Dynamoo's Blog

Wednesday 29 May 2013

University of Illinois CS department compromised

There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24, range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc.edu, croft.cs.illinois.edu, tsvi-pc.cs.uiuc.edu, mirco.cs.uiuc.edu, ytu-laptop.cs.uiuc.edu, node3-3105.cs.uiuc.edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):

128.174.240.37
balckanweb.com
virgin-altantic.net
twintrade.net
biati.net
icensol.net
outlookexpres.net
gatareykahera.ru
curilkofskie.ru
exrexycheck.ru
gangrenablin.ru
contonskovkiys.ru

128.174.240.52
nvufvwieg.com
zeouk-gt.com
mydkarsy.com
trackerpro5.ru
avtotracki.ru
aviachecki.ru
techno5room.ru
getstatsp.ru

128.174.240.53
enway.pl

128.174.240.74
yelpwapphoned.com
streetgreenlj.com
crossdissstep.com
multipliedfor.com
sweetcarsinkas.at
roobihhooerses.at
stackltiplied.net
nitrogrenberd.net
salesplaytime.net
sludgekeychai.net
uestsradiates.net
smurfberrieswd.su
jounglehoodeze.su
sbliteratedtum.su
solidlettersiz.su

128.174.240.153
confideracia.ru
condalinaradushko.ru
pizdecnujzno.ru
ochengorit.ru
xenaidaivanov.ru

128.174.240.213
balckanweb.com
virgin-altantic.net
twintrade.net
biati.net
icensol.net
outlookexpres.net
gatareykahera.ru
curilkofskie.ru
exrexycheck.ru
gangrenablin.ru
contonskovkiys.ru

Update: the University says that this was a single machine on the network which has now been cleaned up.

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist list of IPs for copy-and-pasting, finally a list of IPs that are advertised as nameservers within this group for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..

Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net

IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colmbia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)

55-Inch TV Amazon.com spam / federal-credit-union.com

This fake Amazon.com spam leads to malware on federal-credit-union.com:

From:   auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To:   "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date:   29 May 2013 16:55
Subject:   Amazon.com order of Samsung UN554X6050 55-Inch

		Kindle Store	\| Your Account \| Amazon.com
	Order Confirmation Order #134-8080453-8538443

[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.

Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air	Your order was sent to: Tyler Scott 2516 Columbia Dr Washington, WA 40830-9361 United States

Order Details

Order #134-8080453-8538443
Placed on Wensday, May 29, 2013

Samsung UN554X6050 55-Inch 1080p 120Hz LED 3D HDTV (Dark Grey)
Electronics
In Stock
Sold by World Wide Stereo, Inc.

$1,099.99


Item Subtotal:	$1,099.99
Shipping & Handling:	$0.00

Total Before Tax:	$1,099.99
Estimated Tax:	$0.00


Order Total:	$1,099.99

To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.

Thank you for shopping with us.
Amazon.com

Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.

This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily right at the moment this domain is suspended and won't work, however. There is a very large number of connected domains though which I am compiling a blocklist for and will post later..

Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".

Update 2: the malicious landing page has been replaced with one using the domain ozonatorz.com.

Tuesday 28 May 2013

Something (a bit) evil on 158.255.212.96 and 158.255.212.97

The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example for fussball-gsv.de). These two examples report a TDS URL pattern which is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware.

The following sites are hosted on those two domains, plus a link to the Google Safebrowsing diagnostics:
linkstoads.net [no malware reported]
node1.hostingstatics.org [malware reported]
node2.hostingstatics.org
nodeph.hostingstatics.org
numstatus.com [no malware reported]
systemnetworkscripts.org [no malware reported]
finger2.climaoluhip.org [malware reported]
connecthostad.net [malware reported]
netstoragehost.com [malware reported]
nethostingdb.com [no malware reported]

In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so.

I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:
158.255.212.96
158.255.212.97
193.102.11.3
205.178.182.1
hostingstatics.org
climaoluhip.org
numstatus.com
linkstoads.net
systemnetworkscripts.org
connecthostad.net
netstoragehost.com
nethostingdb.com

fab.com spam

[Via the WeAreSpammers blog]

I've never heard of fab.com before, but online comments are very negative. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab.com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab.com on 184.73.196.153 (Amazon.com, US). Avoid.

From: Fab [info@eu.fab.com]
To: donotemail@wearespammers.com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx@gmail.com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru.com
Signed by: eu.fab.com

If you are unable to see this message, click here to viewTo ensure delivery to your inbox, please add info@eu.fab.com to your address book.

Great News!donotemail@wearespammers.com
Here's your exclusive invite from jenotsxx@gmail.com to join FabFab provides daily design inspirations and sales from the world's leading designers at prices up to 70% off retail.

About Help Contact Us Return Policy Shipping Terms Privacy

Monday 27 May 2013

Citibank spam / Statement 57-27-05-2013.zip

This fake Citibank email has a malicious attachment:

Date:     Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From:     Millard Hinton [leftoverss75@gmail.com]
Subject:     Merchant Statement

Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer.

The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive some peer-to-peer traffic and accessing of the WAB. Simseer's prognosis is that this is a Zbot variant.

For the record, these are the checksums involved:

MD5	0bbf809dc46ed5d6c9f1774b13521e72
SHA1	9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256	00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

Friday 24 May 2013

Chase "Incoming Wire Transfer" spam / incoming_wire_05242013.zip

This fake Chase "Incoming Wire Transfer" email has a malicious attachment.

Date:     Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From:     Chase [Chase@emailinfo.chase.com]
Subject:     Incoming Wire Transfer

Note: This is a service message with information related to your Chase account(s). It may include specific details about transactions, products or online services. If you recently cancelled your account, please disregard this message.
CHASE
        We're writing to let you know the "Incoming Wire Transfer Report" is available.
If you are not aware of this transaction or have concerns about the request, please contact your company administrator.

The detailed Information about this transaction is available in the attached file.

Account: BUSINESS CHECKING/SAVINGS ACCOUNT
Date of deposit: 05/24/2013
Transaction number: 1
Type: International Wire Transfer
Amount: $161,381.56

If you aren't enrolled in "Incoming Transfer Report's" and think you've received this message in error, please call our Customer Support team immediately, using the phone number on the "Contact Us" page on Chase Online.

Note: This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.



    E-mail Security Information



If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here.

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing www.chase.com directly into your browser.



If you want to contact Chase, please do not reply to this message, but instead go to www.chase.com. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
2013 JPMorgan Chase & Co.
LCAA0213S

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal. The ThreatTrack report [pdf] and ThreatExpert report show various characteristics of this malware, in particular a callback to the following IPs and domains:

116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1.com

Checksums are as follows:

MD5	f9182e5f13271cefc2695baa11926fab
SHA1	b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256	0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d

Tuesday 21 May 2013

prospectdirect.org (Emailmovers Ltd) spam

Everything that this spammer says is a lie:

From:    Emily Norton [emily.norton@prospectdirect.org]
To:    [redacted]
Date:    21 May 2013 16:33
Subject:    Cater to your email marketing needs
Signed by:    prospectdirect.org

Hello,

I hope you don’t mind but I just wanted to contact you to discuss your email marketing strategy. If you don’t currently have one that is working for you then our client can help.

The company I am contacting you on behalf of have the dedicated knowledge and services to cater to your email marketing needs.

If you would like a quote please complete this form: http://prospectdirect.org/email-marketing-strategy

Leave your details at the link above or reply with any requirements.

Kind Regards,

Emily Norton

75 Glandovey Terrace, Newquay, Cornwall TR8 4QD

Tel: 0843 289 4698

This email (including any attachments) is intended only for the recipient(s) named above. It may contain confidential or privileged information and should not be read, copied or otherwise used by any other person. If you are not the named recipient please contact the sender and delete the email from your system. If you would no longer like to receive emails from us please unsubscribe here http://www.prospectdirect.org/landing/page.php?jq=[snip]

Firstly, the email was send to a scraped address from the website of the Slimeware Corporation and isn't any sort of opted-in address at all. The address of "75 Glandovey Terrace, Newquay, Cornwall TR8 4QD" simply does not exist, and the telephone number of 0843 289 4698 appears to belong to a completely unrelated company. I very much doubt there is anybody called "Emily Norton" involved, and there is no company in the UK with the name "Prospect Direct".

