Thursday 20 February 2014

Suspect Cushion redirect on 62.212.128.22

I'm not entirely sure of what the payload is, but there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report but in this case it seems to end up at a wallpaper site (picture here). VirusTotal sees the IP as being somewhat suspect.

Given that this abuses subdomains of legitimate GoDaddy domains, on balance I would regard it as malicious. All the subdomains I can find are listed here [pastebin], but they are all covered by this recommended blocklist:
46.231.87.57
310casting.com
analacrobatsfree.com
dovizpiyasa.net
dovmeara.com
dovmebakirkoy.com
dovmeblog.com
dovmeci.co
dovmeciadresleri.com
dovmecibul.com
dovme-resimlerim.com

Wednesday 19 February 2014

Somnath Bharti - porn site operator?

I seem to have written a lot about Somnath Bharti lately, and he's certainly a topic of interest in Indian politics. I'm not going to go on about his links to TopSites LLC (watch the video if you are interested), but I wanted to look at these persistent comments that Somnath Bharti was some sort of porn site operator.

If you want the really short version it's this - I've never seen any evidence that Mr Bharti has owned or operated a porn site. That's it.

But what are the links to porn, and where is there confusion?

allwebhunt.com links to porn and pro-pedophilia sites

It is beyond all reasonable doubt that allwebhunt.com is connected to Somnath Bharti. This was a directory of sites that was rapidly taken offline when the Times of India exposed the connection. Some of the more unsavoury contents of that site include a set of links to pro-pedophilia sites which had been copied from the Open Directory Project (which had deleted them years ago). That's a pretty poor sense of judgement in this case, but it is really down to sloppiness rather than actual malice in my opinion.

But allwebhunt.com also linked to more regular porn sites, including the examples pictured below.

These entries appeared to be paid or sponsored ones, but the sites themselves are not Mr Bharti's, and it does amuse me that some of the Indian news outlets criticising Mr Bharti for this do exactly the same thing themselves.

Ultimately, the allwebhunt.com (and its predecessor topsites.us) directories are simply a catalogue of available sites; some of those links may be questionable, but they do not imply ownership or mean that anything illegal is happening.

Ownership of teens-boy.net

One of the sites that Mr Bharti owned was teens-boy.net, according to historical WHOIS records from 2005:

Domain:        teens-boy.net
Record Date:     2005-01-08
Registrar:     GOTNAMES.CA INC.
Server:     whois.gotnames.ca
Created:     2004-11-26
Updated:    
Expires:     2005-11-26

Domain teens-boy.net

  Date Registered: 2004-11-26
    Date Modified: 2004-11-30
      Expiry Date: 2005-11-26
             DNS1: ns1.www--search.com
             DNS2: ns2.www--search.com

  Registrant

                   My Directory LLC
                   PO Box 7334 - 101591
                   San Francisco, CA (US)
                   94120-73

  Administrative Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

  Technical Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

        Registrar: GotNames.ca
teens-boy.net had been a gay porn site until late 2004 as it appears in the Internet Archive [link is probably not safe for work]. The Internet Archive does not have any pictures on it in this case, but it is clear what the site is about by looking at the text.


It's an odd site for Mr Bharti to have in his name. But what did it actually look like after he bought it? The Internet Archive gives the answer again [this link is OK]. We can see that it just acts as a redirector to dirs.org which is yet another clone of the TopSites directory.




I guess this might have been an attempt at SEO; the domain was bought with a lot of other non-porn domains which also forwarded in this way. As far as I can tell, the domain simply expired when its registration was up at the end of 2005, and it was re-registered by an unrelated party in 2007.

DVLPMNT MARKETING, INC and www-goto.com confusion

Webnewswire.com ran a story looking at the WHOIS details of www-goto.com, a site that had been registered to Mr Bharti in 2005:

Domain:        www-goto.com
Record Date:     2005-05-18
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:    
Expires:     2005-12-08

Registrant:
 Media  LLC
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Technical Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Record last updated 05-17-2005 03:09:40 PM
Record expires on 12-08-2005
Record created on 12-08-2004

Domain servers in listed order:
    NS1.WWW-GOTO.COM    202.14.69.2
    NS2.WWW-GOTO.COM    202.14.69.117
They then looked at the current WHOIS details which are:
Domain:        www-goto.com
Record Date:     2014-02-06
Registrar:     DNC HOLDINGS, INC.
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2013-06-12
Expires:     2014-12-08 

Domain Name: WWW-GOTO.COM
Registry Domain ID:
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrar Registration Expiration Date: 2014-12-08T17:03:22-06:00
Registrar: DNC Holdings, Inc.
Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8668569598
Domain Status: ok
Registrant Name: Domain Administrator
Registrant Organization: DVLPMNT MARKETING, INC.
Registrant Street: Hunkins Plaza
Registrant City: Charlestown
Registrant State/Province: Nevis
Registrant Postal Code: NA
Registrant Country: KN
Registrant Phone: 011-869-765-4496
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dvlpmntltd@gmail.com
Admin Name: Domain Administrator
Admin Organization: DVLPMNT MARKETING, INC.
Admin Street: Hunkins Plaza
Admin City: Charlestown
Admin State/Province: Nevis
Admin Postal Code: NA
Admin Country: KN
Admin Phone: 011-869-765-4496
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dvlpmntltd@gmail.com
Tech Name: Domain Administrator
Tech Organization: DVLPMNT MARKETING, INC.
Tech Street: Hunkins Plaza
Tech City: Charlestown
Tech State/Province: Nevis
Tech Postal Code: NA
Tech Country: KN
Tech Phone: 011-869-765-4496
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dvlpmntltd@gmail.com
Name Server: NS1.VOODOO.COM
Name Server: NS2.VOODOO.COM
URL of the ICANN WHOIS Data Problem Reporting System
http://wdprs.internic.net
The creation date for the domain is still 2004, so the domain has never dropped and been re-registered; it has been in continual existence since that date. The rather mysterious DVLPMNT MARKETING, INC certainly does seem to be connected with porn domains, but is this company controlled by Mr Bharti? No.


A look at the historical WHOIS details again yields some clues. The domain expired in 2008 and ended up being controlled by the registrar DirectNIC:
Domain:        www-goto.com
Record Date:     2008-12-19
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2008-12-09
Expires:     2009-12-08

Registrant:
 directNIC.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Technical Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Record last updated 12-09-2008 06:13:27 PM
Record expires on 12-08-2008
Record created on 12-08-2004

Domain servers in listed order:
    NS0.EXPIREDDOMAINSERVICES.COM    69.46.228.236
    NS1.EXPIREDDOMAINSERVICES.COM    69.46.228.237

DirectNIC reserve the right to auction off expired domains, and the next WHOIS entry sees the domain being controlled by a domain parking company. It is unlikely that Mr Bharti or any of his associates received anything for this domain; it was essentially scrapped.
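The chain-of-custody argument above rests on reading three WHOIS snapshots in two different formats (the legacy DirectNIC layout and the newer ICANN key/value layout) and checking that the creation date never changed while the registrant did. The following is an added example, not code from the original post, that parses abridged copies of those snapshots and produces that report; the snapshot text is transcribed from the records quoted above with unneeded fields left out, and it also copes with the bogus "-001-11-30" Updated Date in the 2014 record by treating it as missing rather than crashing.

```python
import re
from datetime import date

# Abridged WHOIS snapshots for www-goto.com, transcribed from the records
# quoted above. Each entry is (date the record was captured, record text).
SNAPSHOTS = [
    ("2005-05-18", """Registrant:
 Media  LLC
 1158 26th Street #528
Domain Name: WWW-GOTO.COM
Administrative Contact:
 Bharti, Somnath sales@dirs.org
Record created on 12-08-2004
Record expires on 12-08-2005"""),
    ("2008-12-19", """Registrant:
 directNIC.com
 Expired Domain Name
Domain Name: WWW-GOTO.COM
Administrative Contact:
 Domain, Expired expireddomain@directnic.com
Record created on 12-08-2004
Record expires on 12-08-2008"""),
    ("2014-02-06", """Domain Name: WWW-GOTO.COM
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrant Organization: DVLPMNT MARKETING, INC.
Admin Email: dvlpmntltd@gmail.com"""),
]


def parse_whois_date(text):
    """Accept the legacy 'MM-DD-YYYY' form and the ICANN 'YYYY-MM-DDT...' form.
    Returns None for anything that is not a real date, such as the bogus
    '-001-11-30T00:00:00-06:00' Updated Date in the 2014 record."""
    text = text.strip()
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", text)
    if m:
        y, mo, d = map(int, m.groups())
    else:
        m = re.match(r"(\d{2})-(\d{2})-(\d{4})", text)
        if not m:
            return None
        mo, d, y = map(int, m.groups())
    try:
        return date(y, mo, d)
    except ValueError:
        return None


def parse_snapshot(record_date, text):
    """Pull creation date, registrant and admin contact out of either format."""
    lines = text.splitlines()
    info = {"record_date": date.fromisoformat(record_date), "created": None,
            "updated": None, "registrant": None, "admin": None}
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Record created on"):          # legacy format
            info["created"] = parse_whois_date(s[len("Record created on"):])
        elif s.startswith("Creation Date:"):            # ICANN format
            info["created"] = parse_whois_date(s.split(":", 1)[1])
        elif s.startswith("Updated Date:"):
            info["updated"] = parse_whois_date(s.split(":", 1)[1])
        elif s == "Registrant:" and i + 1 < len(lines):  # value is on next line
            info["registrant"] = " ".join(lines[i + 1].split())
        elif s.startswith("Registrant Organization:"):
            info["registrant"] = " ".join(s.split(":", 1)[1].split())
        elif s == "Administrative Contact:" and i + 1 < len(lines):
            info["admin"] = " ".join(lines[i + 1].split())
        elif s.startswith("Admin Email:"):
            info["admin"] = s.split(":", 1)[1].strip()
    # A registrar placeholder ("Expired Domain Name") means the registrar,
    # not a customer, holds the name at that point in time.
    blob = " ".join(filter(None, [info["registrant"], info["admin"]])).lower()
    info["registrar_hold"] = "expired" in blob
    return info


def custody_report(snapshots):
    """Did the domain ever drop (creation date changes), and who held it when?"""
    parsed = [parse_snapshot(d, t) for d, t in snapshots]
    creations = {p["created"] for p in parsed}
    return {
        "continuous": len(creations) == 1 and None not in creations,
        "created": parsed[0]["created"],
        "holders": [(p["record_date"].isoformat(), p["registrant"],
                     p["registrar_hold"]) for p in parsed],
    }


if __name__ == "__main__":
    for line in custody_report(SNAPSHOTS)["holders"]:
        print(line)
```

A constant creation date across every snapshot is the signal that the registration was never dropped; a registrant change with a registrar placeholder in between shows the name passed through the registrar's expired-domain process rather than being transferred by the previous holder.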

Is there any other evidence linking Somnath Bharti to porn?

Over the past couple of weeks I have re-examined the TopSites LLC business plus Mr Bharti's own Madgen Solutions from my own records and other public sources. These revealed all sorts of interesting facts and allegations about Mr Bharti's activities.. but absolutely nothing that suggests that he owned or operated porn sites.

Of course, perhaps there is evidence that I am not aware of, but I would be very surprised if there is.. you can always send me an email if you have anything that will prove me wrong.


Tuesday 18 February 2014

Eisenburg, Whitman & Associates LLC (eisenburgwhitmancca.com) fake testimonial

Eisenburg, Whitman & Associates LLC is meant to be some sort of Florida-based debt collector, although their website at eisenburgwhitmancca.com appears to have been designed by a semi-literate teenager back in the late 1990s. Assuming that it is their website of course, and not someone trading on their name.

Their "testimonies" (sic) page at www.eisenburgwhitmancca.com/testimonies has a couple of testimonials, with photographs.


Let's look a little closer at the first testimonial that says:
To Whom it may concern;

       My Name is Albert Wells Ref # 13A-***86, I am writing this letter today to personally thank Eisenburg,Whitman & Associates. For all their help and support with helping me getting my credit repair and getting me headed, back on the path of financial independence, special thanks to James Norman. Sincerley Albert Wells. 

Let's have a closer look at "Albert Wells"..

Who is that?

Oh look... it is actually John Dramani Mahama, who is president of Ghana and can be seen in the identical photograph on Wikipedia.


https://en.wikipedia.org/w/index.php?title=John_Dramani_Mahama&oldid=551035462
Oh dear.

You can read whatever conclusions you like into that.

"Please look my CV" spam

This spam comes with a malicious payload:

Date:      Mon, 17 Feb 2014 13:31:32 -0500 [02/17/14 13:31:32 EST]
From:      My CV [arina6720@rvyleater.com]
Subject:      Please look my CV

Hello,

Let me introduce myself.
I am the winner of various beauty contests
and the most beautiful girl on the coast.

And I really want to get a job from you.
I attach my CV where you can find links to my accounts
in social networks and see my photos.

Kisses,
Alena Tailor
Attached is a ZIP file My_CV_document_social networks_ photos_6103.zip which in my sample was corrupt. A bit of work with a Base64 decoder revealed that the payload file is My_CV_document________________________.exe which would be malicious if it actually worked.

Monday 17 February 2014

Fake Evernote "Image has been sent" spam with RU:8080 payload

I've known that the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one however.

Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From:      accounts@pcfa.co.in
Subject:      Image has been sent

Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote

Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:
[donotclick]www.aka-im.org/1.html
[donotclick]bluebuddha.us/1.html

Which in turn loads a script from:
[donotclick]merdekapalace.com/1.txt
[donotclick]www.shivammehta.com/1.txt

That in turn attempts to load a script from [donotclick]opheevipshoopsimemu.ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)

The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.

There are a number of other hostile sites on those same IPs (listed below in Italics). I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant.biz
bakrymseeculsoxeju.ru
boadoohygoowhoononopee.biz
bydseekampoojopoopuboo.biz
jolygoestobeinvester.ru
noaphoapofoashike.biz
opheevipshoopsimemu.ru
ozimtickugryssytchook.org
telaceeroatsorgoatchel.biz
ypawhygrawhorsemto.ru

aka-im.org
bluebuddha.us
merdekapalace.com
shivammehta.com



Sunday 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir muimran@giki.edu.pk
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.

Regards,

Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from 121.52.146.226 (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the main ways that an attacker will gain access to your system. I strongly recommend uninstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:

67.215.4.64/28
67.215.4.120/29
u558801.nvpn.so
jagajaga.no-ip.org
jazibaba.no-ip.org
cyberx2013.no-ip.org
deltonfarmhouse.no-ip.biz
deltoncowstalls.no-ip.org
can2-pool-1194.nvpn.so
jazibaba1.no-ip.biz
ns2.rayaprodserver.com
kl0w.no-ip.org
jajajaja22.no-ip.org
mozillaproxy.zapto.org

Friday 14 February 2014

Malware sites to block 14/2/14

This bunch of OVH Canada-hosted nameservers and IP ranges is supporting malware distribution via the Nuclear Exploit Kit (as described here by Umbrella Labs).

OVH Canada have a long history with this bad actor (who I believe to be r5x.org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all.

First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active are:

dns1.alcogylogyc.com
dns2.alcogylogyc.com

dns1.bedroklow.com
dns2.bedroklow.com

dns1.boobledns.com
dns2.boobledns.com

dns1.dedains.com
dns2.dedains.com

dns1.dnshelpers.com
dns2.dnshelpers.com

dns1.eleziks.info
dns2.eleziks.info

dns1.europinghome.com
dns2.europinghome.com

dns1.flouwping.com
dns2.flouwping.com

dns1.geovipns.com
dns2.geovipns.com

dns1.glousby.com
dns2.glousby.com

dns1.goldrushns.net
dns2.goldrushns.net

dns1.goupfaster.info
dns2.goupfaster.info

dns1.grephipst.com
dns2.grephipst.com

dns1.hazahaza.net
dns2.hazahaza.net

dns1.highlinerservices.com
dns2.highlinerservices.com

dns1.hiporq.com
dns2.hiporq.com

dns1.hopsups.com
dns2.hopsups.com

dns1.hyperbola.info
dns2.hyperbola.info

dns1.kakzumi.com
dns2.kakzumi.com

dns1.masscarete.com
dns2.masscarete.com

dns1.koljong.com
dns2.koljong.com

dns1.masssilk.com
dns2.masssilk.com

dns1.mifthme.net
dns2.mifthme.net

dns1.mitilean.net
dns2.mitilean.net

dns1.muslibusli.org
dns2.muslibusli.org

dns1.neitronefx.org
dns2.neitronefx.org

dns1.nutizk.org
dns2.nutizk.org

dns1.performanced.net
dns2.performanced.net

dns1.platusinplatus.org
dns2.platusinplatus.org

dns1.plemians.org
dns2.plemians.org

dns1.poeglu.net
dns2.poeglu.net

dns1.popkirko.com
dns2.popkirko.com

dns1.portfoliorealtors.com
dns2.portfoliorealtors.com

dns1.seburingo.net
dns2.seburingo.net

dns1.sretunset.net
dns2.sretunset.net

dns1.timverbahdd.net
dns2.timverbahdd.net

dns1.telalcobuh.info
dns2.telalcobuh.info

dns1.vinigretov.net
dns2.vinigretov.net

dns1.yakuns.net
dns2.yakuns.net

Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.

142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30
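The point about the /29 and /30 blocks being scattered across OVH's range, and the advice to use larger blocks in a security-sensitive environment, can be worked through mechanically. The following is an added example (not code from the original post) using Python's standard ipaddress module on the list above: it merges adjacent small blocks into the smallest exact supernet that covers them, offers a "widen to /24" option for the more aggressive policy, and checks an address against whichever list you choose. The list itself is copied from the post; the two addresses checked at the end are constructed for illustration.

```python
import ipaddress

# Block list as posted above (OVH Canada /29 and /30 ranges hosting the
# Nuclear EK nameservers); copied from the page, one CIDR per line.
POSTED_BLOCKS = """
142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30
"""


def parse_blocks(text):
    """Parse one CIDR per line, ignoring blanks. strict=True rejects a typo
    such as a host address written with a prefix that does not contain it."""
    return [ipaddress.ip_network(line.strip(), strict=True)
            for line in text.splitlines() if line.strip()]


def collapse(networks):
    """Merge adjacent blocks into the smallest exact supernets, e.g. the four
    198.50.172.64..76/30 entries become a single 198.50.172.64/28. Nothing
    outside the posted ranges is added by this step."""
    return list(ipaddress.collapse_addresses(networks))


def widen(networks, new_prefix=24):
    """The 'larger blocks' option: widen every entry to a /new_prefix and
    deduplicate. This deliberately over-blocks neighbouring OVH customers."""
    return sorted({n.supernet(new_prefix=new_prefix) for n in networks})


def is_blocked(ip, networks):
    """True if ip falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


# Parsed once at import so the helpers below can be used directly.
NETS = parse_blocks(POSTED_BLOCKS)

if __name__ == "__main__":
    print("posted entries:", len(NETS))
    print("after collapsing:", [str(n) for n in collapse(NETS)])
    print("widened to /24:", [str(n) for n in widen(NETS)])
    # Constructed addresses for illustration, not from the page.
    print(is_blocked("198.50.197.50", NETS), is_blocked("198.50.197.40", NETS))
```

Collapsing is lossless (it only merges blocks that are exactly adjacent and aligned), so it is the safe default for a firewall rule set; widening to /24 is the trade-off the post mentions, fewer rules and coverage of any new /30 the same customer picks up in that range, at the cost of blocking unrelated OVH tenants.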

I can see the following domains being actively supported by these nameservers, all of which should be considered hostile:

activresa.biz
airlead.biz
allbat.biz
battingkayaking.pw
bikinghighs.pw
blackconstruction.biz
blizzardfielder.pw
bowpollutant.pw
bronzefoger.pw
cardiologistfastlane.pw
choiceshell.biz
clubdewef.pw
coachmacroburst.pw
competitordownburst.pw
competitormist.pw
competitormoisture.pw
cookray.pw
creativegeo.biz
cricketslush.pw
cricketsmoke.pw
curlingdefense.pw
dailyaqua.biz
decemberboxer.pw
digitalra.biz
drummerballerina.pw
epeeradar.pw
evergreenplay.pw
exercisebreeze.pw
experptware.biz
expertsurvey.biz
eyefreeze.biz
fieldingboxer.pw
fieldingdrizzle.pw
fieldingrainbands.pw
firstozip.biz
fitnessrafting.pw
flypanda.biz
furnacerace.pw
galekarate.pw
gamecoldfront.pw
glacierfootball.pw
glacierhelmet.pw
goalsnowstorm.pw
goldhailey.pw
heaterboxing.pw
hibernatebatting.pw
hibernateguard.pw
homesteamz.pw
hotchocolatefield.pw
hotchocolateplayoffs.pw
icebergcatcher.pw
icecaprace.pw
icehockeyair.pw
jacketcyclist.pw
januarygame.pw
javelinmicroburst.pw
jockeycustodian.pw
judodegreeo.pw
kayakermacroburst.pw
kayakingleeward.pw
kickballeyer.pw
lacrossebarometer.pw
lightcasa.biz
magicse.biz
manufacturerpresto.pw
mapmove.biz
mittensrafting.pw
movieprice.biz
negotiatorsecond.pw
netfogert.pw
novelistflutist.pw
onbytce.biz
onlincerobo.biz
playingsnowflake.pw
polarkayaking.pw
poolridgeq.pw
quiltcanoe.pw
quiltquarter.pw
racketforecast.pw
ridingmacroburst.pw
safemeta.biz
scanbeat.biz
snowflakereferee.pw
snowyboules.pw
stovecricket.pw
stovegolfer.pw
thermometerequipment.pw
thinkisoftware.biz
winterdefense.pw
zerocompetition.pw



Wednesday 12 February 2014

"Track shipments/FedEx" spam

This fake FedEx spam leads to malware:

Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From:      FedEx [yama@rickyz.jp]
Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered

Track shipments/FedEx Office orders summary results:
-----------------------------------------------------------------------
Tracking number        Status              Date/Time
7487214609167750150131  Delivered           Feb 11, 2014     
                                           11:20 AM     

Track shipments/FedEx Office orders detailed results:
-----------------------------------------------------------------------
Tracking number       7487214609167750150131

Reference             304562545939440100902500000000
Ship date             Feb 03, 2014
Ship From           NEW YORK, NY
Delivery date         Feb 11, 2014 11:20 AM
Service type          FedEx SmartPost

Tracking results as of Feb 11, 2014 3:37 PM CST


Click Here and get Travel History
-----------------------------------------------------------------------


Disclaimer
-----------------------------------------------------------------------

FedEx has not validated the authenticity of any email address.

In this case, the link in the email goes to [donotclick]pceninternet.net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip.


In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe
which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49, but automated analysis tools are inconclusive as to its payload [1] [2] [3].




Malware (Neutrino EK?) sites to block 12/2/14

The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino.

In the case I saw, the victim was directed to the EK from a compromised site at greetingstext.com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie.

I would recommend that you block these following IPs and domains as a precaution:

108.178.7.118
212.83.164.87
jakiewebs.com
sheethoo.com
chaefooh.com
goldnclouds.com
nofledno.com
zeuriele.com
wqywdo.xip.io
glindeb.com

Video: Somnath Bharti's links to TopSites LLC

Articles on Somnath Bharti and TopSites LLC

You can find some of the history about TopSites LLC and Mr Bharti's involvement in my old "diary" articles written between 2003 and 2007.
Later articles can be found by looking for the Somnath Bharti tag on this blog.

Monday 10 February 2014

81.4.106.132 / oochooch.com / 10qnbkh.xip.io

I don't like the look of this [urlquery]; it seems to be the payload site for some sort of injection attack. It might be worth blocklisting 81.4.106.132.




Evil .pw domains on 31.41.221.131 to 31.41.221.135

Thanks to Malekal for the heads-up: the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:

31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135

These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report.

The evil .pw domains in use all use a subdomain of one of the following:
arrowjogger.pw
athleticsarchery.pw
athleticsjudo.pw
ballkayaker.pw
baseballcompetition.pw
basketballplaying.pw
batongoal.pw
battingfield.pw
battinggymnast.pw
boulesplaying.pw
boxerfielder.pw
boxerplay.pw
canoeingbaton.pw
canoekarate.pw
competearena.pw
competitiongolfer.pw
crewjumping.pw
dartgym.pw
defensebicycle.pw
diamondracer.pw
discushurdle.pw
divemedal.pw
diverbiking.pw
diverracket.pw
dodgeballkayaker.pw
fielddefense.pw
gearcompetitor.pw
golfbow.pw
golfercyclist.pw
golfingchampionship.pw
golfingorienteering.pw
halftimedecathlon.pw
handballdart.pw
huddledart.pw
huddledartboard.pw
javelinbaton.pw
leaguedart.pw
medaljogger.pw
movementarchery.pw
pitchbiathlon.pw
pitchexercise.pw
playbunt.pw
playmove.pw
playoffschampion.pw
polediver.pw
polofencing.pw
pooljump.pw
racketrunning.pw
relaycompete.pw
rungymnastics.pw

I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin].
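Several posts on this page (the hijacked GoDaddy subdomains on 62.212.128.22, the RU:8080 domains, and this batch of .pw domains) share the same property: the hostile hostnames are throwaway subdomains of a smaller set of parent domains, so blocking by parent is the right granularity. Matching a hostname against that list has to respect DNS label boundaries, otherwise a plain substring or endswith() check on "arrowjogger.pw" would also hit an unrelated "notarrowjogger.pw". The following is an added example (not code from the original post) showing a label-aware matcher run over constructed proxy log lines; the three parent domains are taken from the list above, and the log lines and client addresses are made up.

```python
# A few of the parent domains from the list above (the real list is longer).
EVIL_PARENTS = {"arrowjogger.pw", "athleticsjudo.pw", "dodgeballkayaker.pw"}

# Constructed proxy log lines: "<timestamp> <client_ip> <host> <method> <path>".
SAMPLE_LOG = [
    "2014-02-10T09:14:02Z 10.0.0.12 qwe12.arrowjogger.pw GET /index.php",
    "2014-02-10T09:14:05Z 10.0.0.12 notarrowjogger.pw GET /",
    "2014-02-10T09:14:09Z 10.0.0.31 ATHLETICSJUDO.PW. GET /x",
    "2014-02-10T09:15:00Z 10.0.0.44 www.example.com GET /",
    "2014-02-10T09:15:07Z 10.0.0.44 a.b.c.dodgeballkayaker.pw GET /load",
]


def normalise(host):
    """Lower-case and strip the trailing dot of a fully-qualified name so that
    'ATHLETICSJUDO.PW.' and 'athleticsjudo.pw' compare equal."""
    return host.strip().rstrip(".").lower()


def blocked_parent(host, parents):
    """Return the block-list entry that covers host (the entry itself or any
    subdomain of it), or None. Walks the label suffixes of host and looks
    each one up in the set, so cost is O(labels), not O(list size), and a
    name like 'notarrowjogger.pw' cannot match 'arrowjogger.pw'."""
    labels = normalise(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in parents:
            return candidate
    return None


def flag_log_lines(lines, parents):
    """Scan log lines and return (host, matched_parent) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        parent = blocked_parent(parts[2], parents)
        if parent:
            hits.append((parts[2], parent))
    return hits


if __name__ == "__main__":
    for host, parent in flag_log_lines(SAMPLE_LOG, EVIL_PARENTS):
        print(f"{host} -> blocked by {parent}")
```

Because the parents are kept in a set and the lookup walks suffixes of the queried name, the same code handles the full pastebin list without a per-request scan, and it can be fed from a DNS log just as easily as from a proxy log.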

Saturday 8 February 2014

Somnath Bharti's allwebhunt.com linked to pro-pedophilia sites

Delhi minister Somnath Bharti's allwebhunt.com site was linking to pro-pedophilia sites as late as 31st December 2013, according to Google [warning: I do not advise that you click on the links in that page]. Here is a screenshot (some descriptions may offend) (if you have difficulty with seeing the text, try this version). The ownership link between allwebhunt.com and Mr Bharti is described here.

That content was most likely taken from a controversial category at The Open Directory Project which no longer exists.

The Open Directory Project does try to be all-inclusive in what it catalogues, but I suspect that pro-paedophile sites were something that it felt it could not condone.

Friday 7 February 2014

Headlines Today (India): Somnath Bharti's spammer connection

I'm not sure what all this fascination is with Mr Bharti's alleged connections to porn.. I've never found any evidence that he has hosted or owned sites with pornographic content. But there's certainly a great deal of evidence linking him with spam outfit TopSites LLC.

Somnath Bharti denies link to TopSites LLC in 2004

This is Somnath Bharti's denial of any involvement in TopSites LLC (explored here and in other posts). I believe that the evidence of Mr Bharti's involvement is overwhelming. However, here is a copy of the original email he sent me complete with mail headers so that independent individuals can look into its authenticity.

Return-Path: <somnath.bharti@gmail.com>
Received: from unknown (HELO blade5.cesmail.net) (192.168.1.215)
  by c60.cesmail.net with SMTP; 14 Nov 2004 13:43:23 -0500
Received: (qmail 5069 invoked by uid 1010); 14 Nov 2004 18:43:22 -0000
Delivered-To: spamcop-net-dynamoo@spamcop.net
Received: (qmail 5045 invoked from network); 14 Nov 2004 18:43:21 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Nov 2004 18:43:21 -0000
Received: from rproxy.gmail.com (64.233.170.197)
  by mailgate.cesmail.net with SMTP; 14 Nov 2004 18:43:21 -0000
Received: by rproxy.gmail.com with SMTP id r35so540853rna
        for <dynamoo@spamcop.net>; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=AItQWQnfUOPREzb2USZ1AAdfuMy54ME4VonsHz7VdB93Wd8apOkFSOrdqjkbLLFqI6nUaFy2cKrbLXTrFSLC0p5Kj2ZdwK0Qb6CFZjbS24HecjymNLUahhMUBp3AbEb0M/t/EXhC4N0HZeCD06YP/TK7XF0dZaqNweevm4cXL4E=
Received: by 10.38.102.45 with SMTP id z45mr1019046rnb;
        Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Received: by 10.38.151.16 with HTTP; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Message-ID: <4e0e2d5304111410431d08a7bb@mail.gmail.com>
Date: Sun, 14 Nov 2004 10:43:20 -0800
From: Somnath <somnath.bharti@gmail.com>
Reply-To: Somnath <somnath.bharti@gmail.com>
To: dynamoo@spamcop.net
Subject: surprising and serious
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=RCVD_BY_IP version=3.0.0
X-SpamCop-Checked: 192.168.1.101 64.233.170.197 10.38.102.45 10.38.151.16

Hi Conrad,

I was taken by surprise to find you listing my name, one of my
properties address and my picture in an article on a company named
"TopSites LLC" on your site. I don't know on what basis you have been
talking so emphatic without cross verifying with the person you are
talking about. To my utter surprise, you have been having this article
on your site accusing me of being related to a company I have heard
only through your article. Please have the same removed ASAP and
explain to me what made you write all this about a person, not even
remotely attached to any such company.
Please acknowledge of this email and have any and everything related
my name, my pic and c-28 address removed. I am available at
+91-9891819893, if you have anything to talk about. Also, post on the
same page an apology for this grievous mistake on your part.


--
Regards,
Somnath Bharti

Something evil on 69.64.39.166

69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta) according to URLquery reports such as this one.

The code is being injected into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious.


advrzc.myftp.org
amyoau.myftp.biz
aokljwwsap.serveftp.com
bgocodwsiu.myftp.org
bpknbvmc.serveftp.com
cjhkxfpdw.serveftp.com
cvxeitw.serveftp.com
cxrhtcau.myftp.biz
czwaiys.myftp.org
dhdwjwve.myftp.org
djqlcce.myftp.org
drituglgjh.serveftp.com
drpmsmt.serveftp.com
ehetlmna.myftp.biz
euimho.serveftp.com
fvyzhy.serveftp.com
hljozqutc.myftp.org
hlwswbaap.serveftp.com
hwtlzdxic.serveftp.com
idoplhj.serveftp.com
iyrseedlt.myftp.biz
lkuvivr.myftp.biz
lxeoic.myftp.org
orrlnypdvz.myftp.biz
osuqlc.myftp.org
plwxycxij.myftp.org
pmkawqgvob.myftp.org
puifnjav.myftp.biz
sbrckuod.serveftp.com
thtnuj.myftp.biz
ucuqgd.myftp.org
uqqyscgq.myftp.org
uuzkpb.myftp.biz
welfcsuybw.serveftp.com
ykypxoub.myftp.org
yrziqui.serveftp.com
yxoiyjbjt.myftp.biz

"Authorization to Use Privately Owned Vehicle on State Business" spam

We've seen this particular type of malware-laden spam before..

Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From:      Callie Figueroa [Callie@victimdomain]
Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Anubis reports an attempted connection to faneema.com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.

rbs.co.uk "Important Docs" spam

This fake spam claiming to be from the Royal Bank of Scotland has a malicious attachment:

Date:      Fri, 7 Feb 2014 15:44:19 +0530 [05:14:19 EST]
From:      Doris Clay [Doris@rbs.co.uk]
Subject:      Important Docs

Account report.

Tel:  01322 589422
Fax: 01322 296116
email: Doris@rbs.co.uk

This information is classified as Confidential unless otherwise stated.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.
Attached is a file AccountReport.zip which in turn contains a malicious executable AccountReport.scr which has a VirusTotal detection rate of 4/50.
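The attachments in this post and in the FedEx, "Please look my CV" and STD 261 posts above all use the same tricks: an executable (.scr, .exe) inside a ZIP, a document-looking inner extension in front of the real one, and a long run of underscores or an absurdly long name so the true extension scrolls out of view in a file dialog. The following is an added example (not code from the original post) that opens a ZIP in memory and flags member names showing those patterns, plus a content check for a PE "MZ" header under a non-executable name; the archive is constructed here with dummy bytes, using member names copied from the posts on this page, and the "statement.pdf" member is made up to exercise the header check.

```python
import io
import re
import zipfile

EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "jar", "js", "vbs"}
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "txt", "rtf"}


def build_sample_zip():
    """Constructed archive: names copy the patterns seen in the posts on this
    page, contents are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AccountReport.scr", b"MZ placeholder")
        z.writestr("Track_shipments_FedEx_Office_orders_summary_results_Delivered_"
                   "tracking_number_9384758293431234834312_"
                   "idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe", b"MZ placeholder")
        z.writestr("My_CV_document________________________.exe", b"MZ placeholder")
        z.writestr("statement.pdf", b"MZ placeholder")   # PE bytes, PDF name
        z.writestr("invoice.pdf", b"%PDF-1.4 placeholder")  # genuinely benign
    return buf.getvalue()


def assess_name(name, head=b""):
    """Return the list of reasons a member looks deceptive (empty = clean).
    head is the first two bytes of the member, used for the MZ check."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXT:
        reasons.append("executable extension ." + ext)
    if len(parts) > 2 and parts[-2] in DOC_EXT and ext in EXEC_EXT:
        reasons.append("document extension ." + parts[-2] + " hides ." + ext)
    if re.search(r"[_ ]{8,}", base):
        reasons.append("padding to push extension out of view")
    if len(base) > 100:
        reasons.append("very long name (%d chars)" % len(base))
    if head == b"MZ" and ext not in EXEC_EXT:
        reasons.append("PE header (MZ) despite ." + ext + " name")
    return reasons


def suspicious_members(zip_bytes):
    """List (member_name, reasons) for every member that trips a check."""
    out = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as fh:
                head = fh.read(2)
            reasons = assess_name(info.filename, head)
            if reasons:
                out.append((info.filename, reasons))
    return out


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(name[:60], "->", "; ".join(reasons))
```

Run at the mail gateway, a member tripping the executable-extension or MZ checks is a quarantine decision on its own; the padding and double-extension checks are weaker on their own but are worth logging, since they are exactly the social-engineering touches that a detection rate of 4/50 at VirusTotal will not catch for you.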

Automated analysis tools [1] [2] show a download of an encrypted file from the following locations:
[donotclick]professionalonlineediting.com/theme/cc/images/07UKex.enc
[donotclick]mararu.ro/Media/07UKex.enc

Both those sites are hosted by Mochanin Corp in the US, indicating perhaps a wider problem with that host.

Recommended blocklist:
204.93.165.33
50.31.147.54
professionalonlineediting.com
mararu.ro

I love Google's home page..

I love Google's home page today..