Tuesday 13 August 2013

Malware sites to block 13/8/13

These IPs and domains belong to this gang and this list follows on from the one I made last week.

5.39.14.148 (OVH, France)
5.231.57.253 (GHOSTnet, Germany)
15.185.121.30 (HP Cloud Services, US)
24.173.170.230 (Time Warner Cable, US)
37.99.18.145 (2day Telecom, Kazakhstan)
42.121.84.12 (Aliyun Computing Co / Alibaba Advertising Co, China)
50.2.109.148 (Eonix Corporation, US)
50.56.172.149 (Rackspace, US)
59.77.36.225 (CERNET, China)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (LG DACOM, Korea)
65.190.51.124 (Time Warner Cable, US)
66.230.163.86 (Goykhman And Sons LLC, US)
68.174.239.70 (Time Warner Cable, US)
74.207.251.67 (Linode, US)
75.147.133.49 (Comcast Business Communications, US)
78.47.248.101 (Hetzner, Germany)
88.86.100.2 (Supernetwork SRO, Czech Republic)
89.163.170.134 (Unitedcolo, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
95.111.32.249 (Mobiltel EAD, Bulgaria)
95.188.76.14 (Sibirtelecom OJSC, Russia)
95.138.165.133 (Rackspace, UK)
109.107.128.13 (The Blue Zone East, Jordan)
114.112.172.34 (Worldcom Teda Networks Technology, China)
123.202.15.170 (Hong Kong Broadband Network, Hong Kong)
140.113.87.153 (TANET, Taiwan)
140.116.72.75 (TANET, Taiwan)
173.224.211.216 (Psychz Networks, US)
177.53.80.39 (Cordeirópolis Ltda, Brazil)
185.5.54.162 (Interneto Vizija UAB, Lithuania)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
188.132.213.115 (Mars Global Datacenter Services, Turkey)
188.134.26.172 (Perspectiva Ltd, Russia)
190.85.249.159 (Telmex Colombia, Colombia)
190.95.222.196 (Homenet CIA. Ltda / Telconet, Ecuador)
198.211.115.228 (Digital Ocean Inc, US)
199.231.188.226 (Interserver Inc, US)
202.197.127.42 (CERNET, China)
204.124.182.30 (Volumedrive, US)
209.222.67.251 (Razor Inc, US)
212.68.34.88 (Mars Global Datacenter Services, Turkey)
216.158.67.42 (Webnx Inc, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.39.14.148
5.231.57.253
15.185.121.30
24.173.170.230
37.99.18.145
42.121.84.12
50.2.109.148
50.56.172.149
59.77.36.225
59.124.33.215
61.36.178.236
65.190.51.124
66.230.163.86
68.174.239.70
74.207.251.67
75.147.133.49
78.47.248.101
88.86.100.2
89.163.170.134
95.87.1.19
95.111.32.249
95.188.76.14
95.138.165.133
109.107.128.13
114.112.172.34
123.202.15.170
140.113.87.153
140.116.72.75
173.224.211.216
177.53.80.39
185.5.54.162
186.251.180.205
188.132.213.115
188.134.26.172
190.85.249.159
190.95.222.196
198.211.115.228
199.231.188.226
202.197.127.42
204.124.182.30
209.222.67.251
212.68.34.88
216.158.67.42
217.64.107.108
50plus-login.com
abundanceguys.net
acautotentsale.net
allgstat.ru
amnsreiuojy.ru
amods.net
antidoctorpj.com
askfox.net
astarts.ru
autocompletiondel.net
avini.ru
badstylecorps.com
bbmasterbuilders.net
beachfiretald.com
beldenindcontacts.net
blindsay-law.net
bnamecorni.com
boardsxmeta.com
boats-sale.net
breakingtextediti.com
briltox.com
businessdocu.net
buycushion.net
calenderlabor.net
casinocnn.net
cbstechcorp.net
centow.ru
condalinneuwu37.net
condrskajaumaksa66.net
controlsalthoug.com
creativerods.net
credit-find.net
crossplatformcons.com
culturalasia.net
cyberflorists.su
datapadsinthi.net
devicesta.ru
dulethcentury.net
ehnihjrkenpj.ru
endom.net
evishop.net
exhilaratingwiki.net
exnihujatreetrichmand77.net
exowaps.com
fitstimekeepe.net
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
frontsidecash.net
frutpass.ru
gatumi.com
gondorskiedelaahuetebanj88.net
gonulpalace.net
gormoshkeniation68.net
gotoraininthecharefare88.net
hdmltextvoice.net
hotkoyou.net
includedtight.com
info-for-health.net
inningmedicare.pl
intcheck.com
jonkrut.ru
kneeslapperz.net
legalizacionez.com
lhobbyrelated.com
liliputttt9999.info
lucams.net
made-bali.net
magiklovsterd.net
medusascream.net
micnetwork100.com
microsoftnotification.net
mifiesta.ru
mirris.ru
mobile-unlocked.net
moonopenomy.com
motobrio.net
musicstudioseattle.net
namastelearning.net
neplohsec.com
nightclubdisab.su
nvufvwieg.com
onsayoga.net
onsespotlight.net
ordersdeluxe.com
organizerrescui.pl
pacifista.ru
palmer-ford.net
partyspecialty.su
pinterest.com.onsayoga.net
prysmm.net
pure-botanical.net
quill.com.account.settings.musicstudioseattle.net
raekownholida.com
relectsdispla.net
restless.su
ringosfulmobile.com
saberig.net
sai-uka-sai.com
scourswarriors.su
sensetegej100.com
sensing-thefuture.com
seoworkblog.net
suburban.su
tagcentriccent.net
tagcentriccent.pl
taltondark.net
templateswell.net
thegalaxyatwork.com
thesecuritylistfx.net
tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
tor-connect-secure.com
u-janusa.net
viperlair.net
vip-proxy-to-tor.com
wildgames-orb.net
workeschaersecure.net
x-pertwindscreens.net
zestrecommend.com
zukkoholsresv.pl

Monday 12 August 2013

Facebook spam / guterhelmet.com

This fake Facebook spam leads to malware on guterhelmet.com:

Date:      Mon, 12 Aug 2013 17:51:17 -0200 [15:51:17 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Willie Powell wants to be friends with you on Facebook.

facebook
   
interesting pages on facebook
mark as favorite web pages that interest you to receive their updates in your news feed.

Willie Powell
Willie Powell
   
Bao Aguliar
Bibi Akel
   
Eleanora Casella
Murray Carsten
   
Jordana Fiqueroa
Jona Fiorelli
   
Leisha Heape
Lacresha Hautala
   
Monnie Carrillo
Missy Carreiro
find more pages
         
go to facebook
the message was sent to {mailto_username}@{mailto_domain}. if you do not want to receive these e-mail. letters from facebook, please give up subscription.
facebook, inc., attention: department 415, po box 10005, palo alto, ca 94303
Is it me, or does everyone look the same?

The link in the email goes through a legitimate hacked site and then on to one of three scripts:
[donotclick]golift.biz/lisps/seventeen.js
[donotclick]fh-efront.clickandlearn.at/parboiled/couplets.js
[donotclick]ftp.elotus.org/products/cleats.js

From there, the victim is redirected to a hijacked GoDaddy domain with a malicious payload at [donotclick]guterhelmet.com/topic/able_disturb_planning.php hosted on 192.81.135.132 (Linode, US) along with a number of other hijacked domains (listed in the blocklist below).

Recommended blocklist:
192.81.135.132
golift.biz
fh-efront.clickandlearn.at
ftp.elotus.org
guterglove.com
grandrapidsleaffilter.com
greenbayleaffilter.com
guterhelmet.com
guterprosva.com

Saturday 10 August 2013

CNN: " Canadian teenager Rehtaeh Parsons" spam leads to malware

The bad guys don't have much of a sense of shame. This fake CNN email leads to malware on hubbynwifewines.com:

Date:      Sat, 10 Aug 2013 01:33:17 +0330 [18:03:17 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: " Canadian teenager Rehtaeh Parsons"

2 face charges in case of Canadian girl who hanged self after alleged rape
By Stephanie Gallman and Phil Gast, CNN
updated 6:39 AM EDT, Fri August 9, 2013
Canadian teenager Rehtaeh Parsons, who was allegedly gang-raped and bullied, has died, her family said. Parsons, 17, was hospitalized after she tried to hang herself on Thursday, April 4. The high school student from Halifax, Nova Scotia, was taken off life support three days later.

Canadian teenager Rehtaeh Parsons

Two 18-year-old men face child pornography charges in connection with the case of a 17-year-old girl who hanged herself after she was allegedly gang-raped and bullied online, Canadian authorities said Thursday evening.  Full story >>

The link in the email goes through a legitimate but hacked site and ends up running one of three scripts:
[donotclick]1494ccc706155932.lolipop.jp/canard/lockup.js
[donotclick]ftp.adaware.net/earwax/philosophic.js
[donotclick]hargobindtravels.com/coloratura/nesting.js

The victim is then sent to a malware payload site at [donotclick]hubbynwifewines.com/topic/able_disturb_planning.php which is a hacked GoDaddy domain hosted on 72.249.76.197.

Recommended blocklist:
72.249.76.197
1494ccc706155932.lolipop.jp
ftp.adaware.net
hargobindtravels.com
housewalla.com
hubby-wife.com
hubbynwife.com
hubbynwifecakes.com
hubbynwifewines.com
hubbynwifedesigns.com

Thursday 8 August 2013

Citibank spam / Loan_08082013.exe

This fake Citibank spam comes with a malicious attachment:

Date:      Thu, 8 Aug 2013 13:09:04 -0500 [14:09:04 EDT]
From:      Erin_Gay [Erin_Gay@citibank.com]
Subject:      RE: Loan Approved

Your documents are ready , please sign them and email them back.

Thank you

Erin_Gay
Level III Account Management
817-835-6023 office
817-074-9181 cell Erin_Gay@citibank.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

The security of personal information about you is our priority. We protect this
information by maintaining physical, electronic, and procedural safeguards that meet
applicable law. We train our employees in the proper handling of personal information.
When we use other companies to provide services for us, we require them to protect the
confidentiality of personal information they receive.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

The attachment is in the format Loan.recipient-name.zip and contains the executable Loan_08082013.exe (note the date is encoded into the filename).
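The date stamped into Loan_08082013.exe is the kind of detail a mail gateway can check for. The following is an added example, not code from the original post: it builds a stand-in zip (constructed, holding a harmless placeholder file that merely carries the payload's name rather than the real executable), then lists any executable-looking members whose filename encodes the message's Date header as DDMMYYYY. The name pattern and the set of executable extensions are assumptions made for the example.

```python
import io
import re
import zipfile
from email.utils import parsedate_to_datetime

# Filename shape seen in the post: Loan_08082013.exe, i.e. <word>_DDMMYYYY.<exe>.
# The extension set is an assumption for this example.
DATED_EXE = re.compile(
    r"^(?P<stem>[A-Za-z]+)_(?P<d>\d{2})(?P<m>\d{2})(?P<y>\d{4})\.(?P<ext>exe|scr|com|pif)$",
    re.IGNORECASE,
)


def build_sample_zip(inner_name="Loan_08082013.exe"):
    """Constructed stand-in for Loan.recipient-name.zip: an in-memory archive
    holding a harmless placeholder file that only carries the payload's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"placeholder bytes, not an executable")
    return buf.getvalue()


def dated_executables(zip_bytes, sent):
    """Return (member, matches_send_date) for every executable-looking member
    whose name carries a DDMMYYYY stamp; True when the stamp equals the day
    the message was sent, the giveaway the post points out."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            basename = member.rsplit("/", 1)[-1]
            m = DATED_EXE.match(basename)
            if m is None:
                continue
            stamped = (int(m["d"]), int(m["m"]), int(m["y"]))
            found.append((member, stamped == (sent.day, sent.month, sent.year)))
    return found


def check_message(date_header, zip_bytes):
    """Parse an RFC 2822 Date header and scan the zip attachment against it."""
    sent = parsedate_to_datetime(date_header)
    return dated_executables(zip_bytes, sent)


if __name__ == "__main__":
    # Date header taken from the Citibank message quoted in the post.
    print(check_message("Thu, 8 Aug 2013 13:09:04 -0500", build_sample_zip()))
```

A real gateway would apply the same test to every archive member after safe extraction limits, and would treat a date-stamped executable inside a zip as a strong signal regardless of whether the stamp matches the send date.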

The initial file is just a trojan downloader. VirusTotal results are 10/45. The Malwr analysis gives some excellent details of what is going on, including attempted downloads from the following locations:
[donotclick]www.arki.com/ponyb/gate.php
[donotclick]ftp.miniaturesbykim.com/fzKU1Y.exe
[donotclick]www.gfchargers.org/iwa4s1.exe
[donotclick]ftp.jason-tooling.com/nhdx.exe
[donotclick]www.rachelcondry.com/nLiZVHtr.exe

This downloads a Zeus variant with a very low detection rate of 4/45. The Malwr analysis for this part shows some apparent peer-to-peer traffic (note some of these IPs are legitimate and belong to Google):
88.84.107.110
184.39.153.172
116.15.200.129
108.210.216.93
79.10.245.249
130.251.186.103
75.32.154.102
50.65.158.6
99.146.98.160
69.246.97.159
76.226.134.206
88.68.122.74
200.91.49.183
157.100.168.252
99.181.10.118
108.234.133.110
108.240.232.212
108.74.172.39
178.238.233.29
69.115.119.227
99.26.122.34
173.194.67.99
23.25.36.93
173.194.67.94
174.96.27.128
2.158.160.98
123.201.22.66
187.214.18.148
174.141.40.194
97.67.116.122
173.209.69.2
103.1.71.126
204.155.62.5
97.96.126.195
208.118.221.212
50.78.124.173

TigerDirect.com spam / palmer-ford.net

This fake TigerDirect.com spam leads to malware on palmer-ford.net:

Date:      Thu, 8 Aug 2013 21:54:14 +0400 [13:54:14 EDT]
From:      "TigerDirect.com" [noreply@tigerdirect.com]
Subject:      Your TigerDirect.com Order I9179488 Shipment Update

Computers | Computer Parts | Electronics | TV & Video | Cameras & Surveillance | Cell Phones
Order Shipped:
   
08/07/2013
Order No.
   
I9179488
Shipment Total:
   
$732.20
Shipment Confirmation

[redacted],

Your order shipped on 08/07/2013 and is on its way to you. Click here to log in to MY ACCOUNT for the latest information on your order.

Below, you’ll find a recap of the shipped item(s):

TRACKING NUMBER(S):
1Z2V811KO067774417
(Note: Tracking information may not be available immediately; it may take up to 1 full business day for packages that have reached the shipper to have activity associated with the tracking number. Shipping confirmations for USPS and international shipments as well as for some special order items will not include a tracking number.)
Shipped Items:
   
Quantity
Lenovo H718 Desktop PC - 2nd Gen. Intel Core i3-1130 3.2GHz, 4GB DDR3, 500GB HDD, DVDRW, Windows 8 64-bit, Keyboard & Mouse, (65412680) (T56-C5300 )
   
   
1
   
   
(Click Image Above To Track Your Order) Allow 24 hours for the tracking # to appear in the Shippers' System.
Manufacturer Tech Support: 1-877-453-6686
Manufacturer Tech URL: www.lenovo.com


Again, for the latest information on your order, please click here to log in to MY ACCOUNT. You can also view your Order History, get Invoice Copies, Return Authorizations, add Product Reviews and much more.

Regards,

TigerDirect.com
Customer Care Team

CHECK OUT THE LATEST DEALS - CLICK HERE

Shipment Information
Abigail Hall
2864 N Bell Rd

Pasadena, SC 72936
Your shipping method varies. Please view the chart below for approximate transit times.

Transit Times
Truck Delivery: 7 - 10 Business Days
EconoShip Delivery: 4 - 9 Business Days
UPS Ground: 2 - 7 Business Days
UPS Second Day: 2 Business Days
UPS Next Day Air: 1 Business Day
US Postal Service: 2-3 Business Day Including Saturdays

Saturdays, Sundays and holidays do not count toward the estimated transit days. Packages that leave our fulfillment center on Saturdays, Sundays or holidays will not actually reach the shipper until Monday or the next business day.

Should you have any additional questions regarding your order, please feel free to visit our customer help pages at http://www.tigerdirect.com/help/.

Should you need to exchange or return a product, please visit http://www.tigerdirect.com/sectors/help/return.asp
   
Other Items to Consider

Home Theater Week

Search over 100,000 Products in Stock...
            Refer-A-Friend            
Deal Alerts via
    Sign up for RSS

TigerDirect.com is not responsible for typographical errors or omissions. This email was sent to dynamoo@spamcop.net in response to Order # I9179488.

Note that TigerDirect.com never sells, rents, or shares your email address For more information, please review the TigerDirect.com Privacy Policy at: http://www.tigerdirect.com/sectors/aboutus/privacy.asp

Call Center Hours of Operation: Mon - Fri: 7am til 1am ET and Sat - Sun: 8am til Midnight ET

For Merchandise Returns: c/o TigerDirect Warehouse - 175 Ambassador Drive, Naperville, IL 60540

Copyright © 2013 - TigerDirect, Inc. 7795 West Flagler Street, Suite 35, Miami, FL 33144 (Corporate Headquarters: No Returns Accepted)
LEGAL NOTICES| PRIVACY POLICY
The email looks pretty convincing:


Clicking on the links in the email takes you to a legitimate hacked site and then on to a malware landing page at [donotclick]www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php (report here) which contains an exploit kit.

Although it looks a bit like the link is actually on the tigerdirect.com site, it is actually hosted on the recently registered domain palmer-ford.net which has characteristically fake WHOIS details that mark it out as belonging to the Amerika gang.

   Administrative Contact, Technical Contact:
   Mills, Lawrence  rexona1948@live.com
   5700 Arlington Ave
   Bronx, NY 10471
   US
   7185432402


The malware domain is hosted on the following IPs along with some other malicious domains:
95.111.32.249 (Mobitel EAD, Bulgaria)
199.231.188.226 (Interserver Inc, US)
216.158.67.42 (Webnx Inc, US)

Recommended blocklist:
95.111.32.249
199.231.188.226
216.158.67.42
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
askfox.net
briltox.com
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
condalinneuwu37.net
condrskajaumaksa66.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
evishop.net
exnihujatreetrichmand77.net
facebook.com.n.find-friends.oncologistoncology.net
firefoxupd.pw
firerice.com
fulty.net
gnanosnugivnehu.ru
gotoraininthecharefare88.net
klwines.com.order.complete.prysmm.net
liliputttt8888.info
links.emails.bmwusa.com.open.pagebuoy.net
lucams.net
merchantcenter.intuit.com.click-for-click.com
micnetwork100.com
mifiesta.ru
onemessage.verizonwireless.com.verizonwirelessreports.com
onsayoga.net
partyspecialty.su
paypal.com.us.planetherl.net
pinterest.com.onsayoga.net
quill.com.account.settings.managemyaccount.moonopenomy.com
quipbox.com
sai-uka-sai.com
sartorilaw.net
seoworkblog.net
tintencenter.net
verizonwirelessreports.com
vitans.net
www.aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
www.klwines.com.order.complete.prysmm.net
www.linkedin.com.e.v2.kennebunkauto.net
www.paypal.com.us.planetherl.net
www.pinterest.com.onsayoga.net
www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net
www.verizonwirelessreports.com
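The TigerDirect lure above uses a hostname that begins with tigerdirect.com but is registered under palmer-ford.net, and each post on this page ends in a blocklist of bare IPs and domains. The script below is an added example, not code from the original post, showing how a defender might load such a list and run proxy log lines against it: a hostname matches a listed domain or any parent of it (so www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net trips the palmer-ford.net entry), destination IPs are matched against listed addresses and CIDRs, and hostnames that embed a well-known brand outside their registrable domain are flagged. The blocklist subset, the brand set, the log format and the log lines are constructed for the example; registrable_domain is a last-two-labels heuristic, and a production version would consult the Public Suffix List.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of the blocklists on this page: bare IPs, one CIDR
# (from the pharma list) and domains. Feed it the full lists in practice.
BLOCKLIST_TEXT = """
# IPs / networks
95.111.32.249
199.231.188.226
216.158.67.42
91.199.149.0/24
# domains (match the name itself and any subdomain of it)
palmer-ford.net
onsayoga.net
prysmm.net
"""

# Brands that the lures on this page embed inside long hostnames (assumed set).
BRANDS = {"tigerdirect.com", "paypal.com", "facebook.com", "pinterest.com", "klwines.com"}


def parse_blocklist(text):
    """Split a blocklist into network objects and a set of lowercase domains."""
    nets, domains = [], set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.rstrip("."))
    return nets, domains


def registrable_domain(host):
    """Last two labels of a hostname. Heuristic assumed for this example;
    a production check should use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def blocked_entry(host, domains):
    """Return the listed entry matching the host or one of its parents, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_blocked(ip, nets):
    """True if the address falls inside any listed IP or network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def brand_in_subdomain(host):
    """True when a brand name appears in the host but is not its registrable
    domain, e.g. www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net."""
    h = host.lower()
    reg = registrable_domain(h)
    return any(brand in h and reg != brand for brand in BRANDS)


# Constructed proxy log format: "<timestamp> <client-ip> <url> <destination-ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")

# Constructed log lines; 10.0.0.x and 203.0.113.x are private/documentation addresses.
SAMPLE_LOG = [
    "2013-08-08T13:55:01 10.0.0.17 http://www.tigerdirect.com.secure.orderlogin.asp.palmer-ford.net/news/tiger-direct.php 95.111.32.249",
    "2013-08-08T13:55:09 10.0.0.17 http://www.pinterest.com/pin/123 203.0.113.5",
    "2013-08-08T13:56:10 10.0.0.22 http://example.org/ 203.0.113.9",
    "2013-08-08T13:57:44 10.0.0.31 http://cdn.example.net/x.js 91.199.149.238",
    "2013-08-08T13:58:02 10.0.0.40 http://www.pinterest.com.onsayoga.net/ 203.0.113.5",
]


def scan_log(lines, blocklist_text=BLOCKLIST_TEXT):
    """Return (client, host, reasons) for every log line that trips a check."""
    nets, domains = parse_blocklist(blocklist_text)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        entry = blocked_entry(host, domains)
        if entry:
            reasons.append("domain:" + entry)
        if ip_blocked(m["dst"], nets):
            reasons.append("ip:" + m["dst"])
        if brand_in_subdomain(host):
            reasons.append("brand-in-subdomain")
        if reasons:
            hits.append((m["client"], host, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(client, host, ", ".join(reasons))
```

The parent-domain walk is what makes a short entry such as palmer-ford.net cover every lookalike hostname the gang mints under it, so the short blocklist entries are the ones worth keeping; the long www.tigerdirect.com... forms in the list above are already covered by them.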

Facebook spam / hubby-wife.com and 72.249.76.197

This fake Facebook spam leads to malware on hubby-wife.com:

Date:      Thu, 8 Aug 2013 09:36:19 -0800 [13:36:19 EDT]
From:      Facebook [update+zj433fgc2_aay@facebookmail.com]
Subject:      Doug Bernal wants to be friends with you on Facebook.
   
Interesting Pages on Facebook
Mark as favorite web pages that interest you to receive their updates in your News Feed.

Doug Bernal
Doug Bernal
   
Hyo Auiles
Gigi Arvay
   
Hester Brush
Lesa Bueschel
   
Crawford Eredia
Casey Elting
   
Delfina Grode
Deandrea Grise
   
Tori Circle
Austin Chum
Find more pages
         
Go to Facebook
The message was sent to [redacted]. If you do not want to receive these e-mail. letters from Facebook, please give up subscription.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
Doug is quite a feminine looking bloke:


Clicking on the link in the email goes through a legitimate hacked site, and from there onto one of three scripts:
[donotclick]art.impactmt.com/ecology/christmases.js
[donotclick]palka-teleskopowa.pl/puppet/leafed.js
[donotclick]outoftheblueproductions.com/pipelines/tutsi.js

From here, the victim is sent to a malware payload at [donotclick]hubby-wife.com/topic/able_disturb_planning.php which is (predictably) a hijacked GoDaddy domain hosted on 72.249.76.197 (Networld Internet Services) along with several other GoDaddy domains, which are listed below.

Recommended blocklist:
72.249.76.197
art.impactmt.com
palka-teleskopowa.pl
outoftheblueproductions.com
hubby-wife.com
housewalla.com
hubbynwife.com
hubbynwifecakes.com

eFax / jConnect spam and eliehabib.com

This fake fax spam leads to malware on eliehabib.com:

Date:      Wed, 7 Aug 2013 13:05:22 -0600 [15:05:22 EDT]
From:      Fax Message [message@inbound.efax.com]
Subject:      Fax Message at 2013-08-07 01:54:34 EST

Blue Bar
Fax Message

You have received 4 fax page(s) at 2013-08-07 01:54:34 EST.

* The reference number for this fax is wlmt_bgp85-3506454489-3878764215-49.
* The transmission start time for this fax is .

Click here to view this message in your web browser
Please visit http://www.j2.com/help if you have any questions regarding this message or your j2 service.

Thank you for using jConnect!
Home|Contact|Login
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
jConnect is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the jConnect Customer Agreement.
The link in the email goes through a legitimate hacked site and then on to three scripts as follows:
[donotclick]v3dev.eu/conciseness/bragging.js
[donotclick]masperblog.it/manacle/barnaul.js
[donotclick]shop.zhengtugps.com/submissions/snipped.js

From there the victim is sent to a payload site at [donotclick]eliehabib.com/topic/seconds-exist-foot.php, a hacked GoDaddy-registered domain hosted on 173.246.105.15 (Gandi, US). There are probably other malicious domains on the same server that I cannot see.

Recommended blocklist:
173.246.105.15
v3dev.eu
masperblog.it
shop.zhengtugps.com
eliehabib.com

Tuesday 6 August 2013

Pharma sites to block 6/8/13

A new list of pharma sites and IPs, related to this bunch.

61.150.109.186 (China Telecom, China)
91.199.149.238 (Novosibirsk A3 Ltd, Russia)
91.199.149.239 (Novosibirsk A3 Ltd, Russia)
91.204.162.81 (Network Communication, Poland)
91.204.162.96 (Network Communication, Poland)
91.216.163.92 (Informacines Sistemos Ir Technologijos UAB, Lithuania)
178.88.64.149 (Kazakh Telecom, Kazakhstan)
185.5.99.145 (Biznes-host.pl, Poland)
185.8.106.161 (HybridServers, Lithuania)
190.55.85.133 (Telecentro S.A., Argentina)
192.162.19.196 (FOP Budko Dmutro Pavlovuch, Ukraine)
200.185.230.32 (Ajato Telecomunicacao Ltda, Brazil)
202.197.127.42 (CERNET, China)
218.92.160.138 (Funing Tianlong Netbar, China)

Recommended blocklist:
61.150.109.186
91.199.149.0/24
91.204.162.81
91.204.162.96
91.216.163.92
178.88.64.149
185.5.99.145
185.8.106.161
190.55.85.133
192.162.19.0/24
200.185.230.32
202.197.127.42
218.92.160.138
1bqmv6ir.tabletmedicinert.com
1n77x6up.mediastoreplus.com
54djq7gs.tabletmedicinert.com
5n2f.mediastoreplus.com
6tpvvfwl.mediastoreplus.com
6un8dtnf.mediastoreplus.com
7geh.mediastoreplus.com
8u4lrx6.mediastoreplus.com
a1nyffx.mediastoreplus.com
a6g9whoe.tabletmedicinert.com
avagdezc.net
biotechealthcarepills.pl
boschwelness.com
caloriesviagra.com
canadaipad.com
canadaviagracanadas.com
canadaviagracent.com
canadiancanada.com
canadian-pharmacy-ltd.org
carerxpatient.com
coopaq.ru
d5pz5c35.tabletmedicinert.com
d8chph3.mediastoreplus.com
dacl3uy1.tabletmedicinert.com
deii.ru
dieein.com
dietarymeds.com
dietwelweight.com
drugmedsgenerics.com
drugsdrugstorepills.com
drugstorepillwalgreens.com
eari.ru
familymedicinerx.com
finding.dietpillgenerics.com
genericswelloch.com
ghwfloaf.com
gied.ru
gtyktdli.com
healthcarebiotechnology.net
hece.ru
herbalburdette.com
herbalprescriptiondrugs.com
htta.ru
iald.ru
in.taxwelnesslevitra.com
inningmedicare.pl
isoe.ru
jmwxxvyj.com
joam.ru
judact.ru
jx5nqjzf.tabletmedicinert.com
kindredhealthcaretab.pl
knei.ru
knr78b16.tabletmedicinert.com
korsinskytrarx.com
laug.ru
m62i5x7e.tabletmedicinert.com
marijuanamedicalviagra.com
marl.myherbalpharmacy.com
mbid.ru
mediastoreplus.com
medicaltabgroup.com
medicaresupplementrx.net
medicinetabletsurface.com
medicinevitamin.com
mediterraneanpharmacydiet.com
medopioid.pl
medsherbalbosch.nl
myherbalpharmacy.com
myviagragenerics.pl
newpillcialis.eu
nmvwta.mediastoreplus.com
nrytgyxvom.com
opioidpill.com
p6vxdhiu.tabletmedicinert.com
paracanada.com
paub.ru
pharmedtransplant.com
phof.ru
pillcanadian.com
pillgenericsgroup.com
pillsmedicinepatients.com
pillssmartrend.com
pillsstreetinsider.com
pillstabletspharmacy.ru
ptnh86kk.tabletmedicinert.com
qatt.ru
qkwc1s52.tabletmedicinert.com
rggrjipn.com
ruld.ru
satishmeds.pl
siew.ru
skah.ru
smartrendsale.com
sutasu.ru
tabletcareandroid.nl
tabletmedicaid.pl
tlar.ru
tmedf7c4j.mediastoreplus.com
torontotab.pl
tuo.mediastoreplus.com
tys.mediastoreplus.com
u0s3oqf6.tabletmedicinert.com
uney.ru
virv.ru
vitaminnutritionherbal.com
vomise.ru
welnessnsmt.com
wroo.ru
xior.ru
yesydzevr.com
yn72ov2j.tabletmedicinert.com
zwig.ru

Malware sites to block 6/8/13

Following on from last week's list, this week seems to see a smaller number of servers and malicious domains from this crew.

5.175.191.124 (GHOSTnet, Germany)
24.173.170.230 (Time Warner Cable, US)
41.196.17.252 (Link Egypt, Egypt)
54.218.249.132 (Amazon AWS, US)
59.124.33.215 (Chunghwa Telecom, Taiwan)
61.36.178.236 (DACOM Corp, Korea)
68.174.239.70 (Time Warner Cable, US)
78.47.248.101 (Hetzner, Germany)
95.87.1.19 (Trakia Kabel OOD, Bulgaria)
114.112.172.34 (Worldcom Teda Networks Technology Co. Ltd, China)
140.116.72.75 (TANET, Taiwan)
182.72.216.173 (Cusdelight Consultancy SE, India)
190.85.249.159 (Telmex Colombia, Colombia)
202.197.127.42 (CERNET, China)
208.115.237.88 (Limestone Networks / 123Systems Solutions, US)
217.64.107.108 (Society Of Mali's Telecommunications, Mali)

Recommended blocklist:
5.175.191.124
24.173.170.230
41.196.17.252
54.218.249.132
59.124.33.215
61.36.178.236
68.174.239.70
78.47.248.101
95.87.1.19
114.112.172.34
140.116.72.75
182.72.216.173
190.85.249.159
202.197.127.42
208.115.237.88
217.64.107.108
abundanceguys.net
amods.net
annot.pl
autocompletiondel.net
avini.ru
badstylecorps.com
beachfiretald.com
cbstechcorp.net
crossplatformcons.com
datapadsinthi.net
dulethcentury.net
endom.net
exhilaratingwiki.net
exowaps.com
explicitlyred.com
fivelinenarro.net
flashedglobetrot.pl
frontrunnings.com
hdmltextvoice.net
housesales.pl
ignitedannual.com
includedtight.com
jdbcandschema.su
lhobbyrelated.com
magiklovsterd.net
onsespotlight.net
operapoland.com
ordersdeluxe.com
organizerrescui.pl
playtimepixelating.su
prgpowertoolse.su
relectsdispla.net
ringosfulmobile.com
scourswarriors.su
sludgekeychai.net
streetgreenlj.com
tagcentriccent.net
tagcentriccent.pl
wildgames-orb.net
zestrecommend.com
zukkoholsresv.pl

What is 65.222.202.0/24?

A breakdown of the suballocations of the Verizon Business 65.222.202.0/24 block, mentioned in connection with Torsploit:

Block | Start | End | CustName | Description
--- | --- | --- | --- | ---
65.222.202.0/28 | 65.222.202.0 | 65.222.202.15 | Science Applications Int | SAIC (US Defense contractor)
65.222.202.16/28 | 65.222.202.16 | 65.222.202.31 | Old Dominion Internet | Possibly dormant VA corporation
65.222.202.32/28 | 65.222.202.32 | 65.222.202.47 | FTS2001/US Government | Federal Technology Service
65.222.202.48/29 | 65.222.202.48 | 65.222.202.55 | Unknown | "Torsploit" block
65.222.202.56/29 | 65.222.202.56 | 65.222.202.63 | Universal Machine Co of Pottstown Inc | Universal Machines (www.umc-oscar.com)
65.222.202.64/28 | 65.222.202.64 | 65.222.202.79 | Kitron | Electronic Manufacturing Service
65.222.202.80/29 | 65.222.202.80 | 65.222.202.87 | Morningside Sports Farm | Horse Training Farm in VA
65.222.202.88/29 | 65.222.202.88 | 65.222.202.95 | MetTel, Inc | Telecommunications Service Provider
65.222.202.96/29 | 65.222.202.96 | 65.222.202.103 | Guidestar | NPO Information Service
65.222.202.104/29 | 65.222.202.104 | 65.222.202.111 | Walt Disney Company | Mickey Mouse outfit
65.222.202.112/28 | 65.222.202.112 | 65.222.202.127 | Dental Concepts | Dentistry
65.222.202.128/29 | 65.222.202.128 | 65.222.202.135 | GARP Research & Securities | Financial Analysts
65.222.202.136/29 | 65.222.202.136 | 65.222.202.143 | Assured Packaging Inc | Metal boxes
65.222.202.144/28 | 65.222.202.145 | 65.222.202.159 | Unknown |
66.222.202.160/28 | 66.222.202.161 | 66.222.202.174 | Unknown |
65.222.202.176/29 | 65.222.202.176 | 65.222.202.183 | Butler Medical Transport | Patient Transport Services
65.222.202.184/29 | 65.222.202.184 | 65.222.202.191 | Federated IT | Government IT contractor
65.222.202.192/28 | 65.222.202.192 | 65.222.202.207 | Old Dominion Internet | Possibly dormant VA corporation
65.222.202.208/29 | 65.222.202.208 | 65.222.202.215 | Pharmaceuticals International, Inc | Healthcare
65.222.202.216/29 | 65.222.202.216 | 65.222.202.223 | Unknown |
65.222.202.224/29 | 65.222.202.224 | 65.222.202.231 | Unknown |
65.222.202.232/29 | 65.222.202.232 | 65.222.202.239 | Live Nation | Events Company, CA
65.222.202.240/28 | 65.222.202.240 | 65.222.202.255 | Georgetown Day School | Washington DC school

Monday 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here, and the long and the short of it is that the injected code attempts to call back to 65.222.202.53 in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears that DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations in that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29, which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great, but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254), which is about 2 million IPs. This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.
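To check the two claims just discussed against the suballocation table in the "What is 65.222.202.0/24?" post above, here is an added example (not from the original post) that uses Python's standard ipaddress module to find which listed block contains 65.222.202.53, to confirm that SAIC's /28 does not, to count the addresses in 65.192.0.0/11, and to sanity-check the table itself for rows outside the parent /24 and for gaps in its coverage. The table is copied as printed in that post, so the validator reports the row printed as 66.222.202.160/28 (an address block that cannot be a suballocation of 65.222.202.0/24) and the gap at .160 to .175 that the row leaves behind. Customer names are the table's; the descriptions are dropped.

```python
import ipaddress

PARENT = ipaddress.ip_network("65.222.202.0/24")

# Suballocation table from the "What is 65.222.202.0/24?" post, copied as
# printed there (block, customer name). The 66.x row is reproduced verbatim.
SUBALLOCATIONS = [
    ("65.222.202.0/28", "Science Applications Int (SAIC)"),
    ("65.222.202.16/28", "Old Dominion Internet"),
    ("65.222.202.32/28", "FTS2001/US Government"),
    ("65.222.202.48/29", 'Unknown ("Torsploit" block)'),
    ("65.222.202.56/29", "Universal Machine Co of Pottstown Inc"),
    ("65.222.202.64/28", "Kitron"),
    ("65.222.202.80/29", "Morningside Sports Farm"),
    ("65.222.202.88/29", "MetTel, Inc"),
    ("65.222.202.96/29", "Guidestar"),
    ("65.222.202.104/29", "Walt Disney Company"),
    ("65.222.202.112/28", "Dental Concepts"),
    ("65.222.202.128/29", "GARP Research & Securities"),
    ("65.222.202.136/29", "Assured Packaging Inc"),
    ("65.222.202.144/28", "Unknown"),
    ("66.222.202.160/28", "Unknown"),  # printed this way in the post
    ("65.222.202.176/29", "Butler Medical Transport"),
    ("65.222.202.184/29", "Federated IT"),
    ("65.222.202.192/28", "Old Dominion Internet"),
    ("65.222.202.208/29", "Pharmaceuticals International, Inc"),
    ("65.222.202.216/29", "Unknown"),
    ("65.222.202.224/29", "Unknown"),
    ("65.222.202.232/29", "Live Nation"),
    ("65.222.202.240/28", "Georgetown Day School"),
]


def in_block(ip, cidr):
    """True if the address lies inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def addresses_in(cidr):
    """Number of addresses a CIDR block spans (2 ** (32 - prefix) for IPv4)."""
    return ipaddress.ip_network(cidr).num_addresses


def suballocation_of(ip, table=SUBALLOCATIONS):
    """Return (block, customer) of the most specific listed block holding ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, name in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return (str(best[0]), best[1]) if best else None


def validate_table(parent=PARENT, table=SUBALLOCATIONS):
    """Sanity-check a suballocation table: every block must lie inside the
    parent, and the blocks must tile the parent with no gaps or overlaps."""
    problems, nets = [], []
    for cidr, _ in table:
        net = ipaddress.ip_network(cidr)
        if net.subnet_of(parent):
            nets.append(net)
        else:
            problems.append(f"{cidr} lies outside {parent}")
    expected = int(parent.network_address)
    for net in sorted(nets):
        start = int(net.network_address)
        if start > expected:
            problems.append(
                f"gap: {ipaddress.ip_address(expected)}-{ipaddress.ip_address(start - 1)} not listed"
            )
        elif start < expected:
            problems.append(f"overlap: {net} starts before {ipaddress.ip_address(expected)}")
        expected = max(expected, int(net.broadcast_address) + 1)
    if expected <= int(parent.broadcast_address):
        problems.append(f"gap: {ipaddress.ip_address(expected)}-{parent.broadcast_address} not listed")
    return problems


if __name__ == "__main__":
    print(suballocation_of("65.222.202.53"))          # the /29 marked Unknown
    print(in_block("65.222.202.53", "65.222.202.0/28"))  # False: not SAIC's /28
    print(addresses_in("65.192.0.0/11"))              # 2097152, "about 2 million"
    for problem in validate_table():
        print("table:", problem)
```

The same tiling check is worth running on any SWIP/reassignment data you pull from a WHOIS tool before drawing conclusions from it, which is the point the post makes about DomainTools and Robtex.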

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or any other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.

alliexfinancial.com / Alliexfinancial Ltd "Legal Registered Investment company" spam (is it a scam?)

A slightly odd spam, sent to a scraped email address:

From:     Dirk Nunes [flamwood888@gmail.com]
Date:     5 August 2013 10:54
Subject:     Legal Registered Investment company
Signed by:     gmail.com

alliexfinancial Ltd

Our advantages:

Legal Registered Investment company

Guaranteed Return on Investments

Principal Deposits Protection

Trustwave Trusted Commerce Seal

Extended Validation SSL Certificate

DDoss Protected Dedicated Server

Instant Withdrawal Processin

JOIN NOW https://alliexfinancial.com/?ref=flamwood
Description:
Alliexfinancial Ltd is the UK registered legal international investment company. The company was created by a group of qualified experts, professional bankers, traders and analysts who specialized in the stock, bond, futures, currencies, gold, silver and oil trading with having more than ten years of extensive practical experiences of combined personal skills, knowledge, talents and collective ambitions for success.

plans:

2.2% for 7 days (115.4% total return)
Plan     Spent Amount ($)    Daily Profit (%)
Plan 1   $1 - $500           2.20

2.5% for 14 days (135% total return)
Plan     Spent Amount ($)    Daily Profit (%)
Plan 2   $10 - $1,000        2.50

2.7% for 21 days (156.7% total return)
Plan     Spent Amount ($)    Daily Profit (%)
Plan 3   $10 - $2,500        2.70

3% daily for 60 days (280% total return)
Plan     Spent Amount ($)    Daily Profit (%)
Plan 4   $10 - $50,000       3.00

JOIN NOW https://alliexfinancial.com/?ref=flamwood
The link to alliexfinancial.com/?ref=flamwood looks very much like an affiliate link, given the close match to the spammer's email address. The target site does not appear to be malicious according to URLquery.

So, what is alliexfinancial.com? It appears to be some sort of HYIP (High-Yield Investment Program) that offers up to 3.0% return on an investment.. per day.


Are these return rates sustainable? My personal opinion is that I can't see how it would be possible.
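A quick way to test that opinion with numbers, as an added example (my own code, not from the site or the spam): the "total return" figures in the spam are just the daily rate multiplied by the number of days with the principal added back, so the function below reproduces each of the four advertised totals from the plan text, and then shows what the same daily rate would mean if it were real and compounded for a year. The plan figures are the ones quoted in the spam above; the 365-day year is my assumption.

```python
# Plan figures exactly as advertised in the spam quoted above:
# (name, daily rate %, duration in days, advertised total return %).
PLANS = [
    ("Plan 1", 2.2, 7, 115.4),
    ("Plan 2", 2.5, 14, 135.0),
    ("Plan 3", 2.7, 21, 156.7),
    ("Plan 4", 3.0, 60, 280.0),
]


def advertised_total_return(daily_pct, days):
    """Total return the way the spam computes it: simple (non-compounded)
    daily rate times days, plus 100% for the returned principal."""
    return round(100 + daily_pct * days, 1)


def annual_growth_multiple(daily_pct, days_per_year=365):
    """Growth multiple if the daily rate were genuine and reinvested every
    day for a year (assumed 365 trading days). A real fund cannot do this;
    a scheme paying old investors with new deposits pretends it can."""
    return (1 + daily_pct / 100) ** days_per_year


def check_plans(plans=PLANS):
    """Verify each advertised total and attach the implied annual multiple."""
    results = []
    for name, daily, days, claimed in plans:
        computed = advertised_total_return(daily, days)
        results.append({
            "plan": name,
            "claimed_total_pct": claimed,
            "computed_total_pct": computed,
            "arithmetic_matches": computed == claimed,
            "annual_multiple": annual_growth_multiple(daily),
        })
    return results


if __name__ == "__main__":
    for r in check_plans():
        print(f"{r['plan']}: advertised {r['claimed_total_pct']}% "
              f"(simple arithmetic: {r['computed_total_pct']}%), "
              f"x{r['annual_multiple']:,.0f} per year if compounded")
```

The arithmetic matches for all four plans, which tells you the "returns" are numbers typed into a template rather than anything derived from trading; the annual multiples (several thousand times the stake for the 2.2% plan, tens of thousands for the 3% plan) are the part that cannot be true.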

So who is this company? The website states "Alliexfinancial Ltd is the UK registered legal international investment company", which is a bit ungrammatical. It also quotes the apparently valid phone number of +44 161 7110107, which is a Manchester number.

I was interested to find that Alliexfinancial Ltd is a registered company at Companies House in the UK:
ALLIEXFINANCIAL LTD
ADVANTAGE BUSINESS CENTRE
132-134 GREAT ANCOATS STREET
MANCHESTER
ENGLAND
M4 6DE
Company No. 07892518
These details match the WHOIS details of the domain precisely:

ALLIEXFINANCIAL LTD
Paul Aleckson
Email:admin@alliexfinancial.com
132-134 GREAT ANCOATS STREET
ADVANTAGE BUSINESS CENTRE
M4 6DE MANCHESTER
United Kingdom
Tel: +44.1617110107
The domain was registered in December 2009, so it has been around for a little while. The website is proxied by Cloudflare, but I think that the underlying IP address is probably 31.204.130.25 (i3d, Netherlands).

One problem - there's no such company listed on the Financial Services Register, although they do claim to be regulated in the UK:
Alliexfinancial Ltd activities are regulated by the United Kingdom international business authorities and complies with the United Kingdom legislation.
So, if they're not on the Register I am frankly a bit puzzled as to who their regulator is. They do not quote any reference number. However, they are not listed as being an unauthorised firm either.

One other problem - Companies House says that the company was incorporated in 2011, but the site claims they have been active for at least three years (i.e. since 2010):
For the last three years, the amount of funds managed by us has reached an enormous rate that is important to the company's growth and its stability. We are doing our best to make successful forecasts, and our traders work nearly 24 hours a day to make a more stable profit both for us and our investors. 

Perhaps this is an unregulated scheme? I'm not that much of a legal expert in these things, but I do note that the FCA has cautionary guidance on unregulated collective investment schemes (UCIS). In particular you cannot recommend a UCIS to the general public, and a spam email sent to a scraped address certainly seems to be an attempt to enrol the public into such a scheme.

So, who runs Alliexfinancial Ltd? The Companies House Director's Report [rtf] mentions a sole director, 28 year old Ukrainian national Mr Vladimer Ganaga (it's an odd transliteration; I'd have expected Vladimir Ganaga to be a more literal way of writing Владимир Ганага). Apart from an NSFW Vkontakte page there's not much verifiable information.

I'm not a financial adviser, but I certainly wouldn't invest any money in this scheme. Do you have any experiences with it? If you do, perhaps you would consider leaving a comment below (all comments are the responsibility of their owners).

Update 12/9/13: in the past couple of days the Alliexfinancial site went offline and payments to investors stopped. No surprises there!

Sunday 4 August 2013

BLDW "Building Turbines Corp" pump-and-dump spam

This illegal spam run almost definitely does not come from Building Turbines Corp (BLDW) but instead someone trying to game the system through a pump-and-dump scam.

There are lots of variations on the spam, but here are three examples:

Subject: This Stock is our New Wild Sub-Penny Pick!

Green Energy Company Signs Deal to Construct Rooftop Wind Turbines
for 90 Thousand Sq-Ft Stockroom. Building Turbines (PINKSHEETS:
BL_D_W) Concentrates on the Design and Construction of Patented
Roof Top Wind Turbines.

Current Price: .038
Short Term Target: .40
Company: Building Turbines Corp.
Date: August, 5th
Sym: BL_D_W

Renewable Power Corporation Wired To Soar Monday!

==========

Subject: Pay Attention To Detail

Austin Company Pens Contract to Provide Roof Wind Turbines for 90K
Sq-Ft Warehouse. Building Turbines Corp. (OTC PINK: B L_D_W)
Focuses on the Design and Construction of Patented Roof Top Wind
Turbines.

Long Term Target: $.95
Company Name: BUILDING TURBINES CORP
Trading Date: Monday, Aug 5, 2013
To buy: B L_D_W
Market: $.038

Ecological Power Business In Line To Ascend Next Week.

==========


Subject: It Could Make a Rally and Soar! (Huge News Out!)

Green Energy Corporation Clinches Contract to Construct Roof
Wind Turbines for 90,000 Square Foot Stockroom. BUILDING
TURBINES, CORP. (PINKS: BL_D W) Concentrates on the Design and
Manufacture of Patented Roof Top Wind Turbines.

Short Term Target: 0.20
Trade Date: Aug, 5th
Company: Building Turbines Corp.
Latest Pricing: .038
Traded as: BL_D W

Green Energy Business Equipped To Rise Monday!!!


BLDW stock isn't really valuable, losing 88.6% of its value since the company was floated in April 2011, and it has been bouncing around the two to four cent level since the beginning of 2013. But this isn't really about the real prospects of the company, this is a straightforward attempt to manipulate the system for profit.

In the past few days, someone has bought about 2.5 million shares in the company at about 4 cents; our past analysis would indicate that this is likely to be the spammer taking up positions.


The spammers may have targeted BLDW stock on their own initiative, but the recent HAIR spam run seems to have been for another party. No matter: if you take the example of HAIR, then any investors who had followed the spam's fake tips would have ended up losing about 90% of their investment. I'm not saying that BLDW is going to collapse, stay afloat or whatever.. but what I am saying is that you should simply ignore BLDW stock completely, because this spam run is simply an attempt at market manipulation.
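Notice that all three variants spell the ticker differently ("BL_D_W", "B L_D_W", "BL_D W"), which is there to stop a mail filter matching the plain string. As an added example (my own code, not a filter anyone on this page runs), the scanner below pulls the ticker out of the stock-spam boilerplate, collapses the evasion characters back to the real symbol and checks it against a watchlist of symbols currently being pumped. The sample lines are lifted from the three spams quoted above plus one constructed benign line; the marker words and the watchlist are my assumptions about what such a filter would key on.

```python
import re

# Sample input: lines taken from the three spam variants above, plus one
# constructed benign line that mentions a ticker in the normal way.
SAMPLE_LINES = [
    "Building Turbines (PINKSHEETS: BL_D_W) Concentrates on the Design",
    "Sym: BL_D_W",
    "Building Turbines Corp. (OTC PINK: B L_D_W)",
    "To buy: B L_D_W",
    "TURBINES, CORP. (PINKS: BL_D W) Concentrates on the Design and",
    "Traded as: BL_D W",
    "Quarterly results for ACME Corp (NASDAQ: ACME) are in.",  # constructed, benign
]

# Symbols known to be under a pump-and-dump run (assumed watchlist).
WATCHLIST = {"BLDW"}

# Boilerplate that precedes the ticker in this kind of spam (assumed marker
# words). The captured group deliberately allows spaces, underscores, dots
# and dashes so that obfuscated spellings are caught as one token.
MARKERS = re.compile(
    r"(PINKSHEETS|OTC PINK|PINKS|Sym|To buy|Traded as)\s*:\s*([A-Z _.\-]{3,12})",
    re.I,
)


def normalise_ticker(raw):
    """Collapse filter-evasion spacing and punctuation: 'B L_D W' -> 'BLDW'."""
    return re.sub(r"[^A-Z]", "", raw.upper())


def scan(lines=SAMPLE_LINES, watchlist=WATCHLIST):
    """Return (line, normalised ticker, was_obfuscated) for every watchlist hit.
    was_obfuscated is True when the raw token needed cleaning, which on its
    own is a strong spam signal even for a symbol not yet on the watchlist."""
    hits = []
    for line in lines:
        for m in MARKERS.finditer(line):
            raw = m.group(2).strip()
            ticker = normalise_ticker(raw)
            if ticker in watchlist:
                hits.append((line, ticker, ticker != raw))
    return hits


if __name__ == "__main__":
    for line, ticker, obfuscated in scan():
        flag = "obfuscated" if obfuscated else "plain"
        print(f"{ticker} ({flag}): {line}")
```

All six spam lines resolve to BLDW and all six are flagged as obfuscated, while the benign NASDAQ line produces nothing; in a real filter the "obfuscated ticker" signal is worth scoring on its own, since a legitimate company never writes its own symbol as "B L_D_W".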

Friday 2 August 2013

redwoodoptions.com "Joe Job" spam

I don't know anything about "Redwood Options" redwoodoptions.com but it seems to deal in binary options. In my personal opinion, this kind of derivative trading helped to lead to the banking collapse and should be outlawed.

Subject: For Trader
Subject: For Investor
Subject: Start Trading Now

Trade Forex, Commodities, Stocks and Indices with Up to 81% Return!
- Exclusive 60 second option
- Onetouch weekly options up to 500% return
- Up to $5000 welcome bonus

Start trading: http://www.redwoodoptions.com

That having been said, this spam run is almost definitely nothing to do with them and is instead someone trying to disrupt their (apparently lawful) business.

My advice.. ignore it and delete it.

cpro.su "Joe Job" spam run

This spam run is aimed at disrupting the underground forum cpro.su:
Subject: International carding board on new domain
Subject: Private Hacking and Carding Forum / New Domain

Welcome to Private Hacking and Carding Forum. We talking and sharing about
CVV, Paypal, Accounts, Bank Logs, Hacking Tools and Carding Tips. Newbie is
not allowed here. Do not enter if you don't know what to do...
http://cpro.su/ (*NEW domain!) 
People involved in this sort of stuff don't advertise it, but as far as I can tell cpro.su actually does deal in some unsavoury things.

What should you do about it? Nothing. The spam run will probably finish soon enough, and there's no point picking a fight with either side unless you really know what you are doing.