Sponsored by..

Tuesday, 28 May 2013

fab.com spam

[Via the WeAreSpammers blog]

I've never heard of fab.com before, but online comments are very negative.  Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab.com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab.com on 184.73.196.153 (Amazon.com, US). Avoid.

From: Fab [info@eu.fab.com]
To: donotemail@wearespammers.com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx@gmail.com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru.com
Signed by: eu.fab.com

 
         

If you are unable to see this message, click here to viewTo ensure delivery to your inbox, please add info@eu.fab.com to your address book.

Smile,

Great News!donotemail@wearespammers.com
Here's your exclusive invite from jenotsxx@gmail.com to join FabFab provides daily design inspirations and sales from the world's leading designers at prices up to 70% off retail.









About Help Contact Us Return Policy Shipping Terms Privacy tw fb

Monday, 27 May 2013

Citibank spam / Statement 57-27-05-2013.zip

This fake Citibank email has a malicious attachment:

Date:      Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From:      Millard Hinton [leftoverss75@gmail.com]
Subject:      Merchant Statement

Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 

The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis is that this is a Zbot variant.

For the record, these are the checksums involved:
MD50bbf809dc46ed5d6c9f1774b13521e72
SHA19a50fa08e71711d26d86f34d8179f87757a88fa8
SHA25600b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

Friday, 24 May 2013

Chase "Incoming Wire Transfer" spam / incoming_wire_05242013.zip

This fake Chase "Incoming Wire Transfer" email has a malicious attachment.

Date:      Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From:      Chase [Chase@emailinfo.chase.com]
Subject:      Incoming Wire Transfer


Note: This is a service message with information related to your Chase account(s). It may include specific details about transactions, products or online services. If you recently cancelled your account, please disregard this message.
CHASE    
          We're writing to let you know the "Incoming Wire Transfer Report" is available.
If you are not aware of this transaction or have concerns about the request, please contact your company administrator.

The detailed Information about this transaction is available in the attached file.

Account: BUSINESS CHECKING/SAVINGS ACCOUNT
Date of deposit: 05/24/2013
Transaction number: 1
Type: International Wire Transfer
Amount: $161,381.56

If you aren't enrolled in "Incoming Transfer Report's" and think you've received this message in error, please call our Customer Support team immediately, using the phone number on the "Contact Us" page on Chase Online.

Note: This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
       

   
    E-mail Security Information    
   
   

If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here.

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing www.chase.com directly into your browser.

   

If you want to contact Chase, please do not reply to this message, but instead go to www.chase.com. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
2013 JPMorgan Chase & Co.
LCAA0213S

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal. The ThreatTrack report [pdf] and ThreatExpert report show various characteristics of this malware, in particular a callback to the following IPs and domains:

116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1.com

Checksums are as follows:
MD5f9182e5f13271cefc2695baa11926fab
SHA1b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA2560a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d

Tuesday, 21 May 2013

prospectdirect.org (Emailmovers Ltd) spam

Everything that this spammer says is a lie:

From:     Emily Norton [emily.norton@prospectdirect.org]
To:     [redacted]
Date:     21 May 2013 16:33
Subject:     Cater to your email marketing needs
Signed by:     prospectdirect.org

Hello,

I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.

The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.

If you would like a quote please complete this form: http://prospectdirect.org/email-marketing-strategy

Leave your details at the link above or reply with any requirements.

Kind Regards,

Emily Norton

75 Glandovey Terrace, Newquay, Cornwall TR8 4QD

Tel: 0843 289 4698

This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http://www.prospectdirect.org/landing/page.php?jq=[snip]
Firstly, the email was send to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does not exist, and the telephone number of 0843 289 4698 appears to belong to a completely unrelated company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct".

The website prospectdirect.org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope , Netherlands). There are no contact details on the website and there is no identifying information at all.. it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.


I would recommend giving these spammers a wide berth given their catalogue of lies.

Update: filling in the request form gets a response from Emailmovers Ltd (emailmovers.com / emvrs.co). More on them soon...

Delivery_Information_ID-000512430489234.zip

The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German). I don't have a copy of the email itself, but my best guess is that it is a fake package delivery report.

So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion.de/get/Delivery_Information_ID-000512430489234.zip

The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47 and has the following checksums:

MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7

The Anubis report is pretty inconclusive but ThreatTrack reports [pdf] some peer-to-peer traffic and also some rummaging around the Window Address Book (WAB).