The website prospectdirect.org itself carefully hides any contact details, the WHOIS details are anonymous, the domain was created on 2012-07-19 and is hosted on 109.235.51.98 (Netrouting / Xeneurope , Netherlands). There are no contact details on the website and there is no identifying information at all.. it hasn't just been omitted by accident, the whole thing has been left meticulously clean by a professional spamming outfit.

I would recommend giving these spammers a wide berth given their catalogue of lies.

Update: filling in the request form gets a response from Emailmovers Ltd (emailmovers.com / emvrs.co). More on them soon...

Delivery_Information_ID-000512430489234.zip

The file Delivery_Information_ID-000512430489234.zip is being promoted by a spam run (perhaps aimed at Italian users, although all the hosts are German). I don't have a copy of the email itself, but my best guess is that it is a fake package delivery report.

So far I have identified three download locations for the malicious ZIP file:
[donotclick]www.interapptive.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.vankallen.de/get/Delivery_Information_ID-000512453420234.zip
[donotclick]www.haarfashion.de/get/Delivery_Information_ID-000512430489234.zip

The ZIP file decompresses to Delivery_Information_ID-000512453420234.Pdf_______________________________________________________________.exe (note all those underscores!) which has a VirusTotal detection rate of 23/47 and has the following checksums:

MD5: 791a8d50acfea465868dfe89cdadc1fc
SHA1: be67a7598c32caf3ccea0d6598ce54c361f86b0a
SHA256: 9ae8fe5ea3b46fe9467812cbb2612c995c21a351b44b08f155252a51b81095d7

The Anubis report is pretty inconclusive but ThreatTrack reports [pdf] some peer-to-peer traffic and also some rummaging around the Window Address Book (WAB).

Update: sandrochka.de appears to be hosting the malicious ZIP as well.

Sunday 19 May 2013

Something evil on 50.116.28.24

50.116.28.24 (Linode, US) is hosting the callback servers for some Mac malware as mentioned here and here plus some other suspect sites. I would advise that you assume that all domains hosted on this IP are malicious, ones that are already marked as malware by Google are highlighted in red .

