Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Back in April I wrote an article about how several top porn sites were having issues with malware. An apparent infection at xvideos.com (link is a little NSFW) led me to look at the Google malware results for the past 90 days again.

I started with a list of sites in the top 1000 sites globally according to data at Alexa.com (a few have dropped out of the top 1000 since I collated the data set) and also used the Alexa data to work out the average number of daily pageviews per user. The next step was to look at Google's data on the number of infected pages and the total number of pages on the site, noting the date of last infection. From that I could work out an "infection likelihood" which is the probability of an average visitor coming into contact with malware during the period the site was infected.

What was surprising was just how clean these sites are looking (well, from a malware perspective). Last time some of the biggest sites had hundreds of pages infected, and now they appear to have virtually none. I've highlighted everything above 1% in red, but note that the "riskiest" site (largeporntube.com) has been clean for a couple of months.
 
The results of my analysis are as follows:


Rank | Domain | Pageviews / User | Total pages | Infected | Date of last infection | Infection rate | Infection likelihood
---- | ------ | ---------------- | ----------- | -------- | ---------------------- | -------------- | --------------------
38 | xvideos.com | 11.7 | 89427 | 0 | | 0.00% | 0.00%
51 | xhamster.com | 10 | 11356 | 1 | 2013-07-01 | 0.01% | 0.09%
66 | pornhub.com | 5.6 | 6235 | 0 | | 0.00% | 0.00%
88 | xnxx.com | 9.5 | 26082 | 0 | | 0.00% | 0.00%
95 | redtube.com | 5 | 9189 | 0 | | 0.00% | 0.00%
99 | youporn.com | 5.6 | 1675 | 0 | | 0.00% | 0.00%
103 | livejasmin.com | 2.4 | 502 | 0 | | 0.00% | 0.00%
162 | tube8.com | 3.9 | 12697 | 0 | | 0.00% | 0.00%
169 | youjizz.com | 4.7 | 1385 | 0 | | 0.00% | 0.00%
227 | hardsextube.com | 3.3 | 71817 | 0 | | 0.00% | 0.00%
268 | dmm.co.jp | 9.2 | 1245 | 0 | | 0.00% | 0.00%
275 | beeg.com | 4.9 | 873 | 0 | | 0.00% | 0.00%
326 | motherless.com | 14.8 | 3196 | 4 | 2013-06-24 | 0.13% | 1.84%
393 | drtuber.com | 2.8 | 1420 | 0 | | 0.00% | 0.00%
438 | myfreecams.com | 4 | 148 | 0 | | 0.00% | 0.00%
453 | cam4.com | 6.3 | 889 | 0 | | 0.00% | 0.00%
462 | adultfriendfinder.com | 7.8 | 241 | 0 | | 0.00% | 0.00%
464 | bravotube.net | 2.6 | 1098 | 0 | | 0.00% | 0.00%
502 | ixxx.com | 3.4 | 438 | 5 | 2013-09-05 | 1.14% | 3.83%
528 | chaturbate.com | 14.7 | 2725 | 0 | | 0.00% | 0.00%
578 | nuvid.com | 2.8 | 884 | 0 | | 0.00% | 0.00%
588 | spankwire.com | 3.3 | 1182 | 0 | | 0.00% | 0.00%
591 | porntube.com | 2.9 | 734 | 0 | | 0.00% | 0.00%
595 | pornerbros.com | 1.9 | 946 | 1 | | 0.11% | 0.20%
607 | largeporntube.com | 3.2 | 5750 | 160 | 2013-07-20 | 2.78% | 8.63%
676 | yourlust.com | 2.7 | 1224 | 0 | | 0.00% | 0.00%
697 | 4tube.com | 4.3 | 1337 | 0 | | 0.00% | 0.00%
699 | keezmovies.com | 3 | 669 | 0 | | 0.00% | 0.00%
707 | pornhublive.com | 2.3 | 30 | 0 | | 0.00% | 0.00%
768 | xhamstercams.com | 1.8 | 5 | 0 | | 0.00% | 0.00%
780 | h2porn.com | 1.8 | 2193 | 1 | | 0.05% | 0.08%
800 | 4chan.org | 26.7 | 218 | 0 | | 0.00% | 0.00%
804 | video-one.com | 13.7 | 1143 | 0 | | 0.00% | 0.00%
825 | xtube.com | 12.1 | 805 | 0 | | 0.00% | 0.00%
830 | sunporno.com | 2.7 | 360 | 0 | | 0.00% | 0.00%
848 | porn.com | 4 | 1281 | 0 | | 0.00% | 0.00%
864 | perfectgirls.net | 5.4 | 1958 | 5 | 2013-09-05 | 0.26% | 1.37%
883 | nudevista.com | 8.7 | 2088 | 1 | 2013-08-03 | 0.05% | 0.42%
931 | redtubelive.com | 2.8 | 33 | 0 | | 0.00% | 0.00%
942 | alphaporno.com | 1.9 | 10472 | 32 | 2013-07-21 | 0.31% | 0.58%
1065 | videosexarchive.com | 3.8 | 5183 | 0 | | 0.00% | 0.00%
1238 | hellporno.com | 3 | 331 | 0 | | 0.00% | 0.00%
1382 | watchmygf.com | 1.3 | 11 | 0 | | 0.00% | 0.00%
1806 | ah-me.com | 2.7 | 235 | 0 | | 0.00% | 0.00%
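
To make the "infection likelihood" column reproducible, here is an added Python example (mine, not from the original post) that recomputes it for a subset of the rows above. The post does not state its formula; the one used here, the probability that at least one of a visitor's n daily page views lands on an infected page when a fraction p of the site's pages is infected, 1 - (1 - p)^n, is an assumption, but it reproduces the post's figures to two decimal places (for example 3.83% for ixxx.com and 8.63% for largeporntube.com). The 1% flagging threshold mirrors the one described above, and the row data are copied from the table.

```python
"""Recompute the infection rate and infection likelihood columns from Alexa
pageviews per user and Google's infected/total page counts."""
from dataclasses import dataclass


@dataclass
class SiteRow:
    rank: int                  # Alexa global rank
    domain: str
    pageviews_per_user: float  # Alexa daily pageviews per user
    total_pages: int           # pages Google tested on the site
    infected: int              # pages Google found serving malware
    last_infection: str        # date of last infection, "" when none reported


# A subset of the rows from the table in the post.
ROWS = [
    SiteRow(51, "xhamster.com", 10.0, 11356, 1, "2013-07-01"),
    SiteRow(66, "pornhub.com", 5.6, 6235, 0, ""),
    SiteRow(326, "motherless.com", 14.8, 3196, 4, "2013-06-24"),
    SiteRow(502, "ixxx.com", 3.4, 438, 5, "2013-09-05"),
    SiteRow(607, "largeporntube.com", 3.2, 5750, 160, "2013-07-20"),
    SiteRow(864, "perfectgirls.net", 5.4, 1958, 5, "2013-09-05"),
    SiteRow(942, "alphaporno.com", 1.9, 10472, 32, "2013-07-21"),
]


def infection_rate(infected, total_pages):
    """Fraction of the site's tested pages that were found infected."""
    if total_pages <= 0:
        raise ValueError("total_pages must be positive")
    if not 0 <= infected <= total_pages:
        raise ValueError("infected must lie between 0 and total_pages")
    return infected / total_pages


def infection_likelihood(rate, pageviews):
    """Assumed model: each of a visitor's `pageviews` page views independently
    lands on an infected page with probability `rate`, so the chance of at
    least one hit in a day is 1 - (1 - rate) ** pageviews."""
    return 1.0 - (1.0 - rate) ** pageviews


def analyse(rows, threshold=0.01):
    """Compute both columns for every row and flag anything above `threshold`."""
    results = []
    for r in rows:
        rate = infection_rate(r.infected, r.total_pages)
        likelihood = infection_likelihood(rate, r.pageviews_per_user)
        results.append({
            "rank": r.rank,
            "domain": r.domain,
            "rate": rate,
            "likelihood": likelihood,
            "flag": likelihood > threshold,
            "last_infection": r.last_infection,
        })
    return results


def render(results):
    """Plain-text table in the same column order as the post."""
    lines = [f"{'Domain':22} {'Rate':>7} {'Likelihood':>11} {'Last infection':>15}  Flag"]
    for r in results:
        flag = ">1%" if r["flag"] else ""
        lines.append(f"{r['domain']:22} {r['rate']:7.2%} {r['likelihood']:11.2%} "
                     f"{r['last_infection'] or '-':>15}  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(analyse(ROWS)))
```

For small rates the likelihood is close to pageviews × rate, which is why a site with few infected pages but many page views per visitor (motherless.com at 14.8 views) scores higher than one with a larger infection rate but fewer views (alphaporno.com at 1.9). The model assumes independent, uniformly random page views; it overstates the risk for visitors who only ever see the front page and understates it where the infected pages are the popular ones.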
  
So, what is going on? Have these sites cleaned up their act? Well, it certainly looks like there has been an improvement (despite the reported infection at xvideos.com above). 

Over 46,000 people looked at my previous blog post on the topic, and it was covered by some major news outlets [1] [2] [3] [4] [5]. Reaction was varied, and many porn site operators flatly denied the problem despite the Google statistics indicating otherwise.

So perhaps shining a light on the problem helped to clean it up. Perhaps the spike in malware was a temporary glitch. Perhaps the malware operators are better at hiding what they are doing. I suspect that it is a combination of all three.


Despite the apparent cleanup of these sites, my advice is that you still need to exercise caution. It is very important to make sure that your system is fully patched (you can use Secunia OSI to check if you have a Windows PC), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware, and of course a good and up-to-date anti-virus or security package is essential. In addition, Google's Chrome browser is pretty good at picking up malicious sites, and the most dangerous browser to use tends to be Internet Explorer. And if you have Sun's Java platform installed on your system I would strongly recommend that you remove it, as that is currently the most popular way of getting your machine infected.

BBB Spam / Case_0938818_2818.exe

This fake BBB spam has a malicious attachment:

Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]
Subject:      FW: Case IN11A44X2WCP44M

The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.

In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.

We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201 
Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46 at VirusTotal.

Automated analysis of the malware is inconclusive [1] [2] [3] [4], but it does generate outbound traffic to kwaggle.com on port 443 at 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife.co.uk on the same server is also hosting malware, so I would be suspicious of some of the other sites on the same box.

Recommended blocklist:
64.50.166.122
kwaggle.com
thisisyourwife.co.uk

ACH file ID "999.107" has been processed successfully spam / www.fiscdp.com.airfare-ticketscheap.com

This fake FISC ACH spam leads to malware on www.fiscdp.com.airfare-ticketscheap.com:

Date:      Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From:      Financial Institution Service [improvehv89@m.fiscdp.gov]
Subject:      ACH file ID "999.107"  has been processed successfully

Files FISC Processing Service

SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83

To find out more information   browse this link

The link in the email goes to a legitimate hacked site and then on to a malware landing page at [donotclick]www.fiscdp.com.airfare-ticketscheap.com/news/opens_heads_earlier.php (reports here and here) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD , Bulgaria)
174.142.186.89 (iWeb Technologies)

The WHOIS details for airfare-ticketscheap.com are fake and the domain was registered just yesterday:
      LORIANN PERKINS
      8125 MANITOBA ST.
      PALYA DEL MAR, CA 90293
      US
      Phone: +1.7607224337
      Email: mybigben56@yahoo.com


The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:
66.230.163.86
95.87.1.19
174.142.186.89
actiry.com
airfare-ticketscheap.com
appsmartsecurity.com
bluavoughogma.com
boxbass.com
cernanrigndnisne55.net
certierskieanyofthe23.net
cosamortranas.com
dashuxmaecrme.com
dolekotoukart.com
dulethcentury.net
dvdramrautosel.su
email.pinterest.com.lacave-enlignes.com
evreisorinejsopgmrjnet28.net
explic.net
facebook.com.achrezervations.com
facebook.com.n.find-friends.lindoliveryct.net
favar.net
gggrecheskiysala99.net
giabit.net
gormonigraetnapovalahule26.net
hdmltextvoice.net
herbergers.com.content.customer-service.laptopsinstalled.net
hyatt.com.reservations.reservation.roccoscollar.net
includedtight.com
invoices.ulsmart.net
irs.gov.successsaturday.net
joyrideengend.net
lacave-enlignes.com
lhobbyrelated.com
liliputttt9999.info
magiklovsterd.net
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
molul.com
musicstudioseattle.net
nacha-ach-processor.com
paypal.com.us.cmd.stjamesang.net
photos.walmart.com.orders.stjamesang.net
prgpowertoolse.su
spotssmalldor.com
www.facebook.com.achrezervations.com
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net


Monday, 9 September 2013

ygregistry.org domain scam

These Chinese domain scammers never give up; this scam has been seen several times before [1] [2] [3] [4].

From:     Jim Bing [jim.bing@ygregistry.org]
Date:     9 September 2013 14:32
Subject:     Regarding "[redacted]" Cn domain name and Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China.
We received an application from Huaxiang Ltd on September 7, 2013. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistry.org
The whole thing is a fraud. Nobody in China is trying to register your domain name, and in any case registrars are not responsible for checking. They are simply trying to make you panic and buy an overpriced domain that you do not need and will never use.

Malware sites to block 9/9/13, part II

Another set of IPs and domains related to this attack detailed by Sophos, and overlapping slightly with the malicious servers documented here.

I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja.cc) to do evil things.

46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)

Blocklist:
46.20.36.9
74.63.229.252
77.81.244.226
173.243.118.198
198.52.243.229
199.188.206.183
206.72.192.31
213.156.91.110
ahthuvuz.cc
bo0keego.cc
but-kluczit.net
datsbull.net
eevootii.su
ezootoo.su
oogagh.su
oonucoog.cc
queiries.su
thepohzi.su
tohk5ja.cc
wahemah.cc
xigizubu.cc
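
The lists above mix IP addresses with bare domains, and as noted the attack spins up throwaway subdomains (zwgaf72d4erv7g.www5.tohk5ja.cc) under them, so whatever consumes a blocklist has to match domain suffixes at label boundaries rather than exact strings. The Python below is an added example, not part of the original post, that loads a mixed list (the indicators are copied from the blocklists in the posts above) and runs it over a few Squid access.log lines; the log lines, client addresses and timestamps are constructed for the demonstration.

```python
"""Match proxy log lines against a mixed IP/domain blocklist, using
label-boundary suffix matching so subdomains of a listed domain are caught."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the blocklists in the posts above.
BLOCKLIST = """
# Malware sites to block 9/9/13, part II
46.20.36.9
74.63.229.252
tohk5ja.cc
ahthuvuz.cc
# FISC ACH spam / Amerika gang
66.230.163.86
95.87.1.19
airfare-ticketscheap.com
"""


def load_blocklist(text):
    """Split a blocklist into a set of IP addresses and a set of lowercase domains."""
    ips, domains = set(), set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:          # not an IP, so treat it as a domain
            domains.add(line.rstrip("."))
    return ips, domains


def domain_blocked(host, domains):
    """True if the host or any parent domain is listed. Walking label boundaries
    means a.b.tohk5ja.cc matches tohk5ja.cc, while notairfare-ticketscheap.com
    does not match airfare-ticketscheap.com."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_blocked(ip_text, ips):
    """True if the text is a listed IP; non-IP peers such as '-' are never matches."""
    try:
        return ipaddress.ip_address(ip_text) in ips
    except ValueError:
        return False


# Squid native access.log: time elapsed client code/status bytes method URL user hier/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def scan_log(lines, ips, domains):
    """Return one finding per log line whose URL host or upstream peer IP is listed."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SQUID_LINE.match(line)
        if not m:
            continue                # unparseable line: skip rather than guess
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if domain_blocked(host, domains):
            reasons.append("domain")
        if ip_blocked(m["peer"], ips):
            reasons.append("ip")
        if reasons:
            findings.append({"line": n, "client": m["client"], "host": host,
                             "peer": m["peer"], "reasons": reasons})
    return findings


# Constructed sample log lines (not from the post); clients and timestamps are made up.
SAMPLE_LOG = [
    "1378742400.101 312 10.1.2.3 TCP_MISS/200 4096 GET http://zwgaf72d4erv7g.www5.tohk5ja.cc/index.php - HIER_DIRECT/46.20.36.9 text/html",
    "1378742401.202 120 10.1.2.4 TCP_MISS/200 812 GET http://www.fiscdp.com.airfare-ticketscheap.com/news/opens_heads_earlier.php - HIER_DIRECT/95.87.1.19 text/html",
    "1378742402.303 98 10.1.2.5 TCP_MISS/200 2048 GET http://notairfare-ticketscheap.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "1378742403.404 45 10.1.2.6 TCP_HIT/200 15000 GET http://example.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    ips, domains = load_blocklist(BLOCKLIST)
    for finding in scan_log(SAMPLE_LOG, ips, domains):
        print(finding)
```

Suffix matching on whole labels rather than substrings matters in both directions: the random subdomain must hit tohk5ja.cc, but a lookalike such as notairfare-ticketscheap.com must not hit airfare-ticketscheap.com. Checking the upstream IP separately from the host name catches domains that were not on the list yet but resolve to a listed server, which is the point of blocking by IP when the domains are in flux.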

Malware sites to block 9/9/13

These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)

1.209.108.29
24.173.170.230
37.153.192.72
42.121.84.12
58.68.228.148
58.246.240.122
61.36.178.236
66.230.163.86
66.230.190.249
74.63.233.79
74.207.231.42
95.87.1.19
95.111.32.249
95.242.252.26
103.20.166.67
111.93.115.216
115.78.233.220
115.160.146.142
130.63.110.159
140.116.72.75
141.20.102.73
148.204.64.107
173.254.250.218
184.23.8.7
186.251.180.205
187.60.172.18
190.145.25.126
190.152.149.85
192.241.199.191
194.42.83.60
194.158.4.42
198.224.81.54
199.115.228.213
208.52.185.178
208.69.42.50
208.180.134.20
212.169.49.234
213.156.91.110
222.35.102.133
223.30.27.251
achrezervations.com
agence-moret.net
altertraveldream.com
amimeseason.net
bnamecorni.com
boardsxmeta.com
brasilmatics.net
bundle.su
casualcare.net
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chairsantique.net
checklistsseesmics.su
chernigovskievojninua55.net
controlsalthoug.com
credit-find.net
crovliivseoslniepodmore83.net
deepsealinks.com
dotier.net
dvdramrautosel.su
ehnihujasebenahujchtoza27.net
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
email.pinterest.com.lacave-enlignes.com
ergopets.com
ermitajniedelaincityof40.net
explic.net
facebook.com.achrezervations.com
favar.net
fender.su
ffupdate.pw
fulty.net
gaphotoid.net
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gonulpalace.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
gormovskieafrterskioepr30.net
grannyhair.ru
higherpricedan.com
hobox.net
hotbitscan.com
icentis-finance.net
insectiore.net
invoices.ulsmart.net
istatsking.ru
jessesautobody.net.rcom-dns.eu
kpsart.net
lacave-enlignes.com
lights-awake.net
liliputttt9999.info
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mobile-unlocked.net
molul.com
multiachprocessor.com
myaxioms.com
mywebsitetips.net
nacha-ach-processor.com
namastelearning.net
ns1.namastelearning.net
ns2.namastelearning.net
nvufvwieg.com
oadims.net
ordersdeluxe.com
oversearadios.net
paypal.com.us.cmd.stjamesang.net
perkindomname.com
photos.walmart.com.orders.stjamesang.net
porschetr-ml.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
redsox.com.tickets-service.lindoliveryct.net
relectsdispla.net
rentipod.ru
saucancafe.net
scoutmoor.net
secureprotection5.com
soberimages.com
stjamesang.net
stonewallspwt.net
strutterradio.net
taltondark.net
templateswell.net
thefastor.com
thegalaxyatwork.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
trans-staronline.net
treesmustdownload.su
u-janusa.net
ulsmart.net
uprisingquicks.net
video-withtext.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
weekings.com
wildgames-orb.net
wow-included.com
www.facebook.com.achrezervations.com
www.linkedin.com.achrezervations.com
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net
zinvolarstikel.com

Saturday, 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and its servers hacked in order to send spam to its customer list. Something similar happened a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:

From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013 14:04
Subject:     Quotation

Hello,

We have prepared a quotation, please see attached

With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability,

DNV KEMA is a real, legitimate company in the energy sector, but they did not send the spam: an examination of the headers shows that the sending IP is 213.171.204.75, which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email was sent to an address used ONLY to register at dealerbid.co.uk. So the upshot is that this domain is compromised, and it is compromised right now.

The email is meant to have an attachment called Quotation.zip, but in my sample the email was mis-formatted and instead the Base64-encoded ZIP file was in the main body text, starting thus:

UEsDBBQAAAAIAGiQJENXc/
KQmRoAACj9AQANAAAAUXVvdGF0aW9uLnZic+1dS3PcOJK+K0L/QeHD
Some copy-and-pasting and work with a Base64 decoder ended up with a valid ZIP file, containing a somewhat obfuscated VBS script Quotation.vbs with a low VirusTotal detection rate of 4/46.

I really don't know a lot about VBScript, but it's an interpreted language (like JavaScript), so with some care you can get it to decode itself for you. The payload of the script was delivered by a line
execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)
Changing "execute" to a series of commands that write a file out.txt gets the script to decode itself and present the deobfuscated code for you:

' Write the decoded payload string to out.txt instead of running it.
' In VBScript, Execute is a statement and returns nothing, so the variable
' that was being passed to it (which already holds the decoded code) is
' written out directly.
Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "out.txt"
Set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin & vbCrLf
objFile.Close

Obviously, great care should be taken when doing this, and a throwaway virtual machine is advised in case of errors.

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip.org
146.185.24.207

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47, which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus), but obviously you need to know what you are doing!

Friday, 6 September 2013

"Scanned Document Attached" spam / FSEMC.06092013.exe

This fake financial spam contains an encrypted attachment with a malicious file in it.

Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From:      Fiserv [Lawanda_Underwood@fiserv.com]
Subject:      FW: Scanned Document Attached

Dear Business Associate:

Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.

You have an important message from Adam_Paul@fiserv.com.
To see your message, use the following password to decrypt attached file: JkSIbsJPPai

If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.

This message will be available until  Saturday Sep 07, 2013 at 17:50:42
EDT4

If you have any questions, please contact your Fiserv representative.

Sincerely,
Your Associates at Fiserv

Additional information about Fiserv Secure E-mail is available by
entering http://www.fiserv.com/secureemail/ into your Web browser and
pressing Enter.


The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached is an encrypted ZIP file (its name contains part of the victim's email address, or that of somebody else in the same domain) that has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47.

The malware then phones home to ce-cloud.com:443 hosted on 84.22.177.37 (ioMart, UK) and then uploads some data [1] [2] [3] [4]. What happens next is unclear, but you can guarantee that it is nothing good.

Blocking access to ce-cloud.com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it.
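
On the "blocking EXE-in-ZIP" suggestion: here is an added Python check (mine, not from the original post) of the kind a mail gateway could run on ZIP attachments. It flags members by executable extension and, where the entry is not encrypted, by the MZ header, which also catches an executable renamed to look like a document. Member names live in the ZIP central directory and are not hidden by standard ZIP password protection, so the extension check still works on a password-protected attachment like the Fiserv one even though its contents cannot be read. The archives are constructed in memory; the member names FSEMC.06092013.exe and Case_0938818_2818.exe are those from the posts above, with dummy contents.

```python
"""Gateway-style check for executables hidden inside ZIP attachments."""
import io
import posixpath
import zipfile

# Extensions Windows will run directly or via a script host.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}. Constructed test data, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(zip_bytes):
    """Return a finding for every member that looks executable.

    Names come from the central directory, which ZIP encryption does not
    protect, so the extension test works even when the entry is encrypted;
    the magic-byte test is skipped for encrypted entries because their data
    cannot be read without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            ext = posixpath.splitext(info.filename)[1].lower()
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if not encrypted:
                with zf.open(info) as fh:
                    if fh.read(len(MZ_MAGIC)) == MZ_MAGIC:
                        reasons.append("MZ header")
            if reasons:
                findings.append({"member": info.filename, "encrypted": encrypted,
                                 "reasons": reasons})
    return findings


def should_quarantine(zip_bytes):
    """Policy: any executable-looking member is enough to hold the message."""
    return bool(inspect_zip(zip_bytes))


# Constructed sample members; the .exe names are those from the posts above.
SAMPLE_MEMBERS = {
    "FSEMC.06092013.exe": MZ_MAGIC + b"\x90" * 62,     # name and magic both say executable
    "Case_0938818_2818.exe": MZ_MAGIC + b"\x00" * 62,
    "notes.txt": MZ_MAGIC + b"\x00" * 30,               # renamed executable: only the magic gives it away
    "report.pdf": b"%PDF-1.4\n% constructed sample\n",  # benign
}

if __name__ == "__main__":
    archive = build_sample_zip(SAMPLE_MEMBERS)
    for finding in inspect_zip(archive):
        print(finding)
    print("quarantine:", should_quarantine(archive))
```

A real gateway would also recurse into nested archives and apply a policy to encrypted entries it cannot inspect at all (many simply hold them), but the two checks shown are what make "EXE-in-ZIP" blocking work against both the plain and the password-protected variants seen above.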

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:

Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus.  Full story >>
Rescuing Hannah Anderson

    Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    No one has claimed responsibility for her death, but police suspect militants
    Banerjee wrote "A Kabuliwala's Bengali Wife" about her escape from the Taliban

The link in the email is meant to go to [donotclick]senior-tek.com/tenth/index.html, but the "Full story" link has a typo in it and goes to senior-tekcom/tenth/index.html (without the dot) instead, which obviously fails. This site then tries to load these three scripts:
[donotclick]crediamo.it/disburse/ringmaster.js
[donotclick]stages2saturn.com/scrub/reproof.js
[donotclick]www.rundherum.at/rabbiting/irritate.js

From there the visitor is sent to a malicious payload at [donotclick]luggagepreview.com/topic/able_disturb_planning.php, which is a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains listed below in italics.

Recommended blocklist:
174.140.171.207
luggagepoint.de
luggagewalla.com
londonleatherusa.com
luggagejc.com
londonleatheronline.com
luggagecast.com
luggage-tv.com
luggagepreview.com
dyweb.info
yesrgood.info
dai-li.info
expopro.info
crediamo.it
stages2saturn.com
www.rundherum.at

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:

Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook
   
Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
    Daren Douglas
1 mutual friends
   
Add Friend
   
    Gertrude Souza
14 mutual friends
   
Add Friend
    Brice Kelly
3 mutual friends
   
Add Friend
   
    Beverly Howard
12 mutual friends
   
Add Friend
    Julia Metz
6 mutual friends
   
Add Friend
   
    Nora Belanger
6 mutual friends
   
Add Friend
View Timeline
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations.com/news/implement-circuit-false.php (report here) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)

The following IPs and domains are all malicious and belong to this gang; I recommend you block them:
66.230.163.86
95.111.32.249
115.78.233.220
194.42.83.60
50plus-login.com
aa.com.reservation.viewfareruledetailsaccess.do.sai-uka-sai.com
achrezervations.com
actiry.com
appsmartsecurity.com
askfox.net
bnamecorni.com
boxbass.com
casualcare.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
certierskieanyofthe23.net
chernigovskievojninua55.net
ciriengrozniyivdd.ru
cirormdnivneinted40.ru
cirriantisationsansidd79.net
crobnivmocanriendi56.net
cyberflorists.su
driversupdate.pw
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihujasebejav15.ru
ehtiebanishkeobprienrt25.net
email.pinterest.com.lacave-enlignes.com
ermitajniedelaincityof40.net
evarse.com
explic.net
facebook.com.achrezervations.com
facebook.com.n.find-friends.lindoliveryct.net
favar.net
ffupdate.pw
germaniavampizdanahuj.net
germetikovskievremie29.net
gggrecheskiysala99.net
giabit.net
gormovskieafrterskioepr30.net
grannyhair.ru
gromoviepechiniegierskie.net
herbergers.com.content.customer-service.laptopsinstalled.net
hotbitscan.com
hyatt.com.reservations.reservation.roccoscollar.net
invoices.ulsmart.net
istatsking.ru
lacave-enlignes.com
liliputttt9999.info
maxichip.com
micnetwork100.com
microsoftstore.com.store.msusa.en_us.displaydownloadhistorypage.kemingpri.com
mirrorsupply.com
molul.com
multiachprocessor.com
musicstudioseattle.net
nacha-ach-processor.com
nvufvwieg.com
oleannyinsurance.net
paypal.com.us.cmd.stjamesang.net
photographysmile.net
photos.walmart.com.orders.stjamesang.net
redsox.com.tickets-service.lindoliveryct.net
smartsecureconnect.com
tickets-service.lindoliveryct.net
tor-connect-secure.com
vineostat.ru
viperestats.ru
vip-proxy-to-tor.com
weekings.com
wingdress.net
www.appsmartsecurity.com
www.facebook.com.achrezervations.com
www.hyatt.com.reservations.reservation.roccoscollar.net
www.nacha.org.multiachprocessor.com
www.nacha-ach-processor.com
www.redsox.com.tickets-service.lindoliveryct.net

Something evil on 37.59.164.209 (OVH)

37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it, indeed almost everything on it is flagged by Google as being malicious (highlighted in the list below). Blocking access to that IP address is the simplest approach as the malicious sites do seem to be in some flux.

Recommended blocklist:
fat-jaguar.info
amazingfingerprint.pingpong-shop.info
androidexclusiveaccepted.soda-waters.info
annesindecisive.ru
antilostprivacystar.soda-waters.info
arrayschamp.pingpong-shop.info
atomicexcelled.pingpong-shop.info
bisnothings.picture-editorsplus.com
bumpyrogue.pingpong-shop.info
cheerskasperskys.get-well-now.info
compilingresolved.get-well-now.info
compositingupfront.soda-waters.info
couponexposes.pingpong-shop.info
defraggingentire.soda-waters.info
designationrim.pingpong-shop.info
dipsisolated.ru
distortstrand.picture-editorsplus.com
droidsreceiver.pingpong-shop.info
errorannouncement.get-well-now.info
experttouserhome.picture-editorsplus.com
fdrsitelets.picture-editorsplus.com
flauntmalwarefighting.ru
fsecurevitas.picture-editorsplus.com
get-well-now.info
jfaxbike.get-well-now.info
karmic-koala.info
kudosphilly.picture-editorsplus.com
laguardiaduly.soda-waters.info
maoctopus.get-well-now.info
meaningsvisor.get-well-now.info
middletierpreventionandcleanup.picture-editorsplus.com
mtvmick.get-well-now.info
mypalmbehaviors.picture-editorsplus.com
nicesoundingextracting.soda-waters.info
noncopyrightprotectedfipscertified.soda-waters.info
nonstopeverconnected.soda-waters.info
offlineclosets.soda-waters.info
pbsearns.get-well-now.info
performgenre.soda-waters.info
pingpong-shop.info
plannerwaiter.get-well-now.info
reopeningphenomenal.pingpong-shop.info
retainedamazoncom.soda-waters.info
satiategb.get-well-now.info
savedtranscodes.soda-waters.info
soda-waters.info
treestructurezeroes.pingpong-shop.info
turbotwisttristate.get-well-now.info
wavelinkswing.pingpong-shop.info
webcontentfaces.ru
www.fat-jaguar.info
xmlbasedautomaticupdate.pingpong-shop.info

certificationthumbtack.job-orders.info
club-sandwich.info
datver.job-orders.info
job-orders.info
mirrorskitschy.job-orders.info
mountain-lion.biz
onion-sauce.com
openglkinectd.job-orders.info
poolseeming.job-orders.info
smallerwebspecific.job-orders.info
trendmicroaddfiletobackup.ru
tweakshunting.job-orders.info

Thursday, 5 September 2013

NACHA spam / nacha-ach-processor.com

This fake NACHA spam (I thought these were out of fashion!) leads to malware on nacha-ach-processor.com:

From:     The Electronic Payments Association - NACHA [leansz35@inbound.nacha.com]
Date:     5 September 2013 17:55
Subject:     Rejected ACH transfer

The ACH transaction (ID: 985284643257), yesterday sent from your account (by one of your account members), was cancelled by the recipient's bank.

Cancelled transaction
ACH ID:     985284643257
Rejection Reason     See additional info in the statement below
Transaction Detailed Report     View Report 985284643257

About NACHA

NACHA occupies a unique role in the association world, serving as both an industry trade association and administrator of Automated Clearing House (ACH) Network. As the industry trade association that oversees the ACH Network, NACHA provides services in three key functional areas:

The NACHA Operating Rules provide the legal foundation for the exchange of ACH payments and ensure that the ACH Network remains efficient, reliable, and secure for the benefit of all participants. In its role as Network administrator, NACHA manages the rulemaking process and ensures that proposed ACH applications are consistent with the Guiding Principles of the ACH Network. The rulemaking process provides a disciplined, well-defined methodology to propose and develop and propose rules amendments to the NACHA voting membership, the decision makers for the NACHA Operating Rules.

NACHA develops and implements a comprehensive, end-to-end risk management framework that includes network entry requirements, ongoing requirements, enforcement, and ACH Operator tools and services. Collectively, the strategy addresses risk and quality in the ACH Network by minimizing unauthorized entries and customer services costs to all Network participants.

14560 Sunny Valley Drive, Suite 204
Herndon, VA 20171

© 2013 NACHA - The Electronic Payments Association
The link in the email goes through a legitimate hacked site and then attempts to direct visitors to [donotclick]www.nacha-ach-processor.com/news/ach-report.php (report here) which is hosted on the following IPs:

66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
194.42.83.60 (Interoute Hosting, UK)

The IPs in use identify it as belonging to what I call the Amerika gang. There are several other malicious domains on these same IPs, and they form part of this larger group of dangerous IPs and domains.

Recommended blocklist:

Facebook spam / kapcotool.com

This fake Facebook spam leads to malware on kapcotool.com:

From:     Facebook [no-reply@facebook.com]
Date:     5 September 2013 15:21
Subject:     Michele Murdock wants to be friends with you on Facebook.

facebook
   
Michele Murdock wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request
         
See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The link in the email uses an obscure URL shortening service to go first to [donotclick]fenixa.com/97855 and then to [donotclick]magic-crystal.ch/normalized/index.html, and at this point it attempts to load the following three scripts:

[donotclick]00398d0.netsolhost.com/mcguire/forgiveness.js
[donotclick]202.212.131.8/ruses/nonsmokers.js
[donotclick]japanesevehicles.us/vector/internees.js

The final step is a malware landing page at [donotclick]kapcotool.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 74.207.227.154 (Linode, US) along with some other hijacked domains listed in italics below.

Recommended blocklist:

Wednesday, 4 September 2013

HSBC spam / Original Copy (Edited).zip

This fake HSBC spam links to a malicious ZIP file:

Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)


Dear Sir/Madam,

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Kindly Accept Our apology On the copy we sent earlier.

1 attachments (total 586 KB)
View slide show (1)
Download all as zip

Yours faithfully,
Global Payments and Cash Management
HSBC


Copyright © HSBC Group 2013. All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.

"SAVE PAPER - THINK BEFORE YOU PRINT!"


The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.

The malware uses various techniques to prevent analysis in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (185.28.21.26, Hostinger International US) which might be worth blocking.

PayPal spam / dshapovalov.info

This fake (and badly formatted) PayPal spam email leads to malware on dshapovalov.info:

Date:      Wed, 4 Sep 2013 08:33:25 -0500 [09:33:25 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      History of transactions #PP-011-538-446-067

ID

Transaction: { figure } {SYMBOL }

On your account malicious activity , for 1 hour was filmed around $ 100 , in small amounts In order to avoid blocking the account you need to go in. Authenticate Now

Sincerely, Services for protection

Department

PayPal does not tolerate fraud or illegal activities. Your complaint It was noted in the minutes of PayPal user you reported . If we find that This user has violated our policies , we will investigate and take appropriate action. In this case , you can contact in the future status this complaint.

To ensure that future transactions proceed smoothly, we suggest you visit PayPal site and click the Security Center link located at the top of any page. There you will find tips on how to avoid scammers " Fraud Prevention Tips for Buyers " section.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance , log in to your PayPal account and click the Help link in the upper right corner of any page PayPal.

Copyright © 1999-2013 PayPal. All rights reserved.

PPID PP {DIGIT } The history of monetary transactions 

The link in the email goes through a URL shortening service at [donotclick]url7.org/KRh - one annoying feature with this service is that you have to click through a form to get the link, so it isn't easy to see where you are going to land. In this case it is [donotclick]184.168.56.23/observatories/index.html and then it runs one of the following three scripts:
[donotclick]81.143.33.169/garrotting/rumples.js
[donotclick]northeastestateagency.co.uk/queues/relaxes.js
[donotclick]mineralmizer.webpublishpro.com/peps/dortmund.js

From there, the victim is sent to a hijacked GoDaddy domain at [donotclick]dshapovalov.info/topic/able_disturb_planning.php hosted on 192.81.134.241 (Linode, US) which is the same server used in this attack. There are other hijacked GoDaddy domains on the same server (listed below in italics).

Recommended blocklist:

Something is very wrong with Gandi US (AS29169 / 173.246.96.0/20)

Recently I have been suggesting that readers block quite a few individual IPs at Gandi in the US, but I hadn't noticed exactly how many until a couple of days ago.

The problem seems to exist in the 173.246.96.0/20 block of AS29169 (173.246.96.0 - 173.246.111.255), a range of IP addresses that houses very many legitimate domains. Unfortunately, it also houses several malicious servers in the 173.246.102.0/24, 173.246.103.0/24 and 173.246.104.0/24 ranges, alongside legitimate sites.

First of all, let's look at the warnings I have given about this IP range just in this blog alone (ignoring all external sources):


173.246.101.146 - CNN "Harrison Ford" spam / 173.246.101.146 and fragrancewalla.com
173.246.102.2 - Malware sites to block 7/3/13
173.246.102.223 - Citi Cards spam / 6.bbnface.com and 6.mamaswishes.com
173.246.102.246 - Something evil on 173.246.102.246
173.246.103.26 - ADP spam / 14.sofacomplete.com
173.246.103.59 - Malware sites to block 23/11/12
173.246.103.112 - Malware sites to block 22/11/12
173.246.103.124 - Malware sites to block 23/11/12
173.246.103.184 - Malware sites to block 23/11/12
173.246.104.104 - Something evil on 173.246.104.104
173.246.104.136 - CNN "Angelina Jolie tops list of highest-paid actresses" spam / deltadazeresort.net
173.246.104.154 - Something evil on 173.246.104.154
173.246.104.184 - PayPal spam / londonleatheronline.com
173.246.104.21 - Malware sites to block 23/11/12
173.246.104.55 - "INCOMING FAX REPORT" spam / chellebelledesigns.com
173.246.105.15 - eFax / jConnect spam and eliehabib.com
173.246.106.150 - "Scan from a Xerox WorkCentre" spam / Scan_06122013_29911.zip


So, curious about how bad the situation was, I went off to identify the servers currently hosting malware in this range.

That's quite a concentration of badness. You can see a full list of the malicious domains, WOT ratings, Google prognosis and SURBL codes here [csv]. There's a plain list of domains at the end of the post for copy-and-pasting.


Now, normally I would recommend blocking at least a /24 when dealing with this level of badness, but as this overview of the /20 shows [csv], there are a load of legitimate sites interspersed with the malware. Of course, you may want to block chunks of this IP range anyway and live with the collateral damage. If you are hosted in this range then I suggest it is time to look for a new host.



Over the past 12 months there have been at least 25 malware servers in this block, with 173.246.102.0/24 hosting 5, 173.246.103.0/24 hosting 8 and 173.246.104.0/24 hosting 9. Something must be seriously wrong at Gandi to allow this to happen.

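The /24-versus-/20 trade-off above, worked through as an added example (not code from this blog): count flagged servers per /24 inside the 173.246.96.0/20 block and weigh them against known-good hosts in the same /24 before deciding what to block. The sample addresses and the blocking policy are constructed; only the parent block comes from the post.

```python
"""Measure how malware servers cluster inside a hosting block.

Added example, not code from the original post. It takes IPs flagged as
malware servers plus IPs known to host legitimate sites, counts hits per /24
inside the parent /20 discussed in the post, and estimates the collateral
damage of blocking each /24 rather than individual addresses. The sample
addresses and the blocking policy below are constructed for illustration;
only the parent block comes from the post.
"""
import ipaddress
from collections import Counter

# The block discussed in the post (Gandi US, AS29169).
PARENT_BLOCK = ipaddress.ip_network("173.246.96.0/20")

# Constructed sample data, not the post's lists: flagged malware servers
# (one is outside the block to show it is ignored) and known-good hosts.
FLAGGED = [
    "173.246.102.10", "173.246.102.77",
    "173.246.103.5", "173.246.103.40", "173.246.103.201",
    "173.246.104.9", "173.246.104.66", "173.246.104.130", "173.246.104.200",
    "173.246.99.14",
    "198.51.100.7",  # outside the /20, must not be counted
]
LEGITIMATE = [
    "173.246.102.33",
    "173.246.103.120", "173.246.103.121",
    "173.246.104.70",
    "173.246.99.1", "173.246.99.2", "173.246.99.3", "173.246.99.4",
]


def per_subnet(ips, prefix=24):
    """Count how many of `ips` fall into each /prefix subnet of PARENT_BLOCK.

    Addresses outside the parent block are ignored, so the result only
    describes the hosting range under investigation.
    """
    counts = Counter()
    for raw in ips:
        ip = ipaddress.ip_address(raw)
        if ip in PARENT_BLOCK:
            counts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return counts


def collateral_report(flagged, legitimate, prefix=24):
    """Return one row per subnet that contains a flagged host.

    Each row is (subnet, flagged_count, legitimate_count, recommendation).
    The recommendation uses a constructed policy: block the whole subnet
    only when flagged hosts outnumber the known-good ones, otherwise block
    the individual IPs and accept no collateral damage.
    """
    bad = per_subnet(flagged, prefix)
    good = per_subnet(legitimate, prefix)
    rows = []
    for net in sorted(bad):
        b, g = bad[net], good[net]
        action = "block subnet" if b > g else "block individual IPs"
        rows.append((str(net), b, g, action))
    return rows


def main():
    total = sum(per_subnet(FLAGGED).values())
    print(f"{total} flagged servers inside {PARENT_BLOCK}")
    for net, b, g, action in collateral_report(FLAGGED, LEGITIMATE):
        print(f"{net}: {b} flagged, {g} known-good -> {action}")


if __name__ == "__main__":
    main()
```
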

Recommended blocklist:

Something evil on 174.140.168.239

The server at 174.140.168.239 (DirectSpace Networks LLC, US) is currently hosting a large number of hijacked GoDaddy domains and is being used to distribute malware [1] [2] [3].

It looks like this server has been active for a couple of months and has been used for a variety of evil purposes. I strongly recommend blocking the following:

Facebook spam / watchfp.net

All this malware-laden Facebook spam is boring. Here's another one, leading to a malicious payload on watchfp.net:

Date: Tue, 3 Sep 2013 11:37:14 -0700 [14:37:14 EDT]
From: Facebook [notification+zrdohvri=vd1@facebookmail.com]
Subject: Blake Miranda tagged 5 photos of you on Facebook

facebook

Blake Miranda added 5 photos of you.
See photos

Go to notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

Blake is pretty feminine looking for a bloke:

The photograph is stolen from the website of Ashot Gevorkyan [some pictures perhaps nsfw] who has quite a nice portfolio. Anyway, the link in the email uses a shortening service:

[donotclick]u.to/r05nBA which goes to
[donotclick]www.rosenberger-kirwa.de/triassic/index.html which loads one of the following:
[donotclick]safbil.com/stashed/flout.js
[donotclick]ftp.spectrumnutrition.ca/sunscreens/copping.js
[donotclick]schornsteinfeger-helmste.de/covetously/turk.js


The final step is that the victim ends up on a malware landing page at [donotclick]watchfp.net/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 192.81.134.241 (Linode, US) along with some other hijacked domains listed in italics below. The attack is characteristic of the ThreeScripts series of malicious spam emails.

Recommended blocklist:
192.81.134.241
watchfp.org
watchfp.mobi
watchfp.net

safbil.com
ftp.spectrumnutrition.ca
schornsteinfeger-helmste.de

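The ThreeScripts chain described above (and in the kapcotool.com, dshapovalov.info, londonleatheronline.com and london-leather.com posts) is easy to spot in web proxy logs once you know its shape. This is an added detection example, not code from this blog: it replays constructed proxy log lines per client and alerts on the known landing path or on the generic index.html -> several third-party .js -> .php sequence. Log format, hostnames (all under .example) and client addresses are constructed; only the landing path comes from the posts.

```python
"""Flag the ThreeScripts redirection chain in web proxy logs.

Added example, not code from the original post. The chain the posts
describe is: URL shortener -> compromised site serving .../index.html ->
three .js files fetched from three other compromised hosts -> landing page
/topic/able_disturb_planning.php on a hijacked domain. This detector replays
proxy log lines per client and raises an alert when it sees either the
known landing path or the generic shape of the chain. The log format, the
hostnames (all under .example) and the client addresses are constructed;
only the landing path comes from the posts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Landing path common to the ThreeScripts posts.
LANDING_PATH = "/topic/able_disturb_planning.php"

# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*)? (?P<status>\d{3})$"
)

# Constructed sample log: client 10.0.0.5 walks the full chain, client
# 10.0.0.9 is an ordinary visit that loads one script from a CDN.
SAMPLE_LOG = """\
2013-09-03T14:37:20 10.0.0.5 GET http://short.example/abc123 302
2013-09-03T14:37:21 10.0.0.5 GET http://hacked-site.example/triassic/index.html 200
2013-09-03T14:37:22 10.0.0.5 GET http://js-host-a.example/one.js 200
2013-09-03T14:37:22 10.0.0.5 GET http://js-host-b.example/two.js 200
2013-09-03T14:37:23 10.0.0.5 GET http://js-host-c.example/three.js 200
2013-09-03T14:37:25 10.0.0.5 GET http://hijacked.example/topic/able_disturb_planning.php 200
2013-09-03T14:40:00 10.0.0.9 GET http://news.example/index.html 200
2013-09-03T14:40:01 10.0.0.9 GET http://cdn.example/lib/jquery.js 200
2013-09-03T14:40:02 10.0.0.9 GET http://news.example/article.php 200
"""


def parse_log(text):
    """Parse constructed proxy lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "host": m["host"].lower(),
            "path": m["path"] or "/",
        })
    return events


def detect(events, window_seconds=60, min_scripts=2):
    """Return alerts as (client, landing_url, [reasons]) sorted by client.

    Rule 1: any request for the known landing path, whatever the host.
    Rule 2: an index.html on host A, then at least `min_scripts` .js files
    from hosts other than A, then a .php on a host that is neither A nor a
    script host, all within `window_seconds` of the index.html request.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    found = defaultdict(set)  # (client, landing_url) -> reasons
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            url = ev["host"] + ev["path"]
            if ev["path"] == LANDING_PATH:
                found[(client, url)].add("known landing path")
            if not ev["path"].endswith("/index.html"):
                continue
            deadline = ev["ts"] + timedelta(seconds=window_seconds)
            script_hosts = set()
            for nxt in evs[i + 1:]:
                if nxt["ts"] > deadline:
                    break
                if nxt["path"].endswith(".js") and nxt["host"] != ev["host"]:
                    script_hosts.add(nxt["host"])
                elif (nxt["path"].endswith(".php")
                      and len(script_hosts) >= min_scripts
                      and nxt["host"] not in (script_hosts | {ev["host"]})):
                    found[(client, nxt["host"] + nxt["path"])].add("three-scripts chain")
                    break
    return [(client, url, sorted(reasons))
            for (client, url), reasons in sorted(found.items())]


def main():
    for client, url, reasons in detect(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {url}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

Rule 2 deliberately ignores a .php served by the same site as the index.html or by one of the script hosts, which is why the ordinary news.example visit in the sample produces no alert.
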
Tuesday, 3 September 2013

PayPal spam / londonleatheronline.com

This fake PayPal spam leads to malware on londonleatheronline.com:

Date:      Tue, 3 Sep 2013 09:43:09 +0400 [01:43:09 EDT]
From:      PayPal [service@int.paypal.com]
Subject:      Identity Issue #PP-716-472-864-836

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to verification@paypal.com along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill ).
For more details please see on the page View all details

Your case ID for this reason is PP-U3PR33YIL8AV

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE:

This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (PayPal , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You

PayPal Email ID PP53161

The link in the email goes to a legitimate hacked site and then loads one of these three scripts:
[donotclick]ftp.casacalderoni.com/liquids/pythias.js
[donotclick]tuviking.com/trillionth/began.js
[donotclick]walegion.comcastbiz.net/wotan/reuses.js

These scripts then try to deliver the victim to a malicious payload at [donotclick]londonleatheronline.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which is the same server as used in this attack, along with a number of other hijacked domains which are listed in italics below.

Recommended blocklist:

Monday, 2 September 2013

MONK spam tries to profit from WAR threat

The MONK (Monarchy Resources Inc) pump-and-dump spam continues. This time though, the spammers are trying to capitalise on the threat of war in the Middle East:

From:     belova04@jeel.com
Date:     2 September 2013 17:32
Subject:     This Stock just released Big News!

Are you interested in enriching yourself by means of war? It`s the very
time to do it! As soon as the first bombs get to the earth in Syria,
stone oil prices will move up the same as MONARCHY RESOURCES INC
(M-ON_K) share price. Go make money on Mon, Sep 2, 2013, get M-ON_K
shares!!!
As previously discussed, the stock price for this company has tanked and is unlikely to get any better. If you attempt to do some war profiteering on this stock then you will lose out, and frankly you won't get any sympathy from me.

Here are some other variants of the same scummy email:

You can make money on war!!! It`s right time to make it. The
moment the first rockets descend to Syria, oil prices will
rise the same as MONARCHY RESOURCES INC. (M O N_K) bond
price!!! Begin earning profits on Monday, September 02, 2013,
grab M O N_K shares.

It`s your turn to make money on war! It`s the very time to make it.
As soon as the first bombs touch the ground in Syria, black gold
prices will skyrocket as well as MONARCHY RESOURCES, INC (M-O-N K)
bond price. Start making money on Mon, Sep 02, 2013, get M-O-N K
shares.

There is a real opportunity to make money on war. It`s right time to
do it!!! As soon as the first bombs touch the ground in Syria, petrol
prices will move up just as Monarchy Resources, Inc (M-O_NK) bond
price. Start making money on Sep 2nd, grab M-O_NK shares!

Do you want to earn money on war? It`s the very time to realize
your plans! Just as the first bombs get to the earth in Syria,
oil prices will move up as well as Monarchy Resources, Inc
(MO-NK) share price! Go make profits on Sep 2nd, grab MO-NK
shares!!!

Facebook spam / london-leather.com

This fake Facebook spam leads to malware on london-leather.com:

Date:      Mon, 2 Sep 2013 19:59:52 +0300 [12:59:52 EDT]
From:      Facebook [update+hiehdzge@facebookmail.com]
Subject:      Victoria Carpenter commented on your status

facebook
Hello,
Victoria Carpenter commented on your status.
Victoria wrote: "so cute;)"

Go to comments

Reply to this email to comment on this status.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

In this case the link in the spam appears to use some sort of URL shortening service, first going to [donotclick]jdem.cz/5xxb8 then [donotclick]93.93.189.108/exhortation/index.html where it attempts to load one of the following three scripts:
[donotclick]codebluesecuritynj.com/mummifies/stabbed.js
[donotclick]mobileforprofit.net/affected/liberal.js
[donotclick]tuviking.com/trillionth/began.js

These scripts in turn direct the visitor to a malicious payload site at [donotclick]london-leather.com/topic/able_disturb_planning.php which is a hijacked GoDaddy domain hosted on 173.246.104.184 (Gandi, US) which hosts a number of malicious domains, also hijacked from GoDaddy and listed in italics below.

Recommended blocklist:

Malware sites to block 2/9/13

These IPs and domains are associated with this gang and should all be considered as malicious. This list follows on from this earlier one.
