USPS spam / USPS_Label_861337597092.zip

This fake USPS spam contains a malicious attachment:

Date:      Thu, 6 Jun 2013 10:43:56 -0500 [11:43:56 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Your package is available for pickup ( Parcel 861337597092 )

Postal Notification,

We attempted to deliver your item at 6 Jun 2013.
Courier service could not make the delivery of your parcel.
Status Deny / Invalid ZIP Code.

If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.

Label/Receipt Number: 861337597092
Expected Delivery Date: Jun 6, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

For mode details and shipping label please see the attached file.

Print this label to get this package at our post office.

Thank you,
© 2013 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

There is an attachment called USPS_Label_861337597092.zip which in turn contains a malicious executable file USPS_Label_06062013.exe (note the date is encoded into the filename). VirusTotal results for this are 18/47.

The Comodo CAMAS report shows an attempt to download more components from michaelscigarbar.net on 184.95.37.109 (Jolly Works Hosting, Philippines.. rented from Secured Servers in the US). URLquery shows a very large amount of malware activity on that IP, mostly apparently running on legitimate hacked domains. You should probably treat all of the following domains as hostile:
alliancelittleaviators.com
apparelacademy.com
apparelacademy.net
brokerforcolorado.com
carlaellisproperties.com
dragoncigars.net
heavenlycigars.net
libertychristianstore.com
michaelscigarbar.com
michaelscigarbar.net
michaelscigars.net
montverdestore.com
montverdestore.net
montverdestore.org

NatPay "Transmission Confirmation" spam / usforclosedhomes.net

This fake NatPay spam leads to malware on usforclosedhomes.net.

Version 1:

Date:      Thu, 6 Jun 2013 20:53:08 +0600 [10:53:08 EDT]
From:      National Payment Automated Reports System [dunks@services.natpaymail.net]
Subject:      Transmission Confirmation ~26306682~N25BHHL1~

Transmission Verification    
Contact Us
To:    
NPC Account # 26306682
Xavier Reed
   
Re:    
NPC Account # 26306682
D & - D5
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number       408
Batch Description       VENDOR PAY
Number of Dollar Entries       2
Number of Prenotes       0
Total Deposit Amount       $3,848.19
Total Withdraw Amount      $3,848.19
Batch Confirmation Number      50983
   
Date Transmitted      Thursday, June 06, 2013
Date Processed       Thursday, June 06, 2013
Call Start Time       4:06 PM
Call End Time       4:07 PM
Funding Method       2 Day Funding
Cycle       AM
Effective
Entry Date

Transaction Type
   
Entry
Identification

Routing/Transit

Bank Account
Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $3,848.19
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$3,848.19
Totals     $0.00
Report reference ID # N25BHHL1     Created on Thursday, June 06, 2013
Have a question about this report?  Please click here to send us an email with your question.

Version 2:

Date:      Thu, 6 Jun 2013 09:59:06 -0500
From:      National Payment Automated Reports System [lemuel@emalsrv.natpaymail.com]
Subject:      Transmission Confirmation ~10968697~607MPYRC~

Transmission Verification    
Contact Us
To:    
NPC Account # 10968697
Benjamin Turner
   
Re:    
NPC Account # 10968697
D & - MN
Thursday, July 04, 2013, Independence Day is a Federal Banking Holiday. All banks are closed for this holiday, therefore NatPay will not be able to process any files on that date. If you plan on transmitting for a paydate that falls between Thursday, July 04, 2013 and Thursday, July 11, 2013 you will need to the file a day earlier.

Batch Number     219
Batch Description     VENDOR PAY
Number of Dollar Entries     2
Number of Prenotes     0
Total Deposit Amount     $2,549.12
Total Withdraw Amount     $2,549.12
Batch Confirmation Number     24035
   
Date Transmitted     Thursday, June 06, 2013
Date Processed     Thursday, June 06, 2013
Call Start Time     4:06 PM
Call End Time     4:07 PM
Funding Method     2 Day Funding
   
Cycle     AM
Effective

Entry Date

Transaction Type
   
Entry

Identification

Routing/Transit

Bank Account

Entry Amount
06/08/2013     Checking - Deposit     XXXXXXXX     XXXXXXXXX     XXXXXXXXXX     $2,549.12
06/06/2013     Checking - Withdraw     Offset Entry     XXXXXXXXX     XXXXXXXXXX     -$2,549.12
Totals     $0.00
Report reference ID # 607MPYRC     Created on Thursday, June 06, 2013
Have a question about this report? Please click here to send us an email with your question.

