Blog for hpHosts, and whatever else I feel like writing about ....

Monday 24 October 2011

hpHOSTS - UPDATED October 24th, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 212,624 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 24/10/2011 19:40
  2. Last Verified: 23/10/2011 17:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday 18 October 2011

Dear Cronon.net/rzone.de

I received 4 spam e-mails earlier that housed 4 links pointing to zip files on 4 sites housed on rZone.de (Cronon) IP space - all of the files contain trojans - more on that later.

As I normally do, I tried dropping an e-mail to the addresses listed in the net-block info (cmueller@cronon.net and abuse@cronon.net); sadly, it seems they don't want to receive abuse reports:

Mail delivery to the following recipient has finally failed:

abuse@cronon.net
Last reason: 550 5.0.0 Mailbox unavailable/command rejected for policy reasons/no
access
Explanation: host kled9.cronon.net [192.166.196.9] said: message denied by policy
[M31efc90 15611 Wed, 19 Oct 2011 02:29:34 +0200 (MEST)]

Transcript of session:
... while talking to kled9.cronon.net [192.166.196.9]:
>>> DATA (end of message)
<<< 550 message denied by policy [M31efc90 15611 Wed, 19 Oct 2011 02:29:34
+0200 (MEST)]


Wed 2011-10-19 01:15:06: --> RCPT To:<cmueller@cronon.net>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <cmueller@cronon.net> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50000562659.msg> to [81.169.145.102]
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
--- End Transcript ---


And yep, I tried sending via both my Malwarebytes address and my normal it-mate.co.uk address.

Until they stop rejecting abuse reports, I'd strongly recommend you put a block on their IP range.

The offending URLs, for those wondering;

hxxp://praxisreuss.de/info/Profiel.zip - 81.169.145.66
hxxp://www.karate-shanghai.de/download/Profiel.zip - 81.169.145.164
hxxp://www.edv-xp.de/info/Profiel.zip - 81.169.145.75
hxxp://www.foodoffice.de/download/Profiel.zip - 81.169.145.65

Domains the malware contacts;

duffiduffid.ru -> /stat/stat3.php
dzmeritelshop.ru -> /dbs/0088.exe
dzmeritelshop.ru -> /dbs/images.php
dzmeritelshop.ru -> /dbs/logo84.php

Both of these domains resolve to the following IPs;

IP               PTR                            ASN    Route             AS name
218.24.113.3     Failed resolution              4837   218.24.0.0/16     CHINA169-BACKBONE CNCGROUP China169 Backbone
197.112.2.4      Failed resolution              33774  197.112.0.0/12    DJAWEB
113.161.87.176   static.vdc.vn                  45899  113.161.64.0/19   VNPT-AS-VN VNPT Corp
60.19.30.135     Failed resolution              4837   60.16.0.0/13      CHINA169-BACKBONE CNCGROUP China169 Backbone
71.217.16.11     71-217-16-11.tukw.qwest.net    209    71.208.0.0/12     ASN-QWEST - Qwest Communications Company, LLC


luigimonaco.org -> /_private/loadera5.exe
IP: 195.110.124.133
AS: 12363 195.110.124.0/22 DADA-AS DADA S.p.a.

Registrars and hosts/ISPs have been notified.

Monday 10 October 2011

Some TDL/TDSS rootkit sites to block

From my friend Conrad;

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.

94.63.149.10
94.63.149.11
94.63.149.12
94.63.149.13
94.63.149.14
94.63.149.15
146.185.250.140
146.185.250.141
195.3.145.251
195.3.145.252
195.3.145.253
212.36.9.52

94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL; I've had this blocked for months with no ill effects. 146.185.0.0/16 is Petersburg Internet Network Ltd in Russia; the whole /16 is sparsely populated and blocking it would probably do no harm. 195.3.144.0/22 is the Latvian host RN Data SIA; given that Latvian hosts are such a sewer, blocking the /22 is probably also a good idea.


Read more;

http://blog.dynamoo.com/2011/10/some-tdltdss-rootkit-sites-to-block.html

Saturday 8 October 2011

ALERT: microsoft-key.com, 91.217.153.17

microsoft-key.com was registered on October 7th through BIZCN, the well-known criminal-friendly registrar (key-microsoft.com existed previously, on the same IP range), and, not surprisingly, is up to no good. The domain is presently only in German for some reason (it auto-redirects to /de-DE/, and no other language directories seem to exist).

A translation via Google, since I don't speak German, reads roughly as follows;

Welcome to the Microsoft activation site! This site is the activation server used by Microsoft to activate copies of Windows. If you have received a message that your copy of Windows is not genuine, you urgently need to purchase an activation key and activate your copy of Windows. Otherwise, your IP address will be handed over to the police, and under § 126 para 3 UrhG this will be regarded as a violation of copyright.

You can obtain the activation key by paying on this site.
You just need to buy a paysafecard worth 100 € and enter the PIN.

To continue the activation, you can also enter the identification number you were given.


Quite why it's only targeting German speaking individuals is puzzling, but I suspect it's likely only a matter of time before it's active in other languages (already working on takedown of course, and have notified MSRT).

The IP it's living at will come as no surprise either;

IP: 91.217.153.17
IP PTR: Resolution failed
ASN: 41390 91.217.153.0/24 RN-DATA-LV RN Data, SIA

The entire range has been, and continues to be, a haven for criminals and malicious activity, with malware and phishing present on virtually every IP. Personally I'd strongly urge you to blackhole it if you've not already.
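Both the TDL/TDSS post above and this one recommend blocking whole netblocks rather than individual IPs. The script below is an added example (it is not code from this blog or from hpHosts) showing how to check that recommendation before applying it: it collapses the individual TDSS indicators into CIDR blocks, tests which of them the recommended ranges actually cover, confirms the microsoft-key.com host falls inside 91.217.153.0/24, and renders the ranges as firewall rules. The IPs and ranges are the ones quoted in the two posts; the iptables output assumes a Linux host as the enforcement point, which is my assumption, not something the posts state.

```python
import ipaddress

# Indicators copied from the two posts above (Conrad's TDL/TDSS list and the
# microsoft-key.com host). These are the page's own values, used here as test data.
TDSS_IPS = [
    "94.63.149.10", "94.63.149.11", "94.63.149.12", "94.63.149.13",
    "94.63.149.14", "94.63.149.15", "146.185.250.140", "146.185.250.141",
    "195.3.145.251", "195.3.145.252", "195.3.145.253", "212.36.9.52",
]
MICROSOFT_KEY_IP = "91.217.153.17"

# Ranges the posts recommend blackholing outright.
RECOMMENDED_RANGES = [
    "94.63.149.0/24",    # Eurolan Solutions SRL (Romania)
    "146.185.0.0/16",    # Petersburg Internet Network Ltd (Russia)
    "195.3.144.0/22",    # RN Data SIA (Latvia)
    "91.217.153.0/24",   # RN Data SIA (Latvia)
]


def summarize(ips):
    """Collapse individual addresses into the smallest set of CIDR blocks.

    Shows how an indicator list clusters, which helps decide how wide a block to apply.
    """
    nets = (ipaddress.ip_network(ip) for ip in ips)
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def build_blocklist(ranges):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_blocked(ip, networks):
    """True if `ip` falls inside any network on the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def uncovered(ips, networks):
    """Indicators that a range-based block would still let through."""
    return [ip for ip in ips if not is_blocked(ip, networks)]


def iptables_rules(networks, chain="INPUT"):
    """Render one DROP rule per network (assumed Linux/iptables enforcement point)."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in networks]


if __name__ == "__main__":
    blocklist = build_blocklist(RECOMMENDED_RANGES)
    print("Indicators collapse to:", summarize(TDSS_IPS))
    print("Missed by the recommended ranges:", uncovered(TDSS_IPS, blocklist))
    print("microsoft-key.com host blocked:", is_blocked(MICROSOFT_KEY_IP, blocklist))
    for rule in iptables_rules(blocklist):
        print(rule)
```

Running it shows the one gap worth noticing: the suspected C&C at 212.36.9.52 is not inside any of the three ranges Conrad names, so it needs its own entry (or its own netblock lookup) in addition to the range blocks.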

Wednesday 5 October 2011

RIP Steve Jobs, and a warning to keep your eyes peeled

Apple have announced the death of Steve Jobs, former CEO of Apple.

http://www.apple.com/stevejobs/

You can bet your life that the blackhat SEO gangs will be on to this like a rash in the next few hours, so please be extra careful out there.