Dynamoo's Blog

Thursday 12 April 2012

Federal Reserve Wire Network spam / vanishingmasers.ru

This spam leads to malware on vanishingmasers.ru:

Date:     Thu, 12 Apr 2012 15:14:41 -0300
From:     "Lidia Polk" [uzbekistanqp39@sterkinekor.com]
Subject:     RE: Wire transfer cancelled

Good afternoon,

Wire transfer was canceled by the other bank.

Rejected transaction:

FEDWIRE REFERENCE NUMBER: SK9415179747ODP36641K

Wire Transfer Report: View

The Federal Reserve Wire Network

The payload is on vanishingmasers.ru:8080/pages/glavctkoasjtct.php (report here) which is hosted on some familiar looking IP addresses:

41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
83.170.91.152 (UK2.NET, UK)
85.214.204.32 (Strato AG, Germany)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
210.56.23.100 (Commission For Science And Technology, Pakistan)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
83.170.91.152
85.214.204.32
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
210.56.23.100
211.44.250.173
219.94.194.138

LinkedIn Spam / prospero-marketing.net

This spam leads to malware:

From:    Patrice Burke premonition9@linkedin.com
Date:    12 April 2012 16:33
Subject:    LinkedIn Nofitication service message

LinkedIn
REMINDERS

Invitation reminders:
• From Kadeem Ruiz (Your classmate)

PENDING MESSAGES

• There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.

The malicious payload is on prospero-marketing.net/main.php?page=5ab26a646c9cf178 (report here) hosted on 85.189.11.134 and 41.64.21.71 which are the same IPs as seen in this attack yesterday.

Something evil on 91.230.147.204 / Aldevir Invest

There are a bunch of domains on 91.230.147.204 being used in injection attacks..

entra78ting1.rr.nu
kickp43erryba.rr.nu
ngem44entca.rr.nu
ecei45veda.rr.nu
pingyo18ungmea.rr.nu
lls83sea.rr.nu
ipsre94marka.rr.nu
ownsca11ncerdra.rr.nu
ipme54ntsa.rr.nu
pora96tionb.rr.nu
rhol48dingc.rr.nu
anyco35mmunic.rr.nu
ddispl59ayingad.rr.nu
duni54xdled.rr.nu
ate62bid.rr.nu
losin31gsind.rr.nu
eted47place.rr.nu
stem59lice.rr.nu
ense21sgene.rr.nu
prepa36repre.rr.nu
sbrill22iantte.rr.nu
repres92enteve.rr.nu
stiga68tedef.rr.nu
taxv93italf.rr.nu
ivisi07onbeg.rr.nu
les23leg.rr.nu
citati35onpreg.rr.nu
who97mhig.rr.nu
nit25ionh.rr.nu
long63edhi.rr.nu
gypt73iani.rr.nu
unde52sbank.rr.nu
tank95ersfl.rr.nu
supe54radol.rr.nu
opria79teprol.rr.nu
egulat49ionspl.rr.nu
partia68llyearl.rr.nu
asketb75allmul.rr.nu
ent69aryl.rr.nu
sswhyp63rogramm.rr.nu
otin51gform.rr.nu
tern37etban.rr.nu
asi59ain.rr.nu
conce87ptfin.rr.nu
ing85erin.rr.nu
sadjus10tmentin.rr.nu
yworld22widecon.rr.nu
mpti08ngcon.rr.nu
tril70lion.rr.nu
ini66ngco.rr.nu
meant86lakefo.rr.nu
epopu02latio.rr.nu
ieved92lebano.rr.nu
egis13lato.rr.nu
esa70cto.rr.nu
urdr08eamp.rr.nu
anie49sdar.rr.nu
rical10ibrar.rr.nu
ngnyb99omber.rr.nu
tlongt08ermwer.rr.nu
ggest37power.rr.nu
rswa90rbur.rr.nu
ari90ores.rr.nu
rece69ives.rr.nu
ment54leaks.rr.nu
earal02ltwos.rr.nu
tsp15ers.rr.nu
speakf56eelingt.rr.nu
iesst77atepot.rr.nu
hurric76anereu.rr.nu
elba98nkru.rr.nu
greedc57upelev.rr.nu
duc15edov.rr.nu
ens62how.rr.nu
dustry52dontow.rr.nu
nta17ctex.rr.nu
kelly44array.rr.nu
ns1.hoperjoper.ru
ns2.hoperjoper.ru

This is a dodgy looking /24 allocated to:

inetnum:         91.230.147.0 - 91.230.147.255

netname:         zuzu-net

descr:           OOO "Aldevir Invest"

country:         RU

org:             ORG-OI19-RIPE

admin-c:         KY241-RIPE

tech-c:          KY241-RIPE

status:          ASSIGNED PI

mnt-by:          RIPE-NCC-END-MNT

mnt-lower:       RIPE-NCC-END-MNT

mnt-by:          zuzu-mnt

mnt-routes:      zuzu-mnt

mnt-domains:     zuzu-mnt

source:          RIPE # Filtered

organisation:    ORG-OI19-RIPE

org-name:        OOO "Aldevir Invest"

org-type:        other

address:         192012, St.-Petersburg, Chernova ul., 25, office 12

mnt-ref:         zuzu-mnt

mnt-by:          zuzu-mnt

source:          RIPE # Filtered

person:          Krutko Evgeni Yurevich

address:         192012, St.-Petersburg, Chernova ul., 25, office 12

phone:           +7812850202

nic-hdl:         KY241-RIPE

mnt-by:          zuzu-mnt

source:          RIPE # Filtered

route:           91.230.147.0/24

descr:           Route for DC

origin:          AS5508

mnt-by:          zuzu-mnt

source:          RIPE # Filtered

Some of these domains were previously hosted on Specialist ISP, one of the blackest hat hosting providers that I know of. I would suggest blocking the entire /24 on this to be on the safe side.

For info, the following sites are also in that /24 block:

kleostor.com
prillipapa.biz
prillipapa.com
prillipapa.info
prillipapa.net
prillipapa.org
zeraniko.biz
zeraniko.com
zeraniko.info
zeraniko.net
zeraniko.org
zex-tezx.com
argobuilding.in
mybackdomain888.in
besthostnets.com
firstnethosting.com
highesthostnets.com
tophostnetworks.org
lockandkeyeventsparty.com
thisdomainsmakemetired.info
hashs.ru
allyrboom.com
trisstan-express.org
tropicana-tour.org

Wednesday 11 April 2012

Wire Transfer spam / wiskonsintpara.ru

This spam leads to malware on wiskonsintpara.ru:

From:   Marcel Ouellette RaymondKalan@nyc.rr.com
Date:   11 April 2012 13:30
Subject:   Re: Wire Transfer Confirmation (FED REFERENCE 42420PP01)

Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-900098281493111
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)
Transfer_N883664.htm

There's an HTML attachment which attempts to load malicious content from wiskonsintpara.ru:8080/img/?promo=nacha (although this wasn't working when I tested it). This domain is multihomed on a set of IP addresses we have seen a lot of lately and are definitely worth blocking:

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

LinkedIn Spam / baiparz.com

This fake LinkedIn message leads to malware:

Date:     Wed, 11 Apr 2012 15:09:48 -0300
From:     "Pasquale Nieves" [warthogv@linkedin.com]
Subject:     LinkedIn Nofitication service message

LinkedIn
REMINDERS

Invitation reminders:
? From Felix Byers (Your Colleague)

PENDING MESSAGES

? There are a total of 2 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

There's a malicious payload at baiparz.com/main.php?page=f93de12c807d28df (report here) which is hosted by Griffin Internet in the UK on 85.189.11.134 and also can be found on the familiar IP address of 41.64.21.71 which is an ADSL subscriber in Egypt.

Tuesday 10 April 2012

Intuit.com spam / webmastaumuren.ru

Here's a fake Intuit spam leading to malware on webmastaumuren.ru:8080:

From: Yvonne Lewis [mailto:MalikDuenes@choice.net]
Sent: 10 April 2012 12:03
Subject: Dowload your Intuit.com invoice.

