Dynamoo's Blog

Thursday 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:     Thu, 14 Feb 2013 09:05:48 -0500
From:     "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:     Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / 202.72.245.146

This fake printer spam leads to malware on 202.72.245.146:

Date:     Thu, 14 Feb 2013 10:10:56 +0000
From:     AntonioShapard@hotmail.com
Subject:     Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

=================

Date:     Thu, 14 Feb 2013 06:07:00 -0800
From:     LinkedIn Password [password@linkedin.com]
Subject:     Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-775861P.

SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/column.php (report here) which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server:
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
esigbsoahd.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
emaianem.ru
disownon.ru
estipaindo.ru
ejiposhhgio.ru
epilarikko.ru
damagalko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
eminakotpr.ru
dfudont.ru

"Copies of policies" spam / ewinhdutik.ru

This spam leads to malware on ewinhdutik.ru:

Date:     Thu, 14 Feb 2013 07:16:28 -0500
From:     "Korbin BERG" [ConnorAlmeida@telia.com]
Subject:     RE: Korbin - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Korbin BERG,

======================

Date:     Thu, 14 Feb 2013 03:30:52 +0530
From:     Tagged [Tagged@taggedmail.com]
Subject:     RE: KESHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

KESHIA LEVINE,

The malicious payload is at [donotclick]ewinhdutik.ru:8080/forum/links/column.php (report here) hosted on the same IP addresses as this attack we saw earlier.

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / eipuonam.ru

This fake printer spam leads to malware on eipuonam.ru:

Date:     Thu, 14 Feb 2013 -02:00:50 -0800
From:     "Xanga" [noreply@xanga.com]
Subject:     Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam.ru:8080/forum/links/column.php (report here) hosted on:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and sites should be blocked:
91.121.57.231
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
efjjdopkam.ru
egihurinak.ru
eipuonam.ru
ejiposhhgio.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Wednesday 13 February 2013

"First Foundation Bank Secure Email Notification" spam

It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:

Date:     Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From:     FF-inc Secure Notification [secure.notification@ff-inc.com]
Subject:     First Foundation Bank Secure Email Notification - 94JIMEEQ

You have received a secure message

Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.

2000-2013 First Foundation Inc. All rights reserved.

Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file.

VirusTotal detection rates are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile@res.ff-inc.com just generates a failure message. Avoid.

NACHA spam / eminakotpr.ru

More fake NACHA spam, this time leading to malware on eminakotpr.ru:

Date:     Wed, 13 Feb 2013 05:24:26 +0530
From:     "ACH Network" [risk-management@nacha.org]
Subject:     Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.

Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National Automated Clearing House Association

The malicious payload is at [donotclick]eminakotpr.ru:8080/forum/links/column.php hosted on:

46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
egihurinak.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.

afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:

Date:     Wed, 13 Feb 2013 12:10:27 +0000
From:     " NACHA" [limbon@direct.nacha.org]
Subject:     Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)

13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)

The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net

Tuesday 12 February 2013

Something evil on 192.81.129.219

It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17.wolfmountaingroup.com
17.designerbiochar.com
17.easygardencolor.com
17.devicelogics.com
17.springwoodventures.com
17.designersoils.com
17.drdos.com
17.wolfmountainproducts.com
17.soldatnainvestments.com
17.themulchpit.com
17.soleradevelopment.com
17.silvasport.com
17.scenicdesign.us
17.dailyexpress.us
17.canyonturf.net
17.southwesttelecom.net
17.wlfmtn.net
17.coloryourpatio.net
17.designersoils.net
17.scenicdesign.biz

Changelog spam / emaianem.ru

This changelog spam leads to malware on emaianem.ru:

Date:     Tue, 12 Feb 2013 09:11:11 +0200
From:     LinkedIn Password [password@linkedin.com]
Subject:     Re: Changlog 10.2011

Good day,

changelog update - View

L. KIRKLAND

=================

Date:     Tue, 12 Feb 2013 05:14:54 -0600
From:     LinkedIn [welcome@linkedin.com]
Subject:     Fwd: Re: Changelog as promised(updated)

Good morning,

as prmised updated changelog - View

L. AGUILAR

The malicious payload is at [donotclick]emaianem.ru:8080/forum/links/column.php and is hosted on the same servers as found here.

IRS spam / micropowerboating.net

This fake IRS spam leads to malware on micropowerboating.net:

Date:     Tue, 12 Feb 2013 22:06:55 +0800
From:     Internal Revenue Service [damonfq43@taxes.irs.gov]
Subject:     Income Tax Refund TURNED DOWN

Hereby we have to note that Your State Tax Refund Appeal ({ID: 796839212518), recently has been RETURNED. If you believe that IRS did not properly estimate your case due to misunderstanding of the fact(s), be prepared to serve additional information. You can obtain refusal to accept details and re-submit your appeal by browsing a link below.

