Sponsored by..

Tuesday 6 August 2013

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chungwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

What is 65.222.202.0/24?

A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:


Block Start End CustName: Description:
65.222.202.0/28 65.222.202.0 65.222.202.15 Science Applications Int SAIC (US Defense contractor)
65.222.202.16/28 65.222.202.16 65.222.202.31 Old Dominion Internet Possibly dormant VA corporation
65.222.202.32/28 65.222.202.32 65.222.202.47 FTS2001/US Government Federal Technology Service
65.222.202.48/29 65.222.202.48 65.222.202.55 Unknown "Torsploit" block
65.222.202.56/29 65.222.202.56 65.222.202.63 Universal Machine Co of Pottsdown Inc Universal Machines (www.umc-oscar.com)
65.222.202.64/28 65.222.202.64 65.222.202.79 Kitron Electronic Manufacturing Service
65.222.202.80/29 65.222.202.80 65.222.202.87 Morningside Sports Farm Horse Training Farm in VA
65.222.202.88/29 65.222.202.88 65.222.202.95 MetTel, Inc Telecommunications Service Provider
65.222.202.96/29 65.222.202.96 65.222.202.103 Guidestar NPO Information Service
65.222.202.104/29 65.222.202.104 65.222.202.111 Walt Disney Company Mickey Mouse outfit
65.222.202.112/28 65.222.202.112 65.222.202.127 Dental Concepts Dentistry
65.222.202.128/29 65.222.202.128 65.222.202.135 GARP Research & Securities Financial Analysts
65.222.202.136/29 65.222.202.136 65.222.202.143 Assured Packaging Inc Metal boxes
65.222.202.144/28 65.222.202.145 65.222.202.159 Unknown
66.222.202.160/28 66.222.202.161 66.222.202.174 Unknown
65.222.202.176/29 65.222.202.176 65.222.202.183 Butler Medical Transport Patient Transport Services
65.222.202.184/29 65.222.202.184 65.222.202.191 Federated IT Government IT contractor
65.222.202.192/28 65.222.202.192 65.222.202.207 Old Dominion Internet Possibly dormant VA corporation
65.222.202.208/29 65.222.202.208 65.222.202.215 Pharmceuticals International, Inc Healthcare
65.222.202.216/29 65.222.202.216 65.222.202.223 Unknown
65.222.202.224/29 65.222.202.224 65.222.202.231 Unknown
65.222.202.232/29 65.222.202.232 65.222.202.239 Live Nation Events Company, CA
65.222.202.240/28 65.222.202.240 65.222.202.255 Georgetown Dat School Washington DC school

Monday 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here and the long and the short of it is that the injected code attempt to call back to 65.222.202.53, in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears the DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations is that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29 which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254) which is about 2 million IPs.
 This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or another other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

A slightly odd spam, sent to a scraped email address:

From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd                                                                                                       Our advantages :

Legal Registered Investment company

Guaranteed Return on Investments

Principal Deposits Protection

Trustwave Trusted Commerce Seal

Extended Validation SSL Certificate

DDoss Protected Dedicated Server

Instant Withdrawal Processin                                                                JOIN NOW https://alliexfinancial.com/?ref=flamwood
Description:
Alliexfinancial Ltd is the UK registered legal international investment company. The company was created by a group of qualified experts, professional bankers, traders and analysts who specialized in the stock, bond, futures, currencies, gold, silver and oil trading with having more than ten years of extensive practical experiences of combined personal skills, knowledge, talents and collective ambitions for success.

plans:

2.2% for 7 days ( 115.4% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 1 $1 - $500 2.20


2.5% for 14 days (135% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 2 $10 - $1,000 2.50


2.7% for 21 days (156.7% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 3 $10 - $2,500 2.70


3% daily for 60 days (280% total return)
Plan Spent Amount ($) Daily Profit (%)%)
Plan 4 $10 - $50,000 3.00

  JOIN NOW https://alliexfinancial.com/?ref=flamwood    Inline image 1
The link to alliexfinancial.com/?ref=flamwood looks very much like an affiliate link, given the close match to the spammer's email address. The target site does not appear to be malicious according to URLquery.

So, what is alliexfinancial.com? It appears to be some sort of HYIP (High-Yield Investment Program) that offers up to 3.0% return on a investement.. per day.


Are these return rates sustainable? My personal opinion is that I can't see how it would be possible.

So who is this company. The website states "Alliexfinancial Ltd is the UK registered legal international investment company" which is a bit ungrammatical. It also quotes the apparently valid phone number of +44 161 7110107 which is a Manchester number.

