Dynamoo's Blog

Thursday 16 February 2012

"Scan from a Hewlett-Packard Officejet" malicious spam / cserimankra.ru and samaragotodokns.ru

Another spam run with a malicious attachment:

Date:     Fri, 16 Feb 2012 11:24:56 +0700
From:     "VICTOR TALLEY"
Subject:     Scan from a Hewlett-Packard Officejet 3906171
Attachments:     HP_Scan-02.16_N05556.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 97687P.

Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]

Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064

The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php which is multihomed (report here) and then attempts to download more malcode from samaragotodokns.ru:8080/images/jw.php?i=8

These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)

If you need a bare set of IP addresses for pasting into a blocklist:

46.137.251.11
50.31.1.105
50.57.77.119
50.76.184.100
69.60.117.183
87.120.41.155
88.191.97.108
111.93.161.226
173.203.51.174
173.255.229.33
184.106.151.78
184.106.237.210
190.81.107.70
190.106.129.43
200.169.13.84
204.12.252.82
210.56.23.100
211.44.250.173

Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges.. I ideidentified the following list last August, I haven't had the change to go back and check it again.

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

These are the some of malicious sites hosted on that server, it appears to be some sort of injection attack although it is still being analysed.

*.1905188000.1959caddylimousine.com
*.1959caddylimousine.com
*.2358552833.59caddylimousine.com
*.2851874892.elegantdesign-dfw.org
*.3278164984.elegantdesign-dfw.info
*.59caddylimousine.com
*.alvolo.co.uk.process.1905188000.1959caddylimousine.com
*.ca.redirect.3278164984.elegantdesign-dfw.info
*.co.uk.process.1905188000.1959caddylimousine.com
*.com.process.2851874892.elegantdesign-dfw.org
*.elegantdesign-dfw.info
*.elegantdesign-dfw.org
*.google.ca.redirect.3278164984.elegantdesign-dfw.info
*.google.com.process.2851874892.elegantdesign-dfw.org
*.google.it.process.2358552833.59caddylimousine.com
*.it.process.2358552833.59caddylimousine.com
*.process.1905188000.1959caddylimousine.com
*.process.2358552833.59caddylimousine.com
*.process.2851874892.elegantdesign-dfw.org
*.redirect.3278164984.elegantdesign-dfw.info
*.uk.process.1905188000.1959caddylimousine.com
1905188000.1959caddylimousine.com
212-95-54-22.local
2358552833.59caddylimousine.com
2851874892.elegantdesign-dfw.org
3278164984.elegantdesign-dfw.info
alvolo.co.uk.process.1905188000.1959caddylimousine.com
ca.redirect.3278164984.elegantdesign-dfw.info
co.uk.process.1905188000.1959caddylimousine.com
com.process.2851874892.elegantdesign-dfw.org
europschool.net.url.2523133614.elegantdesign-dfw.net
flyksa.com.redirect.465141941.59caddylimo.com
google.ca.redirect.3278164984.elegantdesign-dfw.info
google.com.process.2851874892.elegantdesign-dfw.org
google.it.process.2358552833.59caddylimousine.com
it.process.2358552833.59caddylimousine.com
oekb36.at.process.340120129.1959caddylimo.com
oekb36.at.redirect.411115172.59cadillaclimousine.com
process.1905188000.1959caddylimousine.com
process.2358552833.59caddylimousine.com
process.2851874892.elegantdesign-dfw.org
redirect.3278164984.elegantdesign-dfw.info
suche.aol.de.search.410468745.elegantdesign-dfw.org
uk.process.1905188000.1959caddylimousine.com
www.alvolo.co.uk.process.1905188000.1959caddylimousine.com
www.berrywestra.nl.search.43565349.1959caddylimousine.com
www.dianaamft.de.search.413644068.59caddylimo.com
www.feuerwehr-schweiz.ch.redirect.461037769.1959caddylimousine.com
www.frnd.de.query.333082952.1959caddylimo.com
www.frnd.de.url.318686353.elegantdesign-dfw.org
www.gaestehaus-schuett-niendorf.de.redirect.411264880.jennyspecialoffer.info
www.google.at.url.4079944488.59caddylimousine.com
www.google.ca.redirect.3278164984.elegantdesign-dfw.info
www.google.com.process.2851874892.elegantdesign-dfw.org
www.google.com.query.3384746824.elegantdesign-dfw.info
www.google.de.process.314184094.1959cadillaclimo.com
www.google.de.process.3384063282.59caddylimo.com
www.google.de.process.3464400104.elegantdesign-dfw.org
www.google.de.process.36453841.59cadillaclimo.com
www.google.de.process.412658054.59cadillaclimousine.com
www.google.de.query.15292270.elegantdesign-dfw.net
www.google.de.query.332541317.59cadillaclimousine.com
www.google.de.query.335211808.elegantdesign-dfw.org
www.google.de.query.3384406282.jennyspecialoffer.info
www.google.de.query.3464386393.59caddylimousine.com
www.google.de.query.464367892.1959caddylimo.com
www.google.de.redirect.3384265678.elegantdesign-dfw.info
www.google.de.redirect.3384350356.1959cadillaclimousine.com
www.google.de.redirect.3464464836.1959cadillaclimo.com
www.google.de.redirect.464534470.1959cadillaclimo.com
www.google.de.search.3384394923.1959cadillaclimo.com
www.google.de.search.3384492708.elegantdesign-dfw.com
www.google.de.search.382410083.1959cadillaclimousine.com
www.google.de.search.393679898.59caddylimousine.com
www.google.de.search.4082654881.1959caddylimousine.com
www.google.de.search.412756816.59caddylimousine.com
www.google.de.search.462774118.elegantdesign-dfw.info
www.google.de.search.463016893.59cadillaclimousine.com
www.google.de.url.15149077.59caddylimo.com
www.google.de.url.2523853156.elegantdesign-dfw.net
www.google.de.url.2531191013.1959cadillaclimousine.com
www.google.de.url.314298327.1959cadillaclimo.com
www.google.de.url.337083412.1959cadillaclimousine.com
www.google.de.url.3375711067.elegantdesign-dfw.net
www.google.es.process.3254798273.1959cadillaclimo.com
www.google.gr.process.11965077.1959cadillaclimousine.com
www.google.it.process.2358552833.59caddylimousine.com
www.google.nl.redirect.455319947.59caddylimo.com
www.google.nl.search.4251017144.1959cadillaclimousine.com
www.kefalonia-animal-trust.de.url.397020850.59cadillaclimousine.com
www.kgse.de.process.465129127.elegantdesign-dfw.info
www.klassik-in-berlin.de.search.464418679.59cadillaclimo.com
www.landwarenshop.de.search.463324361.59cadillaclimo.com
www.losan.de.redirect.318546405.1959cadillaclimousine.com
www.mein-unterrichtsmaterial.de.query.3254956884.1959cadillaclimousine.com
www.rafoeg.de.process.463558035.59caddylimo.com
www.sportfoto-vogler.de.process.337602454.elegantdesign-dfw.com
www.sportfoto-vogler.de.url.337492263.jennyspecialoffer.info
www.torleute.de.redirect.341391517.59caddylimo.com
www.welte.de.search.397762316.1959cadillaclimo.com