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-367-0794 ($4.49/min).

ORDER INFORMATION
Please download your complete order id #4147367 from the attachment.(Open with Internet Explorer)

©2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is on webmastaumuren.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the same IP addresses found here.

US Airways Spam / 50.116.5.41 and 174.140.165.197

This fake US Airways spam leads to malware on 50.116.5.41

Date:     Tue, 10 Apr 2012 19:18:16 +0530
From:     "US Airways - Reservations" [usair@myusairways.com]
Subject:     Confirm your US airways online reservation.



You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). Then, all you have to do is print your boarding pass and proceed to the gate.

Confirmation code: 956153

Check-in online: Online reservation details


Flight

1396
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012

�
We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The payload is on 50.116.5.41/showthread.php?t=73a07bcb51f4be71 (report here) which is hosted by Linode in the US.

Update: a similar spam is also doing the rounds with a payload on 174.140.165.197 (Directspace, US)

jueoaritjuir.php attacks to block

There have been a helluvalot of malicious spams in the past few days, some using HTML attachments and some using an HTML-in-ZIP attack, for example:

Intercompany inv. from Safeco Corporation Corp.
Invoice_1750544151.zip
Invoice.htm

Scan from a HP ScanJet #24166324
Scan_HPa.zip
HP_Scan.htm

Re: End of Aug. Statement Required
Invoice_N{DIG}.htm

Your Flightticket
FLIGHT_TICKET_N24207.zip
Ticket.htm

FEDEX: DELIVER CONFIRMATION - FAILED 335929
Collect_Letter-176310.htm

Payload URLs include:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://81.30.160.7:8080/navigator/jueoaritjuir.php
hxxp://88.190.22.72:8080/navigator/jueoaritjuir.php
hxxp://89.31.145.154:8080/navigator/jueoaritjuir.php
hxxp://112.78.124.115:8080/navigator/jueoaritjuir.php
hxxp://194.85.97.121:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://webalizerindians.ru:8080/navigator/jueoaritjuir.php

By host:
41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
81.30.160.7 (Vinteleport, Ukraine)
88.190.22.72 (Free SAS / ProXad, France)
89.31.145.154 (Nexen, France)
112.78.124.115 (Sakura Internet, Japan)
125.19.103.198 (Bharti Infotel, India)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
62.85.27.129
81.30.160.7
88.190.22.72
89.31.145.154
112.78.124.115
125.19.103.198
194.85.97.121
202.149.85.37
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

These IPs seem pretty consistent at the moment, blocking them should offer some degree of protection.

Friday 6 April 2012

"Scan from a Hewlett-Packard ScanJet" spam 6/4/12

Another fake HP scan spam email leading to malware. This one follows the new technique of putting a malicious HTML (HP_Scan.htm) file inside a ZIP file to reduce the risk of it being blocked, and then it has multiple payload sites to try to get a higher infection rate. Nasty.

Date:     Fri, 6 Apr 2012 08:29:34 +0200
From:     "Hewlett-Packard Officejet 70419A" [JaysonGritten@estout.com]
Subject:     Scan from a Hewlett-Packard ScanJet #02437326
Attachments:     HP_Document-12-Z1380.zip

Attached document was scanned and sent

to you using a Hewlett-Packard HP Officejet 45211A.

Sent by: MILLIE
Images : 7
Attachment Type: ZIP [DOC]

Hewlett-Packard Officejet Location: machine location not set
Device: OFC347AA3BSX37057762

The payload can be found at:
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
..the IP address can also be found in this attack.

A Wepawet report can be found here. Anti-virus detection is pretty poor at the moment.

The bad guys certainly seem to have found a way to bring more machines into contact with this malware. Take care!

Thursday 5 April 2012

US Airways Spam / 209.59.218.94

Another US Airways spam, malformed this time, pointing to malware on 209.59.218.94.

