Dynamoo's Blog

Thursday 15 March 2012

goo.gl/FP84h link leads to malware

Another malware campaign using the goo.gl redirector leading to a malicious payload, this time on 66.151.138.87.

From:    OP 25939760 Y tuelkv60@yahoo.com
To:    ptofomen@elpuertosm.net
Date:    15 March 2012 08:35
Subject:    LinkedIn Corporation account on Hold Ref78087257
Signed by:    yahoo.com

CaseȌ99-4582982-70209467-8-373
< !--PZ 62188868 V

http://goo.gl/FP84h

XR 28309138 C

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

The intermediate site is multihomed on what looks like a botnet:

1.170.145.188 (HINET, Tawian)
37.99.3.131 (2day Telecom, Kazakhstan)
46.158.89.63 (Rostelecom, Russia)
46.166.89.234 (Sibtranstelecom, Russia)
59.161.112.144 (Tata Communications, India)
61.90.53.87 (True Internet, Thailand)
94.41.81.55 (Ufanet, Russia)
95.28.225.180 (Vimpelcom, Russia)
95.57.1.107 (Kazakhtelecom, Kazakhstan)
95.58.88.151 (Kazakhtelecom, Kazakhstan)
95.58.106.240 (Kazakhtelecom, Kazakhstan)
95.176.193.129 (Telekom Slovenije, Slovenia)
109.194.43.62 (ER-Telecom Holding, Russia)
112.110.219.218 (Pune Mobile Subscriber, India)
114.43.145.75 (HINET, Taiwan)
117.195.168.49 (BSNL Internet, India)
122.179.171.126 (Airtel, India)
123.17.240.127 (VNPT, Vietnam)
123.18.190.230 (VNPT, Vietnam)
178.46.12.159 (Rostelecom, Russia)

Plain list for copy-and-pasting:
1.170.145.188
37.99.3.131
46.158.89.63
46.166.89.234
59.161.112.144
61.90.53.87
94.41.81.55
95.28.225.180
95.57.1.107
95.58.88.151
95.58.106.240
95.176.193.129
109.194.43.62
112.110.219.218
114.43.145.75
117.195.168.49
122.179.171.126
123.17.240.127
123.18.190.230
178.46.12.159
66.151.138.87

Wednesday 14 March 2012

INTUIT / IRS malicious spam and georgekinsman.net

There are two parallel spam campaigns running right not, one in the "Intuit.com invoice" form, one in the "IRS Tax Appeal form".

Both spams lead to a malicious page at georgekinsman.net/main.php?page=c9a5e6d306c55c68 (report here) hosted on the very familiar IP address of 41.64.21.71. Block it if you haven't already.

"Scan from a Hewlett-Packard ScanJet" malware / doosdkdkjsjdfo.ru

This old attack again, a malicious email with an attachment leading to doosdkdkjsjdfo.ru

Date:     Wed, 14 Mar 2012 12:31:50 +0530
From:     officejet@victimdomain.com
Subject:     Re: Fwd: Scan from a Hewlett-Packard ScanJet 297552
Attachments:     HP_Scanjet-14-626146.htm

Attached document was scanned and sent

to you using a Hewlett-Packard ScanJet 93988PP.

SENT BY: Teagan
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]

The malware is on doosdkdkjsjdfo.ru:8080/images/aublbzdni.php, which is multihomed on a subset of the IPs in this other recent attack. A Wepawet report can be found here.

62.85.27.129 (Microlink Latvia Ltd, Latvia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
62.85.27.129
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

nu.nl compromised with svitart.in attack

Popular Netherlands news site nu.nl (Global rank 544, NL rank 4 according to Alexa) has been compromised in an injection attack of some sort, leading to an exploit kit hosted on svitart.in.

More here (in Nederlands or Google Translated).

goo.gl/NEQlS link leads to malware

Another case of the goo.gl redirector being used for evil:

From:    Dilip Lalita dklalita1977@yahoo.com
Date:    14 March 2012 09:38
Subject:    Changes in FDIC policy #22666447
Signed by:    yahoo.com

Id 36-4866333-96425034-8-662
< !--KG 19021150 K

http://goo.gl/NEQlS

HF 22555007 Z

goo.gl/NEQlS leads to m6ttp.burdencrigyll.ru (multihomed, see below) and then to a malicious payload site at 64.150.166.50/showthread.php?t=72d268be707a5fb7 (iPower, US). This URL contains an exploit kit.

The intermediate step is hosted on several servers:

31.40.240.89 (Ukrainian American Joint Venture, Ukraine)
31.45.144.128 (VIPnet, Croatia)
46.146.101.194 (ER-Telecom Holding, Russia)
46.173.172.249 (Galitski Telekommunications, Ukraine)
49.0.153.231 (Yokozunanet, Mongolia)
59.93.196.162 (BSNL Internet, India)
59.103.211.151 (Pakistan Telecommunication Company Limited, Pakistan)
59.161.115.17 (TATA Communications, India)
61.227.168.35 (HINET, Taiwan)
77.34.225.103 (Rostelecom, Russia)
91.82.23.56 (Invitel, Hungary)
95.57.154.111 (Kazakhtelecom, Kazakhstan)
95.57.188.134 (Kazakhtelecom, Kazakhstan)
95.188.155.101 (Rostelecom, Russia)
95.234.146.196 (Alice, Italy)
109.191.44.122 (Intersvyaz-2, Russia)
114.163.159.142 (Open Computer Network, Japan)
115.242.148.93 (Reliance Communication, India)
122.175.149.136 (Bharti Airtel, India)
178.91.60.141 (Kazakhtelecom, Kazakhstan)

This is a plain list for copy-and-pasting:
31.40.240.89
31.45.144.128
46.146.101.194
46.173.172.249
49.0.153.231
59.93.196.162
59.103.211.151
59.161.115.17
61.227.168.35
77.34.225.103
91.82.23.56
95.57.154.111
95.57.188.134
95.188.155.101
95.234.146.196
109.191.44.122
114.163.159.142
115.242.148.93
122.175.149.136
178.91.60.141
64.150.166.50

Tuesday 13 March 2012

MS12-020: this is not good

MS12-020.. what can I say except that this is NOT GOOD. If you're running RDP on your clients or servers then this is something you need to patch RIGHT NOW..

Update: the folks at the ISC think so too. This is wormable and apparently not difficult to exploit, assuming it is switched on. So, you either need to patch or disable it.. or a combination of both.

Update 2: a visitor left a note to say they were working on a vulnerability scanner at rdpcheck.com . It's not ready yet, but there's a signup form on the page for more information.

Update 3: Allegedly, there is PoC code available for this on Pastebin, although this has not been independently confirmed.

Update 4: The ISC have changed the INFOCON status to yellow because of the perceived high risk.

Update 5: There is now an nmap script available to scan for vulnerable machines here.

BBB Spam / mynourigen.net

More BBB spam leading to malware, this time at mynourigen.net. For example:

Date:     Tue, 13 Mar 2012 20:39:07 +0700
From:     "BBB"
Subject:     Important! BBB complaint activity report
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have been filed a complaint (ID 92163107) from one of your customers related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and let us know of your opinion as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:     Tue, 13 Mar 2012 14:42:30 +0100
From:     "Better Business Bureau"
Subject:     Your customer complained to BBB
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 31347804) from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this issue and let us know of your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Carlos Baxter

Dispute Counselor
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:     Tue, 13 Mar 2012 14:53:11 +0100
From:     "BBB"
Subject:     BBB important information
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 11043517) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this case and let us know of your point of view as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

Date:     Tue, 13 Mar 2012 14:30:45 +0100
From:     "BBB"
Subject:     BBB processing RE: Case ID 06216966
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau informs you that we have been sent a complaint (ID 06216966) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view more information on this case and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Kind regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==========

The malicious payload is on mynourigen.net/main.php?page=dc6f9d2a120107b9 and mynourigen.net/content/ap2.php?f=fa88c - it's the usual mixed bag of exploits.

mynourigen.net is apparently hosted on 41.64.21.71 in Egypt (seen many times before). The following domains are also associated with the same IP and can be considered to be malicious.

abc-spain.net
bonus100get.com
excellentworkchoise.com
foryouhomework.com
freac.net
get100bonus.com
getbonus100.com
icemed.net
likethisjob.com
perfectbusinesschance.net
sony-zeus.net
stafffire.net
synergyledlighting.net
systemtestnow.com
themeparkoupons.net
workatyourhomenow.com
yourbeautifulchance.com
yourbeautifullife.net
yourlifechance.net
yourpersonaldefence.com

"I'm in trouble! " spam / ckjsfhlasla.ru

Another recycled spam campaign leading to malware:

Date:     Tue, 13 Mar 2012 01:52:30 +0700
From:     "Greyson Montoya"
Subject:     I'm in trouble!
Attachments:     Image_DIG33080106.htm

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???

I have attached the photo to the mail (Open with Internet Explorer).

I need to find him urgently!

Thank you
Niju

The malicious web page is at ckjsfhlasla.ru:8080/images/aublbzdni.php which is hosted on exactly the same IP addresses as this spam run yesterday. Blocking these IPs would be prudent.

Monday 12 March 2012

"Scan from a Xerox W. Pro" spam / cjjasjjikooppfkja.ru

A fairly familiar spam with a malicious attachment:

Date:     Mon, 12 Mar 2012 08:32:11 +0100
From:     "KATELYN NEAL"
Subject:     Fwd: Scan from a Xerox W. Pro #0099345
Attachments:     Xerox_Workcentre_03.08_FZ1820.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: .HTML

WorkCentre Pro Location: machine location not set
Device Name: XRX318AA5BSX3515459

The attachment leads to a malicious page at cjjasjjikooppfkja.ru:8080/images/aublbzdni.php. This domain is multihomed at:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
83.238.208.55 (Netia SA, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list:
62.85.27.129
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

Blocking hese IPs would be a good idea.

"URGENT: Your pension could be underperforming" SMS Spam

Arriving just minutes apart from this spam and probably related, these SMS spamming scumbags are back with another pitch:

URGENT: Your pension could be underperforming and could leave you with less then you thought on retirement, reply REVIEW for a free review now, STOP to opt out.

The sending number this time was +447895882070 although this will change as numbers get blocked.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

"Records passed to us show you're entitled to a refund.." SMS Spam

These scumbag SMS spammers again:

Records passed to us show you're entitled to a refund approximately £2560 in compensation from mis-selling of PPI on your credit card or loan.Reply INFO or stop

This is pure and simple spam, there are no "records" showing any such thing. In this case the spam came from +447790682898 although spammers often change their numbers.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

goo.gl/C9bsq link leads to malware

A bit of a shift in spammer tactics here:

From:    Mohit Girsh girshmohit1988@yahoo.com
Date:    12 March 2012 11:54
Dubject:    Electronic payments are suspended #08763672
Signed by:    yahoo.com

Id 57-8033394-13999809-0-895

< !--ZZ 81490908 C

hxxp://goo.gl/C9bsq

hxxp://goo.gl/C9bsq redirects to hxxp://2ecdn.barelybowler.ru/ which is multihomed:

31.176.195.196 (BH Telecom, Bosnia)
31.181.92.124 (Rostelecom , Russia)
37.99.67.48 (2DAY Telecom, Kazakhstan)
41.108.45.166 (Algerie Telecom, Algeria)
41.201.113.112 (Unknown network, Algeria)
46.70.226.182 (Armentel, Armenia)
49.145.121.75 (Philippine Long Distance Telephone Company, Philippines)
58.152.217.249 (PCCW, Hong Kong)
77.34.109.74 (Rostelecom , Russia)
77.125.246.251 (012 Smile, Israel)
83.28.56.41 (Neostrada Plus, Poland)
83.31.168.111 (Neostrada Plus, Poland)
85.29.167.135 (2DAY Telecom, Kazakhstan)
89.208.229.196 (Digital Network JSC, Russia)
91.234.24.217 (Evgeniy Kondratyk, Ukraine)
94.41.158.248 (Ufanet, Russia)
94.41.254.115 (Ufanet, Russia)
95.56.208.29 (Kazakhtelecom, Kazakhstan)
114.37.87.205 (Hinet, Taiwan)
119.42.75.15 (CAT Telecom, Thailand)

This redirects to: hxxp://74.91.121.248/showthread.php?t=72d268be707a5fb7

..which is an exploit kit (see this report) hosted by Nuclear Fallout Enterprises in the US (again).

A plain list of IPs in case you want to copy and paste into a blocklist:

31.176.195.196
31.181.92.124
37.99.67.48
41.108.45.166
41.201.113.112
46.70.226.182
49.145.121.75
58.152.217.249
77.34.109.74
77.125.246.251
83.28.56.41
83.31.168.111
85.29.167.135
89.208.229.196
91.234.24.217
94.41.158.248
94.41.254.115
95.56.208.29
114.37.87.205
119.42.75.15
74.91.121.248

Friday 9 March 2012

"Scan from a HP Officejet #235612" / cnnvcnsaoljfrut.ru

Another fake OfficeJet spam with a malicious attachment:

Date:     Fri, 9 Mar 2012 05:40:05 +0100
From:     "Valentino CONNELLY"
Subject:     Scan from a HP Officejet #235612
Attachments:     HP_Document_SPK23127.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 2975OF.