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From: The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974 on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range, it might be worth considering blocking the whole lot.

Wednesday 15 February 2012

"Submit your tax refund request" malware / synergyledlighting.net

This spam leads to a malicious payload on synergyledlighting.net - a domain we have seen a lot of recently with a habit of moving around.

Date:     Wed, 14 Feb 2012 18:06:23 +0530
From:     "Rolland Quintana"
Subject:     Submit your tax refund request
Attachments:     irs_logo.jpg

After the last annual computations of your financial activity we have determined that you are eligible to get a tax refund of $802.

Please submit the tax refund request and allow us 3-9 days in order to process it.

The delay of a refund can be caused by a variety of reasons.

E.g., sending incorrect records or not meeting a deadline.

To learn the details of your tax refund please open this link.

Best regards,
Tax Refund Department
Internal Revenue Service

The malware starts at synergyledlighting.net/main.php?page=6d63cba62f5eb9a0 and then downloads various components (report here). Today synergyledlighting.net is on 178.211.40.29 (Sayfa Net, Turkey). This is one where blocking both the IP and domain is probably a good idea.

SOCA seize rnbxclusive.com. Due process, anyone?

I've never heard of RnBXclusive (rnbxclusive.com), but it is a site to do with Urban Music which isn't really my cup of tea. However, visitors to the site today get a message from SOCA saying:

SOCA has taken control of this domain name.
The individuals behind this website have been arrested for fraud.

The majority of music files that were available via this site were stolen from the artists.
If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law.

Your IP     Your Browser     Your OS     Time / Date
193.110.241.235
    Firefox10.0.1     WinXP     06:46:37
15/02/2012

    The above information can be used to identify you and your location.

SOCA has the capability to monitor and investigate you, and can inform your internet service provider of these infringements.

You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Visit pro-music.org for a list of legal music sites on the web.

One annoyance is that SOCA display the IP address of the visitor and basically accuse the visitor of being a criminal. But, more seriously, SOCA's message indicates that the site operator was guilty of illegal activities without a trial. Remember courts? Judges? That sort of thing? Any good lawyer could probably argue that SOCA's statement is prejudicial.

Also of interest, the .com name is registered through GoDaddy in the US, the site is hosted on 83.138.166.114 which appears to be in a Rackspace facility in the UK. It looks like SOCA might have gained control of the server rather than the domain name which shows no WHOIS changes.

TorrentFreak have some additional information here.

Tuesday 14 February 2012

NACHA Spam / biggestloop.com

Another NACHA spam leading to a malicious payload, this time on biggestloop.com.

Date:     Tue, 13 Feb 2012 19:06:18 +0100
From:     "The Electronic Payments Association"
Subject:     Your ACH transfer
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 54525654754524), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     54525654754524
Rejection Reason     See details in the report below
Transaction Report     report_54525654754524.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

This why I won't be using F-Secure Mobile Security

F-Secure Mobile Security is not a bad product - it includes anti-theft software, a virus scanner and a supposedly secure browser. In the UK, F-Secure charge £29.95 a year for this, which is pricey for an Android application, but usually F-Secure products are very good. You can get a month's free trial before you buy.

It has some strengths and weaknesses. But I won't upgrading to the paid version. Why not? Well, every day the same nag message comes up:

F-Secure would like to have your phone number for the purposes of possible product information and marketing related messaging. The cost of approval is that of one-stime standard SMS to Finland. Do you agree?

There are two buttons.. Yes and No. Click "No" and the message seems to go away.. until the next day. And the day after that. And the day after that. You get the picture. Either this is a bug or it is a very aggressive attempt to get you to agree to SMS marketing. Either way it's a big turnoff and I'll be looking for another product to protect my Android..

NACHA Spam / freac.net

Another NACHA spam, this time with a malicious payload on the site freac.net.

Date:     Tue, 13 Feb 2012 11:12:12 +0100
From:     "The Electronic Payments Association" [alerts@nacha.org]
Subject:     ACH transaction canceled
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 14282248034397), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     14282248034397
Rejection Reason     See details in the report below
Transaction Report     report_14282248034397.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on freac.net/main.php?page=cd12dfacc57c3f82 (report here) which is on IP address 12.133.182.133 (Huawei Technologies, US). Blocking access to the IP address will prevent any other malicious sites on the server from being a problem.