The malicious payload is on [donotclick]usforclosedhomes.net/news/walls_autumns-serial.php (report here) hosted on the following IPs:
41.89.6.179 (Kenya Education Network, Kenya)
46.18.160.86 (Saudi Electronic Info Exchange Company (Tabadul) JSC, Saudi Arabia)
93.89.235.13 (FBS Bilisim Cozumleri, Cyprus)
112.170.169.56 (Korea Telecom, South Korea)

The cluster of IPs and domains this belongs to identifies it as part of the Amerika spam run.

Blocklist:
41.89.6.179
46.18.160.86
93.89.235.13
112.170.169.56
abacs.pl
biati.net
buyparrots.net
citysubway.net
condalnuashyochetto.ru
cunitarsiksepj.ru
eheranskietpj.ru
ejoingrespubldpl.ru
enway.pl
federal-credit-union.com
gnunirotniviepj.ru
gstoryofmygame.ru
icensol.net
myhispress.com
onlinedatingblueprint.net
oydahrenlitutskazata.ru
ozonatorz.com
smartsecurityapp2013.com
sngroup.pl
twintrade.net
usforclosedhomes.net

Innex, Inc fake spam

Innex, Inc is a real company. This spam email message is not from Innex, Inc.

From:     PURCHASING DEPARTMENT [fdmelo@fucsalud.edu.co]
To:
Reply-To:     pinky.yu@chanqtjer.com.tw
Date:     6 June 2013 08:55
Subject:     Innex, Inc.


Sir/Madam,

Our Company is interested in your product, that we saw  in trading site,

Your early reply is very necessary for further detail specification immediately you receive our email.

Regards
Purchasing manager,
Mr James Vincent .

Innex, Inc.
325 Enterprise Place,
Pomona, CA 91768
United States.

Innex is based in California in the US, but the email appears to be from a university in Colombia and solicits replies to an email address in Taiwan. Note as well that the email is very vague about the "product" they are interested in, and the To: field is blank as the recipient list has been suppressed (i.e. it is being sent to multiple recipients). Avoid.

rxlogs.net: spam or Joe Job?

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From:      Admin [whisis101@gmail.com]
Reply-To:      ec2-abuse@amazon.com

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team

The link in the emails goes to multiple pages on rxlogs.net which as far I as can tell is not malware, but is a blog about online pharmacies. But is is spam? Well, let's dig a little deeper..

Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous addition headers..

The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been faked in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs.net is hosted on 107.20.147.122 which is an Amazon IP, so this is beginning to look like a Joe Job.

Received: from lsh410.van.ca.siteprotect.com (204.174.223.206)
  by [redacted] with SMTP; 6 Jun 2013 07:37:53 -0000
Date: Thu, 6 Jun 2013 00:37:53 -0700
To: [redacted]
From: Admin [whisis101 -at- gmail.com]
Return-Path: [bantstreetpottery -at- sctelco.net.au]
Reply-To: ec2-abuse -at- amazon.com
Subject: Reminder: Reset your password
Message-Id: [2cc3f11ac2ce3aa7d59d8682eee6df05@notify.amazon.com]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit

So what do we know about the domain rxlogs.net? Well, the WHOIS details appear to be genuine and not hidden, I've redacted the most of the personal information but some of the key details are:

domain:       rxlogs.net
owner:        Stephen K. Walker
email:        whisis101 -at- gmail.com
address:      [redacted]
city:         [redacted]
postal-code:  [redacted]
country:      US
phone:        +7.[redacted]

The "From" address in the email matches the registration address in the WHOIS. Does that make it a genuine email? No, because no spammer is stupid enough to use their real email address in a spam run like this. Again, this smells like a Joe Job.