Update:  sandrochka.de appears to be hosting the malicious ZIP as well.

Sunday, 19 May 2013

Something evil on 50.116.28.24

50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here and here plus some other suspect sites. I would advise that you assume that all domains hosted on this IP are malicious, ones that are already marked as malware by Google are highlighted in  red .

6699x.in
7e.xpsp.in
allotusual.in
approvaldesignteam.com
asodistrict.org
australiantestnew2333s.info
bbclsht4.knaqu.eu
bene-ficus.com
berstaska.com
bigbrothershome.org
bizforum.us
boostdeeming.org
c8.uk3.in
cagxjuhgvacsmjvdeo.com
capucchinopayments.com
cascotqhij.com
caytmlnlrou.com
checkincheckoutdoodling.in
ckgryagcibbcf.com
cross-bordertrade.eu
d3aya.net
desepil.com
docsforum.info
ds32v7k3.knaqu.eu
duomyvwabkuappgqxhp.com
englishmaninny.in
exactsixservice.com
fogorieort.com
galaint.statonlinekit.in
galokusemus.eu
ganycyhywek.eu
genecevaletoday.ws
getgluedeluxe.com
gidrim.com
giliminfobluster.com
godgivenwisdom.com
gokbwlivwvgqlretxd.com
googlebarcorp.com
gw.desepil.com
gysqreclw.com
havanaprom.com
hcvuririvnuq.com
hgydiduewiltga.com
hxpgffdwbevww.com
itismybestsite555.in
itismybestsite666.in
itismybestsite777.in
ivaserg.us
jbeqyjlvjqbmq.com
jexgpprgph.com
jngorreo.com
jpuityvakjgg.com
karambajobs.us
kaspyrsky.net
kckkjyqtokjlwfem.com
knaqu.eu
kudrizaial.in
kxkdyatouls.tv
labush.in
lekerdeka.com
liveonflyhelp.com
lotosmusicfm.net
lpkporti.com
mail.desepil.com
mambarada.com
michellesogood.in
monsboys.biz
mqjvmmcckkbwgihlbwm.com
mukevipvxvrq.com
musicmixb.co
myloanandcredit.net
n0r1.org
n-0-r-1.org
nanomirs.com
nbvusher.com
nogold.in
nogold.me
nr.kaspyrsky.net
ns1.musicmixb.co
ns1.searchhereonline.net
ns2.searchhereonline.net
ns4.searchhereonline.net
ofexplained.com
oodsydayvbmwj.com
podaitjnvfauh.com
prcgijpwvrl.com
pvpipkio.com
qobiragevuryt.com
realfirmvare.in
rumbaduna.com
sdvrcplyavjif.com
searchhereonline.net
secdfbpyopjhyhuw.com
securitytable.org
simplynamedgritty.in
sliokrvnkjenhwgpjl.com
sqhmkesvsraquihx.com
statonlinekit.in
storedlay.com
suhashvill.com
symbisecure.com
tentiklus.com
tetebebe.knaqu.eu
u.kaspyrsky.net
uk3.in
uxlyihgvfnqcrfcf.com
vdstestservice.info
vncs.knaqu.eu
voohnyqdinl.com
vosmefnuxkkmhbmuac.com
vwaeloyyutodtr.com
wbmpvebw.com
wgkyyalemnvhdrai.com
window-shopper.info
wir.knaqu.eu
wkabaspswbf.com
wwrgnyoqwcodyhg.com
www.desepil.com
x.n-0-r-1.org
x6690x.in
x6699x.in
xd11.in
xdgeivuswhon.com
xjpakmdcfuqe.in
xksax.biz
xphdllpguj.com
xpsp.in
yfsxwvqbsnghyln.com
ylamixambistarimbasicolasta.com

Friday, 17 May 2013

Newegg.com spam / balckanweb.com

This fake Newegg.com spam leads to malware:

Date:      Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From:      Newegg [info@newegg.com]
Subject:      Newegg.com - Payment Charged
Priority:      High Priority 1


Newegg logo    
My Account     My Account |     Customer Services     Customer Services

Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More

Customer ID: [redacted]
Account Number: 23711731
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. Ž
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | Å  2000-2013 Newegg Inc. All rights reserved.

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb.com/news/unpleasant-near_finally-events.php (report here) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)

The domains and IPs indicate that this is part of the "Amerika" spam run.

Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119
balckanweb.com
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

"Referral link" spam / rockingworldds.net and parishiltonnaked2013.net

This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:

From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]

Subject :RE(8)
Sent: 5/17/2013 2:11:53 PM
referral link
http://printcopy.co.za/elemqi.php?whvbcfm
The link goes through a legitimate hacked site and in this case ends up at [donotclick]rockingworldds.net/sword/in.cgi?6 (report here) which either redirects to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013.net/ngen/controlling/coupon_voucher.php (report here) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11  (Clodo-Cloud / IT House, Russia).

That server contains a number of other suspect domains that I would suggest that you add to your blocklist:
62.76.190.11
bestukdeals2013.net
catpowers.org
gabbingdeals.com
moonflyerss.com
moonflyerss.net
moonflyerss.org
parishiltonnaked2013.com
parishiltonnaked2013.net
parishiltonnaked2013.org
rockelssens.com
rockelssens.net
rockelssens.org
rockingworldds.com
rockingworldds.net
rockingworldds.org
stofennerson.com
stofennerson.net
stonehengeexposed.com
stonehengeexposed.org
weightlosssystemonline.com

I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia.

Thursday, 16 May 2013

Wells Fargo and Citi spam / SecureMessage.zip and Securedoc.zip

This fake Wells Fargo message contains a malicious attachment:

Date:      Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From:      "Grover_Covington@wellsfargo.com" [Grover_Covington@wellsfargo.com]
Subject:      New Secure Message


Wells Fargo    
    Help

To Read This Message:

   
   

Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message    

This message was sent to : [redacted]

Email Security Powered by Voltage IBE

Copyright 2013 Wells Fargo. All rights reserved

The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal.

The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.

Date:      Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From:      "secure.email@citi.com" [secure.email@citi.com]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm
The ThreatExpert report reveals some information, but the best analysis is this ThreatTrack report. Between them they identify some IPs and domains worth blocking:

69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim.com
ryulawgroup.com

Walmart.com spam / virgin-altantic.net

Another variant of this spam is doing the rounds, this time leading to a landing page on virgin-altantic.net:

From: Wallmart.com [mailto:sculptsu@complains.wallmartmail.com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882


Visit Walmart.com  |
Help  |
My Account  |
Track My Orders


[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
     Ship to Home   
    Gabriel Miller
1881 Granada Dr
Washington, NC 68025-3157
USA    



Walmart.com     Order Number: 3450995-348882

Ship to Home - Standard
Items    Qty    Arrival Date     Price
Samsung UN55EH9050 42" 1080p 600Hz Class LED (3.7" ultra-slim) 3D HDTV    1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00

Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total:    $960.86
Order Summary
Order Date:    05/15/2013
Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
Order Total:    $960.86
Credit card:    $960.86
        Billing Information
Payment Method:
Credit card

If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com

 
Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!     

The malicious payload is at [donotclick]virgin-altantic.net/news/ask-index.php (report here). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic.net too.

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:     Wallmart.com [deviledm978@news.wallmart.com]
Date:     16 May 2013 14:02
Subject:     Thanks for your Walmart.com Order 3795695-976140

Walmart    
Visit Walmartcom  |     Help  |     My Account  |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
      Ship to Home    
   

Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA
   

Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86
       
Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com


Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!
   
©Walmart.com USA, LLC, All Rights Reserved.

 The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characterstic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara  ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350


Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35

"Invoice Copy" spam / invoice copy.zip

This fake invoice email contains a malicious attachment:

Date:      Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From:      Karen Parker [Kk.parker@tiffany.com]
Subject:      invoice copy

Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker
The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45 and indicate that this is a Zbot variant.

The Comodo CAMAS report indicates that the malware seems to be rummaging though address books and gives the following characteristics:

Size331776
MD5ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA2564b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

The ThreatExpert report and Anubis report are pretty inconclusive. The ThreatTrack report is nicely detailed and gives some details about network connections which I haven't had a chance to analyse yet.

As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat.



Wednesday, 15 May 2013

ADP spam / outlookexpres.net

This fake ADP spam leads to malware on outlookexpres.net:


Date:      Wed, 15 May 2013 22:39:26 +0400
From:      "donotreply@adp.com" [phrasingr6@news.adpmail.org]
Subject:      adp_subj


ADP Instant Warning

Report #: 55233

Respected ADP Client May, 15 2013

Your Processed Transaction Report(s) have been uploaded to the website:

Sign In here

Please see the following information:

• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).

• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.

This email was sent to existing users in your company that access ADP Netsecure.

As every time, thank you for using ADP as your business affiliate!

Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres.net/news/estimate_promising.php (report here) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
twintrade.net
zonebar.net

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.

These following domains are all flagged by Google as being malicious, and are all based on  184.95.51.123. I would recommend blocking the IP if you can, else the domains I can find are listed below:

exteriorbylifestyle.com
hurricanesafecard.com
hurricanesavingsgift.com
hurricaneshuttersdiscount.com
hurricaneshuttersgift.com
hurricaneshuttersrebate.com
hurricanestormsavings.com
hurricanestrength.com
hurricanestrengthsavings.com
lifelinewindows.com
lifestylebonita.com
lifestyleestero.com
lifestyleexcellence.com
lifestyleexterior.com
lifestyleexteriorstrong.com
lifestyleexteriorwindows.com


Facebook spam / otophone.net

This fake Facebook spam leads to malware on otophone.net:

Date:      Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From:      Facebook [notification+LTFS15RDTR@facebookmail.com]
Subject:      Jonathan Rogers wants to be friends on Facebook

facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook.
   
Jonathan Rogers
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request
   
See All Requests
This message was sent to dynamoo@spamcop.net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303
The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone.net/news/appreciate_trick_hanging.php (report here) hosted on the following IPs:

36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)


The WHOIS details are characteristic of the "Amerika" series of malware spams.
    MURNANE, LARRY  samyidea@yahoo.com
    690 West B
    SAN DIEGO, CA 92101
    US
    +1.8588695411


Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
zonebar.net

Tuesday, 14 May 2013

Something evil on 94.242.198.16

I'm not entirely sure what this is, I think it's an injection attack leading to a malware server on 94.242.198.16 (Root SA, Luxemburg) which is using various stealth techniques to avoid detection.

This is what I'm seeing.. code is getting injected into sites referring to [donotclick]fryzjer.me/hpoxqnj.php (report) or [donotclick]stempelxpress.nl/vechoix.php (report) which (if called in the correct way) tries to forward the victim to
[donotclick]ice.zoloni-kemis.info/lyxtp?ftqvixid=94764 or [donotclick]ice.zoloni-kemis.info/lifym?ftypyok=947645 hosted on 94.242.198.16.

VirusTotal reports this as a bad IP, and out of several domains associated with this IP, almost all are red-flagged by Google for malware. The site contains several subdomains of the following domains.. I would recommend the following blocklist:
94.242.198.16
integrate-koleiko.com
integrate-koleiko.org
integrate-koleiko.net
muroi-uroi-loi.info
muroi-uroi-loi.org
muroi-uroi-loi.net
zoloni-kemis.info

Subdomains spotted include:
dde.integrate-koleiko.com
drom.muroi-uroi-loi.info
helm.muroi-uroi-loi.org
ice.zoloni-kemis.info
lopre.integrate-koleiko.org
maj.muroi-uroi-loi.net
nop.integrate-koleiko.org
oi.integrate-koleiko.net
vyo.integrate-koleiko.net
xs.integrate-koleiko.com

Bank of America spam / RECEIPT428-586.doc

This fake Bank of America message has a malicious Word document attached:

Date:      Tue, 14 May 2013 10:16:05 +0500 [01:16:05 EDT]
Subject:      Your transaction is completed

Transaction is completed. $51317477 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt of payment is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC. Equal Housing Lender Opens in new window
© 2013 Bank of America Corporation. All rights reserved 

The attached document is RECEIPT428-586.doc which contains a CVE-2012-0158 / MS12-027 exploit, so a fully patched Windows system should be immune. Further analysis is pending, but the payload is likely to be P2P / Gameover Zeus as found in this attack. VirusTotal detections stand at just 11/46. Further analysis is pending.

Monday, 13 May 2013

"Confidential - Secure Message from AMEX" spam / SecureMail.zip

This fake Amex email has a malicious attachment:

Date:      Tue, 14 May 2013 01:34:36 +0600 [15:34:36 EDT]
From:      American Express [Jarvis_Randall@aexp.com]
Subject:      Confidential - Secure Message from AMEX    

Secure Message
                   
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.

Note: The attached file contains encrypted data.

