
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #34 AplusWebMaster (Adviser Team)

    Exploit Kits - OVH Canada / r5x .org ...

    FYI...

    Exploit Kits - OVH Canada / r5x .org / Penziatki
    - http://blog.dynamoo.com/2014/03/evil...penziatki.html
    13 Mar 2014 - "Hat tip to Frank Denis (@jedisct1)* for this report** on Nuclear EK's hosted by OVH Canada using their infamous "Penziatki" customer which is linked to black-hat host r5x .org***. The blocks have been identified as belonging to that customer and I would recommend that you block them:
    198.27.114.16/30
    198.27.114.64/27
    198.50.186.232/30
    198.50.186.236/30
    198.50.186.252/30
    198.50.231.204/30

    OVH Canada have repeatedly hosted exploit kits for this customer... If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:
    198.27.0.0/16
    198.50.0.0/16

    Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:
    198.27.114.0/24
    198.50.172.0/24
    198.50.186.0/24
    198.50.197.0/24
    198.50.231.0/24
    ..."
    (More detail at the dynamoo URL above.)

    * https://twitter.com/jedisct1

    ** https://gist.github.com/jedisct1/9509527 - Nuclear Exploit Kit Mar 12

    *** http://blog.dynamoo.com/search/label/R5X.org

    > http://google.com/safebrowsing/diagnostic?site=AS:16276
    ___

    Malware sites to block 13/3/14
    - http://blog.dynamoo.com/2014/03/malw...ock-13313.html
    13 Mar 2014 - "These IPs and domains seem to be involved in injection attacks today. I recommend you block them.
    64.120.242.178
    188.226.132.70
    93.189.46.90
    ...
    The domains being abused are as follows.. many of them appear to be hijacked legitimate domains..."
    (Many others listed at the dynamoo URL above.)
    ___

    Fake Blood count result - fake PDF malware
    - http://myonlinesecurity.co.uk/import...e-pdf-malware/
    13 Mar 2014 - "This email saying IMPORTANT Complete blood count result pretending to come from NICE (National Institute for Health and Care Excellence) has to be the most vicious and evil attempt by any malware purveyor to try to infect a victim. Sending an email saying that you probably have cancer will alarm & distress so many people and is just the most offensive and disgusting attempt to trick a user into opening a malware attachment... another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Other subjects in this evil email attempt to infect you are:
    - IMPORTANT:Blood analysis result
    - IMPORTANT:Blood analysis
    - IMPORTANT:Complete blood count (CBC)result ...
    > http://myonlinesecurity.co.uk/wp-con...-CBCresult.png
    ... 13 March 2014: CBC_Result_9B4824B65E.zip (55kb) Extracts to CBC_scaned_584444449.pdf.exe
    Current Virus total detections: 2/50*... careful when unzipping them and make sure you have “show known file extensions enabled”**, And then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened."
    * https://www.virustotal.com/en/file/d...is/1394703905/

    ** http://myonlinesecurity.co.uk/why-yo...wn-file-types/
    ___

    Key Secured Message -fake- PDF malware
    - http://myonlinesecurity.co.uk/key-se...e-pdf-malware/
    13 March 2014 - "Key Secured Message pretending to come from Payroll Reports <payroll @quickbooks .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these have a password stealing component, with the aim of stealing your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your facebook and other social network log in details...
    > http://myonlinesecurity.co.uk/wp-con...ed-Message.png
    ... Extracts to NIKON-2013564-JPEG.scr ... Current Virus total detections: 2/50*
    This Key Secured Message is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day..."
    * https://www.virustotal.com/en-gb/fil...55c2/analysis/
    ___

    Fake Sky .com "Statement of account" SPAM
    - http://blog.dynamoo.com/2014/03/skyc...ount-spam.html
    13 Mar 2014 - "This -fake- Sky .com email comes with a malicious attachment:
    Date: Thu, 13 Mar 2014 12:23:09 +0100 [07:23:09 EDT]
    From: "Sky .com" [statement@ sky .com]
    Subject: Statement of account
    Afternoon,
    Please find attached the statement of account.
    We look forward to receiving payment for the December invoice as this is now due for
    payment.
    Regards, Carmela ...
    Wilson McKendrick LLP Solicitors ...
    Attached is an archive Statement.zip which in turn contains a malicious executable Statement.scr which has a VirusTotal detection rate of 6/50*. Automated analysis tools... show attempted connections to the following domains and IPs:
    188.247.130.190 (Prime Telecom SRL, Romania)
    gobemall .com
    gobehost .info
    184.154.11.228 (Singlehop, US)
    terenceteo .com
    184.154.11.233 (Singlehop, US)
    quarkspark .org
    The two Singlehop IPs appear to belong to Host The Name (hostthename .com) which perhaps indicates a problem at that reseller.
    Recommended blocklist:
    184.154.11.228
    184.154.11.233
    188.247.130.190
    gobemall .com
    gobehost .info
    terenceteo .com
    quarkspark .org"
    * https://www.virustotal.com/en-gb/fil...is/1394715270/
    ___

    HM Revenue & Customs Spam
    - http://threattrack.tumblr.com/post/7...e-customs-spam
    Mar 12, 2014 - "Subjects Seen:
    HMRC Tax Notice
    Typical e-mail details:
    Dear <email address>
    Please be advised that one or more Tax Notices (P6, P6B) have been issued.
    For the latest information on your Tax Notices (P6, P6B) please open attached report.
    Document Reference: 6807706.
    Malicious File Name and MD5:
    PDF_Scanned_HMRCBBD45F6647.zip (09BA8CF32FDDE3F73EA8F2E6F75BDF1E)
    scaned_7246582_pdf_4364534533.exe (3F347C85BEA303904975FF0A8DE49E7E)
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Ge41r6pupn.png

    Tagged: HMRC, weelsof

    Last edited by AplusWebMaster; 2014-03-13 at 19:24.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
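The post above hands out three kinds of defensive data: CIDR blocks and single IPs to block, domains to block, and a file-naming trick (a document name with a trailing .exe or .scr) to watch for on attachments. The script below is an added example, not code from the forum post or from the dynamoo / myonlinesecurity / ThreatTrack write-ups it quotes. It loads the indicators exactly as the post lists them (only the defensive spaces before the TLDs are removed), runs them over a handful of constructed proxy-log lines, and classifies attachment names with the double-extension check the post describes. The log line format, the sample lines, and the function names are assumptions made for the example; the `aggressive` switch applies the post's much broader /16 recommendation so you can see what the trade-off it warns about looks like in practice.

```python
"""
Added example: apply the post's blocklists and the double-extension attachment
check to constructed log lines.  Indicators come from the post; the log format
and sample lines are constructed for this demonstration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# CIDR blocks attributed in the post to the OVH Canada "Penziatki" customer.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "198.27.114.16/30", "198.27.114.64/27",
    "198.50.186.232/30", "198.50.186.236/30", "198.50.186.252/30",
    "198.50.231.204/30",
)]

# The post's "block the whole thing" option; expect collateral damage.
AGGRESSIVE_NETWORKS = [ipaddress.ip_network(n) for n in ("198.27.0.0/16", "198.50.0.0/16")]

# Single IPs the post lists (injection attacks of 13/3/14; Sky .com spam callbacks).
BLOCKED_IPS = {ipaddress.ip_address(a) for a in (
    "64.120.242.178", "188.226.132.70", "93.189.46.90",
    "184.154.11.228", "184.154.11.233", "188.247.130.190",
)}

# Domains from the Sky .com spam write-up, with the defensive spaces removed.
BLOCKED_DOMAINS = {"gobemall.com", "gobehost.info", "terenceteo.com", "quarkspark.org"}

# Extensions that execute on Windows, and document-looking extensions that
# are used as the "first" extension in names such as report.pdf.exe.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".jpeg", ".jpg", ".txt")


def ip_is_blocked(ip_str, aggressive=False):
    """True if the address is a listed IP or falls inside a listed block."""
    ip = ipaddress.ip_address(ip_str)
    nets = BLOCKED_NETWORKS + (AGGRESSIVE_NETWORKS if aggressive else [])
    return ip in BLOCKED_IPS or any(ip in net for net in nets)


def domain_is_blocked(host):
    """True for a listed domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify_attachment(name):
    """None for a harmless-looking name, 'executable' for a bare .exe/.scr,
    'double-extension' for the document.pdf.exe trick the post describes."""
    lower = name.lower()
    if not lower.endswith(EXECUTABLE_EXTS):
        return None
    stem = lower.rsplit(".", 1)[0]
    return "double-extension" if stem.endswith(DOCUMENT_EXTS) else "executable"


# Assumed proxy-log layout: timestamp, client IP, destination IP, method, URL.
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<method>\S+) (?P<url>\S+)$"
)

# Constructed sample lines (not real traffic).  Line 4 is deliberately a
# near miss: 198.50.186.240 sits between the listed /30s.
SAMPLE_PROXY_LOG = [
    "2014-03-13T10:01:02Z 10.0.0.5 198.27.114.17 GET http://example.invalid/landing",
    "2014-03-13T10:01:09Z 10.0.0.5 203.0.113.7 GET http://www.iana.org/",
    "2014-03-13T10:02:44Z 10.0.0.7 184.154.11.228 GET http://gobemall.com/stat.php",
    "2014-03-13T10:03:01Z 10.0.0.8 198.50.186.240 GET http://203.0.113.1/",
]


def scan_proxy_log(lines, aggressive=False):
    """Return (line_no, dst_ip, host, reasons) for every line that matches an
    indicator; reasons is a list drawn from {'dst-ip', 'domain'}."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = []
        if ip_is_blocked(m["dst"], aggressive):
            reasons.append("dst-ip")
        host = urlparse(m["url"]).hostname or ""
        if domain_is_blocked(host):
            reasons.append("domain")
        if reasons:
            hits.append((n, m["dst"], host, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for name in ("CBC_scaned_584444449.pdf.exe", "NIKON-2013564-JPEG.scr", "Statement.pdf"):
        print(name, "->", classify_attachment(name))
```

Run as-is it prints two proxy hits (line 1 by CIDR, line 3 by both IP and domain) and flags the two attachment names quoted in the post; passing `aggressive=True` to `scan_proxy_log` additionally catches the near-miss line 4, which is exactly the "blocks many legitimate sites" cost the post mentions.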