"Arch Coal Corp" spam lead to malware / coajsfooioas.ru and tuberkulesneporok.ru

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:     Tue, 13 Feb 2012 04:59:42 +0900
From:     "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:     Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp.

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

Monday 13 February 2012

"Scan from a Xerox W. Pro #6999878 " spam / ckolmadiiasf.ru

This spam comes with a malicious attachment that attempts to download malware from ckolmadiiasf.ru:8080/images/aublbzdni.php

Date:     Mon, 12 Feb 2012 07:57:23 +0700
From:     scan@victimdomain.com
Subject:     Fwd: Scan from a Xerox W. Pro #6999878
Attachments:     Xerox_Doc-l1616.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Sent by: SUSANNAH
Number of Images: 6
Attachment File Type: .HTML [Internet Explorer Format]

Xerox WorkCentre Location: machine location not set
Device Name: XEROX5427OD9ID86

This is one of those cases where the malicious domain is massively multihomed (there's a plain list at the end of the post if you want to copy and paste):

46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)

Looks familiar? Well, it is almost identical to this list with a few servers taken out of action.

46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82

NACHA Spam / cooldcloud.com and twistcosm.com

Yet more NACHA spam leading to a malicious payload, this time on cooldcloud.com.

Date:     Mon, 12 Feb 2012 08:16:16 -1100
From:     "The Electronic Payments Association"
Subject:     ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 1366285882700), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID:     1366285882700
Rejection Reason     See details in the report below
Transaction Report     report_1366285882700.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:     Mon, 12 Feb 2012 19:06:12 +0000
From:     "The Electronic Payments Association"
Subject:     ACH transfer rejected
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 9485030409966), recently sent from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     9485030409966
Rejection Reason     See details in the report below
Transaction Report     report_9485030409966.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The malware tries to download additional content from twistcosm.com/forum/index.php?showtopic=656974 on 199.30.89.139 (Central Host / Zerigo Inc), another problem hosting company.

You can find a Wepawet report here.

NACHA Spam / beaverday.biz

More fake NACHA spam, this time with a malicious payload on the domain beaverday.biz.

From: The Electronic Payments Association office@officecar.ro
Reply-To: The Electronic Payments Association
To: itd@sos.com.ph
Date: 13 February 2012 10:06
Subject: ACH transfer error

Dear Chief Accounting Officer,

We are sorry to inform you, that Direct Deposit payment (ID801400587332) has not been credited to the receiver account, because of partially missing banking details.

Direct Deposit procedure incomplete
Transaction ID :     801400587332
Details:     Please use the transfer correction request below provide the correct banking information.
Transfer Status     report-801400587332.doc (Micro soft Word Document)

Home About Us Site Map Contact Us NACHA Inquiries NACHA Privacy Policy NACHA Code of Conduct Disclaimer
Membership Education ACH Network ACH Rules Risk & Compliance News & Resources NACHA eStore

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The payload is a Blackhole exploit kit at beaverday.biz/search.php?page=977334ca118fcb8c (Wepawet report here) which is hosted on 199.30.89.139 (Central Host Inc / Zerigo.net), just a few IPs away from 199.30.89.135 as used in this spam run a few days ago. I have also seen malicious activity on 199.30.91.44 in the same /21.. perhaps Zerigo / Central Host have a problem? Block IPs as you feel is appropriate..

Sunday 12 February 2012

"Scan from a Xerox WorkCentre Pro" spam with malicious attachment / cojsdhfhhlsl.ru

Here's a slightly new twist on a very familiar theme, with an email attachment that contains an HTML page with obfuscated javascript.. leading to malware.

Date:     Sun, 11 Feb 2012 12:26:18 +0100
From:     "JANICE Heller" [KailaStuck@engineeringdesign.com]
Subject:     Re: Scan from a Xerox WorkCentre Pro #383806
Attachments:     Xerox_Doc_X30366.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 8
Attachment File Type: .HTML [Internet Explorer Format]

WorkCentre Pro Location: machine location not set
Device Name: KDX157PS0MSUDX382782

The file Xerox_Doc_X30366.htm attempts to open a malicious web page at cojsdhfhhlsl.ru:8080/images/aublbzdni.php which contains the Blackhole exploit kit (the Wepawet report is here).

This domain is multihomed on some very familar looking IP addresses.. in fact, they are almost identical to this spam attack. If you have blocked those IPs then you will be protected against this one.

For the record, the IPs and hosts are:
46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

If you need a plain listing for pasting into a blocklist, use:
46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158

Friday 10 February 2012

Malformed "nacha5_sbj}" spam leads to malware

Some stupid spammer has screwed up their campaign:

Date:     Fri, 9 Feb 2012 20:07:15 +0430
From:     payment@nacha.org
Subject:     nacha5_sbj}
Attachments:     nacha.jpg

The following information concerns the ACH transfer that was originally effectuated by you or any other person on 02-02-2012.

Transaction ID:
    89024101013314
Transaction status:    declined
Supplementary information:    Please read the detailed report

Faithfully,
Violette Coirs.

2012 NACHA - The Electronic Payments Association

This is a system generated email. Please do not respond.

The malicious payload is synergyledlighting.net/main.php?page=4e4959105994cf84 hosted on 131.94.130.132 (Florida International University, US) and 173.236.78.113 (Singlehop, US). That same domain was found in this spam, although one of the IPs has changed since then.

The Florida International University IP address gives a clue as to what is going on here - these servers are most likely hacked rather than rented. This also explains why some IPs have seemingly legitimate sites on them. Still, blocking access to these IPs is the safest thing to do.

