Sponsored by..

Friday 21 February 2014

PRFC (Epcylon Technologies, Inc) pump-and-dump spam

This pump-and-dump spam run happened last night, which would have been Thursday afternoon in the US. Usually spam runs of this type happen over the weekend, but this P&D run is not quite like others.
From:     Zelma Williams
Date:     20 February 2014 19:04
Subject:     Very important information. Please read

Hi [redacted]

I know you were expecting to hear back from me much earlier but I didn't want to get back to you empty-handed. I finally found the perfect stock for you and I am confident that it will make you some serious profit. Remember the one I told you about in November of last year right? You did very well on it and I think this PRFC stock will do the same for your portfolio again.
I have to let you know though that I'm not the only one who found out about PRFC today. A few of my colleagues are aware as well and they are telling their friends and family about it so I must advise you to move fast if you want to buy it. I think it's trading at just around 15 cents right now, if you wait too long it might be at 30 or even higher and at that time I won't be able to safely advise you to buy it. You can buy as many shares as you can first thing at market open on Friday or worst case scenario buy it on Monday but move fast.
I know you don't care about what the company does because you know I've done all the due diligence for you already but PRFC is actually amazing and I think it will do much better than even the one I told you about a few months ago.
One of the company's divisions offers mobile software solutions for the gaming industry. The mobile apps allow customers to play lottery and other games of chance and skill on their smartphones. The software is extremely advanced and could be the backbone of all mobile casinos in the future. It is expected that the US will legalize online gaming in the near future and this could catapult PRFC to new highs however even without that the company's software is extremely valuable in the rest of the world and could become extremely profitable.  Something big is definitely brewing at the company. I heard something about buy out rumors but I don't have all the details yet I will keep you posted over the coming days or weeks.
Anyway I won't bore you with much more blabber, but if you have a second do check out PRFC. By the way I will be expecting a nice gift from you once you make fat bank on this one and a nice dinner with the wives is in order. It's been too long since we last spent a good evening over a bottle of wine. I was going to call you to tell you about PRFC but I figured youre probably asleep now with those crazy shifts you've been working. Take care and call me if there's anything.

Talk soon
Your favorite friend and only broker :)
Appended to the spam is some random text to try to fool spam filters.

According to stock charts, this spam has been successful and has pushed up the Epcylon Technologies, Inc / PRFC price by about 40% in afternoon trading.


The chart shows that 72885 shares were traded in this period, moving stock up from $0.14 to $0.20, the highest value for this stock since August. Trading is normally pretty thin for this stock at between 0 to 10,000 shares per day, but it does sometimes peak higher.

Usually with pump-and-dump scams somebody buys a large quantity of a few days before the spam run. This doesn't appear to be the case here, which leads to the possibility that the spam run is being pushed by an existing stockholder (it is unlikely to be anything to do with Epcylon though). Another thing that differentiates this pump-and-dump run from others is that there does seem to be some mildly positive news about this company.

However, I would urge you not to buy these stocks. The usual pattern is that the stock price collapses shortly after the initial spam run when the party responsible for the spam cashes out.

The spam itself was sent to scraped email addresses and addresses taken from various data breaches, although there does appear to have been some basic listwashing done to evade detection.

Update: a second version is doing the rounds..

From:     Rowena Rasmussen caroline@ordernowapp.com
To:     caroline [caroline@victimdomain]
Date:     22 February 2014 14:48
Subject:     This is the best stock tip of the year

Dear Investor,

If you're tired of playing the market for mediocre gains then you should read on. I'm Mike Statler. Some of you may know me from my last good stock tip (WPWR) which more than tripled within a short period of time (feel free to check it out). Now I have a brand new tip and I will think you will be pleased. This one should go up more than 6 times from current levels.
If you are interested in making a quick gain overnight, this is not for you, but if you're serious about buying my new tip PRFC and you are willing to hold a few weeks and see magic happen then you're definitely at the right place.
If you remember correctly I told you a few days ago about PRFC. I advised you to add it to your watch list but at the time I could not recommend that you buy it as I had not completed my due diligence.
I have good news and bad news for you. The bad news is that it is already up about 60% since I told you to add it to your watch list but the good news is that I think it still has a lot of room to go up and I expect to see PRFC trading at over 2 dollars before the end of the month or by the end of the 1st week of march at the absolute latest.
The company makes indispensable software that powers the backend of mobile gambling platforms. You can buy lottery on your smartphone, spin the roulette, enjoy blackjack or even play a game of poker. All this from your iphone or android phone. This is absolutely revolutionary and as we get closer to complete legalization of online gambling in America this little gem that is PRFC could soar dramatically.
PRFC (or Epcylon Technologies if you prefer) is going to work wonders for my subscribers' portfolios. I even bought $15,000 of it myself today. THAT'S how confident I am in it. I'm putting my money where my mouth is and I am telling you to BUY PRFC too if you believe in me, and if you don't it's too bad. You will be sending me an email two weeks from now saying how you regret not buying when I told you to do so.