Another key indicator that this is a Joe Job is that all the dozens of emails have been sent to a spamcop.net email address, and there are far more emails that you would normally see for this type of spam run. This behaviour is typical for a Joe Job attack, the spammer pick the people who are most likely to complain and then hit them repeatedly to get try to get them to file a complaint with the victim's web host.

If you use Gmail, the email links back to a spare but apparently genuine Google+ profile, which links back to rxlogs.net. Which really leads to the next question.. what is rxlogs.net about?

rxlogs.net appears to be a genuine attempt to look at and rate online pharmacies using secondary sources to judge reliability and trustworthiness. The sites carries some paid advertising, but doesn't appear to deal with prescription medications directly, it looks like an affiliate site.

I'm not an expert in the US online pharmacy market, but I do know that you can check the legitimacy of online pharmacies with LegitScript but this is not without criticism.

My guess is that what has happened here is that Mr Walker has posted something on rxlogs.net which exposes a bogus pharma operation run by the same spammers sending out these emails. In other words, I believe this is a Joe Job and not a "genuine" spam run, and rxlogs.net is simply another victim of the bad guys.

More Champions Club Community spam

These grubby little spammers are at it again. Apparently Steve Jobs is dead. Who knew?

Anyway, the originating IP is 217.174.248.194 [web1-opp2.champions-bounce.co.uk] (Fasthosts, UK). Spamvertised domains are champions.onlineprintproofing.co.uk also on 217.174.248.194 and championsclubcommunity.com on 109.203.113.124 (Eukhost, UK). Give these spammers a wide berth.

From:     The Editor - Champions Club Community
Reply-To:     contactus2@championsclubcommunity.com
Date:     5 June 2013 05:45
Subject:     CCC LIFE : This Month - Steve Jobs In Focus

Hello and a very warm welcome to the latest newsletter from Champions Club Community!

This month we have an eclectic mix of articles, hopefully with something for everybody.

Here are a few of the headline articles, with links directly to our site:

    Steve Jobs, often described as a visionary during his life, there has been much speculation about the significance of his last words… http://championsclubcommunity.com/rip-steve-jobs/

    His Royal Highness The Prince of Wales, Patron of Samaritans, hosted a reception for distinguished guests and volunteers to launch the celebrations marking 60 years since the charity received its first call in November 1953. http://championsclubcommunity.com/samaritans-start-60th-celebrations/

    A question was posed to the Dalai Lama - “WHAT IS the thing about humanity that surprises you the most?” His answer:  “Man… sacrifices his health to make money. Then he sacrifices his money to try to gain back his health.” http://championsclubcommunity.com/a-question-was-posed-to-dalai-lama-provided-by-guy-insull/

    Pope Francis I. He is opposed to gay marriage, regards the Falklands Islands as being usurped by the UK, and it is not believed that he will allow priests to marry: controversial or merely traditionalist? http://championsclubcommunity.com/pope-francis-1-a-new-hope-for-the-world-by-dianna-moylan/

    “The spirit of good business is the excellence of the connection between purchaser and supplier.” John Meredith examines “The 8th Habit” in which Stephen Covey says that a tactical plan begins with the customer…  http://championsclubcommunity.com/execution-of-the-strategic-plan-by-john-meredith/

As always, there is a whole lot more inside the magazine.  Enjoy the read and do join in if you have a story to tell that will inspire others to Make A Difference! (Go MAD!!).

Kind regards,

The Editor, Champions Club Community

Please note: if you no longer wish to receive these newsletter communications from us you can unsubscribe from our mailing list by using the "unsubscribe" link at the bottom of this email. Thank you.

"Fiserv Secure Email Notification" spam with an encrypted, malicious ZIP attachment

This spam email contains an encrypted ZIP file with password-protected malware.

Date:      Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From:      Fiserv Secure Notification [secure.notification@fiserv.com]
Subject:      Fiserv Secure Email Notification - IZCO4O4VUHV83W1

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password -  Iu1JsoKaQ

To read the encrypted message, complete the following steps:

 -  Double-click the encrypted message file attachment to download the file to your computer.
 -  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 -  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.840.0668.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date in included in that filename).