Sent: by Valentino
Image(s) : 1
Attachment: HTML [.htm]

Hewlett-Packard Officejet Location: machine location not set
Device: POD866K0PL44119329S

The malware is on cnnvcnsaoljfrut.ru:8080/images/aublbzdni.php (report here) which is multihomed on a familiar looking list of IP addresses:

78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, Korea)

Plain list for copy-and-pasting:
78.107.82.98
83.238.208.55
95.156.232.102
111.93.161.226
125.19.103.198
190.81.107.70
194.85.97.121
202.149.85.37
210.56.23.100
211.44.250.173

Something evil on 178.211.33.203 and 109.236.80.151

178.211.33.203 and 109.236.80.151 are a pair of IP addresses distributing some sort of malware in a coordinated attack. They seem to be part of the same attack. The malware itself is still pending analysis, but you might want to block these URLs and/or IPs.

Incidentally, the domains seem legitimate GoDaddy-registered ones, but I am guessing they have been hacked to serve up malware on their *.domainname.com subdomains.

178.211.33.203
*.extensionbay.com
*.kingoftheaquarium.com
*.vicandbarbs.net
*.dancesearcy.com
*.learn2drive4free.com
34107.vicandbarbs.net
30659.vicandbarbs.net
8918.vicandbarbs.net
28980.majesticbetta.com
52734.majesticbetta.com
37926.majesticbetta.com
39168.majesticbetta.com
5139.majesticbetta.com
2673.learn2drive4free.com
51226.kingoftheaquarium.com
59038.kingoftheaquarium.com
29878.kingoftheaquarium.com
50588.kingoftheaquarium.com
24898.dancesearcy.com

109.236.80.151
*.bankingonbankers.com
*.bankdirectoryonline.com
*.californiagoldbook.com
*.ch.redirect.2350283972.bankingonbankers.com
*.google.ch.redirect.2350283972.bankingonbankers.com
*.redirect.2350283972.bankingonbankers.com
2350283972.bankingonbankers.com
31337.bankingonbankers.com
ch.redirect.2350283972.bankingonbankers.com
google.ch.redirect.2350283972.bankingonbankers.com
redirect.2350283972.bankingonbankers.com
www.google.ch.redirect.2350283972.bankingonbankers.com
*.2350283972.bankingonbankers.com
int.ask.com.redirect.384569840.bankdirectoryonline.com
www.google.de.redirect.312464722.bankdirectoryonline.com
www.google.de.query.11111533.bankdirectoryonline.com
www.lr-aloevera.at.search.1639590514.bankdirectoryonline.com
www.google.de.query.39586074.bankdirectoryonline.com
www.surftipp.de.query.320136795.bankdirectoryonline.com
suche.aol.de.query.469388806.bankdirectoryonline.com
www.google.at.redirect.512545616.bankdirectoryonline.com
www.google.de.redirect.3379156420.californiagoldbook.com
www.google.de.search.3333773661.californiagoldbook.com
www.google.de.query.3386209042.californiagoldbook.com
www.google.de.query.3261224572.californiagoldbook.com
www.google.com.tr.search.274580395.californiagoldbook.com
www.google.de.search.342911457.californiagoldbook.com
www.google.com.query.417110658.californiagoldbook.com
www.google.ca.process.983249139.californiagoldbook.com
www.google.de.search.310514469.californiagoldbook.com
www.google.de.redirect.417610242.bankingonbankers.com
www.google.at.url.427019192.bankingonbankers.com
www.google.de.query.3262094134.bankingonbankers.com
www.google.fr.redirect.579034634.bankingonbankers.com
www.google.de.query.3334101725.bankingonbankers.com
www.google.de.url.524065725.bankingonbankers.com
www.google.de.url.341584535.bankingonbankers.com
www.ferienwohnung-hotels-kroatien.de.query.451051745.bankingonbankers.com
www.google.com.br.query.4120413008.bankingonbankers.com
www.google.de.process.277767529.bankingonbankers.com

Will visiting Blinkx.com infect your computer?

I've coved Blinkx before in connection with unwanted software installations. They recently came to my attention again.. and not in a good way.