Happy Trading,
I'm Mike Statler.

Update 24/2/14: new versions replace the text with an image in an attempt to bypass spam filters.



Update 25/2/14: a slightly different image this time, presumably in an attempt to evade scanners


Thursday 20 February 2014

Suspect Cushion redirect on 62.212.128.22

I'm not entirely sure of what the payload is, but there is an apparent cushion redirect running on 62.212.128.22 (XenoSite, Netherlands) using hijacked GoDaddy domains (which is never a good sign). An example can be found with this URLquery report but in this case it seems to end up at a wallpaper site (picture here). VirusTotal sees the IP as being somewhat suspect.

Given that this is abusing subdomains of legitimate GoDaddy domains then on balance I would regard this as being malicious. All the subdomains I can find are listed here [pastebin], but they are all covered by this recommended blocklist:
46.231.87.57
310casting.com
analacrobatsfree.com
dovizpiyasa.net
dovmeara.com
dovmebakirkoy.com
dovmeblog.com
dovmeci.co
dovmeciadresleri.com
dovmecibul.com
dovme-resimlerim.com

Wednesday 19 February 2014

Somnath Bharti - porn site operator?

I seem to have written a lot about Somnath Bharti lately, and he's certainly a topic of interest in Indian politics. I'm not going to go on about his links to TopSites LLC (watch the video if you are interested), but I wanted to look at these persistent comments that Somnath Bharti was some sort of porn site operator.

If you want the really short version it's this - I've never seen any evidence that Mr Bharti has owned or operated a porn site. That's it.

But what are the links to porn, and where is there confusion?

allwebhunt.com links to porn and pro-pedophilia sites

It is beyond all reasonable doubt that allwebhunt.com is connected to Somnath Bharti. This was a directory of sites that was rapidly taken offline when the Times of India exposed the connection. Some of the more unsavoury contents of that site include a set links to pro-pedophilia sites which had been copied from the Open Directory Project (which had deleted them years ago). That's a pretty poor sense of judgement in this case, but it is really down to sloppiness rather than actual malice in my opinion.

But allwebhunt.com also linked to more regular porn sites, including the examples pictured below.

These entries appeared to be paid or sponsored ones, but the sites themselves are not Mr Bharti's and it does amuse me that some of the India news outlets criticising Mr Bharti for this do exactly the same things themselves.

Ultimately, allwebhut.com (and its predecessor topsites.us) directories are simply a catalogue of available sites, some of those links may be questionable but they do not imply ownership or mean that anything illegal is happening.

Ownership of teens-boy.net

One of the sites that Mr Bharti owned was teens-boy.net, according to historical WHOS records from 2005:

Domain:        teens-boy.net
Record Date:     2005-01-08
Registrar:     GOTNAMES.CA INC.
Server:     whois.gotnames.ca
Created:     2004-11-26
Updated:    
Expires:     2005-11-26

Domain teens-boy.net

  Date Registered: 2004-11-26
    Date Modified: 2004-11-30
      Expiry Date: 2005-11-26
             DNS1: ns1.www--search.com
             DNS2: ns2.www--search.com

  Registrant

                   My Directory LLC
                   PO Box 7334 - 101591
                   San Francisco, CA (US)
                   94120-73

  Administrative Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

  Technical Contact

                   My Directory LLC
                   Somnath Bharti
                   PO Box 7334 - 101591
                   San Francisco
                   CA
                   US
                   94120-73
                   415-462-3044
                   530-504-8433
                   listings@mydir.org

        Registrar: GotNames.ca
teens-boy.net had been a gay porn site until late 2004 as it appears in the Internet Archive [link is probably not safe for work]. The Internet Archive does not have any pictures on it in this case, but it is clear what the site is about by looking at the text.


It's an odd site for Mr Bharti to have in his name. But what did it actually look like after he bought it? The Internet Archive gives the answer again [this link is OK]. We can see that it just acts as a redirector to dirs.org which is yet another clone of the TopSites directory.




I guess this might have been an attempt at SEO, the domain was bought with a lot of other non-porn domains which also forwarded in this way. As far as I can tell, when the domain registration was up the domain simply expired at the end of 2005, it was re-registered by an unrelated party in 2007.

DVLPMNT MARKETING, INC and www-goto.com confusion

Webnewswire.com ran a story looking at the WHOIS details of www-goto.com, a site that had been registered to Mr Bharti in 2005:

Domain:        www-goto.com
Record Date:     2005-05-18
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:    
Expires:     2005-12-08

Registrant:
 Media  LLC
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Technical Contact:
 Bharti, Somnath sales@dirs.org
 1158 26th Street #528
 Santa Monica, CA 90403
 US
 310-857-6666
Fax:530-504-8433

Record last updated 05-17-2005 03:09:40 PM
Record expires on 12-08-2005
Record created on 12-08-2004

Domain servers in listed order:
    NS1.WWW-GOTO.COM    202.14.69.2
    NS2.WWW-GOTO.COM    202.14.69.117
They then looked at the current WHOIS details which are:
Domain:        www-goto.com
Record Date:     2014-02-06
Registrar:     DNC HOLDINGS, INC.
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2013-06-12
Expires:     2014-12-08 

Domain Name: WWW-GOTO.COM
Registry Domain ID:
Registrar WHOIS Server: whois.directnic.com
Registrar URL: http://www.directnic.com
Updated Date: -001-11-30T00:00:00-06:00
Creation Date: 2004-12-08T11:03:22-06:00
Registrar Registration Expiration Date: 2014-12-08T17:03:22-06:00
Registrar: DNC Holdings, Inc.
Registrar IANA ID: 291
Registrar Abuse Contact Email: abuse@directnic.com
Registrar Abuse Contact Phone: +1.8668569598
Domain Status: ok
Registrant Name: Domain Administrator
Registrant Organization: DVLPMNT MARKETING, INC.
Registrant Street: Hunkins Plaza
Registrant City: Charlestown
Registrant State/Province: Nevis
Registrant Postal Code: NA
Registrant Country: KN
Registrant Phone: 011-869-765-4496
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: dvlpmntltd@gmail.com
Admin Name: Domain Administrator
Admin Organization: DVLPMNT MARKETING, INC.
Admin Street: Hunkins Plaza
Admin City: Charlestown
Admin State/Province: Nevis
Admin Postal Code: NA
Admin Country: KN
Admin Phone: 011-869-765-4496
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: dvlpmntltd@gmail.com
Tech Name: Domain Administrator
Tech Organization: DVLPMNT MARKETING, INC.
Tech Street: Hunkins Plaza
Tech City: Charlestown
Tech State/Province: Nevis
Tech Postal Code: NA
Tech Country: KN
Tech Phone: 011-869-765-4496
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: dvlpmntltd@gmail.com
Name Server: NS1.VOODOO.COM
Name Server: NS2.VOODOO.COM
URL of the ICANN WHOIS Data Problem Reporting System
http://wdprs.internic.net
The creation date for the domain is still 2004, so the domain has never dropped and been reregistered, it has been in continual existence since that date. The rather mysterious DVLPMNT MARKETING, INC certainly does seem to be connected with porn domains, but is this company controlled by Mr Bharti? No.


A look at the historical WHOIS details again yield some clues. The domain expired in 2008 and ended up being controlled by the registrar DirectNIC..
Domain:        www-goto.com
Record Date:     2008-12-19
Registrar:     INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Server:     whois.directnic.com
Created:     2004-12-08
Updated:     2008-12-09
Expires:     2009-12-08
Previous Screenshots
2008-12-18 screenshot
Reverse Whois:

Registrant:
 directNIC.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Domain Name: WWW-GOTO.COM

Administrative Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Technical Contact:
 Domain, Expired expireddomain@directnic.com
 Expired Domain Name
 650 Poydras Street
 Suite 1150
 New Orleans, LA 70130
 US
 504-679-5170

Record last updated 12-09-2008 06:13:27 PM
Record expires on 12-08-2008
Record created on 12-08-2004

Domain servers in listed order:
    NS0.EXPIREDDOMAINSERVICES.COM    69.46.228.236
    NS1.EXPIREDDOMAINSERVICES.COM    69.46.228.237

DirectNIC reserve the right to auction off expired domains and the next WHOIS entry sees the domain being controlled by a domain parking company. It is unlikely that Mr Bharti or any of his associates received anything for this domain, it was essentially scrapped.

Is there any other evidence linking Somnath Bharti to porn?

Over the past couple of weeks I have re-examined the TopSites LLC business plus Mr Bharti's own Madgen Solutions from my own records and other public sources. These revealed all sort of interesting facts and allegations about Mr Bharti's activities.. but absolutely nothing that suggest that he owned or operated porn sites.

Of course, perhaps there is evidence that I am not aware of, but I would be very surprised if there is.. you can always send me an email if you have anything that will prove me wrong.


Tuesday 18 February 2014

Eisenburg, Whitman & Associates LLC (eisenburgwhitmancca.com) fake testimonial

Eisenburg, Whitman & Associates LLC is meant to be some sort of Florida-based debt collector, although their website at eisenburgwhitmancca.com appears to have been designed by a semi-literate teenager back in the late 1990s. Assuming that it is their website of course, and not someone trading on their name.

Their "testimonies" (sic) page at www.eisenburgwhitmancca.com/testimonies has a couple of testimonials, with photographs.


Let's look a little closer at the first testimonal that says:
To Whom it may concern;

       My Name is Albert Wells Ref # 13A-***86, I am writing this letter today to personally thank Eisenburg,Whitman & Associates. For all their help and support with helping me getting my credit repair and getting me headed, back on the path of financial independence, special thanks to James Norman. Sincerley Albert Wells. 

Let's have a closer look at "Albert Wells"..

Who is that?

Oh look... it is actually John Dramani Mahama who is president of Ghana, and can be seen an the identical photograph on Wikipeda.


https://en.wikipedia.org/w/index.php?title=John_Dramani_Mahama&oldid=551035462
Oh dear.

You can read whatever conclusions you like into that.

"Please look my CV" spam

This spam comes with a malicious payload:

Date:      Mon, 17 Feb 2014 13:31:32 -0500 [02/17/14 13:31:32 EST]
From:      My CV [arina6720@rvyleater.com]
Subject:      Please look my CV

Hello,

Let me introduce myself.
I am the winner of various beauty contests
and the most beautiful girl on the coast.

And I really want to get a job from you.
I attach my CV where you can find links to my accounts
in social networks and see my photos.

Kisses,
Alena Tailor
Attached is a ZIP file My_CV_document_social networks_ photos_6103.zip which in my sample was corrupt. A bit of work with a Base64 decoder revealed that the payload file is My_CV_document________________________.exe which would be malicious if it actually worked.

Monday 17 February 2014

Fake Evernote "Image has been sent" spam with RU:8080 payload

I've know that the RU:8080 gang appears to have been back for a while, but I haven't had a lot of samples.. here's a new one however.

Date:      Mon, 17 Feb 2014 16:19:40 -0700 [18:19:40 EST]
From:      accounts@pcfa.co.in
Subject:      Image has been sent

Image has been sent.
DSC_990341.jpg 33 Kbytes
Go To Evernote

Copyright 2014 Evernote Corporation. All rights reserved
The links in the email go to:
[donotclick]www.aka-im.org/1.html
[donotclick]bluebuddha.us/1.html

Which in turn loads a script from:
[donotclick]merdekapalace.com/1.txt
[donotclick]www.shivammehta.com/1.txt

That in turn attempts to load a script from [donotclick]opheevipshoopsimemu.ru:8080/dp2w4dvhe2 which is multihomed on the following IPs:
31.222.178.84 (Rackspace, UK)
37.59.36.223 (OVH, France)
54.254.203.163 (Amazon Data Services, Singapore)
78.108.93.186 (Majordomo LLC, Russia)
78.129.184.4 (Iomart Hosting, UK)
140.112.31.129 (TANET, Taiwan)
180.244.28.149 (PT Telkom Indonesia, Indonesia)
202.22.156.178 (Broadband ADSL, New Caledonia)

The URLquery report on the landing site indicates a possible Angler Exploit Kit, although the code itself is hardened against analysis.

There are a number of other hostile sites on those same IPs (listed below in Italics). I would recommend blocking the following IPs and domains:
31.222.178.84
37.59.36.223
54.254.203.163
78.108.93.186
78.129.184.4
140.112.31.129
180.244.28.149
202.22.156.178
afrikanajirafselefant.biz
bakrymseeculsoxeju.ru
boadoohygoowhoononopee.biz
bydseekampoojopoopuboo.biz
jolygoestobeinvester.ru
noaphoapofoashike.biz
opheevipshoopsimemu.ru
ozimtickugryssytchook.org
telaceeroatsorgoatchel.biz
ypawhygrawhorsemto.ru

aka-im.org
bluebuddha.us
merdekapalace.com
shivammehta.com



Sunday 16 February 2014

"Account Credited" / TTCOPY.jar spam

This spam email comes with a malicious .JAR attachment:

From:     Tariq Bashir muimran@giki.edu.pk
Reply-To:     Tariq Bashir [ta.ba@hot-shot.com]
Date:     15 February 2014 11:03
Subject:     Account Credited

Dear Sir,

I am sorry for my late response; our bank has credited 50% of Total amount on invoice to your bank account, the balance will be paid against BOL.

Find attached Bank TT  and update us on delivery schedule.

Regards,

Tariq Bashir
Remal Al Emarat Travel & Tourism L.L.C.
Al Muteena Street, Salsabeel Building, 103
P.O. Box 56260, Dubai, UAE
Tel: +971 4 271 54 06
Fax: +971 4 271 50 65
Mobile: +971 50 624 62 05
e-mail: ta.ba@hot-shot.com

The spam email originates from 121.52.146.226 (mail.giki.edu.pk) and comes with a malicious attachment TTCOPY.jar which is a Java application. This has a VirusTotal detection rate of 12/50 and the Malwr analysis reports an attempted connection to clintiny.no-ip.biz on 67.215.4.123 (GloboTech, Canada / MaXX Ltd, Germany).

Although this is an unusual threat, Java attacks are one of the  main ways that an attacker will gain access to your system. I strongly recommend deinstalling Java if you have it installed.

I can find two highly suspect IP blocks belonging to MaXX Ltd which I recommend blocking, along with the domains specified below:

67.215.4.64/28
67.215.4.120/29
u558801.nvpn.so
jagajaga.no-ip.org
jazibaba.no-ip.org
cyberx2013.no-ip.org
deltonfarmhouse.no-ip.biz
deltoncowstalls.no-ip.org
can2-pool-1194.nvpn.so
jazibaba1.no-ip.biz
ns2.rayaprodserver.com
kl0w.no-ip.org
jajajaja22.no-ip.org
mozillaproxy.zapto.org

Friday 14 February 2014

Malware sites to block 14/2/14

This bunch of OVH Canada hosted nameserver and IP ranges are supporting malware distribution via the Nuclear Exploit Kit (as described here by Umbrella Labs).

OVH Canada have a long history with this bad actor (who I believe to be r5x.org), and these /29 and /30 blocks spread throughout OVH's range make it more difficult to block the IPs. Are OVH providing snowshoe malware distribution services? It does look like it. Perhaps OVH can prove me wrong by banishing this bad customer once and for all.

First of all, we have a set of nameservers being used to support mostly .pw domains hosting the Nuclear EK. The nameservers I can see that are active are:

dns1.alcogylogyc.com
dns2.alcogylogyc.com

dns1.bedroklow.com
dns2.bedroklow.com

dns1.boobledns.com
dns2.boobledns.com

dns1.dedains.com
dns2.dedains.com

dns1.dnshelpers.com
dns2.dnshelpers.com

dns1.eleziks.info
dns2.eleziks.info

dns1.europinghome.com
dns2.europinghome.com

dns1.flouwping.com
dns2.flouwping.com

dns1.geovipns.com
dns2.geovipns.com

dns1.glousby.com
dns2.glousby.com

dns1.goldrushns.net
dns2.goldrushns.net

dns1.goupfaster.info
dns2.goupfaster.info

dns1.grephipst.com
dns2.grephipst.com

dns1.hazahaza.net
dns2.hazahaza.net

dns1.highlinerservices.com
dns2.highlinerservices.com

dns1.hiporq.com
dns2.hiporq.com

dns1.hopsups.com
dns2.hopsups.com

dns1.hyperbola.info
dns2.hyperbola.info

dns1.kakzumi.com
dns2.kakzumi.com

dns1.masscarete.com
dns2.masscarete.com

dns1.koljong.com
dns2.koljong.com

dns1.masssilk.com
dns2.masssilk.com

dns1.mifthme.net
dns2.mifthme.net

dns1.mitilean.net
dns2.mitilean.net

dns1.muslibusli.org
dns2.muslibusli.org

dns1.neitronefx.org
dns2.neitronefx.org

dns1.nutizk.org
dns2.nutizk.org

dns1.performanced.net
dns2.performanced.net

dns1.platusinplatus.org
dns2.platusinplatus.org

dns1.plemians.org
dns2.plemians.org

dns1.poeglu.net
dns2.poeglu.net

dns1.popkirko.com
dns2.popkirko.com

dns1.portfoliorealtors.com
dns2.portfoliorealtors.com

dns1.seburingo.net
dns2.seburingo.net

dns1.sretunset.net
dns2.sretunset.net

dns1.timverbahdd.net
dns2.timverbahdd.net

dns1.telalcobuh.info
dns2.telalcobuh.info

dns1.vinigretov.net
dns2.vinigretov.net

dns1.yakuns.net
dns2.yakuns.net

Those nameservers are hosted in the following ranges, exclusively supplied by OVH Canada. If you are in a security-sensitive environment then I would recommend using larger blocks.

142.4.194.0/29
192.95.6.24/29
192.95.10.16/29
192.95.46.56/30
192.95.46.60/30
192.95.47.232/30
192.95.47.236/30
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

I can see the following domains being actively supported by these nameservers, all of which should be considered hostile:

activresa.biz
airlead.biz
allbat.biz
battingkayaking.pw
bikinghighs.pw
blackconstruction.biz
blizzardfielder.pw
bowpollutant.pw
bronzefoger.pw
cardiologistfastlane.pw
choiceshell.biz
clubdewef.pw
coachmacroburst.pw
competitordownburst.pw
competitormist.pw
competitormoisture.pw
cookray.pw
creativegeo.biz
cricketslush.pw
cricketsmoke.pw
curlingdefense.pw
dailyaqua.biz
decemberboxer.pw
digitalra.biz
drummerballerina.pw
epeeradar.pw
evergreenplay.pw
exercisebreeze.pw
experptware.biz
expertsurvey.biz
eyefreeze.biz
fieldingboxer.pw
fieldingdrizzle.pw
fieldingrainbands.pw
firstozip.biz
fitnessrafting.pw
flypanda.biz
furnacerace.pw
galekarate.pw
gamecoldfront.pw
glacierfootball.pw
glacierhelmet.pw
goalsnowstorm.pw
goldhailey.pw
heaterboxing.pw
hibernatebatting.pw
hibernateguard.pw
homesteamz.pw
hotchocolatefield.pw
hotchocolateplayoffs.pw
icebergcatcher.pw
icecaprace.pw
icehockeyair.pw
jacketcyclist.pw
januarygame.pw
javelinmicroburst.pw
jockeycustodian.pw
judodegreeo.pw
kayakermacroburst.pw
kayakingleeward.pw
kickballeyer.pw
lacrossebarometer.pw
lightcasa.biz
magicse.biz
manufacturerpresto.pw
mapmove.biz
mittensrafting.pw
movieprice.biz
negotiatorsecond.pw
netfogert.pw
novelistflutist.pw
onbytce.biz
onlincerobo.biz
playingsnowflake.pw
polarkayaking.pw
poolridgeq.pw
quiltcanoe.pw
quiltquarter.pw
racketforecast.pw
ridingmacroburst.pw
safemeta.biz
scanbeat.biz
snowflakereferee.pw
snowyboules.pw
stovecricket.pw
stovegolfer.pw
thermometerequipment.pw
thinkisoftware.biz
winterdefense.pw
zerocompetition.pw



Wednesday 12 February 2014

"Track shipments/FedEx" spam

This fake FedEx spam leads to malware:

Date:      Wed, 12 Feb 2014 07:53:36 -0700 [09:53:36 EST]
From:      FedEx [yama@rickyz.jp]
Subject:      Track shipments/FedEx 7487214609167750150131 results: Delivered

Track shipments/FedEx Office orders summary results:
-----------------------------------------------------------------------
Tracking number        Status              Date/Time
7487214609167750150131  Delivered           Feb 11, 2014     
                                           11:20 AM     

Track shipments/FedEx Office orders detailed results:
-----------------------------------------------------------------------
Tracking number       7487214609167750150131

Reference             304562545939440100902500000000
Ship date             Feb 03, 2014
Ship From           NEW YORK, NY
Delivery date         Feb 11, 2014 11:20 AM
Service type          FedEx SmartPost

Tracking results as of Feb 11, 2014 3:37 PM CST


Click Here and get Travel History
-----------------------------------------------------------------------


Disclaimer
-----------------------------------------------------------------------

FedEx has not validated the authenticity of any email address.

In this case, the link in the email goes to [donotclick]pceninternet.net/tracking.php?id_7487214609167750150131 which downloads an archive file track_shipments_FedEx.zip.


In turn, this ZIP file contains the malicious executable with the lovely name of Track_shipments_FedEx_Office_orders_summary_results_Delivered_tracking_number_9384758293431234834312_idju2f83f9hjv78fh7899382r7f9sdh8wf.doc.exe
which has an icon that makes it look like a Word document. This has a VirusTotal detection rate of 15/49, but automated analysis tools are inconclusive as to its payload [1] [2] [3].




Malware (Neutrino EK?) sites to block 12/2/14

The following IPs and domains appear to be in use for spreading exploit kits via injection attacks - 108.178.7.118 (Singlehop, US) [1] [2] and 212.83.164.87 (Online SAS, France) [3] [4]. The payload isn't clear, but some of the URLquery reports indicate Neutrino.

In the case I saw, the victim was directed to the EK from a compromised site at greetingstext.com. I cannot reproduce the problem with URLquery or any other tool, but log files do not lie.

I would recommend that you block these following IPs and domains as a precaution:

108.178.7.118
212.83.164.87
jakiewebs.com
sheethoo.com
chaefooh.com
goldnclouds.com
nofledno.com
zeuriele.com
wqywdo.xip.io
glindeb.com

Video: Somnath Bharti's links to TopSites LLC

Articles on Somnath Bharti and TopSites LLC

You can find some of the history about TopSites LLC and Mr Bharti's involvement in my old "diary" articles written between 2003 and 2007.
Later articles can be found by looking for the Somnath Bharti tag on this blog.

Monday 10 February 2014

81.4.106.132 / oochooch.com / 10qnbkh.xip.io

I don't like the look of this [urlquery], seems to be the payload site for some sort of injection attack. Might be worth blocklisting 81.4.106.132.




Evil .pw domains on 31.41.221.131 to 31.41.221.135

Thanks to Malekal for the heads up, the current batch of evil .pw domains that have been distributing malware appear to have shifted to the following IP addresses:

31.41.221.131
31.41.221.132
31.41.221.133
31.41.221.134
31.41.221.135

These IP addresses belong to Besthosting in Ukraine. A typical payload of one of these malicious sites looks like this URLquery report.

The evil .pw domains in use all use a subdomain of one of the following:
arrowjogger.pw
athleticsarchery.pw
athleticsjudo.pw
ballkayaker.pw
baseballcompetition.pw
basketballplaying.pw
batongoal.pw
battingfield.pw
battinggymnast.pw
boulesplaying.pw
boxerfielder.pw
boxerplay.pw
canoeingbaton.pw
canoekarate.pw
competearena.pw
competitiongolfer.pw
crewjumping.pw
dartgym.pw
defensebicycle.pw
diamondracer.pw
discushurdle.pw
divemedal.pw
diverbiking.pw
diverracket.pw
dodgeballkayaker.pw
fielddefense.pw
gearcompetitor.pw
golfbow.pw
golfercyclist.pw
golfingchampionship.pw
golfingorienteering.pw
halftimedecathlon.pw
handballdart.pw
huddledart.pw
huddledartboard.pw
javelinbaton.pw
leaguedart.pw
medaljogger.pw
medaljogger.pw
movementarchery.pw
pitchbiathlon.pw
pitchexercise.pw
playbunt.pw
playmove.pw
playoffschampion.pw
polediver.pw
polofencing.pw
pooljump.pw
racketrunning.pw
relaycompete.pw
rungymnastics.pw

 I would recommend blocking those domains and the above-listed IPs (or alternatively 31.41.221.128/29 or 31.41.221.128/25). A full list of all the subdomains I can find is here [pastebin]

Saturday 8 February 2014

Somnath Bharti's allwebhunt.com linked to pro-pedophilia sites

Delhi minister Somnath Bharti's allwebhunt.com site was linking to pro-pedophilia sites as late as 31st December 2013, according to Google [warning: I do not advise that you click on the links in that page]. Here is a screenshot (some descriptions may offend) (if you have difficulty with seeing the text, try this version). The ownership link between allwebhunt.com and Mr Bharti is described here.

That content was most likely taken from a controversial category at The Open Directory Project which no longer exists.

The Open Directory Project does try to be all-inclusive in what it catalogues, but I suspect that pro-paedophile sites were something that it felt it could not condone.

Friday 7 February 2014

Headlines Today (India): Somnath Bharti's spammer connection

I'm not sure what all this fascination is with Mr Bharti's alleged connections to porn.. I've never found any evidence that he has hosted or owned sites with pornographic content. But there's certainly a great deal of evidence linking him with spam outfit TopSites LLC.

Somnath Bharti denies link to TopSites LLC in 2004

This is Somnath Bharti's denial of any involvement in TopSites LLC (explored here and in other posts). I believe that the evidence of Mr Bharti's involvement is overwhelming. However, here is a copy of the original email he sent me complete with mail headers so that independent individuals can look into its authenticity.

