Sponsored by..

Monday, 11 March 2013

Something evil on 176.31.140.64/28

176.31.140.64/28 is an OVH block suballocated to Sidharth Shah (mentioned in this earlier post). It contains a a small number of malicious domains flagged by Google (in red), most of the rest of the sites have a very poor WOT rating (in yellow). I'll post more details later. You can safely assume that everything in this block is malicious, and I note that some of the domains are refugees from this malware site.

Malware is hosted on 176.31.140.64, 176.31.140.65, 176.31.140.66 and 176.31.140.67. There appear to be no legitimate sites in this block.

a50055.info
a6066.info
a70077.info
a80088.info
add5005.info
any303.info
apple2001.info
apple2002.info
apple2003.info
apt707.info
art808.info
article404.info
admin645.info
adscard.net
adscoast.com
adscoast.net
adsknoll.com
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsregarding.com
adsregarding.net
adsset.net
adsspark.com
adsspark.net
adstimes.net
adstown.net
adsvoice.net
akon342.info
alfa763.info
allknowingredscale.org
apolonq3.info
belligerentperformance.biz
booksdesk.org
bymailunstandard.org
cameraandspidermans.org
compatiblesohoos.biz
compellingseven.org
convertingsupply.org
deactivatelens.org
deletionaffordably.org
dlnabeta.org
draggingdownbreakdown.biz
enjoycapacious.org
entertainingsubpoenaed.org
fantasyactv.org
flipsendnow.org
graphicaluseby.org
hardwareturkish.org
ifdependable.org
ignoreorion.biz
imapnearing.org
indeliblefeaturewise.org
inexplicablysitespring.biz
initiatingslatenot.org
innovationfifth.org
inquiryunintuitively.org
interviewsmartcolumns.org
ipartitiontroublesome.org
irresponsibledefrag.biz
jeffalwaysrunning.org
languageinads.com
languageinads.net
leaveinteracted.biz
lowriskremembers.org
machinemargins.biz
madeenergy.biz
materialhencefullfeatured.org
minilabsdetailed.org
modesorganizecontentbased.org
multipledocumentthe.org
museumsinterest.org
nettalksdlsr.biz
nontechnicalcrossdisciplinary.org
notracessurfers.org
offensivesimple.biz
onyxlost.biz
operatingshorter.biz
overloadhell.org
playlistshears.biz
pointandshootfortunately.org
pushedcddb.org
recipesmailings.org
reconfigureboundaries.org
redorewards.biz
remarkablyracer.biz
retrievingevidently.biz
rummaginglistenandrepeats.org
seldomsnailmail.org
selfhealingduo.org
skimmingmanys.org
slideshareempower.org
sorryenters.biz
stretchedtool.org
superdatscalable.biz
taxactsfacebook.org
tonegrapple.biz
tonguesweetening.biz
transformingprofessional.org
transparencymonitoring.org
upsellmediathe.org
usingthisxploreing.org
visualbeesdaemon.org
vpmediastudios.org
westsidespiderman.biz
whocompatible.biz
wpcbots.org
zipsstorms.org
aapp202.info
accon101.info
after121.info
agg7574.info
all9009.info
amigosunspot.biz
bureaubasic.biz
checkinsbr.org
curateeyeballs.biz
efficacycull.biz
inappmovies.biz
menudrivenexternal.biz
moveoutgunned.biz
multitrackonew.net
palmnetstories.biz
predictkillersounding.biz
prohibitingbod.info
redirectionvx.org
selfdefensealphabetical.biz
syncopationhaving.biz
trimmingshyamalan.biz
versustempo.info
altirismotodv.net
bullzipskewing.biz
distortionexperts.net
inteloutdone.biz
opinedvdrw.net
peachtreesauto.net
snowfallsought.net
Posted by at No comments:
Labels: , , , , ,

Something evil on 37.59.214.0/28

37.59.214.0/28 is an OVH IP range suballocated to a person called Sidharth Shah in Maryland (more of whom later). At the moment it is hosting a number of malware sites with a hard-to-determine payload such as [donotclick]55voolith.info:89/forum/had.php which is evading automated analysis.

