Sponsored by..

Wednesday, 19 March 2014

NatWest "You have received a secure message" spam

This fake NatWest spam has a malicious attachment:

Date:      Wed, 19 Mar 2014 15:14:02 +0100 [10:14:02 EDT]
From:      NatWest [secure.message@natwest.co.uk]
Subject:      You have received a secure message

You have received a secure message

Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 4226.
First time users - will need to register after opening the attachment.

About Email Encryption - http://www.natwest.com/content/global_options/terms/Email_Encryption.pdf
Attached to the message is an archive file SecureMessage.zip which in turn contains a malicious executable SecureMessage.scr which has a VirusTotal detection rate of 8/51.

Automated analysis tools [1] [2] [3] show attempted downloads from the following domains, both hosted on servers that appear to be completely compromised and should be blocked.

199.193.115.111 (NOC4Hosts, US)
droidroots.com
development.pboxhost.com

184.107.149.74 (iWeb, Canada)
2m-it.com
3houd.com

50.116.4.71 (Linode, US)
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com


Recommended blocklist:
199.193.115.111
184.107.149.74
50.116.4.71
droidroots.com
development.pboxhost.com
2m-it.com
3houd.com
aulbbiwslxpvvphxnjij.biz
pwoovaijfrsryxeqtgojbuvsvsovkj.com    
ugfmnjojpinembyyprkoptjbtij.info    
nrhpfongapozhpfwkprxohofhq.biz    
byeqdaufqeujvugwczrocihqb.net    
geugypibqsfqirsogeovqwovvgqsfucm.com    
nvyxbmdfiguizcexgluoyxkjsw.ru    
xcvshidqgwotvfetvcydfajnof.com




Something evil on 64.120.242.160/27

64.120.242.160/27 (Network Operations Center, US) is hosting a number of exploit domains (see this example report at VirusTotal). There appears to be a variety of badness involved, and many of the domains hosted in the range are flagged as malicious by Google or SURBL (report here [csv]).

There appears to be nothing legitimate in this whole range. Domains flagged as malicious by Google are highlighted, ones marked as malicious by SURBL are in italics. I would recommend you block the entire lot.

64.120.242.160/27
asifctuenefcioroxa.net
hukelmshiesuy.net
asifctuenefcioroxa.com
asifctuenefcioroxa.info
bmyahymenylag.com
bmyahymenylag.info
bmyahymenylag.net
briejttobaintwank.com
briejttobaintwank.net
cethadendalbuof.com
cethadendalbuof.info
cethadendalbuof.net
chebuecanuoc.com
chebuecanuoc.info
damaumrloiazsste.com
damaumrloiazsste.info
damaumrloiazsste.net
edjadehegile.com
edjadehegile.info
estebapenghiossewla.com
estebapenghiossewla.info
estebapenghiossewla.net
georgxoianeqnafoni.com
julynoonicl.com
 
blejythecounyful.com
blejythecounyful.net
hanogaveleoy.com
lalaghoaujrnu.info

blejythecounyful.info
briejttobaintwank.info
bychemarlottelan.com
bychemarlottelan.info
bychemarlottelan.net
cunideaflphiae.com
cunideaflphiae.info
cunideaflphiae.net
edjadehegile.net
exyniosehyn.com
exyniosehyn.info
exyniosehyn.net
govlawsdepartment.com
griceumilldevake.com
hanogaveleoy.info
hanogaveleoy.net
harihbisovynangel.com
harihbisovynangel.info
harihbisovynangel.net
hukelmshiesuy.com
hukelmshiesuy.info
kpiaroleeom.com
kpiaroleeom.info
kpiaroleeom.net
lalaghoaujrnu.com
lalaghoaujrnu.net
lawsdepartment.com
lawsdepartmentgov.com
lawsdepartmentgov.net
lawsdepartmentlog.net
lawsdepartmentlogs.net
lawsgovdepartment.com
lawsgovdepartment.net
loryneanlauwvev.com
loryneanlauwvev.info
loryneanlauwvev.net
musxiiccharinbul.com
musxiiccharinbul.info
musxiiccharinbul.net
odtoidcatcarat.com
onivbyeylaxyver.com
onivbyeylaxyver.info
onivbyeylaxyver.net
uxsiekebergatki.com
uxsiekebergatki.info
uxsiekebergatki.net
westemarqannoriw.com
westemarqannoriw.info
westemarqannoriw.net

More OVH Canada hosted exploit kits

I've been a bit tardy with this look at the new OVH Canada ranges exposed by Frank Denis so some of these domains may already been dead.

Yesterday Frank identified three new OVH Canada ranges being used to host the Nuclear EK, again the customer is "r5x.org / Penziatki"

198.50.212.116/30
198.50.131.220/30
192.95.40.240/30


Update: also 192.95.51.164/30 according to this Tweet.

A full list of everything I can find is here [pastebin] but the abused domains that I have identified are:

shallowsvent.ru
riastrait.ru
chasmdell.ru
bararete.ru
overlooktableland.ru
volcanogully.ru
oceanhollow.ru
lavaisthmus.ru
overhangcoastline.ru
archipelagoriver.ru
coralreeflagoon.ru
rivermainland.ru
latitudebayou.ru
playacaldera.ru
morainegulch.ru
loesslakebed.ru
landformvale.ru
domehillside.ru
arroyogulch.ru
firthswamp.ru
coastmound.ru
atolllava.ru
passcove.ru


At a mininum I recommend that you block those IP ranges and/or domains.

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Monday, 17 March 2014

Something evil on 192.95.6.196/30

Another useful tip by Frank Denis on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x.org / Penziatki", this time on 192.95.6.196/30.

The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault.ru
addrela.eu
backinl.org


A full list of the domains I can find in this /30 can be found here [pastebin].

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Salesforce.com "Please respond - overdue payment" spam

This fake Salesforce spam comes with a malicious attachment. Well, actually two malicious attachments..

Date:      Mon, 17 Mar 2014 16:12:20 +0100 [11:12:20 EDT]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      Please respond - overdue payment
Priority:      High Priority 2

Please find attached your invoices for the past months. Remit the payment by 01/9/2013 as outlines under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Alvaro Rocha

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you. 
Attached are two archive files quickbook_invoice_89853654.rar and quickbook_invoice_8988561346654.zip which in turn contain the same malicious executable quickbook_invoice.scr which has a VirusTotal detection rate of 8/49. Automated analysis tools [1] [2] [3] don't give much of a clue as to what is going on here, although you can assume that it is nothing good..

"Your private photos are there for anyone to see. why??" spam

This spam email has a malicious attachment:

Date:      Mon, 17 Mar 2014 13:08:42 +0100 [08:08:42 EDT]
Subject:      Your private photos are there for anyone to see. why??

Sorry to disturb you.Someone sent me thee pictures they seem to be from you and your
boyfriend I'm really troubled by this why do you send your private naked photos around??
this is beyound my understanding. It's in attachment 

The attachment is IMG000003342.zip which somewhat predictably has a malicious executable inside, IMG000003342.exe which has a VirusTotal detection rate of 12/48. Automated analysis tools [1] [2] show that it makes various changes to the system but do not detect any remote hosts contacted.

Injection attack in progress 17/3/14

A couple of injection attacks seem to be in progress, I haven't quite got to the bottom of them yet.. but you might want to block the following domains:

fsv-hoopte-winsen.de
grupocbi.com

These are hosted on 82.165.77.21 and 72.47.228.162 respectively.

The malware is resistant to automated tools and redirects improperly-formed attempt to analyse it to Bing [1] [2]. The malware is appended to hacked .js files on target sites and looks similar to this:


This sort of attack has been used to push fake software updates in the past. Even though I can't quite get to the bottom of this at the moment, you can be pretty sure that this is Nothing Good and I would recommend blocking these domains.

Something evil on 198.50.140.64/27

Thanks again to Frank Denis (@jedisct1) for this heads up involving grubby web host OVH Canada and their black hat customer "r5x.org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27.

A full list of all the web sites I can find associated with this range can be found here, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16).

Domains in use that I can identify are listed below. I recommend you block all of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.

Recommended blocklist:

198.50.140.64/27
ingsat.eu
kingro.biz

allnew-overstocked-items.us
auto-policy-june.us
creditscorerangeadvice.com
endenergy-bills.us
endundereyedarkcircles.us
getmatch-on-line.us
godating-thurs.us
gomarine-nows.us
neweyehealth-now.us
new-omeganew.us
nowreverse-new.us
topomegafi-x.us
calculated1.us
advisoracct.us
auto9spec.us
autocquotes.us
brightmangroup.us
car04212.us
dailytips4health.us
estrexpe.eu
facts4burningfat.us
fallspecials1.us
freereview.us
fsaccounting.us
homes1research.us
homesavngs.us
hometactics.us
ieligible.us
imusiche.biz
kleycast.biz
kunstar.eu
maoride.eu
micklet.com
my3newscores.us
myreport3card.us
newdaily-health-tip.us
new-healthtip-today.us
newomegaheartfix.us
newoverstock-now.us
newproprate.us
newvisionsummer.us
note018271.us
rate-changes1.us
ratedropps.us
ratenotice09182.us
renew-autoprotection.us
reportcenter3.us
repostcc.us
sandersonhomes.us
spauto1.us
theactivity3.us
unifiedregister1.us
updateon3report.us
updateratehr.us
updscore03.us
uptodate-records3.us

Thursday, 13 March 2014

Malware sites to block 13/3/14

These IPs and domains seem to be involved in injection attacks today. I recommend you block them.

64.120.242.178
188.226.132.70
93.189.46.90
tzut.asifctuenefcioroxa.net
0dr5ah.edjadehegile.com
2ch.asifctuenefcioroxa.net
qwenty.lazarmihail.net
qwenty.onlystream.com.ar
aderfas.miltonsvideo.com.br
aderfas.porwisz.eu
traster.buddysoftware.com.au
qwenty.abundiaorganico.com.ar
qwenty.loishconsulting.com.au
qwenty.scottgotyourspot.com
qwenty.liveoakit.com
qwenty.pfsensefirewall.com
qwenty.tongfangtechnology.com
qwenty.sappa.com.au
aderfas.mypagecreator.com
needrast.dundemworld.com
soon.caelux.es
soon.wezel.info
asifctuenefcioroxa.com
asifctuenefcioroxa.info
asifctuenefcioroxa.net
edjadehegile.com
ekpmpb.asifctuenefcioroxa.net
j4qk.asifctuenefcioroxa.com
jgqke.asifctuenefcioroxa.com
np59s.asifctuenefcioroxa.info

The domains being abused are as follows.. many of them appear to be hijacked legitimate domains.
abundiaorganico.com.ar
asifctuenefcioroxa.com
asifctuenefcioroxa.info
asifctuenefcioroxa.net
buddysoftware.com.au
caelux.es
dundemworld.com
edjadehegile.com
lazarmihail.net
liveoakit.com
loishconsulting.com.au
miltonsvideo.com.br
mypagecreator.com
onlystream.com.ar
pfsensefirewall.com
porwisz.eu
sappa.com.au
scottgotyourspot.com
tongfangtechnology.com
wezel.info

Sky.com "Statement of account" spam

This fake Sky.com email comes with a malicious attachment:

Date:      Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the December invoice as this is now due for
payment.

Regards,
Carmela

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.
Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50. Automated analysis tools [1] [2] [3] show attempted connections to the following domains and IPs:

188.247.130.190 (Prime Telecom SRL, Romania)
gobemall.com
gobehost.info

184.154.11.228 (Singlehop, US)
terenceteo.com

184.154.11.233 (Singlehop, US)
quarkspark.org

The two Singlehop IPs appear to belong to Host The Name (hostthename.com) which perhaps indicates a problem at that reseller.

Recommended blocklist:
184.154.11.228
184.154.11.233
188.247.130.190
gobemall.com
gobehost.info
terenceteo.com
quarkspark.org

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x.org. The blocks have been identified as belonging to that customer and I would recommend that you block them:

198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30


OVH Canada have repeatedly hosted exploit kits for this customer to the extent that I am suspicious that either they have been compromised in some way. These following blocks have been identified as serving up malware in the recent past:

192.95.6.24/29
192.95.7.8/30
192.95.7.224/28
192.95.10.16/29
192.95.10.208/28
192.95.41.88/29
192.95.43.160/28
192.95.46.56/30
192.95.46.60/30
192.95.46.132/30
192.95.47.232/30
192.95.47.236/30
198.27.96.132/30
198.27.103.204/30
198.27.114.16/30
198.27.114.64/27
198.50.164.240/30
198.50.172.64/30
198.50.172.68/30
198.50.172.72/30
198.50.172.76/30
198.50.197.28/30
198.50.197.48/30
198.50.197.52/30
198.50.197.56/30
198.50.197.60/30
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.204.240/30
198.50.204.244/30
198.50.212.172/30
198.50.219.240/30
198.50.219.248/30
198.50.224.240/30
198.50.231.204/30
198.50.235.196/30
198.50.242.120/30
198.50.246.240/30
198.50.247.248/30
198.50.247.252/30
198.50.251.168/30
198.50.251.172/30

Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24


OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?



Monday, 10 March 2014

gateway.confirmation@gateway.gov.uk spam

This fake spam from the UK Government Gateway comes with a malicious payload:

Date:      Mon, 10 Mar 2014 12:04:21 +0100 [07:04:21 EDT]
From:      gateway.confirmation@gateway.gov.uk
Subject:      Your Online Submission for Reference 485/GB3283519 Could not process
Priority:      High

The submission for reference 485/GB3283519 was successfully received and was not
processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail. 
Attached is a file GB3283519.zip which in turn contains a malicious executable GB10032014.pdf.scr which has an icon that makes it look like a PDF file. This has a VirusTotal detection rate of 7/50.

Automated analysis tools [1] [2] [3] show attempted downloads from i-softinc.com on 192.206.6.82 (MegaVelocity, Canada) and icamschat.com on 69.64.39.215 (Hosting Solutions International, US). I would recommend that you block traffic to the following IPs and domains:
192.206.6.82
i-softinc.com
icamschat.com

Wednesday, 5 March 2014

mms.Orange.co.uk "IMAGE Id 889195266-PicFFY2C TYPE=MMS" spam

A horribly managed spam turned up in my inbox, claiming to be an MMS message from Orange UK. Well, at least that's what it looked like when I got the HTML to render properly enough to make it readable..

Date:      Wed, 5 Mar 2014 09:14:13 +0000 [04:14:13 EST]
From:      mms.service3694@mms.Orange.co.uk
Subject:      IMAGE Id 889195266-PicFFY2C TYPE=MMS

Description: Orange

Received from: 447457714595 | TYPE=MMS
There's meant to be an embedded image, but it is completely corrupt. Not that it makes much difference..


Attached is a file called bulger,jpg which is actually a ZIP file, so you have to rename it from .jpg to .zip in order to infect yourself. Some assembly is required in this case..

Anyway, once you have done all that and unzipped it, you get a malicious file IMG0000002993.exe  which has  a VirusTotal detection rate of 17/50. The Malwr report shows that the malware attempts to connect with a bunch of IPs that mostly look like dynamic ADSL subscribers. This sort of behaviour looks like P2P/Gameover Zeus or something similar.



Sunday, 2 March 2014

Malware sites to block 2/3/14

These domains and IPs are all connected with this gang, some of it appears to be involved in malware distribution, fraud or other illegal activities. I recommend that you block these IPs and domains.

Note that some of the IPs listed below are compromised nameservers (marked [ns]) which look like they are insufficiently well locked down. There is a plain list of IPs at the end for copy-and-pasting.

accounting-kent.net
aerostat-adventures.net
aim-darts.net
airnavrace.net
amia.cc
aqu.su
artplat.com
binfile.net
brigadiramoon170.com
ccl.su
clubkindergarten.net
combonicer200.com
ehk.su
flatroom.net
gefesosexwithjimmy.org
iceselinsgrove.com
kartaby.com
keksnownikolle.biz
kirr.cc
lollipollyboobs.org
lostpetutah.net
macdegredo.com
mecheti.com
megemind.com
onetimedns.com
orimylife.net
pcg.su
quarter.su
sandwars.net
sec-one-dns.com
security-apps24.com
securityappsmart.com
security-safedomains.com
security-trust.com
smis.cc
stepnitres.ru
studio-sands.net
unicttaskforce.com
usgunlavs.net
webercountyfairr.net
wildscot-tv.com
world-motorhome.net

12.42.61.221    (AT&T, US)   
19.214.121.54    (Ford Motor Company, US)    [ns]
22.15.199.21    (DOD, US)    [ns]
23.253.75.234    (Rackspace, US)   
31.210.107.33    (Radore Veri Merkezi Hizmetleri, Turkey)   
32.21.129.43    (AT&T, US)    [ns]
32.90.65.25    (AT&T, US)    [ns]
37.255.241.29    (TCE, Iran)   
41.66.55.3    (Cote d'Ivoire Telecom, Cote d'Ivoire)    [ns]
41.106.3.132    (FTTH, Algeria)    [ns]
42.96.195.183    (Alibaba, China)    [ns]
54.81.32.208    (Amazon AWS, US)   
65.27.155.176    (Time Warner Cable, US)   
79.88.112.206    (Societe Francaise du Radiotelephone, France)   
83.239.90.244    (OJSC Rostelecom Macroregional Branch South, Russia)   
89.39.83.177    (C&A Connect SRL, Romania)   
89.69.138.91    (UPC, Poland)   
92.84.13.131    (Romtelecom, Romania)    [ns]
93.190.137.5    (Worldstream, Netherlands)   
95.57.118.56    (Dmitry Davydenko / Goldhost LLC, Kazakhstan)   
96.44.143.179    (Quadranet Inc, US)   
103.31.251.202    (Argon Data Communication, Indonesia)   
108.81.248.139    (William Allard / AT&T, US)   
109.24.255.129    (Societe Francaise du Radiotelephone, France)   
112.222.201.43    (LG DACOM Corporation, Korea)   
115.28.39.216    (Hichina Web Solutions, China)   
128.101.154.25    (University of Minnesota, US)    [ns]
128.199.235.196    (DigitialOcean Cloud, Singapore)   
130.255.185.19    (Bradler & Krantz, Germany)   
147.249.171.10    (IDD Information Services, US)    [ns]
152.46.17.236    (North Carolina Research and Education Network, US)   
162.243.39.118    (Digital Ocean, US)   
167.15.26.219    (Munich Reinsurance America Inc, US)    [ns]
167.120.25.43    (The Dow Chemical Company, US)    [ns]
171.76.101.11    (Bharti Cellular Ltd, India)    [ns]
175.107.192.56    (Cyber Internet Services Pakistan, Pakistan)   
176.53.125.6    (Radore Veri Merkezi Hizmetleri, Turkey)   
181.41.194.253    (HOST1FREE at Brazil, Brazil)   
184.154.170.10    (SingleHop, US)    [ns]
185.9.159.205    (Salay Telekomunikasyon Ticaret Limited Sirketi, Turkey)   
186.194.39.139    (FMG Macabuense com serv distrib ltda-me, Brazil)    [ns]
186.202.184.178    (Locaweb Servi├žos de Internet S/A, Brazil)   
186.214.212.64    (Global Village Telecom, Brazil)   
188.165.91.216    (OVH, France / DoHost, Egypt)    [ns]
188.168.142.57    (Transtelecom CJSC, Russia)   
193.17.184.247    (Biznes-Host.pl, Poland)   
194.209.82.222    (blue-infinity, Switzerland)    [ns]
203.235.181.138    (KRNIC, Korea)   
208.167.238.115    (Choopa LLC, US)   
209.203.50.200    (Vox Telecom, South Africa)   
222.218.13.91    (Chinanet Guangxi Province Network , China)    [ns]


12.42.61.221
19.214.121.54
22.15.199.21
23.253.75.234
31.210.107.33
32.21.129.43
32.90.65.25
37.255.241.29
41.66.55.3
41.106.3.132
42.96.195.183
54.81.32.208
65.27.155.176
79.88.112.206
83.239.90.244
89.39.83.177
89.69.138.91
92.84.13.131
93.190.137.5
95.57.118.56
96.44.143.179
103.31.251.202
108.81.248.139
109.24.255.129
112.222.201.43
115.28.39.216
128.101.154.25
128.199.235.196
130.255.185.19
147.249.171.10
152.46.17.236
162.243.39.118
167.15.26.219
167.120.25.43
171.76.101.11
175.107.192.56
176.53.125.6
181.41.194.253
184.154.170.10
185.9.159.205
186.194.39.139
186.202.184.178
186.214.212.64
188.165.91.216
188.168.142.57
193.17.184.247
194.209.82.222
203.235.181.138
208.167.238.115
209.203.50.200
222.218.13.91

seekcousa.com / seekconz.com fake job offer

This job offer from seekcousa.com or seekconz.com is bogus:

Date:      1 Mar 2014 15:53:11 +0700 [03:53:11 EST]
Subject:      Offer

We are offering a shipping manager assistant position.
We are offering a distant job.

The job routine will take 2-3 hours per day and requires absolutely no investment.
You will work with big shops, suppliers, factories all around the States.
The communication line will flow between you and your personal manager, you will receive orders via email and phone,
and our trained manager will be with you while every step to help you to work out first orders and answer any questions which may appear.
The starting salary is about ~2800 USD per month + bonuses.

You will receive first salary in 30 days after you will successfully complete your first task.
When the first working month will be over you will have a right to receive salary every 2 weeks.
The bonuses are calculated on the very last working day of each month,
and paying out during a first week of the next month.

We will accept applications this week only!
To proceed to the next step we should register you in HR system so we will need a small piece of your personal information.

Please fill in the fields:
Full_name:
Phone_number:
Email_address:
City_of_residence:

We need your personal information to create HR file only,
it will stay secure on the separate server till the moment it will be deleted (which take place every 2 days),
and only HR people will have access to it.

Please send your answer to my secured email manager@seekcousa.com
 I will reply you personally as soon as possible.

Sincerely,
Rudy 
From the job description, this appears to be some sort of parcel mule scam or other criminal activity. This video explains how a parcel reshipping scam works:


seekcousa.com is regsitered with Chinese registrar BIZCN, and the WHOIS details are fake:
Registrant Name: Ernest Dubose
Registrant Organization: Ernest D. Dubose
Registrant Street: 129 Oakridge Lane
Registrant City: Irving
Registrant State/Province: TX
Registrant Postal Code: 75038
Registrant Country: us
Registrant Phone: +1.4699959821
Registrant Phone Ext:
Registrant Fax: +1.4699959821
Registrant Fax Ext:
Registrant Email: info@seekcousa.com
Registry Admin ID:



seekconz.com is also registered with BIZCN, but with different fake details:
Registrant Name: Nickolas Gordon
Registrant Organization: Nickolas R. Gordon
Registrant Street: 4930 Clarence Court
Registrant City: Ontario
Registrant State/Province: CA
Registrant Postal Code: 91762
Registrant Country: us
Registrant Phone: 909-988-6071
Registrant Phone Ext:
Registrant Fax: 909-988-6333
Registrant Fax Ext:
Registrant Email: info@seekconz.com


There is no website associated with either of these domains, but there are mail records of mx.seekconz.com and mx.seekcousa.com pointing to 93.190.137.5 (Worldstream, Netherlands). Nameservers involved in the fraud are ns1.friscolakesgc.net hosted on the same IP and ns2.friscolakesgc.net hosted on 32.21.129.43 (AT&T, US).

We can dig a little deeper on those nameserver records, they have fake WHOIS details as well:
Registrant Name: ROSEMARY CARPIO
Registrant Organization:
Registrant Street: 701 Collins Ave, Apt 4B
Registrant City: MIAMI BEACH
Registrant State/Province: FL
Registrant Postal Code: 33139-6203
Registrant Country: US
Registrant Phone: +1.7868777722
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: haveacupoft@gmx.us
Registry Admin ID:


These fake details also appear on a domain airnavrace.net which is used as a namserver domain for the following domains and uses the following IPs:
quarter.su
147.249.171.10 (IDD Information Services, US)
42.96.195.183 (Alibaba, China)

.su domains are usually bad news, and I suspect that quarter.su is up to no good. The WHOIS details for this domain don't give much detail..

domain: QUARTER.SU
nserver: ns1.aim-darts.net.
nserver: ns1.airnavrace.net.
state: REGISTERED, DELEGATED
person: Private Person
e-mail: bartels@xrbox.com
registrar: R01-REG-FID
created: 2013.12.09
paid-till: 2014.12.09
free-date: 2015.01.11
source: TCI


That domain is multihomed on a bunch of IPs:

176.53.125.6 (Radore Veri Merkezi Hizmetleri, Turkey)
37.255.241.29 (TCE, Iran)
108.81.248.139 (William Allard / AT&T, US)
65.27.155.176 (Time Warner Cable, US)
203.235.181.138 (KRNIC, Korea)
95.57.118.56 (Dmitry Davydenko , Kazakhstan)
186.214.212.64 (Global Village Telecom, Brazil)
89.39.83.177 (C&A Connect SRL, Romania)

This, it turns out is the tip of a very large iceberg of malicious domains and IPs which I will cover in the next post.

Friday, 28 February 2014

Companies House "FW: Case - 6569670" spam

This fake Companies House spam leads to malware:

From:     Companieshouse.gov.uk [web-filing@companies-house.gov.uk]
Date:     28 February 2014 12:55
Subject:     Spam FW: Case - 6569670


A company complaint was submitted to Companies House website.

The submission number is 6569670

For more details please click : https://companieshouse.gov.uk/Case?=6569670

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other organisations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK


Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

The link in the email goes to:
[donotclick]economysquareshoppingcenter.com/izmir/index.html
in turn this runs one or more of the following scripts:
[donotclick]homedecorgifts.biz/outfitted/mascara.js
[donotclick]www.coffeemachinestorent.co.uk/disusing/boas.js
[donotclick]citystant.com/trails/pulitzer.js
[donotclick]rccol.pytalhost.de/turban/cupped.js
which in turn leads to a payload site at:
[donotclick]digitec-brasil.com.br/javachecker.php?create=3019&void-cat=4467&first-desk=9002

According to this URLquery report, the payload site has some sort of Java exploit.