Let's start with the Google Safe Browsing Diagnostics for blinkx.com:

Safe Browsing
Diagnostic page for blinkx.com
What is the current listing status for blinkx.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 1007 pages we tested on the site over the past 90 days, 92 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-09, and the last time suspicious content was found on this site was on 2012-03-08.Malicious software includes 6 trojan(s), 1 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.
Malicious software is hosted on 6 domain(s), including miopardenton.bee.pl/, inturpo.com/, ighlandhorn.jesais.fr/.
5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including inturpo.com/, adv-adserver.com/, adversalservers.com/.
This site was hosted on 32 network(s) including AS209 (QWEST), AS14743 (INTERNAP), AS1299 (TELIANET).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, blinkx.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
Next steps:
Return to the previous page.

If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Not listed as suspicious? But 92 out of 1007 pages attempt to install malware! That's 9.1% of all pages on the site that Google checked! But people who visit Blinkx don't just visit one page. According to Alexa, the average visitor views 3.88 pages on the site. It also notes that blinkx.com is the 1994th most popular site worldwide.

We can work out the probability of infection using the data, it's is (1-(1-(92/1007))^3.88)) which equates to a 31% possibility that the average blinkx.com visitor will be exposed to malware. OK, that's assuming that the data is accurate, and since I know for a fact there are more than 1007 pages on Blinkx and that Alexa data has its critics.. well, take that figure as being indicative rather than 100% accurate.

Compete.com reports that over 5 million US visitors look at the site per month. There are doubtless millions more visiting this site. So exactly how many people have been infected while visiting blinkx.com?

My suggestions? If you are an IT administrator, I think you want to seriously consider if allowing your users to visit blinkx.com is in line with your corporate governance strategy..

Thursday 8 March 2012

AICPA spam / themeparkoupons.net

Another AICPA spam run is also doing the rounds with a malicious payload on:

themeparkoupons.net/main.php?page=89cd1f8b9fb67fbc
themeparkoupons.net/content/ap2.php?f=4f07a

The IP appears to be 41.64.21.71 (Dynamic ADSL, Egypt). This IP has been seen many times before, so blocking it would be a very good idea.

"Inter-company inv. from Aleris International Corp. " / cruikdfoknaofa.ru

The so-called invoice attached to this email leads to malware:

Date:     Thu, 8 Mar 2012 08:06:00 +0100
From:     "EDDIE HERRINGTON"
Subject:     Re: Inter-company inv. from Aleris International Corp.
Attachments:     Invoice_l8004324237.htm

Hallo

Attached the corp. invoice for the period July 2011 til Aug. 2011.

Thanks a lot for supporting this process

EDDIE HERRINGTON

Aleris International Corp.

The malware is on cruikdfoknaofa.ru:8080/images/aublbzdni.php (report here). This domain is multihomed on the following IPs:

78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, Korea)
Plain list:
78.107.82.98
83.238.208.55
95.156.232.102
111.93.161.226
125.19.103.198
190.81.107.70
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
211.44.250.173

Wednesday 7 March 2012

BBB Spam / babblesunet.com

Yet another identikit BBB Spam run this morning, with a malicious payload on the site babblesunet.com.

The bad stuff is on babblesunet.com/showthread.php?t=73a07bcb51f4be71 hosted on 69.163.40.209 (Directspace, US). Blocking the IP address should stop any other malicious sites on that server from causing harm.

Intuit spam / sony-zeus.net

Another fake INTUIT spam run is in progress, this time using the domain sony-zeus.net to deliver the payload.

The malware is hosted on sony-zeus.net/content/ap2.php?f=ef572 and sony-zeus.net/main.php?page=fac4e861546108ef on 213.179.193.132 (Solidhost, Netherlands). We've seen this IP before, so it is well worth blocking.

BBB Spam / cjhsdvbfbczuet.ru

Today's spam runs are just firing up now, with a fake BBB spam containing at attachment that tries to direct visitors to cjhsdvbfbczuet.ru.

Date:     Wed, 7 Mar 2012 -06:40:22 -0800
From:     "FANNY Baez"
Subject:     Better Business Bureau Complaint
Attachments:     Complaint_ID87rP25441.htm

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 323259211) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT attached to this email (open with Internet Explorer/Firefox)
to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,
FANNY Baez

Dispute Counselor
Better Business Bureau

The payload site is at cjhsdvbfbczuet.ru:8080/images/aublbzdni.php but at the moment it doesn't seem to be resolving so there are no IPs to block. However, monitoring your logs for .ru:8080 from time-to-time could help detect users who have clicked through.