Dynamoo's Blog

Wednesday 20 February 2013

Something evil on 62.212.130.115

Something evil seems to be lurking on 62.212.130.115 (Xenosite, Netherlands) - a collection of sites connected with the Blackhole exploit kit, plus indications of evil subdomains of legitimate hacked sites. All-in-all, this IP is probably worth avoiding.

Firstly, there are the evil subomains that have a format like 104648746540365e.familyholidayaccommodation.co.za - these are mostly hijacked .co.za and .cl domains.

The following list contains the legitimate domains and IPs that appear to have been hijacked. Ones marked in red have been flagged as malicious by Google. Remember, these IPs are not evil, it is just the subdomains that are (on a different IP).

190.196.23.231 (clean)
sanjoselosandes.cl
liceomixto.cl
servicioseximia.cl
siitec.cl
sictral.cl
specialdetail.cl
sycabogados.cl

199.34.228.100 (clean)
delfinos.co.za

208.70.149.57 (clean)
cafehavana.co.za
destinationsunlimited.co.za
firearmlicence.co.za
dolceluce.co.za
firearmsafe.co.za
firearmlicense.co.za
familysuite.co.za
bolandparkhotel.co.za
gamesmodels.com
onthebeachjbay.com
disc-deals.com

The second bunch of domains appear to be connected with the Blackhole Exploit kit (according to this report) and can be assumed to be malicious, and are hosted on 62.212.130.115:

google-statistic.in
libola.com
minizip.org
msdbug.com
msrst.com
nlsdl.org
ntdsapi.com
ntmsdba.com
pifmgr.org
piparse.com
spam-rep-service.in

This third group are almost definitely malicious and are on the same server:

garmonyoy.eu
harmonyoy.eu
kinyng.ru
ntimage.net
ntmsapi.net
ntmsmgr.net
pastaoyto.eu
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru

The final group is where it gets messy. These are malicious subdomains that either are on (or have recently been on) 62.212.130.115. It looks like they are hardened against analysis, but they certainly shouldn't be here and can be assumed to be malicious too,

54fd8c9fa1abf2b5.firearmsafe.co.za
32464a746740345e.familysuite.co.za
fece86cc9b68c8761151711302121857a5da12fce1b0b.sanjoselosandes.cl
ba7562877f032c1d0160451302111347717339942fd25832980fc947bbaab6e.liceomixto.cl 104698f48570d66e01910213021108078ff41b00051a92fb8f.liceomixto.cl
897581b79c33cf2d016045130210212851378959885060ea5995f416222722b.liceomixto.cl
cd028570a864fb7a01402413021722022144552c318ce7cab9e09a0d2a6a8b5.cafehavana.co.za
23753bc716e345fd114110130218141121065128682695243c3a6e68eaa454c.destinationsunlimited.co.za
23753bc716e345fd119181130218123421084144fafd9a8a2ecee7c9e8a813d.destinationsunlimited.co.za
23753bc716e345fd.destinationsunlimited.co.za
fefd56cf7bfb28e501402413021916372140748bad59371eb615c227bcf6494.firearmlicence.co.za
fefd56cf7bfb28e50191851302191616816357255aa3a775d33e0e87031dabd.firearmlicence.co.za
efce974cba68e97601902413021819141134725bc512d95c3a3367364f60e7f.dolceluce.co.za
54fd8c9fa1abf2b50152021302192150218227543eacf3e65962cfa456e6742.firearmsafe.co.za
54fd8c9fa1abf2b50190551302192029115216056c76db44aa04bf200b3dd64.firearmsafe.co.za
54fd8c9fa1abf2b501511113021919479278009323500c592bf3b0a3e0e48b8.firearmsafe.co.za
54fd8c9fa1abf2b5115023130219202841813244c0634fe85c4f0d28b6001ac.firearmsafe.co.za
54fd8c9fa1abf2b511511113021920019153428450b973995f121f87d07597d.firearmsafe.co.za
54fd8c9fa1abf2b5019003130219205011588175e845eee9fba56981ef9762f.firearmsafe.co.za
54fd8c9fa1abf2b5019184130219200951610365d41a651918d996c2262265f.firearmsafe.co.za
1002a8108524d63a01411013021917377210805bc813254f0b52ddadc7a4fb6.firearmlicense.co.za
1002a8108524d63a0190861302191834518734754e1569db098dc04657268c7.firearmlicense.co.za
1002a8108524d63a015135130219171541448694b4a5ad611740bce908b41e9.firearmlicense.co.za
1002a8108524d63a01608613021918067148673452fc4f3b25e4a92991e388c.firearmlicense.co.za
32464a746740345e0140861302191352721746257b791a8cb29212692450169.familysuite.co.za
ab02b3809e94cd8a0141851302171831719273654b106add758c4d1ea448054.bolandparkhotel.co.za
fe3116d33bd768c9014185130217152321157054e238a5d15e6899e06b4a256.bolandparkhotel.co.za
ab02b3809e94cd8a014014130217181671594515d6908be7ac815a5c8aec9bd.bolandparkhotel.co.za
104648746540365e.familyholidayaccommodation.co.za
2375dba7f6b3a5ad01900313021810166108414bc5043b30fcbf6df10ac0d36.delfinos.co.za
2375dba7f6b3a5ad.delfinos.co.za
2375dba7f6b3a5ad1141101302181050617308286822211b6e41c16bae4a8ad.delfinos.co.za
104618a40570566e0190861302141716512521554e01e13647caa0d7585e0a2.servicioseximia.cl
104618a40570566e01608613021416261099221452fc4f3fddf44bf19ce67a3.servicioseximia.cl
cd46f5c4e810bb0e014029130214200431169736dd938489c7b1b51af4b6f74.servicioseximia.cl
cd46f5c4e810bb0e0142031302142008713472502551149f67b7bdb45a92f07.servicioseximia.cl
104618a40570566e019096130214190761242645133a051309afb24913257bb.servicioseximia.cl
104618a40570566e01900713021417086116022bad56157e487133b8039b0fb.servicioseximia.cl
104618a40570566e.servicioseximia.cl
dc8a5458498c1a92019024130215034191505755a15eef17404dfc7a914c407.siitec.cl
fe7596178bc3d8dd01515913021423367212073189eb0ffdcfd7bc050f5cc84.sictral.cl
fe7596178bc3d8dd01612913021501048032017adf505b4a51493df8d7e7e8b.sictral.cl
01ce199c04785766.specialdetail.cl
01ce199c047857661140151302151103607956789e2ef312e860b4529ed0fdc.specialdetail.cl
76fdbedfa36bf075014025130213175772228515fdfce25de6ebd91bd067892.sanjoselosandes.cl
23fdcb3fd68b859511416113021320291114120d5436e9454395fe51a4f8bd4.sanjoselosandes.cl
32fd2a6f37db64c501613813021307218103025988506029ed2c2b5c8df9915.sanjoselosandes.cl
5431bca3a167f27901604513021414306142650adf4cf112a9c89769565e055.sanjoselosandes.cl
45fdad0fb0abe3b5.sanjoselosandes.cl
54fdec0ff1cba2d5.sanjoselosandes.cl
23fdcb3fd68b859501612913021321298189883d812e2a7244210d47d2832e5.sanjoselosandes.cl
fece86cc9b68c876.sanjoselosandes.cl
dcceb41ca9a8fab6.sanjoselosandes.cl
98fd50bf4d1b1e05019086130212235552028805ddb0cd40d31dd927eda2037.sanjoselosandes.cl
76fdbedfa36bf07501916613021318165124581972ac37159baca15f93b3b48.sanjoselosandes.cl
23fdcb3fd68b859501916113021320155132506020b16ab30472c9a28008598.sanjoselosandes.cl
76fdbedfa36bf07501612913021318103106829d074104b45444a6bd90368bb.sanjoselosandes.cl
76fdbedfa36bf07501902413021317264126483b1287cb246f1c65418b6a03c.sanjoselosandes.cl
cd8a85e8984ccb5211409913021215378176886b2072dbee3d87f6b240713fd.sanjoselosandes.cl
ef46f7f4ea10b90e.sycabogados.cl
45b90ddb20ff73e1.disc-deals.com
89fd717f5c4b0f5511511113021922528294810b80d17e6193d54e6faa102d8.gamesmodels.com
89fd717f5c4b0f55014185130219223852203155b41df139190d76dfce35e2c.gamesmodels.com
89fd717f5c4b0f550151311302192250727293718c48e6c9eab856d51453cbe.gamesmodels.com
0102d920f434a72a.chinese.onthebeachjbay.com