If you have any questions, please call us at 800-748-8515, option 0. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,
American Express

2012 American Express Company. All rights reserved.

There is an attachment SecureMail.zip which in turn contains an executable file SecureMail.exe which has an icon designed to look like a PDF file. VirusTotal results for the malware are just 15/46.

Comodo CAMAS reports the following characteristics and also a connection to a known malware C&C server mail.yaklasim.com on 212.58.4.13 (DorukNet, Turkey).

Size137216
MD520de8bad8bf8279e4084e9db461bd140
SHA1caacc00d68f41dad9b1abb02f9e243911f897852
SHA25618e2fc0b9386cadc31fb15cb38d9fa5d274f42b8127b349a14c962329b691ee7

The ThreatTrack report also shows a connection to 212.58.4.13 as well as 62.233.104.156 (IOMART, UK) and several other IPs that may form part of a botnet. Blocking EXE-in-ZIP files at the perimeter is a good move if you can do it. Update: the ThreatExpert report also shows a connection to 116.122.158.195 (Hanaro Telecom, Korea) which is probably also worth blocking.

Blocklist:
mail.yaklasim.com
212.58.4.13
62.233.104.156
116.122.158.195

Something evil on 188.241.86.33

188.241.86.33 (Megahost, Romania) is a malware server currently involved in injection attacks, serving up the Blackhole exploit kit, Zbot and a side order of Cdorked [1] [2].

This IP hosts a variety of domains, some of which are purely malicious, some of which are hijacked subdomains of legitimate ones. Blocking the IP address is the easiest approach, else I would recommend blocking all the domains that are being abused:

01libertynet.fr.fo
0-film.com
100girlsfree.com
365conseils.net
4unblock.info
5becquet.fr.fo
6x0.fr
7eebr.com
8-cents.com
8cents.fr.fo
a2smadagascar.mg
abc-maroc.com
abcm-jeanpetit.eu
aberkane.org
abjworld.com
abkari.fr
abkaribrahem.com
abousajid.net
abshore.com
acabimport.fr
acajb.org
acgl-congo.com
acgl-congo.fr
achacunsoncartable.com
acl-africa.com
actionalternance.fr
activbold.com
acts42.fr
actu-assurance.com
actubuntu.fr.fo
actu-minecraft.com
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru

The full list of malicious domains that I can find are below, although I would not expect these to be comprehensive:
040071c6fea7a5bb.365conseils.net
040071c6fea7a5bb01510713050515418167059c09c0824647b0d28469f9a86.365conseils.net
0433a1152ec475d801921313051101474089711298c7e6a1fd7545bc5552d41.achacunsoncartable.com
0433a1152ec475d811601613051104237096368adea8ce55a82f4544fbc01c0.achacunsoncartable.com
0488a1ee2eff75e301425213050201233048184bab90de52abca095e43c0e9e.0-film.com
04bb718dfefca5e0.5becquet.fr.fo
04bb718dfefca5e001607913050610062053256cc4d0ecce785bc8e30493292.5becquet.fr.fo
04cc71bafe5ba5470150421305111855518829847e724828b3c53aec8153583.acts42.fr
157790811f40445c.acajb.org
157790811f40445c01601013051008229123947a4ec000bad7503601a8b8345.acajb.org
157790811f40445c016138130510070780741784317a42a2bccfff6c9b9b979.acajb.org
157790811f40445c019162130510065681946385f315786814d0cea69ce8664.acajb.org
15bba06d2f1c7400.6x0.fr
15bba06d2f1c740001620213050615286119192adfefaf19e4e8a5586a6dd7e.6x0.fr
15ff3069bf78e464.01libertynet.fr.fo
15ff3069bf78e4640110311305011655920288060206a1a1261478459ff3e75.01libertynet.fr.fo
15ff3069bf78e4640142371305011633812870254adfea351ba45ccd84b6ed9.01libertynet.fr.fo
15ffa0792ff874e4.8-cents.com
15ffa0e92f18740401401013051215157128702d9606903880327e698feccbe.actu-minecraft.com
15ffa0e92f1874040141021305121800510682957d930ed7606e94e5678e741.actu-minecraft.com
15ffa0e92f187404014185130512171461299704fdc6792b87c632c2dc8ea0b.actu-minecraft.com
260093561ce747fb.abousajid.net
260093561ce747fb0140101305091529613535950ae91792a9d74ca508e99ad.abousajid.net
260093561ce747fb01603113050915274112535b852cc96df15044d0c5bab97.abousajid.net
26bb633dec4cb75001620213050607357124264d8f6315b9f394ea624df9b66.4unblock.info
26bb633dec4cb75011613913050607052045014adf4c310b3e0bdc47f2861d7.4unblock.info
26bb633dec4cb750116139130506075451302874ade020351e0c39fd5a78c27.4unblock.info
26cc33cabc2be737.actionalternance.fr
26cc33cabc2be73701612213051111086088443c09a6c2cac05c63f7129fe6a.actionalternance.fr
26cc33cabc2be73711601013051110582102074d8f6315c81c1d1cdcd96f60e.actionalternance.fr
26ff93b91cb847a4.100girlsfree.com
26ffa3892c787764019185130512123091695955dc240716cf6878a05b14ee3.actu-minecraft.com
378852cedd4f8653015013130507031910377234406e79b09f6cd6bc3f531b4.8-cents.com
3788a28e2d1f760301404913050802257090662bc33361ff65bce2fa3130839.8cents.fr.fo
40bb751dfa9ca180.8-cents.com
517794411bd040cc.100girlsfree.com
620007168887d39b0141851305072124915913454b8c0a26fb88da3bde7a868.8-cents.com
620007168887d39b01918513050722262103342525b024b1b95bf7573a67195.8-cents.com
623307c58864d378.abc-maroc.com
62333795a894f38801400913051305512080201a47fe7464fbbe561520e01bc.actu-minecraft.com
62333795a894f38801603113051303131041527adf4c310ff3253949005312c.actu-minecraft.com
62446762e8c3b3df.a2smadagascar.mg
62ff57f9c8f893e4.actu-minecraft.com
7344966219c342df.aberkane.org
73cca65a29eb72f7.abshore.com
73cca65a29eb72f701512413050919272107463ccba6e6189fc6986eb8f2d7c.abshore.com
73cca65a29eb72f701601013050919063097002c09c2522cddbf7f407171835.abshore.com
73ff2629a9d8f2c4.actu-minecraft.com
73ff2629a9d8f2c4014010130512092430878098d3a2e5e755dff1f2afa2bf8.actu-minecraft.com
73ffc65949981284.100girlsfree.com
8c443932b693ed8f11601013050822381104927d18d35b903767ba446417aca.aberkane.org
8cffe9c966783d64.abkaribrahem.com
8cffe9c966783d6401401013050909354101757b20d50dc4a53c3f60028ce42.abkaribrahem.com
8cffe9c966783d64015129130509101070859078f510042f6ec44d7e433dae2.abkaribrahem.com
9d3358f5d7848c98.7eebr.com
9d3358f5d7848c9801120213050617401078933d8645f3e106c2cfc1598a843.7eebr.com
9d7718418740dc5c.actu-minecraft.com
9d77b8b137606c7c.acgl-congo.fr