6699x.in
7e.xpsp.in
allotusual.in
approvaldesignteam.com
asodistrict.org
australiantestnew2333s.info
bbclsht4.knaqu.eu
bene-ficus.com
berstaska.com
bigbrothershome.org
bizforum.us
boostdeeming.org
c8.uk3.in
cagxjuhgvacsmjvdeo.com
capucchinopayments.com
cascotqhij.com
caytmlnlrou.com
checkincheckoutdoodling.in
ckgryagcibbcf.com
cross-bordertrade.eu
d3aya.net
desepil.com
docsforum.info
ds32v7k3.knaqu.eu
duomyvwabkuappgqxhp.com
englishmaninny.in
exactsixservice.com
fogorieort.com
galaint.statonlinekit.in
galokusemus.eu
ganycyhywek.eu
genecevaletoday.ws
getgluedeluxe.com
gidrim.com
giliminfobluster.com
godgivenwisdom.com
gokbwlivwvgqlretxd.com
googlebarcorp.com
gw.desepil.com
gysqreclw.com
havanaprom.com
hcvuririvnuq.com
hgydiduewiltga.com
hxpgffdwbevww.com
itismybestsite555.in
itismybestsite666.in
itismybestsite777.in
ivaserg.us
jbeqyjlvjqbmq.com
jexgpprgph.com
jngorreo.com
jpuityvakjgg.com
karambajobs.us
kaspyrsky.net
kckkjyqtokjlwfem.com
knaqu.eu
kudrizaial.in
kxkdyatouls.tv
labush.in
lekerdeka.com
liveonflyhelp.com
lotosmusicfm.net
lpkporti.com
mail.desepil.com
mambarada.com
michellesogood.in
monsboys.biz
mqjvmmcckkbwgihlbwm.com
mukevipvxvrq.com
musicmixb.co
myloanandcredit.net
n0r1.org
n-0-r-1.org
nanomirs.com
nbvusher.com
nogold.in
nogold.me
nr.kaspyrsky.net
ns1.musicmixb.co
ns1.searchhereonline.net
ns2.searchhereonline.net
ns4.searchhereonline.net
ofexplained.com
oodsydayvbmwj.com
podaitjnvfauh.com
prcgijpwvrl.com
pvpipkio.com
qobiragevuryt.com
realfirmvare.in
rumbaduna.com
sdvrcplyavjif.com
searchhereonline.net
secdfbpyopjhyhuw.com
securitytable.org
simplynamedgritty.in
sliokrvnkjenhwgpjl.com
sqhmkesvsraquihx.com
statonlinekit.in
storedlay.com
suhashvill.com
symbisecure.com
tentiklus.com
tetebebe.knaqu.eu
u.kaspyrsky.net
uk3.in
uxlyihgvfnqcrfcf.com
vdstestservice.info
vncs.knaqu.eu
voohnyqdinl.com
vosmefnuxkkmhbmuac.com
vwaeloyyutodtr.com
wbmpvebw.com
wgkyyalemnvhdrai.com
window-shopper.info
wir.knaqu.eu
wkabaspswbf.com
wwrgnyoqwcodyhg.com
www.desepil.com
x.n-0-r-1.org
x6690x.in
x6699x.in
xd11.in
xdgeivuswhon.com
xjpakmdcfuqe.in
xksax.biz
xphdllpguj.com
xpsp.in
yfsxwvqbsnghyln.com
ylamixambistarimbasicolasta.com

Friday 17 May 2013

Newegg.com spam / balckanweb.com

This fake Newegg.com spam leads to malware:

Date:     Fri, 17 May 2013 10:29:20 -0600 [12:29:20 EDT]
From:     Newegg [info@newegg.com]
Subject:     Newegg.com - Payment Charged
Priority:     High Priority 1

Newegg logo
My Account     My Account |     Customer Services     Customer Services

Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More

Customer ID: [redacted]
Account Number: 23711731
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 97850177) has been successfully charged to your AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team

ONCE YOU KNOW, YOU NEWEGG. Ž
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | Š 2000-2013 Newegg Inc. All rights reserved.

In the version I have the link doesn't work, but I believe that it goes to [donotclick]balckanweb.com/news/unpleasant-near_finally-events.php (report here) hosted or having nameservers on the following IPs:
5.231.24.162 (GHOSTnet, Germany)
71.107.107.11 (Verizon, US)
108.5.125.134 (Verizon, US)
198.50.169.2 (OVH, Canada)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)
209.59.223.119 (Endurance International Group, US)

The domains and IPs indicate that this is part of the "Amerika" spam run.

Blocklist (including nameservers):
5.231.24.162
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
209.59.223.119
balckanweb.com
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

"Referral link" spam / rockingworldds.net and parishiltonnaked2013.net

This spam comes from a hacked AOL email account and leads to malware on 62.76.190.11:

From: [AOL sender]
Sent: 17 May 2013 14:12
To: [redacted]
Subject: [AOL screen name]

Subject :RE(8)
Sent: 5/17/2013 2:11:53 PM
referral link
http://printcopy.co.za/elemqi.php?whvbcfm

The link goes through a legitimate hacked site and in this case ends up at [donotclick]rockingworldds.net/sword/in.cgi?6 (report here) which either redirects to a weight loss spam site or alternatively a malware landing page at [donotclick]parishiltonnaked2013.net/ngen/controlling/coupon_voucher.php (report here) which appears to load the BlackHole Exploit Kit. Both these sites are hosted on 62.76.190.11 (Clodo-Cloud / IT House, Russia).