At the moment the VirusTotal detection rate is a so-so 16/47. The ThreatTrack analysis identifies some locations that the malware phones home to:
netnet-viaggi.it
paulcblake.com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170

For the records, those IPs belong to:
74.54.147.146 (ThePlanet, US)
116.122.158.195 (Hanaro Telecom, Korea)
190.147.81.28 (Telmex, Colombia)
194.184.71.7 (Ouverture Service, Italy)
207.204.5.170 (Register.com, US)

Medfos sites to block 31/5/13

The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans (this one in particular):

84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
ehistats.su
emstats.su
ieguards.su
iestats.cc
inetprotections.su
iprotections.su
netprotections.cc
sysinfo.cc
sysinfonet.cc
westats.cc

The hosts involved are:
84.32.116.110 (LIX Solutions, Lithunia)
85.25.132.55 (Intergenia / PlusServer AG, Germany)
173.224.210.244 (Psychz Networks, US)
184.82.62.16 (HostNOC, US)
188.95.48.152 (Globab Layer, Netherlands)

The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here.

NewEgg.com spam / 174.140.171.233

This fake NewEgg.com spam leads to malware on 174.140.171.233:

Date:      Thu, 30 May 2013 16:06:12 +0000 [12:06:12 EDT]
From:      Newegg [info@newegg.com]
Subject:      Newegg.com - Payment  Charged

Newegg logo    
My Account     My Account |     Customer Services     Customer Services
�
Twitter     Twitter     You Tube     You Tube     Facebook     Facebook     Myspace     Myspace
click to browse e-Blast     click to browse Shell Shocker     click to browse Daily Deals
Computer Hardware     PCs & Laptops     Electronics     Home Theater     Cameras     Software     Gaming     Cell Phones     Home & Office     MarketPlace     Outlet     More

Customer ID: [redacted]
Account Number: 24577609
Dear Customer,

Thank you for shopping at Newegg.com.

We are happy to inform you that your order (Sales Order Number: 20781193) has been successfully charged to your�AMEX and order verification is now complete.

If you have any questions, please use our LiveChat function or visit our Contact Us Page.

Once You Know, You Newegg.

Your Newegg.com Customer Service Team


ONCE YOU KNOW, YOU NEWEGG. �
Policy and Agreement | Privacy Policy | Confidentiality Notice
Newegg.com, 9997 Rose Hills Road, Whittier, CA. 90601-1701 | � 2000-2013 Newegg Inc. All rights reserved.

The malicious payload is any one of a number of domains hosted on 174.140.171.233 which is also being used in this attack. Blocking the IP is the easiest way to protect against the malicious sites hosted on that server.

ADP spam / 4rentconnecticut.com and 174.140.171.233

This summary is not available. Please click here to view the post.

Al Rowaad Advocates - scumbag, spammy lawyers

This scumbag law firm from the UAE advertises itself through spam.

From:     Professional Lawyers in the UAE [uaelawyers@gmx.com]
Reply-To:     uaelawyers@gmx.com
Date:     30 May 2013 18:52
Subject:     Al Rowaad Advocates - Monthly Newsletter - May 2013

Dear Sirs,

Please forgive our direct email which is intended to give a brief introduction to our law firm based in the United Arab Emirates.

Al Rowaad Advocates and Legal Consultancy is an astute, diverse firm of lawyers working for businesses and private clients, nationally and internationally. The firm is highly regarded, often recommended by other lawyers and is known for combining creative solutions with commercial pragmatism and a friendly, sensitive approach. The firm is also renowned for its integrity and experience in dealing with complex and varied legal issues. Al Rowaad has expertise in clinical negligence, corporate and commercial work, criminal litigation, dispute resolution, family law, employment, real estate and regulatory work.

Al Rowaad Advocates and Legal Consultancy is proud to introduce its monthly newsletter that will discuss topical issues in the legal profession. The newsletter will touch upon various areas of law in the UAE and analyse changes in complex legislative, governance and regulatory provisions.

If you wish to subscribe, please email us at uaelawyers@gmx.com.

Thank you,
Al Rowaad Advocates & Legal Consultancy
Tel.: +971 4 3254000
Fax: +971 4 358 9494

Integrity? Sending spam to an email address that you scraped off the web? I don't think so. The originating IP is 220.112.38.133 in China, presumably where they have outsourced their scummy marketing to.