Please enter official website for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
9611 Tellus. Av.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

==============================

Date:     Tue, 12 Feb 2013 15:00:35 +0100
From:     Internal Revenue Service [zirconiumiag0@irs.gov]
Subject:     Income Tax Refund NOT ACCEPTED

Hereby we hav to inform that Your Income Tax Refund Appeal ({ID: 46303803645929), recently has been CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to equip additional information. You can obtain non-acceptance details and re-submit your appeal by browsing a link below.

Please browse official site for more information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
3192 Aliquam Rd.
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

==============================

Date:     Tue, 12 Feb 2013 15:13:37 +0100 [09:13:37 EST]
From:     Internal Revenue Service [idealizesmtz@informer.irs.gov]
Subject:     Income Tax Refund TURNED DOWN

Hereby You notified that Your Income Tax Outstanding transaction Appeal (No: 8984589927661), recently was CANCELED. If you believe that IRS did not properly estimate your case due to misapprehension of the fact(s), be prepared to deliver additional information. You can obtain refusal of acceptance details and re-submit your appeal by using a link below.

Please enter official site for information

Internal Revemue Service
Internal Revenue Services United States, Department of Treasury
P.O. Box 265
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

The malicious payload is on [donotclick]micropowerboating.net/detects/pending_details.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following IPs and domains should be blocked:
175.121.229.209
198.144.191.50
micropowerboating.net
morepowetradersta.com
asistyapipressta.com
uminteraktifcozumler.com
rebelldagsanet.com
madcambodia.net
acctnmrxm.net
capeinn.net
albaperu.net
live-satellite-view.net

eFax spam / estipaindo.ru

This fake eFax spam leads to malware on estipaindo.ru:

From: messages-noreply@bounce.linkedin.com
Sent: 12 February 2013 04:10
Subject: Efax Corporate

Fax Message [Caller-ID: 181999356]

You have received a 44 pages fax at Tue, 12 Feb 2013 05:10:03 +0100, (944)-095-3172.

* The reference number for this fax is [eFAX-101609258].

View attached fax using your Internet Browser.

________________________________________
© 2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

The malicious payload is at [donotclick]estipaindo.ru:8080/forum/links/column.php (report here) hosted on:

46.175.224.21 (Maxnet Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains can be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru
estipaindo.ru
emaianem.ru

Monday 11 February 2013

Something evil on 46.165.206.16

This is a little group of fake analytics sites containing malware (for example), hosted on 46.165.206.16 (Leaseweb, Germany). Sites listed in red have already been tagged by Google Safe Browsing diagnostics, presumably the others have stayed below the radar.

adstat150.com
cexstat20.com
katestat77.us
kmstat505.us
kmstat515.us
kmstat530.com
lmstat450.com
mptraf11.info
mptraf2.info
mxstat205.us
mxstat570.com
mxstat740.com
mxstat760.com
rxtraf25.ru
rxtraf26.ru
skeltds.us
vmstat100.com
vmstat120.com
vmstat140.com
vmstat210.com
vmstat230.com
vmstat320.com

NACHA Spam / albaperu.net

This fake NACHA spam leads to malware on albaperu.net:

Date:     Mon, 11 Feb 2013 11:39:03 -0500 [11:39:03 EST]
From:     ACH Network [reproachedwp41@direct.nacha.org]
Subject:     ACH Transfer canceled

Aborted transfer
The ACH process (ID: 838907191379), recently initiated from your checking account (by one of your account members), was reversed by the other financial institution.

Transaction ID:     838907191379
Reason of Cancellation     See detailed information in the despatch below
Transaction Detailed Report     RP838907191379.doc (Microsoft Word Document)



13150 Sunrise Drive, Suite 100 Herndon, VA 20172 (703) 561-1600

� 2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]albaperu.net/detects/case_offices.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following malicious domains are present on these IPs and should be blocked:
acctnmrxm.net
albaperu.net
asistyapipressta.com
capeinn.net
live-satellite-view.net
madcambodia.net
morepowetradersta.com
rebelldagsanet.com
uminteraktifcozumler.com

British Airways spam / epianokif.ru

This fake British Airways spam leads to malware on epianokif.ru:

Date:     Mon, 11 Feb 2013 11:30:39 +0330
From:     JamesTieszen@[victimdomain.com]
Subject:     British Airways E-ticket receipts
Attachments:     E-Ticket-N234922XM.htm

e-ticket receipt
Booking reference: DZ87548418
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)

Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 74665737. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.

