Forum comments

Posted on Fri 07 Oct 2011, 06:38:33 PM UTC
RE: The Bot Is Back — ddplopt.com
ddplopt.com is running a suite of the botnet's phishing scams and malware. The domain has already received adverse ratings by usually reliable sources including Trend Micro Site Safety Center and the SURBL. Watch out for a black hole exploit that uses an invisible iFrame that loads malware from a different site.
The site's DNS is currently provided by
ns1.envelopesf-rswitch.com (IP 199.71.214.131, Psychz Networks, USA)
ns2.envelopesf-rswitch.com (IP 70.31.112.44, Sympatico HSE, Canada)
ns1.chairalitypol.com (IP 199.71.214.131)
ns2.chairalitypol.com (IP 67.15.3.21, ThePlanet.com Internet Services, USA)
Evidently, IP 199.71.214.131 has provided DNS for the botnet in previous exploits.
According to the "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
46.37.87.141 (PROCONO, S.A., Spain)
77.209.138.182 (AIRTELNET / Vodafone Spain)
77.209.170.180 (Vodafone Spain) also used in previous exploits
77.210.0.69 (AIRTELNET / Vodafone Spain)
77.210.100.135 (AIRTELNET / Vodafone Spain)
77.211.82.219 (AIRTELNET / Vodafone Spain)
77.211.207.178 (AIRTELNET / Vodafone Spain)
81.203.1.72 (Cableuropa - Ono, Spain)
82.130.144.17 (EUSKALTEL, Spain)
84.123.149.92 (Cableuropa - Ono, Spain)
87.182.61.67 (Deutsche Telekom AG, Germany)
88.29.81.153 (Telefonica de Espana SAU, Spain)
200.125.77.157 (Telecentro, Argentina) also used in previous exploits
213.60.168.21 (R Cable y Telecomunicaciones Galicia S.A., Spain) also used in previous exploits

Posted on Fri 07 Oct 2011, 06:47:44 PM UTC
RE: The Bot Is Back — ddplopt.com
IPs currently used by ddplopt.com:
Nameservers currently used by: ddplopt.com
List of domains/hosts:
ns1.chairalitypol.com
ns2.chairalitypol.com
ns1.envelopesf-rswitch.com
ns2.envelopesf-rswitch.com
Other relevant domains:
List of domains/hosts:
envelopesf-rswitch.com
chairalitypol.com
techdlfs.com
unassigned.psychz.net
idlefgt.com
parkingstachanal.com
-------
WOT Services Ltd. - gives us safety through Web of Trust. WOT Community - gives us security through unity. ∞

Posted on Fri 07 Oct 2011, 08:09:27 PM UTC
malware payloads — ddplopt.com
In addition to about a dozen different spoofs of websites, ddplopt.com runs a spoof of the USA Internal Revenue Service (IRS) government tax site which I do not remember seeing recently, although I have seen a similar spoofed IRS webpage. The newer spoof loads a file into an invisible iFrame from hissheeoplote.com; I presume that this is a hazardous black hole exploit. BitDefender and TrendMicro list hissheeoplote.com as a "Malware site"; Avira lists it as a "Phishing site". The same page links to a malware payload in the EXE file archive.exe which is called "your tax return". See the malware analysis at
http://www.virustotal.com/file-scan/report.html?id...
According to newer "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
62.42.26.164 (Cableuropa - Ono, Spain) also used in previous exploits / Listed in SORBS
62.42.62.214 (Cableuropa - Ono, Spain) Listed in SORBS
82.213.189.238 (Cableuropa - Ono, Spain) Listed in SORBS
84.124.229.114 (Cableuropa - Ono, Spain) Listed in SORBS
85.136.46.153 (ONO, Spain) also used in previous exploits / Listed in SORBS

Posted on Fri 07 Oct 2011, 08:36:54 PM UTC
techdlfs.com joins the botnet
techdlfs.com is running a suite of the botnet's phishing scams and malware. g7w has already noted this domain above. The domain has already received adverse ratings by usually reliable sources including Trend Micro Site Safety Center and the SURBL. Watch out for a black hole exploit that uses an invisible iFrame that loads malware from a different site.
The site's DNS is currently provided by
ns1.envelopesf-rswitch.com (IP 199.71.214.131, Psychz Networks, USA)
ns2.envelopesf-rswitch.com (IP 70.31.112.44, Sympatico HSE, Canada)
ns1.chairalitypol.com (IP 199.71.214.131)
ns2.chairalitypol.com (IP 67.15.3.21, ThePlanet.com Internet Services, USA)
According to newer "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
46.37.87.149 (PROCONO, S.A., Spain) Listed in XBL; Listed in CBL
84.120.43.30 (Cableuropa - Ono, Spain) Listed in SORBS
187.160.187.143 (Television Internacional, S.A. de C.V., Mexico)

Posted on Sat 08 Oct 2011, 05:28:50 AM UTC
RE: The Bot Is Back — ddplopt.com
irs.ddplopt.com
irs.techdlfs.com
FAKE US Internal Revenue Service page
re: hissheeoplote.com
SB reports
Malicious software includes 1 trojan
re: 84.120.43.30
Some subdomains residing on this IP:
-------
WOT Services Ltd. - gives us safety through Web of Trust. WOT Community - gives us security through unity. ∞

Posted on Sat 08 Oct 2011, 06:55:20 PM UTC
ddplopt.com & techdlfs.com suspended
Both ddplopt.com and techdlfs.com have been suspended. Their domain registrar PAKNIC (PRIVATE) LIMITED has set their domain statuses to "clientHold" and has set their domain name servers to "No nameserver".
Perhaps PAKNIC should also take some administrative action regarding the domains formerly providing DNS for the botnet: envelopesf-rswitch.com and chairalitypol.com; otherwise the botnet probably will continue to use them.

Posted on Sun 09 Oct 2011, 07:04:05 PM UTC
systrmp.com joins the botnet
systrmp.com is running a suite of the botnet's phishing scams and malware. The domain has already received adverse ratings by usually reliable sources including Trend Micro Site Safety Center, BitDefender, Websense ThreatSeeker, and the SURBL. Opera and G-Data call it a "Phishing Site". Watch out for a black hole exploit that uses an invisible iFrame to load malware from a different site, hissheeoplote.com. Watch out for malware in the EXE file archive.exe that pretends to be a citizen's tax return. See the malware report about it at
http://www.virustotal.com/file-scan/report.html?id...
The site's DNS is currently provided by
ns1.envelopesf-rswitch.com (IP 199.71.214.131, Psychz Networks, USA)
ns2.envelopesf-rswitch.com (IP 70.31.112.44, Sympatico HSE, Canada)
ns1.chairalitypol.com (IP 199.71.214.131)
ns2.chairalitypol.com (IP 67.15.3.21, ThePlanet.com Internet Services, USA)
According to the "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
62.42.26.164 (Cableuropa - Ono, Spain) Listed in SORBS / also used in previous exploits
62.83.94.96 (ONO, Spain) Listed in SORBS
77.209.163.151 (Vodafone Spain)
77.210.13.101 (Vodafone Spain)
78.53.67.98 (HanseNet Telekommunikation, Germany) Listed in SORBS
81.184.9.201 (ONO, Spain) Listed in SORBS
82.130.150.232 (Euskaltel, Spain) Listed in SORBS
83.165.52.14 (R Cable y Telecomunicaciones Galicia S.A., Spain) also used in previous exploits
83.213.7.125 (Euskaltel, Basque / Spain) Listed in SORBS
84.120.40.4 (Cableuropa - Ono, Spain) Listed in SORBS
85.84.60.87 (Euskaltel, Spain) Listed in SORBS / also used in previous exploits
85.86.48.130 (Euskaltel, Spain) Listed in SORBS / also used in previous exploits
87.218.220.130 (Jazztel triple play, Spain) Listed in SORBS
88.31.23.129 (Telefonica de Espana SAU, Spain) Listed in SORBS
95.18.51.139 (Jazztel triple play, Spain) Listed in SORBS
213.141.44.168 (TeleCable de Asturias, Spain) Listed in SORBS
217.217.74.239 (Cableuropa - Ono, Spain) Listed in SORBS / also used in previous exploits
[Edit: Additional data]
According to newer "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
83.97.180.223 (TeleCable de Asturias, Spain) Listed in SORBS
83.97.222.161 (TeleCable de Asturias, Spain) Listed in SORBS
90.168.213.56 (France Telecom España SA, Spain)
90.172.83.45 (France Telecom Espana SA, Spain)
223.218.74.218 (NTT Communications Corporation, Japan)
Note: Another site, msvoipid.com, was detected running the same scam earlier; it was promptly suspended by its domain registrar REGISTERMATRIX.COM CORP.

Posted on Mon 10 Oct 2011, 05:50:22 AM UTC
chipiden.com joins the botnet
chipiden.com is running a suite of the botnet's phishing scams and malware. The domain has already received adverse ratings by usually reliable sources including Trend Micro Site Safety Center, MalwareDomainList, Websense ThreatSeeker, and the SURBL. Watch out for a black hole exploit that uses an invisible iFrame to load malware from a different site, pintineroass.com. Watch out for malware in the EXE file archive.exe that pretends to be a citizen's tax return. See the malware report about it at
http://www.virustotal.com/file-scan/report.html?id...
See also
http://hosts-file.net/?s=chipiden.com
The site's DNS is currently provided by
ns1.envelopesf-rswitch.com (IP 199.71.214.131, Psychz Networks, USA)
ns2.envelopesf-rswitch.com (IP 70.31.112.44, Sympatico HSE, Canada)
ns1.chairalitypol.com (IP 199.71.214.131)
ns2.chairalitypol.com (IP 67.15.3.21, ThePlanet.com Internet Services, USA)
According to the "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
85.86.48.130 (Euskaltel, Spain) Listed in SORBS / also used in previous exploits
90.168.213.56 (France Telecom España SA, Spain)
[Edit: Added newer data]
62.42.52.133 (Cableuropa - Ono, Spain)
77.209.97.5 (Vodafone Spain)
77.209.159.227 (Vodafone Spain)
77.210.77.253 (Vodafone Spain)
84.127.194.237 (Cableuropa - Ono, Spain)
85.219.94.18 (Cableuropa - Ono, Spain)
95.39.128.196 (ONO, Spain)
114.183.246.150 (NTT Communications Corporation, Japan)
212.225.170.228 (PROCONO S.A., Spain)
217.217.30.44 (ONO, Spain)

Posted on Mon 10 Oct 2011, 06:47:51 PM UTC
RE: The Bot Is Back — ddplopt.com
There are additional domains being used in the same manner, and resolved with the same domain name servers.
NAME SERVERS registered with PAKNIC
ns1.chairalitypol.com
ns1.envelopesf-rswitch.com
DOMAINS
msvoipid.com [suspended by Registrar: REGISTERMATRIX.COM CORP.]
ddplopt.com [suspended by Registrar: PAKNIC (PRIVATE) LIMITED]
techdlfs.com [suspended by Registrar: PAKNIC (PRIVATE) LIMITED]
systmsd.com
chipiden.com
systrmp.com
cpsystms.com
REGISTRARS
systmsd.com = 1 API GMBH
chipiden.com = REGISTERMATRIX.COM CORP.
systrmp.com = PAKNIC (PRIVATE) LIMITED
cpsystms.com = BIZCN.COM, INC.

Posted on Mon 10 Oct 2011, 07:36:46 PM UTC
RE: The Bot Is Back — ddplopt.com
This is a botnet infector posing as a message from the IRS. For example, sess_id9837964.systrmp.com/reviews/return/ displays
Understanding your CP01H Notice
What you need to do
Carefully review your tax return (self-extracting archive file). If you think our records are in error, contact the Social Security Administration to correct the situation. If the account is corrected, they will provide you with a Letter SSA 2458 showing the correction. Once the information has been corrected, follow the instructions shown on your CP 01H notice to file your return.
The "tax return" is a link to the dangerous "archive.exe" download file that contains the payload.

Posted on Tue 11 Oct 2011, 04:11:36 AM UTC
cpsystms.com & systmsd.com join the botnet
As posted above some hours ago by MarkGiles, cpsystms.com and systmsd.com have joined the botnet. They are running a suite of the botnet's phishing scams and malware, but the current campaign is a new scam webpage that spoofs the USA Internal Revenue Service (IRS) and that contains a malware download. See the malware analysis at
http://www.virustotal.com/file-scan/report.html?id...
According to the "A" records reported by the botnet's DNS, the botnet may be controlling computers at some of these IP addresses:
77.209.38.33 (Vodafone Spain)
77.209.210.107 (Vodafone Spain)
83.165.52.14 (R Cable y Telecomunicaciones Galicia S.A., Spain)
85.86.48.130 (Euskaltel, Spain) also used in previous botnet exploits
90.168.221.231 (France Telecom España, Spain)
90.172.43.56 (France Telecom Espana SA, Spain)
114.183.246.150 (NTT Communications Corporation, Japan)
178.139.115.99 (Vodafone Spain)
200.125.77.157 (Telecentro, Argentina) also used in previous botnet exploits
202.169.76.159 (Nagasaki Cable Media, Japan)
213.60.168.21 (R Cable y Telecomunicaciones Galicia S.A., Spain) also used in previous botnet exploits
217.217.74.239 (Cableuropa - Ono, Spain)

Posted on Tue 11 Oct 2011, 06:27:32 AM UTC
RE: The Bot Is Back — ddplopt.com
Excluding the URL for the blackhole exploit itself, since that's always on a different domain, the URLs for these are:
Regards Steven Burn I.T. Mate / hpHosts it-mate.co.uk / hosts-file.net

Posted on Tue 11 Oct 2011, 07:47:59 PM UTC
chipiden.com & systmsd.com suspended
chipiden.com has been suspended. Its domain registrar REGISTERMATRIX.COM CORP has set its status to "clientHold".
systmsd.com has been suspended. Its domain registrar 1 API GMBH has set its status to "clientHold".
The fast-flux botnet continues to operate cpsystms.com and systrmp.com.
According to the "A" records recently reported by the botnet's DNS, the botnet may be controlling computers at some of these IP addresses:
62.42.26.164 (Cableuropa - Ono, Spain)
81.184.9.245 (ONO, Spain)
83.97.177.31 (TeleCable de Asturias, Spain)
84.123.86.122 (Cableuropa - Ono, Spain)
84.123.147.172 (Cableuropa - Ono, Spain)
84.125.37.119 (Cableuropa - Ono, Spain)
85.86.48.130 (Euskaltel, Spain)
90.172.168.183 (France Telecom Espana SA, Spain)
178.139.10.188 (Vodafone Spain)
178.139.13.190 (Vodafone Spain)
212.225.152.88 (PROCONO S.A., Spain)

Posted on Wed 12 Oct 2011, 02:21:57 AM UTC
systrmp.com suspended, cpsystms.com suspended
systrmp.com has been suspended. Its domain registrar PAKNIC (PRIVATE) LIMITED has set its status to "clientHold" (Updated Date: 11-oct-2011).
cpsystms.com has been suspended. Its domain registrar BIZCN.COM, INC has set its status to "clientHold" (Updated Date: 12-oct-2011).

Posted on Wed 12 Oct 2011, 06:58:16 PM UTC
ns1.envelopesf-rswitch.com & ns1.chairalitypol.com rehosted
The name servers that the botnet has been using, ns1.envelopesf-rswitch.com and ns1.chairalitypol.com, have both moved from IP 199.71.214.131 to IP 194.0.252.114, hosted on the VooServers Ltd network in the UK. An identical move was made for at least one of the botnet's previous name servers last month, but that name server returned to IP 199.71.214.131 within a day or two.

Posted on Wed 12 Oct 2011, 07:01:59 PM UTC
RE: The Bot Is Back — ddplopt.com
Dropped them an e-mail ;o)
Regards Steven Burn I.T. Mate / hpHosts it-mate.co.uk / hosts-file.net

Posted on Thu 13 Oct 2011, 12:51:34 PM UTC
ns1.envelopesf-rswitch.com & ns1.chairalitypol.com rehosted
MysteryFCM writes powerful and effective email.
The name servers that the botnet has been using, ns1.envelopesf-rswitch.com and ns1.chairalitypol.com, have both moved from IP 194.0.252.114 to IP 67.23.245.105, hosted on the HostDime.com network in the USA. IP 67.23.245.105 has been favored by the botnet for at least the past four months.

Posted on Thu 13 Oct 2011, 08:06:55 PM UTC
RE: The Bot Is Back — ddplopt.com
IP 67.23.245.105
AbuseHandle: ABUSE796-ARIN
AbuseName: Abuse Group
AbusePhone: +1-407-756-1126
AbuseEmail: abuse@dimenoc.com
id: DIMENOC-1125643625
network-name: DIMENOC-1125643625
ip-network: 67.23.245.105/32
org-name: Adam Jack
street-address: 440 West Kennedy Blvd Suite #1
city: Orlando
state: FL
postal-code: 32810
country-code: US

Posted on Fri 14 Oct 2011, 04:40:53 AM UTC
idsystms.com & mrsystms.com joined botnet, soon suspended
idsystms.com and mrsystms.com were running a suite of the botnet's phishing scams and malware yesterday, before being suspended. (Their domain registrar REGISTERMATRIX.COM CORP has set the status to "clientHold" for each of them.) They spread malware through the botnet's fake IRS CP01H notice. Reported examples are
hXXp://session53636943465463.idsystms.com/reviews/return/?id=TXQQHRZWZ095759&d=Fri,%2014%20Oct%202011%2001:26:15%20+0800
hXXp://sess_id8452519.idsystms.com/reviews/return/?id=FZUEYKGM691&d=Thu,%2013%20Oct%202011%2012:59:49%20-0700
hXXp://irs.idsystms.com/reviews/return/?id=BQPQJPKPXD055&d=Thu,%2013%20Oct%202011%2013:26:09%20-0300
MarkGiles has posted some scorecard warnings.
The sites' DNS was provided by
ns1.envelopesf-rswitch.com
ns1.chairalitypol.com
Those two name servers for the botnet have moved from IP 67.23.245.105 to IP 173.236.45.150 on the SingleHop network in the USA. See the warnings about IP 173.236.45.150 at
http://cbl.abuseat.org/lookup.cgi?ip=173.236.45.15...
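The reported URLs above, together with the sess_id9837964.systrmp.com/reviews/return/ lure and its archive.exe download described earlier in the thread, share one hostname and path pattern. The following classifier is an added example (not code from the thread or from WOT): it refangs the forum's hXXp:// notation, checks for the session<digits>/sess_id<digits>/irs labels in front of the scam domain, the /reviews/return/ landing path and the archive.exe payload, and pulls out the id= and d= parameters so that proxy or mail logs can be screened for the same campaign. The benign www.example.com URL in the sample input is constructed, and the code assumes a two-label registered domain such as idsystms.com.

```python
"""Classifier for the botnet's fake IRS "CP01H notice" URLs (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

SESSION_LABEL = re.compile(r"^(session|sess_id)\d+$")  # session53636943465463, sess_id8452519
LURE_PATH = "/reviews/return/"
PAYLOAD_NAME = "archive.exe"


def refang(url: str) -> str:
    """Undo the thread's 'hXXp://' defanging so urlsplit sees a real scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def _query_params(query: str) -> Dict[str, str]:
    """Split the query string without turning '+' into a space; parse_qs would
    mangle the '+0800' timezone inside the d= parameter."""
    params: Dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def classify_url(url: str) -> Dict[str, Optional[str]]:
    """Return a verdict plus the campaign id and date the lure URL carries."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    first = labels[0] if len(labels) > 2 else ""  # leftmost label, if there is one
    params = _query_params(parts.query)

    session_host = bool(SESSION_LABEL.match(first))
    irs_host = first == "irs"
    lure_path = parts.path.startswith(LURE_PATH)
    payload = parts.path.endswith("/" + PAYLOAD_NAME)

    if payload:
        verdict = "archive_payload"
    elif lure_path and (session_host or irs_host):
        verdict = "cp01h_lure"
    else:
        verdict = "no_match"
    return {
        "verdict": verdict,
        # assumption: two-label registered domain (idsystms.com, systrmp.com)
        "domain": ".".join(labels[-2:]) if len(labels) >= 2 else host,
        "campaign_id": params.get("id"),
        "date": params.get("d"),
    }


def scan(urls: List[str]) -> List[Dict[str, Optional[str]]]:
    """Classify every URL and keep only the ones that matched the campaign."""
    return [r for r in map(classify_url, urls) if r["verdict"] != "no_match"]


# Sample input: the three defanged URLs reported in the post above, the
# archive.exe download under the lure path described earlier in the thread,
# and one constructed benign URL.
SAMPLE_URLS = [
    "hXXp://session53636943465463.idsystms.com/reviews/return/?id=TXQQHRZWZ095759&d=Fri,%2014%20Oct%202011%2001:26:15%20+0800",
    "hXXp://sess_id8452519.idsystms.com/reviews/return/?id=FZUEYKGM691&d=Thu,%2013%20Oct%202011%2012:59:49%20-0700",
    "hXXp://irs.idsystms.com/reviews/return/?id=BQPQJPKPXD055&d=Thu,%2013%20Oct%202011%2013:26:09%20-0300",
    "hXXp://sess_id9837964.systrmp.com/reviews/return/archive.exe",
    "http://www.example.com/reviews/return/?id=42",  # constructed, benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(hit)
```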

Posted on Sat 15 Oct 2011, 11:29:41 PM UTC
vbsdl.com joins the botnet
vbsdl.com is running a suite of the botnet's phishing scams and malware. TrendMicro, Dr. Web and BitDefender call it a "Malware site"; Opera calls it a "Phishing site". This site may introduce a new format for the botnet's fake "Understanding your CP01H Notice" webpage that spreads malware. Its malware payload in the EXE file archive.exe is disguised as a citizen's tax returns. Most antivirus programs do not detect it yet. See the malware report at
http://www.virustotal.com/file-scan/report.html?id...
The first incident report about vbsdl.com that I've seen suggests that the botnet has revived its Facebook malware campaign.
hXXp://www.e-tlumacze.eu/zs1774id.php automatically redirects to a scam Dutch-language Facebook webpage at hXXp://facebook.com.vbsdl.com/confirm/reqnl/
Its bottom frame automatically redirects to competeidianaf.com which, if the botnet follows its usual pattern, may contain a black-hole exploit or malicious drive-by download.
The site's DNS is currently provided by
ns1.envelopesf-rswitch.com (IP 173.236.45.150, SingleHop, Inc, USA)
ns2.envelopesf-rswitch.com (IP 70.31.112.44, Sympatico HSE, Canada)
ns1.chairalitypol.com (IP 173.236.45.150)
ns2.chairalitypol.com (IP 67.15.3.21, ThePlanet.com Internet Services, USA)
According to the "A" records reported by the DNS, the botnet may be controlling computers at some of these IP addresses:
72.22.83.39 (iPower, Inc, USA)
96.9.132.73 (Network Operations Center Inc, USA)

Posted on Sun 16 Oct 2011, 06:00:12 PM UTC
vbsdl.com suspended
vbsdl.com has been suspended. Its domain registrar REGISTERMATRIX.COM CORP has set its status to "clientHold".
Two obvious differences between vbsdl.com and the botnet's other recent scam sites are (1) that the scam web pages that spoofed the IRS and Facebook used a Frameset instead of iFrames to conceal its drive-by or blackhole exploits and (2) that its DNS did not use anything like the typical fast-flux ploy.
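The contrast drawn in this post, fast-flux answers for systrmp.com versus the stable pair of addresses vbsdl.com resolved to, can be scored from successive A-record lookups. The scorer below is an added example (not code from the thread or from WOT): it measures how many distinct addresses and /16 networks a domain has resolved to, how little consecutive answers overlap, and how short the TTLs are. The IP addresses are a subset of those reported in the posts above; the TTL values and the thresholds in is_fast_flux are constructed assumptions, since the thread reports neither.

```python
"""Fast-flux indicators from successive A-record snapshots (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Snapshot:
    """One DNS answer for a domain: the A records returned and the answer TTL."""
    domain: str
    ips: Set[str]
    ttl: int


def _prefix16(ip: str) -> str:
    """First two octets, a crude offline proxy for 'a different network'."""
    return ".".join(ip.split(".")[:2])


def consecutive_overlap(snapshots: List[Snapshot]) -> float:
    """Mean Jaccard similarity between each answer and the next one.

    1.0 means every lookup returned the same addresses, 0.0 means no address
    reappeared in the following lookup. A single snapshot scores 1.0.
    """
    if len(snapshots) < 2:
        return 1.0
    sims = []
    for cur, nxt in zip(snapshots, snapshots[1:]):
        union = cur.ips | nxt.ips
        sims.append(len(cur.ips & nxt.ips) / len(union) if union else 1.0)
    return sum(sims) / len(sims)


def flux_report(snapshots: List[Snapshot]) -> Dict[str, float]:
    """Collect the indicators a defender would look at for one domain."""
    all_ips = set().union(*(s.ips for s in snapshots))
    return {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len({_prefix16(ip) for ip in all_ips}),
        "mean_overlap": consecutive_overlap(snapshots),
        "min_ttl": min(s.ttl for s in snapshots),
    }


def is_fast_flux(snapshots: List[Snapshot], min_ips: int = 10, min_prefixes: int = 5,
                 max_overlap: float = 0.5, max_ttl: int = 600) -> bool:
    """Illustrative thresholds (assumptions): many addresses spread over many
    networks, little overlap between lookups, and short TTLs."""
    r = flux_report(snapshots)
    return (r["distinct_ips"] >= min_ips and r["distinct_prefixes"] >= min_prefixes
            and r["mean_overlap"] <= max_overlap and r["min_ttl"] <= max_ttl)


# Sample data: a subset of the addresses the posts above report for systrmp.com
# (two successive lookups) and for vbsdl.com. TTLs are constructed values.
SYSTRMP = [
    Snapshot("systrmp.com", {"62.42.26.164", "77.209.163.151", "81.184.9.201",
                             "83.213.7.125", "85.86.48.130", "87.218.220.130",
                             "95.18.51.139", "217.217.74.239"}, ttl=300),
    Snapshot("systrmp.com", {"83.97.180.223", "83.97.222.161",
                             "90.168.213.56", "223.218.74.218"}, ttl=300),
]
VBSDL = [
    Snapshot("vbsdl.com", {"72.22.83.39", "96.9.132.73"}, ttl=3600),
    Snapshot("vbsdl.com", {"72.22.83.39", "96.9.132.73"}, ttl=3600),
]

if __name__ == "__main__":
    for name, snaps in (("systrmp.com", SYSTRMP), ("vbsdl.com", VBSDL)):
        print(name, flux_report(snaps), "fast-flux" if is_fast_flux(snaps) else "stable")
```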

Posted on Thu 20 Oct 2011, 03:36:06 AM UTC
ns1.chairalitypol.com & ns1.envelopesf-rswitch.com suspended
During early October, the botnet's DNS was provided by ns1.chairalitypol.com and ns1.envelopesf-rswitch.com. Both chairalitypol.com and envelopesf-rswitch.com have been suspended. Their domain registrar PAKNIC (PRIVATE) LIMITED has set the status of each domain to "clientHold" and has changed their name server to "No nameserver".

The Bot Is Back — ddplopt.com
This thread discusses a criminal botnet that spreads malware and runs phishing scams. A discussion of earlier incidents of these exploits is at
http://www.mywot.com/en/forum/13208-rulesbreacker-...
I wish to caution WOT users that some of the botnet's exploits will combine a phishing scam with several malware files. Sometimes the malware is too new to be detected by most antivirus programs.