That server contains a number of other suspect domains that I would suggest that you add to your blocklist:
62.76.190.11
bestukdeals2013.net
catpowers.org
gabbingdeals.com
moonflyerss.com
moonflyerss.net
moonflyerss.org
parishiltonnaked2013.com
parishiltonnaked2013.net
parishiltonnaked2013.org
rockelssens.com
rockelssens.net
rockelssens.org
rockingworldds.com
rockingworldds.net
rockingworldds.org
stofennerson.com
stofennerson.net
stonehengeexposed.com
stonehengeexposed.org
weightlosssystemonline.com

I have several IPs blocked in the 62.76.184.0/21 range, you may want to consider blocking the entire lot if you don't have any reason to send web traffic to Russia.

Thursday 16 May 2013

Wells Fargo and Citi spam / SecureMessage.zip and Securedoc.zip

This fake Wells Fargo message contains a malicious attachment:

Date:     Thu, 16 May 2013 23:24:38 +0800 [11:24:38 EDT]
From:     "Grover_Covington@wellsfargo.com" [Grover_Covington@wellsfargo.com]
Subject:     New Secure Message

Wells Fargo
    Help

To Read This Message:




Look for and open SecureMessage.zip (typically at the top or bottom; location varies by email service).
Secure Message

This message was sent to : [redacted]

Email Security Powered by Voltage IBE

Copyright 2013 Wells Fargo. All rights reserved

The attachment SecureMessage.zip contains a file SecureMessage.exe which has a SHA256 of 289bd82b66ed0c66f0e6a947cb61c928275c1053fa5d2b1119828217f61365ba and is only detected by 2/45 scanning engines at VirusTotal.

The second version is a fake Citi spam with an attachment Securedoc.zip which contains Securedoc.exe. This is the same executable with the same SHA256, just a different name.

Date:     Thu, 16 May 2013 10:16:27 -0500 [11:16:27 EDT]
From:     "secure.email@citi.com" [secure.email@citi.com]
Subject:     You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, securedoc.html You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm

The ThreatExpert report reveals some information, but the best analysis is this ThreatTrack report. Between them they identify some IPs and domains worth blocking:

69.89.21.99
116.122.158.195
212.58.4.13
mail.yaklasim.com
ryulawgroup.com

Walmart.com spam / virgin-altantic.net

Another variant of this spam is doing the rounds, this time leading to a landing page on virgin-altantic.net:

From: Wallmart.com [mailto:sculptsu@complains.wallmartmail.com]
Sent: 16 May 2013 15:35
Subject: Thanks for your Walmart.com Order 3450995-348882

Visit Walmart.com |
Help |
My Account |
Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping
• You'll receive another email, with tracking information, when your order ships.
• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
     Ship to Home
    Gabriel Miller
1881 Granada Dr
Washington, NC 68025-3157
USA

Walmart.com     Order Number: 3450995-348882

Ship to Home - Standard
Items    Qty    Arrival Date     Price
Samsung UN55EH9050 42" 1080p 600Hz Class LED (3.7" ultra-slim) 3D HDTV    1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00

Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service
Walmart.com Total:    $960.86
Order Summary
Order Date:    05/15/2013
Subtotal:    $898.00
Shipping:    Free
Tax:     $62.86
Order Total:    $960.86
Credit card:    $960.86
        Billing Information
Payment Method:
Credit card

If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com

Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!

The malicious payload is at [donotclick]virgin-altantic.net/news/ask-index.php (report here). IP addresses are the same as in the other attack, although obviously if you are blocking by domain you should add virgin-altantic.net too.

Walmart.com spam / bestunallowable.com

This fake Walmart spam leads to malware on bestunallowable.com:

From:    Wallmart.com [deviledm978@news.wallmart.com]
Date:    16 May 2013 14:02
Subject:    Thanks for your Walmart.com Order 3795695-976140

Walmart
Visit Walmartcom |     Help |     My Account |     Track My Orders

[redacted]
Thanks for ordering from Walmart.com. We're currently processing your order.
Items in your order selected for shipping

• You'll receive another email, with tracking information, when your order ships.