Return-Path: <somnath.bharti@gmail.com>
Received: from unknown (HELO blade5.cesmail.net) (192.168.1.215)
  by c60.cesmail.net with SMTP; 14 Nov 2004 13:43:23 -0500
Received: (qmail 5069 invoked by uid 1010); 14 Nov 2004 18:43:22 -0000
Delivered-To: spamcop-net-dynamoo@spamcop.net
Received: (qmail 5045 invoked from network); 14 Nov 2004 18:43:21 -0000
Received: from unknown (192.168.1.101)
  by blade5.cesmail.net with QMQP; 14 Nov 2004 18:43:21 -0000
Received: from rproxy.gmail.com (64.233.170.197)
  by mailgate.cesmail.net with SMTP; 14 Nov 2004 18:43:21 -0000
Received: by rproxy.gmail.com with SMTP id r35so540853rna
        for <dynamoo@spamcop.net>; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding;
        b=AItQWQnfUOPREzb2USZ1AAdfuMy54ME4VonsHz7VdB93Wd8apOkFSOrdqjkbLLFqI6nUaFy2cKrbLXTrFSLC0p5Kj2ZdwK0Qb6CFZjbS24HecjymNLUahhMUBp3AbEb0M/t/EXhC4N0HZeCD06YP/TK7XF0dZaqNweevm4cXL4E=
Received: by 10.38.102.45 with SMTP id z45mr1019046rnb;
        Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Received: by 10.38.151.16 with HTTP; Sun, 14 Nov 2004 10:43:20 -0800 (PST)
Message-ID: <4e0e2d5304111410431d08a7bb@mail.gmail.com>
Date: Sun, 14 Nov 2004 10:43:20 -0800
From: Somnath <somnath.bharti@gmail.com>
Reply-To: Somnath <somnath.bharti@gmail.com>
To: dynamoo@spamcop.net
Subject: surprising and serious
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade5
X-Spam-Level:
X-Spam-Status: hits=0.0 tests=RCVD_BY_IP version=3.0.0
X-SpamCop-Checked: 192.168.1.101 64.233.170.197 10.38.102.45 10.38.151.16

Hi Conrad,

I was taken by surprise to find you listing my name, one of my
properties address and my picture in an article on a company named
"TopSites LLC" on your site. I don't know on what basis you have been
talking so emphatic without cross verifying with the person you are
talking about. To my utter surprise, you have been having this article
on your site accusing me of being related to a company I have heard
only through your article. Please have the same removed ASAP and
explain to me what made you write all this about a person, not even
remotely attached to any such company.
Please acknowledge of this email and have any and everything related
my name, my pic and c-28 address removed. I am available at
+91-9891819893, if you have anything to talk about. Also, post on the
same page an apology for this grievous mistake on your part.


--
Regards,
Somnath Bharti

Something evil on 69.64.39.166

69.64.39.166 (Hosting Solutions International, US) appears to be hosting an exploit kit (possibly Fiesta) according to URLquery reports such as this one.

The code is being injected into target websites, possibly through a malvertising campaign. I would recommend blocking the IP address as the simplest option, although I can identify the following domains on that same IP, all of which are likely to be malicious.


advrzc.myftp.org
amyoau.myftp.biz
aokljwwsap.serveftp.com
bgocodwsiu.myftp.org
bpknbvmc.serveftp.com
cjhkxfpdw.serveftp.com
cvxeitw.serveftp.com
cxrhtcau.myftp.biz
czwaiys.myftp.org
dhdwjwve.myftp.org
djqlcce.myftp.org
drituglgjh.serveftp.com
drpmsmt.serveftp.com
ehetlmna.myftp.biz
euimho.serveftp.com
fvyzhy.serveftp.com
hljozqutc.myftp.org
hlwswbaap.serveftp.com
hwtlzdxic.serveftp.com
idoplhj.serveftp.com
iyrseedlt.myftp.biz
lkuvivr.myftp.biz
lxeoic.myftp.org
orrlnypdvz.myftp.biz
osuqlc.myftp.org
plwxycxij.myftp.org
pmkawqgvob.myftp.org
puifnjav.myftp.biz
sbrckuod.serveftp.com
thtnuj.myftp.biz
ucuqgd.myftp.org
uqqyscgq.myftp.org
uuzkpb.myftp.biz
welfcsuybw.serveftp.com
ykypxoub.myftp.org
yrziqui.serveftp.com
yxoiyjbjt.myftp.biz

"Authorization to Use Privately Owned Vehicle on State Business" spam

We've seen this particular type of malware-laden spam before..

Date:      Fri, 7 Feb 2014 17:08:16 +0700 [05:08:16 EST]
From:      Callie Figueroa [Callie@victimdomain]
Subject:      Annual Form - Authorization to Use Privately Owned Vehicle on State Business

All employees need to have on file this form STD 261 (attached).  The original is
retained by supervisor and copy goes to Accounting. Accounting need this form to approve
mileage reimbursement.

The form can be used for multiple years, however it needs to re-signed annually by
employee and supervisor.

Please confirm all employees that may travel using their private car on state business
(including training) has a current STD 261 on file.  Not having a current copy of this
form on file in Accounting may delay a travel reimbursement claim. 
The email appears to originate from within the victim's own domain but doesn't. Attached is an archive file Form_STD261.zip which in turn contains a malicious executable Form_STD261.scr which has a VirusTotal detection rate of just 3/51.

Anubis reports an attempted connection to faneema.com on 198.38.82.223 (Mochahost, US). I recommend blocking both the domain and IP address in this case.