"End of Aug. Statement" spam / kamarovoskorlovo.ru and serebrokakzoloto.ru

Here's yet more spam with a malicious payload:

Date:     Fri, 9 Feb 2012 09:46:12 +0300
From:     BlandTAINA@gmail.com
Subject:     Re: FW: End of Aug. Statement
Attachments:     Invoice_8W20576.htm

Hi,

as reqeusted I give you inovices issued to you per february (Internet Explorer format).

Regards

TAINA Bland

"Invoice_8W20576.htm" is an HTML attachment containing some obfuscated Javascript that connects to kamarovoskorlovo.ru:8080/images/aublbzdni.php which then attempts to download some malicious components from that domain and also serebrokakzoloto.ru:8080/images/jw.php?i=8 . A Wepawet report can be found here and here.

kamarovoskorlovo.ru and serebrokakzoloto.ru are multihomed on several servers (a raw list can be found at the end of the post). You'll notice that Slicehost figures prominently.

46.105.97.103 (OVH Systems, France)
46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast Business Communications, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
87.120.41.155 (Neterra Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
93.189.88.198 (SiliconTower, Spain)
98.158.180.244 (Hosting Services Inc, US)
125.214.74.8 (Web24 Pty Ltd, Australia)
173.201.187.225 (GoDaddy, US)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
174.122.121.154 (ThePlanet, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
209.114.47.158 (Slicehost, US)

Blocking access to those IPs will prevent any other malicious sites on the same servers from causing problems. Underneath is a raw list that you can copy and pase.

46.105.97.103
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
50.76.184.100
69.60.117.183
72.22.83.93
78.83.233.242
87.120.41.155
88.191.97.108
93.189.88.198
98.158.180.244
125.214.74.8
173.201.187.225
173.203.51.174
173.255.229.33
174.122.121.154
184.106.151.78
184.106.200.65
184.106.237.210
190.106.129.43
200.169.13.84
204.12.252.82
209.114.47.158

Thursday 9 February 2012

Evil network revisited (again): Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist ISP is a black hat hosting company in Transnistria that I have covered before. Things have been a bit quiet on that front for a while until today when the malware site enswdzq112aazz.com came to my attention.

A lot of the bad sites have migrated from Specialist recently, but one unusual thing about Specialist is that all the sites are bad sites. So where are all those bad sites now?

These sites are still hosted by Specialist ISP:

194.28.112.11
cliffordtravel.biz

194.28.113.26
sekurepays.org

194.28.114.102
ation72histor.rr.nu
comm98andsp.rr.nu
doutl31inesst.rr.nu
earni61ngunde.rr.nu
enormousw1illa.com
ens122zzzddazz.com
ensm60erch.rr.nu
enswdzq112aazz.com
eorge00gamee.rr.nu
ggesti51ngbina.rr.nu
globalpoweringgathering.com
globalpoweringgatheringit.com
globalpoweringgatheringon.com
h102-114.net.lan-rybnitsa.com
hoperjoper.ru
iess70elec.rr.nu
ift72hbot.rr.nu
ilto27nint.rr.nu
infoitpoweringgathering.com
infoitpoweringgatheringit.com
infoitpoweringgatheringon.com
inful07commi.rr.nu
lessthenaminutehandle.com
lessthenaseconddeal.com
llowe31dmeth.rr.nu
mail.sweepstakesandcontestsinfo.com
ns1.hoperjoper.ru
ns2.hoperjoper.ru
root.sweepstakesandcontestsinfo.com
sical59lymemo.rr.nu
sokoloperkovuske.com
sokoloperkovuskeci.com
sokoloperkovuskedi.com
sweepstakesandcontestsdo.com
sweepstakesandcontestsinfo.com
tyco93uplin.rr.nu
wbesnancer.org

Bad sites that have moved elsewhere:

46.4.31.134 (Hetzner Online Germany)
boskoop2nepal.info
bossal.info
bramrozafestival.info
brand-central.info
childsurvival.info
creedenceclearwatersurvival.info
damesfutsal.info
datadigital.info
farmsurvival.info
haaglandia-futsal.info
hvdwal.info
josal.info
kadefestival.info
literatuurfestival.info
mvanderwal.info
noordelijkkoorfestival.info
oordfestival.info
paulvosdewael.info
petstotal.info
rebootfestival.info
spankabel.info
stiltefestival.info
tinkel-bel.info
vetstival.info
vicl.info
worldfuneral.info

199.59.241.235 (Bodis LLC, China)
2ti0pv3y.ru
bim6xe3t.ru
nl6fa53.com
twqhde3i.ru

The majority of other sites are parked or don't resolve. It is not surprising at all to see the Hetzner and Bodis are taking up the slack. You may want to block those IP addresses or even their whole netblocks.

Wednesday 8 February 2012

"Acid Free Coffee" spam.. again.

Another spam run promoting "acid free coffee", but this time the spammers are trying a trick to avoid detection.

From: "Acid Free Coffee" [ppingu84@yahoo.com]
Subject: Acid Free Coffee

I just discovered this amazing coffee. Its incredibly smooth and rich like nothing I have ever tasted before. Google Acid Free Coffee or click here http://tinyurl.com/6otas83 to search it. This is really worth your time.

The link really does go to Google, specifically https://www.google.com/search?sourceid=chrome&ie=UTF-8&q=acid+free+coffee .. and who is the first result for acid free coffee? It's Tylers Coffees who have been seen before in this spam run.

Tylers Coffees deny having anything to do with it.. or at least someone claiming to be Tylers Coffees denied it in the comments to the previous post: "we are sorry about all this. We have our IT looking in to it. IT WAS NOT SENT BY US. Thank you for your support please email us for a free bag of coffee we again a very sorry for the incovinces"

This time the spam came from 173.192.141.86, an IP address belonging to Softlayer Technologies in the US, but suballocated to an Indian outfit called ucvhost.com.

According to Tylers Coffees Facebook page, other people are seeing exactly the same thing:

My personal opinion is that "acid free coffee" sounds like some sort of beverage made from snake oil, but if people want to buy it then that is fair enough.. however, if Tylers Coffees really are promoting a brand through spam then is both unethical and illegal.

NACHA Spam / bluemator.com, synergyledlighting.net and hakkage.com

There has been a ton of NACHA-themed spam today, here are some examples:

Date:     Wed, 7 Feb 2012 18:17:43 +0200
From:     alert@nacha.org
Subject:     ACH payment canceled

The ACH transaction (ID: 8321348803546), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transaction
Transaction ID:     8321348803546
Reason of rejection     See details in the report below
Transaction Report     report_8321348803546.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:     Wed, 7 Feb 2012 17:13:42 +0100
From:     payment@nacha.org
Subject:     Rejected ACH transaction

The ACH transaction (ID: 5999727582818), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     5999727582818
Reason for rejection     See details in the report below
Transaction Report     report_5999727582818.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

================

Date:     Wed, 7 Feb 2012 15:14:00 +0100
From:     transfers@nacha.org
Subject:     Rejected ACH transaction

The ACH transfer (ID: 5896958322102), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transaction
Transaction ID:     5896958322102
Reason for rejection     See details in the report below
Transaction Report     report_5896958322102.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:     Wed, 7 Feb 2012 15:58:54 +0200
From:     payments@nacha.org
Subject:     Your ACH transfer

The ACH transfer (ID: 118757985791), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Canceled transfer
Transaction ID:     118757985791
Reason for rejection     See details in the report below
Transaction Report     report_118757985791.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

==================

Date:     Wed, 7 Feb 2012 13:15:17 +0200
From:     alert@nacha.org
Subject:     ACH payment canceled

The ACH transaction (ID: 926663997526), recently sent from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transfer
Transaction ID:     926663997526
Reason for rejection     See details in the report below
Transaction Report     report_926663997526.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The bad guys are using very heaving obfuscated javascript to try to hide what they are doing, but there is a malicious payload at the following URLs:

bluemator.com/search.php?page=73a07bcb51f4be71 [199.30.89.135 - Zerigo, US]
bluemator.com/content/adp2.php?f=126
hakkage.com/forum/index.php?showtopic=656974 [173.255.210.86 - Linode, US]
synergyledlighting.net/main.php?page=30e3ec8cd29abd6b [173.236.78.113 - Singlehop, US and 173.212.222.36 - HostNOC, US[
synergyledlighting.net/content/adp2.php?f=50

You can see a sample Wepawet report here and here.

Blocking access to the IPs 199.30.89.135, 173.255.210.86, 173.236.78.113 and 173.212.222.36 is probably a good idea..

Tuesday 7 February 2012

INTUIT / IRS malicious spam and advisor-jobhiring.com

Another malicious spam like this one and this one.

Date:     Tue, 6 Feb 2012 09:10:07 +0100
From:     "INTUIT INC." [software@quickbooks.com]
Subject:     Urgent! Tax information needed!.

Dear Sir/Madam,

In order to guarantee that exact information is being sustained on our systems, and to be able to give you better quality of service; INTUIT INC. has participated in the Internal Revenue Service [IRS] Name and TIN Matching Program.

It appears that your name and/or Social Security Number or Employer Identification Number, that is indicated on your account is not in compliance with the information obtained from the SSA.

In order for INTUIT INC. to update your account, please use the following link.

Regards,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

================

Date:     Tue, 6 Feb 2012 09:09:00 +0100
From:     "INTUIT INC." [software@quickbooks.com]
Subject:     Please verify your tax information ASAP.

Hello,

In our continuing effort to guarantee that correct information is being maintained on our systems, and to be able to give you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or TIN, that we have on your account does not correspond to the data obtained from the IRS.

In order to check and update your account, please enter the site.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

The first click is a 0catch free hosting site which then redirects visitors to advisor-jobhiring.com/main.php?page=817d6901506e5d51 (Wepawet report here) hosted on 216.224.230.219 (Phoenix Internet, US) and 173.212.222.36 (HostNOC, US). Blocking the IPs should prevent any other malicious sites on the same server from causing problems. Alternatively, you could block access to the 0catch domains (list here) as they have been abused by spammers before.

Monday 6 February 2012

"Your tax information needs verification" / hakkacraft.com and hakkayard.com

Another version of this spam leading to a malicious web page..

Date:     Mon, 5 Feb 2012 13:43:16 +0000
From:     "INTUIT INC." [tools@intuit.com]
Subject:     Your tax information needs verification.

Hello,

With intent to assure that correct data is being maintained on our systems, and to be able to grant you better quality of service; INTUIT INC. has partaken in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is specified on your account is not in compliance with the information on file with the IRS.

In order to check and update your account, please click here.

Yours truly,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

The link in the email bounces through a couple a hacked legitimate sites and then lands on http://hakkacraft.com/search.php?page=73a07bcb51f4be71 (Wepawet report is here). There is a subsequent download attempted from hakkayard.com/forum/index.php?showtopic=656974

hakkacraft.com is hosted on 173.248.190.192 (Zerigo Inc / wehostwebsites.com, US). hakkayard.com is on 66.228.54.47 (Linode, US). Blocking the IP addresses will block any other malicious sites on the same server.

Thursday 2 February 2012

NACHA Spam / hakkabout.com and kansamentos.com

More NACHA spam with a malicious payload..

