
Tuesday, 6 May 2014

Sinister spam from "Agent Feather"

This sinister spam comes with a malicious payload..

From:     Agent Feather [afgeathe32322323@gmail.com]
Reply-To:     afgeathe32323323@gmail.com
Date:     6 May 2014 02:12
Subject:     Do something before it's too late!


My Friend,

Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.

What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.

You are to note the following and observe them, contrary to these, you will never hear from me again.

1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.

Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.

Yours sincerely,
Agent Feather.

Attached is a file His Voice.zip which unzips to another file called Voice Conversation without any extension at all. In fact, this file is a malicious executable (you would have to rename it to Voice Conversation.exe manually if you want to infect yourself) which has a VirusTotal detection rate of 13/49.

Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.

Thursday, 1 May 2014

Something evil on 146.185.213.69 and probably the whole /24

146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious.

Well, you can probably assume that all those domains are malicious (even without the ads. prefix). But a look at the IP address range was revealing:

inetnum:        146.185.213.0 - 146.185.213.255
netname:        Customer-Valyalov-net
descr:          net for user Valyalov (hosting and VPS)
country:        RU
admin-c:        VME12-RIPE
tech-c:         VME12-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     LIPATOV-MNT
source:         RIPE # Filtered

person:         Valyalov Mikhail Evgenyevich
address:        Sankt-Petersburg, Volynski per., d. 2, lit. A, pom. 12N
phone:          +79099740171
nic-hdl:        VME12-RIPE
mnt-by:         VEROX-MNT
source:         RIPE # Filtered

route:          146.185.213.0/24
descr:          Valyalov-Net @ RN-Data/AltNet datacenter
origin:         AS41390
mnt-by:         LIPATOV-MNT
source:         RIPE # Filtered


The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 [csv] appears to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here and in several other places).

So, frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus these following domains:


"BiP Solutions Company" fake invoice spam

This fake invoice spam message leads to a malicious download:

Date:      Thu, 01-May-2014 15:12:56 GMT [11:12:56 EDT]
From:      Eduard Fulton [bfischernn@netmedia1.com]
Subject:      Notification of your invoice

Dear Customer
Our company has obtained your order and it'll be processing for 2 days.
The the bill of parcels and delivery details are below:
http://www.anat-barnir.co.il/04-05-2014/clients/clients.045-264.zip
Sincerely yours,
BiP Solutions Company
Eduard Fulton

BiP Solutions is a real company, but this spam did not come from them. The link in the email goes to a legitimate (but hacked) site in Israel and downloads a file clients.045-264.zip which unzips to a malicious executable clients.045-264.PDF______________________________________________________.exe (there are a lot of underscores in there, yes). This has a VirusTotal detection rate of 15/52; however, automated analysis tools [1] [2] are inconclusive as to what it actually does.

Tuesday, 29 April 2014

constructiondeal.com spam

Who are constructiondeal.com? And why are they spamming a spamtrap?

From:     Jenny Garcia [membership@m2.constructiondeal.com]
Reply-To:     Jenny Garcia [membership@m2.constructiondeal.com]
To:     "donotemail@wearespammers.com" [donotemail@wearespammers.com]
Date:     28 April 2014 17:49
Subject:     Your account activity
Signed by:     constructiondeal.com

I know you're busy so I went ahead and reviewed the customer activity in your area. Many homeowners are requesting estimates for your services in 90805. Take a look at these jobs and let me know if you can provide estimates for this work in the next week or two?

View the jobs here and let me know if you can do this work.


Best Wishes,

Jenny Garcia
Customer Service
(866) 887-7017

Copyright © 2014 Home Improvement, LLC
Our address is 1033 Young St., Dallas, TX, 75202, USA

If you do not wish to receive future email, click here.
(You can also send your request to Customer Care at the street address above.) 

90805 is Long Beach, California, but I have no idea where they came up with that particular ZIP code.

Links in the email go to acton.constructiondeal.com (207.189.124.58 / ViaWest, US) and then onto www.constructiondeal.com (66.63.178.68 / Quadranet, US). Originating IP is 209.162.194.139 (Act-on Software, US) and is digitally signed showing that constructiondeal.com permits sending through that IP. In other words, the email is really from constructiondeal.com and is not a fake.

The domain contact details are partly hidden, but the CEO of owner Capital Enterprise Group, LLC is Igor Mironenko who appears to hail from the Los Angeles area. Constructiondeal.com is listed at the BBB and despite having a large number of complaints it still manages an A- rating.

But in any case, I recommend a zero-tolerance approach to spammers and would personally give this firm a wide berth.

Monday, 28 April 2014

Message From The QUEEN!!!

Wow.. a Message From The QUEEN!!!

From:     Victoria Leopold [abuse@nospam.com]
Reply-To:     leopold.victoria@yahoo.co.uk
Date:     28 April 2014 14:35
Subject:     Message From The QUEEN!!!


Best Regards
Leopold Victoria (Queen).

Queen Elizabeth House
3 Mansfield Road
Oxford OX1 3TB

Strangely, I thought that the Queen was Elizabeth Windsor who lived in Buckingham Palace, London. But perhaps I am wrong. It looks like Queen Leopold has fallen on hard times and is having to use a Yahoo! free email account. And isn't Leopold a man's name?

Of course, this is a scam. Originating IP is 81.149.158.33 (BT, UK) via gwkent.com (69.198.120.156). Avoid.

"This email contains an invoice file attachment" spam

This very terse spam comes with a malicious attachment:

Date:      Mon, 28 Apr 2014 17:23:58 +0900 [04:23:58 EDT]
From:      Accounts Dept [shortchanges2@morgan-bros.co.uk]
Subject:      Email invoice: 2552266

This email contains an invoice file attachment

Attached is a file emailinvoice.8630595.zip which in turn contains a malicious executable emailinvoice.197291101.exe which has a VirusTotal detection rate of 5/51.

Automated analysis tools [1] [2] [3] show various system changes being made, but make no record of network activity.

Friday, 25 April 2014

"Unity Messaging System - Internal Payroll" spam

This fake payroll spam comes with a malicious attachment:

Date:      Fri, 25 Apr 2014 12:36:43 +0900 [04/24/14 23:36:43 EDT]
From:      Unity Messaging System [Unity_UNITY9@victimdomain.com]
Subject:      Internal Payroll

File Validity: 24/04/2014
Company : http://victimdomain.com
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.

The email appears to be from the victim's own domain and references it in the body of the email. A look at the mail headers shows that this deception runs more deeply..

Received:     
    (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
    from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
    from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
    from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900


The actual origin of the spam is 218.216.224.142 in Japan. The lines before that are all fake and are attempting to make it look like the email originated from inside the victim's own network (using a 10.x.x.x address). Quite why they bother with this level of detail is a mystery, because anyone technically savvy should spot that it comes with a malicious payload.
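
Working through the forged chain above programmatically, as an added example (not code from the original post): walk the Received: lines from the top, believe only the hops stamped by your own relay (assumed here to be the redacted server, written "[redacted]" exactly as it appears above), and stop at the first hop that arrived from a public address; everything below that line is text the sender wrote.

```python
import ipaddress
import re

# Constructed sample: the Received: chain quoted from the "Internal Payroll"
# spam above, most recent hop first, exactly as a mail client shows it.
RECEIVED = [
    "(qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000",
    "from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000",
    "from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000",
    "from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) "
    "with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900",
    "from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) "
    "with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900",
]

# Assumption: our own MTA appears as "[redacted]" in the "by" clause.
TRUSTED_RELAYS = {"[redacted]"}

HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)"
)


def parse_hop(line):
    """Extract the claimed sending host/IP and the receiving host from one
    Received line. Returns None for lines without a from/by pair, such as
    qmail's local "invoked from network" stamp."""
    m = HOP_RE.search(line)
    if not m:
        return None
    return {"host": m.group("host"),
            "ip": ipaddress.ip_address(m.group("ip")),
            "by": m.group("by")}


def true_origin(received, trusted_relays):
    """Walk the chain top-down. A hop is believable only if one of our own
    relays stamped it; the first such hop that received from a public IP is
    the real origin. Returns (origin_ip or None, lines we cannot verify)."""
    for i, line in enumerate(received):
        hop = parse_hop(line)
        if hop is None:
            continue
        if hop["by"] not in trusted_relays:
            # Stamped by a server we do not control: nothing from here on is trustworthy.
            return None, received[i:]
        if hop["ip"].is_global:
            return str(hop["ip"]), received[i + 1:]
    return None, []


def forged_internal_hops(lines, victim_domain):
    """Among sender-supplied hops, pick those that pretend to be internal
    relays: RFC 1918 source address and the victim's own domain in "by"."""
    out = []
    for line in lines:
        hop = parse_hop(line)
        if hop and hop["ip"].is_private and hop["by"].endswith(victim_domain):
            out.append(f'{hop["host"]} ({hop["ip"]}) by {hop["by"]}')
    return out


if __name__ == "__main__":
    origin, unverified = true_origin(RECEIVED, TRUSTED_RELAYS)
    print("true origin:", origin)
    for fake in forged_internal_hops(unverified, "victimdomain.com"):
        print("forged internal hop:", fake)
```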

The attachment is Payroll.zip which in turn contains a malicious executable Payroll.scr which has an icon that makes it look like an Excel file (which it isn't). If you are hiding file extensions (which is the insecure default setting for Windows) then you might be fooled.

If you haven't already done it.. when you have a folder open in Windows, go into Organize -> Folder and search options -> View and then untick Hide extensions for known file types.


Then it will become clear that this isn't an Excel spreadsheet at all (ending in .xlsx or .xls) but is something more sinister.


Yes, .scr is actually an executable file (a more typical one would be .exe). In this case the file is definitely malicious and has a VirusTotal detection rate of 26/51.
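
A mail-gateway style check for the naming tricks seen in this and the other posts on this page (Payroll.scr, the padded .PDF____.exe, a file with no extension at all), written as an added example rather than code from the original post. The extension sets are assumptions, and explorer_display_name only approximates what Explorer shows when "Hide extensions for known file types" is left on.

```python
import os

# Extensions Windows runs as a program even when the icon says otherwise;
# .scr (screen saver) is what the Payroll.scr attachment above uses.
# These sets are assumptions for the example, not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".cpl", ".msi"}
# Extensions a recipient would expect on a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
PADDING = " _."   # characters used to push the real extension out of view


def explorer_display_name(filename, hide_known_extensions=True):
    """Approximate what Explorer shows for a file name. With the default
    'Hide extensions for known file types' setting the last registered
    extension is dropped, so Payroll.scr is shown as just 'Payroll'.
    Assumes every extension in the two sets above is a registered type."""
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def attachment_risk(filename):
    """Return the reasons an attachment name looks deceptive; an empty list
    means none of the tricks from these spam runs were found."""
    reasons = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if not ext:
        # "Voice Conversation" with no extension: type unknown until examined
        reasons.append("no extension at all")
        return reasons
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension {ext} runs as a program")
    trimmed = stem.rstrip(PADDING)
    if trimmed != stem:
        reasons.append(f"{len(stem) - len(trimmed)} padding characters before the real extension")
    inner = os.path.splitext(trimmed)[1].lower()
    if inner in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"document extension {inner} placed in front of {ext}")
    return reasons


def scan_names(names):
    """Map each name to (what Explorer would show, list of reasons)."""
    return {n: (explorer_display_name(n), attachment_risk(n)) for n in names}


if __name__ == "__main__":
    # Attachment names quoted in the posts on this page, plus one clean control.
    samples = [
        "Payroll.scr",
        "Statement.scr",
        "clients.045-264.PDF______________________________________________________.exe",
        "Invoice 288910 March 2014.exe",
        "Voice Conversation",
        "Payroll.xls",
    ]
    for name, (shown, reasons) in scan_names(samples).items():
        print(f"{name!r:80} shown as {shown!r}: {reasons or 'ok'}")
```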

Automated analysis tools [1] [2] [3] show an attempted download from:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar

These download locations are the same as used in this "Balance Scheet" spam from yesterday and I recommend that you block the domains in question.



Thursday, 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.

The mail headers in the email have been faked to make it look like it originated inside the victim's own internal network. Attached to the email is an archive file Balance-Sheet.zip which in turn contains a malicious executable Balance-Sheet.exe which has a VirusTotal detection rate of just 3/51.

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar




"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names).

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN

The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.


OnePlus One


Expected Q2 2014
23rd April 2014

Possibly the greatest smartphone you have never heard of, the OnePlus One is an attractive, premium smartphone without the expensive price-tag.



OnePlus is a startup founded late last year by Pete Lau, vice-president of up-and-coming Chinese firm OPPO. The stated design philosophy of OnePlus is "Never Settle" which is reflected in an apparently very high quality of product design. The OnePlus One manages to look both smart and distinctive at the same time.

Elegance is sometimes only skin-deep, so what lies underneath the One's pleasing exterior? Inside is a 2.5GHz quad-core Qualcomm Snapdragon CPU with 3GB of RAM, 16 or 64GB of storage and a large 3100 mAh battery. On the front is a 5.5" 1080 x 1920 pixel full HD display with a 13 megapixel camera on the back and a 5 megapixel one on the front. It's worth noting that the main camera is a Sony Exmor unit which has a proven track record in this type of device.

This is an LTE-capable device with NFC support and all the usual high-end features. But there are some more unusual features too.. prefer on-screen navigation buttons? You can have those. Prefer the buttons at the bottom? Well, you can switch on those instead. Want to personalise your phone? You can change the back of the device, and you can even use a wooden panel like the Moto X. In fact, the OnePlus One seems to be full of little design details that lift it way above the run-of-the-mill and allow it to compete with leaders such as the HTC One M8 and Apple iPhone 5S.

The operating system is Cyanogenmod 11S which is a reworking of Android 4.4. Cyanogenmod is popular with people who like to create custom ROMs for their Android devices, and it has a dedicated following of users and developers. You can control the OnePlus with gesture control and pretty much customise it in exactly the way you want.. something that can be difficult with other Android handsets.

The hardware and software look appealing.. but what about the price? OnePlus say that the One will cost $299 / €269 for the 16GB Silk White version or $349 / €299 for the 64GB Sandstone Black version. Initial markets will be the US, most of Western Europe*, plus Hong Kong and Taiwan.

That price is about half that of the HTC One M8 which is probably the best handset on the market at the time of writing. OnePlus say that the One should be available during Q2 although the initial release looks like it will be through invitation only. More details can be found on their website at oneplus.net.

One word of warning though - OnePlus are a completely new startup and the company has no track record in getting products to market (although many of their employees do). It's quite possible that the product might ship late (or not at all), the price might change or the quality might not be up to scratch. But we certainly hope that this handset is as good as it promises to be.

* Austria, Belgium, Denmark, Finland, France, Germany, Italy, Netherlands, Portugal, Spain, Sweden, United Kingdom.

OnePlus One at a glance
Available: Q2 2014
Network: GSM 850 / 900 / 1800 / 1900; UMTS 850 / 900 / 1700 / 1900 / 2100; LTE Bands 1 / 3 / 4 / 7 / 17 / 38 / 40
Data: GPRS + EDGE + UMTS (3G) + HSPA+ + LTE + WiFi
Screen: 5.5" 1080 x 1920 pixels
Camera: 13 megapixels (main), 5 megapixels (sub)
Size: Large smartphone, 153 x 76 x 8.9mm / 162 grams
Bluetooth: Yes
Internal memory: 16GB / 64GB
Memory card: None
CPU: 2.5GHz quad-core
RAM: 3GB
Java: Optional
GPS: Yes (plus GLONASS)
OS: Cyanogenmod 11S / Android 4.4
Battery life: Not specified (3100 mAh cell)


Wednesday, 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

UPDATE 2014-05-06:  there is a new version of this with a malicious .PDF attachment, please scroll down for more details.

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say their email has been hacked, it has not.. this is a forgery)

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject:      Invoice 739545

Hello,

Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

(Main) 01884 242626  (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602


CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com

The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:

Recommended blocklist:

UPDATE 2014-05-06:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include

The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw CVE-2010-0188 which was patched a long time ago, so if you have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.

Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.

UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.

Automated analysis tools [1] [2] [3] show that this in turn downloads components from the following locations:


This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe) has a VirusTotal detection rate of only 2/52 which does various bad things [1] [2] [3].
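
A detection sketch for the behaviour these two downloads share, as an added example (not code from the original post): one infected client fetching the same path (/11, then /111) from many unrelated hosts within seconds. The proxy-log layout and the log lines are constructed for the example; the host names are taken from this post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log in a simplified Squid-like layout:
#   epoch_seconds client_ip method url status
# The /11 and /111 hosts are ones named in this post; the timing is invented.
LOG = """\
1398300001 10.0.0.41 GET http://www.example.com/index.html 200
1398300002 10.0.0.41 GET http://yourmedialinkonline.com/11 404
1398300002 10.0.0.41 GET http://dframirez.com/11 404
1398300003 10.0.0.41 GET http://duvarikapla.com/11 404
1398300003 10.0.0.41 GET http://duvallet.eu/11 200
1398300010 10.0.0.41 GET http://www.example.com/news/11 200
1398300020 10.0.0.55 GET http://www.example.com/index.html 200
1398300021 10.0.0.55 GET http://pgalvaoteles.pt/111 404
1398300025 10.0.0.55 GET http://axisbuild.com/111 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": int(m.group(1)), "client": m.group(2),
                   "url": m.group(4), "status": int(m.group(5))}


def fanout_alerts(records, min_hosts=3, window=60):
    """Flag (client, path) pairs where one client requested the same URL path
    from at least min_hosts distinct hosts within `window` seconds. A downloader
    walking a list of compromised sites that all serve its stage at /11 produces
    exactly this shape; ordinary browsing rarely does."""
    by_key = defaultdict(list)
    for r in records:
        parts = urlsplit(r["url"])
        by_key[(r["client"], parts.path)].append((r["ts"], parts.hostname))
    alerts = []
    for (client, path), hits in by_key.items():
        hits.sort()
        for t0, _ in hits:
            hosts = {h for t, h in hits if t0 <= t < t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append({"client": client, "path": path,
                               "hosts": sorted(hosts), "first_seen": t0})
                break
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(list(parse_log(LOG))):
        print(f'{a["client"]} fetched {a["path"]} from {len(a["hosts"])} hosts: '
              f'{", ".join(a["hosts"])}')
```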

Because detection rates are still low, you might want to consider blocking the following domains:

UPDATE 2014-05-06 III: 
Another downloaded file is:
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe

This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis [1] [2] [3] [4] shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.

Payload appears to be Gameover / P2P Zeus.

(btw, thanks to the #MalwareMustDie team for help!)

UPDATE 2014-05-12:
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of 8/50.

The PDF downloads a file from:
[donotclick]infodream.eu/images/1.exe
..which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:

[donotclick]www.freshanswer.com/b70.exe
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe
[donotclick]park-laedchen.de/illustrate/offending


Out of these, only the first download appears to be working; that binary has a detection rate of 27/52. Automated analysis of this binary [1] [2] [3] shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
217.174.105.92
93.171.173.34
91.221.36.184
37.143.15.103
146.255.194.173

Thanks again to the #MalwareMustDie team for assistance!


Thursday, 17 April 2014

omronfitness.com hacked, used in pharma spam run

Overnight I received about 500 messages similar to this:

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Bethany Briseno, Support Team manager.

---------

Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

Thank you for taking the time to contact us.

Regards, Silas Mixon, Support Team manager.

---------

Thank you for considering our products and services, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Jenna Golden, Support Team manager.

---------


Thank you for your letter of Apr 17, your information arrived today.

Alright, here's the link to the site:

Proceed to Site

If we can help in any way, please do not hesitate to contact us.

Sincerely, Fredricka Palacios, Support Team manager.

In each case the message was from either "Support Center" or "Ticket Support" with a subject in the form of "Ticket [#5409290]" (the number is random).



The links in the email go to a legitimate site omronfitness.com belonging to Omron Healthcare which has been hacked to serve illegal pharmacy pages, for example:
[donotclick]omronfitness.com/buyaccutane/
[donotclick]omronfitness.com/buyflomax/


The landing page does not appear to be malicious, but care should be taken. See this URLquery report for an example.

Omron is a multibillion dollar Japanese corporation, but it appears to have been hacked through an insecure WordPress installation which is rather shabby.

One amusing sidenote, the server 23.21.115.143 that hosts omronfitness.com also hosts another Omron-owned site moronfitness.co. Enough said.

Update 22/4/2014: Omron say that they have now fixed the issue.

Wednesday, 16 April 2014

Something still evil on 66.96.223.192/27

Last week I wrote about a rogue netblock hosted by Network Operation Center in the US. Well, it's still spreading malware but now there are more domains active on this range.

A full list of the subdomains I can find is listed here [pastebin]. I would recommend that you apply the following blocklist:


Tuesday, 15 April 2014

Sky.com "Statement of account" spam

Another fake sky.com email with a malicious payload..

Date:      Tue, 15 Apr 2014 19:40:23 +0800 [07:40:23 EDT]
From:      "Sky.com" [statement@sky.com]
Subject:      Statement of account

Afternoon,

Please find attached the statement of account.

We look forward to receiving payment for the February invoice as this is now due for
payment.

Regards,
Kathy

This email, including attachments, is private and confidential. If you have received this
email in error please notify the sender and delete it from your system. Emails are not
secure and may contain viruses. No liability can be accepted for viruses that might be
transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens
House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members:
Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP. 
Attached is a file Statement.zip containing a malicious executable Statement.scr, which has a VirusTotal detection rate of 9/51. Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]pelicansea.com/css/1504UKd.zip
[donotclick]twinest.com/images/1504UKd.zip


A number of other IPs are contacted as well, indicating that this is P2P/Gameover Zeus.


Friday, 11 April 2014

Something evil on 62.75.140.236, 62.75.140.237, 62.75.140.238 and 64.120.207.253, 64.120.207.254

[NOTE: the IPs listed here appear to have been cleaned up]

This set of IPs is being used to push the Angler EK [1] [2]:

Intergenia, Germany
62.75.140.236
62.75.140.237
62.75.140.238

Network Operations Center (HostNOC), US
64.120.207.253
64.120.207.254

A look at the /24s that these ranges are in indicates a mix of malicious and legitimate sites, but on the whole it might be a good idea to consider blocking traffic to 62.75.140.0/24 and 64.120.207.0/24.

Sites on these IPs consist of hijacked subdomains of (mostly) legitimate domains in the Intergenia range and purely malicious domains in the HostNOC range. I would recommend that you block the following:

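The two blocklists above (this one and the 66.96.223.192/27 list from the following post) mix three kinds of entry, and a defender should treat them differently: hijacked subdomains of legitimate domains (the Intergenia list) should be matched as exact hostnames so the parent domain is not blocked, purely malicious domains (the HostNOC list) should be matched together with all their subdomains, and netblocks should be matched on the destination IP. The check below is an added example, not the post's own code or tooling; the hostnames and netblocks come from the posts, while the proxy log format and the sample lines are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Entries from the posts above. Hijacked subdomains of legitimate domains are
# matched exactly, so the parent domain (e.g. sogesca.al) stays reachable.
EXACT_HOSTS = {"casga.sogesca.al", "enetian.reddigitalonline.com"}
# Purely malicious domains: every subdomain is blocked as well.
BAD_DOMAINS = {"odtoidcwe.info", "bychemawe.net"}
# The /27 from the 66.96.223.192 posts plus the five Angler EK IPs as /32s.
BAD_NETS = [ipaddress.ip_network(n) for n in (
    "66.96.223.192/27", "62.75.140.236/32", "62.75.140.237/32",
    "62.75.140.238/32", "64.120.207.253/32", "64.120.207.254/32")]
# Constructed proxy log format: client IP, method, requested host, destination IP.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def host_is_blocked(host: str) -> bool:
    """True for an exact blocked hostname or any name under a blocked domain."""
    host = host.lower().rstrip(".")
    if host in EXACT_HOSTS:
        return True
    labels = host.split(".")
    # Walk up the label tree (cdn.odtoidcwe.info -> odtoidcwe.info), never the bare TLD.
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels) - 1))

def ip_is_blocked(ip: str) -> bool:
    """True if the destination address falls inside one of the blocked netblocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address: cannot be a netblock hit
    return any(addr in net for net in BAD_NETS)

def find_hits(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every log line matching the blocklist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        client, _method, host, dst_ip = m.groups()
        if host_is_blocked(host):
            hits.append((client, host, "host"))
        elif ip_is_blocked(dst_ip):
            hits.append((client, host, "ip"))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET casga.sogesca.al 62.75.140.236",     # hijacked subdomain
    "10.0.0.5 GET www.sogesca.al 203.0.113.10",        # legitimate parent: allowed
    "10.0.0.7 GET cdn.odtoidcwe.info 64.120.207.253",  # under a malicious domain
    "10.0.0.9 GET example.org 66.96.223.200",          # unknown host, inside the /27
    "10.0.0.9 GET example.org 66.96.223.191",          # one address outside the /27
]
```

Running `find_hits(SAMPLE_LOG)` flags the first, third and fourth lines and leaves the legitimate parent domain and the address just outside the /27 alone.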

Thursday, 10 April 2014

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advanced fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014


Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:
  • Receive current updates on a range of topics, from leaders and expert practitioners.
  • Understand the latest scientific research in detail and discover its implications for your work.
  • Explore and debate controversial topics, discuss what is best for your clients and patients.
  • Sponsorship of air ticket, travel insurance, visa fees and per diem.
  • Enhance your skill set and progress your career.
  • Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
  • Participate in the Exhibitor Trail and win prizes!
  • Present your research, project, product or campaign, attract attention and promote your achievements
  • Registration is free of charge for participants from developing countries.
Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173
The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Wednesday, 9 April 2014

Something evil on 66.96.223.192/27

There seems to be some exploit activity today on the IP range 66.96.223.192/27 (a customer of Network Operations Center, US). Most domains are already flagged as malicious by Google, and I've reported on bad IPs in this range before.

A list of the domains I can find in this range, their myWOT ratings and Google and SURBL prognoses can be found here [csv].

I would recommend applying the following blocklist:

Tuesday, 8 April 2014

Michael Price and BizSummits get ROKSO listed, scurry under the spotlight

Recently I wrote about a spam run being sent by Michael Price and/or BizSummits and examined the high level of fake material on their "Summits" websites.

In the past few days, BizSummits and Michael Price have the very dubious distinction of being listed in the Spamhaus ROKSO list of what they consider to be the worst spammers worldwide.

A ROKSO listing is bad news because it means that reputable web hosts will not do business with them.

So what happened next?

Well, basically most of the domains listed here have suddenly changed registrar and IP address, and the WHOIS details have been changed to something that looks rather fake (in my opinion). For example, the domain BizSummits.org has the WHOIS details changed from:

Registrant ID:CR38175629
Registrant Name:DNS Administrator
Registrant Organization:BizSummits
Registrant Street: 1200 Abernathy Rd, 17th Floor
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30328
Registrant Country:US
Registrant Phone:+1.8006003389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


to

Registrant ID:NS-b48b7b229f5dc
Registrant Name:Michael Loeloff
Registrant Organization:
Registrant Street: 8380 Lagos De Campo Blvd
Registrant City:Tamarac
Registrant State/Province:FL
Registrant Postal Code:33321
Registrant Country:US
Registrant Phone:+1.2025688305
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:dnsadmin@bizsummits.org


..which is an anonymous-looking apartment in Florida. Most of the other domains have been geographically scattered to different addresses and names. Strangely none of the registrants seem to have a web footprint. In my personal opinion, these addresses are deliberately fake, and they have been changed by someone working for BizSummits.

It isn't just the WHOIS details that have changed: the registrar in the case of BizSummits.org has changed from GoDaddy to NameSilo for unknown reasons, and the IP address has changed from 184.168.221.27 (GoDaddy) to 198.199.112.47 (Digital Ocean). To me that looks like GoDaddy booted them off their network, although there could be other explanations I suppose.

Conversely, most of the domains used in the spam run listed here appear to have been deleted, either by the registrar or by the owner. It doesn't really matter as far as evidence is concerned because services such as DomainTools maintain historical WHOIS records.

Overall, there seems to be a great deal of scurrying around as the spotlight has been shone on their activities.

I'm curious as to whether or not Michael Price or BizSummits think that the spam run sent from their servers was legitimate and legal, and as to whether or not they believe that the use of the images from other companies is justified.

It does appear that someone using Michael Price's photograph and name tried to post a comment, and then thought better of it. Hmmm.


Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe, which has a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:

Monday, 7 April 2014

Quantcast email address leak

Quantcast measures web analytics, and they are widely used by many websites worldwide, including one I operated myself.

However, it seems that Quantcast have some sort of email address leak because the following spam email was sent to an address only used to sign up for Quantcast's services.

From:     iTriplingStocks [redacted]@livraphone.fr
Date:     7 April 2014 20:08
Subject:     Dear [redacted], Three hundred percent gains is super possible



However in 1381 a treaty was signed in which allowed him to return. In 2008, Thames Water submitted plans for 96 homes on the site. Connor's horse Waterford Crystal. French hands between 1781 and 1782, and broken up in 1797. They were later replaced by Generation 1 DVD volumes, and later complete season boxed sets. It consists of the village of Luzein which is made up of the sections of Buchen, Luzein, Pany and Putz. February 1955, while in reserve. Juan Sebastian Lach moved to Europe and studied for a doctorate in cognitive musicology. Stop, only add extraordinary stunts here, and only if you have reliable sources. I think I want to be in the Guinness Book of World Records.
However at Dawn workers cleared the gap where the animals came in trapping them in. Germany dated from roughly 14,000 years ago. Francesco also made furniture and panelling for private and ecclesiatical clients. He claimed to be a god, whereas he was only a servant of the Devil, and as such he met his fate. There have been two unofficial fan remakes. Ecuador, at an altitude between 2,100 and 2,300 m asl. O God, do not leave me. The design has been simplified and a whole range of new security features were introduced.
Indonesian general as ambassador to Australia. Diagram created by me. When Gomo died in 1815, Senachewine became chief of the village. The same magazine gave Hannity their Freedom of Speech Award in 2003. Chavan started his political career in 1991,his name was proposed by Mr. Yale, Fruton became Director of the Division of Science, a position he held until 1962. City Sightseeing Ltd to City Sightseeing Worldwide S. If there were some heightened state of tension, we would, believe me, we would not let them get that close.
The first pressing of the album came in sleeve case packaging. Turkishness and the Republic. Hendschiken while 255 people commuted into the municipality for work. The Broletto in Como is faced with polychrome marble. About 20 additional motels, Inns and Bed and Breakfast operations are based in Digby making tourism an important employer. Alan Bray, a bassist. Italian Ministry of Treasury. Kentucky's head football coach. Soldiers, and turned against the Soviet regime. The source of information should be relevant, including existing solutions. Beata Vergine Assunta e S. In space DeGill has been captured by his old nemesis, the big game hunter Pontifadora the Conquistadora.
When assessing mental involvement in narrative text, items involved more imagery and imagination. Windham was founded in 1951 by Walter F. Diescher and John Endres became friends and business partners. He has also directed videos for The Saturdays and Sugababes.

The spam is the RCHA pump-and-dump spam reported here, and that campaign makes heavy use of email addresses stolen in this way.

It is impossible to say when the email addresses leaked from Quantcast or what data may have leaked with them. However, the chance of a spammer guessing this particular email address would be one in 26^12 (95,428,956,661,682,176), which is practically zero.

Update: Quantcast are investigating the issue at present.