona.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
aviaonlolsio.ru
dimarikanko.ru
adanagenro.ru
aofngppahgor.ru
apolinaklsit.ru
angelaonfl.ru

Facebook spam / 46.249.58.211 and 84.200.77.218

There are various Facebook spams doing the rounds pointing to a variety of malware sites on 46.249.58.211 and 84.200.77.218, for example:

From: FB.Team
Sent: 19 December 2012 14:30
Subject: Re-activate account

Hi [redacted],
Your account has been blocked due to spam activity.
To verify account, please follow this link:
http://www.facebook.com/confirmemail.php?e=[redacted]

You may be asked to enter this confirmation code: [redacted]
The Facebook Team

Didn't sign up for Facebook? Please let us know.

46.249.58.211 (Serverius Holding, Netherlands)
newmeeting2012.asia
datingbest2012.asia
dating-2013.asia
new-dating2013.asia
mobimemcashnesh.com
domainssguibulkniner.com
innersdomainsinser.com
domainssinglsdoms.com
site-dating-2012.info
best-dating-2012.info
new-dating-2012.info
greatdating-2012.info
newdatingworld2012.info
site-dating2012.info
sitedating2012.info
freshdating2012.info
cooldating2012.info
greatdating2012.info
latestdating2012.info
datingcool2012.info
newdatingafter2012.info
datingbest2012.info
fresh-dating-2013.info
greatdating-2013.info
moderndating2013.info
latestdating2013.info
newdatingafter2013.info
shareself.info
searchersstippich.info
adeptsponsorlin.info
domssvorastwo.info
domainsqiprnodes.info
searchersnextdoms.info
lubertylibcenterns.info
netsplacesformss.info
domainssinglssunss.info
domainssinglsnetss.info
omnihiteuropapluss.info
domainderight.info
domainsreidstable.net
mobimemcashnesh.net
namessguibulk.net
adeptsponsorlin.net
domssvorastwo.net
domainssguibulk9r.net
domainssidorsneeds.net
searchersnextdoms.net
domainssinglssunss.net
bursttsnetsbest.net

84.200.77.218 (Misterhost, Germany)
namesstressadd.com
bitnovembersgate.com
domainssinglgirs.com
left4deadfi3.info
importslatenot.info
monchianolist.info
left4deadfi3.net
gamesduoswin9.net
domainsstressadd.net
oregonsitynet.net

GFI have some more details on this one here.

Malware sites to block 19/12/12

This group of sites appears to be using a fake AV applications to download a malicious file scandsk.exe (report here) via 79.133.196.103 (eTop, Poland) and 82.103.140.100 (Easyspeedy, Denmark) which then attempts to call home to 46.105.131.126 (OVH, Ireland).

This is a screenshot of the fake AV in action:

From this point, the scandsk.exe gets download either through an exploit or social engineering. This executable looks like some sort of downloader, which attempt to pull down additional data from these non-responding domains:

report.q7ws17sk1ywsk79g.com
report.7ws17sku7myws931u.com
report.u79i1qgmywskuo9o.com

There's some sort of trickery here, perhaps it requires exactly the right kind of factors to hit a valid URL, the automated analysis tools are inconsistent [1] [2] [3] but seem to indicate a C&C on 46.105.131.126. This IP belongs to OVH (no surprises there) but seems to have been suballocated:

inetnum:        46.105.131.120 - 46.105.131.127
netname:        marysanders1
descr:          marysanders1net
country:        IE
org:            ORG-OH5-RIPE
admin-c:        OTC9-RIPE
tech-c:         OTC9-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

I suspect that this whole block is being used for malicious purposes, 46.105.131.123 hosts a site called find-and-go.com registered in China which has been fingered as an attack site before (e.g. here, click at your own risk). I would recommend blocking the entire 46.105.131.120/29 to be on the safe side.

The infection sites are on 82.103.140.100 and 79.133.196.103, they make extensive use of subdomains of mooo.com, ez.lv and zyns.com. There are probably legitimate sites making use of these domains, but blocking them completely should give you few headaches.

79.133.196.103 is part of small block of IPs, 79.133.196.96/27, that I have seen malware on before, specifically 79.133.196.105 and 79.133.196.124. Blocking the entire /27 is probably a good idea.

Recommended blocklist:
46.105.131.120/29
82.103.140.100
79.133.196.97/27
mooo.com
ez.lv
zyns.com

Alternatively, these are some of the subdomains in use.. there are a lot of them, and probably more than I have listed here.

82.103.140.100
www2.x49v36a57puq66.ez.lv
www2.tpzqzg4k2scre0.mooo.com
www2.afc5l4vfohgsz0.mooo.com
www2.f4t9jm7x21.mooo.com
www2.q9iuiwcoq2uvy-2.mooo.com
www2.wwml9bvprhllq2.mooo.com
www2.cjpujub6n0e5u2.mooo.com
www2.t-hih2cnpkpjy2.mooo.com
www2.afbsv8ooj-3.mooo.com
www2.yhqgj6kntn9ru3.mooo.com
www2.q-5f75azo15f214.mooo.com
www2.pbsx2znwccc9a4.mooo.com
www2.wa9bb2z4r3ojz-5.mooo.com
www2.abjbxt7a65.mooo.com
www2.fmrmta0nhmql95.mooo.com
www2.xkpcakk8fnvp95.mooo.com
www2.l6gbfb6l5.mooo.com
www2.ewl91b7p86.mooo.com
www2.uwgsohupxy1de6.mooo.com
www2.g-gq0soprruf5h6.mooo.com
www2.m7yzf62rp6.mooo.com
www2.vov9fsmlyq9257.mooo.com
www2.r2qrxdwo979vj7.mooo.com
www2.j9qm7o00stdyx7.mooo.com
www2.laysltotae8xd8.mooo.com
www2.wp0poz3aq7a7q8.mooo.com
www2.lisbp4cv0v6w09.mooo.com
www2.a50oup6hw0u9c9.mooo.com
www2.pa68ewk9fuqoe9.mooo.com
www2.ohcaob1cffx4l9.mooo.com
www2.g-gysij61cwkkr9.mooo.com
www2.j-8pdx3cfjxgba.mooo.com
www2.h-3aq08aicxn2c.mooo.com
www2.i-7w3rj3j54msmc.mooo.com
www2.j94ysol4em1jd.mooo.com
www2.b5nxk76wnd.mooo.com
www2.r-72i3awaqe.mooo.com
www2.e1k6twcnwqkueh.mooo.com
www2.l00mfws4y9p7ci.mooo.com
www2.l-30w3ulnwvj0qi.mooo.com
www2.z9tbs222g9unk.mooo.com
www2.g-3hww04s0mv5mn.mooo.com
www2.d-9w6t7gvgqm1o.mooo.com
www2.v3sinde9go.mooo.com
www2.l926nykwyj27mo.mooo.com
www2.e8dp78999hr5u.mooo.com
www2.y-8ppqnq8kglsou.mooo.com
www2.k79jcizh268qu.mooo.com
www2.v-9ifaa40v4bu1w.mooo.com
www2.p-2l65dl6w.mooo.com
www2.w15s6udfkhp5ry.mooo.com
www2.jjiqnfn6gj5ht-0.ez.lv
www2.z1jdd6o1e1kss0.ez.lv
www2.h-ccawkohe3qpi3.ez.lv
www2.hzyr7bh8gok2p4.ez.lv
www2.djti1cxaiz9wk5.ez.lv
www2.i-lojtegi396u5.ez.lv
www2.zgurkoad-7.ez.lv
www2.z26df3ueq3j2t7.ez.lv
www2.u263xcu8.ez.lv
www2.kyumtava8e6qv-9.ez.lv
www2.vn6wbwn7abt319.ez.lv
www2.w-5e04vjusiibj9.ez.lv
www2.n9vrk7p00g.ez.lv
www2.t3fjazatb9yov.ez.lv