Date:     Thu, 1 Feb 2012 13:05:58 +0100
From:     risk@nacha.org
Subject:     Rejected ACH payment

The ACH transfer (ID: 424339813641), recently sent from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:    424339813641
Reason for rejection    See details in the report below
Transaction Report    report_424339813641.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179 (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.

Wednesday 1 February 2012

NACHA Spam / sulusify.com

More NACHA spam leading to a malicious payload..

Date:     Wed, 31 Jan 2012 10:43:44 +0200
From:     transactions@nacha.org
Subject:     ACH payment canceled

The ACH transfer (ID: 64930940909169), recently initiated from your checking account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     64930940909169
Reason of rejection     See details in the report below
Transaction Report     report_64930940909169.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

In this case, the malware is at sulusify.com/search.php?page=73a07bcb51f4be71 (it goes through a couple of redirectors first). A Wepawet report is here.

This is on 209.59.221.65 which is the Endurance International Group.. again. There are several malicious IPs in the 209.59.192.0/19 range now, perhaps indicating a deeper problem with this host.

Tuesday 31 January 2012

NACHA Spam / sulusate.com

More NACHA spam leading to a malicious payload:

Date: 31 January 2012 22:55
Subject: ACH transaction fault

The ACH transaction ID: 415864020375, that had been effectuated from your banking account lately, was rejected by the the bank of the recipient.

ACH transfer declined
Transaction ID:     415864020375
Details:     please see the report below for details
Transaction Report     report_415864020375.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

This leads to a malicious payload at sulusate.com/search.php?page=977334ca118fcb8c, hosted on 209.59.220.98 (Endurance International Group, US). A Wepawet report for the malicious page is here.

Blocking the IP will prevent other malicious sites on the same server from doing their stuff. Endurance International has hosted several such malicious sites recently.

NACHA Spam / matoreria.com

Another NACHA spam run leading to a malicious payload..

Date:     Tue, 30 Jan 2012 11:02:13 +0000
From:     info@nacha.org
Subject:     Your ACH transaction

The ACH transaction (ID: 8519169560300), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Canceled transfer
Transaction ID:     8519169560300
Rejection Reason     See details in the report below
Transaction Report     report_8519169560300.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The payload is on matoreria.com/search.php?page=73a07bcb51f4be71 hosted on 66.150.164.137 (Nuclear Fallout Enterprises, Seattle). We've seen this ISP before. At the moment the payload seems not to be working properly.

Blocking access to the IP address will also block access to any other malicious sites on the same server.

Sunday 29 January 2012

Fake jobs: euro@ultraups.com

The "Lapatasker" money mule recruiters have been fairly quiet for a while, but here is a new one:

From: Barrmanager@pacbell.net maurogonzal22@gmail.com
Date: 28 January 2012 01:39
Subject: Parttime Job

Compliments

I am the personnel department manager and I am appealing to you in the name of the large-scale and first-rate partnership.

Our company is met in many departments, such as:
- property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We need a person to fill the vacancy of a regional manager in Europe:
- salary 2.600 euro + bonus
- 2 - 3 working hours per day
- individual time-table

If our offer is interesting for you email us the required information:
e u r o @ u l t r a u p s . c o m (Please Delete Spaces In Email Address Before Mailing Us)
Full name:
Country:
City
E-mail:
Contact phone number:

Attention! We need just the people residing in EU.

Please, write your Telephone Number and our manager will contact with you and answer all your questions.

The "jobs" offered are illegal activities such as money laundering, so signing up to them could land you in serious trouble with law enforcement and seriously out of pocket.

The domain was registered a while ago, probably with fake registrant details:
    Alexis Putt
    Email: alexisputt@yahoo.co.uk
    Organization: Alexis Putt
    Address: St Katharine's Way 12
    City: London
    State: London
    ZIP: E1W 1DD
    Country: GB
    Phone: +44.0113343341

If you have any more example emails, please consider sharing them in the comments.

Friday 27 January 2012

Oh yeah..

..chicka chickaaah!

"INTUIT INC" malicious spam and {int_link} fail

A new version of a familiar spam that is meant to have a malicious payload:

Date:     Thu, 25 Jan 2012 20:43:03 +0100
From:     "INTUIT INC." [onlinebanking@ealerts.bankofamerica.com]
Subject:     Your tax information needs verification.

Dear Sir/Madam,

In our continuing effort to assure that exact information is being kept up on our systems, as well as to provide you better quality of service; INTUIT INC. has taken part in the Internal Revenue Service [IRS] Name and TIN Matching Program.

We have found out, that your name and/or Employer Identification Number, that is indicated on your account is different from the information on file with the IRS.

In order to check and update your account, please enter the secure section.

Yours sincerely,
INTUIT INC.

Corporate Headquarters
2632 Marine Way
Mountain View, CA 94043

OK, the sharp eyed amongst you will have noticd that "INTUIT" and "bankofamerica.com" are two different entities. What you can't see is that the moron spammer has sent out all the links pointing to just http://{int_link}/ rather than remembering to include the spam URL. No doubt the next version of this will have a malicious payload, so take care.

Thursday 26 January 2012

Some malware sites to block 26/1/12

Some more malware sites to block, being used in current spam runs to distribute the blackhole exploit kit. Block the domains and IPs if you can.