USPS spam / USPS delivery failure report.zip

This fake USPS spam contains malware in an attachment called USPS delivery failure report.zip.

Date:     Wed, 20 Feb 2013 06:40:39 +0200 [02/19/13 23:40:39 EST]
From:     USPS client manager Michael Brewer [reports@usps.com]
Subject:     USPS delivery failure report

USPS notification

Our company’s courier couldn’t make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: KnoxvilleFort
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: M1PZN6BI4F
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $8.26 for each day of keeping of it.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

The attachment is double-zipped, presumably to try to evade virus and content scanners. Opening it extracts another ZIP file called USPS report id 943577924988734.zip which contains another file called USPS report id 943577924988734.exe.

The VirusTotal detections for this are patchy and fairly generic. Automated analysis tools are pretty inconclusive when it comes to the payload, although if you are trying to clean it up then starting with HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched (which is set to "C:\Documents and Settings\All Users\svchost.exe") is probably a good start.

Tuesday 19 February 2013

Cyberbunker fake pharma spam / 84.22.104.123

Crime-friendly host Cyberbunker strikes again, this time hosting more fake pharma sites on 84.22.104.123, being promoted through this suspicious looking spam:

Date:     Tue, 19 Feb 2013 22:58:26 +0000 (GMT)
From:     Apple [noreply@bellona.wg.saar.de]
To:     [redacted]
Subject:     Your Apple ID was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5


Dear Customer,
Your Apple ID ([redacted]) was used to sign in to FaceTime, iCloud, and iMessage on an iPhone 5.
If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn More.

Privacy Policy
Copyright 2013 Apple Inc. 1 Infinite Loop, Cupertino CA 95014 - All Rights Reserved.

The spam has a link to an illegally hacked legitimate site that then bounces to drugstorepillstablets.ru hosted on 84.22.104.123 along with these following spammy sites:

medicalhealthcaretab.com
washealthcare.com
presenthiring.com
prescriptionfiscal.com
salelindahl.com
pillcarney.com
healthviagraobesity.com
sdewyuvze.net
lxie.ru
ongy.ru
drugstorepillstablets.ru

Cyberbunker is nothing but bad news. Blocking 84.22.96.0/19 is an exceptionally good idea.

Something evil on 74.208.148.35

Spotted by the good folks at GFI Labs here, here and here are several Canadian domains on the same server, 74.208.148.35 (1&1, US):

justcateringfoodservices.com
dontgetcaught.ca
blog.ritual.ca
lumberlandnorth.com

Obviously, there's some sort of server-level compromise here. Blocking access to 74.208.148.35 will give some protection against several very active malicious spam campaigns.

