URLVoid Blog

Phishing: Abbiamo limitato l’accesso visa/mastercard account. (Case # PP-001-546-712-069 – ORM001)

admin — Fri, 25 May 2012 15:59:51 +0000

Another phishing email against Italian users of Mastercard / Visa:

Header details:

Received: from mail.oceano.hn (mail.oceano.hn [63.161.65.43])
Received: from User ([62.215.140.237]) by oceano.hn with MailEnable ESMTP; Fri, 25 May 2012 08:04:39 -0600
Subject: Abbiamo limitato l'accesso visa/mastercard account. Si prega di attenersi alla seguente procedura per risolvere. (Case # PP-001-546-712-069 - ORM001)
Date: Fri, 25 May 2012 17:04:41 +0300
To: undisclosed-recipients:;
Content-Type: application/octet-stream; name="visaita.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="visaita.html"

There is a .HTML file attached:

File: visaita.html
Size: 25970 bytes
MD5: C6D16F0B6693AB2831E2BA70534C85BE
SHA1: AB4175E9B97A6E822E3D616BD4DDD5285AC70B39
SHA256: 7B8417D0A420DB5710B44252CF5B4813295EE1B8A51552BD6D5B847AC4AD9E85
SHA384: 4DB62497B232418E708AD8C5278BCDD48DD2E593CAAC01FC0963749EFA3B300BF116A539C222FB389020F61C2A516959
SHA512: 691B828A1FC25EE938114ECA74FFF5690AFE3F8F79AF4D13BB438C064663276CE97D5BED0BDDA3143A9D682FDF67E55C9F46CB1DAE69D5747297C9BF32B491F7

Phishing: Periodic Maintenance (PayPal)

admin — Fri, 18 May 2012 14:59:43 +0000

Another phishing email targets PayPal users:

Email header details:

Received: from mail.artworkdigital.com.br (ns1.artworkdigital.com.br [201.86.117.58])
Received: from User (216-107-107-254.static.networktel.net [216.107.107.254]) by mail.artworkdigital.com.br (Postfix)
Subject: Periodic Maintenance
Date: Fri, 18 May 2012 06:56:14 -0500
To: undisclosed-recipients:;
Content-Disposition: attachment; filename="PayPal_ReactivationFORMay2012.html"

Attached there is a file named:

File: PayPal_ReactivationFORMay2012.html
Size: 10157 bytes
MD5: 9617FF24A5647B20883C7FDA37408156
SHA1: 02C0D8DDEE4AFCC07897A141FFFF7540083B9F44
SHA256: E257318F2B84A08B15F5A431F5A1E1FE112A7D9EF0FBFB3A69AA63784C00F73A
SHA384: B4C63890B4B001D4B02559C0A75DD0472101FAAB306595AB8ADBEBE71CF4504B9026431A98868B1200FB2A517805447E
SHA512: EC5D11EF6509333C492B54D60D6B5D4E9E1FE26A313EAB28B9ADAF3F6154EB6DAE982D00E66486B44C22E4A0CAB9158ED13B48DB70CEEC33EE4F626FE56D8246

Extracted malicious URLs:

hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/style.css
hxxp:// adsl-068-157-210-061.sip.bna.bellsouth .net /~jim/w.php

As we can see, the malicious files are hosted in a DSL hostname:

The website adsl-068-157-210-061.sip.bna.bellsouth.net is hosted at BellSouth.net and its current IP address is 68.157.210.61 (adsl-068-157-210-061.sip.bna.bellsouth.net). The server machine is located in United States (US) and in the same server there are hosted other 0 websites. The domain is registered with the suffix NET and the keyword of the domain is bellsouth. The organization is BellSouth.net.

URLVoid scan report:

http://urlvoid.com/scan/adsl-068-157-210-061.sip.bna.bellsouth.net/

Spam “Your Bill Me Later notice” leads to Incognito exploit kit

admin — Thu, 17 May 2012 11:55:50 +0000

Users have reported another malicious email message with subject “Your Bill Me Later notice” that states you have made a payment over the phone of $60.12 to Bill Me Later website. The email body is full of HREF links that point to a lot of malicious URLs, view a screenshot of the email message:

Email header details:

Received: from server.serverhk.net (69-164-193-60.magicnic.com [69.164.193.60])
Received: from [200.76.191.2] (helo=askokay.com) by server.serverhk.net with esmtpsa
Received: from [192.245.26.33] by m1.gns.snv.thisdomainl.com with SMTP; Wed, 16 May 2012 21:04:47 +1000
Received: from [68.117.211.36] by mailout.endmonthnow.com with NNFMP; Wed, 16 May 2012 20:54:02 +1000
Date: Wed, 16 May 2012 20:50:24 +1000
From: "Advera" askokay@askokay.com
Subject: Your Bill Me Later notice