The owner of this block is as follows:
organisation:   ORG-SS252-RIPE
org-name:       Shah Sidharth
org-type:       OTHER
address:        12218 Skylark Rd
address:        20871 Clarksburg
address:        US
abuse-mailbox:  ovhresell@gmail.com
phone:          +1.5407378283
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered

Malware is hosted on 37.59.214.0, 37.59.214.1 and 37.59.214.0. There do not appears to be any legitimate sites in this range. Google has already flagged some of these as malicious (marked in red), so you can safely assume that they are all malicious:

1dabify.info
1linktube.info
1myloo.info
1trilium.info
2drill.info
2mars.info
2scrool.info
2skills.info
2walls.info
abubblespot.info
achatterjam.info
athoughtpedia.info
atwitterdrive.info
ayakilith.info
alivexs.info
arealster.info
arealtune.info
atopjam.info
ayombu.info
bbrightbridge.info
bdabdog.info
bfatri.info
bmyva.info
11chattervine.info
11fandu.info
11ncat.info
11tanix.info
22chatset.info
22cogizio.info
22jalium.info
22jaxworks.info
22ooyo.info
22thoughtspace.info
33demilium.info
33digipad.info
33skire.info
3digiset.info
3edgeblab.info
3linkshots.info
3livelounge.info
3meenix.info
3viva.info
5ailium.info
5flashster.info
5gabwire.info
5lalium.info
5skyzu.info
7demiboo.info
7gedeo.info
7jumpbean.info
7jumplist.info
7zambu.info
8abagen.info
8bubbledog.info
8cogitz.info
8plamba.info
8tajo.info
8twitterbox.info
Posted by at No comments:
Labels: , , , , ,

Friday, 8 March 2013

RU:8080 and Amerika spam runs

For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs in the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.

But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com emails (with .pro and .biz used from time-to-time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.

I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.

I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!
Posted by at No comments:
Labels: , , , ,

AT&T spam (again)

This fake AT&T spam leads to malware on.. well, in this case nothing at all.

Date:      Fri, 8 Mar 2013 10:37:24 -0500 [10:37:24 EST]
From:      AT&T Customer Care [icare7@amcustomercare.att-mail.com]
Subject:      Your AT&T wireless bill is ready to view


att.com | Support | My AT&T Account     Rethink Possible
Your wireless bill is ready to view
Dear Customer,

Your monthly wireless bill for your account is now available online.

Total Balance Due: $1695.64

Log in to myAT&T to view your bill and make a payment. Or register now to manage your account online. By dialing *PAY (*729) from your wireless phone, you can check your balance or make a payment - it's free.

Smartphone users: download the free app to manage your account anywhere, anytime.


Thank you,
AT&T Online Services
att.com


Contact Us
AT&T Support - quick & easy support is available 24/7.

Find us on Facebook   Talk to us on twitter   AT&T Community    
Get Peace of Mind

Set up secure AutoPay from your checking account.

Learn more
Go Paperless

Save time, money and the environment.

Learn more
Online Deals!

Shop the Best Deals in your area for Phone, TV, Internet and Wireless.

Learn more
Device Tutorials
Information specific about your phone     Smart Controls
Block calls, set mobile purchase limits, manage usage, and more     Payment Arrangements
Explore your options for arranging a payment plan
PLEASE DO NOT REPLY TO THIS MESSAGE    
©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. Subsidiaries and affiliates of AT&T Inc. provide products and services under the AT&T brand.
Privacy Policy


In this case the link goes to a redirector page at [donotclick]vtcrm.update.se/eben/index.html hosted 62.109.34.50 in Sweden. It looks like someone has speedily removed the redirector page so I can't tell you much about the malicious landing page. Kudos to Ilait AB or whoever fixed the problem!
Posted by at No comments:
Labels: , ,

LinkedIn spam / giminalso.ru

This fake LinkedIn spam leads to malware on giminalso.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...