I was interested to find that Alliexfinancial Ltd is a registered company at Companies House in the UK:
ALLIEXFINANCIAL LTD
ADVANTAGE BUSINESS CENTRE
132-134 GREAT ANCOATS STREET
MANCHESTER
ENGLAND
M4 6DE
Company No. 07892518
This details match the WHOIS details of the domain precisely:

ALLIEXFINANCIAL LTD
Paul Aleckson
Email:admin@alliexfinancial.com
132-134 GREAT ANCOATS STREET
ADVANTAGE BUSINESS CENTRE
M4 6DE MANCHESTER
United Kingdom
Tel: +44.1617110107
 The domain was registered in December 2009, so it has been around for a little while. The website is proxied by Cloudflare, but I think that the underlying IP address is probably 31.204.130.25 (i3d, Netherlands).

One problem - there's no such company listed on the Financial Services Register, although they do claim to be regulated in the UK:
Alliexfinancial Ltd activities are regulated by the United Kingdom international business authorities and complies with the United Kingdom legislation.
So, if they're not on the Register I am frankly a bit puzzled as to who their regulator is. They do not quote any reference number. However, they are not listed as being an unauthorised firm either.

One other problem - Companies House says that the company was incorporated in 2011, but the site claims they have been active for at least three years (i.e. since 2010):
For the last three years, the amount of funds managed by us has reached an enormous rate that is important to the company's growth and its stability. We are doing our best to make successful forecasts, and our traders work nearly 24 hours a day to make a more stable profit both for us and our investors. 

Perhaps this is an unregulated scheme? I'm not that much of a legal expert in these things, but I do note that the FCA has cautionary guidance on unregulated collective investment schemes (UCIS). In partciular you cannot recommend a UCIS to the general public, and a spam email sent to a scraped address certainly seems to be an attempt to enrol the public into such a scheme.

So, who runs Alliexfinancial Ltd? The Companies House Director's Report [rtf] mentions a sole director, 28 year old Ukranian national Mr Vladimer Ganaga (it's an odd transliteration, I'd expected Vladimir Ganaga to be a more literal way of writing Владимир Ганага). Apart from an NSFW Vkontakte page there's not much verifiable information.

I'm not a financial adviser, but I certainly wouldn't invest any money in this scheme. Do you have any experiences with it? If you do, perhaps you would consider leaving a comment below (all comments are the responsibility of their owners).

Update 12/9/13: in the past couple of days the Alliexfinancial site went offline and payments to investors stopped. No surprises there!

Sunday 4 August 2013

BLDW "Building Turbines Corp" pump-and-dump spam

This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:

Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom. Building Turbines (PINKSHEETS:
BL_D_W) Concentrates on the Design and Construction of Patented
Roof Top Wind Turbines.

Current Price: .038
Short Term Target: .40
Company: Building Turbines Corp.
Date: August, 5th
Sym: BL_D_W

Renewable Power Corporation Wired To Soar Monday!

==========

Subject: Pay Attention To Detail

Austin Company Pens Contract to Provide Roof Wind Turbines for 90K
Sq-Ft Warehouse. Building Turbines Corp. (OTC PINK: B L_D_W)
Focuses on the Design and Construction of Patented Roof Top Wind
Turbines.

Long Term Target: $.95
Company Name: BUILDING TURBINES CORP
Trading Date: Monday, Aug 5, 2013
To buy: B L_D_W
Market: $.038

Ecological Power Business In Line To Ascend Next Week.

==========


Subject: It Could Make a Rally and Soar! (Huge News Out!)

Green Energy Corporation Clinches Contract to Construct Roof
Wind Turbines for 90,000 Square Foot Stockroom. BUILDING
TURBINES, CORP. (PINKS: BL_D W) Concentrates on the Design and
Manufacture of Patented Roof Top Wind Turbines.

Short Term Target: 0.20
Trade Date: Aug, 5th
Company: Building Turbines Corp.
Latest Pricing: .038
Traded as: BL_D W

Green Energy Business Equipped To Rise Monday!!!


BLDW stock isn't really valuable, losing 88.6% of its value since the company was floated in April 2011, and it has been bouncing around the two to four cent level since the beginning of 2013. But this isn't really about the real prospects of the company, this is a straightforward attempt to manipulate the system for profit.

In the past few days, someone has bought about 2.5 million shares in the company at about 4 cents, our past analysis would indicate that this is likely to be the spammer taking up positions.


