Dynamoo's Blog

Thursday 7 November 2013

"You received a voice mail" spam / Voice_Mail.exe

This fake voice mail spam has a malicious attachment:

Date:     Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From:     Microsoft Outlook [no-reply@victimdomain.net]
Subject:     You received a voice mail

You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)

Caller-Id:

698-333-5643

Message-Id:

80956-84B-12XGU

Email-Id:

[redacted]

This e-mail contains a voice message.
Double click on the link to listen the message.

Sent by Microsoft Exchange Server

Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47 and automated analysis tools [1] [2] show an attempted connection to amazingfloorrestoration.com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious.

Wednesday 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:

Date:     Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:     Administrator [voice9@victimdomain]
Subject:     Voice Message from Unknown (886-966-4698)

- - -Original Message- - -

From: 886-966-4698

Sent: Wed, 6 Nov 2013 22:22:28 +0800

To: recipients@victimdomain

Subject: Private Message

The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.

This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.

Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com

Those domains are consistent with the ones compromised here and it it likely that they have all also been compromised.

Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd

The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60
feed404.dnsquerys.com
feeds.nsupdatedns.com
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
static.invoice-appmy.com
vantageone.co.uk

Tuesday 5 November 2013

USPS spam / Label_442493822628.zip

This fake USPS spam has a malicious attachment:

Date:     Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From:     USPS Express Services [service-notification@usps.gov]
Subject:     USPS - Missed package delivery

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 442493822628

Print this label to get this package at our post office.

Please attention!
For mode details and shipping label please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
USPS Logistics Services.

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46. Automated analysis [1] [2] shows an attempted connection to sellmakers.com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised.

"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:

Date:     Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:     "Paychex, Inc" [paychexemail@paychex.com]
Subject:     ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.

Thank you for your cooperation.

Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.

The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2] and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.

Monday 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:

Date: Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From: Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Sincerely,
Bernice Swanson

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet.

This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] shows an attempted connect to goyhenetche.com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones too.

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..

From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit

Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.

Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.

The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.

It is strongly recommended that you pay attention to this fact.

For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.

Sincerely,

Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence

E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia

The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.

However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ASDL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.

A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.

Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99]) by
dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200
Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781) by ccdcoe.org (Postfix) with SMTP
id gkuuqe31b7s45.9.2013.11.04.59.56; Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE

I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this why has not been seen yet?

Wednesday 30 October 2013

"Corporate eFax message" spam / bulkbacklinks[.]com and Xeex.com

Oh my, do people really fall for this "Corporate eFax message" spam? Apparently people do because the spammers keep sending it out.

Date:     Wed, 30 Oct 2013 23:33:23 +0900 [10:33:23 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "673-776-6455" - 2 pages

Fax Message [Caller-ID: 673-776-6455] You have received a 2 pages fax at 2013-30-10
02:22:22 CST.* The reference number for this fax is
latf1_did11-1995781774-8924188505-39.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

-----------------------

Date:     Wed, 30 Oct 2013 10:04:50 -0500 [11:04:50 EDT]
From:     eFax Corporate [message@inbound.efax.com]
Subject:     Corporate eFax message from "877-579-4466" - 5 pages

Fax Message [Caller-ID: 877-579-4466] You have received a 5 pages fax at 2013-30-10
05:55:55 EST.* The reference number for this fax is
latf1_did11-1224528296-8910171724-72.View this fax using your PDF reader.Please visit
www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or
your service.Thank you for using the eFax service!Home | Contact | Login | 2013 j2 Global
Communications, Inc. All rights reserved.eFax is a registered trademark of j2 Global
Communications, Inc.This account is subject to the terms listed in the eFax Customer
Agreement.

Attached to the message is a file FAX_10302013_1013.zip which in turn contains FAX_10302013_1013.exe (although the date is encoded into the filename so your version may be different) which has an icon that makes it look like a PDF file.

This has a very low detection rate at VirusTotal of just 1/46. Automated analysis tools [1] [2] [3] show an attempted connection to a domain bulkbacklinks.com on 69.26.171.187. This is part of the same compromised Xeex address range as seen here and here.

Xeex have not responded to notifications of a problem (apart from an AutoNACK). I recommend that you treat the entire 69.26.171.176/28 range as being malicious and you should block according to this list.

Something evil on 144.76.207.224/28

The network block 144.76.207.224/28 is currently hosting the Magnitude exploit kit (example report) [hat tip to Malekal.com judging from the report].

This is a Hetzner IP range suballocated to:
inetnum:        144.76.207.224 - 144.76.207.239
netname:        SPHERE-LTD
descr:          Sphere LTD.
country:        DE
admin-c:        AR10715-RIPE
tech-c:         AR10715-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE # Filtered

person:         Alexander Redko
address:        Russia, 107031, Moscow, Proezd Dmitrosvkiy 8
phone:          +79104407852
nic-hdl:        AR10715-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

Domains hosted on this range include the following, ones in bold are flagged by Google as being malicious:
1valubin.info
2valubin.info
3valubin.info
4valubin.info
5valubin.info
6valubin.info
7valubin.info
8valubin.info
9valubin.info
10valubin.info
11valubin.info
12valubin.info
13valubin.info
14valubin.info
1togenhaym.info
2togenhaym.info
3togenhaym.info
4togenhaym.info
5togenhaym.info
6togenhaym.info
7togenhaym.info
8togenhaym.info
9togenhaym.info
10togenhaym.info
11togenhaym.info
12togenhaym.info
13togenhaym.info
14togenhaym.info
15togenhaym.info
16togenhaym.info
17togenhaym.info
poovergosa.info
galikvento.info

I would recommend blocking all those domains plus the 144.76.207.224/28 range.

Sphere Ltd seem to have some quite big operations in Russia. For information only, these are the other IP address ranges that I can find.
5.9.217.0/26
5.9.249.112/28
5.9.255.192/27
46.22.212.16/28
78.46.169.160/27
78.47.67.128/29
78.47.217.112/28
80.79.117.168/29
80.79.118.132/30
80.79.118.252/30
88.198.103.96/28
144.76.192.96/27
144.76.207.224/28
195.2.252.0/23
195.88.208.0/23

Tuesday 29 October 2013

Suspect network: 69.26.171.176/28

69.26.171.176/28 is a small network range is suballocated from Xeex to the following person or company which appears to have been compromised.

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network

There are three very recent Malwr reports involving sites in this range:

69.26.171.179 - bookmarkingbeast.com
69.26.171.181 - allisontravels.com
69.26.171.182 - robotvacuumhut.com

As a precaution, I would recommend temporarily blocking the whole range. These other sites are also hosted in the same block, and if you are seeing unusual traffic going to them then I would suspect that it is a malware infection:
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Division of Unemployment Assistance" spam / attached_forms.exe

This spam comes with a malicious attachment:

Date:     Tue, 29 Oct 2013 11:12:18 -0600 [13:12:18 EDT]
From:     "info@victimdomain" [info@victimdomain]
Subject:     [No Subject]

A former employee(s) of your company or organization recently filed a claim for benefits
with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA
needs information about each former employee. You are requested to:

Provide Wage and Separation information (Form 1062/1074)

And/or

Provide Separation Pay Information

If you do not provide this information, you may lose your right to appeal any
determination made on the claim.
To provide this information electronically, <b>please print attached claim (file) and
complete any outstanding forms.

This message may contain privileged and/or confidential information. Unless you are the
addressee (or authorized to receive for the addressee), you may not use, copy,
disseminate, distribute or disclose to anyone the message or any information contained in
the message.

Attached is a file with the rather long name of case#976179103613297~9392736683167.zip which contains a malicious executable attached_forms.exe with an icon that makes it look like a PDF file. The VirusTotal detections stand at 8/46 and automated analysis [1] [2] shows an attempted connection to bookmarkingbeast.com on 69.26.171.179 (Xeex Communications, US). That's just two IP addresses away from this other Xeex server mentioned here. I strongly suspect that there is a problem with servers in the 69.26.171.176/28 range so you might want to block those temporarily. This range is suballocated from Xeex to:

%rwhois V-1.5:0000a0:00 rwhois.xeex.com (by Network Connection Canada. V-1.0)
network:auth-area:69.26.160.0/19
network:network-name:69.26.171.176
network:ip-network:69.26.171.176/28
network:org-name:MJB Capital, Inc.
network:street-address:8275 South Eastern Avenue
network:city:Las Vegas
network:state:NV
network:postal-code:89123
network:country-code:US
network:tech-contact:Mark Bunnell
network:updated:2013-05-30 10:01:58
network:updated-by:noc@xeex.com
network:class-name:network

Something evil on 82.211.31.147

Still investigating this one, but 82.211.31.147 (IP-Projects, Germany) appears to be a completely rogue server hosting exploit kits and malware [1] [2].

The following domains and subdomains are associated with with IP address. I recommend blocking them, or more easily the IP address itself.

(Note, this is an updated and shorter version that in the original post)