If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The malicious payload is at [donotclick]epianokif.ru:8080/forum/links/column.php (report here) hosted on:

82.148.98.36 (Qatar Telecom, Qatar)
195.210.47.208 (PS Internet Company, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following malicious domains can also be seen on these IPs:
epianokif.ru
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
disownon.ru
epilarikko.ru
damagalko.ru
dumarianoko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
dfudont.ru

Something evil on 46.163.79.209

The following sites are connected with some ADP-themed malware that has been doing the rounds for the past few days. As far as I can tell, they are some sort of download server for this malware, hosted on 46.163.79.209 (Host Europe, Germany), it all looks quite nasty.

social-neos.eu
cloud.social-neos.eu
quest.social-neos.eu
archiv.social-neos.eu
eyon-neos.eu
international.eyon-neos.eu
ns.eyon-neos.eu
euroherz.eyon-neos.eu

The domains look like they might be legitimate onese that have been hijacked, nonetheless blocking them would be an excellent move.

"Support Center" spam / phticker.com

Not malware this time, but this fake "Support Center" spam leads to a fake pharma site at phticker.com:

Date:     Mon, 11 Feb 2013 06:13:52 -0700
From:     "Brinda Wimberly" [noreply@mdsconsulting.be]
Subject:     Support Center

    Welcome to Help Support Center

Hello,

You have been successfully registered in our Ticketing System

Please, login and check status of your ticket, or report new ticket here

See All tickets

Go To Profile

This message was sent to [redacted]. Should you have any questions, or if you believe that you have received this in error please contact us at support center.

The site appears to be clean from a malware perspective and is hosted on 171.25.190.246 (Verus AS, Latvia) along with these other fake pharma sites:

nislevitra.com
tablethealthipad.com
tivozanibkimedicine.com
marijuanarxmedicine.com
drugstorepharmacycenterline.com
medicalwelhealthcare.com
physicianslnesshealth.com
newhealthpharm.com
gokeyscan.com
medpillsprescription.com
wichigenerics.com
boschmeds.com
pillcarney.com
healthviagraobesity.com
pharmedicinehat.net
rxlevitrainc.eu
tabletdrugipad.eu
pillsphysicpharma.ru
xree.ru
lxie.ru
zeap.ru
tabspharmacytablets.ru
pillsmedicalsrx.ru
poey.ru
ongy.ru
phticker.com

Saturday 9 February 2013

ADP spam / 048575623_02082013.zip

This fake ADP spam comes with a malicious attachment:

Date:     Fri, 8 Feb 2013 18:26:05 +0100 [12:26:05 EST]
From:     "ops_invoice@adp.com" [ops_invoice@adp.com]
Subject:     ADP Payroll Invoice for week ending 02/08/2013 - 01647

Your ADP Payroll invoice for last week is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.

Thank you for choosing ADP Payroll.

Important: Please do not respond to this message. It comes from an unattended mailbox.

In this case there was a ZIP file called 048575623_02082013.zip (this may vary) with an attachment 048575623_02082013.exe designed to look like a PDF file.

VirusTotal identifies it as a Zbot variant. According to ThreatExpert, the malware attempts to connect to the following hosts:

eyon-neos.eu
quest.social-neos.eu
social-neos.eu

These may be legitimate hacked domains, but if you are seeing unexpected traffic going to them then it could be a Zbot indicator.

BBB Spam / madcambodia.net

This fake BBB spam leads to malware on madcambodia.net:

Date:     Fri, 8 Feb 2013 11:55:55 -0500 [11:55:55 EST]
From:     Better Business Bureau [notify@bbb.org]
Subject:     BBB details about your cliente's pretense ID 43C796S77

Better Business Bureau ©
Start With Trust ©

Thu, 7 Feb 2013

RE: Issue No. 43C796S77

[redacted]

The Better Business Bureau has been booked the above mentioned claim letter from one of your purchasers in respect of their business contacts with you. The detailed description of the consumer's concern are available for review at a link below. Please pay attention to this subject and let us know about your judgment as soon as possible.

We pleasantly ask you to visit the GRIEVANCE REPORT to reply on this claim.

We awaits to your prompt response.

Best regards
Luis Davis
Dispute Advisor
Better Business Bureau

Better Business Bureau
3073 Wilson Blvd, Suite 600 Arlington, VA 23501
Phone: 1 (703) 276.0100   Fax: 1 (703) 525.8277

This note was sent to [redacted]. Don't want to receive these emails anymore? You can unsubscribe

The malicious payload is at [donotclick]madcambodia.net/detects/review_complain.php (report here) hosted on:

175.121.229.209 (Hanaro Telecom, Korea)
198.144.191.50 (Chicago VPS, US)

The following domains appear to be active on these IPs:
madcambodia.net
acctnmrxm.net
capeinn.net
starsoftgroup.net
live-satellite-view.net
morepowetradersta.com