Wednesday 14 May 2014

One. Two. Three. Network Operations Center hosting things as bad as can be.

Network Operations Center doesn't exactly have a glowing reputation for cleanliness when it comes to malware. The following IPs and hosts seem to be distributing something nasty which appears to be injected into victim sites.

I don't have a good analysis of what is going on at the moment, so you'll just have to take my word for it. The activity has been observed on the following Network Operations Center IP addresses over the past few days:

A lot of these IPs are connected with things like porn sites, but they also host a number of malicious subdomains prefixed one., two. and three. You can safely assume that the domains themselves are malicious (listed at the end of the post if you want to block them). Malicious subdomains spotted are:

Recommended blocklist:


Monday 12 May 2014

Yahoo! Advertising Services (formerly overture.com) email address leak

A long, long time ago there used to be a company called Overture.com that did online advertising, and it was acquired by Yahoo! some time ago.

Now, I use a unique email address for every service I use, and today I was surprised to see the address I used for Overture being used in this spam. I believe this is the first time that I have ever seen spam to this address, so I assume that this is a recent leak of addresses (and Yahoo! has had all sorts of problems with breaches and the Heartbleed bug recently).

The botnet sending out this spam does seem to have access to leaked email data that I haven't seen used before. So is this an early warning of yet another problem at Yahoo?

Friday 9 May 2014

Dr. Annette Bosworth is a moron spammer

I'm not very interested in US politics, and I certainly don't live there. So why is this moron spammer trying to get me to vote for her?

From:     Anette Bosworth [anette.bosworth@bosworthcampaign.com]
Reply-To:     anette.bosworth@bosworthcampaign.com
Date:     9 May 2014 15:27
Subject:     Not Cool, Guys
Signed by:     bosworthcampaign.com

Honestly, who acts like this? 

This is my first run for political office.  I am a doctor, not a career politician, but I just couldn’t sit on the sidelines and watch what is happening to our great nation any longer.

I have always stood up for what I believe in.  The first time I stood up to a bully I was 7 years old.

Today, the biggest bully I see is the federal government.  I grew up on a working farm in Plankinton, South Dakota.  I am a doctor who works with the elderly and the poor.  The clinic I own is a small business.  In every area of work and life, there is just too much government interference.

Being a doctor, I understand how unfair and harmful Obamacare really is -- and I have vowed to repeal every single word of it.  I also pledge to cut taxes, defend the second amendment, and to protect the unborn.

Washington, D.C. insiders don’t want to see people like you and me change their way of doing business.

Change is possible, but it takes effort from all of us.

I am fighting for that change against an establishment insider with millions of dollars, much of it PAC money from special interest groups.

My opponent has so much PAC money, he can afford to be wasteful – and he is.  Just this week, he produced a slick advertisement for TV that didn’t even feature voters from the state of South Dakota.  And when he was caught, he didn’t even apologize -- he just threw the advertisement away.

That’s not how I do things.

I am a fiscal conservative.  I promise that if you donate now, your hard earned donation will be used in a responsible way to fight big government and wasteful spending.  I need your help to get there. Will you join me?

Absentee ballots in South Dakota are mailed out this month and that’s when voting begins – will you chip in $5 or more today?

The donation you make today will help us get our message to voters.

Thanks,
Dr. Annette Bosworth

To unsubscribe please click here
   

Dr. Annette Bosworth
2601 S. Minnesota Ave, Suite 105-129, Sioux Falls, SD, 57105

Paid for by Dr. Annette Bosworth for U.S. Senate

Contributions to Bosworth for US Senate are not tax deductible

It seems that she's a Doctor of some sort, but she opposes affordable healthcare. As a European we are constantly amazed and horrified at the way US healthcare professionals just let people die when the money runs out of their insurance policy.. if they have an insurance policy. Until Obama forced changes to the US healthcare system through it was 100 years behind that in Europe. Now it is only 80 years or so behind. Progress I guess.

Also, Annette Bosworth (or whatever idiot is spamming on her behalf) is attempting to solicit funds through fundly.com which violates their terms of service. Luckily she hasn't been able to recruit many other morons to her cause and has only raised $1,150 out of a target of $750,000.

Well, since this is an abuse of the Fundly terms of service, then getting it shut down and losing the funds could be a bit of a laugh.

The spam originates from two18.2bits.co (63.143.38.243) and spamvertises a site at marketer.2bits.co (63.143.38.226). Both these IPs are allocated to Limestone Networks in the US, but are suballocated to a customer called Joseph (Joey) Burzynski of ResistedNormalcy LLC and/or MarketKar.ma in Dallas. The email is digitally signed for the domain bosworthcampaign.com which has hidden WHOIS details.

Of course, this could be a subtle Joe Job intended to frame Annette Bosworth and make her look like a moron. But according to Joey Burzynski's own Facebook page at www.facebook.com/resistednormalcy/likes he "likes" Annette Bosworth. And tattoos. A lot.

There are plenty of other indicators online that Dr Bosworth has employed the promotional "talents" of Mr Burzynski.

I'm not the only one that thinks that this is spammy either, because Gmail says..


Presumably Annette Bosworth thinks that her point of view is so important that she can spam it out to people at random, regardless of where they live. I personally think she is a moron spammer and hope that the electors of South Dakota treat her accordingly.

UPDATE 12 May 2014: According to US law..
Contributions and donations may not be solicited, accepted, or received from, or made directly or indirectly by, foreign nationals who do not have permanent residence in the United States (i.e., those without green cards). This prohibition encompasses all US elections; including federal, state and local elections. 11 CFR 110.20(b).
So it would be prohibited for Dr Bosworth's campaign to accept a donation from me as I live in the UK and have never even visited the US.

So it's probably a bad move that they accepted my ten bucks.

 There's a lively discussion about this over at the Madville Times.

UPDATE 13 May 2014: it has been said that Americans don't get irony. When I made my illegal $10 contribution to Annette Bosworth's campaign, I added the comment "Ten Bucks Well Spent!" because I knew that accepting the money from a foreign donor would have some entertaining repercussions.

What I didn't expect was that not only would the donation be accepted, but that Dr Bosworth would also quote me on her Facebook page..


I like the comment "GOOD AMERICAN;;" (even with the spurious semicolons. Perhaps Americans don't understand semicolons either. I'm not sure I do) because of course I am British. And if Dr Bosworth's supporters knew my political leanings then they would assume I was the Spawn of Satan.

Interestingly, this means that they not only accepted the donation but someone took the time to review it.. surely then they should have spotted that I was not in the US.

Ten bucks well spent indeed!

And for those asking.. here is the receipt:

UPDATE 5 June 2014: Annette Bosworth has been arrested on charges of perjury.

HMRC spam / VAT0781569.zip

This fake HMRC spam comes with a malicious attachment:

Date:      Fri, 9 May 2014 12:47:49 +0530 [03:17:49 EDT]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      Successful Receipt of Online Submission for Reference 0781569


Thank you for sending your VAT Return online. The submission for reference 0781569 was
successfully received on Fri, 9 May 2014 12:47:49 +0530  and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes. 

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.


This is part one of the infection chain. Automated analysis [1] [2] [3] shows that components are then downloaded from the following locations:

[donotclick]bmclines.com/0905UKdp.rar
[donotclick]gamesofwar.net/img/icons/0905UKdp.rar
[donotclick]entslc.com/misc/farbtastic/heap170id3.exe
[donotclick]distrioficinas.com/css/b01.exe


The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1] [2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1] [2] that it attempts to connect to several different email services, presumably to send out spam.

Thursday 8 May 2014

Maersk Line Shipping Phish

Some people will phish for anything. This one seems to be looking for credentials to My Maersk Line, I guess to allow the scammers to ship items illegally at someone else's expense.


From:     Maersk Line Shipping [sunil.dharmappa@stalliongroup.com]
Reply-To:     shipping@maersklines.com
Date:     8 May 2014 14:55
Subject:     TRACK YOUR CONTAINERS & CARGO NOW!


Dear Sir/madam,

we  want to inform you that your supplier/seller shipped your goods  through our shipping services, we hope your supplier must have given you the details about your container vessel ,we strongly recommend that you confirm your goods/cargo immediately by tracking your goods online.
 All shipped container/goods must be tracked  to enable  you to know the location of your shipment and to know the arrival date of vessel. This is why MAERSK LINE has enabled a user friendly interface for our customers to track there goods by themselves without the help of the agents.

Download the container tracking form attached and  log in with your email now to know the status and location of your container/shipment. You must use the email which you used in communicating with your supplier/seller that is the email our tracking system will recognize because it is the email your supplier registered your goods with .You will be able to save the search criteria for easy reuse at a later stage. You will also have the opportunity to search for shipment from/from specific locations and many other features.

Check the attached now .

Best regards

Maersk shipping company.

Terms of use | Privacy policy | Sitemap | Maersk Line. All rights reserved.


Attached is a file maersk container tracking.htm ..


This attempts to harvest credentials and then POSTS them via a dedicated phishing site at send.apbem.org.br/zolamaersksend.php (189.73.155.37 / Brasil Telecom, Brazil). Once the username and password have been stolen, the victim is sent to the real My Maersk site (which doesn't actually require a password for basic container tracking).

Not many people will have a relevant shipping account at Maersk, but you can imagine the potential value of being able to ship stolen or illegal goods for free..

Wednesday 7 May 2014

unitedtraderegister.eu / europeantraderegister.net spam

This spam is attempting to solicit signups for a worthless "World Trade Register" website.

From:     utr@unitedtraderegister.eu
Date:     7 May 2014 00:04
Subject:     Are you ready?
Signed by:     unitedtraderegister.eu

Dear Partner,

In order to have your company inserted in the
global trade register of partner companies for
the 2015/2016 edition you must print, complete
and send the enclosed form before the end of
next week to the following address:

World Trade Register
P.O. Box 3079
3502 GB Utrecht
The Netherlands

or fax it to:
Fax: +31 205 248 107

or reply to this email and attach the form to it.

Updating is free of charge!
To unsubscribe please visit this link:
unitedtraderegister.eu/unsubscribe.php?email=info@[redacted]
In case the form is missing you can download it here:
unitedtraderegister.eu/wtr.pdf

The company behind this spam is a ROKSO-listed organisation called World Company Register / EU Business Register. A ROKSO listing basically means that this is one of the worst spammers currently in the world.

unitedtraderegister.eu forwards to europeantraderegister.net (and worldtraderegister.net is on the same server). This is an old-fashioned directory scam and it should be ignored.

"Lloyds Commercial Banking" "Important BACs" spam

This fake bank spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 08:29:83 GMT
From:      Lloyds Commercial Banking [Annmarie.Baldwin@lloydsbank.com]
Subject:      FW : Important BACs


Important account documents


Reference: C06
Case number: 0995479

Please review attached BACs documents and fax it to +44 (0) 845 600 3319.
Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.

Yours faithfully



Annmarie Baldwin
Senior Manager, Lloyds Commercial Banking


Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

The last line gave me a laugh.. "Please remember we guarantee the security of messages sent by email." Attached to the message is a file LloydsCase-0995479.zip which in turn contains a malicious executable LloydsCase-07052014.scr. The binary is identical in function to the one used in this TNT spam run doing the rounds at the same time.

"TNT UK Limited" spam

This fake TNT spam has a malicious attachment:

Date:      Wed, 7 May 2014 01:50:00 -0600 [03:50:00 EDT]
From:      TNT COURIER SERVICE [tracking@tnt.co.uk]
Subject:      TNT UK Limited - Package tracking 236406937389

TNT COURIER SERVICE (TCS)
Customer/Delivery Services Department
Central Pk Est/Mosley Rd, Trafford Park
Manchester, M17 1TT UK.

DETAILS OF PACKAGE
Reg order no: GB5766211

Your package have been picked up and is ready for dispatch. Please print attached form
and pick up at the nearest office.

Connote #        :        236406937389
Service Type        :        Export Non Documents - Intl
Shipped on        :        07 Apr 13 00:00
Order No                :        5766211
Status                :       Driver's Return Description      :       Wrong Postcode
Service Options: You are required to select a service option below.

The options, together with their associated conditions 

The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52.

Automated analysis tools [1] [2] [3] show a UDP connection to wavetmc.com and a further binary download from demo.providenthousing.com/wp-content/uploads/2014/05/b01.exe

This second executable has a VirusTotal detection rate of 20/51. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).

Recommended blocklist:
83.172.8.59
wavetmc.com
demo.providenthousing.com

"This email contains an invoice file attachment" spam

Another case of a very terse spam with a malicious email attachment:

Date:      Wed, 7 May 2014 14:06:46 +0700 [03:06:46 EDT]
From:      Accounts Dept [menopausaln54@jaygee.co.uk]
Subject:      Email invoice: 1888443

This email contains an invoice file attachment 

I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.

Automated analysis tools [1] [2] [3] show that this binary downloads a further component from one of the following locations:

This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis [1] [2] [3] shows that the malware installs itself deeply into the target system.

There is a further download of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1] [2] [3].

Recommended blocklist:

Tuesday 6 May 2014

"Important - BT Digital File" spam

This fake BT spam comes with a malicious attachment:

Date:      Tue, 6 May 2014 15:18:15 +0700 [04:18:15 EDT]
From:      Santiago Biggs [Santiago.Biggs@bt.com]
Subject:      Important - BT Digital File

BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000 

Attached to the message is an archive file BT_Digital_Vault_File.zip which in turn contains a malicious executable BT_Digital_File.scr which has a VirusTotal detection rate of 11/52.

Automated analysis tools [1] [2] [3] show that this malware downloads additional components from the following locations:

[donotclick]realtech-international.com/css/0605UKdp.rar
[donotclick]biz-ventures.net/scripts/0605UKdp.rar

Blocking those URLs or monitoring for them may help to prevent further infection.


ccccooa.org - another hacked WordPress site

ccccooa.org ("Cumberland County Council on Older Adults") is another hacked WordPress site being used to serve pharma spam. I got 82 of these all at the same time..

From:     Linkedln Email Confirmation [emailing@compumundo.info]
Reply-To:     emailing@compumundo.info
To:     topsailes@gmail.com
Date:     6 May 2014 13:41
Subject:     Please confirm your email address

Linkedln

Click here to confirm your email address.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

Thank you for using Linkedln!

--The Linkedln Team


This email was intended for [redacted]. Learn why we included this. © 2012, East Middlefield Road. Mountain View, CA 94043, USA 

One example landing URL is [donotclick]www.ccccooa.org/buyphentermine/ which leads to a sort of intermediary landing page..


This in turn redirects to [donotclick]stylespanel.com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online.com/search.html?q=phentermine which is a fake pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) and registered to a probably fake address in Argentina.


Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date.

Sinister spam from "Agent Feather"

This sinister spam comes with a malicious payload..

From:     Agent Feather [afgeathe32322323@gmail.com]
Reply-To:     afgeathe32323323@gmail.com
Date:     6 May 2014 02:12
Subject:     Do something before it's too late!


My Friend,

Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.

What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.

You are to note the following and observe them, contrary to these, you will never hear from me again.

1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.

Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.

Yours sincerely,
Agent Feather.

Attached is a file His Voice.zip which unzips to another file called Voice Conversation without any extension at all. In fact, this file is a malicious executable (you would have to rename it to Voice Conversation.exe manually if you want to infect yourself) which has a VirusTotal detection rate of 13/49.

Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.

Thursday 1 May 2014

Something evil on 146.185.213.69 and probably the whole /24

146.185.213.69 caught my eye, hosting a number of "ads." subdomains, many of which are tagged by Google as being malicious (highlighted below)


Well, you can probably assume that all those domains are malicious (even without the ads. prefix). But a look at the IP address range was revealing:

inetnum:        146.185.213.0 - 146.185.213.255
netname:        Customer-Valyalov-net
descr:          net for user Valyalov (hosting and VPS)
country:        RU
admin-c:        VME12-RIPE
tech-c:         VME12-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     LIPATOV-MNT
source:         RIPE # Filtered

person:         Valyalov Mikhail Evgenyevich
address:        Sankt-Petersburg, Volynski per., d. 2, lit. A, pom. 12N
phone:          +79099740171
nic-hdl:        VME12-RIPE
mnt-by:         VEROX-MNT
source:         RIPE # Filtered

route:          146.185.213.0/24
descr:          Valyalov-Net @ RN-Data/AltNet datacenter
origin:         AS41390
mnt-by:         LIPATOV-MNT
source:         RIPE # Filtered


The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 appears [csv] to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here plus several other places).

So, frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus these following domains:



"BiP Solutions Company" fake invoice spam

This fake invoice spam message leads to a malicious download:

Date:      Thu, 01-May-2014 15:12:56 GMT [11:12:56 EDT]
From:      Eduard Fulton [bfischernn@netmedia1.com]
Subject:      Notification of your invoice

Dear Customer
Our company has obtained your order and it'll be processing for 2 days.
The the bill of parcels and delivery details are below:
http://www.anat-barnir.co.il/04-05-2014/clients/clients.045-264.zip
Sincerely yours,
BiP Solutions Company
Eduard Fulton
BiP Solutions is a real company, but this spam did not come from them. The link in the email goes to a legitimate (but hacked) site in Israel and downloads a file clients.045-264.zip which unzips to a malicious executable clients.045-264.PDF______________________________________________________.exe (there are a lot of underscores in there, yes). This has a VirusTotal detection rate of 15/52, however automated analysis tools [1] [2] are inconclusive as to what it actually does.

Tuesday 29 April 2014

constructiondeal.com spam

Who are constructiondeal.com? And why are they spamming a spamtrap?

From:     Jenny Garcia [membership@m2.constructiondeal.com]
Reply-To:     Jenny Garcia [membership@m2.constructiondeal.com]
To:     "donotemail@wearespammers.com" [donotemail@wearespammers.com]
Date:     28 April 2014 17:49
Subject:     Your account activity
Signed by:     constructiondeal.com

I know you're busy so I went ahead and reviewed the customer activity in your area. Many homeowners are requesting estimates for your services in 90805. Take a look at these jobs and let me know if you can provide estimates for this work in the next week or two?

View the jobs here and let me know if you can do this work.


Best Wishes,

Jenny Garcia
Customer Service
(866) 887-7017

Copyright © 2014 Home Improvement, LLC
Our address is 1033 Young St., Dallas, TX, 75202, USA

If you do not wish to receive future email, click here.
(You can also send your request to Customer Care at the street address above.) 
90805 is Long Beach, California, but I have no idea where they came up with that particular ZIP code.

Links in the email go to acton.constructiondeal.com (207.189.124.58 / ViaWest, US) and then on to www.constructiondeal.com (66.63.178.68 / Quadranet, US). Originating IP is 209.162.194.139 (Act-on Software, US) and the message is digitally signed, showing that constructiondeal.com permits sending through that IP. In other words, the email is really from constructiondeal.com and is not a fake.

The domain contact details are partly hidden, but the CEO of owner Capital Enterprise Group, LLC is Igor Mironenko who appears to hail from the Los Angeles area. Constructiondeal.com is listed at the BBB and despite having a large number of complaints it still manages an A- rating.

But in any case, I recommend a zero-tolerance approach to spammers and would personally give this firm a wide berth.

Monday 28 April 2014

Message From The QUEEN!!!

Wow.. a Message From The QUEEN!!!
From:     Victoria Leopold [abuse@nospam.com]
Reply-To:     leopold.victoria@yahoo.co.uk
Date:     28 April 2014 14:35
Subject:     Message From The QUEEN!!!


Best Regards
Leopold Victoria (Queen).

Queen Elizabeth House
3 Mansfield Road
Oxford OX1 3TB
Strangely, I thought that the Queen was Elizabeth Windsor who lived in Buckingham Palace, London. But perhaps I am wrong. It looks like Queen Leopold has fallen on hard times and is having to use a Yahoo! free email account. And isn't Leopold a man's name?

Of course, this is a scam. Originating IP is 81.149.158.33 (BT, UK) via gwkent.com (69.198.120.156). Avoid.

"This email contains an invoice file attachment" spam

This very terse spam comes with a malicious attachment:

Date:      Mon, 28 Apr 2014 17:23:58 +0900 [04:23:58 EDT]
From:      Accounts Dept [shortchanges2@morgan-bros.co.uk]
Subject:      Email invoice: 2552266

This email contains an invoice file attachment
Attached is a file emailinvoice.8630595.zip which in turn contains a malicious executable emailinvoice.197291101.exe which has a VirusTotal detection rate of 5/51.

Automated analysis tools [1] [2] [3] show various system changes being made, but make no record of network activity.

Friday 25 April 2014

"Unity Messaging System - Internal Payroll" spam

This fake payroll spam comes with a malicious attachment:

Date:      Fri, 25 Apr 2014 12:36:43 +0900 [04/24/14 23:36:43 EDT]
From:      Unity Messaging System [Unity_UNITY9@victimdomain.com]
Subject:      Internal Payroll

File Validity: 24/04/2014
Company : http://victimdomain.com
File Format: Office - Excel
Internal Name: Payroll
Legal Copyright: ╘ Microsoft Corporation. All rights reserved.
Original Filename: Payroll.xls

********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
The email appears to be from the victim's own domain and references it in the body of the email. A look at the mail headers shows that this deception runs more deeply..

Received:     
    (qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000
    from unknown (192.168.1.88) by [redacted] with QMQP; 25 Apr 2014 03:36:45 -0000
    from kctv1142.ccnw.ne.jp (218.216.224.142) by [redacted] with SMTP; 25 Apr 2014 03:36:45 -0000
    from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900
    from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900


The actual origin of the spam is 218.216.224.142 in Japan. The lines before that are all fake and are attempting to make it look like the email originated from inside the victim's own network (using a 10.x.x.x address). Quite why they bother with this level of detail is a mystery, because anyone technically savvy should spot that it comes with a malicious payload.
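As an added illustration (not code from the original post), here is a small Python routine that walks a Received chain like the one quoted above, stops at the lowest hop written by our own MX, and reports everything below it as sender-asserted. The chain is a constructed copy of the headers above; "[redacted]" is replaced by the placeholder mx.example.net, which is an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the chain quoted above, top (newest) to bottom
# (oldest). "[redacted]" is replaced by the placeholder mx.example.net, an
# assumption; victimdomain.com is the anonymised recipient domain from the post.
RECEIVED_CHAIN = [
    "(qmail 19966 invoked from network); 25 Apr 2014 03:36:45 -0000",
    "from unknown (192.168.1.88) by mx.example.net with QMQP; 25 Apr 2014 03:36:45 -0000",
    "from kctv1142.ccnw.ne.jp (218.216.224.142) by mx.example.net with SMTP; 25 Apr 2014 03:36:45 -0000",
    "from voice533.victimdomain.com (10.0.0.41) by victimdomain.com (10.0.0.11) "
    "with Microsoft SMTP Server (TLS) id KFA60IPJ; Fri, 25 Apr 2014 12:36:43 +0900",
    "from message7154.victimdomain.com (10.31.162.90) by smtp.victimdomain.com (10.0.0.88) "
    "with Microsoft SMTP Server id C9PH5LWA; Fri, 25 Apr 2014 12:36:43 +0900",
]
OUR_MX = {"mx.example.net"}        # only lines written "by" our own MTAs are trustworthy
RECIPIENT_DOMAIN = "victimdomain.com"
HOP_RE = re.compile(r"^from\s+(\S+)\s+\([^)]*?(\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(\S+)", re.I)

@dataclass
class Hop:
    helo: str      # name the sending host announced
    ip: str        # address the receiving MTA actually saw
    by: str        # receiving MTA

def parse_hops(chain: List[str]) -> List[Hop]:
    hops = []
    for line in chain:
        m = HOP_RE.match(line.strip())
        if m:
            hops.append(Hop(m.group(1), m.group(2), m.group(3).lower()))
    return hops

def is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def analyse(chain: List[str], our_mx=OUR_MX, domain=RECIPIENT_DOMAIN):
    """Return (true origin IP or None, sender-asserted hops posing as the recipient's LAN)."""
    hops = parse_hops(chain)
    # The lowest hop recorded by one of our MTAs is the real hand-off; its "from"
    # address is the furthest back we can verify. Everything below it is the sender's story.
    border = max((i for i, h in enumerate(hops) if h.by in our_mx), default=-1)
    origin = hops[border].ip if border >= 0 else None
    forged = [h for h in hops[border + 1:]
              if is_private(h.ip) and (h.helo.endswith(domain) or h.by.endswith(domain))]
    return origin, forged
```

Run against the sample it returns 218.216.224.142 as the origin and both 10.x.x.x "victimdomain.com" hops as forged.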

The attachment is Payroll.zip which in turn contains a malicious executable Payroll.scr which has an icon that makes it look like an Excel file (which it isn't). If you are hiding file extensions (which is the insecure default setting for Windows) then you might be fooled.

If you haven't already done it.. when you have a folder open in Windows, go into Organize -> Folder and search options -> View and then untick Hide extensions for known file types.


Then it will become clear that this isn't an Excel spreadsheet at all (ending in .xlsx or .xls) but is something more sinister.


Yes, .scr is actually an executable file (a more typical one would be .exe). In this case the file is definitely malicious and has a VirusTotal detection rate of 26/51.
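The two naming tricks seen in this post, Payroll.scr with a spreadsheet icon and the underscore-padded clients.045-264.PDF______.exe from the "BiP Solutions" spam, can be caught on file name alone before anything is extracted. The following is an added Python example (not from the original post) that does that check over a ZIP; the archive it scans is constructed in memory with a harmless text member whose only hostile property is its name.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click (not exhaustive). A .scr "screensaver"
# is executed exactly like an .exe, which is what Payroll.scr relies on.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jar"}
# What a recipient expects an invoice or spreadsheet to be.
DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "rtf", "txt"}

def classify_attachment(name: str) -> Optional[str]:
    """Reason the name looks like a disguised executable, or None if it does not."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    real_ext = parts[-1]
    # A decoy document extension may be followed by padding such as the long run
    # of underscores in clients.045-264.PDF______.exe; strip it before comparing.
    inner = [re.sub(r"[_\s]+$", "", p) for p in parts[:-1]]
    decoys = [p for p in inner if p in DOCUMENT_EXTS]
    if decoys:
        padded = " with padding" if inner != parts[:-1] else ""
        return f"double extension{padded}: looks like .{decoys[-1]} but runs as .{real_ext}"
    if real_ext == "scr":
        return "screensaver (.scr) is an executable; icon may mimic a document"
    return f"executable attachment (.{real_ext})"

def scan_archive(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Name-only check of every ZIP member, as a mail gateway would run it before extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            reason = classify_attachment(member.rsplit("/", 1)[-1])
            if reason:
                findings.append((member, reason))
    return findings

def build_sample_zip() -> bytes:
    """Constructed stand-in for Payroll.zip: the member is plain text, only its name is hostile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payroll.scr", "harmless placeholder text, not a real payload")
    return buf.getvalue()
```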

Automated analysis tools [1] [2] [3] show an attempted download from:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar

These download locations are the same as used in this "Balance Scheet" spam from yesterday and I recommend that you block the domains in question.



Thursday 24 April 2014

"Balance Scheet" spam

This terse spam has a malicious attachment:

Date:      Thu, 24 Apr 2014 12:80:56 GMT [08:08:00 EDT]
From:      Admin@victimdomain
Subject:      FW: Balance Scheet

Please save the attached file to your hard drive before deleting this message. Thank you.
The mail headers in the email have been faked to make it look like it originated inside the victim's own internal network. Attached to the email is an archive file Balance-Sheet.zip which in turn contains a malicious executable Balance-Sheet.exe which has a VirusTotal detection rate of just 3/51.

Automated analysis tools [1] [2] [3] show an attempted download from the following locations:
[donotclick]tmupi.com/media/images/icons/team/Targ-2404USm.tar
[donotclick]altpowerpro.com/images/stories/highslide/Targ-2404USm.tar




"Atlanta Consulting" fake job offer, atlantaconsulting.net / atlantaconsulting.us / atlantaconsulting.co

This fake job offer comes from a bunch of scammers passing themselves off as "Atlanta Consulting" (not to be confused with several legitimate firms of similar names).

From:     Gertrude Holden [multivariate88@afes.com]
Date:     24 April 2014 14:16
Subject:     Vacancy

Good Day!

A new advanced vacant position is available!

I am a chief personnel officer of an Australian consulting company. We deal with non-typical business solutions. Also we introduce different outsourcing solutions. Presently we have many clients in Europe. To anticipate our cooperation with them, we need to find few regional managers.
We offer a part-time employment and opportunity to advance. Also we provide free elementary training. Initial salary is 2000 euro. If our offer is interesting to you, please send your answer on our e-mail:

info @ atlantaconsulting . net   (remove spaces before sending email)

specifying your country, city of residence, contact telephone number and desired time for call. Our managers work 24 hours for you!

Best regards!
GERALD DAMIEN
The following domains are all part of the same scam:
atlantaconsulting.net
atlantaconsulting.co
atlantaconsulting.us


The WHOIS details for the domains are undoubtedly fake and are certainly not Australian:

Administrative Contact ID:                   COCO-5041
Administrative Contact Name:                 John Carpenter
Administrative Contact Address1:             831 Ridgeview Dr
Administrative Contact City:                 Frankfort
Administrative Contact State/Province:       KY
Administrative Contact Postal Code:          40601
Administrative Contact Country:              United States
Administrative Contact Country Code:         US
Administrative Contact Phone Number:         +1.6064521498
Administrative Contact Email:                jjcarp9@gmail.com


There's a flashy website with no real substance..


The sites are hosted on 151.236.22.16 (EDIS GmbH, US) and the email in this case originated from 190.67.150.55 in Colombia.

The so-called job is going to be money laundering, or perhaps parcel reshipping (described in the video below) or some other scam which will involve you doing something illegal. Avoid.