FYI...
Evil network: 5.135.230.176/28 - OVH
- http://blog.dynamoo.com/2014/10/evil...ovh-eldar.html
18 Oct 2014 - "These domains are currently hosted or have recently been hosted on 5.135.230.176/28 and all appear to be malicious in some way, in particular some of them have been hosting the Angler EK* (hat tip)... 5.135.230.176/28 is an OVH IP range allocated to what might be a fictitious customer:
organisation: ORG-EM25-RIPE
org-name: eldar mahmudov
org-type: OTHER
address: ishveran 9
address: 75003 paris
address: FR
e-mail: mahmudik@ hotmail .com
abuse-mailbox: mahmudik@ hotmail .com
phone: +33.919388845
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
changed: noc@ ovh .net 20140621
source: RIPE
There appears to be nothing legitimate at all in this IP address range; I strongly recommend that you -block- traffic going to it."
* http://malware-traffic-analysis.net/.../06/index.html
Diagnostic page for AS16276 (OVH)
- https://www.google.com/safebrowsing/...?site=AS:16276
"... over the past 90 days, 4009 site(s)... resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2014-10-18, and the last time suspicious content was found was on 2014-10-18... we found 543 site(s) on this network... that appeared to function as intermediaries for the infection of 4498 other site(s)... We found 1150 site(s)... that infected 2883 other site(s)..."
___
malwr
- https://malwr.com/
Oct. 19, 2014 - "Last Comments:
Malware.
222.236.47.53:8080 195.206.7.69:443 46.55.222.24:8080 162.144.60.252:8080 91.212.253.253:443 95.141.32.134:8080"
- https://malwr.com/about/ >> http://www.shadowserver.org/ *
- 222.236.47.53: https://www.virustotal.com/en/ip-add...3/information/
- 195.206.7.69: https://www.virustotal.com/en/ip-add...9/information/
- 46.55.222.24: https://www.virustotal.com/en/ip-add...4/information/
- 162.144.60.252: https://www.virustotal.com/en/ip-add...2/information/
- 91.212.253.253: https://www.virustotal.com/en/ip-add...3/information/
- 95.141.32.134: https://www.virustotal.com/en/ip-add...4/information/
Bot Count Graphs
* https://www.shadowserver.org/wiki/pm...untYearly#toc1
Page last modified on Sunday, 19 October 2014
___
- http://blog.dynamoo.com/2014/10/fina...spam-uses.html
17 Oct 2014
... ShippingLable_HSDAPDF.scr
- https://www.virustotal.com/en/file/9...is/1413566277/
... Comments:
Full list of CnCs:
5.135.28.118: https://www.virustotal.com/en/ip-add...8/information/
185.20.226.41: https://www.virustotal.com/en/ip-add...1/information/
5.63.155.195: https://www.virustotal.com/en/ip-add...5/information/
___
RIG Exploit Kit Dropping CryptoWall 2.0
- http://www.threattracksecurity.com/i...ryptowall-2-0/
Oct 17, 2014 - "... observed spammers exploiting vulnerable WordPress links to -redirect- users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0... nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom. The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog*... The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp ://206.253.165.76 :8080. The exploit redirector is hxxp ://206.253.165.76 :8080/ord/rot.php. And the spam Dynamoo reported is hxxp ://206.253.165.76 :8080/ord/ef.html... The exploit redirector is hxxp :// 206.253.165.76 :8080/ord/rot.php... malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0. The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402 ..."
* http://blog.dynamoo.com/2014/10/efax...0204-spam.html
206.253.165.76: https://www.virustotal.com/en/ip-add...6/information/
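The posts above boil down to one /28 to block outright plus a handful of single C2 / exploit-kit IPs. As an added example (not code from any of the quoted blogs), the script below collects those indicators and runs them over firewall log lines; the `dst=` key/value log format and the sample lines are constructed for the demonstration, the indicator values themselves are the ones quoted in the post.

```python
import ipaddress
import re

# Indicators copied from the post above: the OVH /28 that Dynamoo recommends
# blocking, and the single IPs quoted as C2 / exploit-kit servers from the
# malwr comments, the Dynamoo spam post and the ThreatTrack RIG write-up.
BLOCKED_NETWORKS = [ipaddress.ip_network("5.135.230.176/28")]
KNOWN_C2 = {
    "222.236.47.53", "195.206.7.69", "46.55.222.24",      # malwr comment
    "162.144.60.252", "91.212.253.253", "95.141.32.134",  # malwr comment
    "5.135.28.118", "185.20.226.41", "5.63.155.195",      # ShippingLable_HSDAPDF.scr CnCs
    "206.253.165.76",                                     # RIG EK / CryptoWall 2.0 server
}


def match_indicator(ip_str):
    """Return a short reason string if ip_str hits an indicator, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # hostname or garbage rather than a literal IP; not our concern here
    if str(ip) in KNOWN_C2:
        return "known C2 / EK host"
    for net in BLOCKED_NETWORKS:
        if ip in net:  # CIDR containment, so 5.135.230.176-191 all match
            return f"inside blocked range {net}"
    return None


# Assumed log layout: space-separated key=value pairs with a dst=<ip> field.
DST_RE = re.compile(r"\bdst=(\S+)")


def scan_logs(lines):
    """Return (line_number, dst_ip, reason) for every line whose destination matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if not m:
            continue
        reason = match_indicator(m.group(1))
        if reason:
            hits.append((n, m.group(1), reason))
    return hits


# Constructed sample firewall log lines (not taken from the post).
SAMPLE_LOG = [
    "2014-10-19T10:00:01Z action=allow src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2014-10-19T10:00:07Z action=allow src=10.0.0.5 dst=5.135.230.180 dport=80",
    "2014-10-19T10:00:12Z action=allow src=10.0.0.9 dst=206.253.165.76 dport=8080",
    "2014-10-19T10:00:20Z action=allow src=10.0.0.9 dst=5.135.230.192 dport=80",
    "2014-10-19T10:00:31Z action=allow src=10.0.0.12 dst=5.135.28.118 dport=443",
]

if __name__ == "__main__":
    for n, dst, reason in scan_logs(SAMPLE_LOG):
        print(f"line {n}: {dst} -> {reason}")
```

Line 4 in the sample is deliberately the first address past the /28 boundary (5.135.230.192) and does not match, while 5.135.230.180 does; that is the point of using `ipaddress` containment rather than a string prefix match, which would happily flag all of 5.135.230.0/24. New indicators from later posts can simply be appended to the two collections.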