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:

From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Kindle Store | Your Account | Amazon.com Order Confirmation Order #175-7801666-2934626 [redacted] Thank you for shopping with us. Wed like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com. Your estimated delivery date is: Thursday, May 30, 2013 - Friday, May 31, 2013 Your shipping speed: Next Day Air Your order was sent to: Benjamin Phillips 2724 3rdCotton Avenue Cohoes, CA 62229-6646 United States Order Details Order #175-7801666-2934626 Placed on Wensday, May 29, 2013 Akai NPK55KR9070 55-Inch 1080p 120Hz LED 3D HDTV (Silber) Electronics In Stock Sold by MODIA $979.98 Item Subtotal: $979.98 Shipping & Handling: $0.00 Total Before Tax: $979.98 Estimated Tax: $0.00 Order Total: $979.98 To learn more about ordering, go to Ordering from Amazon.com. If you want more information or need more assistance, go to Help. Thank you for shopping with us. Amazon.com Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.

The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate of these IPs only we get the following blocklist:
41.89.6.179
141.28.126.201
177.5.244.236
208.68.36.11
aviachecki.ru
avtotracki.ru
balckanweb.com
biati.net
buyparrots.net
federal-credit-union.com
giwmmasnieuhe.ru
icensol.net
mydkarsy.com
nvufvwieg.com
ozonatorz.com
rusistema.ru
smartsecurityapp2013.com
techno5room.ru
testerpro5.ru
trackerpro5.ru
twintrade.net
zeouk-gt.com

University of Illinois CS department compromised

There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24, range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc.edu, croft.cs.illinois.edu, tsvi-pc.cs.uiuc.edu, mirco.cs.uiuc.edu, ytu-laptop.cs.uiuc.edu, node3-3105.cs.uiuc.edu and they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):

128.174.240.37
balckanweb.com
virgin-altantic.net
twintrade.net
biati.net
icensol.net
outlookexpres.net
gatareykahera.ru
curilkofskie.ru
exrexycheck.ru
gangrenablin.ru
contonskovkiys.ru

128.174.240.52
nvufvwieg.com
zeouk-gt.com
mydkarsy.com
trackerpro5.ru
avtotracki.ru
aviachecki.ru
techno5room.ru
getstatsp.ru

128.174.240.53
enway.pl

128.174.240.74
yelpwapphoned.com
streetgreenlj.com
crossdissstep.com
multipliedfor.com
sweetcarsinkas.at
roobihhooerses.at
stackltiplied.net
nitrogrenberd.net
salesplaytime.net
sludgekeychai.net
uestsradiates.net
smurfberrieswd.su
jounglehoodeze.su
sbliteratedtum.su
solidlettersiz.su

128.174.240.153
confideracia.ru
condalinaradushko.ru
pizdecnujzno.ru
ochengorit.ru
xenaidaivanov.ru

128.174.240.213
balckanweb.com
virgin-altantic.net
twintrade.net
biati.net
icensol.net
outlookexpres.net
gatareykahera.ru
curilkofskie.ru
exrexycheck.ru
gangrenablin.ru
contonskovkiys.ru

Update: the University says that this was a single machine on the network which has now been cleaned up.

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended blocklist list of IPs for copy-and-pasting, finally a list of IPs that are advertised as nameservers within this group for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..