Date:     Thu, 5 Apr 2012 14:10:48 +0000
From:     "US Airways - Reservations" [usair@myusairways.com]
Subject:     Confirm your US airways online reservation.

you {l2} check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying {l3}). {l4}, all you {l5} to do is print your boarding pass and {l6} to the gate.

confirmation code: {digit}

check-in online: online reservation details

flight

{digit}
departure city and time

washington, dc (dca) 10:00pm

depart date: 4/5/2012

we are committed to protecting your privacy. your information is kept private and confidential. for information about our privacy policy visit usairways.com.

us airways, 111 w. rio salado pkwy, tempe, az 85281 , copyright us airways , all rights reserved.

The malicious payload is at 209.59.218.94/showthread.php?t=73a07bcb51f4be71 (report here). This is hosted by Endurance International in the US.

US Airways Spam / 174.140.171.117

Another US Airways spam leading to malware on a Directspace IP (174.140.171.117)

Date:     Thu, 5 Apr 2012 18:54:19 +0700
From:     "US Airways - Reservations" [support@myusairways.com]
Subject:     US Airways online check-in.


You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). After that, all you need to do is print your boarding pass and go to the gate.

Confirmation code: 610235

Check-in online: Online reservation details


Flight

5266
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012


We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The malicious payload is on 174.140.171.117 (report here) hosted by Directspace in the US. This is the third time in recent days that Directspace have hosted such a site in this range, the others were 174.140.171.173 (here) and 174.140.166.138 (here).

Malicious spam / Invoice_N{DIG}.zip

We're seeing a huge spam run at the moment with various subject and attachments, but typically using an HTML-in-ZIP attack with an attachment called Invoice_N{DIG}.zip

Subjects include:
DHL: DELIVER CONFIRMATION - FAILED 113996
FW: End of Aug. Statement
FW: Scan from a Xerox W. Pro #7338339
although there are probably many others.

The attachment leads to a multihomed exploit kit (report here) on:
hxxp://41.168.5.140:8080/navigator/jueoaritjuir.php
hxxp://62.85.27.129:8080/navigator/jueoaritjuir.php
hxxp://78.83.233.242:8080/navigator/jueoaritjuir.php
hxxp://180.235.150.72:8080/navigator/jueoaritjuir.php
hxxp://211.44.250.173:8080/navigator/jueoaritjuir.php
hxxp://219.94.194.138:8080/navigator/jueoaritjuir.php

Hosts:
41.168.5.140 (Neotel, South Africa)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net, Bulgaria)
180.235.150.72 (Ardh Global, Indonesia)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list for copy-and-pasting:
41.168.5.140
62.85.27.129
78.83.233.242
180.235.150.72
211.44.250.173
219.94.194.138

Wednesday 4 April 2012

US Airways Spam / 174.140.166.138

Another one of a spate of fake US Airways emails, with a link leading to malware:

From:    US Airways - Reservations reservations@myusairways.com
Date:    4 April 2012 14:58
Subject:    US Airways online check-in.

You should check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and go to the gate.

Confirmation code: 266492

Check-in online: Online reservation details


Flight

0312
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The malicious payload is on 174.140.166.138 (report here) hosted by Directspace in the US. Avoid.

playbill.com hacked

playbill.com covers listings and tickets for theatre events in New York and London. It's a popular site in the US, ranked 3350 according to Alexa.

Unfortunately, the site has been hacked with exploit code for the Java AtomicReferenceArray unsafe typing (CVE-2012-0507) vulnerability (report here), apparently loading malicious components from dezbvu.dyndns-server.com/forum/s1 (62.76.180.69 - ClodoCloud / IT House Ltd, Russia).

Remember you keep your Java up to date to avoid this sort of drive-by attack.

"End of Aug. Statement" spam / dhjhgfkjsldkjdj.ru

This "End of Aug. Statement" spam uses the same malicious payload as this one earlier today.

From: Margo Lawrence [mailto:robbersab@alumni.insead.edu]
Sent: 04 April 2012 14:17
Subject: Re: FW: End of Aug. Statement

,
as reqeusted I give you inovices issued to you per february (Internet Explorer format).

Regards

Dollie Mcguire

There's an HTML-in-ZIP attachment, leading to a malicious payload at dhjhgfkjsldkjdj.ru (report here). Blocking access to the IP addresses shown in this post may be prudent.

