2/08/2014

ILLINOIS Online Child Predators 2011:
“funson999” aka Michael Wayne Bailey
sentenced to 97 Months in Prison

US District Attorney S.R. Wigginton
On March 12th, 2012, Michael Wayne Bailey, 35, of Granite City, Illinois, was sentenced to a total of 97 months' imprisonment on an indictment charging him with possession of child pornography (count one) and receipt of child pornography (count two), the United States Attorney for the Southern District of Illinois, Stephen R. Wigginton, announced. The sentence consists of 97 months' imprisonment on each of counts one and two, to run concurrently.

Michael Wayne Bailey
Bailey was also ordered to serve 20 years of supervised release on counts one and two, to run concurrently; fined 300 USD on each count, for a total fine of 600 USD; and ordered to pay an additional 200 USD special assessment. Bailey pled guilty to the two-count indictment on September 23rd, 2011 and has been detained since his arraignment on July 26th, 2011.

The violation referenced in count one of the indictment occurred on March 17th, 2011, when officers executing a state search warrant seized eight PCs and numerous other media devices from the residence which Bailey shared with other individuals. While profiling the data on the computers, officers located a screen name, “funson999,” whose account contained numerous chats discussing the molestation of children and trading images of minors. Officers were able to track the funson999 account to Michael Bailey.

Bailey then admitted creating the funson999 account, stating that he would save images of minors engaged in sexually explicit conduct to his hard drive and then delete them. Bailey also stated he received approximately 10 images of minors engaged in sexually explicit conduct via the Web, and he admitted engaging in the chats recovered from his computer. Finally, Bailey stated that he deleted e-mails and other information associated with the funson999 account after the initial search warrant was executed.

The violation referenced in count two of the indictment occurred on October 2nd, 2009, when Bailey downloaded an image of a minor engaged in sexually explicit conduct. The case was investigated by the Madison County Sheriff’s Department and the Federal Bureau of Investigation’s Metro East Cyber Crimes and Analysis Task Force, and was assigned to Assistant United States Attorney Angela Scott.

MALICIOUS VISITOR TO THIS BLOG: www.bema.it INFECTED: Trojan-Downloader.JS.Iframe.czo & HEUR:Trojan.Script.Generic (ITALY)

MALICIOUS SITE: EXPLOIT BLACKHOLE (MALICIOUS INJECTION) Trojan-Downloader.JS.Iframe.czo

DOMAIN:
www.bema.it
  • https://www.virustotal.com/de/url/9c313118270d7060f6a88b8d02315e60f6fa366d1e640d01b0154f43f721ab7c/analysis/1391876292/
HTML
  • https://www.virustotal.com/de/file/c48575a72b511e9fc0a7e9e601b33507d08296eadb6efebb18655dc1177de4c1/analysis/

SPECIFIC MALWARE (VISITING) LINK: 
www.bema.it/paesaggigeologici.htm
  • https://www.virustotal.com/de/url/1a3e767c25cb71944b44bf81943c6d839273fdec1f176966f963d0875215e959/analysis/1391876591/

INFECTION:  
Trojan-Downloader.JS.Iframe.czo
  • https://www.virustotal.com/de/file/483e183fedd9db8a7fd74fd979c235c2d0565933534898c55abbfa3e7801b5e7/analysis/1391875774/
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/0e3b1abbec7f3d81910ab10ba644d5ba64a1075db3b9a85a7833642913871582/analysis/1391875789/
  • http://jsunpack.jeek.org/?report=8ace5573ffdaf77d5ed6faf5dd6aface337b0387
  • http://wepawet.iseclab.org/view.php?hash=a4bbe339803250d0b1a917575df82c92&t=1391875552&type=js
  • https://urlquery.net/report.php?id=9316907

---> REMOTE
miamiheattickets.com/http.php
  • https://www.virustotal.com/de/url/0bbe620806942d74fb1ede783f53c0f29151485340a3687deec3bdb8689900d8/analysis/1391877039/
--->
www.bema.it/bema_internet.css
  • https://www.virustotal.com/de/url/28a06f8a729f620fc4fb8c3b3aa47c3f2a66b5b9e7fba3578075c5f187218d58/analysis/1391877125/
  • https://www.virustotal.com/de/file/805730a9867637233a0e88034a7160ceebb1232bec363db7d057455dc4e8243c/analysis/1352190357/


OTHER MALWARE LINKS FROM THIS DOMAIN:
1) www.bema.it/opere/pg_1.htm
  • https://www.virustotal.com/de/url/52200c7f623b60c44c2256c70bc3041a0f7efbf825c1e0067565fd8dfd3dfd37/analysis/1391877987/
INFECTION: 
HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/a4e9035cacdfbfcb1b28cfb2ebedccc0901dbc4c82173a388648d43a7d82b88f/analysis/1391877891/
--->
moreclosings.com
  • https://www.virustotal.com/de/url/cb65fb78eb9f34870ab0c33b3fd7b48e9163f72d6d9b29ee9320e97dcb6d69f4/analysis/1391878110/
moreclosings.com/showthread.php?sid=193854
  • https://www.virustotal.com/de/url/97d8c820291908356fa32a0b17c1d0eb4bc54e40e4ef64c9a2e72dfd8469a30b/analysis/
  • https://urlquery.net/report.php?id=9317125
2) www.bema.it/artigrafiche.htm
  • https://www.virustotal.com/de/url/d2fba275794bdef2a814e05cf08b9439daa40293e332fa100bde91327b470231/analysis/1391878663/
INFECTION:  
Trojan-Downloader.JS.Iframe.czo
  • https://www.virustotal.com/de/file/3fa71c9f13947e2c60e52843932f59dddcc8e2d424a6f106717f5632e4533dcd/analysis/1391878603/
  • https://urlquery.net/report.php?id=9317122
3) www.bema.it/impianti.htm
  • https://www.virustotal.com/de/url/17a7d8f57f4c1f929637dea43d3cf7332442a484bb2f89ecca2afb9bf4a9dd1c/analysis/
INFECTION:  
Trojan-Downloader.JS.Iframe.czo
  • https://www.virustotal.com/de/file/fc694a8433ca74015e3badf6ecd4d00b18f93ddfaa30121a21b6405658a97928/analysis/1391878854/
  • https://urlquery.net/report.php?id=9317119


MALICIOUS IP: 217.74.66.183 (komsta.biz)
Infected with a spam or malware forwarding link - Botnet
(POLAND) Also: mecsohesti.strefa.pl & berlokava.strefa.pl

The IP address 217.74.66.183 (listed in the CBL (Composite Blocking List)) corresponds to a web site that is infected with a spam or malware forwarding link. The website's host name is "komsta.biz", and this link is an example of the redirect: "http://komsta.biz/xmlrpc/r1.php". In other words, the website "komsta.biz" has been hacked. Usually, the redirect takes the user's browser to a spam or malware site, typically fake Russian pills or pornography.

Most probably, the infection is a cPanel, Plesk, Joomla or WordPress CMS install that has become infected either through a vulnerability (meaning the CMS software is out of date and needs patching), or because the owner of "komsta.biz" has had their account information (user IDs/passwords) compromised. Malicious software/files are then uploaded by ftp or ssl.

In many cases, particularly with older compromises, the criminals that hacked this site will have uploaded a wide variety of spamming and other compromise tools. Therefore, the account corresponding to "komsta.biz" needs to be examined very carefully for signs of tampering. Further, the criminals will even modify existing web pages (particularly http://komsta.biz itself) to have hidden references to pill/drug/porn sites.

It is believed that the malicious redirects are done by altering web server access control mechanisms (for example, ".htaccess" files on Apache web servers) so that the redirect occurs on every "404 URL not found" error.
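
A defender-side check for exactly this tampering, added here as an example and not part of the CBL text or the blog: it scans an Apache .htaccess for a 404 ErrorDocument that points off-site and for RewriteRules that send requests for missing files to another host. The OWN_HOSTS set and the "attacker.example" host in the constructed sample are assumptions.

```python
import re
from urllib.parse import urlparse

# Hostnames that legitimately belong to the site being audited (assumption:
# the operator fills this in; komsta.biz is only the host named above).
OWN_HOSTS = {"komsta.biz", "www.komsta.biz"}

ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
NOT_FOUND_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{REQUEST_FILENAME\}\s+!-[fd]", re.I)
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def is_offsite(target: str) -> bool:
    """True when a directive target names a host that is not ours.
    Relative paths carry no host, so they are treated as local."""
    host = urlparse(target).hostname
    return host is not None and host.lower() not in OWN_HOSTS


def scan_htaccess(text: str) -> list:
    """Return (line_no, reason, directive) for every suspicious directive."""
    findings = []
    gated_on_missing_file = False  # set by RewriteCond %{REQUEST_FILENAME} !-f / !-d
    for n, line in enumerate(text.splitlines(), 1):
        m = ERRORDOC_RE.match(line)
        if m:
            # Apache answers a full-URL ErrorDocument with a 302 redirect,
            # so an off-site 404 handler forwards every bad URL elsewhere.
            if m.group(1) == "404" and is_offsite(m.group(2)):
                findings.append((n, "off-site 404 ErrorDocument", line.strip()))
            continue
        if NOT_FOUND_COND_RE.match(line):
            gated_on_missing_file = True
            continue
        m = REWRITE_RE.match(line)
        if m:
            if is_offsite(m.group(2)):
                reason = "off-site RewriteRule target"
                if gated_on_missing_file:
                    reason += " applied to requests for missing files (404 trick)"
                findings.append((n, reason, line.strip()))
            gated_on_missing_file = False  # RewriteCond lines bind only the next rule
    return findings


# Constructed sample .htaccess; attacker.example is a placeholder host.
SAMPLE = """# constructed sample, not copied from any real site
RewriteEngine On
ErrorDocument 404 /errors/404.html
ErrorDocument 404 http://attacker.example/xmlrpc/r1.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ http://attacker.example/landing.php [R=302,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""
```

Running scan_htaccess(SAMPLE) flags lines 4 and 7 of the sample and leaves the local error page and the on-site rewrite alone; the same function can be pointed at every .htaccess found under the document root.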


REFERENCES:
217.74.66.183
  • https://www.virustotal.com/de/url/0a6cbec1348cf0d336786144d8ac8b3392a06044ea45210c1ff7164b935138d3/analysis/1391867416/
LISTED AT SPAMHAUS (CBL):
  • http://www.spamhaus.org/query/bl?ip=217.74.66.183
LISTED AT CBL:
  • http://cbl.abuseat.org/lookup.cgi?ip=217.74.66.183 
----------------------------------------------------------
komsta.biz
  • https://www.virustotal.com/de/url/d075ee0a046bf5b9061d6516f74a2a8a896f6d645b500b82b8e5621cdd347af3/analysis/1391868630/
komsta.biz/xmlrpc/r1.php
  • https://www.virustotal.com/de/url/13fe2e198d34cfb1180de459f3cdc711cd35315653a442f5ea4cfae49d771803/analysis/ 
---------------------------------------------------------

Other Malicious Domains connected to this IP:
mecsohesti.strefa.pl
  • https://www.virustotal.com/de/url/7b8461c8134626cc15ae094d9ae3c6fa82c82a417cc6936693dbaac78829481e/analysis/1391866196/
mecsohesti.strefa.pl/908juare3rm.js
  • https://www.virustotal.com/de/url/e953124d50e1310dd2812e263931848b00d462470c676a634e4cb399cfa6b92a/analysis/1391866188/
  • https://www.virustotal.com/de/file/b16b4bdb5699e781801c38303ff0843681d622683b1edfaefe7d9255da7cdc36/analysis/1391865764/
  • http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=mecsohesti.strefa.pl
---------------------------------------------------------
berlokava.strefa.pl
  • https://www.virustotal.com/de/url/3ade4568cc4b8450928f22fdc2ef3961f253073f5854b1cecc26274ddce8afc6/analysis/1391865399/

INFECTED WITH: HTML:Script-inf
  • https://www.virustotal.com/de/file/1b9c71d4ede9b1b74f6a228fd391b1532e2dbe90c78ef3bbb77effbebac9693c/analysis/1391865730/
  • http://wepawet.iseclab.org/view.php?hash=f54d99392772ab74cc133e0920e5a658&t=1391865424&type=js
  • http://zulu.zscaler.com/submission/show/4f05692eb30713ac8402cef9ce93cb06-1391865434


SPAM:
"Pures Verwöhnprogramm" emv-info.hotelreservierung.de
(FRANCE)
MALICIOUS DOMAIN: SPAM & PHISHING SCAM (FRANCE)

ORIGINATING IP ADDRESS:
2.1.14.110
  • https://www.virustotal.com/de/url/5daa82f054d1922a3ee933df19c8e85c6798db2f94bd03335d629588349fe817/analysis/1391807477/
LISTED AT SPAMHAUS:
  • http://www.spamhaus.org/query/bl?ip=2.1.14.110
Email Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=2.1.14.110

emv-info.hotelreservierung.de
  • https://www.virustotal.com/de/url/68cf71f26c2b4e5ef62d3fc27600ed4dc7c1086101b89194092ae84a3fd93340/analysis/1391806480/
  • http://www.UnmaskParasites.com/security-report/?page=www.hotelreservierung.de

CONNECTED SPAM DOMAINS:
ads.unister-gmbh.de
  • https://www.virustotal.com/de/url/f046bd900cae54568f25063533aeddb8f685ce58b24066f37357fba10e1a2e23/analysis/1391806371/
  • https://www.mywot.com/en/scorecard/ads.unister-gmbh.de
crm.hotelreservierung.de
  • https://www.virustotal.com/de/url/e82ecd62ab91a3b4792554b117d55deaabc5820d89bdfc8aef7dcf3a4a87aeb7/analysis/1391806614/
www.ab-in-den-urlaub.de
  • https://www.virustotal.com/de/url/a368e6a05fd18af9554b616f32e8fab1797d8baab9f67c2585b6f9d72f3ff254/analysis/1391806780/

2/07/2014

MALWARE:
Trojan-Downloader.JS.Agent.gtu & HEUR:Trojan.Script.Generic
INFECTED SITE(s):
bretthersley.com & pvhetiozstg.findhere.org


MALICIOUS URL(s): 
(Trojan-Downloader.JS.Agent.gtu) 
MAL. Iframe Injection 
(RBN 275) 
Likely leading to EXPLOIT KIT



DOMAIN:
bretthersley.com
  • https://www.virustotal.com/de/url/385d06231a7226fa3998b97e62c5c10195485b57556cd52f3d3a0f4874e602d5/analysis/1391776537/

SPECIFIC LINK:
bretthersley.com/wp-content/themes/01_Super_Slick_VCard_-_Wordpress_Version/images/loader.gif
  • https://www.virustotal.com/de/url/225a220dd922c4e73a01ec0f40f5d9686c4d5960f28295dd720abce0cbffce41/analysis/1391775974/

FORMERLY:
Trojan-Downloader.JS.Agent.gtu
  • https://www.virustotal.com/de/file/3851fd1f908ad8e7a2c8f3b8fd7a5e73182fa8d99761903a743c12db24d90028/analysis/1375177800/

NOW:
Trojan-Downloader.JS.Agent.gtu
  • https://www.virustotal.com/de/file/7fb2f58d2fcc4d48f596e23c122441e8bc0f62cfda923868f1fe1731fe06d8dc/analysis/1391776994/

ALSO: HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/828d91af1ebe3f81d909b1e836629bd73d759f72804b3094ecf8a4a690888b00/analysis/1391777096/

REFERENCE:
  • http://jsunpack.jeek.org/?report=21aee5b48f214c4f99c87831e7d0ef38bcf6a694
Detected a Dynamic DNS URL
Detected malicious iframe injection
Detected a TDS URL pattern
  • https://urlquery.net/report.php?id=9276908
---> REMOTE
pvhetiozstg.findhere.org/vc.php?go=2
  • https://www.virustotal.com/de/url/026e9c1d6e32a50a62b715d7f58a057a1e3c68e3df6af13882c745ce2944a6d3/analysis/1391777504/
  • https://www.virustotal.com/de/file/214c3b683099a23da1e8ea88093f2c0ce6234f55f36943f810e031628cb7c93e/analysis/1369498120/
Detected a Dynamic DNS URL
Detected a TDS URL pattern
  • https://urlquery.net/report.php?id=9277385
--------------------------

ALSO:

WORDPRESS VERSION OUTDATED: AT RISK OF BEING VULNERABLE

2/06/2014

aromavietnam.com
Malicious Domain Infected with:
HEUR:Trojan.Script.Generic & Trojan.JS.Iframe.aeq
(EXPLOIT from VIETNAM)


MALWARE: EXPLOIT


DOMAIN:
aromavietnam.com
  • https://www.virustotal.com/de/url/ec13cdcd880da204742fbbb17ebb754f78fa9e9916c5d900393e779c09d017bf/analysis/1391695139/

Infected with: HEUR:Trojan.Script.Generic
  • https://www.virustotal.com/de/file/000ab3f5794c646ded51dd9b66d10749834dce17193ee9da1c28520fd23c52c1/analysis/1391697040/

EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator
  • https://urlquery.net/report.php?id=9256862
  • https://urlquery.net/report.php?id=9258051
  • https://urlquery.net/report.php?id=9258064

--->
173.237.187.203/post.php?id=704732
  • https://www.virustotal.com/de/url/aa23c1e60447fa417c7bf7cd25fdf3257e0b354fb1a37a143b8334b7bd96c1f5/analysis/1391698495/
  • https://urlquery.net/report.php?id=9258108

OTHER MALICIOUS LINK(s):
aromavietnam.com/stmenu.js
  • https://www.virustotal.com/de/url/e30a7f2e0271567938041e58cbccb2b2273e217c83110083ec79c4b747bef41c/analysis/1391694780/

Infected with: Trojan.JS.Iframe.aeq
  • https://www.virustotal.com/de/file/864d33b798d3c718263cb7ed78bea4a007133af53c704f45a54f0ca5e832aaa0/analysis/1391695003/

--->
37.59.120.98/704732.js
  • https://www.virustotal.com/de/url/eef9a6a86ae865da21b27b35623e5756f3569ceacb11a0a0fc444de13c413c0c/analysis/1391696634/
REF.: http://jsunpack.jeek.org/?report=05a453d8b0c4094c355d0f93ec02fe7f9619f4a2


arifizgidizayn.com (MALICIOUS DOMAIN)
Infected with: HEUR:Trojan.Script.Generic
(EXPLOIT KIT, TURKEY)



MALICIOUS DOMAIN: EXPLOIT (KIT)

arifizgidizayn.com
  • https://www.virustotal.com/de/url/6d6c58ba2c1ccebe07cdae728992b6ecb9ada7c603b89df47fc4fda6dd80a703/analysis/1391683685/

SPECIFIC LINK:

arifizgidizayn.com/swfnoborder.js
  • https://www.virustotal.com/de/url/0505699678769fee5f460fc5d4d1eb04c24ad093d348504cfd2dd82860e595a4/analysis/1391683043/

  • https://www.virustotal.com/de/file/24a0434d89dfd70c0b84e3caa8adb9231512568bf2caf24d2bb9a6d7404952bb/analysis/1391683046/

Malware Network Compromised Redirect
  • https://urlquery.net/report.php?id=9252311
  • http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=arifizgidizayn.com
---> PATH


DOMAIN:
habibtour.com.au
  • https://www.virustotal.com/de/url/1ab36c262cf6533186fbe3a53be55e00d781a106bbffce7bea5fdbff8feab24a/analysis/1391683497/

SPECIFIC REDIRECTION LINK(s) (SUSPENDED):
habibtour.com.au/language/t.php
  • https://www.virustotal.com/de/url/7506f10411b494a3fdd3e39a6485ff45534f0ea20342a400ffdf22ae4c6238e8/analysis/1391683482/
  • https://www.virustotal.com/de/file/07f99e34de6b4f4707f502d1cfcf2957b330c5ff713cf377d1eb82b85f975539/analysis/1391414551/
habibtour.com.au/cgi-sys/suspendedpage.cgi
  • https://www.virustotal.com/de/url/be266fdc5e1bb28d85a41c7de7af5c0fce9c078aa3bcab1d83530e56c0fe52ca/analysis/1391683618/

2/05/2014

Snowshoe Spammers - MALICIOUS DOMAIN & IP:
b2bdigitalapps.com & 193.180.115.48
"Les 5 astuces pour faire encore mieux l'amour"
(PHISHING-SCAM, AUSTRIA, SWEDEN)


Hello,

Do you find that your sex life is becoming monotonous? You're not alone. Like you, I realised that my wife and I weren't making love as often as before. And when it does happen, it's always the same old routine.

In fact, I had lost my enthusiasm and, I hate to say it, I even found myself avoiding sex several times. It wasn't like before and I knew I had to do something before it went too far.

So I went online to look for ideas and found a book called “500 Astuces Amoureuses”. Actually, it's funny. While I was reading the book, my wife came to see what I was doing. When she found out what it was about, she kicked me off the computer to read it herself.

So in the end, did the book work?

I'll let you judge: that very night, she brought strawberries and chocolate sauce to nibble on in front of the TV (obviously inspired by the book).

It completely surprised me. I would never have thought that something as simple as eating fruit and chocolate during foreplay could be so exciting.

I won't go into the “details” of what followed … :D… but I have to say I've become a fan of this book!
And our sex life is extraordinary now. We never run out of ideas to keep things exciting. And if we need an idea, we just open the book. It's great!

If you think your sex life has become a bit ordinary, or if you simply want to improve it a little, take a look at this book

by clicking here>>

See you soon

MALICIOUS PHISHING-SCAM DOMAIN: (SNOWSHOE SPAMMERS)
b2bdigitalapps.com
  • https://www.virustotal.com/de/url/c7c6daf58332d34d90b1234b1bdd40c922f4a3bed5174f9b2d561bff8d66a706/analysis/1391621955/
b2bdigitalapps.com/link.php
  • https://www.virustotal.com/de/url/7e06bfb6d9730edbbacc4189f36681e84aaa585dd580e2e53543c4aa10d14d0e/analysis/
  • https://www.virustotal.com/de/file/22fc373d3b3ab36009613adfd7bb60f7135a4f510aa31808856e721dd5799d0c/analysis/
b2bdigitalapps.com/open.php
  • https://www.virustotal.com/de/url/21e996363e94694017a766295f26702b7d6fe9c605a57d30965b3c6be6f9027a/analysis/1391622030/
  • https://www.virustotal.com/de/file/dd5bdccb831d1b19c505bd3e67553f6049cea2e20dba7eb231a02ed0103e521f/analysis/1390580473/
b2bdigitalapps.com/unsubscribe.php
  • https://www.virustotal.com/de/url/c7f6d051298f7b524bcf37fa3bc9ac2cab53cfff8081d9cf78d2f095f85e8e19/analysis/1391622053/
  • https://www.virustotal.com/de/file/fb18ec2dc45858efd8a69d17873eb1a92801a4af8e6b6a44b03e9e7a69d11ffd/analysis/


Snowshoe Spam (Screenshot)

ORIGIN IP:
193.180.115.48
  • https://www.virustotal.com/de/url/9c8a9262baa8df9d848573706b4bcf2eeb9c8d23404f1951accff6b123ff9e64/analysis/1391620870/
  • https://www.virustotal.com/de/file/18f256b9f1807fe04ee416b47643bae7ed150f37cf79e24c4e2b9646cf3cf908/analysis/1391622765/
 
LISTED AT SPAMHAUS (SBL):
  • http://www.spamhaus.org/query/bl?ip=193.180.115.48
 
Email Reputation: Poor
Web Reputation: Poor
  • http://www.senderbase.org/lookup/?search_string=193.180.115.48