civuxedajijo.biz
civuxedajijo.com
civuxedajijo.info
civuxedajijo.net
civuxedajijo.org
cytisyzahafo.info
cytisyzahafo.org
dedukoxejyki.info
dedukoxejyki.org
dihepopylira.info
dihepopylira.org
fagowemocule.net
ferehehusaro.info
ferehehusaro.org
geqybucubep.biz
geqybucubep.com
geqybucubep.info
geqybucubep.net
geqybucubep.org
herufexejinu.org
hozibojadygu.biz
hozibojadygu.com
hozibojadygu.info
hozibojadygu.net
hozibojadygu.org
kywyjolahoq.info
kywyjolahoq.net
kywyjolahoq.org
lugifosuwap.info
lugifosuwap.org
lunyhoqagotu.biz
lunyhoqagotu.com
lunyhoqagotu.info
lunyhoqagotu.net
lunyhoqagotu.org
nisahybonub.biz
nisahybonub.com
nisahybonub.info
nisahybonub.net
rycarimijoje.biz
rycarimijoje.com
rycarimijoje.info
rycarimijoje.net
rycarimijoje.org
sinigumawup.info
sinigumawup.org
vumytataciza.biz
vumytataciza.com
vumytataciza.info
vumytataciza.net
vumytataciza.org
zepykedaluto.biz
zepykedaluto.com
zepykedaluto.info
zepykedaluto.net
zepykedaluto.org
cassetewrt.biz
cassetewrt.com
cassetewrt.info
cassetewrt.net
cassetewrt.org
childho.com
childho.info
childho.net
childho.org
childhoodhnj.biz
childhoodhnj.com
childhoodhnj.info
childhoodhnj.net
childhoodhnj.org
cytisyzahafo.com
cytisyzahafo.net
delitenaryx.net
delitenaryx.us
dihepopylira.biz
dihepopylira.com
dihepopylira.net
dusixibanej.info
dusixibanej.net
dusixibanej.org
dusixibanej.us
fagowemocule.com
fagowemocule.info
ferehehusaro.biz
ferehehusaro.com
ferehehusaro.net
foqanapybiq.biz
foqanapybiq.com
foqanapybiq.info
foqanapybiq.net
foqanapybiq.org
geqybucube.biz
geqybucube.com
geqybucube.net
gonohulovene.net
guxulekabac.biz
guxulekabac.com
guxulekabac.info
guxulekabac.net
guxulekabac.org
hiluposukux.net
hiluposukux.org
hogyverysopi.biz
hogyverysopi.com
hogyverysopi.info
hogyverysopi.net
hogyverysopi.org
identitysdf.biz
identitysdf.com
identitysdf.info
identitysdf.net
identitysdf.org
kyqozozijugy.com
kyqozozijugy.info
kyqozozijugy.net
kyqozozijugy.org
letecaqawuxa.com
letecaqawuxa.info
letecaqawuxa.net
letecaqawuxa.org
lugifosuwap.biz
lugifosuwap.com
lugifosuwap.net
qegihugob.com
qegihugob.info
qegihugob.net
qegihugob.org
qegihugobag.com
qegihugobag.info
qegihugobag.net
qegihugobag.org
qynekugajyj.com
qynekugajyj.info
qynekugajyj.net
qynekugajyj.org
rekarunezyvi.net
signingnm.biz
signingnm.com
signingnm.info
signingnm.net
signingnm.org
sinigumawup.com
sinigumawup.net
tabletbvn.biz
tabletbvn.com
tabletbvn.net
tabletbvn.org
zobecokiloca.biz
zobecokiloca.com
zobecokiloca.info
efuvwguvoum.mine.nu
brbhogbfxxgu.mine.nu
ydmxkkyiqhiu.mine.nu
cppeklsmuexss.mine.nu
fhqfohlvdihxk.mine.nu
feqbesisuqi.blogdns.net
qhghiflvncq.blogdns.net
tilhuvmdefwu.gotdns.org
xjjfgjljivir.gotdns.org
dohotbiyotfx.blogdns.net
rqbiyiidrcrj.blogdns.net
ulchtvrwuvtnl.gotdns.org
pcowstdlxmd.for-our.info
dbgjkrymwqhgwcrxs.mine.nu
iykhbgluscjlbt.gotdns.org
tpvdjxyneijvwhlpxw.mine.nu
nomojmvmkmloxc.blogdns.net
kvworynoybhmxhv.gotdns.org
kwxlmthghilglps.gotdns.org
yibjilgetfssusp.gotdns.org
wnhsslxbrwtwc.for-our.info
cnlfdlfttgnmgks.blogdns.net
eyrdiygbcwkssld.blogdns.net
syieiqlwijppljs.blogdns.net
qjkmgebqexfgwyhe.gotdns.org
cwxqkwglydvwvnigepnf.mine.nu
kudtgttrrlyxibqhttgv.mine.nu
kxtrkjpihconmvhwfsps.mine.nu
wgsdqrgmpcbxhenujrub.mine.nu
hdledvwqiiyektoq.blogdns.net
huxvcjbdkycohlkg.blogdns.net
jlhyrfjbnwfcuyhd.blogdns.net
rkbyifuckfvgjqqk.blogdns.net
vfnxdwquisqdyxjk.blogdns.net
xhipdqfcvlukkgbj.blogdns.net
eimvggsifelgrmh.for-our.info
swlhtfbvqyjspng.for-our.info
mggkitlimroemebpnxobd.mine.nu
ershitlccewsljyou.blogdns.net
yqvvsfvsiswkjjipq.blogdns.net
gmldxogembxcuftnpo.gotdns.org
sljrowpdwiydhesmtx.gotdns.org
xkykencovusmcgxefn.gotdns.org
fxnbonjidwnsrpwp.for-our.info
puywylsnmkjuculhuo.blogdns.net
ubkdjenlfqiwdrvrmy.blogdns.net
gxtvostqmdlnvdvshmp.gotdns.org
imhsupwkkqcshqtowwd.gotdns.org
ptgssluejuimsnqljtf.gotdns.org
rprylexfclxbfdwffru.gotdns.org
xrffskqnesvosqydnwo.gotdns.org
enbiumecswjwbudrh.for-our.info
jrlqfbdtjppvbdhocjo.blogdns.net
nykqxjyihvcibbdwedp.blogdns.net
sbvhhiqnhxfutfktvet.blogdns.net
tgiglyojdggtsfevfvx.blogdns.net
jcgosegivocugffhhx.for-our.info
ucexdvultugwnnigkt.for-our.info
rhdsenonxuohknxhkrlg.blogdns.net
kxjhuuvdnguhwhxhqkmuk.gotdns.org
msxtfwbcupycminnlfihr.gotdns.org
pwhwjmbdrtummlxwhulxt.gotdns.org
rvfyeqfpgxleppjibyues.gotdns.org
xocxtcgbdujvvlphskrtq.gotdns.org
ffemcdevbudrefxswcx.for-our.info
hqoubobqtbowsceoyyqib.blogdns.net
wsbexuveyriuqurvjpxgg.blogdns.net
kecnbcjdtnirgfsekqrrk.for-our.info
trdhhkkkyjkwmyiqnlwyy.for-our.info
tkjesdouypdw.is-a-personaltrainer.com
cchllttcnxvur.is-a-personaltrainer.com
xxoyqcpvhhjycp.is-a-personaltrainer.com
sbhmdtlxodrnnbsd.is-a-personaltrainer.com
gbhenbnngbsnqggqm.is-a-personaltrainer.com
hurvqrlsoihvmsdge.is-a-personaltrainer.com
thdrugkitlcwbhwhll.is-a-personaltrainer.com
xljgonmwrxntjygnghp.is-a-personaltrainer.com
niflgslwubsdiddjrfdd.is-a-personaltrainer.com