Intuit.com spam / dhjhgfkjsldkjdj.ru

Another fake Intuit spam leading to malware, this time on dhjhgfkjsldkjdj.ru:

Date:     Wed, 4 Apr 2012 11:33:37 +0100
From:     pXTwWE@gmail.com
Subject:     Dowload your Intuit.com invoice.
Attachments:     Intuit_Order-255798.htm

Dear customer: Thank you for ordering from Intuit Market. We are processing and will message you when your order ships. If you ordered multiple items, we may sned them in more than one delivery (at no extra cost to you) to ensure quicker delivery. If you have questions about your order please call 1-900-374-9959 ($2.89/min).
ORDER INFORMATION
Please download your complete order id #5400523 from the attachment.(Open with Internet Explorer)
�2012 Intuit, Inc. All rights reserved. Intuit, the Intuit Logo, Quickbooks, Quicken and TurboTax, among others, are registered trademarks of Intuit Inc.

The malware is a Phoenix exploit kit at dhjhgfkjsldkjdj.ru:8080/navigator/jueoaritjuir.php (Wepawet Report here) which is multihomed on the IPs below, a very similar list to this recent spam run.

41.66.137.155 (AfricaINX, South Africa)
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
125.19.103.198 (Bharti Infotel Ltd, India)
180.235.150.72 (Ardh Global, Indonesia)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Comite Gestor Da Internet, Brazil)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)

Plain list for copy-and-pasting:
41.66.137.155
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
78.107.82.98
89.218.55.51
125.19.103.198
180.235.150.72
194.85.97.121
200.169.13.84
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

Tuesday 3 April 2012

SMS Spam: "We have been trying to contact you regards your recent accident"

These scumbag SMS spammers are at it again:

URGENT: We have been trying to contact you regards your recent accident; you could be due up to £5,100 in compensation. Reply CLAIM for info, STOP to opt out.

In this case, the sender's number is +447788313443 but this will change as the networks block it.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the came of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Hopefully the carriers will act if there are enough complaints.

US Airways Spam / 109.202.98.43

Another US Airways fake email leading to malware:

Date:     Tue, 3 Apr 2012 14:26:03 +0200
From:     "US Airways - Reservations" [reservations@myusairways.com]
Subject:     Confirm your US airways online reservation.

You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying internationally). Then, all you need to do is print your boarding pass and head to the gate.

Confirmation code: 336881

Check-in online: Online reservation details


Flight

0989
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The malware is on 109.202.98.43/showthread.php?t=73a07bcb51f4be71 (report here) hosted Global Layer, Netherlands.

"Info in regard to keeping well" spam / ListK LLC

This spam appears to be some sort of probing attack, looking for valid email addresses. In this case, the email was send to an address that didn't actually exist.

From:    Roy Johnson Roy.Johnson@verif1cationtime4.com
Date:    3 April 2012 06:45
Subject:    Info in regard to keeping well.

This is a one time public service message about Attention Deficit
Hyperactivity Disorder (ADHA) and no further emails will be sent.

ADHD (attention deficit hyperactivity disorder), sometimes called ADD
(attention deficit disorder), is linked with hyperactivity, impulsive
behavior, and attention problems in both children and adults. It's
estimated that up to 12 percent of school-aged children and 6 percent of
adults have ADHD, making it harder for them to focus on tasks, manage
their time, control their behavior, or even sit still. There is no
single test to diagnose ADD/ADHD. To reach a diagnosis, a doctor or
specialist may do a physical exam to rule out any physical problems, as
well as ask questions about behavior in certain situations. Treatment is
often a combination of medication and behavioral therapy. The goals of
treatment are to help the person control impulsive behaviors, do better
in school or work, and improve social relationships. Keep well.

This appears to be an attempt to bypass spam filters, and also the relevant spam laws by apparently not being a commercial email message.

In this case, the spam went through a relay at 174.142.85.218, but the originating IP appears to be 208.115.221.34, a Limestone Networks IP suballocated to a outfit called "24Shells, Feasterville, PA 19053, US" who control a small block of 208.115.221.32/29 (208.115.221.32 - 208.115.221.39) in this range.