Eonix, Canada
173.213.93.203
clostescape.com

Zerigo, US
173.248.190.37
chilleloot.com

Colo4Dallas, US
174.136.0.87
chillegraph.com
chilleline.com

Ixvar, Canada
174.142.247.164
clostery.com

Hostforweb, US
205.234.187.6
sulusient.com

Networld Internet, US
207.210.96.45
clostehold.com
72.249.126.223
chillemap.com

Confluence Networks, BVI
208.91.197.27 (parked)
closteyard.com

Endurance International, US
209.59.220.57
closteland.com
closterange.com
209.59.220.65
sulusity.com
209.59.220.202
chillency.com
209.59.221.158
closteation.com

Nuclear Fallout Enterprises, US
66.150.164.192
chilletect.com
74.91.119.202
sulusality.com

Linode, US
69.164.199.231
chillepay.com
96.126.96.123
chillechart.com
96.126.102.252
sulusium.com

Not resolving
chillebucks.com
chillecash.com
chillefunds.com
chillestruct.com
sulusius.com
sulusize.com

NACHA Spam / chillechart.com and chillepay.com

More fake NACHA spam leading to malware, this time the malicious payload is at chillechart.com on 96.126.96.123 (Linode, New Jersey).

Date:     Thu, 25 Jan 2012 10:40:06 +0100
From:     "alerts@nacha.org" [alerts@nacha.org]
Subject:     Your pending ACH debit transfer

Dear Account Holder,

This message includes an important notice about the ACH debit transfer sent on your behalf, that was detained by our bank:
Transaction #:    766253676295142
Transaction status:    pending

In order to resolve this matter, we prompt you to check the details of your transaction using the link below.

Faithfully yours,
Stephanie Barrera
Accounting Department

This follows the same pattern we have seen over the past few days. A Wepawet report for the malicious page is here. Blocking the IP address rather than the domain should block any other malicious sites on the server.

Update: chillepay.com is also being used in this spam run, hosted on 69.164.199.231 (also Linode)

Wednesday 25 January 2012

Lazy BBB / "ACH transfer pending" spam, chillestruct.com and closteation.com

Here's a lazy spam about an "ACH transfer" that appears to come from the BBB, because the spammers have mixed up the campaigns.

Date:     Wed, 24 Jan 2012 13:31:58 +0100
From:     "manager@bbb.org" [manager@bbb.org]
Subject:     ACH transfer pending

Dear Sir or Madam,

This message includes a notification about the ACH debit transfer sent on your behalf, that was held by our bank:

Transaction ID: 471209863177939
Transaction status: pending

In order to resolve this matter, please review the transaction details using the link below as soon as possible.

Yours faithfully,
Kathy Quirk
Accounting Department

The link in the spam routes through a couple of hacked sites to a malicious payload at chillestruct.com on 173.248.190.37 (Zerigo Inc, California) and closteation.com on 209.59.221.158 (Endurance International, Massachusetts). Wepawet reports are here and here.

Blocking the IPs will prevent any other malicious sites on those servers from causing problems.

Tuesday 24 January 2012

BBB Spam / chillebucks.com, sulusize.com and sulusity.com

More fake BBB spam leading to a malicious payload, this time hosted on the domain sulusize.com on 174.136.4.211 (Colo4, US). The server appears to be a legitimate hacked server, but blocking traffic to that IP is probably a wise idea if you can do it.

Some sample emails (the usual fake BBB approach):

Date:     Tue, 23 Jan 2012 11:51:58 +0100
From:     "BBB" [info@bbb.org]
Subject:     Better Business Bureau service
Attachments:     betterbb_logo.jpg

Attn: Owner/Manager

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 23387543) from your customer with respect to their dealership with you.

Please open the COMPLAINT REPORT below to find the details on this question and suggest us about your position as soon as possible.

We hope to hear from you very soon.

Sincerely,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau

Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

==============

Date:     Tue, 23 Jan 2012 12:16:00 +0100
From:     "Better Business Bureau" [risk.manager@bbb.org]
Subject:     Re: your customer�s complaint ID 83031311
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau notifies you that we have received a complaint (ID 83031311) from one of your customers in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this question and suggest us about your point of view as soon as possible.

We hope to hear from you very soon.

Regards,

Fernando Grodhaus

Dispute Counselor
Better Business Bureau

The malware tries to download further code from sulusity.com on 209.59.220.65 (Endurance International Group, US).. another one to block. A Wepawet analysis is here.

Update #1: another version is doing the rounds with the initial malware hosted on chillebucks.com (69.163.37.22, Bula Networks California).

Update #2: The Wepawet analysis indicates that this might do something with the user's Facebook account as well as the usual malware payload.

Monday 23 January 2012

Virus: "I'm in trouble!" spam (again)

This is an email with a link leading to malware. We've seen this pitch before:

Subject: Re: I'm in trouble!

I was at a party yesterday, got drunk, couldn't drive the car, somebody gave me a lift on my car, and crossed on the red light!
I've just got the pictures, maybe you know him???
Here is the photo

I need to find him urgently!

Thank you
Belita

The link goes to a legitimate hacked site, then to a multihomed .ru site on the following IPs:
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173
213.193.231.210
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.208.205.185
78.47.135.105
78.129.233.8
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
85.214.204.32
87.106.201.119
93.189.88.198
97.74.87.3

This is pretty much the same IP list as seen last week (new IPs highlighted). It's unclear at the moment which domains are on the IPs (though there are some Redret domains here), so blocking the addresses is the safest bet.

Tylers Coffees (tylerscoffees.com) tastes of spam

Here's an annoying spam I have been getting lately:

From:     "Coffee News" [news.coffee@yahoo.com]
Subject:     Check out this coffee


Acid Free Coffee
A little cup of java can mean a big problem for stomachs. Acid levels in coffee, as well as impurities and resins, may wreak havoc on the digestive tract. Our customers with sensitive stomachs are relieved to learn that they can still continue enjoying a great cup of coffee whenever they want.

Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
    for $5

Where it Comes From

The Finest hand-picked Arabica beans are shipped from South America to our roasting factory in Arizona.We use Swiss Water Based Process to decaffeinate our Arabica coffee beans
Read more
How We Make It

We use a “Z-Roasting” process that optimizes the time the coffee beans are cooked; the result is high levels of caffeine and free of acid. Benefits of an acid free coffee are tooth enamel is protected and teeth are stronger leading to fewer cavities.
Read more
Regular vs. Decaf

Regular: Rockets you forward with level of caffeine that exceeds most other coffee brands.

Decaf: Same great taste as the regular coffee minus the rocket energy, so that you can finally take that sleep you deserve.

Either way - you will LOVE IT !!

Read more

If you want us to take you off our mailing list, please click on the link below
Not interested anymore? Unsubscribe here.

I've seen this several times, to begin with they were trying to use tinyurl.com to mask their URL, but they're pretty good at terminating spammers.

Subsequent runs use the domain justcoffee-noacid.com in the emails. Although the domain has anonymous WHOIS details, it's notable that the spammer is using Piradius Net, a black hat web host from Malaysia as a host. We've seen these guys before.

justcoffee-noacid.com has a miminal amount of content, and depending on which link you click through, you either get redirected to tylerscoffees.com or you get a spammy page tempting you to click through.

In all cases the spam comes through 118.123.6.123 in China.

tylerscoffees.com is a website belonging to Tylers Coffee, a firm in Arizona.

The domain is registered to:

      ornsteins, ian ian@innovativeformulations.com
      1810 s 6th ave
      tucson, Arizona 85713
      United States
      (520) 628-1553      Fax -- (520) 628-1580

The company seems to be legitimate (although personally I have doubts about their claims over "acidic coffee"), but it looks like someone has decided to try some web site promotion without fully checking what was being done. Spamming out from China via a black hat host in Malaysia is one very easy way to damage your brand..

Friday 20 January 2012

0catch.com and malicious BBB spam

We're currently seeing a spate of malicious BBB spam (like this) being routed through free web hosting sites operated by 0catch.com.

A simple way of blocking this attack is to block the 0catch.com domains. I've never found anything really valuable hosted by this firm, so you probably won't be missing much.

These are all the domains that I can find, if you know of any others then please consider sharing them in the comments:

00freehost.com
00freeweb.com
012webpages.com
0catch.com
0-catch.com
100freemb.com
100megsfree5.com
150m.com
1freewebspace.com
1sweethost.com
741.com
angelcities.com
arcadepages.com
bigheadhosting.net
builtfree.org
designcarthosting.com
digitalzones.com
dreamstation.com
easyfreehosting.com
envy.nu
exactpages.com
ez-sites.ws
fcpages.com
freecities.com
freehostyou.com
freesite.org
freewaywebhost.com
freewebpages.org
freewebportal.com
freewebsitehosting.com
fw.bz
greatnow.com
instantwebgenius.com
just-allen.com
justicewasgreen.com
maddsites.com
megz-bytes.com
mindnmagick.com
o-f.com
parknhost.com
reco.ws
servetown.com
usafreespace.com
virtue.nu
website-home.ws
wtcsites.com

Thursday 19 January 2012

Wire transfer malicious spam / monikabestolucci.ru:8801 and 78.159.118.226

More malicious spam doing the rounds, but this time it's more complicated than before.

From: accounting@victimdomain.com [mailto:accounting@victimdomain.com]
Sent: 18 January 2012 02:14
Subject: Re: Wire Transfer Confirmation (FED_93711S15719)

Dear Bank Account Operator,
WIRE TRANSACTION: FWD-7563133392175652
CURRENT STATUS: PENDING

Please Review your transaction as soon as possible.

The link goes to a legitimate hacked site containing some heavily obfuscated javascript, in turn this points to monikabestolucci.ru:8801 and then downloads further code from 78.159.118.226/forum/hp.php?i=8 (Netdirect, Germany) - the Wepawet report is here, there also an Anubis report on the binary here.

monikabestolucci.ru is massively multihomed (a raw list is at the end of the post) presumably on legitimate hacked servers.

24.37.34.163 (Videotron, Canada)
46.105.28.61 (OVH Systems, Italy)
50.57.77.119 (Slicehost, Texas)
50.57.118.247 (Slicehost, Texas)
74.207.248.120 (Linode, New Jersey)
74.208.205.185 (1&1, US)
78.47.122.11 (Hetzner, Germany)
80.90.199.196 (Webfusion, UK)
81.31.43.43 (Master Internet, Czech Republic)
82.165.197.58 (1&1, Germany)
83.170.91.152 (UK2.NET, UK)
84.246.210.87 (Infortelecom, Spain)
88.191.97.108 (Dedibox SAS, France)
97.74.87.3 (GoDaddy, Arizona)
124.11.65.210 (TFN, Taiwan)
125.214.74.8 (Web24, Australia)
129.67.100.11 (Oxford University, UK)
173.201.187.225 (GoDaddy, Arizona)
173.230.137.129 (Linode, Florida)
173.255.229.33 (Linode, New Jersey)
174.122.121.154 (ThePlanet, Texas)
209.59.222.145 (Endurance International, Massachusetts)
211.44.250.173 (SK Broadband, Korea)

Blocking these IPs might be a pain, but it would block any other malicious sites on the same servers.

Raw list:
24.37.34.163
46.105.28.61
50.57.77.119
50.57.118.247
74.207.248.120
74.208.205.185
78.47.122.11
80.90.199.196
81.31.43.43
82.165.197.58
83.170.91.152
84.246.210.87
88.191.97.108
97.74.87.3
124.11.65.210
125.214.74.8
129.67.100.11
173.201.187.225
173.230.137.129
173.255.229.33
174.122.121.154
209.59.222.145
211.44.250.173

Link List

Sponsored by..