Sponsored by..

Showing posts sorted by relevance for query jolly works hosting. Sort by date Show all posts
Showing posts sorted by relevance for query jolly works hosting. Sort by date Show all posts

Saturday, 27 July 2013

Jolly Works Hosting.. is it really Jolly?

I was a little curious as to why I kept coming across Jolly Works Hosting from the Philippines when it came to malware hosting. They are a customer of Secured Servers LLC in the US, and when I took a close look at malware reports with Secured Servers IPs addresses it turns out that most of them were actually suballocated to Jolly Works Hosting instead.

Jolly Works has a real website and real customers, but not all of those customers are very desirable. In particular, these following IP addresses are current hotbeds of malware and are definitely worthy of blocking:

108.170.46.130
184.95.37.100
184.95.37.109
184.95.51.123
184.164.136.150

I have enumerated much of their network for research purposes and uploaded it here [csv]. The file contains the domain, IP, decimalised IP, WOT ratings, Google Prognosis and SURBL status. Do with it what you will.

As far as I can tell, these following Secured Servers IP ranges are suballocated to Jolly Works Hosting. There are some real legitimate websites in there, but if you wanted to do some sort of filtering or scoring with them then the ranges are:

66.85.153.160/27
108.170.6.16/28
108.170.7.160/28
108.170.13.192/27
108.170.29.128/27
108.170.46.128/29
174.138.163.176/28
174.138.172.48/28
184.95.37.96/28
184.95.37.144/28
184.95.38.32/29
184.95.51.112/28
184.95.54.208/28
184.164.136.80/28
184.164.136.128/27
184.164.141.32/27
184.164.147.128/27
184.164.151.32/27
184.171.167.192/28
209.188.0.96/27

Monday, 19 August 2013

"You have received a secure message" spam / securedoc.zip

This fake Citi spam contains a malicious attachment:

Date:      Mon, 19 Aug 2013 20:24:27 +0000 [16:24:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message
Read your secure message by opening the attachment, securedoc. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.
If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.
First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

Attached is a file securedoc.zip which in turn contains a malicious executable securedoc.exe which has a very low detection rate at VirusTotal of just 2/46. The Malwr analysis (and also ThreatExpert) shows that the file first connects to [donotclick]frankcremascocabinets.com/forum/viewtopic.php (a hijacked GoDaddy domain on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines) as seen before here, and it then tries to downoad additional components from:

[donotclick]lobbyarkansas.com/0d8H.exe
[donotclick]ftp.ixcenter.com/GMMo6.exe
[donotclick]faithful-ftp.com/kFbWXZX.exe

This second part has another very low VirusTotal detection rate of just 3/46. Malwr gives an insight into what the binary is doing, or alternatively you can look at the Comodo CAMAS report or ThreatExpert report

Recommened blocklist:
184.95.37.96/28
frankcremascocabinets.com
giuseppepiruzza.com
gordonpoint.biz
gordonpoint.info
hitechcreature.com
frankcremasco.com
lobbyarkansas.com
ftp.ixcenter.com
faithful-ftp.com

"You requested a new Facebook password" spam / frankcremascocabinets.com

This fake Facebook spam follows on from this one, but has a different malicious landing page at frankcremascocabinets.com:

From:     Facebook [update+hiehdzge@facebookmail.com]
Date:     19 August 2013 17:38
Subject:     You requested a new Facebook password

facebook
Hello,

You recently asked to reset your Facebook password.
Click here to change your password.
Didn't request this change?
If you didn't request a new password, let us know immediately.
Change Password
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
The link in the email goes to a legitimate hacked site which then tries to load one or more of the following three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then directed to a malware payload at [donotclick]frankcremascocabinets.com/topic/able_disturb_planning.php hosted on 184.95.37.102 (Secured Servers, US / Jolly Works Hosting, Philippines). This domain is a hijacked GoDaddy domain and there are several others on the same server (listed below in italics).

Recommended blocklist:
184.95.37.96/28
ftp.hotwindsaunausa.com
katchthedeal.sg
ftp.navaglia.it
giuseppepiruzza.com
frankcremascocabinets.com
gordonpoint.biz
hitechcreature.com

frankcremasco.com

Friday, 26 July 2013

"welcome to the eBay community!" spam / artimagefrance.com

This fake eBay email leads to malware on artimagefrance.com:

Date:      Fri, 26 Jul 2013 21:40:48 +0900 [08:40:48 EDT]
From:      eBay [eBay@reply1.ebay.com]
Subject:      [redacted] welcome to the eBay community!



Items selected just for you.
View this message in your browser     eBay Buyer Protection
ebay™     Fashion     Electionics     Collectibles     Daily Deals     Sell To Buy
    Welcome to eBay. The simpler and safer way to shop and save.
You've got options when it comes to paying.
       
   
Learn more to protect yourself from spoof (fake) e-mails

eBay Inc. sent this e-mail to you at [redacted] because your Notification Preferences indicate that you want to receive general email promotions.

If you do not wish to receive further communications like this, please click here to unsubscribe. Alternatively, you can change your Notification Preferences in My eBay by Privacy Policy and User Agreement if you have any questions.

Copyright © 2013 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.
eBay Inc. is located at 2145 Hamilton Avenue, San Jose, CA 95125.

The link in the email goes to a legitimate hacked site and then runs one or more scripts from the following list of three:
[donotclick]75.126.43.229/deputy/clodhoppers.js
[donotclick]andywinnie.com/guessable/meteor.js
[donotclick]hansesquash.de/wimples/dunning.js

The victim is then sent to a malware landing page at [donotclick]artimagefrance.com/topic/accidentally-results-stay.php hosted on 184.95.37.110 (Secured Servers LLC, US / Jolly Works Hosting, Philippines). I would recommend blocking 184.95.37.96/28 in this case.

The domain is a hijacked GoDaddy domain, and the following hijacked domains appear to be in the neighbourhood. Ones flagged by Google as malware already are highlighted, although all should be considered as malicious.

184.95.37.100
fiberopticcableguy.com
fiberopticguy.com

guysanford.com
guyscards.com
hi-defhooters.com
y2k-usa.com

184.95.37.109
apparelacademy.com
apparelacademy.net
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org
showmysupport.org


184.95.37.110
2013vistakonpresidentsclub.com
amicale-calvel.com
amicale-calvel.eu
artimagefrance.com
atmiaaustraliaconference.com


Thursday, 25 July 2013

"INCOMING FAX REPORT" spam / 2013vistakonpresidentsclub.com

This fake fax report spam (apparently from the Administrator at the Victim's domain) leads to malware on 2013vistakonpresidentsclub.com:

Date:      Thu, 25 Jul 2013 10:32:10 -0600 [12:32:10 EDT]
From:      Administrator [administrator@victimdomain]
Subject:      INCOMING FAX REPORT : Remote ID: 1150758119

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 07/25/2013 02:15:22 CST
Speed: 23434 bps
Connection time: 09:04
Pages: 8
Resolution: Normal
Remote ID: 1150758119
Line number: 2
DTMF/DID:
Description: June Payroll

Click here to view the file online

********************************************************* 
The link in the spam leads to a legitimate hacked site and then on to one or more of these three intermediary scripts:

[donotclick]1954f7e942e67bc1.lolipop.jp/denominators/serra.js
[donotclick]internationales-netzwerk-portfolio.de/djakarta/opel.js
[donotclick]www.pep7.at/hampton/riposts.js

From there, the victim is sent to a malware landing page at [donotclick]2013vistakonpresidentsclub.com/topic/regard_alternate_sheet.php which was hosted on 162.216.18.169 earlier to day (like this spam) and was presumably a hijacked GoDaddy domain. I can't tell for certain if this site is clean now or not, but it seems to be on 184.95.37.110 which is a Jolly Works Hosting IP, which has been implicated in malware before. I would personally block 184.95.37.96/28 to be on the safe side.

Thursday, 6 June 2013

USPS spam / USPS_Label_861337597092.zip

This fake USPS spam contains a malicious attachment:

Date:      Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Your package is available for pickup ( Parcel 861337597092 )

Postal Notification,

We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.

Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

For mode details and shipping label please see the attached file.

Print this label to get this package at our post office.

Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You
There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47.

The Comodo CAMAS report shows an attempt to download more components from michaelscigarbar.net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate hacked domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators.com
apparelacademy.com
apparelacademy.net
brokerforcolorado.com
carlaellisproperties.com
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org

Wednesday, 15 May 2013

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.

These following domains are all flagged by Google as being malicious, and are all based on  184.95.51.123. I would recommend blocking the IP if you can, else the domains I can find are listed below:

exteriorbylifestyle.com
hurricanesafecard.com
hurricanesavingsgift.com
hurricaneshuttersdiscount.com
hurricaneshuttersgift.com
hurricaneshuttersrebate.com
hurricanestormsavings.com
hurricanestrength.com
hurricanestrengthsavings.com
lifelinewindows.com
lifestylebonita.com
lifestyleestero.com
lifestyleexcellence.com
lifestyleexterior.com
lifestyleexteriorstrong.com
lifestyleexteriorwindows.com


Friday, 23 November 2012

Malware sites to block 23/11/12

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one).  The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)

Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118

Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)

1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Friday, 12 October 2012

ADP spam / 184.164.151.54

Yet more ADP-themed spam, this time leading to malware on 184.164.151.54:

Date:      Fri, 12 Oct 2012 14:48:18 +0530
From:      "ADPClientServices" [ADPClientServices@adp.com]
Subject:      ADP Urgent Notification

Your Transaction Report(s) have been uploaded to the web site:



https://www.flexdirect.adp.com/client/login.aspx



Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).



Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.



Thank You,

ADP Benefit Services

The malicious payload is at [donotclick]184.164.151.54/links/rules_familiar-occurred.php (hosted by the ironically named Secured Servers LLC in the US aka Jolly Works hosting of the Philippines).

Thursday, 4 October 2012

"Corporate eFax message" spam / 184.164.136.147

These fake fax messages lead to malware on 184.164.136.147:

Date:      Thu, 04 Oct 2012 19:00:16 +0200
From:      "eFax.Alert" [E988D6C@vida.org.pt]
Subject:      Corporate eFax message - 09 pages




Fax Message [Caller-ID: 341-498-5688]
You have received a 09 pages fax at Thu, 04 Oct 2012 19:00:16 +0200.

* The reference number for this fax is min1_20121004190016.8673161.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home | Contact | Login
� 2011 j2 Global Communications, Inc. All rights reserved.
eFax� is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax� Customer Agreement.

The malicious payload is at [donotclick]184.164.136.147/links/assure_numb_engineers.php  which is an IP address belonging to Secured Servers LLC in the US and suballocated to:

autharea=184.164.128.0/19
xautharea=184.164.128.0/19
network:Class-Name:network
network:Auth-Area:184.164.128.0/19
network:ID:NET-11719.184.164.136.128/27
network:Network-Name:Public
network:IP-Network:184.164.136.128/27
network:IP-Network-Block:184.164.136.128 - 184.164.136.159
network:Org-Name:Jolly Works Hosting
network:Street-Address:Unit 3C No. 831 SAM Building, Dagupan Road
network:City:Manilla
network:State:NCR
network:Postal-Code:1013
network:Country-Code:PH
network:Tech-Contact:MAINT-11719.184.164.136.128/27
network:Created:20110811175617000
network:Updated:20110811175617000
network:Updated-By:dnsadmin@securedservers.com
contact:POC-Name:Nevin Poly
contact:POC-Email:supportsages@gmail.com
contact:POC-Phone:
contact:Tech-Name:DNS Administrator
contact:Tech-Email:dnsadmin@securedservers.com
contact:Tech-Phone:(480) 422-2023
contact:Abuse-Name:Abuse
contact:Abuse-Email:abuse@securedservers.com
contact:Abuse-Phone:+1-480-422-2022 (Office)


It might be worth blocking 184.164.136.128/27 to be on the safe side.