Domains:
adverstindotanes.com
assumedwhacked.su
auditbodies.net
autocanonicals.com
aviachecki.ru
avtotracki.ru
balckanweb.com
bebomsn.net
bednotlonely.com
beveragerefine.su
biati.net
businessdocu.net
buyparrots.net
carambatv.net
chairsantique.net
cocainism.net
condalinaradushko.ru
condalinaradushko5.ru
condalinradishevo.ru
confideracia.ru
coping-capacity.com
crossdissstep.com
crushandflussh.net
curilkofskie.ru
decimallogme.com
docudat.ru
doorandstoned.com
down-vid.net
e-eleves.net
ernutkskiepro.ru
exrexycheck.ru
fastkrug.ru
federal-credit-union.com
fenvid.com
flipboardre-late.com
gangrenablin.ru
garohoviesupi.ru
getstatsp.ru
ghroumingoviede.ru
giwmmasnieuhe.ru
heavygear.net
heidipinks.com
hiddenhacks.com
hotamortisation.net
iberiti.com
icensol.net
independinsy.net
initiationtune.su
insectiore.net
jounglehoodeze.su
letsgofit.net
linguaape.net
metalcrew.net
mgdooling.ru
mortolkr4.com
multipliedfor.com
mydkarsy.com
myfreecamgirls.net
nitrogrenberd.net
normansvenn.com
notyetratedwort.com
nvufvwieg.com
ochengorit.ru
otoperhone.com
outbounduk.net
outlookexpres.net
peertag.com
penetratedsync.su
pizdecnujzno.ru
proxy-tor-service.com
recorderbooks.net
relectsdispla.net
reportingglan.com
restaurantequipmentparadise.net
roobihhooerses.at
rusistema.ru
salesplaytime.net
sbliteratedtum.su
scanskype.pl
secrettapess.com
secureaction120.com
sludgekeychai.net
smartsecurity-app.com
smartsecurityapp2013.com
smurfberrieswd.su
solidlettersiz.su
stackltiplied.net
streetgreenlj.com
streetlookups.com
susubaby.net
sweetcarsinkas.at
tasteh-pux.com
techno5room.ru
testerpro5.ru
timeschedulin.com
time-update.com
time-update.net
trackerpro5.ru
twintrade.net
uestsradiates.net
usergateproxy.net
virgin-altantic.net
xenaidaivanov.ru
yelpwapphoned.com
zeouk-gt.com
zoohits.net

IPs and hosts:
5.175.155.183 (GHOSTnet, Germany)
37.131.214.69 (Interra Ltd, Russia)
41.89.6.179 (Kenya Education Network, Kenya)
42.62.29.4 (Forest Eternal, China)
50.193.197.178 (Comcast, US)
54.214.22.177 (Amazon AWS, US)
62.109.30.168 (TheFirst-RU, Russia)
77.237.190.22 (Parsun Network Solutions, Iran)
82.50.45.42 (Telecom Italia, Italy)
91.93.151.127 (Global Iletisim Hizmetleri, Turkey)
91.193.75.55 (KGB Hosting, Serbia)
94.249.208.228 (GHOSTnet, Germany)
95.43.161.50 (BTC, Bulgaria)
99.61.57.201 (AT&T, US)
103.7.251.36 (Fiberathome, Bangladesh)
109.169.64.170 (ThrustVPS, US)
112.196.2.39 (Quadrant Televentures / HFCL Infotel, India)
114.4.27.219 (Indosat, Indonesia)
114.247.121.139 (China Unicom, China)
115.28.35.163 (HiChina Web Solutions, China)
122.160.51.9 (ABTS, Delhia)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
140.117.164.154 (Sun Yat-sen University, Taiwan)
151.1.224.118 (Itnet, Italy)
159.253.18.253 (FastVPS, Russia)
162.209.12.86 (Rackspace, US)
166.78.136.235 (Rackspace, US)
177.5.244.236 (Brasil Telecom, Brazil)
178.20.231.214 (Salay Telekomunikasyon Ticaret Limited, Turkey)
178.209.126.87 (WestCall Ltd, Russia)
181.52.237.17 (Telmex, Colmbia)
183.82.221.13 (Hitech, India)
186.215.126.52 (Global Village Telecom, Brazil)
188.32.153.31 (National Cable Networks, Russia)
190.106.207.25 (Comcel, Guatemala)
192.154.103.81 (Gorillaservers, US)
192.210.216.53 (ColoCrossing, US)
197.246.3.196 (The Noor Group, Egypt)
201.65.23.153 (Comercial 15 De Novembro Ltda, Brazil)
201.170.148.171 (Telefonos del Noroeste, Mexico)
204.45.7.213 (FDCservers.net, US)
208.68.36.11 (Digital Ocean, US)
210.61.8.50 (Chunghwa Telecom, Taiwan)
212.179.221.31 (Bezeq International, Israel)
213.113.120.211 (Telenor, Sweden)
217.174.211.1 (Agarik SA, France)
222.200.187.83 (Sun Yat-sen University, China)

