
4/12/2014

Let US Welcome:
lunpandubishengfa.zhuolingxiu.com as a MALICIOUS VISITOR
(to this Blogspot)
FROM Beijing, CHINA & Walnut, UNITED STATES
IP: 110.173.196.1



MALICIOUS BLOGVISITOR FROM Beijing, CHINA
& Walnut, UNITED STATES

DOMAIN:
http://zhuolingxiu.com/
  • https://www.virustotal.com/de/url/b7d7f19c52b69e6721a7b9073741e7c6dc01f7bd4f3e04d9a95e150abb4ecb29/analysis/1397322523/
HTML:
  • https://www.virustotal.com/de/file/70624e295994c8b58995ea206a9d203bb56fad709b05ac972f053307a3399911/analysis/1397322837/
  • http://sitecheck2.sucuri.net/results/zhuolingxiu.com
IP:
http://110.173.196.1/
  • https://www.virustotal.com/de/url/ab6314d04650288df2d4054571208375f4606cdf8b09266e3427a91d2a6f8e62/analysis/1397323537/
  • https://www.virustotal.com/de/ip-address/110.173.196.1/information/
BHA: 3
  • https://www.projecthoneypot.org/ip_110.173.196.1
Fwd/Rev DNS Match: NO (forward-confirmed reverse DNS fails for this IP, per SenderBase)
  • http://www.senderbase.org/lookup/?search_string=110.173.196.1
MALICIOUS SUBDOMAIN:
http://lunpandubishengfa.zhuolingxiu.com/
  • https://www.virustotal.com/de/url/7481662efef095e53073ccc590585966f6b5c3f3c21d2364dc550ee577836b1f/analysis/
  • http://sitecheck2.sucuri.net/results/lunpandubishengfa.zhuolingxiu.com
  • http://www.urlvoid.com/scan/lunpandubishengfa.zhuolingxiu.com/
VISITING LINK:
http://lunpandubishengfa.zhuolingxiu.com/16024/
  • https://www.virustotal.com/de/url/df9f8d71cd3e8c7a80affdc3a9addb0964b0cae6355eddfabc316dbb74ef5e85/analysis/1397321793/
IP:
http://107.160.11.209/
  • https://www.virustotal.com/de/url/ab6314d04650288df2d4054571208375f4606cdf8b09266e3427a91d2a6f8e62/analysis/1397323537/
Network Owner: Psychz Networks
http://www.psychz.net/
  • https://www.virustotal.com/de/url/d1aaf5879110e18c64671ba2386ec1e8cb1e8c9144adb6dc9e1003003f67e814/analysis/1397325169/

COMMENT SPAMMER FROM BLOGGER TO BLOGGER:
Mr. Ams Patil, subject: AMS India, from Bangalore
"I would like to recommend your article .. you can also refer PLC Repairs"
OR
"You for me and i for you..."




POTENTIALLY SUSPICIOUS/(MALICIOUS ?)
COMMENT SPAMMER TO THIS BLOG: 
Ams Patil - AMS India - Bangalore
COMMENT: I would like to recommend your article .. you can also refer PLC Repairs

SCREENSHOT COMMENT

 

The related post where the comment was made can be found here:

PROFILE LINK:
  • http://www.blogger.com/profile/09937088204105970127
  • https://www.virustotal.com/de/url/4f98b161a5a79f4148538919dcdbc87664d9041df3094edc5d81b3ab1612d648/analysis/1397236254/


HTML
  • https://www.virustotal.com/de/file/f62eff5f017a92631ff39e8100874d1689b185fd096c5669427d46624968b1de/analysis/1397236179/
REDIRECTS TO:
  • https://plus.google.com/110974622069636956786
  • https://www.virustotal.com/de/url/8531cbb1b6af2c6970bd60b52f6743675ebad460b5e273a5d7c53a6cdfad1140/analysis/


HTML
  • https://www.virustotal.com/de/file/d4fc3dd86dfcbc77b810d9d3a4a38e220614f2da7ca2ff0dc8f805c12c9e1923/analysis/1397234501/
about:blank

----> THEN
  • http://plus.google.com/_/scs/apps-static/_/js/k%3Doz.home.en_US.QOoKRaOs7Pc.O/m%3Db%2Cprc/am%3DAMAwAAAMhEEAAAAKFICQAFITAwAACg/rt%3Dj/d%3D1/z%3Dzcms/rs%3DAItRSTPetjrOyteDRh4NktQaFVRe9zAjug
  • https://www.virustotal.com/de/url/bfd1e5160e4365a55b606d76d7a4a33de780bf93219d77014ca1684e9183283e/analysis/1397236576/
SEE AS WELL:
  • http://wepawet.iseclab.org/view.php?hash=fb5bb51b955f9532e7935ffe16a76969&t=1397234005&type=js

OTHER MALICIOUS CONNECTIONS (LINKS) FOUND:

1.0
http://jntukukatpally.blogspot.in/
  • https://www.virustotal.com/de/url/9349507e2076ab173d1ee3edbd50ec32d042f3373b6960bf3481a9d8de742b35/analysis/
http://jntukukatpally.blogspot.com/
  • https://www.virustotal.com/de/url/4c8dbd6ec2caf73b58643c14e2f5cbcc9673613d9293edcd99388332950b8b30/analysis/1397238392/
jntukukatpally links (directly OR indirectly) to:

1.1
http://resources.infolinks.com/js/infolinks_main.js
  • https://www.virustotal.com/de/url/30af8cab0ff04044433949f965963f0d0773bedb554811a276512b174ef219cd/analysis/
  • https://www.virustotal.com/de/file/58b308392779bb9868090be24ba4c3e6880efcdc7df43d2e90547ce0b9e9b957/analysis/1397238583/

2.0
http://driver-lap.blogspot.com/
  • https://www.virustotal.com/de/url/8b47e821ad5a463f2bcfa83228b7df55b0d2e7b860923bddc7158f7b30c4cf3a/analysis/1397238344/
driver-lap links (directly OR indirectly) to:

2.1
http://resources.infolinks.com/js/infolinks_main.js
  • https://www.virustotal.com/de/url/30af8cab0ff04044433949f965963f0d0773bedb554811a276512b174ef219cd/analysis/
  • https://www.virustotal.com/de/file/58b308392779bb9868090be24ba4c3e6880efcdc7df43d2e90547ce0b9e9b957/analysis/1397238583/
UPDATE 3/05/2014:

Ams Patil made the same comment on the post "Comment Spammer From Blogger to Blogger" (see screenshot).


4/11/2014

NEW POTENTIAL RISKWARE DETECTED:
Not-a-virus:PSWTool.Win32.PasswordCracker.wa

from securityxploded.com
(GooglePasswordKracker - PASSWORDSTEALER)
Note on the detection name: the "not-a-virus:" prefix is the Kaspersky classification for riskware, and PSWTool denotes a password-recovery utility. Such a tool is legitimate but dual-use, not a trojan; the practical verdict is "unwanted on a managed host", not "infected".


NEW POTENTIAL RISKWARE DETECTED:
Google Password Kracker - PASSWORDSTEALER
not-a-virus:PSWTool.Win32.PasswordCracker.wa
http://securityxploded.com/download-file.php?id=1111
  • https://www.virustotal.com/de/url/d864fcc6532516ad11184ef1da7b9b213d425f73e2dc491cdc867d8f81a4cdd2/analysis/1397222761/
http://securityxploded.com/getfile_plus.php?id=1111
  • https://www.virustotal.com/de/url/fb11af6a71cfc251ce28311cb2ce4a9cd1b9d250466b43d8b69b40a6ec98f300/analysis/1397223150/
(GooglePasswordKracker.zip) PSWTool.Win32.PasswordCracker.wa
  • https://www.virustotal.com/de/file/ebdd3d63628348b6f1ff0dfcb48370197ce00fcbb085f1eb5741bb8ff9052be9/analysis/1397125092/
(Setup_GooglePasswordKracker.exe) PSWTool.Win32.PasswordCracker.wa
  • https://www.virustotal.com/de/file/64ecac6ab2468141e09c9c9be4eec68d4f7ed2ea0dd659ecc6d386846d82c5fa/analysis/1397222739/
WEPAWET: SUSPICIOUS
  • http://wepawet.iseclab.org/view.php?hash=38ed429cd0bfe567ae411d465eed1a1d&t=1397222866&type=js
  • http://zulu.zscaler.com/submission/show/b1d8169ade268f06de667c0595f507e6-1397223014
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/


NEW POTENTIAL RISKWARE DETECTED:
Not-a-virus:PSWTool.Win32.PasswordCracker.ah

from securityxploded.com
(RouterPasswordKracker - PASSWORDSTEALER)


NEW POTENTIAL RISKWARE DETECTED:
Router Password Kracker - PASSWORDSTEALER
not-a-virus:PSWTool.Win32.PasswordCracker.ah
http://securityxploded.com/download-file.php?id=1051
  • https://www.virustotal.com/de/url/50de12846436464e15f375b94cd40a4ada8548175ad0c62b3e8c60e3a45ae088/analysis/1397221413/
http://securityxploded.com/getfile_plus.php?id=1051
  • https://www.virustotal.com/de/url/ba45120dcf7b88f21e1d5a7033d71ead3434b682a0094a78f622590f6fee352d/analysis/1397221456/
(RouterPasswordKracker.zip) PSWTool.Win32.PasswordCracker.ah
  • https://www.virustotal.com/de/file/ba3437b5a48fd5427fb2275af78617a2ef90f6279d11dfc89959f5dd63ef09a9/analysis/
(Setup_RouterPasswordKracker.exe) PSWTool.Win32.PasswordCracker.an
  • https://www.virustotal.com/de/file/7471baaaa951f9539b6099e9a41025a30ae3004da3b2374187796fec236afa2c/analysis/1397221327/
WEPAWET: SUSPICIOUS
  • http://wepawet.iseclab.org/view.php?hash=ba09ba2dabd6b8d643c96c39377be0ce&t=1397221623&type=js
  • http://zulu.zscaler.com/submission/show/649a46f0bc29a0e9a0b0200883870201-1397221649
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/

PHISHING MAIL FROM:
safeukemailer.com & planosdesaudeagora.com

IP: 174.140.167.243 - DICTIONARY ATTACKER & SPAMSERVER
Heuristic.BehavesLike.JS.BufferOverflow.J


PHISHING MAIL FROM:
http://safeukemailer.com/
  • https://www.virustotal.com/de/url/7e6568720e2f0e44bfcb9d974823fc0d6bed744157a9e9b655c4f0ac5be96841/analysis/1397215692/
  • http://wepawet.iseclab.org/view.php?hash=99533e29222be52ac0aecd2104ced6ec&t=1397215185&type=js
REDIRECTS TO:
http://planosdesaudeagora.com/admin/index.php
  • https://www.virustotal.com/de/url/85b7433bf813cd4884a22a8f5f66a8481935be109e6e12066fad3f3ade37fe2f/analysis/1397215746/
HTML
  • https://www.virustotal.com/de/file/6ea7c43f2a8f0bc4b6d11931e3eaeb5fe8f085a5db9accf605424390a9e00e21/analysis/1394810790/
ALSO
http://planosdesaudeagora.com/admin/includes/js/javascript.js
  • https://www.virustotal.com/de/url/f8369cd305da7c812550ca69ecf82f857f4a2506bbd119b5217c57699ce19eac/analysis/1397216635/
Heuristic.BehavesLike.JS.BufferOverflow.J
  • https://www.virustotal.com/de/file/d8c5447067ec6b33acaa3701a50d1d75b985d4e933490b0d0ef81bfd4c7c606d/analysis/1378020397/




DOMAIN LISTED AT SURBL & JOEWEIN
  • http://www.urlvoid.com/scan/planosdesaudeagora.com/
  • https://www.mywot.com/en/scorecard/planosdesaudeagora.com

IP:
http://174.140.167.243/
  • https://www.virustotal.com/de/url/206033db51f7886c907adb9afc607982fbfab8d362ea78ec6e323a5d45cf167d/analysis/1397215940/
  • https://www.virustotal.com/de/ip-address/174.140.167.243/information/
DICTIONARY ATTACKER & SPAMSERVER:
  • https://www.projecthoneypot.org/ip_174.140.167.243
  • http://www.senderbase.org/lookup/?search_string=174.140.167.243

IP: 184.168.221.18 (merchantcentric.com)
German SPAM & PHISHING domain
Subject: "Blacksher Hall: See what your competitors are doing right now"
(sent through b2b-mail.net)


SPAM DOMAIN FROM GERMANY:
http://merchantcentric.com/
  • https://www.virustotal.com/de/url/2655175568ddab160a5f3a07cb4f6bb08eb47b5970460bd619de5d3dc1ad195e/analysis/1397212380/


THROUGH:
http://b2b-mail.net/
  • https://www.virustotal.com/de/url/a0bf735206b0ae297b5fc69b8bbc14d42c1449cf671e3f04db456c138c372871/analysis/1397212963/
  • https://www.mywot.com/en/scorecard/b2b-mail.net
Related Post:
http://stayaway2.blogspot.com/2014/04/blacksher-hall-learn-secrets-of-top.html

4/10/2014

Potentially MALICIOUS ADs:
bellroy.com (IP: 54.236.92.225)
flagged for a HIDDEN iframe (W32.HfsIframe)
and an IDS alert for "Microsoft Internet Explorer remote code execution via option element"


FOR WEBMASTERS & BLOGGERS
If you own a website or a blog and run Google AdSense, you should block the domain bellroy.com in your AdSense dashboard to protect your own reputation. The following report shows why:


MALICIOUS ADVERTISER: 
HIDDEN IFRAME(s) & 
Microsoft Internet Explorer remote code execution via option element

DOMAIN:
http://bellroy.com/
  • https://www.virustotal.com/de/url/c98b0274361f078ffe11c672882a44deea265179edb5c6fa0602d63080855968/analysis/
W32.HfsIframe
  • https://www.virustotal.com/de/file/67b5a8555f0660f5cea968abbbe32c48a92b6c0cb1782c682a0bb7d35f2439cd/analysis/1397146549/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-MF9C" height="0" width="0" style="display:none;visibility:hidden">
(Note: this is the standard Google Tag Manager noscript fallback iframe. The signature fires on any 0x0, display:none iframe, so on its own this hit is a weak indicator; hidden iframes whose src is a third-party domain are the ones that matter.)

AD-LINK:
http://www.googleadservices.com/pagead/aclk?sa=L&ai=CGfswyL9GU6j-NIuoiga4sYDQCouup8sGi_S0sYgBo5WpvzgQASCOwJQjUJeJzE5guwOgAd3f68sDyAECqQI_TRhS36CvPqgDAcgDwQSqBIsBT9BrjS7o2Hx01Y0JFiIuwvJ1xe9IjZ3AaQviQnug8Np1m1Lub00UCac2hzu_KqEdA3aCF6v0DESTEaRR-1SjYlNxE2mKIljXjfcmAgj4IJnE_mEbmdov7A_Top1ov2PE0Cm3JltzAOkli0GYOFPDLlmdDDZfXT2fFSIbEi-AgySr64NOLCIbYqODF4gGAaAGAoAHi6CUNA&num=1&cid=5GjrqWA5Hr9KASVQwZCWupTr&sig=AOD64_1_pgpU0nS6Jm4kbl0tCan3rcz2HA&client=ca-pub-5585202032329389&adurl=http://bellroy.com/wallets/note-sleeve-wallet&nm=2&mb=2&bg=!A0RJckn2eYHUnAIAAABGUgAAACcqAPHBZ1R_GZZ-qskVhAC1RCaSH8E7P1WWZC0O5x_RfOeSlUkxeJvIMszsmy3sXPqRsDlNy8wF68FONASqnu6VRxJ-s-NpHWsQ1GS7blV93HhI3unMwwLWf3jO_ggQ1uDpL5_XK5lofwEA5P2icYwOYX-diVH7uhcjdcVDH0WnnUDwsfalxoHuio6rkHLlVZEw0K_n8FBECRILAC_D7YNm3YixQnPoAup1vg7QEcYLoGraugw_6A2qJro2Z8bmpX0mbatP_HXSBMdhAiO9S4pffic21NrkmjGVx-d_c9TBhi1Tj4BMHIOEuAFJr7PX2F7yuuWu
  • https://www.virustotal.com/de/url/95f54e683c7aa90bcff2516c4203b1eab34ab0773398e57f1df39494d6bfa9da/analysis/1397146003/
W32.HfsIframe
  • https://www.virustotal.com/de/file/5a84faf5f6aca07d4390a9b5cfccc29512b29edb295113d7a6f81dd8c85e0028/analysis/1397146289/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-MF9C" height="0" width="0" style="display:none;visibility:hidden">
urlquery.net IDS alert: Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=1397146071040
  • https://urlquery.net/report.php?id=1397146084651
--->
http://bellroy.com/wallets/note-sleeve-wallet?gclid=CJGghbqm1r0CFbFFMgodI1QA3w
  • https://www.virustotal.com/de/url/415b1b40a688e6db53001d576b04991a469967e8b17f5327f591942b0ec5b423/analysis/
W32.HfsIframe
  • https://www.virustotal.com/de/file/fbf1f3b0f36895ff64f2ed8270a6058d912395b6fe94a596b7f0e04381422a90/analysis/1397147003/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-MF9C" height="0" width="0" style="display:none;visibility:hidden">
urlquery.net IDS alert: Microsoft Internet Explorer remote code execution via option element
  • https://urlquery.net/report.php?id=1397146245634
  • https://urlquery.net/report.php?id=1397146261020
  • https://urlquery.net/report.php?id=1397146282006

IP:
http://54.236.92.225/
  • https://www.virustotal.com/de/url/17c875d298cbb4a685465b5dfbd5f3ae5097b78a8fa58184f224a872eec7d4f3/analysis/1397147591/
  • https://www.virustotal.com/de/ip-address/54.236.92.225/information/

HIDDEN LINK TO:
http://carryology.com/
  • https://www.virustotal.com/de/url/85e70248597bc714f3eac0644ff669c2680af8b6a50b23d34420e54e0f9bd902/analysis/1397147301/
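To triage a W32.HfsIframe hit like the ones above yourself, here is an added Python example (not code from the original post or from any of the scanners linked on this page). It lists every hidden iframe in a saved page and separates the documented Google Tag Manager noscript fallback, which is exactly the 0x0 display:none iframe quoted in this report, from hidden iframes that deserve a look. Only the GTM iframe in the sample page is quoted from the report; the other two iframes and their hosts (cdn.third-party.example, player.example) are constructed for the demo.

```python
"""List hidden iframes in an HTML page and separate Google Tag Manager's
documented noscript fallback from hidden iframes that deserve review.

Added example, not code from the original post or from any scanner linked on
this page. In SAMPLE_HTML only the GTM iframe is quoted from the report; the
other two iframes and their hosts are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# GTM's <noscript> fallback is a 0x0, display:none iframe loading
# //www.googletagmanager.com/ns.html?id=GTM-XXXX; size/style heuristics such
# as W32.HfsIframe fire on it regardless of where it points.
GTM_HOST, GTM_PATH = "www.googletagmanager.com", "/ns.html"


def _style_props(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'} (lowercased, malformed parts skipped)."""
    props = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            props[key.strip().lower()] = value.strip().lower()
    return props


def _is_zero(value):
    """True for '0', '0px', '0%', ' 0 '; False for None or anything else."""
    return value is not None and re.fullmatch(r"\s*0+(\.0+)?\s*(px|%|em)?\s*", value) is not None


def hidden_reasons(attrs):
    """Reasons an iframe with these attributes counts as hidden ([] = visible)."""
    reasons = []
    if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
        reasons.append("zero-size attribute")
    style = _style_props(attrs.get("style", ""))
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if _is_zero(style.get("width")) or _is_zero(style.get("height")):
        reasons.append("zero-size style")
    for prop in ("left", "top"):
        if style.get(prop, "").startswith("-"):
            reasons.append("off-screen " + prop)
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def is_gtm_noscript(src):
    """True if src is GTM's ns.html endpoint (scheme-relative or absolute)."""
    parts = urlsplit(src)
    return parts.netloc.lower() == GTM_HOST and parts.path == GTM_PATH


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser gives None for bare attrs like `hidden`
            self.iframes.append({k: (v if v is not None else "") for k, v in attrs})


def find_hidden_iframes(html):
    """One record per hidden iframe. verdict: 'gtm-noscript' for the documented
    GTM fallback, 'review' for every other hidden iframe."""
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            src = attrs.get("src", "")
            findings.append({"src": src, "host": urlsplit(src).netloc.lower(),
                             "reasons": reasons,
                             "verdict": "gtm-noscript" if is_gtm_noscript(src) else "review"})
    return findings


def needs_review(html):
    """Hidden iframes that are not the GTM noscript snippet."""
    return [f for f in find_hidden_iframes(html) if f["verdict"] == "review"]


# Constructed sample page: the GTM snippet quoted in the report, a made-up
# off-screen iframe to a made-up host, and a visible embed that must not fire.
SAMPLE_HTML = """
<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-MF9C"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<iframe src="https://cdn.third-party.example/ad.html"
        style="position:absolute; left:-9999px; width:1px; height:1px"></iframe>
<iframe src="https://player.example/embed/123" width="560" height="315"></iframe>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["verdict"], f["host"], ", ".join(f["reasons"]))
```

Run it over the saved page source (the same HTML VirusTotal scanned). Anything with verdict "review" is what to chase; the "gtm-noscript" line is expected noise on any site that uses Tag Manager, which is why a W32.HfsIframe hit alone does not make an advertiser malicious.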

NEW POTENTIAL RISKWARE DETECTED:
Not-a-virus:PSWTool.Win32.PasswordCracker.an

from securityxploded.com
(WindowsPasswordKracker - PASSWORDSTEALER)


NEW POTENTIAL RISKWARE DETECTED:
Windows Password Kracker - PASSWORDSTEALER
not-a-virus:PSWTool.Win32.PasswordCracker.an
http://securityxploded.com/download-file.php?id=1021
  • https://www.virustotal.com/de/url/cc5a4c406543221d1d71c5d0df18550fd5e09f8fef9800b7c28af880590a8d47/analysis/1397141402/
http://securityxploded.com/getfile_plus.php?id=1021
  • https://www.virustotal.com/de/url/426ea5d9ff85f30ab9d48664ab0e90b477d24bb39fc8fda483879057f3380fa1/analysis/1397141585/
(WindowsPasswordKracker.zip) PSWTool.Win32.PasswordCracker.an
  • https://www.virustotal.com/de/file/9dec4dc449b7f4fbc1d77419d202b22bc21c388d55d70a049af58f7938527b49/analysis/1397141499/
(Setup_WindowsPasswordKracker.exe) PSWTool.Win32.PasswordCracker.an
  • https://www.virustotal.com/de/file/6ca5b0c04a96caf1df32be15a26401773d6573f377c84efce1e16e23e13ee0e7/analysis/1397141534/
WEPAWET: SUSPICIOUS
  • http://wepawet.iseclab.org/view.php?hash=b951e8893d7019d984a89ab57e9300dc&t=1397141634&type=js
  • http://zulu.zscaler.com/submission/show/fa35f7d3fc94d4dd91cbee227bced416-1397141683
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/

4/09/2014

apps.michaelpriest.com.au
Potentially Suspicious/Malicious BLOGVISITOR carrying
an executable with an untrusted code-signing chain ("A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider")



DOMAIN:

http://apps.michaelpriest.com.au/
  • https://www.virustotal.com/de/url/6ed7612be01bb6857f4c58180d754ce179543c18ee158c5da13721da9fc41993/analysis/1397077102/

VISITING URL:

http://apps.michaelpriest.com.au/MPPluginInstaller/setup.exe

  • https://www.virustotal.com/de/url/7383065de37bccf2367981da8b9925d60ca5e64872483b152392890e32dd2816/analysis/1397074594/
Executable with an untrusted code-signing chain (POSSIBLY from MS):
Windows' Authenticode check reports "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider" (CERT_E_UNTRUSTEDROOT, 0x800B0109): the signer's chain ends in a root that is not in the Windows trust store, so the signature cannot be validated. This is not the same as proof of tampering, which shows up as a hash-mismatch error instead; either way the binary must not be treated as validly signed.
  • https://www.virustotal.com/de/file/200dc3ffc7fed9f5151a4195f4bf2cbda14414b4afacea90f0d3098d80bb5547/analysis/
SEE ALSO:
  • https://urlquery.net/report.php?id=1397074602869
  • http://www.urlvoid.com/ip/103.247.224.141/
  • http://sitecheck2.sucuri.net/results/www.ashburtonfamilydental.com.au
  • https://www.virustotal.com/de/url/3a502336930e5ec0f405d5fbc929d68a8ea74cb979591113885cbdf881e7083e/analysis/1397077282/
  • http://www.senderbase.org/lookup/?search_string=103.247.224.141

NEW POTENTIAL RISKWARE & PHISHING DETECTED:
Not-a-virus:PSWTool.Win32.Agent.vx

from securityxploded.com
(WindowsDriveHider - Passwordstealer)


NEW POTENTIAL RISKWARE DETECTED:
Windows Drive Hider - Passwordstealer
not-a-virus:PSWTool.Win32.Agent.vx
http://securityxploded.com/download-file.php?id=1011
  • https://www.virustotal.com/de/url/f20fbbaa6dc5d1c58e9824b445cf35f506512dc5e1ed7ebbe8eea41ed498780c/analysis/1397069288/
http://securityxploded.com/getfile_plus.php?id=1011
  • https://www.virustotal.com/de/url/dca829bc0b33249a056eb8b6489e84e90e1b5fb8a40f608992141254658f2f6b/analysis/1397069330/
(WindowsDriveHider.zip) PSWTool.Win32.Agent.vx
  • https://www.virustotal.com/de/file/0ca33d4ebaef889b5b35e1f55dd4bb245930b4846bb125fd2755fb65369269ba/analysis/1397069354/
(SetupWindowsDriveHider.exe) PSWTool.Win32.Agent.vx
  • https://www.virustotal.com/de/file/ca65cde81006fda4c3f90ca0f2b8fbe0c5f8d5f06052f652ff33e68d07f06a07/analysis/1397069576/
(WindowsDriveHider.exe) PSWTool.Win32.Agent.vx
  • https://www.virustotal.com/de/file/df7d22e0a4bc4f2674c8be7ba8b7b9c415851dc120dd421508d8a3191f473177/analysis/1397069541/
WEPAWET: Suspicious
  • http://wepawet.iseclab.org/view.php?hash=75ae03c5152f116b12977a062e146979&t=1397069846&type=js
  • http://zulu.zscaler.com/submission/show/22a63c3e6ed00b1be52a58ba2d0a8d70-1397069633
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/
ANOTHER LINK FOUND ON THE PAGE, flagged HTML-PUA.PHISHING.BANK:
http://nagareshwar.securityxploded.com/2013/09/16/seh-exploitation-to-get-shell-access/index.html
  • https://www.virustotal.com/de/url/b8e3193f581b32f9c3ef4af6c58ae4a94d0783162f8cf49774d3111d3e1581a7/analysis/1397070689/
HTML-PUA.PHISHING.BANK
  • https://www.virustotal.com/de/file/c8e6a6d9ef6c9178db84fc7614f2d168856d36e44c78f5b68284f5874e8b7176/analysis/1397070794/
  • http://virusscan.jotti.org/de/scanresult/d50831e4520e9bd7863cd71fabe24462a193fe6e



NEW POTENTIAL RISKWARE DETECTED:
Not-a-virus:PSWTool.Win32.Agent.vs

from securityxploded.com
(SecurePasswordGenerator.exe - Passwordstealer)


NEW POTENTIAL RISKWARE DETECTED:
Secure Password Generator.exe - Passwordstealer

not-a-virus:PSWTool.Win32.Agent.vs
http://securityxploded.com/download-file.php?id=1001
  • https://www.virustotal.com/de/url/7324056a65a45256f21a3a2ee7f726744fd633a16f5652cedf1207bcf247cf20/analysis/
http://securityxploded.com/getfile_plus.php?id=1001
  • https://www.virustotal.com/de/url/1856e6f51ffc018dc74e5dc7a79a945c6d2309eecedd4ebe49dae7fec42ad735/analysis/
(ZIP) PSWTool.Win32.Agent.vs
  • https://www.virustotal.com/de/file/0d18d235271859bff3dff8356b4570dcbb9933b94d6c6dd57715b8602675f4aa/analysis/1396777216/
(EXE SETUP) PSWTool.Win32.Agent.vs
  • https://www.virustotal.com/de/file/b9224e67ff7c69df803e132298174fdec88e0bd44f6c758fc6e3aef985f91002/analysis/1396777476/
(EXE FILE) PSWTool.Win32.Agent.vs
  • https://www.virustotal.com/de/file/db2f38542a5c0526cbf4906974aadfd2c20d658ea031d19031b17e14a31ed03b/analysis/1396777454/
WEPAWET: SUSPICIOUS
  • http://wepawet.iseclab.org/view.php?hash=c8b48449e807664acd6562d5c9d92b6f&t=1397066560&type=js 

IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/



NEW POTENTIAL RISKWARE DETECTED:
Not-a-virus:RiskTool.Win32.Agent.dbq

from securityxploded.com
(SetupPasswordSnifferConsole.exe)

NEW POTENTIAL RISKWARE DETECTED: Password Sniffer Console (setup package)


not-a-virus:RiskTool.Win32.Agent.dbq
http://securityxploded.com/getfile_plus.php?id=1155
  • https://www.virustotal.com/de/url/ca5cce1c0eadc8893c81f1fcacee8938dc0734cfb89485ade0bba02597848795/analysis/1397053044/
(ZIP) RiskTool.Win32.Agent.dbq
  • https://www.virustotal.com/de/file/7694d475fbca9d827bdbe8e5075e6fb5258c07cf82b07ec8b16c9f13fd91029b/analysis/1397052774/
(EXE) RiskTool.Win32.Agent.dbq
  • https://www.virustotal.com/de/file/4806ab9294ff991d07156374a85c1153ce319c9c7312f649213ecd685c4f571b/analysis/1397052734/
IP:
http://64.150.191.172/
  • https://www.virustotal.com/de/url/774ec0fe019369938cf734a511ae4334b74f31e5c0202710934e0997df8a6e7f/analysis/1397059586/


4/08/2014

Potentially MALICIOUS ADVERTISER:
Heuristic.LooksLike.HTML.Suspicious-URL.K
@
gaastraproshop.com (m.gaastraproshop.com)
IP: 65.52.130.250 UNITED STATES

FOR WEBMASTERS & BLOGGERS
If you own a website or a blog and run Google AdSense, you should block the domain gaastraproshop.com (m.gaastraproshop.com) in your AdSense dashboard to protect your own reputation. The site is potentially blacklisted. See the following report:


POTENTIALLY MALICIOUS ADVERTISING DOMAIN:
Heuristic.LooksLike.HTML.Suspicious-URL.K & HIDDEN IFRAMES

DOMAIN:
http://www.gaastraproshop.com/
  • https://www.virustotal.com/de/url/8fe4129403e2f8a3329f8e8c2c030a8e071aa0ca416e83db22bbf2647a9b9354/analysis/1396956156/
HTML (before REDIRECTION) Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/bd2bbbc521c2ef59397a0d0094451a2f1c978c88ee3f408a796071a58a733476/analysis/1396956097/
HTML (after REDIRECTION TO: http://m.gaastraproshop.com/ )
  • https://www.virustotal.com/de/url/9b672b89952372844701c6eaee854ac53baed519cf854c2d76f7027e8509ac46/analysis/1396956311/
  • https://www.virustotal.com/de/file/5a7ac6c9a4573c03f9d3b78278854f8eeb77300b41013769849f9593b61cdc10/analysis/

AD-LINK:
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C9_qImM1DU5zaMMyR7ga_pIGgD-7TzuYDzuLHuJsBwI23ARABII7AlCNQuuWsjQNguwOgAczZxPUDyAECqQJouv3HAA-3PqgDAcgDwQSqBK0BT9BVRjDmVncwPOaYlYqDgq5ewlrE62ZKg0EI3bGzSTS2RY4AcjI1uPQNsHaT4rugdrGcIj5NrDkcP7WvV3x2WuALeS2pfl45Vy5x8WsjjQJyAGpQLLToRLzbxcQM41r1VIRWE8sXrd471wq5qDA1D1yV2v7JUSCrkTyQapMs3-HduhxiXs_1faUi_uZDXGoSpta2LFNFHiVzbqL7spmvDb14LM8BdBc3Ht1CYHmIBgGgBgKAB5ymuwo&num=1&cid=5Ghek0AXvKdmiT_PaZgyrXhR&sig=AOD64_1HNWVDpsJ2tiouym8BUaG8D7D4nw&client=ca-pub-5585202032329389&adurl=http://www.gaastraproshop.com/com-en/&nm=3&mb=2&bg=!A0QdcMC5dYUeWQIAAAA5UgAAACwqAOEto0uFWoyzbF9BgLpTZd0j0HlH_C56hY4NLvc3NtowaaH-Z-csGgTuThLZ2700ImAxJCtXBWy07lw2lhyW729LbQpRbKOUhBOCgNPTzNU7gGGfUbNk7f1Es-R1OT2rxWGFmICxmADsYZbJkCp3x90QW9x_krZl8PbIDV5TojB9Z4tmta85i7Np_800PxgiPJJfwWvSEdIldac4iEnohF9kF7b9tuMjUDC-jxzvmThXXObWG5HuPVidMyu5kw1D6sjILopgRn4ifnP6aV0gn8heXTWUH6sXVSlhTfbA-94Jv2Y
  • https://www.virustotal.com/de/url/62eb0a95606957e05b738baee9c886cb70a5e34c5e23659bbf4d96dc14ca3df1/analysis/1396955224/
(HTML-SRC) Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/567b8090d9678ab59051c8039a8ee4db6219e30ddc833fc417e74ce75d051dd1/analysis/1396955699/
URL AFTER REDIRECT:
http://www.gaastraproshop.com/com-en/?gclid=COiest_f0L0CFeY-MgodzxsAfw
  • https://www.virustotal.com/de/url/8e9706ee82cfd4bafcde4bb245ce1dd2798c2e1bb7d35e914015246b70eb1f1c/analysis/
(HTML-SRC) Heuristic.LooksLike.HTML.Suspicious-URL.K
  • https://www.virustotal.com/de/file/476be34d21b40a8ebc9eedf9bfd0b59a671735cac2517af1e007cdabf9860d80/analysis/1396955811/
IP:
http://65.52.130.250/
  • https://www.virustotal.com/de/url/153ecf2fa49f6cfa49c849cdadf0abea1ca0d4ea9d299e1ce04c837d83c498ad/analysis/1396957138/
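The advice at the top of this report, and in the bellroy, studyinteractive and pcrx reports on this page, is to block the advertiser's domain in the AdSense dashboard. The domain to block is the adurl target inside the googleadservices.com click link, not googleadservices.com itself. The following is an added Python example (not code from the original post) that pulls that domain out of a click URL. The four click URLs are shortened copies of links quoted on this page, with the ai, cid, sig and bg tracking parameters removed and the adurl parameter kept verbatim; AD_CLICK_HOSTS contains only the click host that appears on this page.

```python
"""Pull the advertiser landing domain out of a Google Ads click-tracking
URL (www.googleadservices.com/pagead/aclk?...&adurl=...).

Added example, not code from the original post. The click URLs below are
shortened copies of links quoted on this page: the ai/cid/sig/bg tracking
parameters were cut out, the adurl parameter is verbatim.
"""
from urllib.parse import parse_qs, urlsplit

# Click-redirector host seen in the reports on this page.
AD_CLICK_HOSTS = {"www.googleadservices.com"}


def advertiser_landing_url(click_url):
    """Return the adurl target of a Google Ads click URL, or None if the URL
    is not an aclk redirect or carries no adurl.

    parse_qs splits on '&' before percent-decoding, so a percent-encoded
    adurl (the studyinteractive link) comes back fully decoded, while an
    adurl with an *unencoded* nested query (the pcrx link) is cut at its
    first '&'. The host part is intact in both cases, which is all the
    AdSense block list needs.
    """
    parts = urlsplit(click_url)
    if parts.netloc.lower() not in AD_CLICK_HOSTS or not parts.path.endswith("/aclk"):
        return None
    adurl = parse_qs(parts.query).get("adurl")
    if not adurl or not adurl[0]:
        return None
    target = adurl[0]
    if "://" not in target:          # defensive: scheme-less adurl
        target = "http://" + target
    return target


def advertiser_domain(click_url, strip_www=True):
    """Hostname to block in the AdSense dashboard, e.g. 'bellroy.com'.

    .hostname (not .netloc) drops any user:pass@ prefix and port, so a
    decoy like http://trusted.example@evil.example/ yields evil.example.
    """
    target = advertiser_landing_url(click_url)
    if target is None:
        return None
    host = urlsplit(target).hostname
    if not host:
        return None
    if strip_www and host.startswith("www."):
        host = host[4:]
    return host


def block_list(click_urls):
    """Sorted, de-duplicated advertiser domains from a batch of click URLs."""
    return sorted({d for d in map(advertiser_domain, click_urls) if d})


# Shortened copies of the click links quoted in the reports on this page.
BELLROY_CLICK = (
    "http://www.googleadservices.com/pagead/aclk?sa=L&num=1"
    "&client=ca-pub-5585202032329389"
    "&adurl=http://bellroy.com/wallets/note-sleeve-wallet&nm=2&mb=2"
)
GAASTRA_CLICK = (
    "http://www.googleadservices.com/pagead/aclk?sa=L&num=1"
    "&client=ca-pub-5585202032329389"
    "&adurl=http://www.gaastraproshop.com/com-en/&nm=3&mb=2"
)
STUDY_CLICK = (
    "http://www.googleadservices.com/pagead/aclk?sa=L&num=1"
    "&client=ca-pub-5585202032329389"
    "&adurl=http://www.studyinteractive.org/online-msc-degree2/"
    "%3Futm_source%3Dgoogle%26utm_medium%3Dcpc"
    "%26utm_campaign%3Dmsc-marketing-luxembourg-display-text&nm=10&mb=2"
)
PCRX_CLICK = (
    "http://www.googleadservices.com/pagead/aclk?sa=L&num=1"
    "&client=ca-pub-5585202032329389"
    "&adurl=https://www.pcrx.com/lp2.aspx?cfg=286&b=GGL_PCRx_ppc34_26PCRx_25_cfg286"
    "&s=awppc34&utm_source=google&utm_medium=cpc&nm=13&mb=2"
)

if __name__ == "__main__":
    for url in (BELLROY_CLICK, GAASTRA_CLICK, STUDY_CLICK, PCRX_CLICK):
        print(advertiser_domain(url), "<-", advertiser_landing_url(url))
    print(block_list([BELLROY_CLICK, GAASTRA_CLICK, STUDY_CLICK, PCRX_CLICK]))
```

Two details worth knowing when you do this by hand: the pcrx link carries its landing-page query unencoded, so everything after the first nested "&" is lost as landing *path* but the host is unaffected; and the "URL AFTER REDIRECT" lines in these reports add a gclid parameter that the click URL itself does not contain, so the two will never match byte for byte.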

Category MALICIOUS IP:
5.135.188.193 (kimsufi.com)

COMMENT SPAMMER from Roubaix, FRANCE



CATEGORY MALICIOUS IP: 
COMMENT SPAMMER
LISTED AT TORNEVALL

FOUND ON EXPLOIT KIT STATISTIC ROUNDUP (one row of a visitor-statistics host table):
Host: 5.135.188.193 | Pages: 16 | Hits: 16 | Bandwidth: 5839847 | Last visit date: 20140115134221 (2014-01-15 13:42:21) | Start date of last visit: [not shown] | Last page of last visit: [not shown]


HOST:
http://5.135.188.193/  (Roubaix, FRANCE)
  • https://www.virustotal.com/de/url/ad6cf5b5cc0ac88abe48f641f12ebb0bad4d7bf1d40e15af5f0383471eede4de/analysis/1396905319/
HOSTNAME: (Registered February 15th 2001)
http://ks3294570.kimsufi.com/
  • https://www.virustotal.com/de/url/9e0bfb2602bc25eb416989ffd0cb78bb0e35108f06b6dd5fe4acc5604718cf3e/analysis/1396907424/

WEPAWET: NON-EXISTING DOMAIN
  • http://wepawet.iseclab.org/view.php?hash=fb0cdf5e77cfec395b4db8bf802df86d&t=1396905343&type=js

DOMAIN: (IP: CANADA)
http://kimsufi.com/
  • https://www.virustotal.com/de/url/b2957ee6fe072c26c66415b45c22062fa9319dcd11a935ccc6808ddf8d88c4f1/analysis/
IP: 213.186.33.80  (FRANCE)
  • https://www.virustotal.com/de/url/bf71c3ee663f088661ee99420e310491c614b03b26557c771d040669e9cfe8e8/analysis/
  • https://www.virustotal.com/de/ip-address/213.186.33.80/information/
  • http://toolbar.netcraft.com/site_report?url=213.186.33.80
REDIRECTS TO:
http://www.kimsufi.com/
  • https://www.virustotal.com/de/url/70a198d280f8e42e13903be64df4dbebf292ed8f3ff5d58360ee0af9f1ea9ae3/analysis/1396908942/
IP (CHANGE): 198.27.92.3  (Montréal, CANADA)
  • https://www.virustotal.com/de/url/9e2487ef003597430ea9b8bf016675f1fb4501d516ab468212099b57ad707c87/analysis/1396909634/
REDIRECTS TO:
http://www.kimsufi.com/fr/index.xml
  • https://www.virustotal.com/de/url/69f5933404d7b76ef3e0d002add1516e622d015ddacf4cfeda5803f73673424d/analysis/1396909006/
REDIRECTS TO:
http://www.kimsufi.com/fr/
  • https://www.virustotal.com/de/url/30f30cae7dc114a98734d84bf5eb806a0932e6767c17e05b5f767ef4a5e3cbb3/analysis/1396909110/
  • https://www.virustotal.com/de/file/11114b722dd11cc71086f1d47fcb36ca7b2b5fce27413ecb8d3da00a70fc336d/analysis/1396909603/
  • https://www.virustotal.com/de/url/9e2487ef003597430ea9b8bf016675f1fb4501d516ab468212099b57ad707c87/analysis/1396909634/
--------------------------------------------------------------------------------------------------------------------------------------------
LISTED AT TORNEVALL:
  • http://dnsbl.tornevall.org/  (http://www.ipvoid.com/scan/5.135.188.193)

User-Agents: 30
Web post submissions: 52
  • https://www.projecthoneypot.org/ip_5.135.188.193

Netcraft Risk Rating: 9/10
  • http://toolbar.netcraft.com/site_report?url=5.135.188.193
ALSO:
  • http://www.stopforumspam.com/ipcheck/5.135.188.193

4/07/2014

POTENTIALLY SUSPICIOUS Advertiser:
Several HIDDEN IFRAME(s) @ www.studyinteractive.org
(IP: 94.236.98.164) W32.HfsIframe

London, UNITED KINGDOM


FOR WEBMASTERS & BLOGGERS
If you own a website or a blog and run Google AdSense, you should block the domain www.studyinteractive.org in your AdSense dashboard to protect your own reputation, as the site has several hidden iframes (see screenshots below). See the following report:


SUSPICIOUS ADvertiser: 
HIDDEN IFRAMES & LINK TO A MALWARE DOMAIN

DOMAIN:
http://www.studyinteractive.org/
  • https://www.virustotal.com/de/url/f3d49c88f67e594a5e2790d6b04c04386bba772e06b5bdcd610274e6dec7ad78/analysis/1396890659/
W32.HfsIframe
  • https://www.virustotal.com/de/file/b3057590ae1f538dae28ef2eddd5b949129640e22e8c7c84afa40e1c552a5fe0/analysis/1396890736/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5BZNPB" height="0" width="0" style="display:none;visibility:hidden">

IP:
http://94.236.98.164/
  • https://www.virustotal.com/de/url/ddf767ca33c02f03d89c48d06d684ebfc9fd7b70d8a44a6bad3660bba2f84648/analysis/1396892016/
SPECIFIC AD-LINK:

http://www.googleadservices.com/pagead/aclk?sa=L&ai=C1Ka8_MxCU_6pOsvr7QapvoCYCJX4hcsEndDjp4QBwI23ARABII7AlCNQ6eatif______AWC7A6AB8_Da0wPIAQGpAsaE3dbr1Ls-qAMByAPDBKoEsQFP0HE28GLR59i93_uQP7nr9q4E30h6pDFBgQJbzqpCJJQQ0aDe7YvxTlGaY9pzRs8vyF1nEHdo1tEAxFx16XC4-Lgl4-fxn3hJKR0igEeXfXlRVNkv56ddmN1ZG2RsPQg-YbbQmHKkGucDnGRdtwT4iKZTWEojzb85nYybniV-WkEGRp3JQBIRR-2hTseS9CIQGQrcwP7Cz99h34GT4pyQhlUfpQWsZ4rjvxjYqb7COXOIBgGAB_WOpSw&num=1&cid=5Gj_mwym0n6HSEiehmL18tKY&sig=AOD64_3BPMMDRbXyPW9Agp98BUEmTc_g0g&client=ca-pub-5585202032329389&adurl=http://www.studyinteractive.org/online-msc-degree2/%3Futm_source%3Dgoogle%26utm_medium%3Dcpc%26utm_campaign%3Dmsc-marketing-luxembourg-display-text&nm=10&mb=2&bg=!A0SiEbXxXfeE9QIAAABCUgAAABgqAOHJi1VYTcVszlW_XQUl16Q6RwLTV7-FnDAWCTMg7ixb-JsMj7_eP2TWBvsEjUNKn4TAMGA73MqGBwJ-w_73TLtBVo1E34m53HRZVDIFE0NQxJMKmmppdH6t3vG98-ot5NeBXD8SYUWjnS2VBK-zrqrmBfuwIxkIZvx0tvJddgQvoUdsHU6vdaRpgM7loHmZ70FOefIOOYqyz91P4jYaNIZ0otKMJdBbH1YsWRa3FQVuV3i-wQm6wp4RTQdW--qo2tCemW5HIh8nQ-TFOMZSe9RB4WL1uT4_vGbX3zhqpvnBjiM
  • https://www.virustotal.com/de/url/1d73c6f82f71c6f97a917a117f66581a541f0465632350adf6c0b8327ec6baeb/analysis/1396889946/
W32.HfsIframe
  • https://www.virustotal.com/de/file/93003317e07e1338c35800a3c63ef637fa64acb8786e3f5e5d2bdb062a8f5129/analysis/1396890437/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5BZNPB" height="0" width="0" style="display:none;visibility:hidden">

URL AFTER REDIRECT:
http://www.studyinteractive.org/online-msc-degree2/?utm_source=google&utm_medium=cpc&utm_campaign=msc-marketing-luxembourg-display-text&gclid=CMGByMjszr0CFfFFMgodcxsAeQ
  • https://www.virustotal.com/de/url/1ab400460a40eb42b654e42f30b0173a413331e158774d4746cbddb6c1205d53/analysis/
W32.HfsIframe
  • https://www.virustotal.com/de/file/93003317e07e1338c35800a3c63ef637fa64acb8786e3f5e5d2bdb062a8f5129/analysis/
<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5BZNPB" height="0" width="0" style="display:none;visibility:hidden">

SEVERAL MORE HIDDEN IFRAMES DETECTED:


Screenshot 1
Screenshot 2
Screenshot 3
Screenshot 4

OTHER SUSPICIOUS LINK FOUND:

DOMAIN:
http://lsbfafg.com/
  • https://www.virustotal.com/de/url/b6f887a3a71940ddb1be80e110d2a44974e1140a009baaf392e745afba19a61a/analysis/1396891366/
http://lsbfafg.com/getform.js
  • https://www.virustotal.com/de/url/b6f887a3a71940ddb1be80e110d2a44974e1140a009baaf392e745afba19a61a/analysis/
http://lsbfafg.com/getform.js?id=12600
  • https://www.virustotal.com/de/url/9455bddead54d9bb28c3deba78ec01923cec20ad9172b6628a38592cea3a4d33/analysis/1396891806/

WHITELIST
of GOOGLE ADs (DOMAINS)



http://info.kerio.com/
https://www.axiomatics.com/
http://www.celeros.de/
https://www.erst-holz.de/
http://www.lampenwelt.de/
http://www.maxmartin-shop.com/
http://www.metallic-design.com/
http://www.nwoods.com/
http://www.optimalprint.de/
https://www.qualys.com/



4/06/2014

Reminder of FEDERAL ONLINE CHILD PREDATORS 2011/12:
Former U.S. Department of Education educator
Joseph Butler, 66, of Clarkston and
Navy seaman Spencer Duncan, 23, from Lawrenceville
sentenced for Involvement with Child Pornography

One was a career employee with the U.S. Department of Education and the other, a sailor with the U.S. Navy. But federal prosecutors said while these men were serving their country, they were involved in the collection and distribution of child sexual abuse images.

On Wednesday, the former educator Mr. Joseph Butler, 66, of Clarkston, and the former seaman Mr. Spencer Duncan, 23, of Lawrenceville, were sentenced for their involvement in child pornography, according to the U.S. Attorney’s Office.



In March 2012, Mr. Butler was sentenced to 10 years for collecting child pornography while using his government computer, and Mr. Duncan was sentenced to six years and six months for distributing child pornography.

“These two cases illustrate the important point that consumers and purveyors of child pornography can be found everywhere,” Mrs. Yates said. “Both defendants had worked in service to our country and yet were collecting or distributing photographs of children being sexually abused.”

Federal investigators said Mr. Butler used his work computer to download child pornography from the internet onto CD-ROMs, which he then took home.

In July 2011, federal agents executed a search warrant at Mr. Butler’s home where they found the CD-ROMs of child pornography along with boxes full of children’s clothes and toys, Mrs. Yates said. They also found a collection of self-authored stories that described in graphic detail young children having sex with adults and animals.

Mr. Duncan was caught when an undercover FBI agent was able to download sexually explicit images of minors from the former seaman’s computer, Mrs. Yates said.

Mr. Duncan had created an account on a peer-to-peer file sharing network and made his collection of child pornography available to others, she said.

“The FBI found thousands of such images and dozens of videos on Duncan’s computer when they executed a search warrant at his house,” Mrs. Yates said.

Both Mr. Butler and Mr. Duncan pleaded guilty to the crime in December 2011. Once released, they will be required to register as sex offenders and Mr. Butler will have to undergo five years of supervised release and Mr. Duncan faces 10 years of supervised release.

SOURCE: examiner.com

Win.Adware.PCFixSpeed - Category Malicious ADs:
www.pcrx.com HIDDEN IFRAME (W32.HfsIframe)
BAD REPUTATION; from Boca Raton, Florida, United States


FOR WEBMASTERS & BLOGGERS
If you own a website or a blog and run Google AdSense, you should block the domain www.pcrx.com in your AdSense dashboard to protect your own reputation. The site is potentially blacklisted. See the following report:

OVERALL VERDICT: MALICIOUS SITE

DOMAIN:
http://www.pcrx.com/
  • https://www.virustotal.com/de/url/d134b225cf91b786e6cf9e3864b67f8a573f4de32782a21329e495c0abbcc219/analysis/1396782475/
AD-LINK:
http://www.googleadservices.com/pagead/aclk?sa=L&ai=CMwaGcWBAU_i9AoSM7gb_loCwDsy0sLYGpOjF74kBwI23ARABII7AlCNQz7C-s_z_____AWC7A6ABlLn94wPIAQGoAwHIA8MEqgSiAU_QFxELMNi3LYLgPVXseXnrzD6zDU-J9nXFbw2MryJfQV2MP98Ot-XiBzbVkkAFtRnTRs1qSxOOUOszsmoO2qQisuMwkpn9MK8EGJIdZyph2EyPdzoKqSFWD3C4eMQ95FbGFFCHpl1gz4uPUvbNB8gpYVzPuG6YN7kh-7HHQu-CsISfIufJqY0JTLHVQfcx2gpRXnBisX6spyMI2nBDImh03IgGAYAH1MaCHA&num=1&cid=5GjWo9iwtAvE92tyQ7Z3AUiU&sig=AOD64_357e7amdBz9W7LrWCbdRymWZaNWQ&client=ca-pub-5585202032329389&adurl=https://www.pcrx.com/lp2.aspx?cfg=286&b=GGL_PCRx_ppc34_26PCRx_25_cfg286_*GeoUSCA*_-Content-___virus%20removal&s=awppc34&utm_source=google&utm_medium=cpc&utm_term=virus%20removal&utm_campaign=ppc34-26PCRx&nm=13&mb=2&bg=!A0R-hdQBXOFz0QIAAAA8UgAAABwqAOEZb79pp1D1BE3K7kwI4IOviZ2ubSDhRDJG-7Q4HlS4ZjzcD9QltXbHPpVJdOgrxS3cGZDZauOfZjC6SCCrQ7fVHaKypOSsHZfbX0k7nJ7JNhgSZG7hhEe-BfIiXwT9XJoD4p2_0hnSAD9N6RGfKbD72wSjZTlbAm2ILmg4wXbdZmVOSu6UF4GnFC1vWHqKwNmpMhtAIWpYOO-As5VPOLiflE-B9hlWCIYvvFZZkwncRl4GFWbkdMjFoTD0SdPu5nlIl8KUg51-rSptOBGwp0TELfzhzYbR91ChncIZ-RgADCg

  • https://www.virustotal.com/de/url/d01eeb168d9f7603355a6c713dc9f849d0ff9bb33317fe15eb9eba4f712b38b3/analysis/1396780767/
W32.HfsIframe
  • https://www.virustotal.com/de/file/f185f969ec9e00171ae2c074e778151098b139d6582bfcf38677aedc07c9d844/analysis/1396780976/
---> REDIRECTS TO:
https://www.pcrx.com/lp2.aspx?cfg=286&b=GGL_PCRx_ppc34_26PCRx_25_cfg286_*GeoUSCA*_-Content-___virus%20removal&s=awppc34&utm_source=google&utm_medium=cpc&utm_term=virus%20removal&utm_campaign=ppc34-26PCRx
  • https://www.virustotal.com/de/url/b9f4bea865ca713b6d2f2502ddf25b7c2b3568c57ad8d74ae87304a79e5deccd/analysis/1396780879/
COMODO WEB INSP.: Malware Downloads
  • http://app.webinspector.com/public/reports/21119862

POTENTIALLY MALICIOUS PCRx DOWNLOADS:
Win.Adware.PCFixSpeed
  • https://www.virustotal.com/de/file/6a9485d64a00f9e12772d2c87046aaea52cad77dcb5d780a785b6926803dd9f1/analysis/1396782228/
  • https://www.virustotal.com/de/file/20d7c743da686f8d380d6aaf53b000ef111ba6f4167ed326a5f5529726e6269d/analysis/
  • https://www.virustotal.com/de/file/5bcc827dd5eb10282ca30005bcd87e5b7e16f7e1f12b26ddbb6e8d72ed4f09cc/analysis/

WOT: POOR
  • https://www.mywot.com/en/scorecard/pcrx.com
http://www.urlvoid.com/scan/pcrx.com/
  • http://scanurl.net/?u=www.pcrx.com%2Flp2.aspx%3Fcfg%3D286%26b%3DGGL_PCRx_ppc34_26PCRx_25_cfg286_*GeoUSCA*_-Content-___virus%2520removal%26s%3Dawppc34%26utm_source%3Dgoogle%26utm_medium%3Dcpc%26utm_term%3Dvirus%2520removal%26utm_campaign%3Dppc34-26PCRx&uesb=Check+This+URL#results

IP:
http://64.135.82.105/
  • https://www.virustotal.com/de/url/da96984c002d149f8f2254493dee205349d8d1e13239bd6660d8f55634e53a83/analysis/1396783074/
  • https://www.virustotal.com/de/ip-address/64.135.82.105/information/