79.133.196.103
www1.d6kpgdkvrolql3.zyns.com
www1.v7cqv8zdy4pjn5.mooo.com
www1.gno1meqrlspf5-0.zyns.com
www1.ibtu6x7oi3278-0.zyns.com
www1.b95ixcr30.zyns.com
www1.z-xq6xi2p7yx60.zyns.com
www1.p-aijej0.zyns.com
www1.jzyycis0.zyns.com
www1.u1wfjjs0.zyns.com
www1.h7xwv84x1huu0.zyns.com
www1.o-3xvokohw0.zyns.com
www1.fetmg6oukfvvw0.zyns.com
www1.wxe3vgvuk6th-1.zyns.com
www1.nuiq1hvmga2d11.zyns.com
www1.w5ndppqbx3p21.zyns.com
www1.u8r2a5xfb0xp51.zyns.com
www1.gbrl4es5xro4b1.zyns.com
www1.z-gfckpx0nst8c1.zyns.com
www1.ma5x4qfhh1.zyns.com
www1.ps61hen1.zyns.com
www1.cvhc6cr1.zyns.com
www1.ucfjffrizboz1.zyns.com
www1.vlza5kzj32.zyns.com
www1.cutyfk82tkfc52.zyns.com
www1.p3gn08hp62.zyns.com
www1.xa9xfs70sn92.zyns.com
www1.tt4h8odbcfxtq2.zyns.com
www1.j8qi8gl3d5jpv2.zyns.com
www1.iatjl4x2.zyns.com
www1.zqclyyon8-3.zyns.com
www1.c4w46c-3.zyns.com
www1.iu3b7pys9yah23.zyns.com
www1.veduncogo0u683.zyns.com
www1.bq1la1lcr3.zyns.com
www1.sm30hwbrxb5az3.zyns.com
www1.osxzdpb-4.zyns.com
www1.e1xyho-4.zyns.com
www1.h5yqudc184.zyns.com
www1.bctzuagte4.zyns.com
www1.gr56vr5wxvg7n4.zyns.com
www1.m5sfchcmj27cq4.zyns.com
www1.l1rtz0zaj4fnq4.zyns.com
www1.y-4an259ivs7vq4.zyns.com
www1.t8lkv8y4.zyns.com
www1.ycj49f-5.zyns.com
www1.o31omt35.zyns.com
www1.w032ang27l9d55.zyns.com
www1.x-96pxhseft8vo5.zyns.com
www1.p8yzcs8ch-6.zyns.com
www1.dhapuz06.zyns.com
www1.k-1m2fwr1zkha6.zyns.com
www1.rqc6n0zob6.zyns.com
www1.uicqviiewuukp6.zyns.com
www1.y4fyk9kw4e0lu6.zyns.com
www1.nbv4tzxo9452-7.zyns.com
www1.a6f4udb912c49-7.zyns.com
www1.ao3r3psunacd-7.zyns.com
www1.b7k6w2pnmz127.zyns.com
www1.i-vmtcr70kg2up7.zyns.com
www1.j-2qw3j92dq8x7.zyns.com
www1.yhxt4s4j78ry7.zyns.com
www1.frmbxxqc875pj-8.zyns.com
www1.axttts-8.zyns.com
www1.w-5z76xligg58.zyns.com
www1.scowhjo755l6d8.zyns.com
www1.br3u9dxxar5td8.zyns.com
www1.y5nxjxm8.zyns.com
www1.b6bu6gh1zcp8.zyns.com
www1.tnluwilt6mp2-9.zyns.com
www1.nnn17u67qzt219.zyns.com
www1.agdd43g049.zyns.com
www1.bcg6p4ctazktc9.zyns.com
www1.yoioas053gtbe9.zyns.com
www1.a-rra5zgikgcf9.zyns.com
www1.sx5egikt2kmqf9.zyns.com
www1.du3ikfh9.zyns.com
www1.f-5uhlm9.zyns.com
www1.xfrqbmljcp48n9.zyns.com
www1.r-aaqewzo8mp9.zyns.com
www1.jllt99r0v9.zyns.com
www1.uyi3rupgv9pdw9.zyns.com
www1.g8z0v3j7gwd7of.zyns.com
www1.v-1ou2ri1zrg0qf.zyns.com
www1.j02zhivh.zyns.com
www1.m0xqnb0l4j.zyns.com
www1.p5yte9ud3fbxbj.zyns.com
www1.o-2kuc2s8nkirik.zyns.com
www1.c58qlq5xcj0jrl.zyns.com
www1.v6r445h3ffl3m.zyns.com
www1.y-1gh1dkd6m.zyns.com
www1.b5sfmondbm.zyns.com
www1.d0mprkrn.zyns.com
www1.m8gnbsm902rx1p.zyns.com
www1.q-1nvlobckqmv9q.zyns.com
www1.j8o4hnar.zyns.com
www1.a4d2od4p7wyxas.zyns.com
www1.w2up72la0jj4fs.zyns.com
www1.p-7mmwht.zyns.com
www1.b-8zowxdx7c9mt.zyns.com
www1.x6nal9syket14u.zyns.com
www1.q7l2p44v81oyxw.zyns.com
www1.x-1qeru80ijr0yw.zyns.com
www1.k2o7ux378x.zyns.com
www1.y-34sc9n3kutsy.zyns.com
www1.q3nxdktdixzfzy.zyns.com
www1.t7nh3q177z.zyns.com