UPS Spam / emmmhhh.ru

The spammers sending this stuff out always confuse UPS with USPS, this one is not exception although on balance it is more UPS than USPS.. anyway, it leads to malware on emmmhhh.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Valda Gill via LinkedIn
Sent: 19 February 2013 10:00
Subject: United Postal Service Tracking Nr. H9878032462

You can use UPS .COM to:
Ship Online
Schedule a Pickup
Open a UPS .COM Account


Welcome to UPS Team
Hi, [redacted].

DEAR CUSTOMER , We were not able to delivery the post package

PLEASE PRINT OUT THE INVOICE COPY ATTACHED AND COLLECT THE PACKAGE AT OUR DEPARTMENT.

With best regards , UPS Customer Services.

    ________________________________________
Copyright 2011 United Parcel Service of America, Inc. Your USPS .us Customer Services, the Your USPS Team brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
Please do not reply directly to this e-mail. USPS .us Customer Services will not receive any reply message. For questions or comments, visit Contact UPS.
We understand the importance of privacy to our customers. For more information, please consult the Your USPS Customer Services Privacy Policy.
This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.

There is an attachment UPS_ID5408466.htm which attempts to direct visitors to [donotclick]emmmhhh.ru:8080/forum/links/column.php hosted on:

50.31.1.104 (Steadfast Networks, US)
66.249.23.64 (Endurance International, US)
195.210.47.208 (PS Internet Company, Kazakhstan)

The following IPs and domains are all malicious and should be blocked:
50.31.1.104
66.249.23.64
195.210.47.208
efjjdopkam.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru

Something evil on 67.208.74.71

67.208.74.71 (Inforelay, US) is a parking IP with several thousand IPs hosted on it. However, it also includes a large number of malicious sites using Dynamic DNS servces. Some of these sites have recently moved from the server mentioned here.

Probably most of the sites on this server are legitimate and blocking access to it might cause some problems. However, you can block most of these malicious domains by targeting the Dynamic DNS domain, the bulk of which are as follows:

assexyas.com
athersite.com
byinter.net
findhere.org
isgre.at
isthebe.st
kwik.to
lookin.at
lowestprices.at
myfw.us
myredirect.us
onmypc.info
onmypc.org
onthenetas.com
ontheweb.nu
passinggas.net
rr.nu

You can find a copy of the domains, IPs, WOT ratings and Google prognosis here [csv].

These following domains are hosted on 67.208.74.71 and are listed as malicious by Google's Safe Browsing Diagnostics:

govgrantstodays.assexyas.com
kqenc.assexyas.com
tesyf.assexyas.com
athersite.com
qezwdz.athersite.com
tdbnsc.athersite.com
www1.safeqwcleanerdm.athersite.com
www1.simple-ozfgsecurity.athersite.com
dnwswurowz.byinter.net
kcshhdvqzmte.byinter.net
mhlswzmqpe.byinter.net
oorkaibadtb.byinter.net
wonfhujmel.byinter.net
ztmgyzknjpf.byinter.net
cmvwixzxhl.findhere.org
dhyaugqmbgwm.findhere.org
gkqqujqsd.findhere.org
lvindkiys.findhere.org
lyfxhiyza.findhere.org
pvhetiozstg.findhere.org
tdtxohbjbvzx.findhere.org
thgdtujicjtq.findhere.org
ueuvjqhvao.findhere.org
wcnnrcjgb.findhere.org
free-ddddsex-ddddpasswords.isthebe.st
free-dsex-dpasswords.isthebe.st
index.isthebe.st
radiomangalia.isthebe.st
asfqphphk.kwik.to
gebofuoautl.kwik.to
lqlonqihgkco.kwik.to
mowkespvffn.kwik.to
nbnezaszei.kwik.to
qmgplmfyibh.kwik.to
ydsjveyfjr.kwik.to
rrmoymcqskq.lookin.at
htrxcytvfmhg.lowestprices.at
aadhvxiftw.myfw.us
abtqgybicghr.myfw.us
ameyznosvam.myfw.us
amvgvvyasde.myfw.us
aokeufvoci.myfw.us
azddoalylxsn.myfw.us
azojgzmnj.myfw.us
bkhrwvxblnm.myfw.us
caedvkkimck.myfw.us
cbqlthvefhv.myfw.us
ckvwoajjjg.myfw.us
crmnfeeooft.myfw.us
csllshncxdu.myfw.us
cudthmeyl.myfw.us
cwvmtudybwvr.myfw.us
dfredwpcun.myfw.us
dnbdjddrvwl.myfw.us
dsublegejzg.myfw.us
ebgilaznkcxa.myfw.us
ebhiacfkaddk.myfw.us
eepyofqzl.myfw.us
eivxprpbemv.myfw.us
ejyffxuookfi.myfw.us
eldttmawnvt.myfw.us
elfncrfubk.myfw.us
eprlccywb.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
esuifzeipsz.myfw.us
euhhmufug.myfw.us
ewvwzpiqw.myfw.us
eyefvnzwoyg.myfw.us
ezphudgyyjy.myfw.us
femtpvrvr.myfw.us
feutgqoyxc.myfw.us
fowgvslqqvgf.myfw.us
fugqgxxuiwe.myfw.us
gbptzyqhoc.myfw.us
gmnmwmuhf.myfw.us
gohvjgbrplkm.myfw.us
gvbxwmicjvq.myfw.us
gyuaowfnlrw.myfw.us
hcdazkdqlvci.myfw.us
hcwryplhc.myfw.us
hfkfeuqfvzf.myfw.us
hhifsoine.myfw.us
hhzlhizlbil.myfw.us
hqzgrwmorws.myfw.us
hvdkdcgae.myfw.us
hwmhlbscbs.myfw.us
hxlxxaqntaxb.myfw.us
idjgpnkmaj.myfw.us
isdrjerrd.myfw.us
itzpsmkbyabo.myfw.us
jebrglmzye.myfw.us
jeyqstlybz.myfw.us
jjfzmzfkoky.myfw.us
jjxhjygwcnln.myfw.us
jmmbspisw.myfw.us
jspyaaqfuj.myfw.us
jugfzxlitus.myfw.us
jumzijibbh.myfw.us
jybvhfvfhwu.myfw.us
kbahixlxpe.myfw.us
kqpaxhumj.myfw.us
ktxxlgwgze.myfw.us
kwjgjnmmcu.myfw.us
ljszveihhqb.myfw.us
lswgpbvvkukx.myfw.us
lsxswsgka.myfw.us
lwztritpzuvl.myfw.us
mibgbbbwioml.myfw.us
miptvfzufwal.myfw.us
mldtdbsoko.myfw.us
mqqpwxjlf.myfw.us
mrqmsbqrdkvk.myfw.us
mydvonyeagt.myfw.us
ngcfuanjtm.myfw.us
nsnybecste.myfw.us
nvkdyjhplpo.myfw.us
okctxkxny.myfw.us
ookzctlfazdl.myfw.us
oqlupounl.myfw.us
orownhbgn.myfw.us
oxegwgflld.myfw.us
pbvmirnwk.myfw.us
phibmvaqsap.myfw.us
phvcbflqrsbo.myfw.us
qeavazuugk.myfw.us
qhbkyfehpbzi.myfw.us
qivtnqqxjnp.myfw.us
qlhkccfosm.myfw.us
qyjkiuopo.myfw.us
rexewmyxgl.myfw.us
rjrzcrswqhl.myfw.us
rjytkixbfjxkk.myfw.us
rqjghacecazb.myfw.us
rwdpuifin.myfw.us
rynucqapeinv.myfw.us
sqazmgapz.myfw.us
sqqqrsnozlgj.myfw.us
srutebmduoh.myfw.us
sslqlwitv.myfw.us
tevrntjkrl.myfw.us
tsxwbywjwdm.myfw.us
tuobdghfp.myfw.us
tvodqreyyyh.myfw.us
ujzkfdpdf.myfw.us
ukwwwhkamh.myfw.us
wbynflhapl.myfw.us
weapwihjpu.myfw.us
whxszkeaot.myfw.us
wigfdfuvps.myfw.us
wpddnjknrn.myfw.us
wpvhiedhnzxs.myfw.us
wtgylzokmsyd.myfw.us
xiudvllnl.myfw.us
ybzwfyvadq.myfw.us
yowbgyyykemw.myfw.us
yrhamrfrzk.myfw.us
ywzjvqssv.myfw.us
yxbbvktub.myfw.us
yxkgtyqmz.myfw.us
yznafipqmd.myfw.us
zqruajfsgir.myfw.us
zwzfvpxksyx.myfw.us
zzjsujpstcsx.myfw.us
ryeyymburbyr.myredirect.us
twenbrmndfui.myredirect.us
zfhbsvcererr.myredirect.us
btwosfunny.onthenetas.com
xfinity-dddddddddddddddddddddddddddddddzimbra.onthenetas.com
xfinity-dddddddddddddddddddzimbra.onthenetas.com
forehmailywt.ontheweb.nu
hahasfunnyfb.ontheweb.nu
lhixjcdtgypr.ontheweb.nu
pornogratis.ontheweb.nu
pwvmochqwb.ontheweb.nu
qlphivcmm.ontheweb.nu
uhjqzvcjfmb.ontheweb.nu
ohchr.passas.us
mysignin-ddddddddddddddddddddddddddddddddddddddddddcomcast.passinggas.net
passinggas.net
andsto57cksstar.rr.nu
cha39nce.rr.nu
chelpo94landsa.rr.nu
dahfugwhsmzi.rr.nu
deunce68rtaint.rr.nu
its53new.rr.nu
jarujtltg.rr.nu
lasimp04risoned.rr.nu
nabwpjdola.rr.nu
nytndbssyrtkjuykiryu7.rr.nu
ssbo98omin.rr.nu
tenin58gaccel.rr.nu
tentsf05luxfig.rr.nu
jsngupdwxeoa.uglyas.com

These domains are hosted on 67.208.74.71 and are not flagged by Google, but almost all have a poor WOT reputation and are very likely to be malicious:

skidka-ddddd90.bestdeals.at
ensac.byinter.net
safe-defensehrm.byinter.net
combo-dddddddddddddddddddd04-ddddddddddddddddddddkarla.findhere.org
daphne-d52full.findhere.org
mabjdawzaqw.findhere.org
netnummers.findhere.org
nqonet.findhere.org
odiwmklhah.findhere.org
www2.first-ozsoft.findhere.org
xcnyyj7973.findhere.org
ycqtxsac62.findhere.org
215.isgre.at
power-dddfiarmy.isgre.at
ab-din.kwik.to
ag-in.kwik.to
confirm.content.files.internet.secure.access.go.kwik.to
confirm.content.files.internet.secure.access.goto.kwik.to
ksarefunny.kwik.to
media.secure.sites.acc.portal00.kwik.to
media.secure.sites.acc.portal0002.kwik.to
media.secure.sites.acc.portal001.kwik.to
media.secure.sites.acc.portal003.kwik.to
newess.kwik.to
portal00.kwik.to
www2.safeyg-sentinel.kwik.to
www2.strongsoftyc.kwik.to
ebzryeaba.lookin.at
game.lookin.at
gdz-dddddddatanasyan.lookin.at
ru-drabota.lookin.at
skidka-dvsem.lookin.at
teiinxdpe.lookin.at
wett-dddwendy.lookin.at
what.are-you.lookin.at
wyoqdaeru.lookin.at
iuntrbtyvstbn.lowestprices.at
mof-ddddddddddddddddddddddddddweb.lowestprices.at
mof-ddweb.lowestprices.at
aggwgeskrby.myfw.us
htawhcgamvq.myfw.us
jtzxmudxtno.myfw.us
mexico.activa.myfw.us
michelemontas.myfw.us
pjkcyvzcyz.myfw.us
savejtxv-sentinel.myfw.us
secure4.lac.enroll.mexico.myfw.us
umbbwtcler.myfw.us
www2.simplehircantivir.myfw.us
xglzbowlmuco.myfw.us
9999992099.rr.nu
asin54grepl.rr.nu
mila.kat.sexyphoto.athersite.comkede.rr.nu
ossnyfpkag.rr.nu
ourae.rr.nu
pcnews.rr.nu
personalhvrsecurity.rr.nu
pimping.gangsta-paradise.rr.nu
rrrrrrrrrr.rr.nu
save-antivirchecker.rr.nu
topsentinelet.rr.nu
vpnfx-d001.rr.nu
www1.mystemguard.rr.nu
www1.personal-antivirgwg.rr.nu
www3.netsurfingprotectionwe.rr.nu

These sites appear to have been hosted recently on 67.208.74.71 and are flagged as malware by Google, but are not resolving at present:

aotztod.almostmy.com
ueizqnm.changeip.name
jakrcr.changeip.org
fgzsnergle.compress.to
fmmrlp.ddns.name
gyomtcnzc.dhcp.biz
gifqravi.dnsrd.com
ydrehhvgjz.ezua.com
rawvgbygj.gr8name.biz
sspmrwli.jkub.com
slnpqel.lflinkup.org
ywtxkebtx.ns01.info
wjbluj.ns01.us
hurocozr.onedumb.com
rmvpfdg.onmypc.info
qhtqqtxqua.onmypc.org
cejkopsbv.port25.biz
efdghpug.sexxxy.biz
ttenmxqq.vizvaz.com
iselktnfo.xxxy.info

These domains appear to have been recently hosted on 67.208.74.71, are not flagged as malicious by Google but are nonetheless suspect.

uzdknpz.4dq.com
zzxvxyi.mydad.info
blur.rr.nu
org.rr.nu
axyaqb.xxuz.com

Friday 15 February 2013

Wire transfer spam / 202.72.245.146

This fake wire transfer spam leads to malware on 202.72.245.146:

Date:     Fri, 15 Feb 2013 07:24:40 -0500
From:     Tasha Rosenthal via LinkedIn [member@linkedin.com]
Subject:     RE: Wire transfer cancelled

Good day,

Wire Transfer was canceled by the other bank.

Canceled transaction:

FED NR: 94813904RE5666838

Transfer Report: View

The Federal Reserve Wire Network

The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/public_version.php (Railcom, Mongolia) (report here) which is a well-known malicious IP that you should definitely block if you can.

Update: there is also a "Scan from a HP ScanJet #841548" spam for the same IP, sending victims to [donotclick]202.72.245.146:8080/forum/links/column.php

"Cum Avenue" IRS Spam / azsocseclawyer.net

This fake IRS spam (from an office on "Cum Avenue"!) actually leads to malware on azsocseclawyer.net:

Date:     Fri, 15 Feb 2013 09:47:25 -0500
From:     Internal Revenue Service [ahabfya196@etax.irs.gov]
Subject:     pecuniary penalty for delay of tax return filling

Herewith we are informing you that you are required to pay a surcharge for not filling the income tax return prior to January 31.

Please note that IRS Section 7117-F-8 specifies a money penalty of $2.000 for each Form 479 that is filled later than deadline for filling the income tax return or does not contain the exhaustive information described in 7117-F-8.

You will be released from the pecuniary penalty when the taxpayer shows that the failure to file was caused by substantial reason.

Please visit official website for more information

Internal Revenue Services United States, Department of Treasury
Ap #822-9450 Cum Avenue
Hours of Operation: Monday-Friday, 11:30AM - 16:30PM your local time.

The malicious payload is at [donotclick]azsocseclawyer.net/detects/necessary_documenting_broadcasts-sensitive.php (report here) hosted on:

77.241.192.47 (VPSNET, Lithunia)
175.121.229.209 (Hanaro Telecom, Korea)

The following domains are currently visible on those IPs are should be regarded as malicious:
albaperu.net
azsocseclawyer.net
derdondetes.com
dressaytam.net
estudienteyo.com
extuderbest.com
madcambodia.net
micropowerboating.net
mochentopen.com
theatreli.net
thedigidares.net

Malware sites to block 15/2/13

A set of malware sites.. or I think two sets of malware sites that you might want to block. The .ru domains are connected with this botnet, a second set of sites seem to be something else malicious. Both groups of sites are connected by a server at 142.0.45.27 (Volumedrive, US) which may be a C&C server. Interested parties might want to poke at the server a bit..