So far, I have discovered the following (anonymous) domains and IP addresses connected with this spammer:

174.142.85.218 (iWeb / Listk LLC, Canada)
mx.verif1cationtime4.com

208.115.221.34 (Limestone Networks, US. Suballocated to "24Shells, Feasterville, PA 19053, US")
mail.vprtcls3.com

174.142.82.119 (iWeb, Canada)
mail.3vermethod.com

96.31.93.88 (Noc4Hosts, US)
mx.verif1cationtime2.com

209.54.55.171 (Native Hosting, US)
mx.verif1cationtime3.com

216.245.208.34 (24Shells, US)
mail.2vermethod.com

173.236.84.2 (Singlehop, US)
mx.4vermethod.com

74.112.248.179 (Triple8, US)
mail.vprtcls1.com

Out of these IPs, 174.142.85.218 is the most interesting. It belongs to iWeb in Canada (Canada is a great home for spammers) but is suballocated to:

NetRange:       174.142.85.216 - 174.142.85.223

CIDR:           174.142.85.216/29

OriginAS:     

NetName:        IWEB-CL-T215-200CN-1330

NetHandle:      NET-174-142-85-216-1

Parent:         NET-174-142-0-0-1

NetType:        Reassigned

RegDate:        2010-05-14

Updated:        2010-05-14

Ref:            http://whois.arin.net/rest/net/NET-174-142-85-216-1

CustName:       ListK LLC

Address:        1200 Abernathy Road

City:           Atlanta

StateProv:      GA

PostalCode:     30328

Country:        US

RegDate:        2010-05-14

Updated:        2011-11-21

Ref:            http://whois.arin.net/rest/customer/C02496703

ListK LLC has a website at listk.com and are based in Atlanta, Georgia (BBB report here). Their web site gives an indication as to exactly what this spam is about:

NameDiscoverer™ helps clients add net new contacts to their lists by utilizing our proprietary search technology to identify, gather and verify contacts and provide their titles and business email addresses.

SmartSender™ is our state-of-the-art email deployment platform that rotates and pulses emails over multiple servers so your emails never get filtered out as part of a bulk send.

eDNA™ helps companies add fresh, deliverable B2B email addresses to their lists using our proprietary technology - not by matching to an existing, tired list of emails off the shelf.

This describes the spam probe exactly, it is using existing contact details to try to form a valid email address, and then probe it from several different IP addresses to try to bypass spam filters.

In my personal opinion, this is unethical and arguably illegal as the spam is indeed part of a commercial offering. If you receive spam from this outfit, you should report it to their hosting providers. I also recommend complaining to the BBB if you are in the US.

Just for reference the mail headers involved are as follows:

Received: from mx.verif1cationtime4.com ([174.142.85.218])
    by ---------- with esmtp (Exim 4.69)
    id 1SEwkh-0006gp-2Y
    for ----------; Tue, 03 Apr 2012 06:58:00 +0100
Received: from 208.115.221.34
        by mail.3vermethod.com (Merak 8.9.1) with ASMTP id NJW04750
        for <---------->; Tue, 03 Apr 2012 01:45:50 -0400
Status:
Message-ID: <20120403014518.8b1d3b8d2d@3b5e>
From: "Roy Johnson"
To: ----------
Date: Tue, 3 Apr 2012 01:45:18 -0400
X-Priority: 3
X-Mailer: SkillCaster
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
    ----------
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
    version=3.2.5
Subject: Info in regard to keeping well.
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit
Delivered-To: ----------

Monday 2 April 2012

US Airways Spam / 174.140.171.173

This spam appears to be from US Airways, but it actually leads to malware on 174.140.171.173.

From:    US Airways - Reservations support@myusairways.com
Date:    2 April 2012 15:15
Subject:    US Airways online check-in confirmation.

You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 778136

Check-in online: Online reservation details


Flight

7557
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

The link goes through a couple of legitimate hacked sites and ends up at 174.140.171.173/showthread.php?t=73a07bcb51f4be71 which contains a malicious payload. This IP is hosted by Directspace in the US.