The spammers may have targeted BLDW stock on their own initiative, but the recent HAIR spam run seems to be for another party. No matter, if you take the example of HAIR then any investors who had followed the spam's fake tips would have ended up losing about 90% of their investment. I'm not saying the BLDW is going to collapse, stay afloat or whatever.. but what I am saying is that you should simply ignore BLDW stock completely because this spam run is simply an attempt at market manipulation.

Friday 2 August 2013

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.

Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch weekly options up to 500% return
- Up to $5000 welcome bonus

Start trading: http://www.redwoodoptions.com

That having been said, this spam run is almost definitely nothing to do with them and is instead someone trying to disrupt their (apparently lawful) business.

My advice.. ignore it and delete it.

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:
Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about
CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is
not allowed here. Do not enter if you don't know what to do...
http://cpro.su/ (*NEW domain!) 
People involved in this sort of stuff don't advertise it, but as far as I can tell cpro.su actually does deal in some unsavoury things.

What should you do about it? Nothing. The spam run will probably finish soon enough, and there's no point picking a fight with either side unless you really know what you are doing.



Malekal.com "Joe Job" spam

Update: there is a new version of this Joe Job spam, now mentioning this post in the body text (more info).

Malekal's Site  is a French-language site covering malware and spam. This particular spam run (called a "Joe Job") is not from Malekal, but is instead attempting to disrupt the site. Presumably the bad guys have found something the don't like.

Here are some examples:
Subject: Trojan Fake Police
Subject: Virus Gendarmerie
Subject: Virus Gendarmerie Nationale
Subject: Trojan Ransomware

Trojan Fake Police / Virus Gendarmerie Nationale : violation de la loi
francaise http://www.malekal.com/

If you are getting these, it is because you have been flagged up via a "reverse listwashing" process as somebody who is likely to complain about spam. Reporting the originating IP of the spam email would probably be helpful, reporting malekal.com on the other hand will only help the bad guys to remove a useful resource.

MoneyGram "Payment notification email" spam / drstephenlwolman.com

This fake MoneyGram spam leads to malware on drstephenlwolman.com:

Date:      Fri, 2 Aug 2013 22:23:53 +0330 [14:53:53 EDT]
From:      "Moneygram Inc." [infusionnbb3@gmail.com]
Subject:      Payment notification email
Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.


Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013
Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html  and some intermediate scripts.

More analysis later..

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extenstion, presumably to fool AV scanners.

The next step is a kind of weird Javascript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).


The domain in question is a hijacked GoDaddy domain.The payload is hardened against analysis. There will almost definitely be other hijacked domains hosted on this server, blocking access to it might be a good idea.

"Your most recent payment has been processed" spam / capitalagreements.com

This fake Discover Card spam leads to malware on capitalagreements.com:


Date:      Fri, 2 Aug 2013 20:41:09 +0200 [14:41:09 EDT]
From:      Discover Card [dontrply@service.discovercard.com]
Reply-To:      dontrply@service.discovercard.com


    Discover
     Access My Account
   
    ACCOUNT CONFIRMATION     Statements | Payments | Rewards    
    Your most recent payment has been processed.
   
Dear Customer,

This e-mail is to confirm that we have processed your most recent payment. Please remember to use your new information the next time you log in.

To view more details please click here.

Log In to review your account details or to make additional changes.


Please Note: If you did not make this request, please contact us immediately at 1-800-DISCOVER (1-800-347-2683).
   
Sign up    

Don't miss out—sign up to get exclusive offers via e-mail from Discover.

Sign Up

Facebook     Twitter     I Love Cashback Bonus Blog     Mobile

Add discover@service.discover.com to your address book to ensure delivery of these e-mails.
See ways to help identify authentic Discover e-mails by visiting our email security page.


    IMPORTANT INFORMATION

This e-mail was sent to [redacted].

You are receiving this Discover e-mail as a confirmation of your account activity.

Log in to update your e-mail address or view your account e-mail preferences.

If you have any questions about your account, please log in to contact us securely and we will be happy to assist you.

Please do not reply to this e-mail as we are not able to respond to messages sent to this address.

DISCOVER and other trademarks, logos and service marks used in this e-mail are the trademarks of Discover Financial Services or their respective third-party owners.