As a bonus, these are the IPs that I can find connected with the .ru botnet that I have collected over the past few days. Some of them are dynamic, but it might be a starting point if anyone wants to poke at that botnet a bit more.

actuallywebdav.biz
adoptionarchive.org
adscard.net
adsknoll.net
adsmonsterslda.me
adsmonsterslda.net
adspolis.net
adsspark.com
adstimes.net
adstown.net
akon342.info
apolonq3.info
arenthis.org
bigtimetcpip.org
booksdesk.org
bounceeleven.biz
carambala.com
casesswooshpretty.net
classifyipchains.biz
columnheavyhanded.org
competingopts.biz
conaninefficiently.biz
confickerclones.com
cuxystaf.ru
dlnabeta.org
efisamil.ru
enjoycapacious.org
exciifun.ru
extcg.org
eyefulconcern.com
fan.ysb3.net
fesdrtfgfddsadsa.homelinux.com
filesforretail.org
gazzuxiz.ru
greatville.org
huaxydpa.ru
hudsfjfdsueofakl.homelinux.com
ifdependable.org
ifkyxdys.ru
img.handyworksfl.com
img.sppta.org
iqkibbuz.ru
ivqojsaj.ru
kamisca.com
kejfhtee.cu.cc
kemalxun.ru
koldpsaofdkdlsa.homelinux.com
kopsakfdsasew.homelinux.com
languageinads.com
languageinads.net
lebowskiappcentric.org
libertynetsgums.info
limminglory.net
lisybsij.ru
live.28356365.com
lowerqualitydocstac.in
milioneer.com
missiledongle.biz
modesthalfempty.org
moneysfilegon.net
navaten.tk
netingsixform.net
nobuaudiophile.org
offensivesimple.biz
ohvelzym.ru
partyharddns.com
performingspinoffs.org
pipelivemotion.biz
pyncegok.ru
resendfold.biz
safelyplayback.biz
sedikivu.tk
startstracker.info
syllablesshrinkwrap.org
syrjikhe.ru
techntitus.com
touristdefinitions.biz
tracktighter.biz
upicampaign.com
usingthisxploreing.org
velvetnoret.com
vowakabo.tk
wontlogics.biz
wpw.bestgoodshop.info
www.aanoownsw.tld.cc
ybavwego.ru
ykmeffyw.ru
ylgoaxle.ru
yvxaghod.ru
zypvynas.ru

Thursday 14 February 2013

Intuit spam / epionkalom.ru

This fake Intuit spam leads to malware on epionkalom.ru:

Date:     Thu, 14 Feb 2013 09:05:48 -0500
From:     "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:     Payroll Account Holded by Intuit

Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Thu, 14 Feb 2013 09:05:48 -0500.

    Finances would be gone away from below account # ending in 2317 on Thu, 14 Feb 2013 09:05:48 -0500
    amount to be seceded: 2246 USD
    Paychecks would be procrastinated to your personnel accounts on: Thu, 14 Feb 2013 09:05:48 -0500
    Log In to Review Operation

Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]epionkalom.ru:8080/forum/links/column.php hosted on a bunch of IP addresses that we have seen many, many times before:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / 202.72.245.146

This fake printer spam leads to malware on 202.72.245.146:

Date:     Thu, 14 Feb 2013 10:10:56 +0000
From:     AntonioShapard@hotmail.com
Subject:     Fwd: Re: Scan from a Hewlett-Packard ScanJet #6293
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-32347P.

SENT BY : TRISH
PAGES : 3
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

=================

Date:     Thu, 14 Feb 2013 06:07:00 -0800
From:     LinkedIn Password [password@linkedin.com]
Subject:     Fwd: Scan from a Hewlett-Packard ScanJet 83097855
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-775861P.

SENT BY : CARLINE
PAGES : 4
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The malicious payload is on [donotclick]202.72.245.146:8080/forum/links/column.php (report here) which is a familiar IP address belonging to Railcom in Mongolia. The following malicious websites are also active on the same server:
enakinukia.ru
dekamerionka.ru
evskindarka.ru
exibonapa.ru
esigbsoahd.ru
dmssmgf.ru
epianokif.ru
elistof.ru
dmpsonthh.ru
esekundi.ru
egihurinak.ru
exiansik.ru
ewinhdutik.ru
efjjdopkam.ru
eipuonam.ru
emaianem.ru
disownon.ru
estipaindo.ru
ejiposhhgio.ru
epilarikko.ru
damagalko.ru
emalenoko.ru
epiratko.ru
evujalo.ru
bananamamor.ru
eminakotpr.ru
dfudont.ru

"Copies of policies" spam / ewinhdutik.ru

This spam leads to malware on ewinhdutik.ru:

Date:     Thu, 14 Feb 2013 07:16:28 -0500
From:     "Korbin BERG" [ConnorAlmeida@telia.com]
Subject:     RE: Korbin - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Korbin BERG,

======================

Date:     Thu, 14 Feb 2013 03:30:52 +0530
From:     Tagged [Tagged@taggedmail.com]
Subject:     RE: KESHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

KESHIA LEVINE,

The malicious payload is at [donotclick]ewinhdutik.ru:8080/forum/links/column.php (report here) hosted on the same IP addresses as this attack we saw earlier.

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

HP ScanJet spam / eipuonam.ru

This fake printer spam leads to malware on eipuonam.ru:

Date:     Thu, 14 Feb 2013 -02:00:50 -0800
From:     "Xanga" [noreply@xanga.com]
Subject:     Fwd: Scan from a HP ScanJet #72551
Attachments:     HP_Document.htm

Attached document was scanned and sent

to you using a HP A-39329P.