Wells Fargo "Check copy" spam / Copy_10292013.zip

These fake Wells Fargo spam messages have a malicious attachment:

Date:     Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:     Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:     FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

--------------------

Date:     Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From:     Wells Fargo [Leroy.Dale@wellsfargo.com]
Subject:     FW: Check copy

We had problems processing your latest check, attached is a image copy.

Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

Attached is an executable file Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary.

The VirusTotal detection rate is just 3/47. Automated analysis [1] [2] shows an attempted connection to allisontravels.com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these.

gg

Monday 28 October 2013

Google Ads and #FFF7ED.. what's wrong with this picture?

So here's a long-standing source of irritation that I decided to have a poke at today.. Google Ads in search results. Now, obviously this is one of the main ways that Google makes money and frankly it's part of the deal in them giving you all those search results for free.

Let's take a look at a typical results page, for the term data recovery software (this is traditionally one of the most expensive search terms to advertise for).

The first three results are advertisements, they are displayed on a very pale pink background with a hex colour of #FFF7ED (compared to #FFFFFF for pure white). Can you see them?

The answer seems to be.. some people can, and some people can't. Now, I am colour blind.. but sometimes I can see the background, but other times it appears to be completely invisible. It really seems to depend on the monitor that I'm using.. it does seem that quite a lot of displays are very poor at displaying that particular colour.

Frankly this sort of thing is poor design, with very similar contrast levels between the two areas that are meant to be distinguishable. The coloured area is about 97% of the brightness of the white area, which isn't enough to make it clear in my opinion.

Just in case you can't see the ads, here's the same screenshot with a histogram equalise function applied.

Here are the two colours side-by-side. You might find that moving your head from side-to-side will make the colour more apparent, but on some monitors it makes no difference.

The pink background is on the left. Can you see it? On some monitors I can, but on others I can't. So, let's take a photo of one of the monitors that seems to be struggling.

Can you see the difference now? Almost definitely not, because the slight red cast has vanished. And it isn't just one monitor either, this seems to be common among many different monitors that I have looked at. By and large, all these monitors are set to their default settings, but some fiddling around can usually make the background more apparent.. usually at the cost of some weird colours elsewhere.

There is of course a security issue here.. many of these ads lead are rather misleading. Do a search for download skype (or any other free download) and check the ads that appear (some of which are on the top rather than the side). Do you really want to click those?

No, you probably don't.. but there's a danger with more obscure software that you could end up downloading something that you don't want because the ads are not always easily distinguishable from the real search results. And I have certainly noticed an uptick in crapware installations for people who thought they were downloading an official version of something, only to discover that they are not.