• If you're paying by credit card or Bill Me Later®, your account will not be charged until your order ships. If you see a pending charge on your account prior to your items shipping, this is an authorization hold to ensure the funds are available. All other forms of payment are charged at the time the order is placed.
Shipping Information
    Ship to Home


Hannah Johnson
1961 12 Rd
Orange, NC 68025-3157
USA


Walmart.com     Order Number: 3795695-976140
Ship to Home - Standard
Items     Qty     Arrival Date     Price
Philips UN65EH9060 50" 1080p 60Hz Class LED (Internet Connected) 3D HDTV     1     Arrives by Tue., May 21
Eligible for Free Standard Shipping to Home.     $898.00
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
See our Returns Policy or
contact Customer Service     Walmart.com Total:     $960.86
Order Summary
Order Date:     05/15/2013
Subtotal:     $898.00
Shipping:     Free
Tax:     $62.86
Order Total:     $960.86
Credit card:     $960.86

Billing Information
Payment Method:
Credit card
If you have any questions, please refer to help.walmart.com or reply to this email and let us know how we can help.
Thanks,

Your Walmart.com Customer Service Team
www.walmart.com

Rollbacks     Sign Up for Email Savings and Updates
Have the latest Rollbacks, hot new releases, great gift ideas and more sent right to your inbox!

©Walmart.com USA, LLC, All Rights Reserved.

The link goes through a legitimate hacked site and ends up on a malware page at [donotclick]bestunallowable.com/news/ask-index.php (report here) hosted on:

108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characterstic of the Amerika gang:
   Administrative Contact:
   McDonough, Tara ukcastlee@mail.com
   38 Wee Burn Lane
   DARIEN, CO 06820
   US
   2036566697

Blocklist (including nameservers):
71.107.107.11
108.5.125.134
198.50.169.2
198.61.147.58
bestunallowable.com
biati.net
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
icensol.net
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
recorderbooks.net
smartsecurity-app.com
twintrade.net
virgin-altantic.net
zonebar.net

HMRC spam / VAT Returns Repot 517794350.doc

This fake HMRC (UK tax authority) spam contains a malicious attachment:

From: noreply@hmrc.gov.uk [mailto:noreply@hmrc.gov.uk]
Sent: 16 May 2013 10:48
Subject: Successful Receipt of Online Submission for Reference 517794350

Thank you for sending your VAT Return online. The submission for reference 517794350 was successfully received on 2013-05-16 T10:45:27 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

The attachment is VAT Returns Repot 517794350.doc which contains an exploit which is currently being analysed. It is likely to use the same vulnerability as this attack. VirusTotal results are just 1/46, so either this is something completely new or it is a corrupt sample.

UPDATE: ThreatTrack reports that the malware sample appears to make contact with the following IPs which are all dynamic IP addresses, indicating perhaps a P2P version of Zeus:
62.103.27.242
76.245.44.216
86.124.111.218
92.241.139.165
122.179.128.38
189.223.139.172
190.42.161.35

"Invoice Copy" spam / invoice copy.zip

This fake invoice email contains a malicious attachment:

Date:     Thu, 16 May 2013 00:27:41 -0500 [01:27:41 EDT]
From:     Karen Parker [Kk.parker@tiffany.com]
Subject:     invoice copy

Kindly open to see export License and payment invoice attached,meanwhile we sent the balance payment yesterday.Please confirm if it has settled in your account or you can call ifthere is any problem.ThanksKaren parker

The attachment is invoice copy.zip which in turn contains an executable invoice copy.exe which has an icon to make it look like a spreadsheet. VirusTotal results are a pretty poor 7/45 and indicate that this is a Zbot variant.

The Comodo CAMAS report indicates that the malware seems to be rummaging though address books and gives the following characteristics:

Size	331776
MD5	ebdcd7b8468f28932f235dc7e0cd8bcd
SHA1	a3d251b8f488ef1602e7016cb1f51ffe116d7917
SHA256	4b15971cf928a42d44afdf87a517d229e4aabbb5967cb9230a19592d2b939fe6

The ThreatExpert report and Anubis report are pretty inconclusive. The ThreatTrack report is nicely detailed and gives some details about network connections which I haven't had a chance to analyse yet.