Recommended blocklist:
digitec-brasil.com.br
homedecorgifts.biz
coffeemachinestorent.co.uk
citystant.com
rccol.pytalhost.de

Thursday, 27 February 2014

"Royal Mail Shipping Advisory" spam

This fake Royal Mail spam has a malicious payload:

From:     Royal Mail noreply@royalmail.com
Date:     27 February 2014 14:50
Subject:     Royal Mail Shipping Advisory, Thu, 27 Feb 2014

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Thu, 27 Feb 2014 15:47:17 +0530, REF# GB36187692IE

For more details please follow the link below - http://www.royalmail.com/track-trace?=GB36187692IE   

SHIPMENT CONTENTS: Insurance Form

SHIPPER REFERENCE: Please refer to the Royal Mail Shipping Services

ADDITIONAL MESSAGE FROM SHIPPER: Please refer to the Royal Mail Shipping Services

Royal Mail Group Ltd 2014. All rights reserved

This is a ThreeScripts attack, the link in the email goes to:
[donotclick]wagesforinterns.com/concern/index.html 
and it then runs one or more of the following scripts:
[donotclick]billigast-el.nu/margarita/garlicky.js
[donotclick]ftp.arearealestate.com/telecasted/earners.js
[donotclick]tattitude.co.uk/combines/cartooning.js

in this case the payload site is at
[donotclick]northwesternfoods.com/sg3oyoe0v2
which is hosted on 23.239.12.68 (Linode, US) along with a bunch of hijacked GoDaddy sites (listed below in italics). The payload appears to be an Angler Exploit Kit (see this example).

Recommended blocklist:
23.239.12.68
billigast-el.nu
ftp.arearealestate.com
tattitude.co.uk
n2ocompanies.com
northerningredients.com
northwesternfoods.com
oziama.com
oziama.net

Amazon.com "Important For Your Online Account Access" spam / 213.152.26.150

This fake Amazon spam leads to something bad.
Date:      Wed, 26 Feb 2014 13:09:55 -0400 [02/26/14 12:09:55 EST]
From:      "Amazon.com" [t1na@msn.com]
Subject:      Important For Your Online Account Access .

Your Account Has Been Held

Dear Customer ,

We take you to note that your account has been suspended for protection , Where the password was entered more than once .

In order to protect ,account has been suspended .Please update your Account Information To verify the account.

http://www.amazon.com/gp/orc/rml/D0bvnTq6RRMA

Thanks for Update at Amazon.com.

-------------------------------------------------------------
Amazon.com
http://www.amazon.com
-------------------------------------------------------------

Please note: This e-mail message was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.


In the samples that I have seen the link in the email goes to either [donotclick]exivenca.com/support.php or [donotclick]vicorpseguridad.com/support.php both of which are currently down but were both legitimate sites hosted on 213.152.26.150 (Neo Telecoms, France). The fact that these sites are down could be because the host is dealing with the problem, however I would expect to see this same email template being used again in the future, so take care..

Saturday, 22 February 2014

On the trail of 3NT Solutions LLP

NOTE: An updated list of IPs can be found here (October 2017)

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London..


It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box".. in other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the full owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous address registered at Companies House is something different:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too..


Dalton House is basically the same thing as the MBE address, it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.



LLP DESIGNATED MEMBER:
DARL IMPEX LTD


Appointed:
01/04/2011


Nationality:
NATIONALITY UNKNOWN


No. of Appointments:
1


Address:
35 NEW ROAD



BELIZE



BELIZE



NA










LLP DESIGNATED MEMBER:
LEGRANT TRADING LTD.


Appointed:
19/03/2013


Nationality:
NATIONALITY UNKNOWN


No. of Appointments:
1


Address:
BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL



CORNER EYRE&HUTSON STREETS



BELIZE CITY



BELIZE



NA





Belize is a pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered


Alright, let's cut a long story short because we know who this is.. it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.

Not it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP range are allocated to 3NT Solutions LLP. I recommend that you block them.
5.45.64.0/21
5.45.72.0/22
5.45.76.0/22
5.61.32.0/20
37.1.192.0/21
37.1.200.0/21
37.1.208.0/21
37.1.216.0/21
37.252.2.0/24
37.252.12.0/24
130.0.232.0/21

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:
 46.21.147.128/25
46.21.148.128/25
46.22.211.0/25
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
94.100.17.128/26
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24