Discover Products Inc.
P.O. Box 30666
Salt Lake City, UT 84130
©2013 Discover Bank, Member FDIC

TRUPCHNG_A1_A1_A1
   
The link in the email goes to a legitimate hacked site and then one to three scripts as follows:
[donotclick]ekaterini.mainsys.gr/overspreading/hermaphrodite.js
[donotclick]sisgroup.co.uk/despairs/marveled.js
[donotclick]psik.aplus.pl/christian/pickford.js

After that, the victim is directed to the malware landing page at [donotclick]capitalagreements.com/topic/regard_alternate_sheet.php which is a hijacked GoDaddy domain hosted on 66.228.60.243 (Linode, US), along with several other hijacked domains.

The attack is fundamentally the same as this American Express themed malspam run described here.

Recommended blocklist:
66.228.60.243
northernforestcanoetrail.com
northforestcanoetrail.org
yourcaribbeanconnection.com
capitalagreements.com
buyfranklinrealty.com
franklinrealtyofcc.com
frccc.com
sellcitruscountyrealestate.com

Thursday 1 August 2013

Olborg Ltd / ОЛЬБОРГ / o1host.net (AS57636) revisited

Update:  I am trying to verify claims that Olborg Ltd are operating a sinkhole (which is a good thing) rather than a malware server (a bad thing).

Last week I pointed out a malware site on 91.233.244.102 hosted by Olborg Ltd / ООО "ОЛЬБОРГ" (AS57636) [1] [2] (website at o1host.net) and made a recommendation that admins block access to the entire 91.233.244.0/23 block.

A polite but concerned email from a customer of Olborg with a legitimate sitein that range asked if I wasn't being rather harsh to Olborg with the recommended /23 block, for just one rogue IP.

First, let me explain my rationale behind recommending larger blocks that just single IP addresses. With many web hosts (and yes, a lot of those are in Eastern Europe) the badness isn't usually restricted to one IP address. This appears to be the case with Olborg, with more than one IP looking suspicious. From the point of view of an administrator, blocking a /24 or /23 displaying these characteristics is often the safest approach.. after all, a /24 only represents 0.000006% of the total address space of the internet, but malware sites do tend to cluster.

So, what exactly is going on with Olborg? Although it has 91.233.244.0/23 allocated to it, it only currently uses 91.233.244.0/24 (i.e. the lower half of the range). Of those IPs there appear to be two main blocks, lower down in the range 91.233.244.20, 91.233.244.22 and 91.233.244.28 all seem to host legitimate sites. But further up, 91.233.244.102, 91.233.244.103 and 91.233.244.106 seem to be malicious. It's hardly the most evil web host in the world though, but these rogue IPs are a concern.

I had a look at all the sites I could find in this address range and analysed their WOT ratings, Google malware prognosis and SURBL status, you can find it here [csv]. The SURBL code takes a little explaining, but basically 127.0.0.16 is malware, 127.0.0.4 is (mostly) spam and 127.0.0.20 is both. There more explanation of that here.

The IP 91.233.244.102 has been an issue for over a year [1] [2] [3] [4] although it may or may not be clean at the moment (anti-analysis techniques mean that it can be hard to be certain). Clean or not, I would certainly advise you not to send traffic to this IP.

OK. So you've read this far and somehow I have still kept you interested in Olborg Ltd. All the badness I can find is concentrated in 91.233.244.96/28 and blocking that should keep you protected from any current potential nastiness. Alternatively, you can block the /23, but do bear in mind that there are some legimate customers in that range too (update: and if they are running a sinkhole then there's no point blocking the /23 anyway)


Pump and dump spam flogs a dead horse with Biostem U.S. Corporation (HAIR)

About a month-and-a-half ago I had a look at the pump-and-dump spam promoting Biostem U.S. Corporation (HAIR) when it was trading at around $0.30.

Surprisingly, the pump-and-dump spam is still ongoing which will make it nearly two months of spam on one single stock..

This Company Will Make an Impressive Recovery! It is the answer
to your portfolio troubles!

Date: August 1st
Long Term Target: .85
Per share price: .035
Ticker: HAI_R
Name: Biostem Corp.

You might want to sit down before reading this... Stocks To
Look At!

So, out of curiosity I schlepped across to look at their stock price and was slightly surprised to see that it has lost around 90% of its value since the spam run started. What happened? Well, on 19th July the stock price fell off a cliff when rather predictably Biostem announced that it was shutting up shop, and looking at news reports there seems to be little chance of recovery.