And yes, I do know that the ads shows "Ads related to.." above them, but how many ads are there? One? Two? Three? If you can't see the colour then it is hard to tell.

Has something changed? Has Google deliberately chosen a colour that is hard to make out on some monitors? Or do some monitors (and these are mostly mainstream Dell units) have very poor colour fidelity? What do people thing?

American Express "Fraud Alert" spam / steelhorsecomputers.net

This fake Amex spam leads to malware on steelhorsecomputers.net:

From:    American Express [fraud@aexp.com]
Date:    28 October 2013 14:14
Subject:    Fraud Alert : Irregular Card Activity

Irregular Card Activity


Dear Customer,

We detected irregular card activity on your American Express

Check Card on 28th October, 2013.

As the Primary Contact, you must verify your account activity before you can
continue using your card, and upon verification, we will remove any restrictions
placed on your account.

To review your account as soon as possible please.

Please click on the link below to verify your information with us:

https://www.americanexpress.com/

If you account information is not updated within 24 hours then your ability
to access your account will be restricted.

We appreciate your prompt attention to this important matter.

© 2013 American Express Company. All rights reserved.

AMEX Fraud Department

The link in the email goes through a legitimate but hacked site and then runs of of the following three scripts:
[donotclick]kaindustries.comcastbiz.net/imaginable/emulsion.js
[donotclick]naturesfinest.eu/eroding/patricians.js
[donotclick]winklersmagicwarehouse.com/handmade/analects.js

From there, the victim is sent to a malware landing page at [donotclick]steelhorsecomputers.net/americanexpress/ which is a hijacked GoDaddy domain hosted on 96.126.102.8 (Linode, US). There are other hijacked GoDaddy domains too, listed below in italics.

Recommended blocklist:
96.126.102.8
8353333.com
chrisfrillman.com
steelhorsecomputers.net
steelhorsecomputers.com
kaindustries.comcastbiz.net
naturesfinest.eu
winklersmagicwarehouse.com

Sunday 27 October 2013

"You are a Mercedes-Benz winner !!!" spam

This is a slightly novel twist on an advanced fee fraud scam:

From:    Mercedes-Benz [desk_notification@yahoo.com]
Reply-To:    bmlot20137@live.com
Date:    27 October 2013 13:44
Subject:    You are a Mercedes-Benz winner !!!

Dear Recipient,

You have received a loyalty reward from Mercedes-Benz, Answer the Below question correctly and stand a chance of winning our Promotional Award Grand prize of $4,000,000USD and a Brand New 2013 Mercedes-Benz GLK350 4Matic SUV Car. If you have never had a Mercedes-Benz Product, this is your chance to benefit from our company while if you have any of our products this is your opportunity of enjoying some of our benefits apart from the comfortability and efficiency of our products. Just answer the questions asked below and you could be a winner:

QUESTION:

(1). What year was Mercedes-Benz found?
(a). 1946
(b). 1926
(c). 1936

(2). Who was the founder of Benz?
(a). Terry Benz
(b). Tom Benz
(c). Karl Benz

(3). In which country is the Benz Headquarter Located?
(a). Germany
(b). United Kingdom
(c). United State of America

Note that you are to send your answers along with your Full Name, Sex, Age, Phone Number, Country and Occupation.to our Fiduciary agent:

Mr.Richard Ashton
Email: bmlot20137@live.com
TEL: +44 703 590 2283
Fax: +44 871-247-6031

Our aims to support the abilities of the neediest groups to fulfill human dignity and social justice in cooperation with development partners in the world.

Kind Regards,
Mrs.Katherine Dooley
Mercedes-Benz,Online coordinator

The email was sent to a spamtrap address from 41.138.182.219 which is in Lagos, Nigeria via a mail server in the US at 65.40.236.192 (Embarq).

