Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday 18 October 2011

Dear Cronon.net/rzone.de

I received 4 spam e-mails earlier, carrying 4 links pointing to zip files on 4 sites hosted in rZone.de (Cronon) IP space - all of the files contain trojans - more on that later.

As I normally do, I tried dropping the addresses listed in the net-block info an e-mail (cmueller@cronon.net and abuse@cronon.net); sadly, it seems they don't want to receive abuse reports:

Mail delivery to the following recipient has finally failed:

abuse@cronon.net
Last reason: 550 5.0.0 Mailbox unavailable/command rejected for policy reasons/no
access
Explanation: host kled9.cronon.net [192.166.196.9] said: message denied by policy
[M31efc90 15611 Wed, 19 Oct 2011 02:29:34 +0200 (MEST)]

Transcript of session:
... while talking to kled9.cronon.net [192.166.196.9]:
>>> DATA (end of message)
<<< 550 message denied by policy [M31efc90 15611 Wed, 19 Oct 2011 02:29:34
+0200 (MEST)]


Wed 2011-10-19 01:15:06: --> RCPT To:<cmueller@cronon.net>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <cmueller@cronon.net> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50000562659.msg> to [81.169.145.102]
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
--- End Transcript ---


And yep, I tried sending via both my Malwarebytes address and my normal it-mate.co.uk address.
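As an added example (not from the original post), here is a small Python script that parses a session transcript like the one above, picks out the server reply that answered the message body, and classifies the bounce, so an automated abuse-reporting pipeline notices when its reports are being refused rather than delivered. It also shows the hxxp-style defanging used for the URLs later in this post (extended here with [.] in hostnames), which keeps a report's own indicators from tripping the recipient's body-URL filter. The transcript is an abridged copy of the one quoted above; the log-line format is assumed to be the MDaemon-style "date time: <-- reply" shown there.

```python
import re

# Constructed sample, abridged from the session transcript quoted in the post
# (MDaemon-style log lines: "<--" is the remote server, "-->" is our client).
TRANSCRIPT = """\
Wed 2011-10-19 01:15:06: --> RCPT To:<cmueller@cronon.net>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <cmueller@cronon.net> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
"""

# "<-- 550 5.7.1 text": server reply, optional enhanced status code (RFC 3463)
SERVER_RE = re.compile(r"^\S+ \S+ \S+: <-- (\d{3})(?: (\d\.\d+\.\d+))? ?(.*)$")

def data_reply(transcript):
    """Return (code, enhanced_status, text) of the reply that answered the
    message body, i.e. the first server reply after the 354 DATA prompt,
    or None if the session never reached that point."""
    in_data = False
    for line in transcript.splitlines():
        m = SERVER_RE.match(line)
        if not m:
            continue
        code, esc, text = m.groups()
        if code == "354":
            in_data = True
        elif in_data:
            return code, esc, text
    return None

def classify(reply):
    """Say whether, and roughly why, the abuse report was refused."""
    if reply is None:
        return "no-data-reply"
    code, esc, text = reply
    if code.startswith("2"):
        return "accepted"
    if esc == "5.7.1" or "(B-URL)" in text:
        return "rejected-content-filter"  # the report's own URLs tripped a body filter
    return "rejected-policy" if code == "550" else "rejected-other"

def defang(url):
    """Neutralise a URL for inclusion in a report: http:// -> hxxp://, '.' -> '[.]'."""
    scheme, _, rest = url.partition("://")
    return scheme.replace("ttp", "xxp") + "://" + rest.replace(".", "[.]")
```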

Until they stop rejecting abuse reports, I'd strongly recommend you put a block on their IP range.

The offending URLs, for those wondering:

hxxp://praxisreuss.de/info/Profiel.zip - 81.169.145.66
hxxp://www.karate-shanghai.de/download/Profiel.zip - 81.169.145.164
hxxp://www.edv-xp.de/info/Profiel.zip - 81.169.145.75
hxxp://www.foodoffice.de/download/Profiel.zip - 81.169.145.65

Domains the malware contacts:

duffiduffid.ru -> /stat/stat3.php
dzmeritelshop.ru -> /dbs/0088.exe
dzmeritelshop.ru -> /dbs/images.php
dzmeritelshop.ru -> /dbs/logo84.php

Both of these domains are hosted at:

IP              Reverse DNS                   ASN    Prefix           AS name
218.24.113.3    Failed resolution             4837   218.24.0.0/16    CHINA169-BACKBONE CNCGROUP China169 Backbone
197.112.2.4     Failed resolution             33774  197.112.0.0/12   DJAWEB
113.161.87.176  static.vdc.vn                 45899  113.161.64.0/19  VNPT-AS-VN VNPT Corp
60.19.30.135    Failed resolution             4837   60.16.0.0/13     CHINA169-BACKBONE CNCGROUP China169 Backbone
71.217.16.11    71-217-16-11.tukw.qwest.net   209    71.208.0.0/12    ASN-QWEST - Qwest Communications Company, LLC


luigimonaco.org -> /_private/loadera5.exe
IP: 195.110.124.133
AS: 12363 195.110.124.0/22 DADA-AS DADA S.p.a.

Registrars and hosts/ISPs have been notified.
