Oh, really?

This is a bit funny:

remarks:         This is Ideal-Solution and 2x4.ru Hosting IP network
[snip]
remarks:         ***************************************
remarks:         note for spamhause company of usa:
remarks:         stop follow this subnet, nothing bad here, you can contact us if need.
remarks:         ***************************************

I wonder if “spamhause company of usa” actually is meant to be spamhaus.org.
Everybody knows that Steve Linford is floating around in a houseboat somewhere in Britain, don’t we?
Well, we are perhaps almost equal in knowledge there, the Russians and myself, regarding geography and the whereabouts of Spamhaus.
But I feel reasonably sure that they are not in the US.

And I also know that the netblock 193.107.16.0/22, “Ideal Solution Ltd”, mounted by WebAlta has a history of exploits, trojans and whatever other bad stuff you can imagine on the net. And 2x4.ru? Not exactly angels.

At least they are better at hosting criminal activity than in geography.
Always good to feel you master something, whatever it is.

Posted in malware, bots.

Referrer spam ends up in malware – stars-vs-stars. com

Beware of referrer spam in your weblogs.

At the moment stars-vs-stars. com (hosted on ecatel btw) redirects to http:||olympionik.limewebs. com/xplaymovie.html,
which again redirects to various malware/domains at 69.10.38.27 (trouble-free.net – Michael Lavrik), an infamous IP for hosting malware.
During the last two days, the following domain names have been used:
greatmultimediaservices. com, multimediautilites. com, digitalbluemultimedia. com.
digitalbluemultimedia.com is the active one as I write this.

Poor detection at virustotal.com, 4-8 vendors recognize the malware.
It seems it is being constantly changed.

A screenshot from http:||olympionik.limewebs. com/xplaymovie.html :

Screenshot from olympionik.limewebs.com

If you click on that one, a file named “video-plugin.[varies].exe” will be downloaded.
As mentioned, not many AV vendors recognize those at this moment.

Maybe more later.

Posted in malware, bots.

State Vaccination Program – infects you with vacc_profile.exe

Fresh in one of my inboxes:

You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:
Create Personal Profile

Centers for Disease Control and Prevention (CDC) · 1600 Clifton Rd · Atlanta GA 30333 · 800-CDC-INFO (800-232-4636)

The link goes to:
http://online.cdc.gov.yttt4l.co.im/h1n1flu/profile.php%5Betc%5D
The downloaded file, vacc_profile.exe, is, according to Virustotal.com, only recognized by 5 vendors/programs as I write this:
AntiVir (“TR/Crypt.XPACK.Gen”), Kaspersky (“Packed.Win32.Krap.ae”), McAfee+Artemis (“Artemis!C2B6CB233320”), McAfee-GW-Edition (“Heuristic.BehavesLike.Win32.Trojan.H”) and NOD32 (“a variant of Win32/Kryptik.BFV”).

Hosted on a botnet. One example of overlapping with alliance-leicester phishing according to bfk.de:

online.cdc.gov.yttt4l.org.im                        A  41.248.217.83
online.cdc.gov.yttt4r.org.im                        A  41.248.217.83
online.cdc.gov.yttt4l.im                            A  41.248.217.83
online.cdc.gov.yttt4l.com.im                        A  41.248.217.83
online.cdc.gov.yttt4r.com.im                        A  41.248.217.83
www.mybank.alliance-leicester.co.uk.iksadh.co.im    A  41.248.217.83
online.cdc.gov.yttt4l.co.im                         A  41.248.217.83
online.cdc.gov.yttt4r.co.im                         A  41.248.217.83
online.cdc.gov.yttt4r.im                            A  41.248.217.83
online.cdc.gov.yttt4l.net.im                        A  41.248.217.83
online.cdc.gov.yttt4r.net.im                        A  41.248.217.83

Phishtank has seen IRS phishing today:
http://www.phishtank.com/phish_detail.php?phish_id=875991
(http://www.irs.gov.yttt4l.co.im/fraud_application/directory/statement.php)

Several other “overlaps” as well; Ally is another example.
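The pattern in the bfk.de list above (a trusted name such as cdc.gov, irs.gov or alliance-leicester.co.uk glued onto the front of a throwaway .im domain, all resolving to one address) can be picked out of passive DNS output automatically. The script below is an added example, not code from the post or from bfk.de; it assumes a simplified public-suffix rule for two-letter ccTLDs and uses the records quoted above plus one constructed control line for www.cdc.gov on a TEST-NET address.

```python
# Passive DNS lines as quoted in the post (bfk.de) plus one constructed control
# line on a TEST-NET address, so the detector has a legitimate host to leave alone.
PDNS_RECORDS = """\
online.cdc.gov.yttt4l.org.im A 41.248.217.83
online.cdc.gov.yttt4r.org.im A 41.248.217.83
online.cdc.gov.yttt4l.im A 41.248.217.83
online.cdc.gov.yttt4l.com.im A 41.248.217.83
online.cdc.gov.yttt4r.com.im A 41.248.217.83
www.mybank.alliance-leicester.co.uk.iksadh.co.im A 41.248.217.83
online.cdc.gov.yttt4l.co.im A 41.248.217.83
online.cdc.gov.yttt4r.co.im A 41.248.217.83
online.cdc.gov.yttt4r.im A 41.248.217.83
online.cdc.gov.yttt4l.net.im A 41.248.217.83
online.cdc.gov.yttt4r.net.im A 41.248.217.83
www.cdc.gov A 192.0.2.10
"""
# Brands named in the post; the campaign prepends them as labels of its own hosts.
WATCHED_BRANDS = ("cdc.gov", "irs.gov", "alliance-leicester.co.uk")
# Second-level labels treated as public suffix under a two-letter ccTLD (co.im,
# co.uk, org.im ...): a deliberate simplification of the public suffix list (assumption).
GENERIC_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}

def registrable_domain(host):
    """Registrant-controlled part of a hostname, e.g. yttt4l.co.im."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def embedded_brand(host, brands=WATCHED_BRANDS):
    """Brand whose label sequence appears in host without owning its registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    for brand in brands:
        b = brand.split(".")
        found = any(labels[i:i + len(b)] == b for i in range(len(labels) - len(b) + 1))
        if found and registrable_domain(host) != brand:
            return brand
    return None

def find_lookalikes(records, brands=WATCHED_BRANDS):
    """Parse 'host TYPE address' lines; group impersonating hosts by address."""
    by_ip = {}
    for line in records.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            brand = embedded_brand(parts[0], brands)
            if brand:
                by_ip.setdefault(parts[2], []).append((parts[0], brand, registrable_domain(parts[0])))
    return by_ip
```

Running `find_lookalikes(PDNS_RECORDS)` returns a single key, 41.248.217.83, carrying all eleven impersonating hostnames with the brand each one borrows and the .im domain that actually owns it, while the control record for www.cdc.gov is left alone.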

See also the InboxRevenge Forum:
http://ksforum.inboxrevenge.com/viewtopic.php?f=13&t=3433

Posted in malware, bots.

A small fragment of Rove Digital (and others)

Just in case I forget.

inetnum:        213.155.22.192 - 213.155.22.199
netname:        singhajeet3
descr:          singhajeet3 - Singh Ajeet
country:        UA
admin-c:        SA5766-RIPE
tech-c:         SA5766-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

person:         Singh Ajeet
address:        34203, Florida, United States, Bradenton, 1901 60th Place E. Suite L4257
abuse-mailbox:  abuse@hosting.ua
phone:          +380487281518
nic-hdl:        SA5766-RIPE
source:         RIPE # Filtered

% Information related to '213.155.0.0/19AS41665'

route:          213.155.0.0/19
descr:          Datacenter Hosting.UA
origin:         AS41665
mnt-by:         MNT-HOSTINGUA
source:         RIPE # Filtered

I’ll probably forget the connection, so here is the short version:

A tweet from one of the good guys I’m following:
Details about the MediaTemple security issues (injected spam and .htaccess redirects) http://bit.ly/4POUnQ and http://bit.ly/7o1oyA
[https://twitter.com/unmaskparasites/statuses/6141708994]

And somehow I ended up at redbuszoen. com via you-search. in.
Probably some kind of dynamic, now I end up at cyber-shop. net at 88.208.21.144, advancedhosters.com. Russians in the Netherlands. Shitty place that too.

That’s probably all, sorry for that.

If you want a little bit more, spamhaus is the usual reliable source:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK8751
But they forgot to list 213.155.22.192 – 213.155.22.199.
Or the whole freaking 213.155.0.0/19.
More evil stuff in there. Like the skiddie forum at evilzone.org (forum.evilzone.org).

But then the whole .UA space should be nuked.
Much safer internet without it.
I’m beginning to have the same thoughts about .NL too.

(And I am now on day 13 in my career as a non-smoker. This is probably what hell will be when that time comes. Now I am prepared for it)

Update a bit later
When following the link from cyber-shop. net, I ended up downloading scareware from securitytoolsediting. net.
Virustotal tells me that 11 out of 40 vendors recognize the file install.exe.
The different names given contain “FakeAlert”, “RogueSecurity”, “Krap”.

securitytoolsediting. net appears to live at 194.60.205.20, “Baltic Center of Innovations TechPromInvest LTD”.
Probably a shitty place too. A quick google search seems to agree with me.

Posted in malware, bots, RBN.