But now with shares bouncing along at around the 3 to 4 cents mark the pump-and-dump seems to be continuing, and since the collapse it appears that around 9.6 million shares have been traded, which is about 8.4% of the total equity. At today's prices those shares are worth about $336,000. A little over a year ago, on May 28th 2012, Biostem stock peaked at $439 per share, at close of business yesterday they were just 3.5 cents.. a 99.2% drop. Somebody has certainly taken a haircut on these stocks..

Wednesday 31 July 2013

"Documento importante : 5039403 !!" spam / Planilha-Documento.docx_.rar

This terse Portuguese language spam has a malicious attachment:

From:     Adriane Camargo. [adriane@yahoo.com.br]
Date:     29 July 2013 20:59
Subject:     Documento importante : 5039403 !!

Arquivo : DC-59KDJF994J3K303940430DJJRI8.rar ( 173,4 KB)

The link in the email downloads goes through a legitimate hacked site and then downloads a RAR file from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/Planilha-Documento.docx_.rar which has a VirusTotal detection rate of 17/46 and is identified as a trojan downloader.

According to Anubis, the malware then attempts to download additional components from [donotclick]www.equilibrionutriesportiva.com.br/site/wp-admin/network/icons/equilib/fing3234/ie.exe but this seems to generate a 403 error.

Other analyses are pending. Update: here is an analysis from Comodo CAMAS.

Tuesday 30 July 2013

Facebook spam / deltaoutriggercafe.com

These guys are busy. This fake Facebook spam leads to malware on deltaoutriggercafe.com:

Date:      Tue, 30 Jul 2013 15:05:25 -0500 [16:05:25 EDT]
From:      Facebook [no-reply@facebook.com]
Subject:      Issac Dyer wants to be friends with you on Facebook.

facebook
   
Issac Dyer wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
       
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
I don't know about you, but I think Isaac looks a bit like a girl.


Predicatably, clicking on the link in the email leads to a legitimate hacked site and then the same redirector scripts found in this spam run. However, in this case the target has now changed to [donotclick]deltaoutriggercafe.com/topic/able_disturb_planning.php which is hosted on 66.175.217.235 (Linode, US) along with a whole bunch of other similar domains that have been hijacked from GoDaddy.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltaoutriggercafe.com
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

eBay "ready to get started? Here’s how." spam / deltamarineinspections.net

There is currently an eBay-themed  "ready to get started? Here’s how" spam run active, effectively almost the same as this one, except this time there is a new set of intermediate scripts and payload page. The three scripts involved are:

[donotclick]03778d6.namesecurehost.com/meaningful/unsnapping.js
[donotclick]icontractor.org/followings/trolloped.js
[donotclick]tvassist.co.uk/plead/grueled.js

..leading to a payload page at  [donotclick]deltamarineinspections.net/topic/able_disturb_planning.php on 66.175.217.235 (Linode, US). The domains in use are hijacked from a GoDaddy account and belong to the same poor sod that last control of the ones here.

Recommended blocklist:
66.175.217.235
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltamarineinspections.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net


"Your password on Pinterest was Successfully modified!" spam / onsayoga.net

This fake Pinterest spam leads to malware on onsayoga.net:

Date:      Tue, 30 Jul 2013 11:17:28 -0500 [12:17:28 EDT]
From:      Pinterest [caulksf8195@customercare.pinterrest.net]
Subject:      Your password on Pinterest was Successfully modified!

A Few Updates...
[redacted]
  
[redacted]  

Changing your password is complete. Please use the link below within 24 hours. reset. Receive New Password to email.
  
Ask for a New Password  
            
Pinterest is a tool for collecting and organizing things you love.

This email was sent to [redacted].
Don’t want activity notifications? Change your email preferences.

©2013 Pinterest, Inc. | All Rights Reserved
Privacy Policy | Terms and Conditions

The link goes through a legitimate hacked site and then on to [donotclick]www.pinterest.com.onsayoga.net/news/pinterest-paswword-changes.php (report here) which is hosted on the following IPs:
95.111.32.249 (Megalan EAD, Bulgaria)
122.128.109.46 (Ximbo / CPCnet, Hong Kong)
209.222.67.251 (Razor Inc, US)

These IPs are controlled by this gang and form part of this large network of malicious IPs and domains. I recommend you use that list in conjunction with blocking onsayoga.net.

CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net

This fake CNN spam leads to malware on deltadazeresort.net:

Date:      Tue, 30 Jul 2013 17:52:54 +0330 [10:22:54 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: Forbes: Angelina Jolie tops list of highest-paid actresses

Forbes: Angelina Jolie tops list of highest-paid actresses
By Sheridan Watson, EW.com
July 29, 2013 -- Updated 2014 GMT (0414 HKT)
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie,
Angelina Jolie attends a June 2013 premiere of her fiance Brad Pitt's movie, "World War Z."


(EW.com) -- She might not get paid as much as "Iron Man," but there's no doubt that celestial beauty Angelina Jolie is smiling all the way to the bank.

This year, Jolie topped Forbes' annual list of the highest-paid actresses in Hollywood with an incredibly robust $33 million.

The link in the email goes to a legitimate hacked site and then to one or more of three scripts:

[donotclick]00002nd.rcomhost.com/immanent/surfeit.js
[donotclick]theplaidfox.com/bulbs/falcon.js
[donotclick]sandbox.infotraxdevdocs.com/afforestation/provosts.js

From there the victim is sent to a landing page at [donotclick]deltadazeresort.net/topic/able_disturb_planning.php. At the time of writing this hijacked GoDaddy domain does not resolve, but it was recently hosted on the following IPs alongside these other hacked GoDaddy domains:

66.175.217.235 (Linode, US)
173.246.104.136 (Gandi, US)
deltaboatraces.net
deltaboatworks.net
deltadazeresort.net
deltarentalcenter.net
deltariverhouse.net
deltayachtclub.net

Pharma sites to block 30/7/13

This IPs host (fake) pharma sites which seem to be associated with this gang and share some of their infrastructure. As far as I can tell, none of them host malware.. but the IPs involved could be repurposed as malware servers and blocking them might be prudent.

88.190.218.27 (PROXAD Free SAS, France)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.200.13.15 (SKS-Lugan, Ukraine)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
94.152.188.165 (KEI, Poland)
94.242.239.4 (root SA, Luxemburg)
109.107.203.45 (Vodafone, Czech Republic)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
198.23.59.79 (LiquidNet US LLC, US)

Recommended blocklist:
88.190.218.27
91.199.149.0/24
91.200.13.0/24
91.204.162.81
91.204.162.96
94.152.188.165
94.242.239.4
109.107.203.45
192.162.19.0/24
198.23.59.79
1bqmv6ir.tabletmedicinert.com
3hpd38kt.tabletmedicinert.com
3j2ilmza.tabletmedicinert.com
3taa0484.tabletmedicinert.com
54djq7gs.tabletmedicinert.com
6tpvvfwl.mediastoreplus.com
6w8vrnw1.tabletmedicinert.com
9351s3cc.tabletmedicinert.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
androidsaletablet.com
bbji3ka1.tabletmedicinert.com
biotechpharmhealthcare.com
boschtrameds.com
caloriesviagra.com
canadaipad.com
canadamedsopioid.com
canadapharmcanadian.com
canadaviagracent.com
canadiancanada.com
carerxpatient.com
chof.ru
d5pz5c35.tabletmedicinert.com
dacl3uy1.tabletmedicinert.com
deii.ru
dispensariesrx.com
drugenericswelness.com
druggenericspharmacy.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
e66y531e.tabletmedicinert.com
familymedicinerx.com
flefdukt.com
gied.ru
healthcarebiotechnology.net
herbalburdette.com
iald.ru
in.taxwelnesslevitra.com
innovatory.vitaminnutritionherbal.com
isoe.ru
jaid.ru
jx5nqjzf.tabletmedicinert.com
knr78b16.tabletmedicinert.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanadispensariesmedical.com
marijuanamedicalviagra.com
mediastoreplus.com
medicaltabgroup.com
medicarewiqi.pl
medicinetabletsurface.com
medopioid.pl
medsherbalbosch.nl
mentalevitrapill.com
mymedicaretablet.com
mypharmacyherbal.com
myviagragenerics.pl
newpharmacyherbal.com
nmvwta.mediastoreplus.com
nrytgyxvom.com
nureri.ru
oc597g5g.tabletmedicinert.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pepras.ru
phof.ru
pillgenericsgroup.com
pillscialistorture.com
pillssmartrend.com
pillsstreetinsider.com
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
ro3dk20p.tabletmedicinert.com
ruld.ru
rxsmartrend.com
satishmeds.pl
siew.ru
skah.ru
sugh.ru
tabbosch.com
tabletmedicaid.pl
tabletmedicinert.com
taxwelnesslevitra.com
tlar.ru
tmdtmnv5.tabletmedicinert.com
ttds2eew.tabletmedicinert.com
u0s3oqf6.tabletmedicinert.com
uney.ru
vitaminnutritionherbal.com
vomise.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru