AICPA spam / children-bicycle.net

This fake AICPA spam leads to malware on the domain children-bicycle.net:

From:     Reggie Wilkins [blockp12@clients.aicpa.net]
Date:     25 September 2013 15:03
Subject:     Your accountant license can be cancelled.

You're receiving this email as a Certified Public Accountant and a member of AICPA.
Having trouble reading this email? View it in your browser.

AICPA logo
Cancellation of Accountant status due to tax return fraud allegations
Valued accountant officer,

We have received a complaint about your recent participation in tax return infringement  for one of your employers. According to AICPA Bylaw Subsection 730 your Certified Public Accountant license can be withdrawn in case of the occurrence of filing of a false or fraudulent tax return for your client or employer.

Please familiarize yourself with the notification below and provide your feedback to it within 14 days. The failure to do so within this term will result in cancellation of your CPA license.

Complaint.pdf


The American Institute of Certified Public Accountants.

Email: service@aicpa.org
Tel. 888.777.7077
Fax. 800.362.5066

I haven't seen AICPA themed spam for a long time, but this follows an established pattern. The link in the email goes to a legitimate hacked site and then on to a malware payload at [donotclick]www.aicpa.org.children-bicycle.net/news/aicpa-all.php (report here).. but only if the visitor is running Windows (more of which in a moment).

The domain children-bicycle.net is registered with fake WHOIS details and the pattern of the domain mark it out as belonging to the Amerika gang.

Administrative Name: Jennifer Horvath
Administrative Company: Jennifer Horvath
Administrative Address: 3499 Latitude Cove
Administrative Address: Milton
Administrative Address: GA
Administrative Address: 30004
Administrative Address: US
Administrative Email: mybigben56@yahoo.com
Administrative Tel: +1.7705008444

The payload is hosted on the following IP addresses (all also listed here):
24.111.103.183 (Midcontinent Media, US)
109.71.136.140 (OpWan, France)
184.82.233.29 (Network Operations Center, US)

As I mentioned, the code detects the visitor's OS and only sends the victim to the exploit kit if they are running Windows, others end up at the genuine aicpa.org website (click to enlarge).

Recommended blocklist:
24.111.103.183
109.71.136.140
184.82.233.29
cernanrigndnisne55.net
children-bicycle.net
demuronline.net
fdic.gov.horse-mails.net
fiscdp.com.airfare-ticketscheap.com
horse-mails.net
mails.rererereecils.com
nacha.org.smscente.net
pidrillospeeder.com
protektest.net
rererereecils.com
smscente.net
www.aicpa.org.children-bicycle.net
www.fdic.gov.horse-mails.net
www.nacha.org.demuronline.net
www.nacha.org.smscente.net

6rf.net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211

Here are a couple of IPs serving exploit kits.. the case in question is a legitimate site that loads code from 6rf.net and this in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant.biz.

The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains of the following (more here):

witnessvacant.biz
objectiongigs.biz
prosecutorpro.biz

That IP hosts various exploit kits and is suballocated to a Russian customer:

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:    
PostalCode:     430000
Country:        RU
RegDate:        2013-08-12
Updated:        2013-08-12
Ref:            http://whois.arin.net/rest/customer/C04667583

Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer:
 organisation:   ORG-RL152-RIPE
org-name:       R5X.org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@r5x.org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered

Domains associated with the OVH France servers (and I would recommend blocking these) are:
caseagency.biz
chqqwyotlook.biz
cqcodoyogold.biz
flogdoyfohoqobl.biz
gyfowkdoylgoqc.biz
hearsayavailable.biz
jailprojects.biz
liablegigs.biz
lqcolqbtthdoydozzl.biz
objectiongigs.biz
objectionjobs.biz
othtdoyttqd.biz
ottptqc.biz
ottylook.biz
prosecutorpro.biz
qdpqdqcdoyplqdd.biz
subpoenaproject.biz
testimonyjobs.biz
thoqkgvqqgchot.biz
tohhohoqohwoy.biz
vqolqtqdoyodl.biz
witnessvacant.biz

But that's not the only infection that 6rf.net is punting, as there is another malicious domain of [donotclick]yandex.ru.sgtfnregsnet.ru in use (report here) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlebot.ru) which is also serving up an exploit kit [1] [2] and an examination of the rest of the domains on that IP show nothing at all of value:

yandex.ru.sgtfnregsnet.ru
googlerobot.ru
google.directadvertstat.ru
nationalaustralia.org

It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf.net
caseagency.biz
chqqwyotlook.biz
cqcodoyogold.biz
flogdoyfohoqobl.biz
gyfowkdoylgoqc.biz
hearsayavailable.biz
jailprojects.biz
liablegigs.biz
lqcolqbtthdoydozzl.biz
objectiongigs.biz
objectionjobs.biz
othtdoyttqd.biz
ottptqc.biz
ottylook.biz
prosecutorpro.biz
qdpqdqcdoyplqdd.biz
subpoenaproject.biz
testimonyjobs.biz
thoqkgvqqgchot.biz
tohhohoqohwoy.biz
vqolqtqdoyodl.biz
witnessvacant.biz
yandex.ru.sgtfnregsnet.ru
googlerobot.ru
google.directadvertstat.ru
nationalaustralia.org

"International Wire Transfer" spam / INTL_Wire_Report-09242013.zip

This fake wire transfer spam has a malicious attachment:

Date:      Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@wellsfargo.com]
Subject:      International Wire Transfer File Not Processed

We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.

Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.

Please view the attached file for more details on this transaction.

Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).

Event Message ID: S203-8767457

Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700  

----------------------------------------------------------------------------------------------------------------------------------------------------
Please do not reply to this email; this mailbox is only for delivery of Event Messaging notices. To ensure you receive these notices, add ofsrep.ceoemigw@wellsfargo.com to your address book.

For issues related to the receipt of this message, call toll free 1-800-AT-WELLS (1-800-289-3557) Monday through Friday between 4:00 am and 7:00 pm and Saturday between 6:00 am and 4:00 pm Pacific Time.

Customers outside the U.S. and Canada may contact their local representative's office, or place a collect call to Treasury Management Client Services at 1-704-547-0145.

Please have the Event Message ID available when you call.

Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date in encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48.



Automated analysis [1] [2] [3] shows the usual sort of stuff plus network traffic to ta3online.org  on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site.



Blocking EXE-in-ZIP files at you network perimeter is absolutely the best way of avoid malware attacks like this.

Malware sites to block 24/9/2013

The malicious IPs and domains on this list are operated by this gang, and it replaces the list last week.

5.135.42.104 (OVH, Netherlands)
24.111.103.183 (Midcontinent Media, US)
24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
37.221.163.174 (Voxility SRL, Romania)
42.121.84.12 (Aliyun Computing Co, China)
46.32.47.24 (Syd Energi, Denmark)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
69.94.163.22 (Region 18 Education Service Center, US)
69.163.40.39 (DirectSpace LLC, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
79.190.173.125 (TPNET, Poland)
81.28.199.18 (KNET, France)
84.52.66.244 (West Call Ltd, Russia)
85.246.142.214 (PT Comunicacoes, Portugal)
91.220.77.83 (NTH Media, Switzerland)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
109.71.136.140 (OpWan, France)
123.183.210.42 (China Telecom, China)
125.20.14.222 (Price Water House Cooperation, India)
153.127.243.80 (Kagoya Japan Corporation, Japan)
163.32.78.2 (TANET, Taiwan)
174.142.186.89 (iWeb, Canada)
184.82.233.29 (Network Operations Center, US)
186.3.101.235 (Clientes Quito, Ecuador)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
194.44.93.219 (UARNet, Ukraine)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
199.175.49.118 (VPS Cheap, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.115.114.69 (Wowrack, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
216.218.208.55 (Hurricane Electric, US)
223.30.27.251 (Sify Limited, India)
220.68.231.30 (Hansei University, Korea)

5.135.42.104
24.111.103.183
24.173.170.230
32.64.143.79
37.153.192.72
37.221.163.174
42.121.84.12
46.32.47.24
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
69.94.163.22
69.163.40.39
77.123.54.28
79.190.173.125
81.28.199.18
84.52.66.244
85.246.142.214
91.220.77.83
95.111.32.249
103.20.166.67
109.71.136.140
123.183.210.42
125.20.14.222
153.127.243.80
163.32.78.2
174.142.186.89
184.82.233.29
186.3.101.235
186.251.180.205
187.60.172.18
194.44.93.219
194.158.4.42
198.71.90.239
199.175.49.118
208.52.185.178
208.115.114.69
211.71.99.66
216.218.208.55
223.30.27.251
220.68.231.30
24kstudio.net
achrezervations.com
acomboramboarmiab722.net
aconsturcioneoftherive677.net
acormushkivsenamizv992.net
airfare-ticketscheap.com
aristonmontecarlo.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
consistingsec.net
cremenatthemomenter56.net
crovvirnskieertater55.net
crovviyyyyyyuutater90.net
curse.su
deepsealinks.com
demuronline.net
diggingentert.com
dropdistri-butions.net
dulethcentury.net
ehtiebanishkeobprienrt25.net
ejanormalteene250.com
ejanormatoone240.com
elvisalive4ever.com
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
exeteenofthemid74.com
explorerlikem.com
fdic.gov.horse-mails.net
gigiandrose-sf.net
gjoonalitikeer310.com
gjoonanalitik300.com
glums.net
goodnoontoon11.net
gormonigraetnapovalahule26.net
grannyhair.ru
gromovierashodyna73.net
hdmltextvoice.net
higherpricedan.com
horse-mails.net
hotsuperfilms.com
infomashe.com
instotsvin.ru
isightbiowares.su
joyrideengend.net
kolopeto.net
lights-awake.net
loreddiverting.su
macache.net
maxichip.com
micnetwork100.com
mobile-unlocked.net
mssoft.in.net
multiachprocessor.com
myaxioms.com
nacha.org.smscente.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
ollerblogging.net
ordersdeluxe.com
outcastii.com
oversearadios.net
pardus-wiki.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
smartsecureconnect.com
smscente.net
softwareup.pw
spottingculde.com
stjamesang.net
techno-arena.net
thefastor.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.ejanormalteene250.com
www.fdic.gov.horse-mails.net
www.gjoonalitikeer310.com
www.nacha.org.demuronline.net
www.nacha.org.smscente.net

Siga Resources Inc (SGAE) pump-and-dump spam

This pump-and-dump (P&D) spam for Siga Resources Inc (SGAE) follows a familiar pattern: it starts almost immediately after the close of trading on the Friday and the characteristics match several other recent spam runs which have been sent out by the Kelihos botnet. The spams look like this:

Are We having Fun Yet? THIS COMPANY IS UP TODAY ON LARGE VOLUME.

Trading Date: Monday, September 23th
Closed at: 0.015
Company: Siga Resources Inc.
Symbol traded: SG_AE
Target Price: 0.25

Our Watchlist Alert!!! This Stock is back up on strong VOLUME!

----------

This Stock IS RED HOT!!! Massive Breakout!

Date: Sep 23th
Target: .55
Company Name: SIGA RESOURCES INC
Stock: S G_A-E
Buy it at: $0.02

Strong news and a scintillating chart could spell breakout. Driving
towards a new breakout level!

----------

My New Monster Pick Is ... Most Active!!!

Date: Monday, September 23, 2013
Current Price: 0.015
Tick: S-GA-E
Name: SIGA RESOURCES CORP
Short Term Target Price: 0.20

This company had another strong day! We could see further gains
ahead tomorrow. One NOT to Miss.

----------

Take a look at your favorite stock charts. It is featured company ready to
pop!!!

Sym: S-G_A E
Current Price: .02
Date: Monday, Sep 23th, 2013
Company: SIGA RESOURCES, CORP
4-Day Target: $.50

It Broadens Target Markets! Its Time to Buy Again...

Sample subject lines:
Subject:     Potential Breakout Stock
Subject:     Are you missing this?
Subject:     This Company looks ready to explode!
Subject:     Do Not Miss This One, You Will Be Bummed If You Do!

As I posted last week, observation of similar P&D spams is that the share price often collapses completely when the spamming stops.

Siga Resources in involved in small-scale minerals exploration. I'm not a financial analyst, but this firm looks almost dormant with zero income and effectively no cash in the bank. There has been no significant news for over a year. Siga's own 10-K filing for 2013 is extremely bleak and uses phrases such as "we have not generated any revenues since our formation on January 18, 2007" and "We require additional cash to continue operations. Such operations could take many years of exploration and would require expenditure of very substantial amounts of money, money we do not presently have and may never be able to raise. If we cannot raise it we will have to abandon our planned exploration activities and go out of business" and "We have one joint venture project on the Lucky Thirteen Claim. The joint venture has to date defaulted on payments to keep the ownership in the Lucky Thirteen Claim intact. Consequently, we are at risk of losing our interests in the Lucky Thirteen Claim entirely."

In short, there is no news at all that would make you want to buy this stock. And it is very important to realise that any information contained in the spam messages is merely a lie to boost the price, sent out by unknown parties.

The stock has not done well since it started, trading at around $0.55 to $0.60 until mid-2011 when it peaked at $2.40. It has since fallen to levels between $0.01 and $0.02.

On a typical day, share trades in SGAE are close to zero and rarely exceed 100,000 shares. But on Friday alone, over a million shares were traded in SGAE with 1.7 million shares traded in total across the week a prices ranges from $0.0288 to $0.015. I believe that the majority of those share trades were done by the spammers themselves taking up a position, with speculators adding a small volume on top.

Do not be tempted to buy SGAE shares on the back of these spammed-out solicitations. They are simply the actions of someone trying to offload almost worthless stock at an inflated price, and past history with these spamvertised stocks shows that there is a high risk that the price will collapse completely afterwards.

WhatsApp "3 New Voicemail(s)" spam and 219.235.1.127

I am indebted to Gary Warner for his analysis of this malware. But I can't resist having a poke at it myself. This malware is particularly cunning.

First of all, it starts with a WhatsApp-themed spam:

From:     WhatsApp Messaging Service
Date:     20 September 2013 19:36
Subject:     3 New Voicemail(s)

WhatsApp

You have a new voicemail!
Details
Time of Call: Sep-17 2013 04:05:07
Lenth of Call: 04 seconds

Play

*If you cannot play, move message to the "Inbox" folder.

2013 WhatsApp Inc 

I'm sort-of-vaguely aware of the existence of WhatsApp in the same way that I am vaguely aware of my wife's birthday. Here's the thing though.. click on the link on the PC and you get a fake Plesk 404 page (see this report). But click on it using an Android device and you get something very different.

So, armed with a random Android user agent string and WGET, I accessed the link (in this case [donotclick]www.organocontinuo.com/app.php?message=hADXwckiPdaYKjapSiWJyMR/guGMDz4l8/PCDGmSemg=) and ended up with a 2,735,848 byte file called WhatsApp.apk instead.

I didn't test this on an Android device or the ADK, but apparently it is possible that clicking the link installs the malware without asking on certain devices. The VirusTotal score for this .apk is a pretty health 21/48, but who runs anti-virus software on their Android? (If you aren't running AV, then try this).

So what does it do? Well, I've been using the Anubis sandbox to analyse Windows binaries for a while, but it can analyse the results of Android .apk files too, which is pretty darned cool. And this is what Anubis sees the malicious Android app doing.

Now, if you've read Gary's blog then you will know that this is an Android-based fake anti-virus application. Anubis says that the application's reported URL is defenderandroid.org but I am not sure if this is fake. However, the application certainly seems to send traffic to 219.235.1.127 (Shanghai QianWan Network, China) which is probably a darned good candidate for blocking (if you can). This IP has been spotted with PC-based fake AV programs before [1] [2] [3].

Up until April, the IP  219.235.1.127  hosted the domains w0580.com and juyuanfang.com, both registered to the same person using the email address sisibin@qq.com. I do not know if they are connected with the fake AV in any way.

Although mobile malware is getting more common, this is the first time that I have seen an attack like this. All smartphone and tablet users need to be aware of the very real risks of malware on thier devices and should take the appropriate steps to keep themselves safe.

Apple (AAPL) pump-and-dump spam

A pump and dump spam trying to move Apple (AAPL) stock? Really? I don't think a spam run is going to have much effect on a $473 share in a company worth $420bn.

From: lpskann@scminvest.com
Subject: This Company continues to surge, could new highs be ahead?

Apple has presented its new models - iPhone 5S and iPhone 5C,
which actually have not moved the providers of financing. But, we
got to hear about the confidential novelty, which is created in
Cupertino (the Main Office of the Apple Company). This specialty
will be of interest for everyone. Through just a year, everybody
will utilize it. Namely now the time is ripe to acquire the
Apple's securities. Their value will be quick increased!!!

#goodluckwiththat- here's another one:

From: h.strutzmann@raymondjames.com
Subject: This Company is Hot and Premarket analysis is ready

The new-developed models, i.e. iPhone 5S and iPhone 5C, have
been recommended by the Apple Company. Nevertheless the
products have not impressed the business sponsors.
Nevertheless, we have learned about the secret new product,
which is being worked out in Cupertino, the Main Office of
the Apple Company, which will be required by a wide
audience. (It is going to be put in use by everybody duting
the course of only one year). Now it's about time to take
possession of the shareholding of Apple, because quite soon
they will go up in value!

A third sample adds the stock ticker symbol:

Subject:      Advanced Trading Alert Notice

Apple Company (Nasdaq:AA PL) has shown its new-developed models - iPhone
5S and iPhone 5C, which indeed have been not very impressive for the
providers of capital. Still, we got the wind of the confidential new
product, which is created in Cupertino (the Principal Business Place of
the Apple). This new product will be needed by all the people. During
just one year, all the people will put in use the product. Presently it's
high time to obtain the Apple's securities. Their price will grow quite
soon.

And some more rather ungrammatical auto-generated examples..

The providers of financing have not been struck by the
new-developed models, i.e. iPhone 5S and iPhone 5C, which have
been introduced by the Apple. Still, we have got the wind of
the fact that in Cupertino (the Apple's Headquarter), a
confidential innovation is being created. The item will be
popular for all the people. It will be wide put on within just
a year. Right now is the perfect timing for acquiring the
shares of the Apple. Very soon these shares of stock will
increase high in value.

The financiers have not been struck by the new-developed products, i.e.
iPhone 5S and iPhone 5C, which have been shown by the Apple. But, we have
got to hear that in Cupertino (the Apple's Headquarter), a non-public
newcomer is being designed. The item will be required by all the people. It
will be wide put on in just a year. Now is the right time for purchasing
the equity of the Apple. Fast these shareholding will grow high in price.

iPhone 5S and iPhone 5C present the fresh items, which were shown by the
Apple Company (Nasdaq:AA_PL). Nevertheless, these products have little
effect on the providers of financing. All the same, we got to learned that
in Cupertino (where the Apple's Principal Business Office is located), an
undercover recent development gadget is being elaborated. Namely this
novelty will be of interest for everybody (the recent development will be
applied by all the people within the course of one year). The Apple's equity
shall be purchased right at the moment, as fast they will increase in price!


Apple Company (Nasdaq:AAP-L) has offered its latter-day
products - iPhone 5S and iPhone 5C, which actually have
little effect on the backers. However, we got the wind of
the undercover innovation, which is produced in Cupertino
(the General Headquarter of the Apple). This recent
development will be needed by everybody. Within only one
year, everyone will utilize it. Namely now it's about time
to get hold of the Apple's shareholding. Their price will
grow quite soon!!!

Apple Company (Nasdaq:A-A_P L) has presented its new models - iPhone 5S
and iPhone 5C, which indeed have not struck the fund clients. All the
same, we got to learned about the undercover novelty, which is designed
in Cupertino (the Principal Place of Business of the Apple Company).
This new product will be required by all the people. During the course
of just a year, everybody will put on it. The present moment the time is
ripe to get hold of the Apple's shares. Their price will soon grow.

The Apple Company (Nasdaq:A-A-PL) has introduced its new products - iPhone 5S
and iPhone 5C, which truly have little impression on the fund clients. But,
we got to learned about the private newcomer, which is created in Cupertino
(the General Headquarter of the Apple Company). This recent development will
be of interest for everyone. During just a year, everyone will use it. Right
now is the time to obtain the Apple's equity. Their price will grow quite
soon. 

"INCOMING FAX REPORT" spam / lesperancerenovations.com

This fake fax spam appears to come from the Administrator at the victim's domain:

Date:      Wed, 18 Sep 2013 15:01:42 -0500 [16:01:42 EDT]
From:      Administrator [administrator@victimdomain]
Subject:   INCOMING FAX REPORT : Remote ID: 8775654573

*********************************************************
INCOMING FAX REPORT
*********************************************************

Date/Time: 09/18/2013 05:11:15 EST
Speed: 39287 bps
Connection time: 02:07
Pages: 2
Resolution: Normal
Remote ID: 8775654573
Line number: 1
DTMF/DID:
Description: August Payroll

Click here to view the file online

*********************************************************

The link in the email goes to a legitimate but hacked site and then tries to load one of the following three scripts:
[donotclick]0068421.netsolhost.com/partisanship/poached.js
[donotclick]ade-data.com/exuded/midyear.js
[donotclick]fangstudios.com/macedonian/piles.js

In turn, these try to direct the visitor to a malware landing page at [donotclick]lesperancerenovations.com/topic/seconds-exist-foot.php which is a hijacked GoDaddy domain hosted on 174.140.169.145  (DirectSpace, US) along with several other hijacked GoDaddy domains listed below in italics.

Recommended blocklist:
174.140.169.145
lesperancerenovations.com
louievozza.com
louvozza.com
lv-contracting.com
lvconcordecontracting.com
saltlakecityutahcommercialrealestate.com
0068421.netsolhost.com
ade-data.com
fangstudios.com

FDIC spam / horse-mails.net

This fake FDIC spam leads to malware on www.fdic.gov.horse-mails.net:

Date:      Tue, 17 Sep 2013 15:28:52 +0330 [07:58:52 EDT]
From:      insurance.coverage@fdic.gov
Subject:      FDIC: About your business account

Dear Business Customer,

We have important news regarding your financial institution.

Please View to see further details.

This includes information on the acquiring bank (if applicable), how your accounts and loans are affected, and how vendors can file claims against the receivership
FDÌC     Questions for FDÌC?
Contact Us

The FDÌC receives no Congressional appropriations - it is funded by premiums that banks and thrift institutions pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. The FDÌC insures approximately $9 trillion of deposits in U.S. banks and thrifts - deposits in virtually every bank and thrift in the country.

Federal Insurance Company · 3501 Fairfax Drive · Arlington VA 22225 · 877-275-3342 

The link goes through a legitimate hacked site and onto a malware landing page at [donotclick]www.fdic.gov.horse-mails.net/news/fdic-insurance.php which belongs to the Amerika gang and is hosted on the following IPs (the recommend blocklist is at the end of the post):
37.221.163.174 (Voxility S.R.L., Romania)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
109.71.136.140 (OpWan SARL, France)
174.142.186.89 (iWeb Technologies, Canada)
216.218.208.55 (Hurricane Electric, US)

Of interest, the legitimate hacked site that is linked to tries to do some OS detection which is a new feature (pictured below)

Recommended blocklist (use in conjunction with this):
37.221.163.174
95.111.32.249
109.71.136.140
174.142.186.89
216.218.208.55
airfare-ticketscheap.com
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
demuronline.net
evreisorinejsopgmrjnet28.net
fiscdp.com.airfare-ticketscheap.com
germaniavampizdanahuj.net
gormonigraetnapovalahule26.net
grannyhair.ru
gstarstats.ru
horse-mails.net
maxichip.com
micnetwork100.com
mirrorsupply.com
nacha.org.samsung-galaxy-games.net
nvufvwieg.com
pidrillospeeder.com
smartsecureconnect.com
softwareup.pw
tor-connect-secure.com
vineostat.ru
vip-proxy-to-tor.com
www.fdic.gov.horse-mails.net
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net
www.nacha.org.smscente.net

ADP spam / ADP_831290760091.zip

This fake ADP spam has a malicious attachment:

Date:      Tue, 17 Sep 2013 20:32:04 +0530 [11:02:04 EDT]
From:      ADP ClientServices
Subject:      ADP - Reference #831290760091
Priority:      High Priority 1 (High)

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #831290760091

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 

Attached to the email is a file called ADP_831290760091.zip which in turn contains ADP_Reference_09172013.exe which has a VirusTotal detection rate of 9/48.

Automated analysis [1] [2] [3] shows a connection attempt to awcoomer.com on  78.157.201.219 (UK Dedicated Servers Ltd, UK). I don't have any evidence of further infections on this server, it does host 30+ legitimate UK sites if that helps..

FedEx spam FAIL

This fake FedEx spam is presumably meant to have a malicious payload:

Date:      Tue, 17 Sep 2013 13:02:25 +0000 [09:02:25 EDT]
From:      webteam@virginmedia.com
Subject:      Your Rewards Order Has Shipped
Headers:      Show All Headers           
                   
This is to confirm that one or more items in your order has been shipped. Note that multiple items in an order may be shipped separately.            
                   
You can review complete details of your order on the Order History page            
                   
Thanks for choosing FedEx.            
                       
Order Confirmation Number: 0410493
Order Date: 09/15/2013            
                       
Redemption Item     Quantity     Tracking Number            
Paper, Document    16    <          

fedex.com     Follow FedEx:        
                                   
You may receive separate e-mails with tracking information for reward ordered.    

My FedEx Rewards may be modified or terminated at any time without notice. Rewards points available for qualifying purchases and certain exclusions apply. For details and a complete listing of eligible products and services please read My FedEx Rewards Terms and Conditions .    

©2012 FedEx. The content of this message is protected by copyright and trademark laws under U.S. and international law. Review our privacy policy . All rights reserved

Presumably there is meant to be a malicious link or attachment, but there isn't. However, the bad guys will probably use the same template again with a WORKING payload, so please take care.

SpeedPacket, CookieBomb and something evil on 37.58.73.42, 95.156.228.69 and 195.210.43.42

A few days ago the Internet Storm Center raised a question about activity on 37.58.73.42 (Softlayer, Netherlands / Techpreneurs India Pvt Ltd, India), 95.156.228.69 (Game Company, Germany) and 195.210.43.42 (Syntis, France).

I hadn't seen the attack in question until today with this injection attack on a legitimate site, using a Cookie Bomb script [1] [2] to send victims to a site [donotclick]11p1rjqaahmp7asqbeqd5fx.bouwslim.be via an intermediary hacked site. The malicious domain is hosted on 95.156.228.69 which forms part of this cluster of three servers.

Reverse DNS indicates tens of thousands of malicious sites, mostly subdomains of domains hijacked from customers of a Belgian company called SpeedPacket, but there are also some other malicious .ru domains some of which I have spotted before on a server in Romania.

The SpeedPacket hijacks are interesting. They have been going on since at least July, and it appears that they are being hijacked in alphabetical order. From my perspective, it looks like one domain gets hijacked, used for evil purposes.. and then it either gets cleaned up by SpeedPacket, or the bad guys are returning it once they have used it. I've never seen anything like that before. For example, using the data from VirusTotal, we can map it out as follows:

04/07/2013    antwerpen-drukkerij.be
13/08/2013    behangwerk.be
15/08/2013    belgianpowersystem.be
21/08/2013    benzino.be
22/08/2013    besparen-isoleren.be
22/08/2013    beste-frankiermaschine
31/08/2013    beveiligingen-vergelijken.be
01/09/2013    bevloerders.be
01/09/2013    bewakingsvideo.be
03/09/2013    binnen-deuren.be
05/09/2013    binnenhuisarchitecten-vergelijken.be
07/09/2013    bizgo.be
07/09/2013    bizzdir.be
08/09/2013    bleachen.be
09/09/2013    blocnotes-drukken.be
09/09/2013    bobbo.be
11/09/2013    bodyhealth.be
11/09/2013    boeddhabeelden.be
11/09/2013    boekbinderijen.be
11/09/2013    boeken-tweedehands.be
12/09/2013    boeken-tweedehands.be
12/09/2013    boiler-op-zonne-energie.be
13/09/2013    boilershop.be
13/09/2013    boiler-warmtepomp.be
14/09/2013    boldea.ro
14/09/2013    boniface.be
16/09/2013    bourgondischschild.be
16/09/2013    bouwcorrect.be
17/09/2013    bouw-materialen.be
17/09/2013    bouwslim.be

At the time of writing, only the domain bouwslim.be seems to be resolving, the rest appear to have been cleaned up.

These domains [pastebin] all appear to have been hijacked from SpeedPacket's customers and have been used in CookieBomb attacks. We can count 138 SpeedPacket domains that have been abused so far.

So, how may domains do SpeedPacket look after? We traced back the hijacked domains to their originating servers and found these 2318 domains [pastebin]. 138 out of 2318 doesn't sound too bad, until you realise that the hijack is happening alphabetically and bouwslim.be is the 316th domain on the list.. so, from that date it looks like a shocking 138/316 (44%) of SpeedPacket domains have been compromised so far.

As I said, there are also some other domains hosted on these servers including some malicious .ru domains. I don't recommend that you block the SpeedPacket customers listed, simply because blocking the IPs is simpler and less likely to block a legitimate site.. but still, if it is your network then it is your rules that apply.

Recommended blocklist:
37.58.73.42
95.156.228.69
195.210.43.42
datingbay.eu
datingbay.us
arcgyj.ru
gmzuwr.ru
gnlhxr.ru
gqwgup.ru
gwggjs.ru
hiitok.ru
hjjjtp.ru
hljnpn.ru
hoqvmh.ru
hrgvrl.ru
htgkyl.ru
ihjxyw.ru
ilpkyu.ru
ivxwzs.ru
ixwsnw.ru
jpkkyy.ru
jtgqqt.ru
kinyng.ru
kjlluq.ru
klzwlz.ru
ksmhwj.ru
lqohmk.ru
lryuuy.ru
luiwmt.ru
lulpqm.ru
lvyrts.ru
lwxzuj.ru
mzjtwz.ru
nsggtm.ru
nsnikn.ru
nsnwzr.ru
nxtmrg.ru
ohskou.ru
olpnso.ru
onjmzs.ru
orjoik.ru
ovhirm.ru
oxxukz.ru
pguirk.ru
plvzjy.ru
ppvyot.ru
pvmkzn.ru
pvzvnp.ru
qroxil.ru
qugpiw.ru
qyloyh.ru
rgqvgm.ru
rhpxwr.ru
rszqxv.ru
rvwwko.ru
rwrkhx.ru
silotw.ru
toqizs.ru
tpxhpz.ru
trlnps.ru
ugjkxh.ru
ugvsmt.ru
umpynu.ru
vpzpkh.ru
vtqkmh.ru
vwjitv.ru
wltmpm.ru
wmhxul.ru
wqgzuo.ru
wstnog.ru
wvgyjr.ru
ximoql.ru
xqixtr.ru
xxpqzs.ru
ylypln.ru
ynjskx.ru
ynxgys.ru
yzxxtj.ru
zhkmgj.ru
zjqtih.ru
zromwk.ru
zrzuhj.ru
ztlwwm.ru
zuihwg.ru
zuknsr.ru

Malware sites to block 17/9/13

This set of malicious IPs and domains is associate with this gang, and the list replaces the last one published here.

24.173.170.230 (Time Warner Cable, US)
32.64.143.79 (AT&T, US)
37.153.192.72 (Routit BV, Netherlands)
42.121.84.12 (Aliyun Computing Co, China)
46.246.111.159 (Portlane Networks, Sweden)
58.68.228.148 (Beijing Blue I.T Technologies Co., China)
58.246.240.122 (China Unicom, China)
61.36.178.236 (LG DACOM, Korea)
62.141.46.8 (fast IT, Germany)
66.230.163.86 (Goykhman and Sons LLC, US)
66.230.190.249 (ISPrime, US)
77.123.54.28 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
83.148.208.151 (Salon Seudun Puhelin Oy, Finland)
84.52.66.244 (West Call Ltd, Russia)
95.87.1.19 (Trakia Kabel, Bulgaria)
95.111.32.249 (Megalan / Mobiltel EAD, Bulgaria)
103.20.166.67 (PT. Visikom Indo Sentratama, Indonesia)
112.124.55.133 (Hangzhou Alibaba Advertising Co.,Ltd., China)
115.78.233.220 (Vietel Corporation, Vietnam)
115.160.146.142 (Wharf T&T Ltd, Hong Kong)
119.78.243.74 (CSTNET, China)
125.20.14.222 (Price Water House Cooperation, India)
141.20.102.73 (Humboldt-Universitaet zu Berlin, Germany)
153.127.243.80 (Kagoya Japan Corporation, Japan)
159.226.51.161 (CSTNET, China)
172.245.62.181 (Colocrossing, US)
173.230.130.69 (Linode, US)
174.142.186.89 (iWeb Technologies, Canada)
178.33.132.103 (OVH, France)
178.239.180.211 (Enter S.r.l., Italy)
184.82.233.29 (Network Operations Center, US)
185.19.95.170 (TTNETDC, Turkey)
186.251.180.205 (Infotech Informatica e Assistencia Tecnica Ltda, Brazil)
187.60.172.18 (Linhares Serviços Online LTDA, Brazil)
192.210.198.198 (Valley Host, US)
192.237.186.71 (Rackspace, US)
194.158.4.42 (Interoute Communications, France)
198.71.90.239 (Enzu Inc, US)
208.52.185.178 (BroadRiver Communication Corp, US)
208.180.134.20 (Suddenlink Communications, US)
211.71.99.66 (Beijing Institute of Clothing Technology, China)
212.169.49.234 (Claranet, UK)
216.218.208.55 (Hurricane Electric, US)
220.68.231.30 (Hansei University, Korea)
223.30.27.251 (Sify Limited, India)

Blocklist:
24.173.170.230
32.64.143.79
37.153.192.72
42.121.84.12
46.246.111.159
58.68.228.148
58.246.240.122
61.36.178.236
62.141.46.8
66.230.163.86
66.230.190.249
77.123.54.28
83.148.208.151
84.52.66.244
95.87.1.19
95.111.32.249
103.20.166.67
112.124.55.133
115.78.233.220
115.160.146.142
119.78.243.74
125.20.14.222
141.20.102.73
153.127.243.80
159.226.51.161
172.245.62.181
173.230.130.69
174.142.186.89
178.33.132.103
178.239.180.211
184.82.233.29
185.19.95.170
186.251.180.205
187.60.172.18
192.210.198.198
192.237.186.71
194.158.4.42
198.71.90.239
208.52.185.178
208.180.134.20
211.71.99.66
212.169.49.234
216.218.208.55
220.68.231.30
223.30.27.251
achrezervations.com
aconsturcioneoftherive677.net
airfare-ticketscheap.com
aristonmontecarlo.net
berylhowell.net
bnamecorni.com
bundle.su
cernanrigndnisne55.net
cerovskiprijatnomnebi25.net
certerianshndieony24.net
clothestaxact.com
consistingsec.net
crovliivseoslniepodmore83.net
crovniedelamjdusaboye73.net
crovvirnskieertater55.net
deepsealinks.com
demuronline.net
diggingentert.com
dotier.net
dulethcentury.net
ehnihjrkenpj.ru
ehnynewyortenotbaber.net
ehtiebanishkeobprienrt25.net
elvisalive4ever.com
ermiarmirovanieyye46.net
ermitajnierisunkiane45.net
euteus.com
evreisorinejsopgmrjnet28.net
excelledblast.net
fiscdp.com.airfare-ticketscheap.com
gemochlenoftheierarhia23.net
germaniavampizdanahuj.net
germoshanyofthesity72.net
gormonigraetnapovalahule26.net
gormoshkeniation68.net
grannyhair.ru
gromovierashodyna73.net
gstarstats.ru
hdmltextvoice.net
higherpricedan.com
imagoindia.net
infomashe.com
irs.gov.successsaturday.net
isightbiowares.su
joyrideengend.net
kneeslapperz.net
lacave-enlignes.com
lights-awake.net
lindoliveryct.net
macache.net
maxichip.com
medusascream.net
micnetwork100.com
mirrorsupply.com
mobile-unlocked.net
multiachprocessor.com
myaxioms.com
nacha.org.samsung-galaxy-games.net
nacha-ach-processor.com
namastelearning.net
nvufvwieg.com
oadims.net
onsayoga.net
ordersdeluxe.com
oversearadios.net
perkindomname.com
picturesoftdeath.com
pidrillospeeder.com
powerranger-toys.net
priceless.su
printingupplies.com
pure-botanical.net
samsung-galaxy-games.net
smartolen.com
smartsecureconnect.com
softwareup.pw
spottingculde.com
stjamesang.net
successsaturday.net
taltondark.net
theamberroomct.com
timelessmusicstore.com
tonalfreeworld.net
tor-connect-secure.com
treesmustdownload.su
u-janusa.net
uprisingquicks.net
video-withtext.com
vineostat.ru
vip-proxy-to-tor.com
virginiarealtyonline.net
whosedigitize.net
wow-included.com
www.fiscdp.com.airfare-ticketscheap.com
www.irs.gov.successsaturday.net
www.nacha.org.demuronline.net
www.nacha.org.multiachprocessor.com
www.nacha.org.samsung-galaxy-games.net

eFax spam / rockims.com

This fake eFax spam leads to malware on rockims.com:

Date:      Mon, 16 Sep 2013 22:43:06 +0400 [14:43:06 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message - 1 pages

Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.


Fax Message [Caller-ID: 854-349-9584]

You have received a 1 pages fax at 2013-16-09 01:11:11 CST.

* The reference number for this fax is latf1_did11-1237910785-2497583013-24.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |
Powered by j2

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

The link in the email goes through a legitimate hacked site and then runs one of the following three scripts:
[donotclick]die-web-familie.homepage.t-online.de/quasar/monte.js
[donotclick]dim-kalogeras-ka-lar.schools.ac.cy/initials/casanovas.js
[donotclick]ade-data.com/exuded/midyear.js

These then lead to a malware payload at [donotclick]rockims.com/topic/seconds-exist-foot.php which is a hijacked GoDaddy domain hosted on 192.81.133.143 (Linode, US) along with quite a few other hijacked domains (listed in italics below).

Recommended blocklist:
192.81.133.143
dim-kalogeras-ka-lar.schools.ac.cy
die-web-familie.homepage.t-online.de
ade-data.com
actorbell.com
facebookfansincrease.com
fillmaka.com
fillmmaka.com
filmaka.biz
filmaka.co.uk
filmaka.info
filmaka.org
filmaka.us
filmmaka.com
filmpunjab.com
fimaka.com
journeyacrossthesky.com
journeyacrossthesky.org
luckyemily.com
manpreetsidhu.com
ogaps.com
oshaughnessyfam.com
reliable661.com
rockcet.com
rockims.com

Walls Fargo spam / WellsFargo - Important Documents.zip

This fake Wells Fargo spam has a malicious attachment:

Date:      Mon, 16 Sep 2013 09:26:51 -0500 [10:26:51 EDT]
From:      Harrison_Walsh@wellsfargo.com
Subject:      IMPORTANT Documents - WellsFargo

Please review attached documents.

Harrison_Walsh
Wells Fargo Advisors
817-674-9414 office
817-593-0721 cell Harrison_Walsh@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you. 

Attached is a ZIP file called WellsFargo - Important Documents.zip which in turn contains a malicious executable WellsFargo - Important Documents.exe which has a very low VirusTotal rate of 2/47.

Automated analysis tools [1] [2] [3] detect network traffic to [donotclick]www.c3dsolutions.com  hosted on 173.229.1.89 (5Nines LLC, US). At present I do not have any evidence of further malware sites on that server.

Alanco Technologies Inc (ALAN) pump-and-dump spam run

Alanco Technologies Inc is an Arizona-based firm found in 1969 that used to be active in several technology markets, but over recent years it has divested itself of those assets and its primary business activities are now in the business of waste water disposal. The company does not make a profit (and indeed in some recent years made no direct income whatsoever). The bulk of its financial assets are tied up in a company called ORBCOMM. Alanco categorises itself as a high risk venture (see page 4 of this filing). Although the market capitlisation is $3.2m, the value of the enterprise itself is just $1.4m.

There are no apparent newsworthy events going on with this firm, however starting after the close of trading on Friday 13th September, a large scale pump-and-dump spam run started to promote the stock. There have been several other recent pump-and-dump spam runs similar to this, pushed out by the Kelihos botnet on behalf of parties unknown.

The stock price of ALAN has not done well over the past 12 months:

Share trading is sporadic, but a recent sustained burst of share trading of around 96,000 shares pushed the price up from around $0.45 to $0.62, perhaps costing around $50,000 or so. Analysis of previous recent pump-and-dump spam runs indicates that this may well the the spammers themselves taking up a position in the company.

It's a characteristic of this type of pump-and-dump spam that the spam emails start almost immediately after trading closes, probably to try to persuade people to put in automated buys on Monday morning when the scammers will try to offload stock at an inflated price. Here are some of the spams being sent:

Subject: We release the Titan!
Was A Bust Today! This Company is Our Private Pick!!!

To buy: A_L A-N
Last Trade: $.6399
Company: ALANCO TECHNOLOGIES INC.
Target Price: $3.55
Trading Date: September, 16th

Our Watchlist was a WINNER! It Will Be Featured In The Wall Street
Journal Tomorrow.

Subject: We Were on The Money with This Stock
I would love it to fill in gap... I hope you own it!!!

Stock: A L A-N
At this time: $0.64
Company: ALANCO TECHNOLOGIES, INC
Long Term Target: $1.90
Date: Mon, Sep 16th, 2013

It Speaks For Itself. No Better Way To Kickstart This Week! CORRECTION!

Subject: Most Active
Online Trading Account!!! This Company Looks Ready To Bounce!

Stock Symbol: ALA_N
Currently traded: .6399
Company Name: ALANCO TECHNOLOGIES CORP
Target: $1.90
Trade Date: Mon, September 16th, 2013

It is going to make you happy smile!!! I hope you own it.

Subject: Your stock
This Stock Could Make A Huge Come Back! Small Cap Source.

Sym: AL_AN
Current Price: $.6399
Company: Alanco Technologies, Inc.
Long Term Target Price: $1.20
Trade Date: Sep 16th

Call your Broker Directly to Place an Order. It is Showing
signs of a break out!

Subject: It is Showing signs of a break out
Are you watching this? This stock is very fast becoming one of our
favourites!

Symbol traded: A L_AN
Latest Pricing: .6399
Company Name: ALANCO TECHNOLOGIES, INC.
Short Term Target: 2.65
Trade Date: Mon, September 16th, 2013

This Company Shows Gains!!! It could be the next 10x winner!

Subject: This Company Could be Acquisition Target
IT IS CHEAP, IN BIG DEMAND, AND VERY PROFITABLE. If you like profits,
you need to buy this.

Symbol to buy: A LA N
Closed at: $0.64
Name: Alanco Technologies, Corp.
Target: $2.50
Trading Date: Monday, Sep 16th, 2013

More Momentum Coming!!! What an amazing day!!!

Subject: Just a few minutes left to buy it before the end of the day!
A New Bonus Technical Report Tomorrow @ the Market Open!!! Shocking
Discovery Revealed Tomorrow!

Stock Symbol: A_LA N
Latest Pricing: $0.6399
Company Name: ALANCO TECHNOLOGIES, CORP
Long Term Target: $3.80
Trading Date: September 16

Don`t Miss this Easy One. It is ready to explode in price and volume!!!

Subject: My new #1 pick!
This Stock Runs to Gain this Morning! We Want More! Details Inside!
This Company just released HUGE news!

To buy: A LA N
Today Price: $0.64
Name: Alanco Technologies, Corp
Target: 1.20
Date: Mon, September 16

Expect a new rally! This Company Moves Forward.

So.. just how do these pump-and-dump advertised stocks run? The answer is.. badly. Recently promoted stock MONK fell from around $0.23 to $0.047 (an 80% loss), BLDW has been rather flat overall going from $0.044 to $0.048 (a 9% increase), HAIR dropped from $0.36 to $0.0378 (a 90% loss) and NOST from $0.0074 to $0.0030 (a 59% loss). So if you are tempted to follow the spam and buy ALAN, then these recent figures would indicate that it's highly risky with a limited chance of reward.

citizensbank.com "Issue File I3774 Processed" spam

For some reason I'm seeing a lot of these EXE-in-ZIP attacks recently. Here's another one with a malicious attachment:

Date:      Fri, 13 Sep 2013 11:09:53 -0500 [12:09:53 EDT]
From:      "GISPROD@citizensbank.com" [GISPROD@citizensbank.com]
Subject:      Issue File I3774 Processed

Regarding Issue File 3774 - Total Issue Items # 36 Total Issue Amount $42,171.75 This
will confirm that your issue file has been processed. Please verify the information in
attached report; if you find there are discrepancies in what you believe your totals
should be and what we have reported, please contact the Reconciliation Department at
1-888-333-2909 Option # 3 between the hours of 8:00am and 4:00pm ET not later than 24
hours after you receive this notice. *** Please note, this message was created on the RBS
FileGateway system ***

-----------------------------------------
Use of email is inherently insecure. Confidential information,
including account information, and personally identifiable
information, should not be transmitted via email, or email
attachment. In no event shall Citizens or any of its affiliates
accept any responsibility for the loss, use or misuse of any
information including confidential information, which is sent to
Citizens or its affiliates via email, or email attachment. Citizens
does not guarantee the accuracy of any email or email attachment,
that an email will be received by Citizens or that Citizens will
respond to any email. This email message is confidential and/or privileged. It is to be
used by the intended recipient only. Use of the information
contained in this email by anyone other than the intended recipient
is strictly prohibited. If you have received this message in error,
please notify the sender immediately and promptly destroy any
record of this email.

There is a malicious attachment called issue_report_I3774.zip which in turn contains an executable file issue_report_I6576543219672.exe which has a detection rate of 12/47 at VirusTotal. Automated analysis [1] [2] [3] shows some of the mechanics of the malware, including network communications with wptutes.com on 74.221.210.124 (DME Hosting LLC, US).

Recent experience with this type of attack shows that when one domain on a sever is compromised, then they all are. If you want to block everything then the following domains appear to be on that server:

2ndry.com
bar-stool.info
electric-wheelchair.info
freeb4u.com
gov-l.net
hot-buys.org
hot-water.org
iconsumers.org
leather-handbags.info
storage-cabinets.info
thesafeconsumer.com
wptutes.com

QuickBooks spam / Invoice_20130912.zip

This fake QuickBooks spam has a malicious attachment:

Date:      Thu, 12 Sep 2013 20:29:17 +0200 [14:29:17 EDT]
From:      QuickBooks Invoice [auto-invoice@quickbooks.com]
Subject:      Important - Payment Overdue

Please find attached your invoices for the past months. Remit the payment by 09/16/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Quentin Sprague

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 

The attachment is Invoice_20130912.zip which in turn contains a malicious executable Invoice_20130912.exe (note the date is encoded into the filename). The detection rate at VirusTotal is just 3/46.

Automated analysis [1] [2] [3] [4] shows that amongst other things, the file attempt to communicate with the domain leightongriffiths.com on an apparently compromised server at 64.50.166.122 which has been seen before.

Given that there are now several domains serving malware on the same server [1] [2] it is probably safe to assume that all the domains on that server are malicious and should be blocked.

Recommended blocklist:
64.50.166.122
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com

USPS spam / Label_FOHWXR30ZZ0LNB1.zip

This fake USPS spam has a malicious attachment:

Date:      Wed, 11 Sep 2013 11:19:05 -0500 [12:19:05 EDT]
From:      USPS Express Services [service-notification@usps.com]
Subject:      USPS - Missed package delivery
Priority:      High Priority 1 (High)

Notification

Our company's courier couldn't make the delivery of package.

REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: UGLFOHWXR30ZZ0LNB1
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You

There is an attachment Label_FOHWXR30ZZ0LNB1.zip which in turn contains an executable Label_368_09112013_JDSL.exe which has a very low detection rate at VirusTotal of just 2/47. Automated analysis [1] [2] [3] shows an attempted connection to a hijacked domain drippingstrawberry.com hosted on 64.50.166.122 (LunarPages, US) with quite a lot of other hijacked domains. Blocking or monitoring traffic to this IP could stop the infection

URLquery shows the following domains are distributing malware on that server:
cardiffpower.com
celebrategoodtimes.com
drippingstrawberry.com
thisisyourwife.co.uk

For the record, the following domains appear to be on that server. They all look legitimate, but some others may be hijacked (and others may not be). Do with this list what you will:
4-access.com
ashburnes.com
bevan-holdings.com
bevanholdings.com
biffberry.com
camelotdevelopments.com
cardiffpower.com
carterlaurenconstruction.com
celebrategoodtimes.com
churchgatetrading.com
ciderbrokers.com
creativehomeworker.com
dcmsservices.com
deserve.org.uk
dignifiedcelebrations.com
doaus.com
drippingstrawberry.com
eflengineering.com
fruityblue.com
goldhaven.co.uk
gwentpressurewashers.co.uk
gwentpressurewashers.com
gympiper.info
haveyougotone.com
ivelostmymarbles.com
janglesmacrame.com
joannehawkins.com
justnoodles.co.uk
kinggems.com
kingmarbles.com
kwaggle.com
leightongriffiths.com
leisuremaintenanceltd.com
lmpropertyinvestments.com
macaraya.com
manorbrick.com
manorbrickyards.co.uk
marbledelights.com
marbleicious.com
motorhomeparadise.com
mykidbrother.com
mypersonalname.co.uk
mywebsitegroup.com
newportairport.co.uk
pnoa.co.uk
properteye.com
rockthecasbah.eu
rpduk.com
squaremileinsurance.com
steveperrott.com
talonstamed.com
thedrippingstrawberry.com
theitalianjob.mobi
thisisyourwife.co.uk
zestimports.com

UPDATE
This is an alternative version with the same payload: 
Date:      Wed, 11 Sep 2013 14:54:14 -0600 [16:54:14 EDT]
From:      Xerox WorkCentre
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: spamcop.net
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: 07PR24RHFD

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Attachment is Scan_883_00286191_7159.zip which expands to scanned_doc_091113.exe