FYI...
Something evil on 91.231.98.149 and boats .net
- http://blog.dynamoo.com/2013/09/some...98149-and.html
26 Sep 2013 - "This injection attack* [urlquery] on boats .net caught my attention, a nasty bit of injected code pointing to a (now suspended) domain called gamelikeboards .biz hosted on 91.231.98.149 (Neohost.net, Ukraine). Basically, the victim website has code injected pointing to [donotclick]gamelikeboards .biz/_cp/crone/ which cannot be anything good. What do we know about gamelikeboards.biz? As luck would have it, the domain was suspended by the registrar... A look at 91.231.98.0/24 indicates a mix of spammy sites plus a number of local Russian and Ukrainian sites... I don't know what the payload is, but the IP address was also used in this recent malware attack**. The IP and domains are definitely malicious, and I would recommend the following blocklist:
91.231.98.149
eschewsramping .biz
gamelikeboards .biz
sixteenups .biz
sorelyzipmagics .biz
technicaltutoring .biz
zarazagorakakaxx1 .org
zarazagorakakaxx2 .com
* http://urlquery.net/report.php?id=5960880
** https://malwr.com/analysis/YjQ1ZmIyN...U2NDU2NDgzNmE/
Added: it looks like this site has been compromised before*** ..."
*** http://news.softpedia.com/news/Outdo...k-382161.shtml
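One way to actually use that blocklist, as an added example (my own code, not Dynamoo's or the forum poster's): refang the indicators exactly as the post lists them (the blog's convention puts a space before the TLD and a [donotclick] tag on live URLs), split them into IPs and domains, and then run proxy-log URLs against them, matching subdomains of a blocked domain but not look-alike domains. The log lines below are constructed for the demonstration, not real traffic; the indicators are the ones quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the Dynamoo post lists them, still defanged
# ("example .biz" is the blog's convention for example.biz).
DYNAMOO_BLOCKLIST_RAW = """
91.231.98.149
eschewsramping .biz
gamelikeboards .biz
sixteenups .biz
sorelyzipmagics .biz
technicaltutoring .biz
zarazagorakakaxx1 .org
zarazagorakakaxx2 .com
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator or URL back into a usable host/URL."""
    s = indicator.strip()
    s = s.replace("[donotclick]", "")
    s = re.sub(r"\s+\.", ".", s)          # "example .biz" -> "example.biz"
    s = s.replace("[.]", ".").replace("hxxp", "http")
    return s.lower()


def build_blocklist(raw: str):
    """Split a raw indicator list into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for line in raw.splitlines():
        item = refang(line)
        if not item:
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item)
    return ips, domains


def host_of(target: str) -> str:
    """Extract the host from a URL or a bare host[:port]."""
    if "://" not in target:
        target = "http://" + target
    return (urlsplit(target).hostname or "").lower()


def is_blocked(target: str, ips, domains) -> bool:
    """True if the target's host is a listed IP, a listed domain, or a subdomain of one."""
    host = host_of(refang(target))
    if not host:
        return False
    if host in ips:
        return True
    # endswith("." + d) matches www.gamelikeboards.biz but not notgamelikeboards.biz
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed proxy-log lines for the demonstration (epoch, client, method, URL, status).
SAMPLE_LOG = """\
1380200001 10.0.0.5 GET http://boats.net/index.php 200
1380200002 10.0.0.5 GET http://gamelikeboards.biz/_cp/crone/ 200
1380200003 10.0.0.7 GET http://www.sixteenups.biz/x.php 302
1380200004 10.0.0.7 GET http://91.231.98.149/_cp/crone/ 200
1380200005 10.0.0.9 GET http://notgamelikeboards.biz/ 200
"""


def scan_log(log: str, ips, domains):
    """Return (client, url) pairs for every log line whose URL hits the blocklist."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        if is_blocked(url, ips, domains):
            hits.append((fields[1], url))
    return hits


if __name__ == "__main__":
    ips, domains = build_blocklist(DYNAMOO_BLOCKLIST_RAW)
    for client, url in scan_log(SAMPLE_LOG, ips, domains):
        print(f"{client} -> {url}")
```

The boats .net line itself is not flagged, which is the right call for a blocklist: the compromised site is the victim, and what you want to see is which internal clients actually fetched the /_cp/crone/ path from the injected domain or its IP.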
___
Print A Tree, Pop An Ad
- http://www.threattracksecurity.com/i...t-tree-pop-ad/
Sep 26, 2013 - "... We first noticed this one as part of a larger Installcore bundler from a pop up on a “free video” site:
> http://www.threattracksecurity.com/i...treeprint5.png
...
> http://www.threattracksecurity.com/i...treeprint6.jpg
Quite what our chosen subject matter has to do with videos I’ve no real idea, but never let relevance detract from an Adware bundle. Here it is during the main install of “FLV Player Setup”, and it is called “Print-A-Tree”.
> http://www.threattracksecurity.com/i...treeprint2.jpg
... Some of the other programs installed from the Installcore bundle included Web Connect (Yontoo variant), Bonanza Deals and O-to-Lyrics... This is where things go horribly wrong, because not only do you have ads injected onto numerous websites, you also end up with pop-ups which often lead to additional installs (with additional Adware!)... The pop-up ad promotes a web browser which will offer up more adware at install, to sit alongside whatever applications you happen to have on board from the first bundle... You can see more about the original bundler file over at VirusTotal*, which currently has it pegged at 8/41..."
* https://www.virustotal.com/en/file/4...is/1380126410/
File name: FlvPlayerSetup.exe_
Detection ratio: 8/41 ...
___
Threat Outbreak Alerts
- http://tools.cisco.com/security/cent...utbreak.x?i=77
Fake Xerox Scan Attachment Email Messages - 2013 Sep 26
Fake Package Delivery Invoice Notification Email Messages - 2013 Sep 26
Fake Account Payment Notification Email Messages - 2013 Sep 26
Fake Package Delivery Failure Notification Email Messages - 2013 Sep 26
Fake Sales Receipt Notification Email Messages - 2013 Sep 26
Fake Product Order Email Messages - 2013 Sep 26
Fake Voice Messages Delivery Email Messages - 2013 Sep 26
Fake Electronic Payment Cancellation Email Messages - 2013 Sep 26
Fake Purchase Order Request Email Messages - 2013 Sep 26
Fake Product Requirements List Email Messages - 2013 Sep 26
Fake Product Sample Request Email Messages - 2013 Sep 26
Blank Email Messages with Malicious Attachments - 2013 Sep 26
Fake Financial Document Delivery Email Messages - 2013 Sep 26
(More detail and links at the cisco URL above.)