Recommended IP blocklist:
5.175.155.183
37.131.214.69
41.89.6.179
42.62.29.4
50.193.197.178
54.214.22.177
62.109.28.0/22
77.237.190.0/24
82.50.45.42
91.93.151.127
91.193.75.0/24
94.249.208.228
95.43.161.50
99.61.57.201
103.7.251.36
109.169.64.170
112.196.2.39
114.4.27.219
114.247.121.139
115.28.35.163
122.160.51.9
128.174.240.0/24
140.117.164.154
151.1.224.118
159.253.18.0/24
162.209.12.86
166.78.136.235
177.5.244.236
178.20.231.214
178.209.126.87
181.52.237.17
183.82.221.13
186.215.126.52
188.32.153.31
190.106.207.25
192.154.103.81
192.210.216.53
197.246.3.196
201.65.23.153
201.170.148.171
204.45.7.213
208.68.36.11
210.61.8.50
212.179.221.31
213.113.120.211
217.174.211.1
222.200.187.83

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):
2.121.229.200 (Sky Broadband, UK)
5.175.146.153 (GHOSTnet, Germany)
5.175.154.17 (GHOSTnet, Germany)
5.175.154.149 (GHOSTnet, Germany)
5.231.18.4 (GHOSTnet, Germany)
6.18.199.178 (Department of Defense, US)
6.20.13.25 (Department of Defense, US)
8.13.139.1 (Level 3 Communications, US)
8.18.19.15 (Level 3 Communications, US)
8.18.19.16 (Level 3 Communications, US)
11.3.51.158 (Department of Defense, US)
12.179.132.98 (Intuit, US)
14.139.209.13 (National Institute Of Technology, India)
15.78.78.23 (Hewlett Packard, US)
15.84.23.131 (Hewlett Packard, US)
17.19.12.100 (Apple Inc, US)
20.2.45.143 (CSC, US)
22.100.28.100 (Department of Defense, US)
29.125.31.77 (Department of Defense, US)
42.96.142.17 (Alibaba, China)
42.96.194.13 (Alibaba, China)
46.254.18.79 (Internet-Hosting Ltd, Russia)
65.34.1.1 (RoadRunner / Bright House, US)
65.180.199.2 (Sprint, US)
66.100.109.112 (Savvis, US)
71.123.11.14 (Verizon, US)
77.99.44.18 (Virgin Media, UK)
80.249.65.80 (Djaweb, Algeria)
81.31.227.60 (Chapar Raseneg, Iran)
85.25.189.163 (Intergenia / PlusServer AG, Germany)
91.215.156.62 (Infinite Technologies, Netherlands)
91.242.214.33 (Hostcircle, India)
92.190.190.191 (France Telecom, France)
95.143.41.41 (Inline Internet / VPS4less, Germany)
112.72.64.217 (VTC Wireless Broadband Company, Vietnam)
114.199.141.85 (Hyundai Communications, Korea)
125.39.104.86 (Beijing Sinainternetinformationservice, China)
153.127.248.205 (Kagoya Japan Corporation, Japan)
162.209.14.28 (Rackspace, US)
173.1.12.57 (GoGrid LLC, US)
175.102.0.187 (Shanghai Yovole Networks, China)
176.19.224.180 (Mobily, Saudi Arabia)
177.5.230.242 (Brasil Telecom, Brazil)
184.106.229.74 (Rackspace, US)
186.25.27.65 (Telcel, Venezuela)
186.25.27.66 (Telcel, Venezuela)
201.101.98.89 (UniNet, Mexico)
202.63.105.86 (Southern Online Bio Technologies, India)
202.93.114.90 (FirstasiaNet, Indonesia)
207.58.158.186 (Servint, US)
207.182.146.247 (Xlhost, US)
209.140.18.37 (Landis Holdings, US)
210.25.137.197 (China Education and Research Network, China)
211.20.45.138 (Chunghwa Telecom, Taiwan)
214.191.12.134 (Department of Defense, US)
214.191.102.34 (Department of Defense, US)