You might wonder what the scam is because it looks like a competition.. once you have answered the three trivially easy questions (we all know that Mercedes Benz was founded by Terry Benz in 1946 and is headquartered in the UK, after all) then you will find that you'll need to pay a stiff fee to get your prize.. which will never materialise.

Saturday 26 October 2013

Never mind the NSA, here is LinkedIn Intro

LinkedIn recently announced LinkedIn Intro which is an add-in to the iOS mail app, allowing you do display a contact's LinkedIn data in the message you are reading by injected code into the datastream. This is of marginal use to most people, and many reader will recognise this as being something that annoying browser plugins have done for some time.

Despite LinkedIn's Pledge of Privacy, many people are concerned that LinkedIn is intercepting and reading your email. I don't believe that LinkedIn is at all interested in the content of your email, but I do believe that it is interested in finding out who you contact instead in order to sell its so-called "product" on to more and more people.

Here's a thing - I use LinkedIn under an assumed name, but somehow LinkedIn thinks that I may know various people. Now, some of those are obviously connected to my fake profile.. but then it suggested that I know my own wife. We obviously I do, but the fake profile has no connection to her.. so the only source of this information must have been our shared IP address at home.

Then LinkedIn goes on a data-mining spree and suggests that I know all my coworkers who I also share an IP address with - which is true, but the fake profile I created does not. So, it seems pretty clear that LinkedIn uses your IP address to match you up with others.

LinkedIn has often been accused of rummaging through people's mailboxes without permission, but in this case it was not possible as my LinkedIn account is not linked to any mailboxes and uses a different username and password, so IP address is the only logical source of this.

But one day my wife (an occasional LinkedIn user) reported something very creepy indeed.. it reported that she may know a relative of mine that she does not really ever contact. And then some time later, I had another relative pop up in my fake profile. Where the hell does this information come from?

I have several theories about what is going on, including a deep suspicion that LinkedIn creates shadow profiles of non-members, and that it also includes hidden data about the relationships of members as well.. but those are just my opinions and I have nothing concrete to back them up. But what I do know from playing around with fake profiles is that LinkedIn is extremely clever and building up a network of suggested contacts whether you want them to or not.

LinkedIn's primary resource is the personal connections of its users. And just possibly that extends to shadow profiles of non-users as well. And that brings us back to LinkedIn Intro.. the quickest way of building up a truly massive collection of data about personal relationships is to do a traffic analysis on their email. You don't need to know the content, but if you know who they send and receive emails from then you will easily enumerate their professional and personal relationships. And then you can monetise that.

In the end, it doesn't matter if you sign up for LinkedIn Intro or not, because if just one person in your email chain does us it, then there's the possibility that LinkedIn will slurp up all that data for its own use.

LinkedIn has been accused by some of being the creepiest social network, and some commentators have gone even deeper into the risks of using Intro. There's even a lawsuit claiming that LinkedIn hacked email contacts but actually I suspect that LinkedIn wouldn't even need to bother doing that as it is clearly very efficient in working out contacts without it.

I suspect that at some point the issue of LinkedIn's data gathering will become a big issue, and the company will either need to explain exactly how it collects its data or perhaps someone on the inside will leak it out. Are they doing something illegal? Probably not. Are they doing something very creepy? Almost definitely yes.

Friday 25 October 2013

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:

Date:     Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:     LloydsTSB [noreply@lloydstsb.co.uk]
Subject:     You have received a new debit
Priority:     High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

============================================================================
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.

Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't.

The VirusTotal detection rate is a so-so 13/47. Automated analysis [1] [2] shows an attempted connection to www.baufie.com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box.

Malware sites to block 25/10/2013

This list replaces this one, and mostly contains domains and IPs connected with this gang. The list starts with IPs and web hosts, followed by plain IPs and domains for copy-and-pasting.

5.175.171.89 (GHOSTnet, Germany)
5.231.40.197 (GHOSTnet, Germany)
5.231.47.92 (GHOSTnet, Germany)
31.210.112.28 (Veri Merkezi Hizmetleri, Turkey)
42.121.84.12 (Aliyun Computing Co, China)
60.199.253.165 (Taiwan Fixed Network Co, Taiwan)
63.251.135.19 (Internap, US)
78.100.140.171 (Qatar Telecom, Qatar)
81.91.159.212 (Datak Internet Engineering, Iran)
103.28.255.207 (Ani Network Pvt Ltd, India)
112.124.27.158 (Alibaba Advertising Co, China)
146.185.147.26 (Digital Ocean, Netherlands)
161.24.16.127 (Centro Tecnico Aeroespacial, Brazil)
181.41.200.191 (Host1plus Brazil, Brazil)
186.3.101.235 (Clientes Quito, Ecuador)
186.151.240.197 (Municipalidad De Zaragoza, Guatemala)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
189.1.169.28 (Maxihost Hospedagem de Sites Ltda, Brazil)
196.40.9.113 (Terminales Santamaria, Costa Rica)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
223.30.27.251 (Sify Limited, India)

5.175.171.89
5.231.40.197
5.231.47.92
31.210.112.28
42.121.84.12
60.199.253.165
63.251.135.19
78.100.140.171
81.91.159.212
103.28.255.207
112.124.27.158
146.185.147.26
161.24.16.127
181.41.200.191
186.3.101.235
186.151.240.197
186.251.180.205
189.1.169.28
196.40.9.113
211.71.99.66
223.30.27.251
acondorwoonkary120.com
avasdayspa.net
blackbox-e.net
bonds.su
carefordying.net
carrykeyboard.net
ceravdilicheskinevoz76.net
consumersshow.net
cormushkaneplohatak300.com
cronshtainymorenah55.net
derivatiexchange.com
dotier.net
dropdistri-butions.net
dulethcentury.net
ermeentroper110.com
ermirovaniedoom153.com
ermirovanievood152.com
ermxxrtroper210.com
eventlogselfn.net
excelledblast.net
foi.su
gormonnsnter105.net
gromydoonye250.com
groove.su
gumatexx.net
hdmltextvoice.net
idersnonvirus.com
introlinkage.com
introlinkage.su
jurassic-spa.net
kotzebuepolice.net
leedsprobate.net
lyvegetarians.net
mesmultimedia.com
milkdriver.com
mymulejams.net
nacase.net
ny-headsets.org
ordersdeluxe.com
pro-senioren.net
rojecttalkway.com
sandlord.com
stabilitymess.net
thetokion.com
uprisingquicks.net
zigbeejournal.net

Thursday 24 October 2013

"My resume" spam / Resume_LinkedIn.exe

This rather terse spam email message has a malicious attachment:

Date:     Thu, 24 Oct 2013 15:45:37 +0200 [09:45:37 EDT]
From:     Elijah Parr [Elijah.Parr@linkedin.com]
Subject:     My resume

Attached is my resume, let me know if its ok.

Thanks,
Elijah Parr

------------------------

Date:     Thu, 24 Oct 2013 19:14:37 +0530 [09:44:37 EDT]
From:     Greg Barnes [Greg.Barnes@linkedin.com]
Subject:     My resume

Attached is my resume, let me know if its ok.

Thanks,
Greg Barnes

The attachment is Resume_LinkedIn.zip which in turn contains a malicious executable Resume_LinkedIn.exe with an icon to make it look like a Word Document rather than an executable.

VirusTotal is timing out at the moment, but earlier only one AV engine detected it (Norman). Automated analysis tools [1] [2] show an attempted connection to homevisitor.co.uk on 64.50.166.122 (Lunarpages, US). This server was distributing malware last month too, so we must assume that it is compromised. Blocking that IP address would probably be a good idea as there are several other compromised domains on that same server [1] [2].