
Tuesday, 10 September 2013

Are top porn sites still riddled with malware?

Back in April I wrote an article about how several top porn sites were having issues with malware. An apparent infection at xvideos.com (link is a little NSFW) led me to look at the Google malware results for the past 90 days again.

I started with a list of sites in the top 1000 sites globally according to data at Alexa.com (a few have dropped out of the top 1000 since I collated the data set) and also used the Alexa data to work out the average number of daily pageviews per user. The next step was to look at Google's data on the number of infected pages and the total number of pages on the site, noting the date of last infection. From that I could work out an "infection likelihood" which is the probability of an average visitor coming into contact with malware during the period the site was infected.

What was surprising was just how clean these sites are looking (well, from a malware perspective). Last time some of the biggest sites had hundreds of pages infected, and now they appear to have virtually none. I've highlighted everything above 1% in red, but note that the "riskiest" site (largeporntube.com) has been clean for a couple of months.
 
The results of my analysis are as follows:


Rank | Domain | Pageviews / User | Total pages | Infected | Date of last infection | Infection rate | Infection likelihood
38 | xvideos.com | 11.7 | 89427 | 0 |  | 0.00% | 0.00%
51 | xhamster.com | 10 | 11356 | 1 | 2013-07-01 | 0.01% | 0.09%
66 | pornhub.com | 5.6 | 6235 | 0 |  | 0.00% | 0.00%
88 | xnxx.com | 9.5 | 26082 | 0 |  | 0.00% | 0.00%
95 | redtube.com | 5 | 9189 | 0 |  | 0.00% | 0.00%
99 | youporn.com | 5.6 | 1675 | 0 |  | 0.00% | 0.00%
103 | livejasmin.com | 2.4 | 502 | 0 |  | 0.00% | 0.00%
162 | tube8.com | 3.9 | 12697 | 0 |  | 0.00% | 0.00%
169 | youjizz.com | 4.7 | 1385 | 0 |  | 0.00% | 0.00%
227 | hardsextube.com | 3.3 | 71817 | 0 |  | 0.00% | 0.00%
268 | dmm.co.jp | 9.2 | 1245 | 0 |  | 0.00% | 0.00%
275 | beeg.com | 4.9 | 873 | 0 |  | 0.00% | 0.00%
326 | motherless.com | 14.8 | 3196 | 4 | 2013-06-24 | 0.13% | 1.84%
393 | drtuber.com | 2.8 | 1420 | 0 |  | 0.00% | 0.00%
438 | myfreecams.com | 4 | 148 | 0 |  | 0.00% | 0.00%
453 | cam4.com | 6.3 | 889 | 0 |  | 0.00% | 0.00%
462 | adultfriendfinder.com | 7.8 | 241 | 0 |  | 0.00% | 0.00%
464 | bravotube.net | 2.6 | 1098 | 0 |  | 0.00% | 0.00%
502 | ixxx.com | 3.4 | 438 | 5 | 2013-09-05 | 1.14% | 3.83%
528 | chaturbate.com | 14.7 | 2725 | 0 |  | 0.00% | 0.00%
578 | nuvid.com | 2.8 | 884 | 0 |  | 0.00% | 0.00%
588 | spankwire.com | 3.3 | 1182 | 0 |  | 0.00% | 0.00%
591 | porntube.com | 2.9 | 734 | 0 |  | 0.00% | 0.00%
595 | pornerbros.com | 1.9 | 946 | 1 |  | 0.11% | 0.20%
607 | largeporntube.com | 3.2 | 5750 | 160 | 2013-07-20 | 2.78% | 8.63%
676 | yourlust.com | 2.7 | 1224 | 0 |  | 0.00% | 0.00%
697 | 4tube.com | 4.3 | 1337 | 0 |  | 0.00% | 0.00%
699 | keezmovies.com | 3 | 669 | 0 |  | 0.00% | 0.00%
707 | pornhublive.com | 2.3 | 30 | 0 |  | 0.00% | 0.00%
768 | xhamstercams.com | 1.8 | 5 | 0 |  | 0.00% | 0.00%
780 | h2porn.com | 1.8 | 2193 | 1 |  | 0.05% | 0.08%
800 | 4chan.org | 26.7 | 218 | 0 |  | 0.00% | 0.00%
804 | video-one.com | 13.7 | 1143 | 0 |  | 0.00% | 0.00%
825 | xtube.com | 12.1 | 805 | 0 |  | 0.00% | 0.00%
830 | sunporno.com | 2.7 | 360 | 0 |  | 0.00% | 0.00%
848 | porn.com | 4 | 1281 | 0 |  | 0.00% | 0.00%
864 | perfectgirls.net | 5.4 | 1958 | 5 | 2013-09-05 | 0.26% | 1.37%
883 | nudevista.com | 8.7 | 2088 | 1 | 2013-08-03 | 0.05% | 0.42%
931 | redtubelive.com | 2.8 | 33 | 0 |  | 0.00% | 0.00%
942 | alphaporno.com | 1.9 | 10472 | 32 | 2013-07-21 | 0.31% | 0.58%
1065 | videosexarchive.com | 3.8 | 5183 | 0 |  | 0.00% | 0.00%
1238 | hellporno.com | 3 | 331 | 0 |  | 0.00% | 0.00%
1382 | watchmygf.com | 1.3 | 11 | 0 |  | 0.00% | 0.00%
1806 | ah-me.com | 2.7 | 235 | 0 |  | 0.00% | 0.00%

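As an added example (not code from the original post), here is how the two derived columns can be computed from the raw Google and Alexa figures. The likelihood formula 1 - (1 - rate)^pageviews is my assumption, chosen because it reproduces every non-zero row of the table above to two decimal places; the rows embedded below are copied from that table.

```python
# Added example, not from the original post: reproduce the "infection rate" and
# "infection likelihood" columns from the raw figures. The likelihood formula is
# an assumption: each pageview is treated as an independent draw from the site's
# pages, so a visitor making n pageviews avoids every infected page with
# probability (1 - rate)**n. It matches every non-zero row of the table above.

# Subset of rows copied from the table: (rank, domain, pageviews/user,
# total pages, infected pages, date of last infection or "").
ROWS = [
    (51,  "xhamster.com",      10.0,  11356,   1, "2013-07-01"),
    (326, "motherless.com",    14.8,   3196,   4, "2013-06-24"),
    (502, "ixxx.com",           3.4,    438,   5, "2013-09-05"),
    (595, "pornerbros.com",     1.9,    946,   1, ""),
    (607, "largeporntube.com",  3.2,   5750, 160, "2013-07-20"),
    (780, "h2porn.com",         1.8,   2193,   1, ""),
    (864, "perfectgirls.net",   5.4,   1958,   5, "2013-09-05"),
    (883, "nudevista.com",      8.7,   2088,   1, "2013-08-03"),
    (942, "alphaporno.com",     1.9,  10472,  32, "2013-07-21"),
    (38,  "xvideos.com",       11.7,  89427,   0, ""),
    (768, "xhamstercams.com",   1.8,      5,   0, ""),
]


def infection_rate(total_pages, infected):
    """Fraction of the site's indexed pages that Google flagged as infected."""
    if total_pages <= 0:
        return 0.0                      # no indexed pages: nothing to be infected
    return min(infected, total_pages) / total_pages


def infection_likelihood(rate, pageviews_per_user):
    """Probability that a visitor making pageviews_per_user pageviews (an Alexa
    average, so possibly fractional) hits at least one infected page while the
    infection lasts: the complement of avoiding every infected page."""
    return 1.0 - (1.0 - rate) ** pageviews_per_user


def analyse(rows=ROWS):
    """Return one dict per row with the two derived columns as fractions."""
    out = []
    for rank, domain, pv, total, infected, date in rows:
        rate = infection_rate(total, infected)
        out.append({
            "rank": rank, "domain": domain, "pageviews": pv,
            "total": total, "infected": infected, "date": date,
            "rate": rate, "likelihood": infection_likelihood(rate, pv),
        })
    return out


def risky_sites(rows=ROWS, threshold=0.01):
    """Domains whose infection likelihood exceeds threshold (the post's 1%
    cut-off), most likely first. This ignores the last-infection date, so a
    site that has since been cleaned up (largeporntube.com) still appears."""
    flagged = [r for r in analyse(rows) if r["likelihood"] > threshold]
    return [r["domain"] for r in sorted(flagged, key=lambda r: -r["likelihood"])]


def pct(x):
    return f"{100 * x:.2f}%"


if __name__ == "__main__":
    print(f"{'Domain':<20}{'Rate':>10}{'Likelihood':>12}")
    for r in analyse():
        print(f"{r['domain']:<20}{pct(r['rate']):>10}{pct(r['likelihood']):>12}")
    print("above 1%:", ", ".join(risky_sites()))
```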
So, what is going on? Have these sites cleaned up their act? Well, it certainly looks like there has been an improvement (despite the reported infection at xvideos.com above). 

Over 46,000 people looked at my previous blog post on the topic, and it was covered by some major news outlets [1] [2] [3] [4] [5]. Reaction was varied, and many porn site operators flatly denied the problem despite the Google statistics indicating otherwise.

So perhaps shining a light on the problem helped to clean it up. Perhaps the spike in malware was a temporary glitch. Perhaps the malware operators are better at hiding what they are doing. I suspect that it is a combination of all three.


Despite the apparent cleanup of these sites, my advice is that you still need to exercise caution. It is very important to make sure that your system is fully patched (you can use Secunia OSI to check if you have a Windows PC), and a combination of Firefox + NoScript is very good at locking down your browser (note that this isn't really for novices). Logging in as something other than an administrator can also help to reduce the impact of malware, and of course a good and up-to-date anti-virus or security package is essential. In addition, Google's Chrome browser is pretty good at picking up malicious sites, and the most dangerous browser to use tends to be Internet Explorer. And if you have Sun's Java platform installed on your system I would strongly recommend that you remove it, as that is currently the most popular way of getting your machine infected.

BBB Spam / Case_0938818_2818.exe

This fake BBB spam has a malicious attachment:

Date:      Tue, 10 Sep 2013 15:07:14 +0100 [10:07:14 EDT]
From:      Better Business Bureau [Aldo_Austin@newyork.bbb.org]
Subject:      FW: Case IN11A44X2WCP44M

The Better Business Bureau has received the above-referenced complaint from one of your
customers regarding their dealings with you. The details of the consumer's concern are
included on the reverse. Please review this matter and advise us of your position.

As a neutral third party, the Better Business Bureau can help to resolve the matter.
Often complaints are a result of misunderstandings a company wants to know about and
correct.

In the interest of time and good customer relations, please provide the BBB with written
verification of your position in this matter by September 13, 2013. Your prompt response
will allow BBB to be of service to you and your customer in reaching a mutually agreeable
resolution. Please inform us if you have contacted your customer directly and already
resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across
the United States and Canada . This information is available to the public and is
frequently used by potential customers. Your cooperation in responding to this complaint
becomes a permanent part of your file with the Better Business Bureau. Failure to
promptly give attention to this matter may be reflected in the report we give to
consumers about your company.

We encourage you to print this complaint (attached file - Case_IN11A44X2WCP44M), answer
the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,
Aldo_Austin
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201 
Attached to the message is a ZIP file Case_IN11A44X2WCP44M.zip which in turn contains an executable Case_0938818_2818.exe which has a shockingly low detection rate of just 1/46 at VirusTotal.

Automated analysis of the malware is inconclusive [1] [2] [3] [4], but it does generate outbound traffic to kwaggle.com on port 443 at 64.50.166.122 (Lunar Pages, US). The domain thisisyourwife.co.uk on the same server is also hosting malware, so I would be suspicious of some of the other sites on the same box.

Recommended blocklist:
64.50.166.122
kwaggle.com
thisisyourwife.co.uk

ACH file ID "999.107" has been processed successfully spam / www.fiscdp.com.airfare-ticketscheap.com

This fake FISC ACH spam leads to malware on www.fiscdp.com.airfare-ticketscheap.com:

Date:      Tue, 10 Sep 2013 17:05:49 +0530 [07:35:49 EDT]
From:      Financial Institution Service [improvehv89@m.fiscdp.gov]
Subject:      ACH file ID "999.107"  has been processed successfully

Files FISC Processing Service

SUCCESS Notification
We have successfully handled ACH file 'ACH2013-09-09-62.txt' (id '999.107') submitted by user '[redacted]' on '2013-09-09 12:06:67.7'.
FILE SUMMARY:
Item count: 9
Total debits: $13,365.83
Total credits: $13,365.83

To find out more information   browse this link

The link in the email goes to a legitimate hacked site and then on to a malware landing page at [donotclick]www.fiscdp.com.airfare-ticketscheap.com/news/opens_heads_earlier.php (reports here and here) hosted on:
66.230.163.86 (Goykhman And Sons LLC, US)
95.87.1.19 (Trakia Kabel OOD , Bulgaria)
174.142.186.89 (iWeb Technologies)

The WHOIS details for airfare-ticketscheap.com are fake and the domain was registered just yesterday:
      LORIANN PERKINS
      8125 MANITOBA ST.
      PALYA DEL MAR, CA 90293
      US
      Phone: +1.7607224337
      Email: mybigben56@yahoo.com


The IPs in use indicate that this campaign forms part of the Amerika spam run. Several other malicious sites are on the same server, and I would recommend that you block the following in conjunction with this list:


Monday, 9 September 2013

ygregistry.org domain scam

These Chinese domain scammers never give up; this scam has been seen several times before [1] [2] [3] [4].

From:     Jim Bing [jim.bing@ygregistry.org]
Date:     9 September 2013 14:32
Subject:     Regarding "[redacted]" Cn domain name and Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration and dispute internationally in China.
We received an application from Huaxiang Ltd on September 7, 2013. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistry.org
The whole thing is a fraud. Nobody in China is trying to register your domain name, and in any case registrars are not responsible for checking. They are simply trying to make you panic and buy an overpriced domain that you do not need and will never use.

Malware sites to block 9/9/13, part II

Another set of IPs and domains related to this attack detailed by Sophos, and overlapping slightly with the malicious servers documented here.

I've just listed the main domains, but the attack itself uses thousands of subdomains (e.g. zwgaf72d4erv7g.www5.tohk5ja.cc) to do evil things.
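Added example (not code from the original post): a hostname check that matches on label boundaries up to the registered domain, so that a single blocklist entry such as tohk5ja.cc covers every one of those generated subdomains, and a substring look-alike is not blocked by mistake. The blocklist entries are taken from this page; the sample hostnames are constructed.

```python
# Added example, not from the original post: check a hostname against a
# blocklist of parent domains. The throwaway subdomains mentioned above
# (zwgaf72d4erv7g.www5.tohk5ja.cc) and the brand-impersonating hostnames seen
# elsewhere on this page (www.facebook.com.achrezervations.com) are all caught
# by one entry for the registered domain. Matching walks label by label and
# never uses substrings, so "xbo0keego.cc" does not match "bo0keego.cc".
BLOCKLIST = {"tohk5ja.cc", "bo0keego.cc", "queiries.su", "achrezervations.com"}


def normalise(hostname):
    """Lower-case and strip whitespace and a trailing dot, both of which a
    hostname pulled from a proxy log or a URL often carries."""
    return hostname.strip().lower().rstrip(".")


def matching_entry(hostname, blocklist=BLOCKLIST):
    """Return the blocklist entry covering hostname (the name itself or any
    parent domain), or None. Candidates run from the full name up to the TLD."""
    labels = normalise(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def is_blocked(hostname, blocklist=BLOCKLIST):
    return matching_entry(hostname, blocklist) is not None


# Constructed sample of host fields as they might appear in a proxy log.
SAMPLE_HOSTS = [
    "zwgaf72d4erv7g.www5.tohk5ja.cc",        # generated subdomain from the post
    "WWW.facebook.com.achrezervations.com.",  # brand look-alike, odd case, trailing dot
    "xbo0keego.cc",                           # contains an entry as a substring only
    "bo0keego.cc",
    "www.example.com",                        # benign
]


def triage(hosts=SAMPLE_HOSTS, blocklist=BLOCKLIST):
    """Map each host to the entry that blocks it, or None."""
    return {h: matching_entry(h, blocklist) for h in hosts}


if __name__ == "__main__":
    for host, entry in triage().items():
        print(f"{'BLOCK' if entry else 'allow':<6} {host:<42} {entry or ''}")
```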

46.20.36.9 (Syslayer.com, Germany)
74.63.229.252 (Limestone Networks / 123systems Solutions, US)
77.81.244.226 (Elvsoft SRL, Netherlands)
173.243.118.198 (Continuum Data Centers, US)
198.52.243.229 (Centarra Networks, US)
199.188.206.183 (Namecheap Inc, US)
206.72.192.31 (Interserver Inc, US)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)

Blocklist:

Malware sites to block 9/9/13

These domains and IPs are associated with this gang; this list supersedes (or complements) the one I made last week.

1.209.108.29 (BORANET, Korea)
24.173.170.230 (Time Warner Cable, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
74.63.233.79 (Limestone Networks Inc / 123Systems Solutions, US)
74.207.231.42 (Linode, US)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
95.242.252.26 (Telecom Italia, Italy)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
111.93.115.216 (Tata Teleservices, India)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
130.63.110.159 (York University, Canada)
140.116.72.75 (TANET, Taiwan)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
148.204.64.107 (Instituto Politecnico Nacional, Mexico)
173.254.250.218 (OC3 Networks, US)
184.23.8.7 (Sonic.net, US)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
190.145.25.126 (Telmex Colombia, Colombia)
190.152.149.85 (Consejo De Participacion Ciudadana Y Control Soci, Ecuador)
192.241.199.191 (Digital Ocean, US)
194.42.83.60 (Interoute Communications, UK)
194.158.4.42 (Interoute Communications, France)
198.224.81.54 (AT&T, US)
199.115.228.213 (VolumeDrive, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.69.42.50 (Bay Area Video Coalition, US)
208.180.134.20 (Suddenlink Communications, US)
212.169.49.234 (Claranet, UK)
213.156.91.110 (Ukrainian Special Systems Network, Ukraine)
222.35.102.133 (China TieTong Telecommunications Corporation, China)
223.30.27.251 (Sify Limited, India)


Saturday, 7 September 2013

Dealerbid.co.uk "Quotation.zip" spam with malicious VBS script

The website dealerbid.co.uk has been compromised and its servers hacked in order to send spam to its customer list. Something similar happened a few months ago.

In this case the spam email was somewhat mangled, but I am assuming that the spammers know how to fix this. The spam email is as follows:

From:     Christopher Rawson [christopher.r@kema.com]
Date:     7 September 2013 14:04
Subject:     Quotation

Hello,

We have prepared a quotation, please see attached

With Kind Regards,
Christopher Rawson,
DNV KEMA Energy & Sustainability,

DNV KEMA is a real, legitimate company in the energy sector. But they did not send the spam: an examination of the headers shows that the sending IP is 213.171.204.75, which is the same IP as www.dealerbid.co.uk and mail.dealerbid.co.uk. The email was sent to an address ONLY used to register at dealerbid.co.uk. So, the upshot is that this domain is compromised, and it is compromised right now.

The email is meant to have an attachment called Quotation.zip but in my sample the email was mis-formatted and instead the Base 64 encoded ZIP file was in the main body text, starting thus:

UEsDBBQAAAAIAGiQJENXc/
KQmRoAACj9AQANAAAAUXVvdGF0aW9uLnZic+1dS3PcOJK+K0L/QeHD
Some copy-and-pasting and work with a Base 64 decoder produced a valid ZIP file containing a somewhat obfuscated VBS script, Quotation.vbs, with a low VirusTotal detection rate of 4/46.
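Added example, not code from the original post: a small Python triage script that does the copy-and-paste-and-decode step described above automatically and lists the ZIP's members with their SHA-256 hashes (for a VirusTotal lookup) without running anything. The message it works on is constructed, and the Quotation.vbs inside it is a harmless placeholder, not the real script.

```python
# Added example, not from the original post: recover an attachment that a
# mangled message dumped into its body as raw base64 (as happened with
# Quotation.zip above) and triage it without running anything: find the base64
# run, decode it, check for the ZIP signature, and list the members with their
# SHA-256. The message is constructed; its Quotation.vbs is a placeholder.
import base64
import hashlib
import io
import zipfile

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
PLACEHOLDER_VBS = b'MsgBox "constructed placeholder, not the real script"\r\n'


def build_sample_message():
    """Constructed stand-in for the mangled spam: headers, text, then the base64
    of a ZIP wrapped at 76 columns where the attachment should have been."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Quotation.vbs", PLACEHOLDER_VBS)
    b64 = base64.b64encode(buf.getvalue()).decode()
    wrapped = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return ("Subject: Quotation\n\nHello,\n\n"
            "We have prepared a quotation, please see attached\n\n"
            + wrapped + "\n\nWith Kind Regards,\nChristopher Rawson,\n")


def extract_base64_blob(body, min_line=20):
    """Decode the longest run of consecutive base64-looking lines in body, or
    return None. A run must start with a line of at least min_line base64
    characters (so a word such as 'attached' is not mistaken for data); a
    shorter line can only be the last one and closes the run."""
    runs, current = [], []
    for line in body.splitlines():
        s = line.strip()
        looks_b64 = bool(s) and all(c in B64_ALPHABET for c in s)
        if looks_b64 and (current or len(s) >= min_line):
            current.append(s)
            if len(s) < min_line:
                runs.append("".join(current))
                current = []
        elif current:
            runs.append("".join(current))
            current = []
    if current:
        runs.append("".join(current))
    if not runs:
        return None
    compact = max(runs, key=len)
    compact += "=" * (-len(compact) % 4)   # repair padding lost in the paste
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_zip(data):
    """If data is a ZIP, return (name, size, sha256) per member; else None.
    Members are read in memory only; nothing is written to disk or executed."""
    if data is None or not data.startswith(b"PK\x03\x04"):
        return None
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            members.append((info.filename, info.file_size, sha256_hex(content)))
    return members


def triage_message(body):
    """Full pipeline: message body -> decoded attachment -> member listing."""
    return triage_zip(extract_base64_blob(body))


if __name__ == "__main__":
    for name, size, digest in triage_message(build_sample_message()) or []:
        print(f"{name}  {size} bytes  sha256={digest}")
```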

I really don't know a lot about VBScript, but it's an interpreted language (like JavaScript), so with some care you can get it to decode itself for you. The payload of the script was delivered by a line
execute (lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin)
Changing "execute" to a series of commands that write the decoded text to a file out.txt gets the script to decode itself and present the deobfuscated code for you:

Set objFSO = CreateObject("Scripting.FileSystemObject")
outFile = "out.txt"
Set objFile = objFSO.CreateTextFile(outFile, True)
' The variable already holds the decoded script as text; Execute is a statement, not a
' function, so write the variable's contents out instead of running them
objFile.Write lqkxATqgKvblFIwSvnvFaUHynrslFbmIziWPjzin & vbCrLf
objFile.Close
Obviously, great care should be taken to do this and a throwaway virtual machine is advised in case of errors.

I haven't had time to do much analysis of the malicious script, except that it attempts to download further components from klonkino.no-ip.org (port 1804) which is hosted on 146.185.24.207 (Hosting Services Inc, UK). I strongly recommend blocking no-ip.org domains in any case, but I certainly recommend the following blocklist:
klonkino.no-ip.org
146.185.24.207

I haven't had time to analyse the second script further, but it has a VirusTotal detection rate of 21/47, which isn't too bad. If you want to have a look yourself, you can download the script from here (zip file, password = virus). But obviously you need to know what you are doing!

Friday, 6 September 2013

"Scanned Document Attached" spam / FSEMC.06092013.exe

This fake financial spam contains an encrypted attachment with a malicious file in it.

Date:      Fri, 6 Sep 2013 15:19:37 +0000 [11:19:37 EDT]
From:      Fiserv [Lawanda_Underwood@fiserv.com]
Subject:      FW: Scanned Document Attached

Dear Business Associate:

Protecting the privacy and security of client, company, and employee
information is one of our highest priorities. That is why Fiserv has
introduced the Fiserv Secure E-mail Message Center - a protected e-mail
environment designed to keep sensitive and confidential information
safe. In this new environment, Fiserv will be able to send e-mail
messages that you retrieve on a secured encrypted file.

You have an important message from Adam_Paul@fiserv.com.
To see your message, use the following password to decrypt attached file: JkSIbsJPPai

If this is your first time receiving a secure file from the
Fiserv Secure E-mail Message Center, you will be prompted to set up a
user name and password.

This message will be available until  Saturday Sep 07, 2013 at 17:50:42
EDT4

If you have any questions, please contact your Fiserv representative.

Sincerely,
Your Associates at Fiserv

Additional information about Fiserv Secure E-mail is available by
entering http://www.fiserv.com/secureemail/ into your Web browser and
pressing Enter.


The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.
Attached is an encrypted ZIP file, whose filename contains part of the victim's email address (or that of somebody else in the same domain), which has to be decrypted with the password JkSIbsJPPai. This in turn contains a malicious executable FSEMC.06092013.exe (note that the date is encoded into the filename). The VirusTotal detection rate for this malware is only 6/47.

The malware then phones home to ce-cloud.com:443, hosted on 84.22.177.37 (ioMart, UK), and uploads some data [1] [2] [3] [4]. What happens next is unclear, but you can guarantee that it is nothing good.

Blocking access to ce-cloud.com or 84.22.177.37 may provide some protection. Blocking EXE-in-ZIP files is an even more effective approach if you can do it.

CNN "The United States began bombing" spam / luggagepreview.com

This fake CNN spam leads to malware on luggagepreview.com:

Date:      Fri, 6 Sep 2013 11:30:57 -0600 [13:30:57 EDT]
From:      CNN [BreakingNews@mail.cnn.com]
Subject:      CNN: "The United States began bombing"

The United States began bombing!
By Casey Wian, CNN
updated 9:01 AM EDT, Wed August 14, 2013


(CNN) -- Pentagon officials said that the United States launched the first strikes against Syria. It was dropped about 15 bomn on stalitsu syria Damascus.  Full story >>
Rescuing Hannah Anderson

    Sushmita Banerjee was kidnapped and killed in Afghanistan, police say
    No one has claimed responsibility for her death, but police suspect militants
    Banerjee wrote "A Kabuliwala's Bengali Wife" about her escape from the Taliban

The link in the email is meant to go to [donotclick]senior-tek.com/tenth/index.html, but the "Full story" link has a typo in it and goes to senior-tekcom/tenth/index.html (without the dot) instead, which obviously fails. The site then tries to load these three scripts:
[donotclick]crediamo.it/disburse/ringmaster.js
[donotclick]stages2saturn.com/scrub/reproof.js
[donotclick]www.rundherum.at/rabbiting/irritate.js

From there the visitor is sent to a malicious payload at [donotclick]luggagepreview.com/topic/able_disturb_planning.php, a hacked GoDaddy domain hosted on 174.140.171.207 (DirectSpace LLC, US) along with several other hijacked domains.

Recommended blocklist:

Facebook spam / www.facebook.com.achrezervations.com

This fake Facebook spam leads to malware on www.facebook.com.achrezervations.com:

Date:      Fri, 6 Sep 2013 08:07:14 -0500 [09:07:14 EDT]
From:      Facebook [notification+puppies9@mail.facebookmail.net]
Reply-To:      noreply [noreply@postmaster.facebookmail.org]
Subject:      Cole Butler confirmed your Facebook friend request

facebook

Cole Butler has confirmed that you're friends on Facebook.
You may know some of Cole's Friends
    Daren Douglas
    1 mutual friends
    Add Friend
    Gertrude Souza
    14 mutual friends
    Add Friend
    Brice Kelly
    3 mutual friends
    Add Friend
    Beverly Howard
    12 mutual friends
    Add Friend
    Julia Metz
    6 mutual friends
    Add Friend
    Nora Belanger
    6 mutual friends
    Add Friend
View Timeline
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303

The link in the email goes to a legitimate hacked site and then to an exploit kit on [donotclick]www.facebook.com.achrezervations.com/news/implement-circuit-false.php (report here) hosted on the following servers:
66.230.163.86 (Goykhman And Sons LLC, US)
95.111.32.249 (Megalan / Sofia Mobiltel EAD, Bulgaria)
115.78.233.220 (Vietel Corporation, Vietnam)
194.42.83.60 (Interoute Hosting, UK)

The following IPs and domains are all malicious and belong to this gang, I recommend you block them:

Something evil on 37.59.164.209 (OVH)

37.59.164.209 is a server operated by OVH in France. It has many malicious domains hosted on it; indeed, almost everything on it is flagged by Google as being malicious. Blocking access to that IP address is the simplest approach, as the malicious sites do seem to be in some flux.

Recommended blocklist: