Dynamoo's Blog

Tuesday, 22 January 2013

"Batch Payment File Reversed" spam / kendallvile.com

This spam leads to malware on kendallvile.com:

From:    batchservice@eftps.net [batchservice@eftps.net]
Date:    22 January 2013 17:56
Subject:    Batch Payment File Reversed

=== PLEASE NOT REPLY TO THIS MESSAGE===

[redacted]

This notification was mailed to inform you that your payment file has Reversed. 2013-01-21-9.56.22.496135

Detailed information is accessible by sign into the Batch Provider with this link.

--
With Best Regards,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service

This leads to an exploit kit on [donotclick]kendallvile.com/detects/exceptions_authority_distance_disturbing.php (report here) hosted on the very familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea) which should be blocked if you can.

Dutch language Swiss tax spam / africanbeat.net

This Nederlands language spam appears to be from some Swiss tax authority, but in fact it leads to the Blackhole Exploit kit on africanbeat.net:

From:    report@ag.ch via bernina.co.il
Date:    22 January 2013 13:48
Subject:    Re: je NAT3799 belastingformulier
Mailed-by:    bernina.co.il

[redacted]

Wij willen brengen aan uw bericht dat je hebt fouten gemaakt bij het invullen van de meest recente belastingformulier NAT3799 (ID: 023520).
vindt u aanbevelingen en tips van onze fiscalisten HIER
( Wacht 2 minuten op het verslag te laden)

Wij verzoeken u om corrigeer de fouten en verzenden de gecorrigeerd aangifte aan uw belastingadviseur zo snel mogelijk.

Kanton Aargau
Sonja Urech
Sachbearbeiterin Wehrpflichtersatzverwaltung
Departement Gesundheit und Soziales
Abteilung Militär und Bevölkerungsschutz
Rohrerstrasse 7, Postfach, 6253 Aarau
Tel.: +41 (0)62 332 31 62
Fax: +41 (0)62 332 33 18

Translated as:

We want to bring to your notice that you have made mistakes when completing the most recent tax form NAT3799 (ID: 023520).
You can find recommendations and tips from our tax specialists HERE
(Wait 2 minutes for the report to load)

We ask you to correct the error and send the corrected report to your tax advisor as soon as possible.

The link leads to an exploit kit at [donotclick]africanbeat.net/detects/urgent.php (report here) hosted on the familiar IP address of 222.238.109.66 (Hanaro Telecom, Korea). The following domains are active on this server:

africanbeat.net
seoseoonwe.com
alphabeticalwin.com
bestwesttest.com
prepadav.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
shininghill.net
terkamerenbos.net

Something evil on 109.123.66.30

109.123.66.30 (UK2.NET, UK) hosts several domains containing the Blackhole Exploit Kit (example here). The domains in user are (mostly) legitimate hacked domains, but there are a couple of odd things here.

Most of the malicious domains have a format like this: 700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com - in this case darkhands.com is a legitimate domain registered to an individual in Australia, but it has been hacked to create a who load of malicious subdomains, hosted on another server from www.darkhands.com.

In fact, almost all the domains are registered to Australians, but the key thing is in that all of those cases the main domains are hosted by OrionVM in Australia, with the main domains hosted in the 49.156.18.0/24 block. Update: it seems that a single customer was compromised and the OrionVM issue has been resolved.

So how can the main (legitimate) sites be hosted in 49.156.18.0/24, but the malicious subdomains are hosted on a completely different network in the UK. I suspect that there is a compromise of some sort at OrionVM which has allowed the DNS records to be change (it should be noted that these domains used several different registrars).

Another oddity is that these hijacked domains only go from A to I alphabetically, which indicates that there might be some other malicious servers in this same group. The domains are:

00.co.kr
07drama.com
1001mg.com
1sim.net
20cargo.com
2ndi.com
2seul.net
3gendata.co.kr
atomthecreators.com
bodaguatemala.com
ciudaddelangel.com
colmodasa.com
ctsau.com
cyberdyne.net.au
dafconstructions.com
darkhands.com
deanmathers.com
demon-networks.com
dentistasguatemala.com
dfs-mortgages.com.au
easygosa.com
elitebusinesssupplies.com.au
eliteoz.com.au
enaballet.com
escapeelsalvador.com
fairymeadowsurfclub.com.au
floor-me.com.au
furniturebiweb.com.au
frankflick.com
fwmesker.com.au
gcbustours.com.au
giftsbiweb.com.au
goddessmassage.com.au
goldcoastnorth.org.au
goldcoastpacifictours.com.au
greyfoxjumps.com
grubisaguitars.com
img.or.kr

Also hosted on 109.123.66.30 are some malicious .in domains that were previously on 87.229.26.138 (see here):
gguwvn.in
gmvgyx.in
humswz.in
jlqrnp.in
krvrkh.in
lupszm.in
nwujgl.in
onylkp.in
pmkvyh.in
sirrpk.in
tmthzz.in
ukokqz.in
ymjjjm.in
yxrkyu.in
zjmnwv.in
znztip.in
zpjhjv.in

It looks like there are some legitimate sites on the same server, but blocking 109.123.66.30 is probably a good idea.

As for those subdomains I wrote about, well here are some examples (there are probably many more!)
9e3cca5e3db56bb811912113012211341099855c391a9f23ee6fdf9310ef65f.escapeelsalvador.com
9e3cca5e3db56bb8.escapeelsalvador.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
4378075af081a68c01911413012115588268499bd156f02785043714358bc6d.bodaguatemala.com
adc3e9311efa48f701604513012020274181958c0c1dd94d15b082c2f456729.2seul.net
613c852e72852488.12bears.org
4378075af081a68c119070130121141091436015a23f6147f4a5cb6f46c9612.bodaguatemala.com
4378075af081a68c01608613012113376175301d0604046f19450957fd59d89.bodaguatemala.com
4378075af081a68c0190861301211545518988357b1766a7c844beb4d7d552d.bodaguatemala.com
cb3c7f5e8885de88019102130121235232244364ff60ccc807ebd5d014bc12a.dentistasguatemala.com
cb3c7f5e8885de8801902413012123563228240bb24890930199ff12981f22c.dentistasguatemala.com
4387a7b5506e066301515913012202291029798326847e181e5c85ee57ec48c.doctoresguatemala.com
e93c8d2e7a852c88014072130119115171974917aa12cca08315e832c31f05b.07drama.com
e93c8d2e7a852c88019016130119091781150715f71f0b9afdd4128ec4cbb9c.07drama.com
da0f5ebda916ff1b01402413011913245133774bd3f2acbdbb427f332b0509e.07drama.com
4378c7aa3071667c01511113012120512184494445a0a9fabe4d9f815049c39.colmodasa.com
4378c7aa3071667c1191211301211930317435053144fdeced2f362b8701b9c.colmodasa.com
f80fcced3b066d0b1191211301220847209700257ce00433c7d66b6873eb420.easygosa.com
f80fcced3b066d0b0190861301220832613187254b83422e0b4c441fde73336.easygosa.com
073c137ee495b2980140251301220622508971181451a35f7f31a53edbc1f68.easygosa.com
073c137ee495b298.easygosa.com
ad870975fedea8d3019044130119144392288741f96f4d9d259a1b9c46683e0.1001mg.com
9eb4aa965d5d0b5001418513012018266185128b200492041c9fa22e5d7765e.2ndi.com
43c347f1b07ae67701418513011715199157549c11b32571ee03ac63e5df44a.frankflick.com
43c327b1d06a8667014102130121164341794225edd7badb251a6d939612b70.ciudaddelangel.com
43c327b1d06a8667119121130121182651816415774ff223bcf7794f72f9901.ciudaddelangel.com
43c327b1d06a8667016129130121170261378958c50c75b554d3acbb2bf6327.ciudaddelangel.com
bc4bb8f94f32193f114161130120170671429678682220d8fb9257f98a64133.20cargo.com
bc4bb8f94f32193f116161130120160641274345c1e0d1e821270ad394dce24.20cargo.com
9e3cca5e3db56bb801907013012210373118558538d878c0932bac859f75915.escapeelsalvador.com
9e3cca5e3db56bb811412113012210099114754a47f7f4cdd48cdf995c40c69.escapeelsalvador.com
9e3cca5e3db56bb80190861301221149212109450483885b4caf3bc1aa9f0ec.escapeelsalvador.com
700ff4ad03c655cb114163130116131561128525b412bf0eb1f0d8b3373d530.darkhands.com
700ff4ad03c655cb01902413011612555164840bb4054383b351bed0be72cb0.darkhands.com
700ff4ad03c655cb019025130116115161699125ddc19c767ee08cad8037869.darkhands.com
700ff4ad03c655cb01906313011612074085590bc4ca3a96ab9f70f60a845be.darkhands.com
700ff4ad03c655cb11919113011611137102708d4fb6daf0e74bea4aa5e8f9f.darkhands.com
da871eb5e9debfd3.demon-networks.com
da871eb5e9debfd3014025130116170451125355cc8672327f4e3759493a7b6.demon-networks.com
da871eb5e9debfd311416313011617182114754b6edb0d4e245e105a88985e8.demon-networks.com
cb789f8a68e13eec01402413011611067087175549c49b8c26df1b1e117ce52.dafconstructions.com
cb789f8a68e13eec0190241301161048514233351542cd2b24d195ba0bf6f2b.dafconstructions.com
cb789f8a68e13eec0191371301160824408432252ef981c7a10856259ae52ff.dafconstructions.com
8f0fdbcd2c567a5b.greyfoxjumps.com
8f0fdbcd2c567a5b0190761301181449720858689e2e4bcb46d495489f755db.greyfoxjumps.com
8f0fdbcd2c567a5b01410413011815492132506be98360c690e0577314b571c.greyfoxjumps.com
25c3a1b1562a002701615313011819586240920cc2c0a048cb012e78ce717e3.grubisaguitars.com
25c3a1b1562a002701409913011818231126800513e8276203b5e4706c64ac5.grubisaguitars.com
25c3a1b1562a0027.grubisaguitars.com
cb4b6fe99882ce8f01402413011613576192736c93af1192f50fb15cfe1fb20.deanmathers.com
52874685b15ee75301902413012112331103342bb3bba5bfc191f0fcffeff42.atomthecreators.com
07b43316c4cd92c00191841301211308110270853cafa0ede390f54488279a2.atomthecreators.com
52874685b15ee753.atomthecreators.com
52874685b15ee753014072130121104741407487aa1c9758f11ecec8a5080e9.atomthecreators.com
52874685b15ee753014064130121125041591348d3a795f75aa30f3c07c12fa.atomthecreators.com
52874685b15ee75301918513012110462108414055334aad721923de002768f.atomthecreators.com
ad4b99a96ed238df01902413011700222020288c860e4eed12a0c47a53b2d01.enaballet.com
ad4b99a96ed238df.enaballet.com
8f875b85acdefad3.ctsau.com
8f875b85acdefad3014086130115235542019295b59f74e05eefad146e21954.ctsau.com
520fa6dd5146074b01902413011903443069106c9587029dc299fef3a02a1cf.00.co.kr
da3c3e0ec9c59fc8014050130121084910792509f94ca468b493ae140b594f1.3gendata.co.kr
8f0f8bdd7c062a0b019044130121095082044654e48461a03046b9a158f0b56.3gendata.co.kr
da3c3e0ec9c59fc8.3gendata.co.kr
ad0fa92d5e96089b.12.img.or.kr
1687c295352e632301904413012011471097002d9bf1df5a4477988e98ea7f5.1sim.net
1687c295352e6323019115130120125041553301f169b228df07c49f6f8243f.1sim.net
8f4b9b896c123a1f0190241301181159211348659b5706dd8bba9ac9f65cc8a.goldcoastnorth.org.au
52c376c1814ad747116159130117164792434566ca998fa703bdba9f5fad36c.furniturebiweb.com.au
cb87bff5487e1e73019024130117230451540624eab8d91eedee6aae935bce8.giftsbiweb.com.au
250fa16d5616001b116062130117064610561095bc0c075f5de40e7ed52d204.fairymeadowsurfclub.com.au
6187852572ae24a3014077130118075481933705d68a7d58e329cd19e1d4831.goddessmassage.com.au
e9c32dd1daaa8ca71141631301171015509319889e28e6ae67eb0ff6dea8d71.floor-me.com.au
e9c32dd1daaa8ca70190861301171005507734854b82701243446e1f5747513.floor-me.com.au
e9c32dd1daaa8ca7.floor-me.com.au
e9c32dd1daaa8ca70150461301171003307037446410ff324aa6549c60cc9e7.floor-me.com.au
700f44ddb356e55b014025130117185911325065edcde5312a0fbd05c98f038.fwmesker.com.au
700f44ddb356e55b.fwmesker.com.au
700f944d6326352b019084130116191021210948682e24ad4db4900e40a73b4.dfs-mortgages.com.au
700f944d6326352b1141631301161913413314058ae84aa556671678b3f5e96.dfs-mortgages.com.au
700f944d6326352b.dfs-mortgages.com.au
f83c9c6e6b353d381141631301151452414962455f29541148efc4e37826913.elitebusinesssupplies.com.au
f83c9c6e6b353d3801511113011515087109682445a0a9f951927ef50f6d8c4.elitebusinesssupplies.com.au
070f33bdc4e692eb0191141301151407910841451c188064ca7eab689697868.elitebusinesssupplies.com.au
070f33bdc4e692eb0140861301151349718988357a3ee82f57b94dee43ccb7a.elitebusinesssupplies.com.au
61f02502d2998494119191130118142491702293e019202990ce84e1570c0db.goldcoastpacifictours.com.au
708774f5836ed5630140181301180909508051875c927d7e6aa55de3837e434.goldcoastbuschartertours.com.au
f8b4ac165b9d0d90014096130117213511429674e08c2686a0bb289bc3fa9d8.gcbustours.com.au
bcf038d2cf899984119163130115182621198264fd5f6cf84137810b203d561.eliteoz.com.au
61f0c522327964740190861301152121515564750483987b2c6cc62e0435464.eliteoz.com.au
61f0c52232796474.eliteoz.com.au
bcf038d2cf89998401404313011519058127117579abdbfca7f3f850c10f19b.eliteoz.com.au
bcf038d2cf8999840140241301151905812711753ae2611208cafdf0c10f19b.eliteoz.com.au
61f0c522327964740140161301152137113028789e2464b24229b3f5a3a889e.eliteoz.com.au
bcf0b8624f091904115129130116034061033429069f5026657971ac822f264.cyberdyne.net.au

Cheeky exploit kit on avirasecureserver.com

What is avirasecureserver.com? Well, it's not Avira that's for sure.. it is in fact a server for the Blackhole Exploit Kit.

This site is hosted on 82.145.57.3, an Iomart / Rapidswitch IP that appears to have been reallocated to:
person:         Dimitar Kolev
address:        QHoster Ltd
address:        Apt 1859
address:        Chynoweth House
address:        Trevissome Park
address:        Truro
address:        TR4 8UN
address:        GB
phone:          +13232180069
abuse-mailbox: abuse@qhoster.com
nic-hdl:        DK5560-RIPE
mnt-by:         RAPIDSWITCH-MNT
source:         RIPE # Filtered

Trevissome Park is a small business park in Cornwall, there certainly isn't a building with over 1000 apartments there, so we can assume that "Apt" is a euphemism for a post box. There's also no company in the UK called QHoster Ltd. In fact, if we check the QHoster.com domain we can see that it is a Bulgarian firm:

    QHoster Ltd.
    Dimitar Kolev        (domains@qhoster.net)
    27 Nikola D. Petkov Str.
    Sevlievo
    Gabrovo,5400
    BG
    Tel. +359.898547122
    Fax. +359.67535954

QHoster has an IP block of 82.145.57.0/25 suballocated to it. A quick poke around indicates not much of value in this range, you may want to consider blocking the /25 as a precaution.