SENT BY : Ingrid
PAGES : 0
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]

The attachment HP_Document.htm contains a script that attempts to direct visitors to [donotclick]eipuonam.ru:8080/forum/links/column.php (report here) hosted on:

91.121.57.231 (OVH, France)
195.210.47.208 (PS Internet, Kazakhstan)
202.72.245.146 (Railcom, Mongolia)

The following IPs and sites should be blocked:
91.121.57.231
195.210.47.208
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
efjjdopkam.ru
egihurinak.ru
eipuonam.ru
ejiposhhgio.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Something evil on 92.63.105.23

Looks like a nasty infestion of Blackhole is lurking on 92.63.105.23 (TheFirst-RU, Russia) - see an example of the nastiness here (this link is safe to click!). The following domains are present on this address, although there are probably more.

ueizqnm.changeip.name
fmmrlp.ddns.name
qhtqqtxqua.onmypc.org
jakrcr.changeip.org
slnpqel.lflinkup.org
ydrehhvgjz.ezua.com
hurocozr.onedumb.com
sspmrwli.jkub.com
gifqravi.dnsrd.com
uzdknpz.4dq.com
aotztod.almostmy.com
ttenmxqq.vizvaz.com
axyaqb.xxuz.com
ywtxkebtx.ns01.info
rmvpfdg.onmypc.info
zzxvxyi.mydad.info
iselktnfo.xxxy.info
fgzsnergle.compress.to
wjbluj.ns01.us
yxbbvktub.myfw.us
hxlxxaqntaxb.myfw.us
rqjghacecazb.myfw.us
oxegwgflld.myfw.us
hvdkdcgae.myfw.us
hhifsoine.myfw.us
nsnybecste.myfw.us
jebrglmzye.myfw.us
fowgvslqqvgf.myfw.us
mqqpwxjlf.myfw.us
hfkfeuqfvzf.myfw.us
ukwwwhkamh.myfw.us
tvodqreyyyh.myfw.us
aokeufvoci.myfw.us
ejyffxuookfi.myfw.us
qhbkyfehpbzi.myfw.us
idjgpnkmaj.myfw.us
sqqqrsnozlgj.myfw.us
kqpaxhumj.myfw.us
elfncrfubk.myfw.us
qeavazuugk.myfw.us
pbvmirnwk.myfw.us
miptvfzufwal.myfw.us
ookzctlfazdl.myfw.us
rjrzcrswqhl.myfw.us
hhzlhizlbil.myfw.us
lwztritpzuvl.myfw.us
erlsgwzbgwl.myfw.us
eslwbgkgyqhm.myfw.us
bkhrwvxblnm.myfw.us
ngcfuanjtm.myfw.us
orownhbgn.myfw.us
rwdpuifin.myfw.us
jjxhjygwcnln.myfw.us
azddoalylxsn.myfw.us
dfredwpcun.myfw.us
xglzbowlmuco.myfw.us
jtzxmudxtno.myfw.us
phibmvaqsap.myfw.us
tuobdghfp.myfw.us
ybzwfyvadq.myfw.us
gvbxwmicjvq.myfw.us
abtqgybicghr.myfw.us
hqzgrwmorws.myfw.us
kwjgjnmmcu.myfw.us
csllshncxdu.myfw.us
cbqlthvefhv.myfw.us
eivxprpbemv.myfw.us
yowbgyyykemw.myfw.us
jmmbspisw.myfw.us
aadhvxiftw.myfw.us
lswgpbvvkukx.myfw.us
zwzfvpxksyx.myfw.us
aggwgeskrby.myfw.us
jjfzmzfkoky.myfw.us
okctxkxny.myfw.us
jeyqstlybz.myfw.us
yxkgtyqmz.myfw.us
sqazmgapz.myfw.us
esuifzeipsz.myfw.us
pjkcyvzcyz.myfw.us
cejkopsbv.port25.biz
rawvgbygj.gr8name.biz
gyomtcnzc.dhcp.biz
efdghpug.sexxxy.biz

Wednesday 13 February 2013

"First Foundation Bank Secure Email Notification" spam

It looks a bit like a phish, but this "First Foundation Bank Secure Email Notification" spam has a ZIP file that leads to malware:

Date:     Wed, 13 Feb 2013 20:08:46 +0200 [13:08:46 EST]
From:     FF-inc Secure Notification [secure.notification@ff-inc.com]
Subject:     First Foundation Bank Secure Email Notification - 94JIMEEQ

You have received a secure message

Read your secure message by opening the attachment, secure_mail_94JIMEEQ. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.795.7643.

2000-2013 First Foundation Inc. All rights reserved.

Attached is a file called secure_mail_94JIMEEQ.zip which expands into.. well, nothing good.. a file called secure_mail_{_Case_DIG}.exe with an icon that is meant to disguise it as an Acrobat file.

VirusTotal detection rates are just 15/45 and the malware is resistant to analysis. Incidentally, emailing mobile@res.ff-inc.com just generates a failure message. Avoid.

NACHA spam / eminakotpr.ru

More fake NACHA spam, this time leading to malware on eminakotpr.ru:

Date:     Wed, 13 Feb 2013 05:24:26 +0530
From:     "ACH Network" [risk-management@nacha.org]
Subject:     Re: Fwd: ACH Transfer rejected

The ACH transaction, initiated from your checking acc., was canceled.

Canceled transfer:

Transfer ID: FE-65426265630US

Transaction Report: View

August BLUE

NACHA - The National Automated Clearing House Association

The malicious payload is at [donotclick]eminakotpr.ru:8080/forum/links/column.php hosted on:

46.175.224.21 (MAXNET Lukasz Hamerski, Poland)
91.121.57.231 (OVH, France)
202.72.245.146 (Railcom, Mongolia)

The following IPs and domains are all related and should be blocked:
46.175.224.21
91.121.57.231
202.72.245.146
bananamamor.ru
damagalko.ru
dekamerionka.ru
dfudont.ru
disownon.ru
dmpsonthh.ru
dmssmgf.ru
dumarianoko.ru
egihurinak.ru
elistof.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
enakinukia.ru
epianokif.ru
epilarikko.ru
epiratko.ru
esekundi.ru
esigbsoahd.ru
estipaindo.ru
evskindarka.ru
evujalo.ru
exiansik.ru
exibonapa.ru

Malware sites to block 13/2/13

These malicious sites appear to be part of a Waledac botnet. I haven't had much time to analyse what exactly what it going on, but here is one example from [donotclick]merwiqca.ru/nothing.exe: URLquery, VirusTotal, Comodo CAMAS, ThreatExpert.