     [redacted], Congratulations!
You and Aylin are now connected.

    Aylin Welsh

--
Tajikistan    

2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:

41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)


Posted by at 1 comment:
Labels: , , , , , ,

"Your tax return appeal is declined" / gimilako.ru

This following fake IRS spam leads to malware on gimilako.ru:

From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service


Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday Friday, 7:00 a.m. 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time). 
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
89.107.184.167
212.180.176.4
gimilako.ru
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
gosbfosod.ru
Posted by at No comments:
Labels: , , , , ,

Adobe CS4 spam / guuderia.ru

This fake Adobe spam leads to malware on guuderia.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898

Good afternoon,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.


Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:

41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)

Blocklist:
41.72.150.100
212.180.176.4
forum-la.ru
forumla.ru
gimalayad.ru
ginagion.ru
giliaonso.ru
forum-ny.ru
forumny.ru
guuderia.ru
gosbfosod.ru

Posted by at No comments:
Labels: , , , ,

Thursday, 7 March 2013

Malware sites to block 7/3/13

Some Cridex-based nastiness here. These are the malicious domains that I can find on the IPs mentioned, alternatively you can just block:

173.246.102.2 (Gandi, US)
173.255.215.242 (Linode, US)
64.13.172.42 (Silicon Valley Colocation, US)

Blocklist:
173.246.102.2
173.255.215.242
64.13.172.42
17.247nycr.com
17.optimax-fuel-saver.us
17.grantmassie.org
17.seniorgazette.org
17.scottbarr.org
17.kingdom-mystery.org
17.landvirginia.com
17.schnoescpa.com
17.rbasa.com
17.thinkgreensa.com
17.hogwashiniowa.com
17.ledbymmhd.com
17.ultimateserviceexperience.com
17.yourbrokerforlife.com
17.grantmassie.com
17.lascrittore.com
17.bearfoothouse.com
17.setapartcreative.com
17.sanantoniosiding.com
17.webezmarketing.com
17.iowahogwash.com
17.avbapi.com
17.sanantoniohardiplank.com
17.apielectrical.com
17.lwrbeerfestival.com
17.kathybissell.com
17.cpadahm.com
17.doorssanantoniocom.com
17.deborahramanathan.com
17.drdeborahramanathan.com
17.foodypon.com
17.renewalanderson.com
17.rbasanantonio.com
17.renewalsanantonio.com
17.thetelecomgroup.com
17.247nycr.com
17.mmholidaydecor.com
17.quakertownfamilydoctor.com
17.dmmbs.com
17.dmmmbs.com
17.kbgolfcoursesales.com
17.seniorgolfrankings.com
17.redtreebookings.com
17.southwest-referrals.com
17.texcoteproblems.com
17.taberydesigns.com
17.moffdomains.com
17.thebusiness-solutions.com
17.dchealthcaresolutions.com
17.deadbeatcustomers.com
17.docholidaybanners.com
17.worldclassexteriors.com
17.southwestexteriors.com
17.productpurveyors.com
17.valuationwidgets.com
17.profitzplus.com
17.culliganwaternet.com
17.soonerflight.com
17.bradentons-finest.com
17.opti-max.com
17.meccandivinity.com
17.247nycrealty.com
17.foodypon.info
17.brightdirection.us
17.optimaxmagnetics.us
17.optimax.us
17.ir-c.net
17.grantmassie.net
17.americanseniorgazette.net
17.sanantoniosiding.net
17.sanantoniodoors.net
17.sanantoniowindows.net
17.culliganwaternet.net
17.bestbysouthwest.net
17.brightdirection.biz
20.anythinginternational.biz
20.anythinginternational.com
20.chelsiamd.com
kfz-youngtimerservice.de
mtmedia.net
cinemacityhu.iq.pl


Posted by at 2 comments:
Labels: , , ,
Subscribe to: Posts (Atom)