Tuesday, 18 December 2012

LinkedIn spam / apensiona.ru

This fake LinkedIn spam leads to malware on apensiona.ru:

From: messages-noreply@bounce.linkedin.com on behalf of LinkedIn Connections
Sent: Tue 18/12/2012 14:01
Subject: Join my network on LinkedIn

LinkedIn
Hien Lawson has indicated you are a Friend
I'd like to add you to my professional network on LinkedIn.

- Hien Lawson

Accept
View invitation from Hien Lawson

WHY MIGHT CONNECTING WITH Hien Lawson BE A GOOD IDEA?

Hien Lawson's connections could be useful to you

After accepting Hien Lawson's invitation, check Hien Lawson's connections to see who else you may know and who you might want an introduction to. Building these connections can create opportunities in the future.
2012, LinkedIn Corporation

The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php (the same payload as here) although this time the IPs have changed to:

109.235.71.144 (Serveriai, Lithunia)
176.31.111.198 (OVH, France)
217.112.40.69 (Utransit , UK)

Here's a plain list if you want to block the lot:
109.235.71.144
176.31.111.198
217.112.40.69

Blocking emails from linkedin.com at your perimeter might also be a good idea.

UPS (or is it USPS) spam / apensiona.ru

Spammers often get UPS and the USPS mixed up. They're not the same thing at all. And this one throws FilesTube into the mix as well. Anyway, this fake UPS / USPS / FilesTube spam leads to malware on apensiona.ru:

From: FilesTube [mailto:filestube@filestube.com]
Sent: 17 December 2012 06:01
Subject: Your Tracking Number H7300014839

USPS Customer Services for big savings!
Can't see images? CLICK HERE.

UPS - UPS TEAM 60 >>

Already Have
an Account?

Enjoy all UPS has to offer by linking your My UPS profile to your account.

Link Your
Account Now >>


UPS - UPS .com Customer Services

Good Evening, [redacted].

DEAR USER , Recipient's address is wrong

Track your Shipment now!

With Respect To You , Your UPS .com Customer Services.


Shipping
    Tracking
    Calculate Time & Cost
    Open an Account



@ 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the UPS brandmark, and the color brown are
trademarks of United Parcel Service of America, Inc. All rights reserved.

This is a marketing e-mail for UPS services. Click here to update your e-mail preferences or to unsubscribe to
USPS Team marketing e-mail. For information on UPS's privacy practices, please refer to UPS Privacy Policy.

Your USPS .us Customer Services, 8 Glenlake Parkway, NE - Atlanta, GA 30585
Attn: Customer Communications Department

The malicious payload is at [donotclick]apensiona.ru:8080/forum/links/column.php which is hosted on 217.112.40.69 (Utransit, claims to be from the UK but probably Russia). The following malicious domains are also on that IP address:

pelamutrika.ru
antariktika.ru
aliamognoa.ru
ahiontota.ru
anifkailood.ru
podarunoki.ru
aseniakrol.ru
publicatorian.ru
pitoniamason.ru
aviaonlolsio.ru
dimarikanko.ru
adanagenro.ru
aofngppahgor.ru
apolinaklsit.ru
apensiona.ru