As ever, blocking EXE-in-ZIP files at the perimeter is the best way to guard against this type of threat.

Wednesday 15 May 2013

ADP spam / outlookexpres.net

This fake ADP spam leads to malware on outlookexpres.net:

Date:     Wed, 15 May 2013 22:39:26 +0400
From:     "donotreply@adp.com" [phrasingr6@news.adpmail.org]
Subject:     adp_subj

ADP Instant Warning

Report #: 55233

Respected ADP Client May, 15 2013

Your Processed Transaction Report(s) have been uploaded to the website:

Sign In here

Please see the following information:

• Please note that your bank account will be charged within 1 business banking day for the sum shown on the Statement(s).

• Please don't try to reply to this message. automative notification system not configured to accept incoming email. Please Contact your ADP Benefits Expert.

This email was sent to existing users in your company that access ADP Netsecure.

As every time, thank you for using ADP as your business affiliate!

Rep: 55233 [redacted]

The link in the spam email goes through a legitimate but hacked site and ends up on a malware landing page at [donotclick]outlookexpres.net/news/estimate_promising.php (report here) hosted on the same IPs found in this attack:
36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
outlookexpres.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
twintrade.net
zonebar.net

Something evil on 184.95.51.123

184.95.51.123 (Secured Servers LLC, US / Jolly Works Hosting, Philippines) appears to be trying to serve the Blackhole Exploit kit through an injection attack (for example). The payload appears to be 404ing when viewed in the automated tools I am using, but indications are that the malware on this site is still very much live.

The domains on this server belong to a legitimate company, Lifestyle exterior Products, Inc. of Florida who are probably completely unaware of the issue.

These following domains are all flagged by Google as being malicious, and are all based on 184.95.51.123. I would recommend blocking the IP if you can, else the domains I can find are listed below:

exteriorbylifestyle.com
hurricanesafecard.com
hurricanesavingsgift.com
hurricaneshuttersdiscount.com
hurricaneshuttersgift.com
hurricaneshuttersrebate.com
hurricanestormsavings.com
hurricanestrength.com
hurricanestrengthsavings.com
lifelinewindows.com
lifestylebonita.com
lifestyleestero.com
lifestyleexcellence.com
lifestyleexterior.com
lifestyleexteriorstrong.com
lifestyleexteriorwindows.com

Facebook spam / otophone.net

This fake Facebook spam leads to malware on otophone.net:

Date:     Tue, 14 May 2013 15:29:24 -0500 [05/14/13 16:29:24 EDT]
From:     Facebook [notification+LTFS15RDTR@facebookmail.com]
Subject:     Jonathan Rogers wants to be friends on Facebook

facebook
Jonathan Rogers wants to be friends with you on Facebook Facebook.

Jonathan Rogers
1083 friends · 497 photos · 2 notes · 1535 Wall posts
Confirm Friend Request

See All Requests
This message was sent to dynamoo@spamcop.net. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 417 P.O Box 10005 Palo Alto CA 96303

The link in the email goes through a legitimate hacked site and then ends up on a malware landing page at [donotclick]otophone.net/news/appreciate_trick_hanging.php (report here) hosted on the following IPs:

36.224.16.74 (Chunghwa Telecom, Taiwan)
108.5.125.134 (Verizon, US)
198.61.147.58 (Matt Martin Real Estate Management / Rackspace, US)

The WHOIS details are characteristic of the "Amerika" series of malware spams.
    MURNANE, LARRY samyidea@yahoo.com
    690 West B
    SAN DIEGO, CA 92101
    US
    +1.8588695411

Blocklist:
36.224.16.74
108.5.125.134
198.61.147.58
contonskovkiys.ru
curilkofskie.ru
exrexycheck.ru
fenvid.com
gangrenablin.ru
gatareykahera.ru
janefgort.net
klosotro9.net
mortolkr4.com
nopfrog.pw
otophone.net
peertag.com
pinformer.net
priorityclub.pl
smartsecurity-app.com
zonebar.net