Monday, 21 January 2013

Intuit spam / danadala.ru

This fake Intuit spam leads to malware on danadala.ru:

Date:     Mon, 21 Jan 2013 04:45:31 -0300
From:     RylieBouthillette@hotmail.com
Subject:     Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Mon, 21 Jan 2013 04:45:31 -0300.

    Finances would be gone away from below account # ending in 8134 on Mon, 21 Jan 2013 04:45:31 -0300
    amount to be seceded: 5670 USD
    Paychecks would be procrastinated to your personnel accounts on: Mon, 21 Jan 2013 04:45:31 -0300
    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]danadala.ru:8080/forum/links/column.php hosted on a familiar bunch of IPs that have been used in several recent attacks:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

The following malicious domains seems to be active at present:
dekamerionka.ru
danadala.ru
dmssmgf.ru
dmpsonthh.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dfudont.ru

LinkedIn spam / prepadav.com

This fake LinkedIn spam leads to malware on prepadav.com:

From: LinkedIn [mailto:news@linkedin.com]
Sent: 21 January 2013 16:21
Subject: LinkedIn Reminder from your co-worker

LinkedIn
REMINDERS
Invitation reminders:
▫ From CooperWright ( Your employer)

PENDING LETTERS
• There are a total of 2 messages awaiting your action. Acces to your InBox now.
Don't wish to receive email notifications? Adjust your letters settings.
LinkedIn respect your privacy. In no circumstances has LinkedIn made your e-mail acceptable to any other LinkedIn user without your allowance. © 2013, LinkedIn Corporation.

The malicious payload is at [donotclick]prepadav.com/detects/region_applied-depending.php hosted on 222.238.109.66 (Hanaro Telecom, Korea). This IP has been used in several malware attacks recently and it should be blocked if you can.

The following malicious websites are active on this server:
seoseoonwe.com
alphabeticalwin.com
splatwetts.com
bestwesttest.com
masterseoprodnew.com
cocolspottersqwery.com
teamrobotmusic.net
vaishalihotel.net
shininghill.net
terkamerenbos.net
prepadav.com

Kenyan Judiciary (judiciary.go.ke) hacked to serve malware

The Judiciary of the Republic of Kenya has a mission to deliver justice fairly, impartially and expeditiously, promote equal access to justice, and advance local jurispudence by upholding the rule of law. Unfortunately, it has also been hacked to serve up malware.

The site has been compromised to serve up an exploit kit being promoted by spam email. There's a redirector at [donotclick]www.judiciary.go.ke/wlc.htm attempting to redirect visitors to [donotclick]dfudont.ru:8080/forum/links/column.php where there's a nasty exploit kit.

Of course, most visitors to the judiciary.go.ke site won't see that particular exploit. But if someone can create an arbitrary HTML page on that server, then they pretty much have the run of the whole thing and they can do what they like. So the question might be.. what else has been compromised? Hmm.

Friday, 18 January 2013

ADP spam / dopaminko.ru

This fake ADP spam leads to malware on dopaminko.ru:

Date:     Fri, 18 Jan 2013 09:08:38 -0500
From:     "service@paypal.com" [service@paypal.com]
Subject:     ADP Immediate Notification

ADP Immediate Notification
Reference #: 544043911

Fri, 18 Jan 2013 09:08:38 -0500
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:

    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 206179035

HR. Payroll. Benefits.

The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is at [donotclick]dopaminko.ru:8080/forum/links/column.php hosted on the following familiar IP addresses:

89.111.176.125 (Garant-Park-Telecom, Russia)
91.224.135.20 (Proservis UAB, Lithunia)
212.112.207.15 (ip4 GmbH, Germany)

These following malicious domains appear to be active on these servers:
dekamerionka.ru
dmssmgf.ru
dmpsonthh.ru
dmeiweilik.ru
demoralization.ru
damagalko.ru
dozakialko.ru
dopaminko.ru
dumarianoko.ru
dimanakasono.ru
bananamamor.ru
dfudont.ru