The malicious extracted URLs are:

hxxp:// www. studiobarsotti .it /3oXGcu61/index.html
hxxp:// www. eventosabsolue .com /qh8xhoi8/index.html
hxxp:// foxpublicidade .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// 76.12.158 .176 /3oXGcu61/index.html
hxxp:// 76.12.158 .176 /yWyXU9NU/index.html
hxxp:// www. eventosabsolue .com /ZmUaukzG/index.html
hxxp:// ewaleczek. cal24 .pl /5CY4dSwa/index.html
hxxp:// www. eventosabsolue .com /h03NraKE/index.html
hxxp:// foxpublicidade. com .br/yWyXU9NU/index.html
hxxp:// www. hso. co. jp/yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit .pl /yWyXU9NU/index.html
hxxp:// zajacpiotr. hostit. pl /smWHegmd/index.html
hxxp:// ftp.joblines .sk /ri8ZKUip/index.html
hxxp:// www. sacmilani. com. ar /uvoNJPhk/index.html
hxxp:// foxpublicidade. com. br /smWHegmd/index.html
hxxp:// www. studiobarsotti .it /hTVbWtV1/index.html
hxxp:// jahu. com. br /FW3s2g0r/index.html
hxxp:// onecursos .com .br /foRzthoD/index.html
hxxp:// www. studiobarsotti .it /GRYYEt3L/index.html
hxxp:// www. studiobarsotti .it /yWyXU9NU/index.html
hxxp:// www. kayafamily .it /ZmUaukzG/index.html

Using HTMLSniffer we can dump the HTML content:

From the dumped data, we can see it is the Incognito exploit kit.

Extacted malicious URLs:

hxxp:// bigdeal . my/ZyYJZ7F0/js.js

The malicious URLs redirect users to another malicious URL:

hxxp:// 69.163.34. 134 /showthread.php?t=977334ca118fcb8c

If we use HTMLSniffer and we set the user-agent to Java, when we dump the content of the new malicious URL we can see it recognises from the user-agent that the user is using Java and the exploit tries to serve the infected Java applet:

Spam link on Twitter leads to Fake Antivirus Rogue Software

admin — Tue, 08 May 2012 21:45:45 +0000

One user has reported us a malicious URL that is being sent as a private message to the users that are registered on Twitter, the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link of the web page of the fake antivirus rogue software.

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server machine is located in United Kingdom (GB) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Screenshot of the fake scanning web page:

From the above images we can see that it is distributed the fake rogue security software named Windows Antivirus 2012. After the fake system scanning is finished, the user is prompted to downloaded an executable file named setup.exe:

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Domains Details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780

When executed the file setup.exe, the rogue software drops two .EXE files:

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE

And this is the screenshot of the splash screen of the rogue software:

More screenshots of the rogue software:

When the user click on “Activate” button, the rogue software executable opens a new Internet Explorer web page where user is supposed to insert his/her credit card details (that will be stolen by the trojan), here is the screenshot of the malicious web page:

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Domain details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 2 websites. The domain is registered with the suffix INFO and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info

Link LinkedIn Mail leads to Incognito exploit kit

admin — Fri, 04 May 2012 23:22:38 +0000

We have logged a new email that looks like to be sent by LinedIn:

The email header info shows it is a scam:

Received: from lhost10.forahost.net (server-178.211.48.24.as42926.net [178.211.48.24])
Received: from c9069568.static.spo.virtua.com.br ([201.6.149.104]:49583 helo=fixnot.com.tr) by lhost10.forahost.net
Date: Fri, 04 May 2012 08:34:11 -0700
From: "Order" @fixnot.com.tr
Subject: Link LinkedIn Mail

The email body contains also few malicious links:

hxxp:// gopeshmathur .com/ZgUBqavg/index.html

The dumped content of the URL is clear a Incognito exploit kit:

All the new malicious links are still alive and they redirect users to:

The Java exploit JAR files are downloaded from:

hxxp:// 50.116.8. 93 /data/Pol.jar
hxxp:// 69.163.34 .114 /data/Pol.jar

File: Pol.jar
Size: 15404 bytes
MD5: 020B0B477706596E71DE25286ED77991
SHA1: C196A7B07BFE3D3593E93F7D98E910FA8E63AFF6
SHA256: F76AC6983135C7A69B5F07BC762F1AA478E2D49489090AC66882BC8065D1862B
SHA384: 9C6BF2971E1F86588A9A08A3F18C096FBC62A42CE6927E0A7D0AFDB56DA01DBC4A6F72F742CC62B510FC1085221753D5
SHA512: 5464424E028620C4821B740B89787C7A75E6A56401F98BD15BA94F1A9268D54411E41E97DAE86468F4BDA54160A023DCC45F134E97BC6655E31C9274F8A21FC0

The JAR file exploits the vulnerability in the Java Runtime Environment component of Oracle Java SE (CVE-2012-0507), more details from the oracle.com website:

Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Other malicious Incognito exploit kit URLs:

hxxp:// ftp.coden .com .br /BhxC8VrP/index.html
hxxp:// generalcontractorsnc .com/nUUyHyvy/index.html
hxxp:// mccgedvalenca .com .br/JFs10e34/index.html
hxxp:// radiooisvira .com /mRpNLgWY/index.html
hxxp:// statisticsolympiad .org /gR2aietM/index.html

URLVoid scan reports:

http://www.urlvoid.com/scan/gopeshmathur .com
http://www.urlvoid.com/scan/jombangit .com
http://www.urlvoid.com/scan/shahinvestment .com
http://www.urlvoid.com/scan/mazyamana .com
http://www.ipvoid.com/scan/72.5.102.224
http://www.urlvoid.com/scan/ftp.coden .com .br
http://www.urlvoid.com/scan/generalcontractorsnc .com
http://www.urlvoid.com/scan/mccgedvalenca .com .br
http://www.urlvoid.com/scan/statisticsolympiad .org
http://www.urlvoid.com/scan/radiooisvira .com

Com.Br Websites Infected with Maliciour JS Code (bylviha .ru/count18.php)

admin — Fri, 27 Apr 2012 13:24:30 +0000

Our sandbox has logged various domains with suffix .COM.BR infected with a malicious obfuscated javascript code, that is injected at begin of the HTML pages of the websites, before the initial tag:

The malicious script redirects the users to a malicious URL:

hxxp:// bylviha .ru/count18.php

An example of websites infected:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the tag:</p> <p></p> <p>URLVoid reports of malicious domains:</p> <p><a href="http://www.urlvoid.com/scan/bylviha.ru">http://www.urlvoid.com/scan/bylviha .ru</a><br /> <a href="http://www.urlvoid.com/scan/carboniferacatarinense.com.br">http://www.urlvoid.com/scan/carboniferacatarinense .com .br</a><br /> <a href="http://www.urlvoid.com/scan/csir-iir.org">http://www.urlvoid.com/scan/csir-iir. org</a><br /> <a href="http://www.urlvoid.com/scan/terapets.com">http://www.urlvoid.com/scan/terapets .com</a></p> </article> <article> <h1>Phishing: A causa del nostro recente aggiornamento. Verified by Visa</h1> <p>admin — Mon, 23 Apr 2012 14:40:39 +0000</p> <p>We have logged other phishing emails used to steal details of Visa users:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">From - Mon Apr 23 16:04:50 2012 Received: from ser.just3d.tv (unknown [91.227.127.33]) Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000 Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184) Reply-To: sicurela@visaltalia.it From: "verified by visa" verified@visaitalia.com Subject: A causa del nostro recente aggiornamento. Date: Mon, 23 Apr 2012 15.21.34 +0200 To: undisclosed-recipients:;</pre></div></div> <p>Note from the email header the source of the message:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">Received: from ser.just3d.tv (unknown [91.227.127.33])</pre></div></div> <p>It has nothing to do with Visa, and note also the emails:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">Reply-To: sicurela@visaltalia.it</pre></div></div> <p>See the visa<b>l</b>talia.it is a <b>l</b> and not an <b>i</b>.</p> <p>The message of the email:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">Gentile Cliente, A causa del nostro recente aggiornamento sui nostri server (23/04/2012) e necessario aggiornare il tuo profilo. Per una maggiore sicurezza e di accesso, si prega di compilare il modulo allegato. Vi ringraziamo della vostra collaborazione. © Copyright Visa Europe 2012. Tutti i diritti riservati</pre></div></div> <p>There is also an attached file named <b>visaitalia.html</b>:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">File: visaitalia.html Size: 20015 bytes MD5: 2C76E9F667E78C8C32C09DBE1129969E SHA1: 0A30FFC20AC311AF2831086D4B181E0F23483399 SHA256: 1757C6A066E61F1B3E9782570712641FC734E1C6ACCD1DA329F3B10B164136CC SHA384: BD80E5B8A83A3C00D72B6367421AE85CC6A1FF8981F43D0D6784B52D0AAE58B22DD74293BD8735C8B0E4331C8CCCDA02 SHA512: 4B82AC139180E6B19C58A553456BBE30CE155E22A695E300115CAC5C8BDB3F84A024CCDF104E280162B0C44AF1495C850CA3565533DE62EC6F14EF7754295A30</pre></div></div> <p>The attached file contains the form used to send the typed details to a remote link. Listed below there are few malicious links extracted from the HTML attached file:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp:// leonidasvancouver .com /admin/plm/plm.html hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif hxxp:// rottenfish .de /vbv/run.php</pre></div></div> <p>The malicious websites are classified as detected in URLVoid:</p> <p><a href="http://www.urlvoid.com/scan/rottenfish.de/" target="_blank">http://www.urlvoid.com/scan/rottenfish .de/</a><br /> <a href="http://www.urlvoid.com/scan/leonidasvancouver.com/" target="_blank">http://www.urlvoid.com/scan/leonidasvancouver .com/</a></p> </article> <article> <h1>IPVoid v2.0 (BETA3) Changelog</h1> <p>admin — Thu, 12 Apr 2012 13:18:06 +0000</p> <p>New BETA3 of <a href="http://www.ipvoid.com/" target="_blank">IPVoid</a> service is online.</p> <p>Here is the main changelog:</p> <p>- Service has been rewritten completely<br /> - Added other blacklists engines (now 37 in total)<br /> - Fixed various blacklists results<br /> - View IP addresses related to an ISP<br /> - View IP addresses related to an Organization<br /> - View IP addresses located in a Country<br /> - View old reports of an IP address<br /> - Rescan an IP address after 30 minutes<br /> - Scanning time is much faster (around 8 seconds)<br /> - Show how much is old the report (ex: 20 Days Ago)</p> <p>Want to suggest a feature or report a bug ?<br /> Contact us at info (at) novirusthanks (dot) org</p> </article> <article> <h1>Express LinkedIn Mail: spread Blackhole Exploit Kit URLs</h1> <p>admin — Fri, 30 Mar 2012 22:03:34 +0000</p> <p>We have received few emails that looked like to be sent from LinkedIn:</p> <p></p> <p>But after checking email header details it was clearly a spam:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">Return-Path: trtro@www.trt.ro Received: from vps136.whmpanels.com (unknown [89.42.219.181]) Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com Date: Fri, 30 Mar 2012 21:37:47 +0100 From: "Support" trtro@www.trt.ro Subject: Express LinkedIn Mail</pre></div></div> <p>The A HREF links redirect to 3 different malicious URLs:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp:// groupehydrogaz .com/20sZhJqa/index.html hxxp:// dealerpos .com/uFj7A93z/index.html hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html</pre></div></div> <p>URLVoid reports:</p> <p><a href="http://www.urlvoid.com/scan/groupehydrogaz.com/" target="_blank">http://www.urlvoid.com/scan/groupehydrogaz.com/</a><br /> <a href="http://www.urlvoid.com/scan/dealerpos.com/" target="_blank">http://www.urlvoid.com/scan/dealerpos.com/</a><br /> <a href="http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/" target="_blank">http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/</a></p> <p>The page content dumped from one of these malicious URLs looks like:</p> <p></p> <p>That content looks like the spread-style of <a href="http://blog.urlvoid.com/index.php?s=exploit">Blackhole Exploit Kit</a>.</p> <p>Other malicious URLs are:</p> <div class="wp_syntax"><div class="code"><pre class="text" style="font-family:monospace;">hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js hxxp:// quiztown .org/U2iBLpvu/js.js hxxp:// wap .tl/8M6kMfpV/js.js hxxp:// laspeziacaritas .it/1M4VoeVe/js.js</pre></div></div> <p>URLVoid reports:</p> <p><a href="http://www.urlvoid.com/scan/ftp.planitur.com.br/" target="_blank">http://www.urlvoid.com/scan/ftp.planitur.com.br/</a><br /> <a href="http://www.urlvoid.com/scan/quiztown.org/" target="_blank">http://www.urlvoid.com/scan/quiztown.org/</a><br /> <a href="http://www.urlvoid.com/scan/wap.tl/" target="_blank">http://www.urlvoid.com/scan/wap.tl/</a><br /> <a href="http://www.urlvoid.com/scan/laspeziacaritas.it/" target="_blank">http://www.urlvoid.com/scan/laspeziacaritas.it/</a></p> <p>Pay always attention when opening <b>known and unknown</b> emails:</p> <p>1) Always analyze email headers to see who sent the email<br /> 2) Scan links with our service <a href="http://www.urlvoid.com/">http://www.urlvoid.com/</a><br /> 3) Do not download unknown files<br /> 4) Avoid to open emails that have subject related to pharmaceutical products<br /> 5) Avoid to open emails that have subject related to sexual content<br /> 6) When emails are from your Bank, always call your Bank before open the email</p> </article> </main></body></html>