
Friday, 2 March 2012

Linode blamed for Bitcoin theft

Linode features so often on this blog that they have their own tag. OK, they're not the worst hosting company in terms of malicious sites on their network, but at the moment they come up regularly.

Now, sometimes a web host is purely black hat - they know exactly what their customers are up to and they don't care. Sometimes a legitimate web host gets duped into renting servers out to the bad guys, but usually they react eventually. Then there's a third possibility - the servers have been hacked and are running malicious sites without the host's knowledge.

The thing is that over recent weeks, many of the servers hosting malware for those BBB / NACHA / IRS / etc. emails that people have been bombarded with look like legitimate servers that have been taken over. Of course, no web host wants to admit that they have insecure management systems, but then sometimes everything comes out in the open.

It turns out that deficiencies in Linode's security have led to the apparent theft of hundreds of thousands of bitcoins (an online currency). As detailed, the attacker appeared to mount the attack with very little trouble, leaving very little evidence behind except that the bitcoins were missing.

Linode itself acknowledges the problem:

Manager Security Incident

Ensuring the security of our platform is our top priority. We maintain a strong security policy and aim to communicate openly should it ever be compromised. Thus, we are posting to describe a recent incident affecting the Linode Manager.

Here are the facts:

This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted.  All activity via the web portal is logged, and an exhaustive audit has provided the following:

All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin".  The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins.  Those customers affected have been notified.  If you have not received a notification then your account is unaffected.  Again, only eight accounts were affected.

The portal does not have access to credit card information or Linode Manager user passwords.  Only those eight accounts were viewed or manipulated -- no other accounts were viewed or accessed.

Security is our number one priority and has been for over eight years. We depend on and value the trust our customers have placed in us. Now, more than ever, we remain committed to ensuring the safety and security of our customers' accounts, and will be reviewing our policies and procedures to prevent this from ever recurring.

The thing is, this server compromise was immediately obvious because of the loss of bitcoins. But where servers are being used for the Blackhole Exploit Kit or other malware, it's a lot more subtle. I suspect that this isn't the first time recently that Linode has been compromised like this.. and it's probably not the only host with the problem. In recent months, the bad guys have moved their exploit servers from Eastern European cesspits to well-known hosts, many of which are based in the US. Is this all part of the same thing?

Intuit.com spam / migdaliasbistro.net and 213.179.193.132

The past couple of days have seen a lot of identical "Intuit.com" spam runs. Another one is starting up today with a malicious payload on migdaliasbistro.net, hosted on 213.179.193.132 (Solidhost, Netherlands) and 41.64.21.71 (Dynamic ADSL, Egypt).

In particular, malware can be found at:
migdaliasbistro.net/main.php?page=4f7249b62ef4f934
migdaliasbistro.net/content/ap2.php?f=86cd2


There's a Wepawet report here.

There are several potentially malicious sites on this server. Blocking the IP address should protect against other evil domains:
perikanzas.com
abc-spain.net
migdaliasbistro.net
twistedtarts.net

Malware sites to block 2/3/12

The Spam Analysis blog has an excellent post analysing what is happening behind the scenes in the malware from some recent spam runs. I've taken their hard work and have broken out the domains and IP addresses that you may want to block.

Note that some of these sites may be legitimate hacked sites. Also, 66.96.160.133 is a parking IP, so there are several thousand other sites on the same address.

Domains:
almeconstruction.com
ampndesignclients.com
buddysbarbq.com
chovattuvt.com
curchamp.com
curcharge.com
curchart.com
ftp.intervene.com.br
impressiveclimate.com
indianwildlifetourism.com
mixestudio.com
pollypaw.com
pollypeaceful.com
ragsnipe.com
sadropped.com
splatstep.com
top59serv.ro
trucktumble.com
truckturtle.com
wonderfulwriggle.com

IPs and hosts:
50.2.7.120 (Infinitie, US)
64.150.166.137 (iPower, US)
66.96.160.133 (Endurance International, US) [parked]
66.232.108.46 (Kevin Shick, US)
74.207.245.244 (Linode, US)
78.47.211.154 (Hetzner, Germany)
85.9.26.253 (GTS, Romania)
112.78.2.141 (Online Data Services JSC, Vietnam)
173.213.90.237 (Serverhub, US)
173.213.90.238 (Serverhub, US)
174.123.39.34 (ThePlanet, US)
174.136.0.68 (Colo4, US)
184.173.192.173 (ThePlanet, US)
200.58.124.129 (Dattatec.com, Argentina)
200.98.197.68 (UOL, Brazil)
209.140.16.128 (Landis Holdings, US)
216.251.43.98 (InternetNamesForBusiness.com, US)

Plain IP list:
50.2.7.120
64.150.166.137
66.96.160.133
66.232.108.46
74.207.245.244
78.47.211.154
85.9.26.253
112.78.2.141
173.213.90.237
173.213.90.238
174.123.39.34
174.136.0.68
184.173.192.173
200.58.124.129
200.98.197.68
209.140.16.128
216.251.43.98

"Your Intuit.com order confirmation" / curcharge.com

Another fake Intuit order email leading to malware:

From: INTUIT INC. [mailto:support@careerbuilder.com]
Sent: 01 March 2012 15:26
Subject: Your Intuit.com order confirmation.

   
  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered several items, we may process them in more than one delivery (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.   

       

ORDER INFORMATION

Please download your full invoice
id #038964148686 information at Intuit small business website.

NEED HELP?

•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
   
Thanks again for your order,

Intuit Market Customer Service
       

Privacy , Legal , Contact Us , About Us


You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malicious payload is on curcharge.com/search.php?page=73a07bcb51f4be71, hosted on 174.136.0.68 (Colo4, US).

Thursday, 1 March 2012

"Your tax appeal status" / "Your Intuit.com software order" spam and trucktumble.com

Two different spams with the same payload, the first featuring a massive failure of competency:

Date:      Thu, 1 Mar 2012 18:34:39 +0300
From:      "INTUIT INC."
Subject:      Your Intuit.com software order.

dear {l1}:

thank you for {l2} intuit market. we {l3} and will {l4} when your {l5}. if you ordered {l6} items, we may {l7} them in more than one {l8} (at no extra cost to you) to {l9}.

if you have questions about your order, please call 1-800-955-8890.


order information

please download your {la}
id #{digit} information at intuit small business website.

need help?

    email us at mktplace_customerservice@intuit.com.
    call us at 1-800-955-8890.
    reorder intuit checks quickly and easily starting with
    the information from your previous order.

to help us better serve your needs, please take
a few minutes to let us know how we are doing.
submit your feedback here.

thanks again for your order,

intuit market customer service

privacy , legal , contact us , about us

you have received this business communication as part of our efforts to fulfill your request or service
your account. you may receive this and other business communications from us even if you have opted
out of marketing messages.

please note: this e-mail was sent from an auto-notification system that cannot accept incoming email
please do not reply to this message.

if you receive an email message that appears to come from intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. please visit http://security.intuit.com/ for
additional security information.


©2011 intuit, inc. all rights reserved. intuit, the intuit logo, quickbooks, quicken and turbotax,
among others, are registered trademarks of intuit inc.

The second one:

Date:      Thu, 1 Mar 2012 12:33:28 -0300
From:      "Jesus Kendall"
Subject:      Your tax appeal status.

Dear Business owner,
Hereby you are informed that your Tax Return Appeal id#8179621 has been DECLINED. If you consider that the IRS did not properly assess your case due to a misunderstanding of the facts, be prepared to submit additional information. You can download the rejection details and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

In both cases the payload is trucktumble.com/search.php?page=73a07bcb51f4be71 on 64.94.238.71 (Nuclear Fallout Enterprises, US). Blocking the IP will stop other malware on the server causing you a problem; you may even want to block 64.94.238.0/24, because this host is getting a pretty poor reputation.


"Your intuit.com order confirmation" spam / curchamp.com (74.207.245.244)

This fake "Intuit order" spam leads to malware. Apparently it was sent from Careerbuilder (which is kind of odd). Also note the "spoofing" warning near the bottom!

From: INTUIT INC. [mailto:noreply@careerbuilder.com]
Sent: 01 March 2012 14:30
Subject: Your intuit.com order confirmation.

  Dear Customer:

Thank you for purchasing your software Intuit Market. We are processing and will message you when your order is processed. If you ordered multiple items, we may process them in more than one shipment (at no extra cost to you) to ensure quicker delivery.

If you have questions about your order, please call 1-800-955-8890.

ORDER INFORMATION

Please download your complete order
id #443475245229 information at Intuit small business website.

NEED HELP?

•    Email us at mktplace_customerservice@intuit.com.
•    Call us at 1-800-955-8890.
•    Reorder Intuit Checks Quickly and Easily starting with
the information from your previous order.
To help us better serve your needs, please take
a few minutes to let us know how we are doing.
Submit your feedback here.
   
Thanks again for your order,

Intuit Market Customer Service


Privacy , Legal , Contact Us , About Us


You have received this business communication as part of our efforts to fulfill your request or service your account. You may receive this and other business communications from us even if you have opted out of marketing messages.

Please note: This e-mail was sent from an auto-notification system that cannot accept incoming email
Please do not reply to this message.

If you receive an email message that appears to come from Intuit but that you suspect is a phishing e-mail, please forward it immediately to spoof@intuit.com. Please visit http://security.intuit.com/ for additional security information.


©2011 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The link goes through two legitimate hacked sites and ends up on curchamp.com/search.php?page=73a07bcb51f4be71 (report here) which is hosted on 74.207.245.244 (Linode, US). This attempts to use a variety of exploits to take over the user's PC.

Blocking the IP rather than the domain will also stop any other malicious domains on the same server.

"Scan from a Hewlett-Packard Officejet" spam / caskjfhlkaspsfg.ru

Another malicious spam, this time with an attachment containing obfuscated code leading to caskjfhlkaspsfg.ru.

Date:      Thu, 1 Mar 2012 09:43:50 +0530
From:      ARLYNEO93ESQUIVEL@gmail.com
Subject:      Fwd: Re: Fwd: Scan from a Hewlett-Packard Officejet #603320
Attachments:     HP_Scan-27-499614.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP SmartJet 4931F.



Sent by: ARLYNE
Pages : 9
Attachment Type: .HTM [Internet Explorer/Mozilla Firefox]

The malware is on caskjfhlkaspsfg.ru:8080/images/aublbzdni.php. As with other recent .ru:8080 attacks, this is multihomed on a familiar set of IP addresses:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.107.82.98 (Corbina Telecom, Russia)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
96.125.168.172 (Websitewelcome, US)
111.93.161.226 (Tata Teleservices, India)
125.19.103.198 (Bharti Infotel, India)
128.134.57.112 (Kwangun University, Korea)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.107.82.98
83.238.208.55
95.156.232.102
96.125.168.172
111.93.161.226
125.19.103.198
128.134.57.112
173.203.51.174
184.106.200.65
184.106.237.210
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

DINETHOSTING / curvecheese.com

DINETHOSTING aka Digital Network JSC are a large Russian host that regularly hosts malware sites. Yesterday I came across the domain curvecheese.com (85.192.45.83) being used in a malicious spam run. This is in a block 85.192.32.0/20 allocated to this host.

I tend to block DINETHOSTING ranges as soon as I see malware on them. If you are blocking this host, I would recommend you add 85.192.32.0/20 to your blocklist.

Tuesday, 28 February 2012

BBB Spam / perikanzas.com and twistedtarts.net

BBB spam.. you must know what it looks like by now. Here are a couple of new domains:

perikanzas.com
41.64.21.71 (Dynamic ADSL, Egypt)
213.179.193.132 (Solidhost, Netherlands)

twistedtarts.net
109.68.33.18 (Mesh Digital, UK)

"Your Flight" spam / cparabnormapoopdsf.ru

This spam comes with a malicious attachment pointing to a page on cparabnormapoopdsf.ru.

Date:      Tue, 27 Feb 2012 03:53:09 +0530
From:      sales1@victimdomain.com
Subject:      Fwd: Your Flight N US787-8929269
Attachments:     FLIGHT_TICKET_N3988-753843.htm

Dear Customer,



FLIGHT NUMBER 8333-452628141

DATE/TIME : MARCH 23, 2011, 16:15 PM

ARRIVING AIRPORT: WASHINGTON DC INT. AIRPORT

PRICE : 856.77 USD



Your bought ticket is attached to the letter as a scan document (Internet Exlporer File).

To use your ticket you should print it.

LAKEISHA Wolff,

American Airlines

The payload is at cparabnormapoopdsf.ru:8080/images/aublbzdni.php (report here). As with other .ru:8080 attacks, this one is multihomed on some familiar-looking IPs:

50.31.1.105 (Steadfast Networks, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
83.238.208.55 (Netia Telekom, Poland)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)

A bare list for copy-and-pasting:
50.31.1.105
78.83.233.242
83.238.208.55
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
210.109.108.210

IRS Spam / pollypeach.com

Another IRS spam run leading to malware, this time on pollypeach.com.

Date:      Tue, 27 Feb 2012 17:02:45 +0600
From:      "Ofelia Childers"
Subject:      IRS notification of your tax appeal status.



Dear Accountant Officer,
Hereby you are notified that your Income Tax Return Appeal id#0184348 has been REJECTED. If you believe the IRS did not properly assess your case due to a misinterpretation of the case details, be prepared to provide additional information. You can obtain the rejection report and re-submit your appeal under the following link Online Tax Appeal.

Internal Revenue Service
Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday – Friday, 7:00 a.m. – 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).

The malicious payload is on pollypeach.com/search.php?page=73a07bcb51f4be71 and pollypeach.com/content/ap2.php?f=e4649 (see the report here), hosted on 69.163.45.128 (Directspace, US). Blocking the IP rather than the domain will stop any further infections from that server.

NACHA Spam / cgunikqakklsdpfo.ru

A terse version of the familiar NACHA fake spam, leading to malware:

Date:      Mon, 26 Feb 2012 12:16:40 +0530
From:      accounting@victimdomain.com
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,
Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department

The payload is on cgunikqakklsdpfo.ru:8080/img/?promo=nacha, which is multihomed (details below). It's pretty easy to search your outbound logs for connection attempts to .ru:8080 if you haven't got filtering enabled.

The list of IPs gets a little shorter every time, but there are still some familiar hosts here:

50.31.1.105 (Steadfast Networks, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
50.31.1.105
69.60.117.183
78.83.233.242
88.191.97.108
95.156.232.102
125.19.103.198
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
209.114.47.158
210.56.23.100
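As an added example (not code from the original blog post), the following Python script does the outbound-log search suggested above and, at the same time, applies the range-based blocking advice from the earlier trucktumble.com (64.94.238.0/24) and DINETHOSTING (85.192.32.0/20) posts: it reads Squid-style proxy access.log lines, flags any request to a .ru host on port 8080, and flags any request whose destination IP falls inside a blocked network. The log lines are constructed for the example (hosts and IPs taken from this page, plus placeholder hosts in documentation address ranges), and the blocklist is a small hand-picked subset of the indicators on this page rather than a complete one.

```python
import ipaddress
from urllib.parse import urlsplit

# A small hand-picked subset of the indicators on this page: the /24 and /20
# ranges the posts suggest blocking, plus a few of the multihomed .ru:8080 IPs.
# (Assumption for this example; extend it from the plain lists in the posts.)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "64.94.238.0/24",     # Nuclear Fallout Enterprises range (trucktumble.com post)
    "85.192.32.0/20",     # DINETHOSTING range (curvecheese.com post)
    "50.31.1.105/32",     # Steadfast Networks, seen in every .ru:8080 list
    "173.203.51.174/32",  # Slicehost
    "184.106.200.65/32",  # Slicehost
    "210.56.23.100/32",   # Commission For Science And Technology, Pakistan
)]

# Squid native access.log format, constructed for this example (not real traffic).
# Field order: time elapsed client code/status bytes method URL ident peer/host type
# example.ru / placeholder-host.ru and the 203.0.113.x / 198.51.100.x peers are
# placeholders; the other hosts and IPs come from the posts on this page.
SAMPLE_LOG = """\
1330700001.123    210 10.0.0.12 TCP_MISS/200 5122 GET http://cgunikqakklsdpfo.ru:8080/img/?promo=nacha - DIRECT/50.31.1.105 text/html
1330700002.456     95 10.0.0.12 TCP_MISS/200 2011 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1330700003.789    130 10.0.0.40 TCP_MISS/200 1402 GET http://trucktumble.com/search.php?page=73a07bcb51f4be71 - DIRECT/64.94.238.71 text/html
1330700004.012     60 10.0.0.40 TCP_MISS/200  812 GET http://curvecheese.com/ - DIRECT/85.192.45.83 text/html
1330700005.345     44 10.0.0.77 TCP_MISS/200  903 GET http://example.ru/ - DIRECT/203.0.113.9 text/html
1330700006.678    300 10.0.0.77 TCP_MISS/200 4410 CONNECT placeholder-host.ru:8080 - DIRECT/198.51.100.7 -
"""


def parse_line(line):
    """Split one Squid access.log line into client, destination host/port and peer IP."""
    fields = line.split()
    if len(fields) < 9:
        return None
    url = fields[6]
    if "://" not in url:          # CONNECT requests log a bare host:port
        url = "//" + url
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    peer = fields[8].partition("/")[2] or None   # "DIRECT/1.2.3.4" -> "1.2.3.4"
    return {"client": fields[2], "host": parts.hostname, "port": port, "peer": peer}


def blocked_network(ip_text):
    """Return the blocked network (as a string) containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return None
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan_log(text):
    """Return the log records matching either detection rule, each with its reasons."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # Rule 1: the ".ru:8080" pattern shared by this whole spate of spam runs.
        if rec["host"].endswith(".ru") and rec["port"] == 8080:
            reasons.append("destination matches .ru:8080 pattern")
        # Rule 2: the server the proxy actually connected to sits in a blocked range,
        # which catches other domains on the same box, as the posts recommend.
        net = blocked_network(rec["peer"])
        if net:
            reasons.append("destination IP in blocked range " + net)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}:{hit['port']} ({hit['peer']}): "
              + "; ".join(hit["reasons"]))
```

Matching on the peer IP rather than the hostname is what lets the blocklist catch a fresh domain on an already-known server; the .ru:8080 rule catches a new server behind a hostname you have never seen. Note that example.ru on port 80 is deliberately not flagged, since the pattern the posts describe is the port as much as the TLD.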

BBB and AICPA spam / 110hobart.com

Two spam runs with essentially the same malicious payload..

Date:      Mon, 26 Feb 2012 12:30:50 +0100
From:      "BBB"
Subject:      BBB case ID 73773062
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau notifies you that we have been sent a complaint (ID 73773062) from your customer in regard to their dealership with you.

Please open the COMPLAINT REPORT below to obtain the details on this matter and inform us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Arnold Melendez

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Leading to 110hobart.com/main.php?page=f46555a4a5b80a04 and 110hobart.com/content/ap2.php?f=cc677, and also:

Date:      Mon, 26 Feb 2012 11:16:30 +0100
From:      "Adan Jordan"
Subject:      Tax return fraud notification.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud accusations

Valued AICPA member,

We have received a notice of your recent involvement in income tax refund infringement on behalf of one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be cancelled in case of the act of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 21 days. The failure to respond within this time-frame will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066


Leading to 110hobart.com/content/ap2.php?f=cc677 and 110hobart.com/main.php?page=02876dd2afe89394 (a slightly different URL from before).

The IP address is a familiar one, 41.64.21.71, which is allegedly an ADSL subscriber in Cairo. This IP has been used in several attacks recently; blocking it would be a really good idea.

Friday, 24 February 2012

AICPA Spam / synetworks.net and housespect.net

More fake AICPA spam leading to malware..

Date:      Fri, 23 Feb 2012 12:29:00 +0100
From:      "Jonathon Humphrey"
Subject:      Termination of your CPA license.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Accountant status due to income tax fraud accusations

Dear AICPA member,

We have received a complaint about your alleged participation in income tax fraudulent activity on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be terminated in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 7 days. The failure to respond within this term will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

==================

Date:      Fri, 23 Feb 2012 12:28:45 +0100
From:      "Dominic Moreno"
Subject:      Your accountant license can be revoked.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of Public Account Status due to tax return fraud accusations

Dear accountant officer,

We have been informed of your alleged involvement in income tax fraudulent activity for one of your clients. According to AICPA Bylaw Subsection 730 your Certified Public Accountant status can be revoked in case of the aiding of presenting of a incorrect or fraudulent tax return on the member's or a client's behalf.

Please be notified below and provide your feedback to it within 7 days. The failure to do so within this period will result in suspension of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The links go through a legitimate hacked site to some obfuscated javascript leading to a malicious payload on synetworks.net/main.php?page=2d057d472cd217e2 and synetworks.net/content/ap2.php?f=3dc5c (report here), hosted on 76.12.101.172 (HostMySite, US). That IP is also home to housespect.net, which also appears to be malicious. Blocking the IP should prevent any other malicious sites on the same server from being a problem.

Thursday, 23 February 2012

HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru

This isn't from an HP OfficeJet; the attachment leads to malware..

Date:      Thu, 22 Feb 2012 05:04:38 +0700
From:      scanner@victimdomain.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments:     HP_Officejet_02-23_OFCJET88353.htm

Attached document was scanned and sent



to you using a Hewlett-Packard HP OfficeJet 34612A.



Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]

HP Officejet Location: --

The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and, as with this recent spate of ".ru:8080" sites, it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one, with a few additions.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost, US)
50.57.118.247 (Slicehost, US)
69.60.117.183 (Colopronto, US)
78.83.233.242 (MVN Systems Ltd, Bulgaria)
79.101.30.15 (Serbia Telekom, Serbia)
88.191.97.108 (Free SAS / ProXad, France)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
147.83.22.79 (Universitat Politecnica de Catalunya, Spain)
173.203.51.174 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

A plain list for copy-and-pasting:
46.137.251.11
50.31.1.105
50.57.77.119
50.57.118.247
69.60.117.183
78.83.233.242
79.101.30.15
88.191.97.108
95.156.232.102
98.158.180.244
125.19.103.198
125.214.74.8
147.83.22.79
173.203.51.174
184.106.200.65
184.106.237.210
188.165.253.126
190.81.107.70
199.204.23.216
200.169.13.84
204.152.221.233
209.114.47.158
210.56.23.100
210.56.24.226

AICPA Spam / srsopen.net

Another fake spam email claiming to be from AICPA, but actually leading to malware, this time on srsopen.net.

Date:      Thu, 22 Feb 2012 11:29:29 +0100
From:      "Guadalupe Kessler"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Valued accountant officer,

We have received a complaint about your alleged participation in income tax infringement for one of your employers. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the event of presenting of a incorrect or fraudulent tax return for your client or employer.

Please be notified below and respond to it within 21 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The malicious payload is at srsopen.net/main.php?page=78581944265196f1. As usual, the first step is a legitimate hacked site. srsopen.net is hosted on two familiar IP addresses, 115.249.190.46 and 41.64.21.71, most recently seen here.

"You may be entitled to up to £3000 from mis-sold PPI" SMS Spam

I hadn't heard anything from these scummy SMS spammers recently; I assumed they had been busted in one of the recent crackdowns.

Urgent - You may be entitled to up to £3000 from mis-sold PPI on loans or credit cards. For a free no obligation check reply PPI or STOP to opt out

The sending number was +447866079549, although these spammers change their number more often than their underwear.

If you get one of these, you should forward the spam to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

Wednesday, 22 February 2012

NACHA Spam / campingomotion.com

Another NACHA spam with a malicious payload:

From: The Electronic Payments Association filmeboo@filmeboo.com
Reply-To: The Electronic Payments Association
Date: 22 February 2012 21:46
Subject: Technical failure report

Valued Customer,

Unfortunately we notify you , that Direct Deposit payment (#ACH603865004417US) could not be completed, because of discontinued receipient account.

Direct Deposit procedure incomplete
Transaction # :     ACH603865004417US
Information:     Please download and print the transfer correction request below adjust the recipient banking details.
Transfer Report     report-ACH603865004417US.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2012 NACHA - The Electronic Payments Association

The malicious payload is on campingomotion.com/search.php?page=977334ca118fcb8c, IP 199.230.54.75 (Servint, US). Block the IP address in addition to the domain if you can.

"Urgent! Check the access to your card!" / cpojkjfhotzpod.ru

Another malicious spam pointing to cpojkjfhotzpod.ru:8080.

Date:      Wed, 21 Feb 2012 06:09:01 -0800
From:      "Keitha Hanks"
Subject:      Urgent! Check the access to your card!

We have detected operations with large amounts on your card which fact had not previously been observed. Please, familiarize yourself with the copies and contact us in case these transfers of amounts were not made by you.
operations screenshot.jpg 103kb

With best regards
Keitha Hanks
MD5 check sum: xxxxxxxxxxxxxxxxxxxxx


The link in the spam goes to a legitimate hacked site and then cpojkjfhotzpod.ru:8080/images/aublbzdni.php as seen in this spam run. Blocking the list of IPs mentioned in that post is probably prudent.

Contract spam / cpojkjfhotzpod.ru

Another spam run (will they ever end?) this time with a malicious .htm attachment that tries to download from cpojkjfhotzpod.ru. Here are some examples:

Date:      Wed, 21 Feb 2012 07:17:49 +0800
From:      "LARUE Riley"
Subject:      Fw: Contract from LARUE
Attachments:     Contract_Scan_N5005.htm

Good afternoon,



In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

LARUE Riley, secretary

==========

Date:      Wed, 21 Feb 2012 05:17:01 +0700
From:      "DELORIS Hensley"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N0395.htm

Dear Customers,

In the attached file I am forwarding you the Translation of the Job Contract

that I have just received yesterday. I am really sorry for the delay.



Best regards,

DELORIS Hensley, secretary

===========


Date:      Wed, 21 Feb 2012 09:10:09 +0900
From:      "ALISHA MCMILLIAN"
Subject:      Fw: Contract from ALISHA
Attachments:     Contract_Scan_N67448.htm

Dear Customers,

In the attached file I am transferring you the Translation of the Sales Contract



that I have just received today. I am really sorry for the delay.

Best regards,

ALISHA MCMILLIAN, secretary

==========

Date:      Wed, 21 Feb 2012 04:41:45 +0700
From:      "Drake Milton"
Subject:      Fw: Contract of 09.06.2011
Attachments:     Contract_Scan_N7682.htm

Hello,

In the attached file I am forwarding you the Translation of the Purchase Contract

that I have just received a minute ago. I am really sorry for the delay.

Best regards,

Drake Milton, secretary

==========

The malicious payload is on cpojkjfhotzpod.ru:8080/images/aublbzdni.php, which is multihomed on several IP addresses, most of which we have seen before (and many of which are with Slicehost). A plain list is at the end for copy-and-pasting.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.57.118.247 (Slicehost, US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
72.22.83.93 (iPower, US)
79.101.30.15 (Serbia Telekom, Serbia)
83.170.91.152 (UK2.NET, UK)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
94.20.30.91 (Delta Telecom, Azerbaijan)
95.156.232.102 (Optimate-server, Germany)
98.158.180.244 (VPS.net Atlanta / Hosting Services Inc, US)
125.19.103.198 (Bharti Infotel, India)
125.214.74.8 (Web24 Pty, Australia)
173.203.51.174 (Slicehost, US)
184.106.151.78 (Slicehost, US)
184.106.200.65 (Slicehost, US)
184.106.237.210 (Slicehost, US)
188.165.253.126 (OVH SAS, France)
190.81.107.70 (Telemax, Peru)
199.204.23.216 (ECSuite, US)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.152.221.233 (SystemInPlace, US)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)

BBB Spam / energirans.net

Yet another malicious fake BBB spam run, this time with a malicious payload on the domain energirans.net.

Date:      Wed, 21 Feb 2012 11:21:48 +0100
From:      "BBB"
Subject:      Better Business Bureau complaint
Attachments:     betterbb_logo.jpg

Good afternoon,

Here with the Better Business Bureau would like to inform you that we have received a complaint (ID 15343433) from a customer of yours in regard to their dealership with you.

Please open the COMPLAINT REPORT below to view the details on this issue and suggest us about your position as soon as possible.

We hope to hear from you shortly.

Regards,

Rebecca Wilcox

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

The link in the email goes to a legitimate hacked site and then, via some obfuscated JavaScript, to energirans.net/main.php?page=598991e7306ac07e, where it attempts to infect the machine with the Blackhole Exploit Kit.

energirans.net is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India), which are the same IPs as found in this spam run. Blocking them is probably a very good idea.

AICPA Spam / favoriteburger.net

Following on from yesterday's AICPA spam run, a new domain is in use for the malicious payload: favoriteburger.net/search.php?page=73a07bcb51f4be71 on 209.59.212.14 (Endurance International Group again). The IP is worth blocking, and you may want to consider blocking larger ranges of this ISP, which seems to have a problem with this type of malicious site.

Date:      Tue, 20 Feb 2012 22:31:55 -0300
From:      "Gilbert Ayers"
Subject:      Termination of your accountant license.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Cancellation of CPA license due to tax return fraud allegations

Valued accountant officer,

We have received a notice of your possible assistance in income tax refund fraudulent activity for one of your employers. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the fact of filing of a false or fraudulent income tax return on the member's or a client's behalf.

Please be informed of the complaint below and provide your feedback to it within 14 days. The failure to do so within this term will result in termination of your Accountant status.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Tuesday, 21 February 2012

Some malware sites to block 21/2/12

These sites are being used in current spam runs to distribute the Blackhole Exploit Kit. You may want to block the IPs (mostly home PCs) or domains or both.

bestsecondchance.net
freac.net
likethisjob.com
synergyledlighting.net
sysfilecore.com
systemtestnow.com
thai4me.com
yourbeautifullife.net

For the record, those IPs are on the following providers:
41.64.21.71 (Dynamic ADSL, Egypt)
69.76.48.235 (Road Runner, US)
98.213.116.76 (Comcast, US)
115.249.190.46 (Reliance Communication, India)
151.56.49.48 (IUnet, Italy)
151.70.111.200 (IUnet, Italy)
174.48.136.189 (Comcast, US)

AICPA Spam / thai4me.com

Another spam run allegedly from "The American Institute of Certified Public Accountants" (AICPA) leading to malware, this time with a malicious payload on the domain thai4me.com.

From: Guillermo Reed risk.manager@aicpa.org
Date: 20 February 2012 11:18
Subject: Income tax return fraud accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Termination of CPA license due to income tax fraud allegations
Dear AICPA member,

We have received a complaint about your possible involvement in income tax return fraud  for one of your clients. According to AICPA Bylaw Paragraph 500 your Certified Public Accountant status can be terminated in case of the aiding of filing of a false or fraudulent tax return on the member's or a client's behalf.

Please be informed of the complaint below and respond to it within 14 days. The failure to provide the clarifications within this period will result in termination of your Accountant status.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 12:42:12 +0200
From:      "Devon Staley"
Subject:      Fraudulent tax return assistance accusations.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Valued AICPA member,

We have been notified of your alleged involvement in tax return fraud for one of your employees. According to AICPA Bylaw Subsection 765 your Certified Public Accountant license can be cancelled in case of the fact of submitting of a false or fraudulent income tax return for your client or employer.

Please find the complaint below below and provide your feedback to it within 21 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

=================

Date:      Tue, 20 Feb 2012 11:38:30 +0100
From:      "Ervin Witherspoon"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud allegations

Dear AICPA member,

We have received a complaint about your recent assistance in income tax refund fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Paragraph 765 your Certified Public Accountant license can be withdrawn in case of the event of submitting of a false or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and provide your feedback to it within 7 days. The failure to provide the clarifications within this term will result in suspension of your Accountant license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

The link leads through a legitimate hacked site to thai4me.com/main.php?page=7d486a09d440e84a, which attempts to download a Java exploit. The domain thai4me.com is hosted on 41.64.21.71 (Dynamic ADSL, Egypt) and 115.249.190.46 (Reliance Communication, India). Those IPs also host other malicious sites, so blocking them is probably a good move.

Saturday, 18 February 2012

Why you shouldn't use "The Good Care Guide" (goodcareguide.co.uk)

The Good Care Guide (goodcareguide.co.uk) looks like an admirable thing at first glance - an independent way for users of care services for the elderly and infants to review the quality of care, both good and bad. This is particularly useful with care for the elderly, where there often isn't much information, and the site has generated a lot of press comment (for example, the BBC, Sky News and the Press Association).

So... is this an entirely altruistic service? Not really. The Good Care Guide is provided in part by My Family Care Ltd which specialises in providing emergency, out-of-hours and holiday homecare for children and the elderly (e.g. emergencychildcare.co.uk, outofschoolcare.co.uk, emergencyhomecare.co.uk and myfamilycare.co.uk). Not that there appears to be anything wrong with these services, in fact they look to be pretty good and fill an important market niche.

When you sign up to write a review for the Good Care Guide, you have to give pretty much ALL your personal information including home address and telephone number. OK, that's fair enough if you want to make sure that the reviews are genuine..



The catch comes with the privacy policy, which to be fair spells out what they are going to do with your personal information very clearly.

With whom we share your information

GCG may share your information with the following entities:
  • Third-party vendors who provide services or functions on our behalf. Third-party vendors have access to and may collect information only as needed to perform their functions and are not permitted to share or use the information for any other purpose.
  • Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately.
  • Affiliated Web sites. If you were referred to GCG from another Web site, we may share your registration information, such as your name, email address, mailing address and telephone number about you with that referring Web site. We have not placed limitations on the referring Web sites' use of personal information and we encourage you to review the privacy policies of any Web site that referred you to GCG.
  • Companies within our corporate family. We may share your personal information within the My Family Care Group. This sharing enables us to provide you with information about care services which might interest you.

So basically.. they will share your information with other parts of their own company, any referring website and indeed any third-party business partner that they see fit. OK, everybody needs to run a business, but there is no opt-out clause. If you want to write a review, then you are agreeing to receive marketing communication by email, post and even telephone regarding care services, essentially without limitation.

The Good Care Guide are not doing anything illegal. But childcare is expensive, and care for the elderly is very expensive. There is a lot of money to be made out of this type of care, and it looks like the operators of the Good Care Guide want a share of this market through their own paid-for services.

Until the Good Care Guide give an opt-out for marketing communications, then I cannot recommend this service as it looks suspiciously like a lead generator rather than a public service.

Friday, 17 February 2012

"Your accountant CPA license termination" spam / biggestsetter.com and 199.30.89.0/24

I haven't seen this spam before, but the malicious payload it leads to is very familiar..

Date:      Fri, 16 Feb 2012 14:35:18 +0200
From:      "Mae Keller"
Subject:      Your accountant CPA license termination.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your alleged participation in tax return fraudulent activity on behalf of one of your employees. According to AICPA Bylaw Section 700 your Certified Public Accountant license can be cancelled in case of the occurrence of filing of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the notification below and respond to it within 7 days. The failure to provide the clarifications within this term will result in withdrawal of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

Although it claims to be from "The American Institute of Certified Public Accountants" (aicpa.org), the "from" address claims to be the BBB.

Click on the "complaint.pdf" link and you are redirected to biggestsetter.com/search.php?page=73a07bcb51f4be71, which attempts to download the Blackhole Exploit Kit. biggestsetter.com is hosted on 199.30.89.187 (Zerigo / Central Host Inc). This netblock has been used several times in the past few days, so my advice is to block access to 199.30.89.0/24.

Some more examples:

Date:      Fri, 16 Feb 2012 14:40:46 +0100
From:      "Susie Smallwood"
Subject:      Termination of your accountant license.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to tax return fraud accusations

Dear AICPA member,

We have been notified of your recent assistance in income tax refund fraud on behalf of one of your clients. According to AICPA Bylaw Section 600 your Certified Public Accountant status can be withdrawn in case of the occurrence of submitting of a misguided or fraudulent income tax return on the member's or a client's behalf.

Please familiarize yourself with the complaint below and respond to it within 7 days. The failure to respond within this term will result in cancellation of your Accountant license.

Complaint.pdf

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:25:24 +0100
From:      "Alvaro Best"
Subject:      Tax return fraud notification.

You're receiving this message as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Revocation of Public Account Status due to tax return fraud allegations

Dear accountant officer,

We have been notified of your possible participation in income tax return fraudulent activity for one of your clients. According to AICPA Bylaw Section 700 your Certified Public Accountant status can be cancelled in case of the act of submitting of a misguided or fraudulent income tax return for your client or employer.

Please find the complaint below below and respond to it within 14 days. The failure to provide the clarifications within this period will result in withdrawal of your Accountant status.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

===============

Date:      Fri, 16 Feb 2012 14:21:48 +0100
To:      
Subject:      Fraudulent tax return assistance accusations.

You're receiving this notification as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

Termination of CPA license due to income tax fraud allegations

Dear AICPA member,

We have received a complaint about your possible assistance in tax return fraudulent activity on behalf of one of your employers. According to AICPA Bylaw Section 500 your Certified Public Accountant license can be withdrawn in case of the fact of submitting of a incorrect or fraudulent tax return for your client or employer.

Please find the complaint below below and respond to it within 21 days. The failure to respond within this period will result in withdrawal of your CPA license.

Complaint.doc

The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

freac.net is back with a BBB spam run

freac.net is a domain used by malicious spam email pretending to be from the BBB or NACHA, as in this example. In that case, freac.net was apparently hosted on an IP belonging to Huawei in the US, but shortly afterwards it went non-resolving.

Well, freac.net is back and so is the spam promoting it.. e.g.

Date:      Fri, 16 Feb 2012 14:30:35 +0530
From:      "BBB"
Subject:      BBB case ID 28764441
Attachments:     betterbb_logo.jpg

Hello,

Here with the Better Business Bureau would like to notify you that we have received a complaint (ID 28764441) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to find more information on this case and let us know of your position as soon as possible.

We are looking forward to hearing from you.

Regards,

Carlos Baxter

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

===========

Date:      Fri, 16 Feb 2012 14:26:31 +0530
From:      "BBB"
Subject:      BBB complaint processing
Attachments:     betterbb_logo.jpg

Attention: Owner/Manager

Here with the Better Business Bureau would like to notify you that we have been sent a complaint (ID 78067910) from a customer of yours related to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this case and inform us about your opinion as soon as possible.

We are looking forward to hearing from you.

Faithfully,

Theresa Morris

Dispute Counselor
Better Business Bureau


Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Currently freac.net is hosted on 46.4.226.18 and 41.64.21.71. The first is a server rented from Hetzner in Germany; oddly, the second is an ADSL line in Cairo.

Anyway, blocking those IPs will stop any further infections from them. A Wepawet report for this infection is here.

Thursday, 16 February 2012

"Scan from a Hewlett-Packard Officejet" malicious spam / cserimankra.ru and samaragotodokns.ru

Another spam run with a malicious attachment:

Date:      Fri, 16 Feb 2012 11:24:56 +0700
From:      "VICTOR TALLEY"
Subject:      Scan from a Hewlett-Packard Officejet 3906171
Attachments:     HP_Scan-02.16_N05556.htm

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 97687P.

Sent by: VICTOR
Images : 9
Attachment Type: .HTML [Internet Explorer]

Hewlett-Packard Location: machine location not set
Device: PFJ722DS0IDJ4996064

The attachment attempts to download malicious code from cserimankra.ru:8080/images/aublbzdni.php, which is multihomed (report here), and then attempts to download more malicious code from samaragotodokns.ru:8080/images/jw.php?i=8

These .ru sites are hosted on a familiar set of IP addresses, very similar to the ones found here.

46.137.251.11 (Amazon Data Services, Ireland)
50.31.1.105 (Steadfast Networks, US)
50.57.77.119 (Slicehost US)
50.76.184.100 (Comcast, US)
69.60.117.183 (Colopronto, US)
87.120.41.155 (Neterra, Bulgaria)
88.191.97.108 (Free SAS / ProXad, France)
111.93.161.226 (Tata Teleservices, India)
173.203.51.174 (Slicehost, US)
173.255.229.33 (Linode, US)
184.106.151.78 (Slicehost, US)
184.106.237.210 (Slicehost, US)
190.81.107.70 (Telemax, Peru)
190.106.129.43 (G2KHosting, Argentina)
200.169.13.84 (Century Telecom Ltda, Brazil)
204.12.252.82 (Jaidee Daijai, US)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband Co Ltd, South Korea)

If you need a bare set of IP addresses for pasting into a blocklist:

Update: cgolidaofghjtr.ru is being used in a similar spam run and is on the same servers.

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges. I identified the following list last August, but I haven't had the chance to go back and check it again.

These are some of the malicious sites hosted on that server. It appears to be some sort of injection attack, although it is still being analysed.

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.

NACHA Spam / billydimple.com and biggestblazer.com

Here we go again, another NACHA spam leading to a malicious payload..

From:  The Electronic Payments Association risk_manager@nacha.org
Date: 15 February 2012 13:52
Subject: Rejected ACH payment

The ACH transaction (ID: 44103676925895), recently initiated from your bank account (by you or any other person), was canceled by the Electronic Payments Association.

Canceled transfer
Transaction ID:     44103676925895
Rejection Reason     See details in the report below
Transaction Report     report_44103676925895.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on biggestblazer.com/search.php?page=73a07bcb51f4be71 (report here), which is hosted on 199.30.89.180 (Central Host Inc / Zerigo.. yet again). It attempts to download additional components from billydimple.com/forum/index.php?showtopic=656974 on 69.164.205.122 (Linode.. again).

I've now seen several malicious sites in the 199.30.89.0/24 range, so it might be worth considering blocking the whole lot.

Wednesday, 15 February 2012

"Submit your tax refund request" malware / synergyledlighting.net

This spam leads to a malicious payload on synergyledlighting.net - a domain we have seen a lot of recently with a habit of moving around.

Date:      Wed, 14 Feb 2012 18:06:23 +0530
From:      "Rolland Quintana"
Subject:      Submit your tax refund request
Attachments:     irs_logo.jpg

After the last annual computations of your financial activity we have determined that you are eligible to get a tax refund of $802.

Please submit the tax refund request and allow us 3-9 days in order to process it.

The delay of a refund can be caused by a variety of reasons.

E.g., sending incorrect records or not meeting a deadline.

To learn the details of your tax refund please open this link.

Best regards,
Tax Refund Department
Internal Revenue Service

The malware starts at synergyledlighting.net/main.php?page=6d63cba62f5eb9a0 and then downloads various components (report here). Today synergyledlighting.net is on 178.211.40.29 (Sayfa Net, Turkey). This is one where blocking both the IP and domain is probably a good idea.

SOCA seize rnbxclusive.com. Due process, anyone?

I've never heard of RnBXclusive (rnbxclusive.com), but it is a site to do with Urban Music which isn't really my cup of tea. However, visitors to the site today get a message from SOCA saying:

SOCA has taken control of this domain name.    
The individuals behind this website have been arrested for fraud.

The majority of music files that were available via this site were stolen from the artists.    
If you have downloaded music using this website you may have committed a criminal offence which carries a maximum penalty of up to 10 years imprisonment and an unlimited fine under UK law.      
     
Your IP: 193.110.241.235
Your Browser: Firefox10.0.1
Your OS: WinXP
Time / Date: 06:46:37 15/02/2012

The above information can be used to identify you and your location.

SOCA has the capability to monitor and investigate you, and can inform your internet service provider of these infringements.

You may be liable for prosecution and the fact that you have received this message does not preclude you from prosecution.

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Visit pro-music.org for a list of legal music sites on the web.

One annoyance is that SOCA display the IP address of the visitor and basically accuse the visitor of being a criminal. But, more seriously, SOCA's message indicates that the site operator was guilty of illegal activities without a trial. Remember courts? Judges? That sort of thing? Any good lawyer could probably argue that SOCA's statement is prejudicial.

Also of interest, the .com name is registered through GoDaddy in the US, and the site is hosted on 83.138.166.114, which appears to be in a Rackspace facility in the UK. It looks like SOCA might have gained control of the server rather than the domain name, which shows no WHOIS changes.

TorrentFreak have some additional information here.

Tuesday, 14 February 2012

NACHA Spam / biggestloop.com

Another NACHA spam leading to a malicious payload, this time on biggestloop.com.

Date:      Tue, 13 Feb 2012 19:06:18 +0100
From:      "The Electronic Payments Association"
Subject:      Your ACH transfer
Attachments:     nacha_logo.jpg

The ACH transaction (ID: 54525654754524), recently initiated from your bank account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     54525654754524
Rejection Reason     See details in the report below
Transaction Report     report_54525654754524.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

I can't believe that there is a person in the world receiving this who will not have received hundreds of versions of the same thing before, but the spammers continue. The malicious payload is at biggestloop.com/main.php?page=27f6207e33edeeca (analysis here) on 206.214.68.57 (B2Net Solutions, Canada). Block the IP if you can. Better still, write some filters for your email system to keep the things far, far away.

This is why I won't be using F-Secure Mobile Security

F-Secure Mobile Security is not a bad product - it includes anti-theft software, a virus scanner and a supposedly secure browser. In the UK, F-Secure charge £29.95 a year for this, which is pricey for an Android application, but usually F-Secure products are very good. You can get a month's free trial before you buy.

It has some strengths and weaknesses. But I won't be upgrading to the paid version. Why not? Well, every day the same nag message comes up:
F-Secure would like to have your phone number for the purposes of possible product information and marketing related messaging. The cost of approval is that of one-time standard SMS to Finland. Do you agree?
There are two buttons.. Yes and No. Click "No" and the message seems to go away.. until the next day. And the day after that. And the day after that. You get the picture. Either this is a bug or it is a very aggressive attempt to get you to agree to SMS marketing. Either way it's a big turnoff and I'll be looking for another product to protect my Android..

NACHA Spam / freac.net

Another NACHA spam, this time with a malicious payload on the site freac.net.

Date:      Tue, 13 Feb 2012 11:12:12 +0100
From:      "The Electronic Payments Association" [alerts@nacha.org]
Subject:      ACH transaction canceled
Attachments:     nacha_logo.jpg

The ACH transfer (ID: 14282248034397), recently sent from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID:     14282248034397
Rejection Reason     See details in the report below
Transaction Report     report_14282248034397.doc (Microsoft Word Document)

13450 Sunrise Valley Drive, Suite 100

Herndon, VA 20171

2011 NACHA - The Electronic Payments Association

The malware is on freac.net/main.php?page=cd12dfacc57c3f82 (report here) which is on IP address 12.133.182.133 (Huawei Technologies, US). Blocking access to the IP address will prevent any other malicious sites on the server from being a problem.

"Arch Coal Corp" spam leads to malware / coajsfooioas.ru and tuberkulesneporok.ru

A slightly different spam from the usual Xerox rubbish, but with a similar malicious payload.. this time on the domains coajsfooioas.ru and tuberkulesneporok.ru.

Date:      Tue, 13 Feb 2012 04:59:42 +0900
From:      "DELL AVILES" Arch Coal Corp . [AfinaGuridi@auburn.edu]
Subject:      Re: Intercompany inv. from Arch Coal Corp.
Attachments:     Invoice_02_7_h158329.htm

Good day

Attached the intercompany inv. for the period Dec. 2011 til Jan.. 2012.

Thanks a lot for supporting this process

DELL AVILES

Arch Coal Corp. 

The obfuscated javascript in the attachment attempts to download malicious code from coajsfooioas.ru:8080/images/aublbzdni.php followed by more code from tuberkulesneporok.ru:8080/images/jw.php?i=8 (Wepawet report here).

These domains are multihosted on the same IPs as listed here. Blocking access to those IPs should stop further malware attacks from being successful.

Monday, 13 February 2012

"Scan from a Xerox W. Pro #6999878" spam / ckolmadiiasf.ru

This spam comes with a malicious attachment that attempts to download malware from ckolmadiiasf.ru:8080/images/aublbzdni.php.

Date:      Mon, 12 Feb 2012 07:57:23 +0700
From:      scan@victimdomain.com
Subject:      Fwd: Scan from a Xerox W. Pro #6999878
Attachments:     Xerox_Doc-l1616.htm

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: SUSANNAH
Number of Images: 6
Attachment File Type: .HTML [Internet Explorer Format]

Xerox WorkCentre Location: machine location not set
Device Name: XEROX5427OD9ID86

This is one of those cases where the malicious domain is massively multihomed across many hosting providers in several countries.

Looks familiar? Well, it is almost identical to this list with a few servers taken out of action.
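As an added illustration of the "write some filters for your email system" advice in the NACHA posts above (this is example code written for this page, not the blog's own or any vendor's), here is a small Python checker that flags the traits shared by the NACHA, Arch Coal and Xerox lures quoted on this page. The sample messages are constructed from the quoted spam, and the indicator labels are hypothetical names of my own.

```python
import re
from email import message_from_string
# Indicators lifted from the lures quoted above: a sender posing as NACHA, an
# "ACH ... transfer/transaction" subject, a fake report_<id>.doc, the URL shapes the
# payloads used (main.php?page=<16 hex>, :8080/images/<name>.php) and a Xerox scan .htm.
NACHA_SENDER = re.compile(r"electronic payments association|@nacha\.org", re.I)
ACH_SUBJECT = re.compile(r"\bACH\b.*(transfer|transaction)", re.I)
FAKE_REPORT = re.compile(r"report_\d{8,}\.doc", re.I)
PAYLOAD_URL = re.compile(r"main\.php\?page=[0-9a-f]{16}\b|:8080/images/\w+\.php", re.I)
XEROX_SUBJECT = re.compile(r"scan from a xerox", re.I)

def lure_indicators(raw):
    """Return the indicator names (hypothetical labels) one raw RFC 822 message matches."""
    msg = message_from_string(raw)
    sender, subject = msg.get("From", ""), msg.get("Subject", "")
    body, attachments = "", []
    for part in msg.walk():
        name = part.get_filename()
        if name:                                   # anything with a filename is an attachment
            attachments.append(name.lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    hits = []
    if NACHA_SENDER.search(sender) and ACH_SUBJECT.search(subject):
        hits.append("spoofed-nacha-ach-notice")
    if FAKE_REPORT.search(body):
        hits.append("fake-report-doc")
    if PAYLOAD_URL.search(body):
        hits.append("known-payload-url-shape")
    if XEROX_SUBJECT.search(subject) and any(a.endswith((".htm", ".html")) for a in attachments):
        hits.append("xerox-scan-html-attachment")
    return hits
# Constructed samples modelled on the quoted spam (not real captured mail).
NACHA_LURE = """From: "The Electronic Payments Association" <alerts@nacha.org>
Subject: ACH transaction canceled

The ACH transfer (ID: 14282248034397) was canceled by the other financial institution.
Transaction Report report_14282248034397.doc (Microsoft Word Document)
http://freac.net/main.php?page=cd12dfacc57c3f82
"""
XEROX_LURE = """From: scan@victimdomain.com
Subject: Fwd: Scan from a Xerox W. Pro #6999878
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="Xerox_Doc-l1616.htm"

<html></html>
--b1--
"""
```

A real deployment would combine these hits with sender authentication results rather than quarantining on any single match, since the subject and display-name checks alone will also catch legitimate mail that quotes the lure.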