9d77b8b137606c7c01512913051017572124898c056644eb855f5a4b166d2b9.acgl-congo.fr
9d88a81e27af7cb3.abkaribrahem.com
9dbb984d17cc4cd01160101305062232917783743db39d1cf46f37b436dd266.8-cents.com
9dbbb80d37ac6cb0015186130508121671023918f51f80188036111f6dc1f72.a2smadagascar.mg
aeff6b49e4a8bfb4015258130512004781489908ea4b42446e65516bff5ab95.actu-assurance.com
aeff6b49e4a8bfb411601613051200491038674c7b4814aa786570ce3c5098f.actu-assurance.com
bf008a6605f75eeb014010130507173520947835ffc0f0fb081b68065c7e066.8-cents.com
bf008a6605f75eeb01412613050720045090345594f60a636367054ee54e604.8-cents.com
bf33fa7575d42ec8.abc-maroc.com
bf33fa7575d42ec801401013050814009075129bad428136689be7a7da2e9cb.abc-maroc.com
bf33fa7575d42ec8014086130508152020843224d40b5b7505fae9f56aea685.abc-maroc.com
bf33fa7575d42ec801510713050813215101440d61264b31e2cab4662a78b84.abc-maroc.com
bf33fa7575d42ec8016010130508150860906628cb9bce1fcee0c3f22846b31.abc-maroc.com
bf77da9155000e1c.100girlsfree.com
bfbbfaed65ec3ef0.100girlsfree.com
bfccba4a359b6e87.acgl-congo.com
bfccba4a359b6e87014075130510163331172904d4082d81aa81553b5898a2f.acgl-congo.com
bfccba9a259b7e87014010130512212151534285c4d64918e520db9a4a99c7a.actu-minecraft.com
c833cdf542641978.8-cents.com
c833cdf54264197801423713050716106092564c3e2cfb86aac81596dd164e8.8-cents.com
c833cdf542641978019037130507161140855905a1d39c59b9e2e19868866db.8-cents.com
c833fd7572942988014075130511135972133414d40dcf123ee454bb96f2478.activbold.com
c8777de1f220a93c.acajb.org
c8777de1f220a93c014237130510094241134864ffcf0d244b3e0d591c517c2.acajb.org
c8777de1f220a93c114181130510110690897115be0c137c3bfca9956675ebe.acajb.org
c8778d3102a059bc.100girlsfree.com
c8bbfd5d72ec29f0.100girlsfree.com
c8cc1d7a928bc997.actu-minecraft.com
c8cc1d7a928bc9970160931305121954723299543db39d15a4534253bd539f9.actu-minecraft.com
c8cc2deaa26bf977.8-cents.com
c8cc2deaa26bf97701112913050712338147722412926bcc5c4907c1308b240.8-cents.com
c8cc2deaa26bf9770140251305071408106561954a1b95da26542af79a4589c.8-cents.com
c8cc2deaa26bf977016185130507134131011234162579342dbc1f47b4f7fd2.8-cents.com
c8ff1d1992d8c9c4.acgl-congo.com
c8ff1d1992d8c9c401410113051011536170546863d58f33f68331b59ea7c90.acgl-congo.com
c8ff1d1992d8c9c401502213051013158117290d619001d01efd2a3e1b3f29b.acgl-congo.com
d900ac1623d778cb.acabimport.fr
d9442c22a383f89f01408613050902089060547bb26d67892ae078d34f997c1.abjworld.com
d9772c61a390f88c.100girlsfree.com
d9777cd1f360a87c.abkari.fr
d9bb3cfdb36ce870.8cents.fr.fo
d9cc9c8a137b4867.actubuntu.fr.fo
ea003fc6b017eb0b.acl-africa.com
ea003fc6b017eb0b0140551305110632611348655c9f49488e5a4ecb8292208.acl-africa.com
ea33af4520847b9811601013051002514098270cc4d0ed8f39b52f8e725fadc.acabimport.fr
ea776f71e0c0bbdc.abkari.fr
ea776f71e0c0bbdc01401013050912097090662863d2ab4a57e7f0a96b25cf1.abkari.fr
ea776f71e0c0bbdc01920213050913332090345d02caa653dae6865511b8036.abkari.fr
ea885f2ed0bf8ba301620213050804177079250c7c38ecdab30e8e836a60be8.8cents.fr.fo
ea885f2ed0bf8ba301620213050804285084005d073cf45420d7a00dd3d73a2.8cents.fr.fo
ea885f2ed0bf8ba311601013050802399148356d812e2a73d403f9c106d463c.8cents.fr.fo
ea886f6ee0efbbf3.8-cents.com
eacc6f4ae0ebbbf7.abcm-jeanpetit.eu
eacc6f4ae0ebbbf701401013050819143098587bcc05684f8eaabdbf34aacb5.abcm-jeanpetit.eu
eacc6f4ae0ebbbf7014098130508182081375786dd748438ddc6d700470919b.abcm-jeanpetit.eu
eacc6f4ae0ebbbf711601013050818299170546cc4d0ecc24766a4257413c24.abcm-jeanpetit.eu
fbbb6e6de11cba00.5becquet.fr.fo
fbbb6e6de11cba0011601013050614153074812c6661d86385ba30356756c7e.5becquet.fr.fo
garmonyoy.eu
gmzuwr.ru
harmonyoy.eu
hrgvrl.ru
kinyng.ru
luiwmt.ru
ntdsapi.com
ntimage.net
ntmsapi.net
olpnso.ru
pastaoyto.eu
piparse.com
plustab.net
polstore.net
puntooy.eu
pvzvnp.ru
rvwwko.ru
tpxhpz.ru
trlnps.ru
zuihwg.ru
zuknsr.ru