I'm still working on IP addresses (there are a LOT), but these are the domains that I have managed to identify.. it is probably not an exhaustive list though.

afxeftof.ru
ahtiagge.ru
ajgijuap.ru
amxylkap.ru
apnifosa.ru
aqqajofi.ru
atxembef.ru
awetefid.ru
azvaebyn.ru
bakuzbuq.ru
bangurec.ru
bowbiluk.ru
bugfivin.ru
citpoloj.ru
copapjid.ru
didcufun.ru
dikojnah.ru
diqnawug.ru
diteqciq.ru
dubfoluc.ru
dohjapju.ru
dufyhive.ru
dyrzaqfu.ru
dyxketam.ru
ecrihgep.ru
egygumlo.ru
epejanhi.ru
ewenhugi.ru
fachejyp.ru
fawsilom.ru
fedvojvy.ru
fytfotlo.ru
gegwikaf.ru
guphumsa.ru
gybebeho.ru
gyvolnac.ru
gywquroz.ru
hikutcur.ru
ikbyznod.ru
ixfocgaf.ru
jiwviqpa.ru
jizugqux.ru
joljihuk.ru
junedles.ru
jureetse.ru
lafdamow.ru
linsubby.ru
linyaqor.ru
liwmiccu.ru
liwuwquh.ru
merwiqca.ru
narzoquc.ru
nozwyhvi.ru
nylzudwo.ru
nypmivhy.ru
nyzvelew.ru
ocbiccan.ru
ojvectyk.ru
ophirjih.ru
owideker.ru
papcybop.ru
pegkowoz.ru
picifcym.ru
pypwalve.ru
qiqwoxki.ru
qysmahku.ru
qysriloh.ru
rabpabyr.ru
racapsyq.ru
raguhloc.ru
rehvuwib.ru
rulwusyc.ru
secegbiw.ru
sedfibyr.ru
soduvnec.ru
solhusny.ru
sumjecyg.ru
syofzaim.ru
tijenric.ru
todqenym.ru
towmidar.ru
tubtihiv.ru
tunzovnu.ru
ugnyspyr.ru
vacrajak.ru
vehyfgor.ru
viackipa.ru
vibewpav.ru
voxyqjyc.ru
wowrizep.ru
xitydjeg.ru
xyjiekfe.ru
ypvudhek.ru
zazzeqan.ru
zehyqjol.ru
zempakiv.ru
zyqutfeb.ru
fpyyb.axcakqif.ru
gipwf7i.zempakiv.ru
gkca7nkr.tyryfpix.ru
boomsco.com
larstor.com
newrect.com

NACHA spam / thedigidares.net

This fake NACHA spam leads to malware on thedigidares.net:

Date:     Wed, 13 Feb 2013 12:10:27 +0000
From:     " NACHA" [limbon@direct.nacha.org]
Subject:     Aborted transfer

Canceled transaction
The ACH process (ID: 648919687408), recently sent from your bank account (by you), was canceled by the other financial institution.

Transaction ID:     648919687408
Cancellation Reason     Review additional info in the statement below
Transaction Detailed Report     Report_648919687408.xls (Microsoft/Open Office Word Document)

13150 Sunrise Street, Suite 100 Herndon, VA 20174 (703) 561-1200

� 2013 NACHA - The Electronic Payments Association

The malicious payload is at [donotclick]thedigidares.net/detects/irritating-crashed-registers.php (report here) hosted on:

134.74.14.98 (City College of New York, US)
175.121.229.209 (Hanaro Telecom, Korea)

The following IPs and domains are linked and should be blocked:
134.74.14.98
175.121.229.209
albaperu.net
capeinn.net
thedigidares.net
madcambodia.net
micropowerboating.net
dressaytam.net
acctnmrxm.net
albaperu.net
live-satellite-view.net
dressaytam.net

Tuesday 12 February 2013

Something evil on 192.81.129.219

It looks like there's a nasty case of the Blackhole Exploit kit on 192.81.129.219 (see example). The IP is controlled by Linode in the US who have been a bit quiet recently. Here are the active domains that I can identify on this IP:

17.soldatna.com
17.coloryourpatiowholesale.com
17.silvascape.com
17.dcnwire.com
17.canyonturf.com
17.kdebug.com
17.soldatnacapital.com
17.swvmail.com
17.drycanyon.com
17.wolfmountaingroup.com
17.designerbiochar.com
17.easygardencolor.com
17.devicelogics.com
17.springwoodventures.com
17.designersoils.com
17.drdos.com
17.wolfmountainproducts.com
17.soldatnainvestments.com
17.themulchpit.com
17.soleradevelopment.com
17.silvasport.com
17.scenicdesign.us
17.dailyexpress.us
17.canyonturf.net
17.southwesttelecom.net
17.wlfmtn.net
17.coloryourpatio.net
17.designersoils.net
17.scenicdesign.biz

Changelog spam / emaianem.ru

This changelog spam leads to malware on emaianem.ru:

Date:     Tue, 12 Feb 2013 09:11:11 +0200
From:     LinkedIn Password [password@linkedin.com]
Subject:     Re: Changlog 10.2011

Good day,

changelog update - View

L. KIRKLAND

=================

Date:     Tue, 12 Feb 2013 05:14:54 -0600
From:     LinkedIn [welcome@linkedin.com]
Subject:     Fwd: Re: Changelog as promised(updated)

Good morning,

as prmised updated changelog - View

L. AGUILAR

The malicious payload is at [donotclick]emaianem.ru:8080/forum/links/column.php and is hosted on the same servers as found here.